Today's incident response teams face a number of complex challenges. First, they have to sort through what is often an overwhelming number of alerts, identify the top priorities, and address the largest threats to the organization. For each of those high-priority events, they must understand the scope of the threat and identify the attack vector: what steps were taken to compromise the system, and how did the attack slip past the existing defenses? The next step is to take action to stop and remediate any active breach. That often requires physical access to run commands or even re-image systems. The effort is time consuming, especially for larger, more distributed companies, but it is a critical step. If a system is not properly remediated, there is a risk of recurrence or, even worse, further propagation across other network systems. Fast, comprehensive action here can be the difference between an incident and a serious breach. Lastly, it's important to learn from these events and use any available indicators to protect the larger environment and ensure that similar attacks do not slip through the cracks next time.

In this demonstration, we're going to look at how CrowdStrike can help address these challenges by providing complete information and reducing response time to minutes. We will see how CrowdStrike Falcon helps prioritize events and provides all of the context and details needed to take decisive action. Leveraging the extensive capabilities of real-time response, we will use that information to limit the exposure, remediate the system, and ensure the rest of our environment is protected against this attack.

We will start with the Windows system, where a company insider is using a USB drive to install a Bitcoin miner. Once it is installed, we see the Bitcoin application running and can take a deeper look at what else has changed. The USB executable has dropped a copy of a PowerShell script. It also appears that a registry key was put in place to maintain persistence after reboot. These are important details as we look to remediate this system; we want to be sure that each is addressed as we restore the system to its original state.

As we shift perspectives and look at the Falcon console, we see the related detection for this system. There is a complete process tree that highlights BCMiner.exe. We see that it was installed from an external drive, and we can use the hash of the file later in our remediation process. As we scroll down, under disk operations, Falcon has recorded the exact destination where the PowerShell script was dropped. Looking back at the process tree, we also see where PowerShell was detected as part of this event. Falcon also reports the command line parameters used to execute the Bitcoin miner. In the last step of the process tree, we see the details behind the registry key that was placed on this system, including the exact command used along with the full key and value. This information will help us ensure that our cleanup is thorough.

Now that we understand the scope of this threat, we can take action. Our first step in the remediation process is to temporarily shut down the machine's network access. We want to ensure that there is no lateral movement across the network while we work to remediate this specific system. Next, we're going to use the real-time response console to remove the miner application and perform specific commands on the compromised system. From this session, we can begin the cleanup process. For the purposes of the demo, you will also see a picture-in-picture display of the compromised system; as we go through the remediation commands, you will see real-time results.

We will start by listing the currently running processes and identifying the ID for the running instance of PowerShell. With the process ID, we can now issue the command to kill PowerShell and effectively stop the application. Next, we want to extract a copy of the BCMiner PowerShell script. This will give us a chance to do further forensic investigation after the remediation is complete. Even without local system access, we would have the path of that file thanks to the Falcon detection details that we reviewed earlier. Now that we have a copy, we can proceed with cleaning the endpoint and issue a command to remove the local copy of the script. Lastly, it's important that we clean up the registry. You will remember that in the Falcon UI we saw the location and name of the key that was created to keep the Bitcoin miner up and running. Once that is deleted, we have successfully undone all of the changes and restored the original system state. The complete remediation process took just over one minute.

As we look to close this incident, there are two remaining actions we need to take. Now that the system has been fully remediated, we can lift the network containment so that the user can return to business as usual. Because the remediation was completed in minutes, there was minimal impact to productivity. We also want to use the information we reviewed earlier to protect the rest of our organization. In this case, we can add the hash of the USB executable to the policy blacklist. This will ensure that no Falcon-protected system can execute this file in the future, regardless of how it might be delivered. The same hash could be leveraged to improve our other defenses, such as firewall and web content filters. If we try to run the USB file again on our system, we see an execution error. The policy is now in place to block the hash on this and every other system in the environment.

As you saw, CrowdStrike's powerful EDR solution not only brought the alert to our attention, but also provided all of the information needed to take effective and complete measures to remediate this incident. Real-time response gave us the tools to execute the cleanup without needing physical access or costing the user hours of productivity. The provided indicators were also used to improve our organization's overall defenses. CrowdStrike empowered our analysts to respond and perform a complete, thorough remediation in minutes, stopping the incident before it could become a serious breach.
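As an added illustration, not code from the video or CrowdStrike's real-time response command set, the following PowerShell performs the same host-side cleanup sequence from an administrative session on the endpoint: stop the miner and the PowerShell instance it launched, preserve and hash the dropped script before deleting it, remove the registry Run value, and verify that all three artifacts are gone before network containment is lifted. The process name, script path, Run-key hive and value name, and evidence directory are placeholders, since the demo does not state them.

```powershell
# Added example (not from the demo): local PowerShell equivalent of the cleanup.
# All values below are placeholders/assumptions; the demo does not state them.
$MinerProcess  = 'BCMiner'                       # process name highlighted in the process tree
$DroppedScript = 'C:\PLACEHOLDER\dropped.ps1'     # path recorded under disk operations
$RunKey        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'  # assumed hive/key
$RunValueName  = 'PLACEHOLDER_VALUE_NAME'         # value name shown in the registry step
$EvidenceDir   = 'C:\IR\evidence'

function Test-RunValue {
    # True if the persistence value still exists under the Run key.
    $props = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    return ($null -ne $props -and $null -ne $props.PSObject.Properties[$RunValueName])
}

# 1. List processes and pick the miner plus the PowerShell instance running the dropped
#    script, matching on the command line rather than killing every powershell.exe.
$scriptLeaf = Split-Path $DroppedScript -Leaf
$targets = Get-CimInstance Win32_Process | Where-Object {
    $_.ProcessId -ne $PID -and
    ($_.Name -ieq "$MinerProcess.exe" -or $_.CommandLine -like "*$scriptLeaf*")
}
foreach ($p in $targets) {
    Write-Host ("Stopping {0} (PID {1}): {2}" -f $p.Name, $p.ProcessId, $p.CommandLine)
    Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue
}

# 2. Preserve a copy of the dropped script (with its hash) for forensics, then remove it.
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
if (Test-Path $DroppedScript) {
    $copy = Join-Path $EvidenceDir $scriptLeaf
    Copy-Item -Path $DroppedScript -Destination $copy -Force
    $hash = (Get-FileHash -Path $copy -Algorithm SHA256).Hash
    Write-Host "Preserved $copy SHA256=$hash"
    Remove-Item -Path $DroppedScript -Force
}

# 3. Remove the persistence entry, logging what it pointed to before deletion.
if (Test-RunValue) {
    $value = (Get-ItemProperty -Path $RunKey).$RunValueName
    Write-Host ("Removing Run value '{0}' -> {1}" -f $RunValueName, $value)
    Remove-ItemProperty -Path $RunKey -Name $RunValueName
}

# 4. Verify all three artifacts are gone before lifting network containment.
$minerGone  = -not (Get-Process -Name $MinerProcess -ErrorAction SilentlyContinue)
$scriptGone = -not (Test-Path $DroppedScript)
$keyGone    = -not (Test-RunValue)
Write-Host ("Verified clean: {0}" -f ($minerGone -and $scriptGone -and $keyGone))
```

Run it from an elevated session; the SHA256 recorded in step 2 is the value you would carry into the policy blocklist and other defenses, as the demo does with the USB executable's hash.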