CrowdStrike Falcon Service Tracks Attacks Back To Source

For nearly a year, startup security firm CrowdStrike has talked up the concept of active defences: technologies and tactics that identify the attackers and their targets so companies can use the information to protect their data systems.

The company announced a managed service designed to allow companies to track attackers not by their malware or the vulnerabilities that they exploit, but by other components of their tradecraft.

‘Falcon’

Dubbed Falcon, the platform uses a threat model derived from defence circles to assign attacks to a specific group, a process the focuses on the adversary’s actions within the network.

“You don’t want to look for specific indicators, such as code or exploits,” Dmitri Alperovitch, chief technology officer for CrowdStrike, told eWEEK. “You want to focus on the objectives and the tradecraft – what they are doing.”

The Falcon platform monitors email, domain-name servers and each laptop and desktop for signs of attack. CrowdStrike analyses the attack information in its own security operations centre to gather intelligence on the various groups that are targeting its customers, said Alperovitch.

The company aims to give its customers the ability to know what kinds of attackers are targeting their systems and employees.

The concept of active defence – not to be confused with the legally questionable strategy of launching cyber-counterstrikes against attackers – aims to make the attacker’s job more difficult and more expensive.

In the past few years, nation-state-sponsored attacks targeting intellectual property have become a concern for major companies. CrowdStrike has focused on identifying the groups behind attacks by their tactics, techniques and procedures, or TTPs, rather than focusing on stopping the malware portion of the attack.

Real-time tracking

In addition, the company has gathered intelligence on the groups behind the attacks and links what its customers systems are encountering with additional intelligence. CrowdStrike observes in real-time what is happening and uploads details to the cloud, so that it can warn companies, not only of an attack in progress, but where a known group may attack next, based on its profile.

The company is aiming to count, not just large enterprises among its client base, but smaller ones as well, George Kurtz, president and chief executive of CrowdStrike, told eWEEK.

“The model that we have scales, not only because it is cloud-based, but we have augmented that with a high-end group of analysts that [small and midsize businesses] would never be able to hire,” he said. “Using that knowledge across the customer base is very valuable. At the end of the day, it is a very elastic model.”

Targeted attacks driven by foreign adversaries – whether companies engaged in industrial espionage or nation-state-funded attackers looking for intelligence – have become widespread in recent years. In February, incident response firm Mandiant released many of the details of a major campaign linked to China.

But other attackers – from Iran, North Korea and India – are also targeting US systems, Kurtz said.

Are you a security pro? Try our quiz!

Originally published on eWeek.