CrowdStrike Outage: Not a Cyberattack, but a Cyber Incident!

CrowdStrike: The Cybersecurity Firm That Broke the Internet

Ajay Monga
T3CH
3 min read · Jul 25, 2024


What Happened?

In July 2024, a software update from the cybersecurity company CrowdStrike caused widespread problems. This was not a cyberattack but a technical defect in the update. It crashed Windows computers and caused major disruptions across many industries, including banking, healthcare, and transportation.

CrowdStrike reverted the faulty update within about an hour and a half, but machines that had already crashed could not download the fix; each one had to be repaired by hand. Microsoft estimated that around 8.5 million Windows devices were affected, making this one of the largest IT outages to date.

What is CrowdStrike exactly?

CrowdStrike is a cybersecurity company that offers a cloud-delivered endpoint protection platform (EPP). They protect businesses from cyberattacks by providing a variety of services, including:

  • Next-generation antivirus and anti-malware
  • Endpoint detection and response (EDR)
  • Managed threat hunting
  • Vulnerability management
  • Threat intelligence

The CrowdStrike Falcon sensor is a lightweight agent installed on each endpoint that acts as the foundation for the security functions of the CrowdStrike Falcon platform. On Windows it runs partly as a kernel-mode driver, which is what gives it visibility into process, file and network activity, and also what makes a fault inside it so severe.

The CrowdStrike Falcon sensor issue in July 2024 originated from a faulty update, not from a cyberattack. Here is a closer look at how it unfolded:

On July 19th, 2024, at 04:09 UTC, CrowdStrike pushed a routine content update for the Falcon sensor on Windows hosts. It was not a new sensor build but a Rapid Response Content update: a data file named “Channel File 291”, which the already-installed sensor reads to decide what behaviour to look for (in this case, abuse of Windows named pipes). Mac and Linux hosts did not receive it and were unaffected.

Logic Error: Channel File 291 contained malformed content that the sensor’s own content validator failed to reject. When the sensor’s kernel-mode driver interpreted the file, it read memory outside the bounds of the loaded content (an out-of-bounds read). Because the sensor runs as a kernel driver rather than as an ordinary process, the fault could not be caught and contained: Windows treats a memory fault in kernel mode as fatal.

(BSOD) System Crash: The fault caused Windows to halt with the infamous blue screen of death (BSOD). Worse, the sensor loads early in the boot sequence and re-read the same file on every restart, so affected machines crashed in a loop and a plain reboot usually did not help. CrowdStrike reverted the file at 05:27 UTC, which spared hosts that had not yet downloaded it, but machines that already had it could not recover on their own: each had to be booted into Safe Mode or the Windows Recovery Environment so the faulty channel file could be deleted by hand. That is why recovery took hours to days rather than minutes.
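To make that failure mode concrete, here is an added illustration in plain user-space C. It is not CrowdStrike’s code and not the real channel-file format: a toy content interpreter in the style described above, showing the pattern that reads past the end of a short record next to a validator that rejects such a record before anything is interpreted. The record layout, template ids and field counts are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy record layout for a constructed "channel file" (not the real format):
 * byte 0 = template type id, byte 1 = number of 32-bit fields that follow,
 * bytes 2.. = that many little-endian uint32 fields. */
#define REC_HDR    2
#define FIELD_SIZE 4

typedef struct {
    uint8_t id;
    size_t  expected_fields;  /* field count the interpreter was compiled to read */
} template_type;

/* Hypothetical template types registered in the sensor. */
static const template_type TEMPLATES[] = { { 1, 3 }, { 2, 21 } };

static const template_type *lookup_template(uint8_t id)
{
    for (size_t i = 0; i < sizeof TEMPLATES / sizeof TEMPLATES[0]; i++)
        if (TEMPLATES[i].id == id)
            return &TEMPLATES[i];
    return NULL;
}

static uint32_t read_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Vulnerable pattern: trust the template's field count, never check the record
 * length. A record carrying fewer fields than the template expects makes the
 * final read land past the end of the buffer; in a kernel-mode driver that page
 * fault is fatal to the whole OS. Never called here on malformed input. */
static uint32_t interpret_unchecked(const template_type *t, const uint8_t *rec)
{
    return read_u32le(rec + REC_HDR + (t->expected_fields - 1) * FIELD_SIZE);
}

typedef enum { CONTENT_OK = 0, CONTENT_BAD_TEMPLATE, CONTENT_TRUNCATED,
               CONTENT_FIELD_MISMATCH } content_status;

/* Hardened pattern: validate the record against both the buffer length and the
 * template before anything is interpreted. Bad content is rejected and skipped,
 * so the interpreter only ever sees data of the shape it was built for. */
static content_status validate_record(const uint8_t *rec, size_t len,
                                      const template_type **out)
{
    if (len < REC_HDR)
        return CONTENT_TRUNCATED;
    const template_type *t = lookup_template(rec[0]);
    if (t == NULL)
        return CONTENT_BAD_TEMPLATE;
    size_t field_count = rec[1];
    if (REC_HDR + field_count * FIELD_SIZE > len)
        return CONTENT_TRUNCATED;               /* record claims more than it carries */
    if (field_count != t->expected_fields)
        return CONTENT_FIELD_MISMATCH;          /* content and code disagree */
    if (out)
        *out = t;
    return CONTENT_OK;
}

/* Safe entry point: interprets only records that passed validation. */
static bool interpret_checked(const uint8_t *rec, size_t len, uint32_t *last_field)
{
    const template_type *t;
    if (validate_record(rec, len, &t) != CONTENT_OK)
        return false;
    *last_field = interpret_unchecked(t, rec);  /* in bounds by construction now */
    return true;
}

/* Constructed good record: template 1, three fields 10, 11, 12. */
static const uint8_t GOOD_REC[] = { 1, 3, 10, 0, 0, 0, 11, 0, 0, 0, 12, 0, 0, 0 };

/* Value the checked path yields for GOOD_REC (0 if it were rejected). */
static uint32_t good_record_last_field(void)
{
    uint32_t v = 0;
    interpret_checked(GOOD_REC, sizeof GOOD_REC, &v);
    return v;
}

/* Constructed bad update: claims template 2 (21 fields) but carries only 20. */
static content_status status_of_short_record(void)
{
    uint8_t rec[REC_HDR + 20 * FIELD_SIZE] = { 2, 20 };  /* rest zero-filled */
    return validate_record(rec, sizeof rec, NULL);
}

int main(void)
{
    printf("good record: last field = %u\n", good_record_last_field());
    printf("short record: %s\n", status_of_short_record() == CONTENT_FIELD_MISMATCH
                                     ? "rejected, field count mismatch" : "accepted?!");
    return 0;
}
```

The two checks in `validate_record` (does the buffer actually carry the fields the record claims, and does that count match what the template type’s code expects) are exactly the conditions that must hold before a kernel component indexes into content it did not generate itself. Shipping the check in the content pipeline, so that a bad file is rejected at build or load time instead of dereferenced at boot, is the difference between a skipped update and a fleet-wide boot loop.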

The CrowdStrike Falcon sensor issue was a technical failure, not a cyberattack. Its impact, however, maps directly onto the CIA triad: availability was lost outright, and the scramble to recover put integrity, and indirectly confidentiality, at risk.

It is a prime example of how a technical malfunction, with no attacker involved, can hurt the availability and integrity of an organization’s information systems as badly as an attack would.

So while the incident was not malicious in nature (i.e., not a cyberattack), it was still a cyber incident: an event that adversely affected systems and the services that depend on them.

  • Windows endpoints of every kind, from user PCs to servers, went down, taking the applications running on them offline with them.
  • Essential services were unavailable for hours, and for organizations that had to repair machines one by one, for days.
  • Even critical infrastructure systems, such as CCTV servers, were affected by the outage.
  • Data Loss Potential: machines that crashed mid-write and services that were down for hours raised the risk of lost or corrupted data.

Understanding the CIA Triad in Relation to the Incident:

  • Availability: The widespread inaccessibility of endpoints, servers, and services caused by the Falcon sensor issue directly compromised the availability component of the CIA triad. Critical systems and data were unavailable for extended periods, halting business operations and, for many organizations, causing direct financial loss.
  • Integrity: There is no evidence of data being altered in this case, but an abrupt kernel crash stops applications mid-write, and the recovery that followed created its own integrity risks. If a system was restored from backup, for instance, transactions committed between the backup and the crash are lost, leaving the restored data out of step with what other systems believe happened.
  • Confidentiality: The Falcon sensor issue primarily affected availability and, to a lesser extent, integrity, but an outage can undermine confidentiality indirectly. When normal systems are down, people fall back on workarounds that bypass the usual controls. Remediation on BitLocker-encrypted machines, for example, required recovery keys to be looked up and handed to whoever was repairing each host, and some organizations found those keys stored on servers that were themselves down.

While the CrowdStrike Falcon sensor issue was not a cyberattack, it serves as a stark reminder of the importance of maintaining robust IT infrastructure and disaster recovery plans to protect against disruptions that can impact the CIA triad.

Lessons Learned

The CrowdStrike outage is a stark reminder of how much of the world now depends on a small number of widely deployed software components, and of the privileges we grant them. It highlights the critical importance of:

  • Rigorous testing and quality assurance for everything that is shipped, including configuration and content updates, not only new code releases, together with staged (canary) rollouts so that a bad update reaches a small set of hosts before it reaches all of them.
  • Robust disaster recovery and business continuity plans, tested against the case where the failure is in the security tooling itself and many machines need hands-on repair.
  • Diversifying IT infrastructure to mitigate the risks associated with single points of failure.

Let me know if you’d like more examples or want to delve deeper!

Follow me on LinkedIn: https://www.linkedin.com/in/ajay-monga2/
