Crowdstrike Falcon Series: Deployment to Maximum Protection

Naufal Arkaan
MII Cyber Security Consulting Services
6 min read · Oct 20, 2022

From the CrowdStrike Falcon web page:

The Crowdstrike Falcon platform is purpose-built to stop breaches via a unified set of cloud-delivered technologies that prevent all types of attacks — including malware and much more. Today’s sophisticated attackers are going “beyond malware” to breach organizations, increasingly relying on exploits, zero days, and hard-to-detect methods such as credential theft and tools that are already part of the victim’s environment or operating system, such as PowerShell.

In this article I want to share, step by step, how to go from the deployment stage to optimal (maximum) protection with CrowdStrike Falcon:

1. Install the Falcon agent from your Falcon console on each device you want to protect. Go to Host Setup Management > Sensor Download and choose the operating system of the host you want to protect.
Falcon Agent Downloads

2. After that, create a host group for the policies and add the hosts you want to protect to it.

Falcon Host Grouping

3. Configure the sensor update policy and assign it to the host groups. To keep Falcon sensor updates stable, I recommend setting the version to Auto - N-1: when a scheduled release happens, hosts with this setting update to the second-newest version, not the latest.

Sensor Update Policy Assignment
Assign Sensor Update Policy to host groups

4. Configure the prevention policy (the implementation in this article is for the Windows operating system). The prevention policy goes through three phases before you settle on optimal or maximum protection:

  • Initial Deployment Settings

This policy is optimized for detection, so you can start testing activity, triaging detections and allowlisting false positives as appropriate. If you are deploying Falcon alongside an existing antivirus or host intrusion prevention system (HIPS), this deployment setting is the right starting point.

Sensor Capabilities

Sensor Capabilities Initial Deployment

Sensor Visibility

Sensor Visibility Initial Deployment

Next-Gen Antivirus

Next-Gen Antivirus Initial Deployment

Malware Protection

Malware Protection Initial Deployment

Behavior-based Prevention

Behavior-based Prevention Initial Deployment

  • Interim Protection

This policy offers solid IOA (Indicator of Attack) protection and other preventions. Triage detections and allowlist false positives as appropriate before proceeding to Optimal or Maximum Protection. If you have no existing antivirus/host intrusion prevention software (HIPS), or you have already replaced the existing antivirus with CrowdStrike Falcon, you can start with this policy and then tune it up to Optimal or Maximum Protection.

Sensor Capabilities

Sensor Capabilities Interim Protection

Sensor Visibility

Sensor Visibility Interim Protection

Next-Gen Antivirus

Next-Gen Antivirus Interim Protection

Malware Protection

Malware Protection Interim Protection

Behavior-based Prevention

Behavior-based Prevention Interim Protection

  • Optimal or Maximum Protection

Once the Interim Protection configuration is working well in your environment, the next phase is to tune the policies to Optimal or Maximum Protection. This policy is optimally configured for stopping breaches, and is ideally applied after the detection triage and allowlisting done as part of Interim Protection.

Sensor Capabilities

Sensor Capabilities Maximum Protection

Sensor Visibility

Sensor Visibility Maximum Protection

Next-Gen Antivirus

Next-Gen Antivirus Maximum Protection

Malware Protection

Malware Protection Maximum Protection

Behavior-based Prevention

Behavior-based Prevention Maximum Protection

5. After that, configure the Response Policies for Real Time Response on the hosts and assign them to a host group. My recommendation is to enable all of the configurations.

Real-Time Response Configuration

6. Next, configure the USB Policy for Device Control. Many organizations have to block USB storage devices entirely, but in some cases an organization only sets USB storage to read-only to suit its business needs.

Full Block USB Policy
Read-Only USB Policy
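Once the host groups and the three-phase prevention policies are in place, the thing to verify fleet-wide is that every host has the intended policy applied, not just assigned. The following Python audit is an added example, not code from this article or from CrowdStrike. It assumes the `device_policies.prevention.policy_id` and `applied` fields of the Falcon API device-details response and the `id`/`name`/`enabled` fields of the combined prevention-policy response; the hostnames and policy ids are constructed sample data.

```python
"""Audit which Falcon prevention policy each host actually has applied.

Added example for this article, not CrowdStrike tooling. Field names follow
the Falcon API device and prevention-policy responses as I understand them;
treat them as an assumption and check the API reference. Data is constructed.
"""
from collections import defaultdict

# Constructed sample: the three policies from the article (id, name, enabled).
POLICIES = [
    {"id": "p-init", "name": "Initial Deployment", "enabled": True},
    {"id": "p-interim", "name": "Interim Protection", "enabled": True},
    {"id": "p-max", "name": "Maximum Protection", "enabled": True},
]

def _dev(host, policy_id=None, applied=True):
    """Build a constructed device record in the device-details shape."""
    prev = {"policy_id": policy_id, "applied": applied} if policy_id else {}
    return {"hostname": host, "device_policies": {"prevention": prev}}

DEVICES = [
    _dev("WS-01", "p-max"),           # assigned and applied by the sensor
    _dev("WS-02", "p-max", False),    # assigned, sensor has not applied it yet
    _dev("WS-03", "p-interim"),       # still on the interim phase
    _dev("SRV-01", "p-init"),         # still on initial deployment
    _dev("SRV-02"),                   # in no host group, so no policy
    _dev("LT-07", "p-old"),           # references a deleted/disabled policy
]

def audit(devices, policies, target="Maximum Protection"):
    """Return status -> sorted hostnames, measured against the target policy."""
    names = {p["id"]: p["name"] for p in policies if p.get("enabled")}
    out = defaultdict(list)
    for d in devices:
        prev = d.get("device_policies", {}).get("prevention") or {}
        pid = prev.get("policy_id")
        if not pid:
            status = "unassigned"
        elif pid not in names:
            status = "unknown"        # stale id: policy deleted or disabled
        elif names[pid] != target:
            status = "other_policy"   # an earlier phase is still in force
        elif not prev.get("applied"):
            status = "pending"        # rollout incomplete on this sensor
        else:
            status = "ok"
        out[status].append(d["hostname"])
    return {k: sorted(v) for k, v in out.items()}

if __name__ == "__main__":
    for status, hosts in audit(DEVICES, POLICIES).items():
        print(f"{status:13}{', '.join(hosts)}")
```

Hosts reported as "pending" or "other_policy" are the ones to chase before declaring the rollout complete; "unknown" usually means a policy was deleted while hosts still referenced it.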

After all the policies are configured, you can safely test them on a host using the sample detection that CrowdStrike provides:

In a Command Prompt window, type the following command:

“sc query csagent”

You should see that the Falcon agent is installed and running.

Next, type:

“choice /m crowdstrike_sample_detection”

Then type “Y”.

Crowdstrike Sample Detection

You can see the result in the Falcon console like this:

Sample script malware by Crowdstrike

If you want to test with real malware, I recommend installing the Falcon agent in a staging environment. In this example I am using real malware and running it with administrator privileges.

The malware I used for testing is the LockBit ransomware: https://www.virustotal.com/gui/file/aeb8f128d346f457c35e5ef7446dbb88c3db8b1478f7d62de6b30f3c225032bf/detection

After I ran the ransomware in my staging environment, CrowdStrike Falcon killed the process with the description “A suspicious process, associated with potentially destructive malware like ransomware, launched. Review the process tree”. Falcon recognized the ransomware’s signature through an Indicator of Attack.

Ransomware Killed By Falcon Crowdstrike

Another example is to test Falcon’s detection and prevention using tools like APT Simulator or Atomic Red Team. The most interesting detection I found in the Falcon console was the tools trying to dump credentials, which Falcon successfully detected and blocked.

Falcon Crowdstrike Block the malicious activity

That’s all for now. Thank you, and stay secure!
