Crowdstrike Falcon Series: Deployment to Maximum Protection
From the Crowdstrike Falcon web page:
The Crowdstrike Falcon platform is purpose-built to stop breaches via a unified set of cloud-delivered technologies that prevent all types of attacks — including malware and much more. Today’s sophisticated attackers are going “beyond malware” to breach organizations, increasingly relying on exploits, zero days, and hard-to-detect methods such as credential theft and tools that are already part of the victim’s environment or operating system, such as PowerShell.
So in this article I want to share, step by step, how to go from the deployment stage to maximum or optimal protection with Crowdstrike:
1. Install the Falcon Agent from your Falcon Console on the device you want to protect. Go to Host Setup Management > Sensor Download and choose the operating system of the host you want to protect.
2. After that, create a host group for the policy and assign the host you want to protect to it.
3. Configure the sensor update policies and assign them to the host groups. For a stable Falcon sensor update cadence, my recommendation is the Auto - N-1 setting: when a scheduled release happens, hosts with this setting update to the second-newest version, not the latest.
4. Configure the prevention policy (in this article the implementation is for the Windows operating system). This prevention policy goes through three phases before you reach the maximum or optimal protection settings:
- Initial Deployment Settings
This policy is optimized for detection, so you can start testing activity, triage detections and allowlist false positives as appropriate. If you are deploying Falcon alongside an existing antivirus or host intrusion prevention system (HIPS), this deployment setting is the one to use.
Settings sections to review in this policy: Sensor Capabilities, Sensor Visibility, Next-Gen Antivirus, Malware Protection, Behavior-based Prevention.
- Interim Protection
This policy offers solid IOA (Indicator of Attack) protection and other preventions. Triage detections and allowlist false positives as appropriate before proceeding to Optimal or Maximum Protection. If you don't have existing antivirus/host intrusion prevention software (HIPS), or you have already replaced the existing antivirus with Falcon Crowdstrike, you can use this policy first and then tune it to Optimal or Maximum Protection.
Settings sections to review in this policy: Sensor Capabilities, Sensor Visibility, Next-Gen Antivirus, Malware Protection, Behavior-based Prevention.
- Optimal or Maximum Protection
Once Interim Protection has been running fine in your environment, the next phase is to tune the policies to Optimal or Maximum Protection. This policy is optimally configured for stopping breaches, ideally after detection triage and allowlisting have been done as part of Interim Protection.
Settings sections to review in this policy: Sensor Capabilities, Sensor Visibility, Next-Gen Antivirus, Malware Protection, Behavior-based Prevention.
5. After that, configure the Response Policies for Real Time Response on the host and assign a host group; my recommendation is to enable all configurations.
6. Next, configure the USB Policy for Device Control. Many organizations have to block USB mass-storage devices entirely, but in some cases an organization only sets USB mass storage to Read Only for business reasons.
After all policies are configured, you can test them on the host using the safe test commands that Falcon Crowdstrike provides:
In the Command Prompt window, type the following commands:
sc query csagent
You should see that the Falcon Agent (the CSAgent service) is installed and running.
Next type:
choice /m crowdstrike_sample_detection
Type Y.
You can see the result in the Falcon Console like this:
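The same check, scripted so it can be run on every newly enrolled host before you move a group to the next prevention phase. This is an added example and not a script from the original post or from Crowdstrike; it assumes the sensor is already installed, that the service is registered under the name CSAgent (as the sc query above shows), and that it is run from an elevated PowerShell window. The function names are my own.

```powershell
# Added example (not from the original post or from Crowdstrike).
# Assumes: sensor installed, service name "CSAgent", elevated PowerShell.

function Test-FalconSensor {
    # Get-Service throws when the service does not exist; turn that into
    # a clear "not installed" result instead of a red error.
    try {
        $svc = Get-Service -Name 'CSAgent' -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Installed = $false; Running = $false; Status = 'NotInstalled' }
    }
    [pscustomobject]@{
        Installed = $true
        Running   = ($svc.Status -eq 'Running')
        Status    = $svc.Status.ToString()
    }
}

function Invoke-FalconSampleDetection {
    # Same benign trigger as the manual test above: the sensor keys on the
    # process command line "choice /m crowdstrike_sample_detection".
    # Piping Y answers the prompt so the script needs no keyboard input.
    cmd.exe /c 'echo Y | choice /m crowdstrike_sample_detection' | Out-Null
    return $LASTEXITCODE   # choice returns 1 for the first option (Y)
}

$state = Test-FalconSensor
if (-not $state.Running) {
    Write-Warning "Falcon sensor is not running (status: $($state.Status)); fix this before testing policies."
    exit 1
}

Write-Host "Falcon sensor is running; firing the sample detection. Check the Falcon Console for the new detection."
$rc = Invoke-FalconSampleDetection
Write-Host "Sample detection command finished with exit code $rc."
```

Run it right after the sensor download step for each host in a group; a host where Test-FalconSensor reports NotInstalled or Stopped never reached the sensor update policy and should not be moved to Interim or Maximum Protection until that is fixed.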
If you want to test with real malware, I recommend you install the Falcon agent in a staging environment; in this example I am using real malware and I try to run it with administrator privileges.
The malware I used for testing is Lockbit ransomware: https://www.virustotal.com/gui/file/aeb8f128d346f457c35e5ef7446dbb88c3db8b1478f7d62de6b30f3c225032bf/detection
After I ran the ransomware in my staging environment, Falcon Crowdstrike killed the process with the description "A suspicious process, associated with potentially destructive malware like ransomware, launched. Review the process tree". Falcon Crowdstrike recognizes the signs of ransomware by Indicator of Attack.
Another example is to test the detection and prevention of Falcon Crowdstrike using tools like APT Simulator or Atomic Red Team. The most interesting thing I found in the Falcon Crowdstrike console is a detection of the tool trying to dump credentials, and Falcon Crowdstrike successfully detected and blocked the operation.
That's all for now. Thank you and stay secure!