Playing With CrowdStrike Machine Learning Detection

A review of the new generation EDR CrowdStrike

Carlos Cilleruelo
The Startup


CrowdStrike Logo | crowdstrike.com

Recently one of my clients received a well-performed phishing attack with an “invoice” that, like a lot of attachments, was malware. Everything seemed to be legit except that the invoice ended up in one of my honeypot inboxes. I usually deploy some email addresses, not in active use by the company, that I monitor in order to catch attacks. The malware seems to be a trojan focused on stealing information. Furthermore, being a fresh sample, at the beginning it was only detected by six detection engines in VirusTotal; right now it is detected by 18 of the 60 available on VirusTotal.
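The honeypot-inbox setup described above lends itself to a small triage script. The following is an added example, not code from the article: it builds a constructed phishing message (the attachment bytes are a harmless placeholder, not malware), checks whether any recipient is one of a hypothetical list of honeypot addresses, and hashes the attachments so the SHA-256 can be looked up on VirusTotal by hand. The addresses, filenames and extension list are assumptions for illustration.

```python
import email
import email.utils
import hashlib
from email import policy
from email.message import EmailMessage

# Hypothetical honeypot addresses: mailboxes the company no longer uses,
# so any mail that reaches them is unsolicited by definition.
HONEYPOT_ADDRESSES = {
    "old-employee@example-company.test",
    "former-sales@example-company.test",
}

# Extensions that should never arrive as an "invoice"; illustrative list.
SUSPICIOUS_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".jar", ".iso", ".lnk", ".hta")

# Constructed placeholder standing in for the attachment payload.
SAMPLE_ATTACHMENT = b"not really an executable, just constructed sample bytes"


def sha256_hex(data):
    """SHA-256 hex digest, the form VirusTotal accepts for a lookup."""
    return hashlib.sha256(data).hexdigest()


def build_sample_message():
    """Construct a phishing-style message that CCs a honeypot address."""
    msg = EmailMessage()
    msg["From"] = "accounting@example-supplier.test"
    msg["To"] = "invoices@example-company.test"
    msg["Cc"] = "old-employee@example-company.test"  # honeypot recipient
    msg["Subject"] = "Invoice 4471 overdue"
    msg.set_content("Please find attached the overdue invoice.")
    msg.add_attachment(
        SAMPLE_ATTACHMENT,
        maintype="application",
        subtype="octet-stream",
        filename="invoice_4471.exe",
    )
    return msg.as_bytes()


def honeypot_recipients(raw, honeypots=HONEYPOT_ADDRESSES):
    """Return the set of honeypot addresses found in To/Cc/Bcc."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = set()
    for header in ("To", "Cc", "Bcc"):
        values = [str(h) for h in msg.get_all(header, [])]
        for _name, addr in email.utils.getaddresses(values):
            if addr.lower() in honeypots:
                found.add(addr.lower())
    return found


def attachment_hashes(raw):
    """Return [(filename, sha256)] for every attachment in the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        result.append((part.get_filename(), sha256_hex(payload)))
    return result


def triage(raw):
    """Summarise why a message deserves a closer look."""
    hits = honeypot_recipients(raw)
    attachments = attachment_hashes(raw)
    suspicious = [
        name for name, _digest in attachments
        if name and name.lower().endswith(SUSPICIOUS_EXTENSIONS)
    ]
    return {
        "honeypot_hit": bool(hits),
        "honeypot_recipients": sorted(hits),
        "attachments": attachments,
        "suspicious_attachments": suspicious,
    }


if __name__ == "__main__":
    verdict = triage(build_sample_message())
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

A honeypot hit alone is enough to pull the message for analysis; the attachment hash is what you paste into VirusTotal, and a low detection count on a fresh sample (as in the case above) is a reason to treat it as malicious rather than as clean.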

VirusTotal scan of the sample | Image by the author

Due to this low detection rate, it was more than possible that my client could have ended up infected. This is nothing new, but it helped me show my client the current evolution of phishing attacks and offer them the possibility to improve their security. Being a small-to-medium-size enterprise, they cannot allocate a lot of budget to cybersecurity, but I started to study possible improvements.

One of the first malware detection engines that blocked the malware was CrowdStrike Falcon.

Carlos Cilleruelo

Bachelor of Computer Science and MSc on Cyber Security. Currently working as a cybersecurity researcher at the University of Alcalá.