Why Crowdstrike’s focus on attackers and active defense polarizes infosec pros
I’ve been writing this story forever it seems, trying to arrive at a reasonable version of the truth. I’ve been sworn to secrecy, and have had so many off-the-record conversations I’m tempted to just leave part of this page blank as a symbolic defacement of my own work – a lulz by me, on me.
Rarely has a company been such a lightning rod for both intrigue and blowback like Crowdstrike. Welcome to the Kim Kardashian of information security.
Flush with $26 million (Series A) in funding from Warbug Pincus, and with some fanfare, Crowdstrike crawled out of a morass of security products and security consultancies in early 2012 at the RSA Conference, one of the largest information security gatherings in the world. (The conference is put on by RSA, a cryptography company acquired by EMC in 2006.)
Crowdstrike promised a brand-new approach, one that focused less on the exploit and more on the attacker. The company officially announced its offering at this year’s RSA conference, and it just recently announced the shipment of its Falcon platform. Crowdstrike CEO and founder, George Kurtz, claims the company is growing quickly, snatching up new customers like a bird of prey.
The company’s harshest detractors characterize them more like vultures. Some believe Crowdstrike will inevitably test legal and ethical boundaries in fighting hackers; the implication is that Crowdstrike offers offensive capabilities, known in some circles as “hack back.” Kurtz emphatically denies it.
Some view the company skeptically, wondering whether its claims are real, others argue that what Crowdstrike purports to do is nothing new, while still other professionals lean more optimistically. I managed to find one customer who shut down like an angry clam when I probed for details; I talked with another fan and potential customer off the record, but even he admitted that what Crowdstrike is claiming is hard to do. To be fair, none of the people I talked with extensively had been fully briefed on the product since it officially launched.
Some employed in the industry agree that new approaches to information security are necessary because of a growing sophistication among attackers, although quite a few also believe that even most modern security breaches still stem from ignorance of basic security hygiene, or unwitting and uneducated end users, and there is data to substantiate both sides.
Alas, if George Bernard Shaw had observed information security professionals rather than economists, he might have posited that they, too, wouldn’t reach a conclusion if laid end to end...
For the past couple of decades, most corporate information security practices revolved around stopping attacks using an arsenal of gloomy and expensive technology: Anti-virus software for PCs, firewalls and intrusion detection systems to block misbehaving applications and suspicious-looking network traffic, VPNs to encrypt data in transit. And that’s just for starters.
Hardly deterred, hackers still probe discretely for openings, socially engineer easy access, and pummel perimeters with overwhelming floods of traffic, taking down sites and industrial control systems, or littering them with all sorts of malware, some of it hiding for weeks or months, innocent and undetected, until ready to unleash the furor of its authors on a designated target (known as advanced persistent threats, or APTs, although that term appears to be anathema to security professionals these days).
The attackers pilfer credit cards and identity data, deface public websites, and shut down crucial operations. The most insidious attacks cause serious financial damage. In 2012, more than 17 million identity records were exposed, according to the Identity Theft Resource Center. A Ponemon Institute study estimates that the average loss per company from a data breach was $5.4 million in 2012.
There is evidence to suggest that the majority of incidents don’t result from any magical new (read: APT) capabilities. In one widely read (and entertainingly written) study, Verizon’s 2013 Data Breach Investigations Report, respondents said that 76 percent of network intrusions were the result of weak or stolen credentials. The number of attacks initiated by social engineering tactics was up four-fold from the prior year.
Drew Maness, VP of external threat management for Universal Music Group says that “the tools out there make it easy for someone who isn’t sophisticated to run a botnet.” He said that there are still plenty of routine, old-school-style attacks against his company’s network.
“It’s basic stuff,” says Maness, but part of the problem is that the industry “hasn’t defined what the standard of due diligence is.” For example, if someone shoplifts from Nordstrom, he says, it’s not news; Nordstrom’s stock doesn’t take a hit. But if someone defaces Nordstrom’s site, or it’s dishing out malicious code, it’s suddenly a problem. In light of that, he asks: “And we’re expected to defend against China or other well-funded nation states and organizations by ourselves?”
On the more ominous and persistent side of the threat landscape, then, organizations are hiring consulting firms (call them APT hunters), like Booz-Alan & Hamilton or Mandiant to come to the rescue, not just to uncover and stop attacks but also to keep existing breaches out of the news.
Crowdstrike emerged against this somewhat unsettled backdrop. The company’s founders and principles are, by and large, ex-McAfee and ex-FBI, including Shawn Henry, the now-retired Executive Assistant Director of the FBI. Henry led the criminal and cyber programs, and investigations for the FBI, among other roles there. CEO Kurtz started Foundstone, a security professional services company, in 1999 and sold it to McAfee (now part of Intel) in 2004.
Because Crowdstrike launched in so-called stealth mode (let’s safely label that an oxymoron), there were lots of questions about whether its solution would step into that legally questionable area of attacking the attacker. Most industry observers say that no corporate legal counsel would ever condone any counter-attack approaches.
Brian Martin of Attrition.org, a site with a stated mission of calling bullshit on some of the hype in the security community, has been pretty vocal about his opposition to Crowdstrike’s approach:
Crowdstrike puts forth a vague and very different message in the media versus their actual offerings. Ultimately, they need to be very clear. Do they perform "strike back" services? If they say yes, they are morons and violating the law. If they won't commit to a yes/no answer, they are riding the line purely for sales.
Martin pointed to early Crowdstrike press coverage, and what he deemed “nebulous” statements by executives like Kurtz about taking the fight to adversaries, as sources of duplicity.
Kurtz sets the record straight:
We are talking about Active Defense, not hack back. We have the former executive assistant director of the FBI and their lead cyber attorney on our team. Do you really think we would do things that are illegal? Kind of a ridiculous statement by people who don’t know what they are talking about.
Crowdstrike puts lightweight sensors (400 KB of code) on every computer in an organization (there are also sensors for DNS and e-mail). Those sensors collect data, like a flight recorder and feed it up to the Crowdstrike cloud-based data center, where it analyzed and processed using big data tools like Hadoop.
By watching everything that happens on a system in real time, Crowdstrike’s software can infer when something bad occurs and take action. Crowdstrike applies an organic understanding of damaging or threatening behavior and the ability to determine the actor behind it, and, Kurtz likes to say, “connecting the dots.”
Some security professionals have questioned this approach. Attrition.org’s Martin says that attribution is “a pipe dream, and certainly not reliable or readily repeatable, and certainly not enough to reliably sell it as a service unless they are only identifying the low hanging fruit of attackers.”
Kurtz said that Crowdstrike collects its own intelligence using its 20 person-intelligence team, and infuses that into its platform, but also that Crowdstrike takes an active role in sharing its information with the rest of the industry. Having other threat intelligence, he said, is like having commodity raw materials: “The value is what you do to enrich the data...we spend lots of time creating finished intelligence, not just having raw intelligence.”
The intelligence researchers study and track adversaries around the world and create profiles that can be mechanized and attributed to behavior on a particular system. Organizations can then take actions, like killing a connection, or locking down a compromised system.
Jerry Johnson, Senior IT Policy & Technology Advisor for Pacific Northwest National Laboratory, which is part of the US Department of Energy (DOE), and experienced a serious breach two years ago, said:
Detection is exceedingly difficult. While you are looking for that slightly bent needle in a haystack of needles, they are happily exfiltrating your secrets. You have to isolate and add protection to sensitive data. You have to put up barriers to moving around the network and gaining privileged access. And you STILL have to watch for the adversary who has gained a foothold on one or two of a handful of workstations and are meticulously and quietly working to overcome the barriers you’ve created. Crowdstrike does the latter, from what I can tell.
“The trade craft never changes,” Kurtz said, referencing the commonly understood kill chain processes that any hacker adheres to. “It doesn’t matter what gun or blowtorch you bring, ultimately you have to get in . . . maintain persistence, move laterally and disrupt systems.”
Johnson told me that PNNL conducted a “threat-source analysis of the four key actor types: APT, cybercriminal, trespasser/hactivist, vandal. We looked at their intent or motivation, their capability, and their modus operandi (which is ever evolving). Our analysis is that not all hackers adhere to the kill chain. Some simply don’t have the capabilities. Some have different motives.”
In some ways, we’ve seen the Crowdstrike approach in various forms before. Network forensic tools help try to discover attack sources after the fact. Security Information and Event Management (SIEM) manage and analyze security event data, but not necessarily at this scale, or in real time, which is where Kurtz says the real differentiation lies.
Now it’s time to prove it.
Image Credit: toffehoff on Flickr]