Often, he said, the alerts are useless - more false positives than anything. However, when a red team ran an engagement last year, Falcon Host did detect the red team's actions, which was considered a win by the IR team. Otherwise, at least on his network, Falcon Host generates more noise than signal.
It was made clear during the Falcon Host demo that the product is there to stop hacking attempts. When tuned, it can detect a number of known methods and techniques, but it wasn't clear from the demo how the unknowns are dealt with. Videos on YouTube about Falcon Host do address the topic, but Salted Hash can't verify the rate of success.
The demo we witnessed used Metasploit and a basic attack technique (ASLR bypass). In addition, the domain used by the demo was we11point.com, a domain associated with a known actor that has been covered extensively by CrowdStrike and others. In all fairness, there was no way the demo could fail.
Tuning and blocking:
Falcon Host, Jason explained, is more of a host-based intrusion detection system (HIDS) than anything else, unless you enable a feature that will stop an attack.
This function however, isn't activated in Jason's environment due to fears that the automation it will break the business and kill processes that are legitimate. As it stands, Jason added, CrowdStrike's Falcon platform is mostly a response tool, not threat intelligence.
During the demo, the automated blocking features were both enabled and disabled on Falcon Host. The same Metasploit-based attack was used each time. The known attack methods were detected without blocking enabled and alerts were raised.
However, the attack was still successful. When blocking was enabled, the known attack methods were halted and the demo attack was unsuccessful.
The image on the left shows the demo attack being detected. The redaction to the image was made by Salted Hash.
Based on the features shown during the demo, Jason's comment that Falcon Host is a response tool and not threat intelligence is correct.
CrowdStrike collects their own threat intelligence (Falcon Intelligence) and uses it to drive the Falcon Platform.
One of the questions CrowdStrike didn't answer when we reached out to them addressed how the company helped customers get past the hurdle of not trusting automated blocks and responses. It's an important question considering it's a key aspect of the platform.
Another CrowdStrike offering, Falcon DNS, did detect bad traffic via malware to a C2. Once again though, Jason explained, much of that traffic is also noise by way of false positives, so one tends to get inured to the alerts.
Once in a blue moon, he said, Jason will get an email detailing domains that are likely being registered for squatting or phishing, and while that's useful, those emails didn't catch the other domains he discovered himself, so it's hit or miss.
Sign up for Computerworld eNewsletters.