Written by: Joseph Salazar, Technical Marketing Engineer

Attivo Networks actively solicits feedback from its customers on improvements and new features they want to see. We regularly receive requests to integrate with particular technology solutions so that customers can better leverage the Attivo ThreatDefend® platform alongside their existing security controls. One of the more recently requested integrations was with the CrowdStrike EDR platform, and Attivo completed the initial phase of the CrowdStrike integration earlier this year. This blog covers the current Attivo/CrowdStrike integrations and discusses how organizations can benefit from the joint solution.
CrowdStrike offers the Falcon Platform, which provides unified endpoint protection from the cloud. The Falcon Platform is flexible and extensible when it comes to meeting an organization’s endpoint security needs. The platform offers the following components:
- Falcon Prevent – NGAV (next-generation antivirus)
- Falcon X – Threat Intelligence
- Falcon Device Control – USB device control
- Falcon Firewall Management – Host firewall
- Falcon Insight – EDR
- Falcon OverWatch – Managed threat hunting
- Falcon Discover – IT hygiene (asset, application, and account visibility)
These components come bundled as three levels of subscription.
The following modules are available as stand-alone solutions or can add functionality to the bundles depending on specific needs.
- Falcon Spotlight – Manage System Vulnerabilities
- Falcon for Mobile – Mobile EDR
- Falcon Search Engine – Malware Search
- Falcon Sandbox – Automated Malware Analysis
These Falcon Platform components work together to stop many attacks and protect the organization. Unfortunately, advanced attackers have tactics and techniques that can evade detection, and this is where the Attivo Networks ThreatDefend® platform can help. The ThreatDefend platform acts as a safety net to detect these evasive attackers once they have compromised an internal system and begin to look around and move laterally. The platform creates a detection fabric made up of decoys and deceptions at the network, endpoint, application, data/database, and Active Directory layers to reveal attackers as they try to infiltrate further into the organization. When used in conjunction with EDR solutions, the ThreatDefend platform can significantly improve detection performance (see our report on how the platform improves MITRE ATT&CK evaluation detections).
For CrowdStrike, the ThreatDefend platform integrations focus on two specific components – the Falcon Insight EDR solution, and the Falcon Sandbox malware analysis module.
Falcon Insight delivers continuous, comprehensive endpoint visibility that spans detection, response, and forensics so that security teams can see and stop potential breaches. Falcon Sandbox performs an in-depth analysis of evasive and unknown threats, enriches the results with threat intelligence, and delivers actionable indicators of compromise (IOCs), enabling security teams to better understand sophisticated malware attacks and strengthen their defenses.
The first integration that Attivo Networks completed uses Falcon Insight to quarantine compromised systems from the network; it is available in the current version of the ThreatDefend platform. It combines the visibility and detection capabilities of the ThreatDefend platform with the endpoint isolation (network containment) function of Falcon Insight.
If attackers successfully evade the Falcon Insight endpoint protections, the ThreatDefend platform decoy assets are there to identify their lateral movement. This could be a port scan of a host looking for services to exploit, an unauthorized AD query scraping the directory for Domain Administrator accounts, a piece of ransomware enumerating files on local or mapped network shares to encrypt, and many more. When the attacker engages with the decoy assets on the endpoint, those assets lead them to the network decoys for engagement while the platform alerts on the activity. The platform notifies the security team while collecting forensics and recording all attacker activity on the decoy systems. The security team can then choose to isolate the compromised system with Falcon Insight directly from the ThreatDefend platform's UI. They can either trigger the integration manually or configure it to run automatically for specific alert types, or as one step of a repeatable IR playbook. Because containment cuts a host off from the network, automatic isolation is best limited to high-confidence alert types, with critical infrastructure (domain controllers, hypervisors) routed to an analyst instead of being quarantined unattended.
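The following is an added example written for this post, not code from Attivo Networks or CrowdStrike, showing what the "run automatically for specific types of alerts" policy looks like when written down: deception alerts are triaged into auto-contain, manual review, and alert-only buckets, and one Falcon network-containment request is built per affected agent ID. The alert records are constructed for the example and do not reflect the ThreatDefend platform's real export format; the Falcon endpoint path and request body follow CrowdStrike's public Hosts API reference (the OAuth2 bearer token is assumed to have been obtained separately); the policy constants are illustrative assumptions an IR team would tune.

```python
# Added example (not Attivo's or CrowdStrike's code): an auto-containment
# playbook that consumes deception alerts and decides which source hosts to
# isolate through the Falcon Hosts API. The alert format is constructed for
# this example; the endpoint path and body follow CrowdStrike's public API
# reference (POST /devices/entities/devices-actions/v2, action_name=contain).
import json
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

FALCON_BASE = "https://api.crowdstrike.com"
CONTAIN_PATH = "/devices/entities/devices-actions/v2?action_name=contain"

# Policy knobs an IR team would tune (assumed values). Only deception alerts
# that already imply hands-on-keyboard activity or malware are auto-contained;
# noisier categories (a lone port scan, say) still alert but go to an analyst.
AUTO_CONTAIN_CATEGORIES: Set[str] = {"lateral_movement", "ad_recon", "ransomware"}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
MIN_AUTO_SEVERITY = "high"
# Hosts that must never be isolated without a human in the loop: containing a
# domain controller or a hypervisor is an outage, not a remediation.
PROTECTED_HOSTS: Set[str] = {"DC-01", "DC-02", "HV-CLUSTER-01"}

# Constructed sample alerts in a hypothetical deception-platform export format.
SAMPLE_ALERTS: List[Dict] = [
    {"id": "evt-1001", "category": "lateral_movement", "severity": "high",
     "source_host": "WS-042", "aid": "aid-ws042",
     "detail": "SMB share enumeration against decoy FIN-SRV-01"},
    {"id": "evt-1002", "category": "ad_recon", "severity": "high",
     "source_host": "DC-01", "aid": "aid-dc01",
     "detail": "LDAP query for Domain Admins members using decoy credential"},
    {"id": "evt-1003", "category": "port_scan", "severity": "medium",
     "source_host": "WS-077", "aid": "aid-ws077",
     "detail": "TCP scan of decoy 10.0.5.20, ports 22,135,445,3389"},
    {"id": "evt-1004", "category": "ransomware", "severity": "critical",
     "source_host": "WS-042", "aid": "aid-ws042",
     "detail": "mass rename of files on decoy share \\\\FIN-SRV-01\\finance"},
]


@dataclass
class Decision:
    contain: List[str] = field(default_factory=list)        # Falcon agent IDs
    manual_review: List[str] = field(default_factory=list)  # alert IDs
    alert_only: List[str] = field(default_factory=list)     # alert IDs


def triage(alerts: List[Dict]) -> Decision:
    """Apply the containment policy; at most one contain action per agent ID."""
    d = Decision()
    queued: Set[str] = set()
    for a in alerts:
        sev = SEVERITY_RANK.get(a.get("severity", "low"), 0)
        if (a["category"] not in AUTO_CONTAIN_CATEGORIES
                or sev < SEVERITY_RANK[MIN_AUTO_SEVERITY]):
            d.alert_only.append(a["id"])
        elif a["source_host"] in PROTECTED_HOSTS:
            d.manual_review.append(a["id"])
        elif a["aid"] not in queued:   # two alerts from one host -> one action
            queued.add(a["aid"])
            d.contain.append(a["aid"])
    return d


def build_contain_request(aid: str, token: str) -> Dict:
    """Describe the Falcon network-containment call for one agent ID."""
    return {
        "method": "POST",
        "url": FALCON_BASE + CONTAIN_PATH,
        "headers": {"Authorization": "Bearer " + token,
                    "Content-Type": "application/json"},
        "body": {"ids": [aid]},
    }


def urllib_send(req: Dict) -> int:
    """Real sender: issue the request and return the HTTP status code."""
    r = urllib.request.Request(req["url"], data=json.dumps(req["body"]).encode(),
                               headers=req["headers"], method=req["method"])
    with urllib.request.urlopen(r, timeout=10) as resp:
        return resp.status


def run_playbook(alerts: List[Dict], token: str,
                 send: Callable[[Dict], object] = urllib_send) -> Decision:
    """Triage alerts and dispatch one containment request per decided host."""
    d = triage(alerts)
    for aid in d.contain:
        send(build_contain_request(aid, token))
    return d


if __name__ == "__main__":
    # Dry run: record requests instead of sending them (token is a placeholder).
    sent: List[Dict] = []
    result = run_playbook(SAMPLE_ALERTS, "<oauth2-token>", sent.append)
    print("contain:", result.contain, "manual:", result.manual_review,
          "alert-only:", result.alert_only)
    print("requests:", json.dumps(sent, indent=2))
```

Run against the constructed alerts, the playbook contains WS-042 once (its two alerts collapse into a single request), sends the DC-01 reconnaissance alert to manual review because the host is on the protected list, and leaves the medium-severity port scan as an alert only. The `send` parameter is what makes the policy testable: a recorder in a dry run, `urllib_send` against the real API once the team trusts the decisions.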
The next integrations cover the Falcon Insight threat hunting functions and the Falcon Sandbox malware analysis function. For threat hunting with Falcon Insight, the ThreatDefend platform will send the event data and forensics that the decoys collected as the attacker interacted with them, such as network packet captures and IOCs, to Falcon Insight. Security teams can then search the rest of the endpoint estate for matching indicators that would reveal other infected systems needing remediation. For Falcon Sandbox, the ThreatDefend platform will share files and payloads captured on the decoys with the sandbox for additional analysis, a threat intelligence sharing function. These upcoming integrations strengthen existing security controls and enhance defenses.
The Attivo Networks ThreatDefend platform adds value to existing solutions by acting as a detection safety net for advanced attackers who evade current defenses. By integrating with the partner controls in the environment, it adds visibility into in-network threats and east-west activity while accelerating incident response and threat intelligence sharing. The CrowdStrike integrations are another example of this cooperative effort to enhance an organization's security posture.