[long post] #CrowdStroke is demonstrating the significant risks of giving a third party remote root across your systems. I'd argue we don't have to accept this and can stop granting such vendors access to critical systems with acceptable security.
Risks of AV/NGAV/EDR/XDR/whatever the next buzzword is don't just include functional bugs: false positives killing your critical processes, data exposure, or supply chain attacks via third party have all happened.
The commonly repeated refrains of "bugs can happen to anyone," "this stuff is hard," etc. aren't reassuring or an acceptable answer when Delta, for example, has continued to mass-cancel flights for 4 days (so far!). Shrugging our collective shoulders and just hoping the AV - I mean EDR - vendors don't screw up again like they have several times before and continuing to install their agents everywhere is just not going to cut it.
Nevertheless, effective active endpoint security software is arguably necessary on endpoints where users surf the internet and open attachments to block malicious initial access, but on critical servers, the situation is reversed. If an agent for a common C2 framework is detected on a domain controller or OT control system, immediately killing it is likely not the best response option, even apart from the risks above. It is indicative of a far broader ongoing intrusion requiring a comprehensive incident response.
But what is the alternative exactly? How else will you see that agent or credential dump or brute force attempt, etc.? Nearly all the high signal data from hashes of libraries loaded to process injection via CreateRemoteThread can be collected by built-in or configurable event collection with something like sysmon, forwarded to a SIEM, and analyzed against executable whitelists, YARA rules, VirusTotal, and more. Brute force attempts can be detected by these as well as by packet captures, request log analytics, etc.
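As an added illustration of the passive pipeline described above (not code from the original post), here is a small analysis pass over constructed Sysmon-style events: image-load hashes (Event ID 7) are checked against a hypothetical defender-maintained allowlist, and cross-process CreateRemoteThread events (Event ID 8) are surfaced for an analyst rather than auto-killed. The allowlist, the hash values, and the event records are all constructed sample data.

```python
"""Toy SIEM-side detection over Sysmon-style events (constructed sample data).

Added example, not part of the original post. Assumes the field names Sysmon
emits for Event ID 7 (ImageLoaded, Hashes) and Event ID 8 (SourceImage,
TargetImage), and a hypothetical allowlist of approved SHA256 image hashes.
"""

# Constructed allowlist: SHA256 hashes the defender has approved on this host.
KNOWN_GOOD_SHA256 = {
    "a" * 64,  # placeholder for an approved kernel32.dll build
    "b" * 64,  # placeholder for an approved ntdll.dll build
}

# Constructed events in the shape of Sysmon output forwarded to a SIEM.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "Hashes": "SHA256=" + "a" * 64},
    {"EventID": 7, "Image": "C:\\Users\\alice\\app.exe",
     "ImageLoaded": "C:\\Users\\alice\\helper.dll",
     "Hashes": "MD5=" + "0" * 32 + ",SHA256=" + "c" * 64},
    {"EventID": 8, "SourceImage": "C:\\Users\\alice\\app.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe"},
    {"EventID": 8, "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\System32\\csrss.exe"},
]


def parse_hashes(field):
    """Split Sysmon's 'ALG=hex,ALG=hex' Hashes field into a dict."""
    return dict(part.split("=", 1) for part in field.split(",") if "=" in part)


def analyze(events, allowlist=KNOWN_GOOD_SHA256):
    """Return alert strings for unapproved image loads and for threads
    created in a different process (a common injection technique)."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 7:
            sha = parse_hashes(ev["Hashes"]).get("SHA256", "").lower()
            if sha not in allowlist:
                alerts.append(f"unapproved image {ev['ImageLoaded']} "
                              f"loaded by {ev['Image']} (SHA256={sha})")
        elif ev["EventID"] == 8:
            # Same-process thread creation is routine; cross-process is
            # what an analyst should look at, not what an agent should kill.
            if ev["SourceImage"].lower() != ev["TargetImage"].lower():
                alerts.append(f"remote thread: {ev['SourceImage']} "
                              f"-> {ev['TargetImage']}")
    return alerts
```

Each alert is a record for a human to investigate; nothing in the pass terminates a process.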
Nearly all the value of CrowdStrike comes not from the superiority of a few extra points their kernel driver can monitor, but from the analysts watching, investigating, tuning, and responding to the data collected. This is the type of service that many managed security services can provide on a safer and more passive stack. Not only that, but you can often keep your data in your own SIEMs, in your network, in your datacenter, that you own.
It can be the right choice for many systems. I'd argue it undoubtedly is for critical OT ICS systems, and likely is for many IT servers as well.