CS is an EDR (Endpoint Detection & Response) and it connects to other parts like XDR (Extended Detection and Response) and MDM (Mobile Device Management). They differ from the typical antivirus in how they detect threats. The AV usually checks against known threats, while EDR detects endpoint behavior anomalies. For example, if your browser spawns a shell, it will be marked and the process quarantined. Of course, they do share a lot of common domains like real-time protection, cloud analysis, etc., and some AVs have most of the EDR capabilities, and some EDRs have most of the AV capabilities.
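The "browser spawns a shell" behaviour the comment uses as its example is a parent/child execution-graph rule rather than a signature match. The following is an added illustration, not CrowdStrike's or any vendor's code: a toy rule engine over constructed process-creation events (the field names, image lists and the `curl ... | sh` pattern are assumptions chosen for the demo; real sensor telemetry such as Sysmon event 1 or auditd carries similar fields under other names). It flags a shell whose parent is a browser or an Office application, and a command line that pipes downloaded content straight into a shell.

```python
"""Toy behavioural (EDR-style) rule engine over process-creation events.

Added example, not CrowdStrike code. Event layout and rule lists are
constructed for the demo.
"""
from dataclasses import dataclass
import re


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # base name of the executable, e.g. "chrome.exe" or "bash"
    cmdline: str
    user: str = "alice"


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


# Assumed classification lists; a production rule set is far larger.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "chrome", "firefox", "safari"}
DOC_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "zsh", "dash"}

# Downloaded content piped directly into an interpreter, e.g. "curl ... | sh".
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(sh|bash|zsh)\b")


def evaluate(events):
    """Return alerts for parent/child pairs and command lines that break the
    expected execution graph. Parent lookup is by pid within the batch."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pimg = parent.image.lower() if parent else None
        img = e.image.lower()
        if pimg in BROWSERS and img in SHELLS:
            alerts.append(Alert("browser_spawned_shell", e.pid,
                                f"{pimg} -> {img}: {e.cmdline}"))
        if pimg in DOC_APPS and img in SHELLS:
            alerts.append(Alert("office_spawned_shell", e.pid,
                                f"{pimg} -> {img}: {e.cmdline}"))
        if PIPE_TO_SHELL.search(e.cmdline):
            alerts.append(Alert("remote_script_piped_to_shell", e.pid, e.cmdline))
    return alerts


# Constructed sample batch: a normal desktop session plus three anomalies.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   "explorer.exe",   "explorer.exe"),
    ProcEvent(200, 100, "chrome.exe",     "chrome.exe --profile-directory=Default"),
    ProcEvent(300, 200, "cmd.exe",        "cmd.exe /c whoami"),            # browser -> shell
    ProcEvent(400, 100, "winword.exe",    "winword.exe report.docx"),
    ProcEvent(500, 400, "powershell.exe", "powershell.exe -nop -w hidden"),  # office -> shell
    ProcEvent(600, 1,   "bash",           "bash -c 'curl -sSf https://example.invalid/install.sh | sh'"),
    ProcEvent(700, 100, "cmd.exe",        "cmd.exe"),                      # user opened a prompt: fine
]


def run_demo():
    """Evaluate the constructed batch and return the fired rule names in order."""
    return [(a.rule, a.pid) for a in evaluate(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for rule, pid in run_demo():
        print(f"ALERT {rule} pid={pid}")
```

Note that the last event (Explorer launching a command prompt) produces nothing: the rule is about an unexpected parent, not about shells as such, which is also why the `curl | sh` installer in a later comment trips a rule and a user-opened terminal does not.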
This is briefly described.
We're running something similar (not CS) where I work.
It seems to me that these tools create lots of problems (slows down the machine significantly in particular, gets things wrong and quarantines processes/machines when it shouldn't, injects itself into processes so it changes behaviour, etc.).
The main question I have is: does anyone have an actual instance of such tools detecting something useful? No one in the office was able to show one.
I contracted for a company that gave me a company-issued MacBook with CrowdStrike. It logged my execve() or something, because I did a curl from rustup | sh, and this alerted an admin, who then contacted me to ask if this was legitimate behaviour.
Worked for a fairly largish org (~40k emps), and one of the "security" gurus roped me into a conversation because he found a batch file in my Teams shared files. The contents:
set JAVA_HOME="what_ever_path"
and asked me to explain this egregious hacking attempt.
My company had a mandatory req of installing it. If you look into it, it logs and spies on everything you do: every DNS req, every website, every application, etc.
Now my M3 Ultra MacBook work computer that they gave me is a 4000 USD Teams/email machine since I prefer to work on computers without spyware.
I understand your preference. I have two questions:
1) Do you think that an organization should have no protections in place?
2) Why not just work from the machine they provided you, and do everything else on a personal machine?
I assume from your rhetorical question that you don't. I personally don't know enough about it to say whether it does or not, but I will make what I believe is a reasonable assumption and say that, all else being equal, yes, a fleet of machines with an EDR sensor installed is more "protected" than a fleet without.
If you have a point to make, why not just say what you are trying to say; it will be more effective discourse. I am genuinely curious.
The key to tools like CrowdStrike is not so much protection but being able to trace an attack through the infrastructure. They can see that your credentials were compromised on your machine, and which systems you then connected to (or that the bad process did), so they can trace the attack and make sure they get it all cleaned up.
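The tracing the comment describes (a compromised account on one machine, then the chain of systems reached from it) is a time-ordered graph walk over logon telemetry. The following is an added example, not CrowdStrike's code: constructed logon events (user, source host, destination host, timestamp; all names and times are made up) and a `trace()` that, from a starting host and compromise time, follows the account's logons forward only along hosts that were already reached by that time, so an edge cannot be "explained" by a host the chain had not reached yet. Logons of the same account after the compromise time that do not sit on the chain are returned separately, because a responder wants to see those too.

```python
"""Trace a compromised account's lateral movement from logon events.

Added example, not CrowdStrike code. Event shape, host names and times are
constructed for the demo; real data would come from domain controller or
EDR logon telemetry.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Logon:
    when: datetime
    user: str
    src: str   # host the session originated from
    dst: str   # host that accepted the logon


def trace(events, user, patient_zero, since):
    """Return (path, off_path).

    path: logons of `user` reachable by a time-ordered chain starting at
          `patient_zero` no earlier than `since` (the compromise time).
    off_path: `user`'s other logons at or after `since` that the chain does
          not explain (account used from a host the chain never reached, or
          before the chain reached that host).
    """
    cand = sorted((e for e in events if e.user == user and e.when >= since),
                  key=lambda e: e.when)
    reached = {patient_zero: since}   # host -> earliest time the attacker could act there
    used, path = set(), []
    progress = True
    while progress:                   # repeat: reaching a host can unlock earlier-skipped edges
        progress = False
        for i, e in enumerate(cand):
            if i in used:
                continue
            t = reached.get(e.src)
            if t is not None and e.when >= t:
                used.add(i)
                path.append(e)
                progress = True
                if e.dst not in reached or e.when < reached[e.dst]:
                    reached[e.dst] = e.when
    path.sort(key=lambda e: e.when)
    off_path = [e for i, e in enumerate(cand) if i not in used]
    return path, off_path


def affected_hosts(path, patient_zero):
    """Hosts in the order the chain first reached them, starting at patient zero."""
    hosts = [patient_zero]
    for e in path:
        if e.dst not in hosts:
            hosts.append(e.dst)
    return hosts


def _t(h, m):
    return datetime(2024, 1, 1, h, m)


# Constructed sample: alice's credentials assumed compromised on laptop-alice at 10:00.
SAMPLE = [
    Logon(_t(9, 0),   "alice", "laptop-alice", "fileserver"),  # before compromise: ignored
    Logon(_t(10, 1),  "alice", "db01",         "web01"),       # db01 not reached yet at 10:01
    Logon(_t(10, 5),  "alice", "laptop-alice", "jumphost"),
    Logon(_t(10, 12), "alice", "jumphost",     "db01"),
    Logon(_t(10, 15), "bob",   "laptop-bob",   "db01"),        # other user: ignored
    Logon(_t(10, 20), "alice", "db01",         "backup01"),
    Logon(_t(10, 30), "alice", "laptop-carol", "hr-share"),    # account used from an unexplained host
]


def run_demo():
    path, off = trace(SAMPLE, "alice", "laptop-alice", _t(10, 0))
    return affected_hosts(path, "laptop-alice"), sorted(e.dst for e in off)


if __name__ == "__main__":
    hosts, unexplained = run_demo()
    print("chain:", " -> ".join(hosts))
    print("unexplained post-compromise logons to:", unexplained)
```

The two "off path" results are the interesting part for cleanup: `web01` was reached by the account from `db01` before the traced chain got to `db01`, and `hr-share` was reached from a laptop the chain never touched, so either the starting point is wrong or the credential is being used from somewhere else as well.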
My favorite work story is from 10 years ago. We had an internal IRC server for the devs. I'd written an IRC bot to do some basic functions. It was running on my desktop.
I get a call from IT on my work phone. My co-workers hear my end of the conversation:
"No, it's not a bot net. It's just one bot. Yeah, I wrote it and it talks IRC."
It is one of the best systems available for realtime protection of windows systems against various threat actors. Prior to today you could probably have said 'no one gets fired for recommending Crowdstrike as the security tool for the company.' It is everywhere and in particular if you are a large org with a lot of Windows seats you are likely a Crowdstrike customer.
What the heck is it doing? My work laptop fan always seems to be blasting air whether it is 10pm or 3am. It's in a reboot loop now so I just shut it off.
All my Linux machines are quiet when nothing is running. In contrast, I go to the bathroom at 10pm or 3am and the work laptop fan is blasting. I've logged and see some other security stuff taking up CPU cycles, but it happens at least a few times an hour. I wonder how much electricity the world is wasting with this crap.
When I first got the laptop when I started this job 5 years ago I thought it must be infected with malware because it was always running the fan so I put it in a separate VLAN so it can't attack my home Linux machines. IT told me it is security software. Who knew that the cyber attack would come from inside the security software.
Some of these services go even further. One time, our IT department was being sales-bombed with a service that would remove our actual login credentials to servers, and then "for security" we'd access said servers using a MITM website kind of thing that would be behind our corporate AD-login. I didn't even find out the full intricate details before telling them to "nope this the fuck out" and stay away with a 10-ft pole.
It's like these people have nothing better to do with their time and just absolutely have to design and build a product for the sake of it, and then dump it on marketing for > 0 amounts of sales through pretty much wearing IT departments down. Or, in the case of this CrowdStrike thing, through the protection racket known as security audit compliance.
It injects itself into (at least) every executable startup and every executable write to disk. It's quite noticeable if you have it installed and run, say, an installer that unpacks a lot of DLL files, because each one gets checksummed and the checksum sent to a remote host. Every time.
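The per-file cost the comment describes (every executable written to disk gets hashed and looked up) is easy to see in miniature. The following is an added example, not CrowdStrike's code: it hashes PE and ELF files under a directory, keeps a `(size, mtime)` cache so unchanged files are not rehashed, and checks digests against a blocklist. The file-type test by magic bytes, the cache shape and the blocklist are assumptions made for the demo; the sample tree and the blocklist entry are constructed, not real indicators.

```python
"""Hash-on-write style scanning of executables with a change cache.

Added example, not CrowdStrike code. Shows the checksum-every-executable
behaviour described in the comment and why a (size, mtime) cache matters
for the per-file cost. Sample files and blocklist are constructed.
"""
import hashlib
import tempfile
from pathlib import Path

PE_MAGIC = b"MZ"
ELF_MAGIC = b"\x7fELF"


def is_executable(path: Path) -> bool:
    """PE or ELF judged by leading bytes; a demo heuristic, not a full parser."""
    try:
        with path.open("rb") as f:
            head = f.read(4)
    except OSError:
        return False
    return head.startswith(PE_MAGIC) or head.startswith(ELF_MAGIC)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: Path, cache: dict):
    """Return (hashes, hashed_count, cached_count).

    cache maps str(path) -> ((size, mtime_ns), sha256) and is updated in
    place; a file whose size and mtime are unchanged is not read again.
    """
    hashes, hashed, cached = {}, 0, 0
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if not is_executable(path):
            continue
        st = path.stat()
        key = (st.st_size, st.st_mtime_ns)
        entry = cache.get(str(path))
        if entry and entry[0] == key:
            digest, cached = entry[1], cached + 1
        else:
            digest, hashed = sha256_file(path), hashed + 1
            cache[str(path)] = (key, digest)
        hashes[str(path)] = digest
    return hashes, hashed, cached


def match_blocklist(hashes: dict, blocklist: set):
    """Paths whose digest appears in the blocklist (the 'remote lookup' stand-in)."""
    return sorted(p for p, d in hashes.items() if d in blocklist)


def build_demo_tree(root: Path):
    """Constructed sample files: a fake PE, a fake ELF and a text file."""
    (root / "app.exe").write_bytes(PE_MAGIC + b"\x00" * 64)
    (root / "libdemo.so").write_bytes(ELF_MAGIC + b"\x00" * 64)
    (root / "notes.txt").write_bytes(b"just text\n")


def run_demo():
    """Scan three times: cold, warm, and after one executable is rewritten.
    Returns (hashed, cached) per scan plus the number of blocklist hits."""
    root = Path(tempfile.mkdtemp())
    build_demo_tree(root)
    cache = {}
    h1, n1, c1 = scan(root, cache)
    h2, n2, c2 = scan(root, cache)                       # nothing changed: all cache hits
    (root / "app.exe").write_bytes(PE_MAGIC + b"\x01" * 65)  # rewrite one executable
    h3, n3, c3 = scan(root, cache)
    # Constructed blocklist: pretend the demo ELF's digest is a known-bad hash.
    hits = match_blocklist(h3, {h3[str(root / "libdemo.so")]})
    return (n1, c1), (n2, c2), (n3, c3), len(hits), h1 == h2


if __name__ == "__main__":
    print(run_demo())
```

The cache is what a sensor cannot fully rely on: it must also hook the write itself, otherwise a file rewritten with the same size and a forged timestamp would be skipped, which is exactly why the comment sees a hash on every write rather than a periodic sweep.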
I hated it before this incident and I will be bringing this incident up every time it is mentioned.
So it exists because nobody has any idea what the execution graph of their programs is, and CS is down because of that too. Do we really need this level of dynamism in our programs?
And like most AV systems it seems to be a bigger threat than what it supposedly protects against. Seriously how is it acceptable to have one corporation push a live update and take down tons of critical services all over the world. Just imagine what a malicious actor could accomplish with such a delivery vector.
Indeed. The xz backdoor team must be kicking themselves: "We spent years getting our own vector into a tool, only for our world domination plans to be thwarted at the last minute ... we could have just bribed someone at CS!"
Botnet that checks if your bots in the botnet act like bad bots and can be considered bad too. Also checking if some of your files match AV signature. Also reading all your logs if you really want.