CrowdStrike Falcon was ALWAYS a bad idea

On Friday, July 19, 2024, a single piece of software ground a good chunk of the planet to a screeching halt when someone at CrowdStrike deployed a system driver file filled with zeroes. Threat and state-level actors can only dream of having backdoor, kernel-level access to the OS of the hundreds of thousands, if not millions, of machines that CrowdStrike Falcon has been installed on.
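As an added example (my own code, not CrowdStrike's and not something the post describes anyone doing), here is the kind of pre-deployment sanity gate a defender can put between a vendor-pushed content or driver file and the fleet: it refuses a payload that is all zero bytes, suspiciously small, or low-entropy, and it checks the file against a hash published out of band. The function names, thresholds and the constructed sample payloads are all my assumptions; the point is that a zero-filled file is trivially detectable before it reaches a single endpoint, let alone all of them.

```python
import hashlib
import math
from collections import Counter
from typing import List, Optional


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for an empty or single-valued buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def validate_update_payload(
    data: bytes,
    expected_sha256: Optional[str] = None,
    min_size: int = 64,        # assumed floor; a real driver/content file is far larger
    min_entropy: float = 1.0,  # assumed floor; zero-filled or repeated-byte files score ~0
) -> List[str]:
    """Return the list of reasons to reject the payload. An empty list means it passed every gate."""
    problems: List[str] = []

    if len(data) < min_size:
        problems.append(f"too small: {len(data)} bytes < {min_size}")

    # The July 19 failure mode: a file that is nothing but zero bytes.
    if data and data.count(0) == len(data):
        problems.append("payload is entirely zero bytes")

    ent = shannon_entropy(data)
    if ent < min_entropy:
        problems.append(f"entropy {ent:.2f} bits/byte is below {min_entropy}")

    # Compare against a hash obtained through a separate channel from the download itself.
    if expected_sha256 is not None:
        actual = hashlib.sha256(data).hexdigest()
        if actual != expected_sha256.lower():
            problems.append("sha256 mismatch")

    return problems


# Constructed sample payloads (not real CrowdStrike files).
ZERO_PAYLOAD = bytes(4096)                       # what a zero-filled driver file looks like
GOOD_PAYLOAD = bytes(range(256)) * 16            # 4 KiB with every byte value equally represented
GOOD_SHA256 = hashlib.sha256(GOOD_PAYLOAD).hexdigest()  # stands in for the vendor's published hash


if __name__ == "__main__":
    for label, payload, digest in [
        ("zero-filled", ZERO_PAYLOAD, None),
        ("good, hash matches", GOOD_PAYLOAD, GOOD_SHA256),
        ("good bytes, wrong hash", GOOD_PAYLOAD, "00" * 32),
    ]:
        verdict = validate_update_payload(payload, digest)
        print(f"{label}: {'ACCEPT' if not verdict else 'REJECT ' + '; '.join(verdict)}")
```

Run this stage on a canary host, or in the update pipeline before anything is staged to the fleet, and fail closed: a payload that trips any gate is quarantined for a human to look at rather than pushed anyway. The entropy gate catches the zero-filled case even if the hash check is skipped; the hash check catches corruption and substitution that happen to keep the file looking plausible.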

If you are a top-level IT manager and use Microsoft Defender, SentinelOne, Huntress, or other enterprise Endpoint Detection & Response (EDR) remote management solutions, you are probably patting yourself on the back and thinking, "Whew! We just dodged a bullet!" No. You are still someone who doesn't actually understand the fundamentals of system and network security. True system and network security isn't dependent upon a single piece of magical software that solves all of your problems. It is a combination of first hardening the mind to trust nothing and no one and THEN forming a proper, layered defense-in-depth strategy. What software you run has absolutely nothing to do with actual security. I NAT my network traffic to my ISP's router so they can only see one device and can't potentially remotely access my network. I don't allow WiFi connections to touch my LAN, for a number of reasons. I use ad and stats blockers because advertising and stats networks are known malware sources and injection opportunities. I write the vast majority of my own software, vet every update, and never import third-party libraries using unvetted package managers like NPM, Composer, pip, etc. I can't access my email or network resources except from one device on one network. These are all choices I've made because I understand the critical implications of NOT doing those things.

That is just the tip of the iceberg of what I do personally. I expect far more from corporate IT heads. If you threw CrowdStrike Falcon or any other EDR solution on your systems and decided that was "good enough," then you aren't doing your job. At all. I've seen the garbage that you've forced down your employees' throats called "cybersecurity training," and it's a joke. Here's a helpful hint: if it has "cyber" in the name, it should make you cringe, want to vomit a little, and it probably isn't all that effective. That trash barely scratches the surface of what true system and network security looks like. Does it maybe stop a couple of ransomware deployments? Perhaps. But you are treating the symptom, not the cause. CrowdStrike Falcon and other EDR solutions don't actually solve the problem!

So what is the problem? In short, it's people. Humans are fallible. Can a threat actor install malware on your systems without involving people at some level? No. They can't. Whether it is a phishing attack, weak password selection, an open port in the firewall, or what software is deployed in your corporate images, all of those things happen because you allowed people to use your systems who don't constantly consider the security implications of every single action or inaction. You hand someone a laptop and require them to go through a modicum of training without testing their personal willpower and understanding of the attacker's psychology. That's a recipe for disaster. You then band-aid the problem with software and maybe even more lame training videos while missing the fact that you've still got a knife in your jugular. If everyone using your network and systems automatically assumes everything and everyone is a threat vector, then EDR software becomes unnecessary.

This doesn't even begin to cover the fact that EDR software is a literal backdoor on a system that also phones home. Most, if not all, EDR solutions are remote-control cloud solutions that can alter the files on the machine! You have a fancy control panel that lets you remotely manage the files on a fleet of machines. Did you even stop to think for one brief moment that that might just be a REALLY bad idea? If you had done so, Friday, July 19, 2024 wouldn't have happened. This event stands as incontrovertible proof that you don't actually know what you are doing when it comes to system and network security, even if you are currently using an EDR solution that isn't CrowdStrike Falcon. EDR solutions hand control of your systems over to a third party, which you made a conscious choice to do. And they want you to install their software on ALL of your systems. Not just client computers but your servers too, which is, again, another conscious choice that you made. Their "solution" can remotely create, modify, and delete files. Now imagine a threat actor gaining access to your EDR solution's dashboard. They don't even need to do that, though, and don't even need to target your specific network or systems directly. They can simply embed perfectly good, well-known, digitally signed EXEs and DLLs into generic malware PDFs, upload the malware PDFs to VirusTotal, and then watch the fireworks from the sidelines over the next 6-12 months as your EDR solution wrecks your network of machines by constantly deleting EXEs and DLLs that just happened to be embedded into a malware PDF. (Yes, I've seen this happen.) You've handed the keys to the kingdom to the bad guys on a Californium-252 platter and still not fixed the actual problem. Californium-252 is the single most expensive element known to mankind ($27 million USD per gram) and is also radioactive. The analogy seems fitting to me.