- CrowdStrike Incident Response teams leverage Falcon Identity Threat Detection (ITD) for visibility into Microsoft Active Directory (AD) and Azure AD account authentication, credential hygiene and multifactor authentication (MFA) enforcement
- Falcon ITD is integrated into the CrowdStrike Falcon® platform and provides alerts, dashboards and custom templates to identify compromised accounts, reduce the attack surface and implement additional security measures
- Falcon ITD allows our Incident Response teams to quickly identify malicious activity that would have previously only been visible through retroactive log review and audits, helping organizations eradicate threats faster and more efficiently
How Falcon ITD Is Leveraged During Incident Response
It’s no secret that one of CrowdStrike’s key differentiators in delivering high-quality, lower-cost investigations to victim organizations is the Falcon platform. Throughout 2021, we have included Falcon ITD in the arsenal of Falcon modules used when performing incident response. This new module provides both clients and responders with the following critical data points during a response:
- Suspicious logins/authentication activity
- Failed login activity, including password spraying and brute force attempts
- Inventory of all identities across the enterprise, including stale accounts, with password hygiene scores
- Identity store (e.g., Active Directory, LDAP/S) verification and assessment to discover any vulnerabilities across multiple domains
- Consolidated events around user, device, activity and more for improved visibility and pattern identification
- Creation of a “Watch List” of specific accounts of interest
Figure 1 shows the Falcon ITD Overview dashboard, which groups attack surface risk into categories and rates each as Low, Medium or High. CrowdStrike responders use this data to understand the most readily exploitable ways an attacker could escalate privileges: non-privileged accounts that have attack paths to privileged accounts, accounts that can be traversed to compromise privileged accounts' credentials, or password policies that allow passwords an attacker could easily crack.
Figure 2 shows the main Incidents dashboard. This dashboard highlights suspicious events based on baseline patterns and indicators of authentication activity, and also includes any custom detection patterns the CrowdStrike incident response teams have configured, such as alerting when an account authenticates to a specific system. CrowdStrike responders leverage this information to understand and confirm findings such as the following:
- Credentials were used to perform unusual LDAP activity that fits Service Principal Name (SPN) enumeration patterns
- An account entered the wrong two-factor verification code or the identity verification timeout was reached
- Credentials used are consistent with “pass the hash” (PtH) techniques
- Unusual LDAP search queries known to be used by the BloodHound reconnaissance tool were performed by an account
Beyond detection, responders can configure Falcon ITD policies to act on what they find:
- Alert if a specific account or group of accounts authenticates to any system or to specific ones
- Enforce a block for specific accounts from authenticating to any system or specific ones
- Enforce a block for specific authentication protocols being used
- Require identity verification from a 2FA provider such as Google, Duo or Azure for any account, or for a specific account, attempting to authenticate via the Kerberos, LDAP or NTLM protocols
- Implement a password reset for any account that has a compromised password
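Two of the findings listed above, SPN enumeration and BloodHound-style LDAP queries, come down to recognising reconnaissance patterns in the LDAP search filters an account issues. The following Python is an added example, not Falcon ITD code and not CrowdStrike's detection logic: it runs a pattern-and-frequency detection over a handful of constructed LDAP search records grouped by account and source host. The record layout, the sample events, the choice of `samAccountType` filters as a marker of bulk directory collection and the 60-second window are all assumptions made for illustration; the page does not list the actual queries BloodHound issues or the patterns Falcon ITD matches.

```python
import re
from collections import defaultdict

# Constructed LDAP search records, loosely modelled on what a domain controller
# records per search (requesting account, source host, base DN, filter).
# These are made-up sample events, not Falcon ITD telemetry.
SAMPLE_LDAP_EVENTS = [
    {"ts": 1, "user": "CORP\\jsmith", "src": "WS-0142", "base": "DC=corp,DC=local",
     "filter": "(&(objectCategory=person)(sAMAccountName=jsmith))"},
    {"ts": 2, "user": "CORP\\svc_backup", "src": "WS-0311", "base": "DC=corp,DC=local",
     "filter": "(&(objectCategory=user)(servicePrincipalName=*))"},      # Kerberoast-style SPN sweep
    {"ts": 3, "user": "CORP\\svc_backup", "src": "WS-0311", "base": "DC=corp,DC=local",
     "filter": "(samAccountType=805306368)"},                            # every user object
    {"ts": 4, "user": "CORP\\svc_backup", "src": "WS-0311", "base": "DC=corp,DC=local",
     "filter": "(samAccountType=805306369)"},                            # every computer object
    {"ts": 5, "user": "CORP\\svc_backup", "src": "WS-0311", "base": "DC=corp,DC=local",
     "filter": "(objectClass=trustedDomain)"},                           # domain trusts
    {"ts": 6, "user": "CORP\\svc_backup", "src": "WS-0311", "base": "DC=corp,DC=local",
     "filter": "(|(samAccountType=268435456)(samAccountType=536870912))"},  # all groups
    {"ts": 7, "user": "CORP\\printsvc", "src": "PRN-01", "base": "DC=corp,DC=local",
     "filter": "(&(objectClass=user)(sAMAccountName=printsvc))"},
]

# A wildcard SPN search is the classic Kerberoasting precursor.
SPN_ENUM = re.compile(r"servicePrincipalName=\*", re.I)

# Filters that pull whole object classes. Treating a burst of these as a
# graph-collector signature is a heuristic chosen for this example, not a
# documented BloodHound fingerprint. The samAccountType values are the
# standard SAM object type constants.
COLLECTOR_PATTERNS = {
    "users":     re.compile(r"samAccountType=805306368", re.I),
    "computers": re.compile(r"samAccountType=805306369", re.I),
    "groups":    re.compile(r"samAccountType=(268435456|536870912)", re.I),
    "trusts":    re.compile(r"objectClass=trustedDomain", re.I),
}


def detect_ldap_recon(events, window=60, min_categories=3):
    """Return alerts for LDAP searches that look like SPN enumeration or bulk
    directory collection. Events are grouped per (account, source host) so a
    noisy but legitimate host does not mask a quiet attacker elsewhere."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e["user"], e["src"])].append(e)

    alerts = []
    for (user, src), evs in sorted(by_actor.items()):
        evs.sort(key=lambda e: e["ts"])

        spn_hits = [e for e in evs if SPN_ENUM.search(e["filter"])]
        if spn_hits:
            alerts.append({"user": user, "src": src, "technique": "spn_enumeration",
                           "first_ts": spn_hits[0]["ts"], "count": len(spn_hits)})

        # Tag each event with the object classes it sweeps, then slide a window
        # over the tagged events and keep the widest set of distinct classes
        # seen inside any single window.
        tagged = [(e["ts"], cat) for e in evs
                  for cat, rx in COLLECTOR_PATTERNS.items() if rx.search(e["filter"])]
        best = set()
        for i, (t0, _) in enumerate(tagged):
            cats = {cat for t, cat in tagged[i:] if t - t0 <= window}
            if len(cats) > len(best):
                best = cats
        if len(best) >= min_categories:
            alerts.append({"user": user, "src": src, "technique": "bulk_directory_collection",
                           "categories": sorted(best)})
    return alerts


if __name__ == "__main__":
    for alert in detect_ldap_recon(SAMPLE_LDAP_EVENTS):
        print(alert)
```

Run stand-alone, the script reports two alerts for `CORP\svc_backup` from `WS-0311` (an SPN sweep, then a four-class collection burst) and nothing for the two accounts looking up their own objects. The per-actor grouping is the point: the same filters issued by a directory-sync service account from its usual host would be a candidate for an allow-list, whereas a backup service account issuing them from a workstation is exactly the consolidated user-plus-device view the dashboard is meant to surface.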
Hygiene and Reconnaissance Case Study
During a recent incident response investigation, CrowdStrike Services identified an eCrime threat actor that had maintained intermittent access to the victim’s environment for years. The threat actor leveraged multiple privileged accounts and created a domain administrator account, undetected, to perform reconnaissance, move laterally and gather information from the environment. CrowdStrike incident responders leveraged Falcon ITD to quickly map out the permissions associated with the accounts compromised by the threat actor and to identify the password hygiene issues that aided the threat actor. By importing a custom password list into Falcon ITD, incident responders were able to identify accounts that the threat actor had likely leveraged because they shared the same organizational default or easily guessed password. Falcon ITD also allowed CrowdStrike’s incident response teams to track the threat actor's reconnaissance of SMB shares across the victim environment. The threat actor leveraged a legitimate administrative account on a system that did not have Falcon installed. Fortunately, because Falcon ITD observes authentication activity at the domain controllers rather than relying on a sensor on the originating host, it still alerted incident responders to this reconnaissance activity, and we coordinated with the client to implement remediations to eradicate the threat actor.
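The custom password list step above, as an added example that is not part of the original post and not Falcon ITD's own code: the check below hashes an imported list of organizational defaults and compares the results against the NT hashes in a constructed NTDS-style dump, flagging accounts that use a listed password, accounts with an empty password, and accounts that share a hash with one another (the pattern that reveals a default never changed). MD4 is implemented inline because Python builds on OpenSSL 3 often omit it from `hashlib`. The account names, RIDs and wordlist are constructed sample data, and the assumption that Falcon ITD's imported list works by hash comparison is mine; the page describes only the outcome.

```python
import struct
from collections import defaultdict

MASK = 0xFFFFFFFF


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320. Written out here only because hashlib.new('md4') is
    unavailable on many OpenSSL 3 builds; it is not a new hash design."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for f, k, order, shifts in rounds:
            for j, i in enumerate(order):
                a = _rotl((a + f(b, c, d) + X[i] + k) & MASK, shifts[j % 4])
                a, b, c, d = d, a, b, c   # rotate roles so the next step updates the next word
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash: unsalted MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16le")).hex()


EMPTY_NT = nt_hash("")   # 31d6cfe0d16ae931b73c59d7e0c089c0

# Constructed dump lines in the common domain\user:rid:lm:nt::: layout. Not real
# accounts; the NT hashes are genuine hashes of the commented passwords.
SAMPLE_DUMP = [
    "CORP\\svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",  # "password"
    "CORP\\jsmith:1106:aad3b435b51404eeaad3b435b51404ee:" + nt_hash("Welcome2021!") + ":::",
    "CORP\\mlee:1107:aad3b435b51404eeaad3b435b51404ee:" + nt_hash("Welcome2021!") + ":::",
    "CORP\\kiosk:1108:aad3b435b51404eeaad3b435b51404ee:" + EMPTY_NT + ":::",                   # empty password
    "CORP\\adm_rivera:1109:aad3b435b51404eeaad3b435b51404ee:" + nt_hash("correct horse battery staple") + ":::",
]

# Constructed "organizational default" list of the kind a responder would import.
CUSTOM_WORDLIST = ["password", "Welcome2021!", "Corp2021!", "Summer2021"]


def check_password_hygiene(dump_lines, wordlist):
    """Return accounts using a listed password, accounts with an empty
    password, and groups of accounts that share one NT hash."""
    lookup = {nt_hash(w): w for w in wordlist}   # hash the list once, compare many
    by_hash = defaultdict(list)
    weak, empty = {}, []
    for line in dump_lines:
        user, _rid, _lm, nt = line.split(":")[:4]
        nt = nt.lower()
        by_hash[nt].append(user)
        if nt == EMPTY_NT:
            empty.append(user)
        elif nt in lookup:
            weak[user] = lookup[nt]
    shared = {h: users for h, users in by_hash.items() if len(users) > 1}
    return {"weak": weak, "empty": empty, "shared": shared}


if __name__ == "__main__":
    report = check_password_hygiene(SAMPLE_DUMP, CUSTOM_WORDLIST)
    for user, pw in report["weak"].items():
        print(f"LISTED PASSWORD  {user}: {pw!r}")
    for user in report["empty"]:
        print(f"EMPTY PASSWORD   {user}")
    for h, users in report["shared"].items():
        print(f"SHARED HASH      {h}: {', '.join(users)}")
```

Two things in the output matter to a responder beyond the obvious hits. The shared-hash group is found without knowing the password at all, so it also catches defaults that are not in the imported list, and the comparison is exact because NT hashes are unsalted, which is the same property that makes them usable in pass-the-hash. Anything flagged here feeds the password reset action listed in the previous section, ideally for every account in a shared-hash group, not only the one the threat actor was seen using.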
Multifactor Authentication and Domain Replication Case Study
During another investigation, CrowdStrike incident responders identified a nation-state threat actor that had compromised an environment and remained persistent for multiple years. Given this level of sophistication and the threat actor's knowledge of the victim environment’s network, Active Directory structure and privileged credential usage, no malware was needed to achieve their objectives. In light of the multiyear undetected access, CrowdStrike incident responders leveraged Falcon ITD to limit the threat actor’s mobility by enforcing MFA validation for two scenarios, vastly reducing their capacity for unauthorized lateral movement:
- Enforce MFA (via Duo) for administrator usage of RDP to servers
- Enforce MFA (via Duo) for any user to RDP from any server to a workstation
Conclusion
Falcon Identity Threat Detection provides CrowdStrike incident response teams with another advantage when performing investigations into eCrime or nation-state attacks by providing increased visibility and control in Active Directory, which had previously been unachievable at speed and scale.
Additional Resources
- For more information on Falcon ITD, see the overview page and the data sheet.
- For more information on CrowdStrike Services, please visit the overview page.