Protect Strikes on Endpoints
With all systems now a part of larger networks like corporate networks and the cloud, any remote device can be a potential entry point for cyberattacks that can devastate far more than just that device. It’s critical to orchestrate endpoint protection with other products and operations vital to the overall security posture.
Here, we will show how combining CrowdStrike’s endpoint security capabilities with Demisto’s security orchestration and automation features can provide security analysts with a deep investigative toolkit to nip attacks in the bud.
The Playbook Flow
Let’s go over the sequence of tasks that we can run with the CrowdStrike IOC playbook on Demisto. This playbook automates a host of actions – both within and outside CrowdStrike – to orchestrate an IOC enrichment and hunting operation.
This playbook will automatically enrich the incident with indicators, get file details for particular indicators using Falcon Intel, find related indicators from the same malware family if any malicious indicators are found, use Falcon Host to hunt for endpoints infected with the malicious indicator, and access those endpoints using Demisto’s dissolvable agent to retrieve malicious files.
Let’s look at each step in greater detail:
Stage 1: Enrichment
After initial enrichment that parses out various indicators, the playbook calls CrowdStrike Falcon Intel to find specific details about the indicators from its rich threat intelligence database. In this example, the incident had an MD5 hash, and the output of the task that pulls information from Falcon Intel can be seen below:
The details we get include indicator type, malice confidence, malware family, kill chain information, domain types, and a host of other metrics for deeper study.
After this task, the playbook checks if any of the indicators that have been pulled are malicious. In our example, we found a malicious MD5 hash. Now, we can enrich the investigation with even more context by using Demisto and Falcon Intel to cross-correlate the malicious MD5 hash and find other indicators within the same malware family (in this case, WanaRansomware).
The playbook task and its output are shown below:
You can also view the full artifact in a new tab as shown below:
With these tasks, we have effectively combined the deep threat intelligence of CrowdStrike Falcon Intel with the security orchestration playbooks of Demisto to automate multi-tiered enrichment of an incident.
To learn more about Demisto's integration with CrowdStrike, watch our video walkthrough on YouTube.
Stage 2: Endpoint Detection and Protection
Once we’ve narrowed down the malicious indicators and collected all relevant details and context about them, it’s time to search every endpoint in the environment, determine which ones have been infected by these indicators, and pull the infected files from each affected endpoint. The playbook flow for this stage is shown below:
Search for infected endpoints: We use Falcon Host’s cs-device-ran-on command to search all endpoints in the environment for the malicious MD5 hash.
Retrieve endpoint details: We use Falcon Host’s cs-device-search command to return the endpoint details that let us identify the specific devices on which to install Demisto’s dissolvable agent.
Install Demisto agent: Here, we take the device details from the previous step and install Demisto’s dissolvable agent on those devices. The agent removes the need to open holes in firewalls or alter other security controls; it installs directly on the endpoint and exposes a range of commands.
Pull infected files from endpoint: Finally, we use the agent’s FetchFileD2 command to pull the infected files from each endpoint for further analysis and remediation.
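The decision logic behind both stages, as an added example that is not part of the original post or of Demisto’s or CrowdStrike’s own code: the Stage 1 malice gate and malware-family pivot, followed by the Stage 2 device hunt and a hash check on whatever the agent pulls back. All indicator and device records are constructed stand-ins with illustrative field names, not the real Falcon Intel or Falcon Host schema.

```python
import hashlib

# Constructed stand-ins for the records the playbook would get back from
# Falcon Intel; field names are illustrative, not the real API schema.
MD5_A = hashlib.md5(b"constructed sample A").hexdigest()
MD5_B = hashlib.md5(b"constructed sample B").hexdigest()
INTEL = [
    {"indicator": MD5_A, "type": "hash_md5", "malice": "high", "family": "WanaRansomware"},
    {"indicator": MD5_B, "type": "hash_md5", "malice": "medium", "family": "WanaRansomware"},
    {"indicator": "benign.example", "type": "domain", "malice": "low", "family": None},
]
CONFIDENCE = {"low": 0, "medium": 1, "high": 2}

# Constructed stand-ins for cs-device-ran-on and cs-device-search output.
RAN_ON = {MD5_A: ["dev-1", "dev-2", "dev-2", "dev-9"]}  # dev-9 has no details
DEVICES = {"dev-1": {"hostname": "ws-01", "os": "Windows 10"},
           "dev-2": {"hostname": "ws-02", "os": "Windows 10"}}

def malicious_indicators(intel, min_level="high"):
    """Stage 1 gate: keep indicators whose malice confidence meets the threshold."""
    return [r for r in intel if CONFIDENCE[r["malice"]] >= CONFIDENCE[min_level]]

def related_indicators(intel, seed):
    """Pivot on the malware family of `seed` and return the other family members."""
    family = seed["family"]
    return [r["indicator"] for r in intel
            if family and r["family"] == family and r["indicator"] != seed["indicator"]]

def hunt_devices(md5, ran_on=RAN_ON, devices=DEVICES):
    """Stage 2: de-duplicate device ids where the hash ran and join with details.
    Devices lacking details are reported separately so no agent is pushed blind."""
    targets, unresolved = [], []
    for dev_id in dict.fromkeys(ran_on.get(md5, [])):  # preserves order, drops dupes
        if dev_id in devices:
            targets.append({"id": dev_id, **devices[dev_id]})
        else:
            unresolved.append(dev_id)
    return targets, unresolved

def verify_fetched(content, expected_md5):
    """Confirm the file the agent pulled back is the one hunted for (IOC match, not integrity)."""
    return hashlib.md5(content).hexdigest() == expected_md5

if __name__ == "__main__":
    for seed in malicious_indicators(INTEL):
        print(seed["indicator"], "related:", related_indicators(INTEL, seed))
        targets, unresolved = hunt_devices(seed["indicator"])
        print(" targets:", [t["hostname"] for t in targets], "unresolved:", unresolved)
```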
With these simple steps, we have orchestrated a comprehensive enrichment and endpoint protection operation that spanned multiple products and was fully automated.
In our follow-up article on Demisto’s integration with CrowdStrike, we will demonstrate how many of these commands can also be run interactively from a command-line interface while collaborating with other analysts.
If you are new to Demisto and interested in exploring the platform further, we invite you to sign up for the Demisto Community Edition.