Lots of aspiring technology start-ups dream of getting their product written up in The New York Times or The Wall Street Journal when it launches. For Crowdstrike Inc., a two-year-old security start-up based in Laguna Niguel, California, media attention from the papers of record hasn’t been an issue. This reporter counted twelve articles mentioning the company in The Times in the last year, and another two reports in The Journal. Much of that ink has been spilled on stories related to Crowdstrike research on sophisticated attacks, or the company’s all-star executive team, including former McAfee executives George Kurtz (CEO) and Dmitri Alperovitch (CTO), as well as former FBI cybersecurity chief Shawn Henry (Crowdstrike’s head of services), who left the Bureau in April 2012 to join the company.
For much of that time, Crowdstrike has been known mostly as a security services and intelligence firm, but the goal was always to offer products that helped companies fight off – or fight back against – the most sophisticated and persistent attackers. On Tuesday, the company made good on that promise, releasing “Falcon,” a services platform for what Crowdstrike calls “active defense.”
Don’t Call It A Hack Back
That’s a term with some weight to it – and one that has attracted some negative attention, with Crowdstrike lumped in with those who advocate so-called “hack back” – retaliation against those responsible for cyber attacks. Of course, that’s not something Crowdstrike ever advocated per se. Nor is it a service that they offer. The bigger picture of “Active Defense” is of a strategy of shifting from trying to spot “indicators of compromise” and block attacks to identifying what Alperovitch calls “tradecraft.”
“These are the elements of an attack that are not scalable,” he told Security Ledger. “Humans are involved. They’re sitting behind a keyboard doing reconnaissance,” he said. Those manual aspects of advanced attacks are, almost by definition, not scalable, and they’re also much harder to change or switch out to evade detection. “When you’re launching hundreds of ops (operations) a week, you can’t do this differently,” Alperovitch said. Besides, it’s very unlikely that sophisticated and determined hackers will back down just because their victim blocked an attack, he said. The value of the information they’re after is just too high.
From Layered Defense To Counter Intelligence
Crowdstrike’s approach, then, is more “counterintelligence” than “layered defense.” Falcon is a cloud-based platform with pluggable modules in the model of Salesforce.com, said Alperovitch. Thus far, Crowdstrike has published four modules for Falcon. They are Threatprotect, a lightweight, host-based server for Windows and Mac endpoints, as well as DNS Protect and Email Protect. The underlying technology there looks a lot like other behavior-based approaches to threat detection that we’ve heard about from the likes of EMC Silvertail, Mandiant and others: Crowdstrike doesn’t rely on signatures of known threats. Rather, it keeps watch for malicious programs acting maliciously. Alperovitch used the example of a process that dumps passwords from a database or application. “The only time that would ever happen is in an attack or a pen(etration) test,” he said. “In either case, you want to spot it.”
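To make the signature-versus-behavior distinction concrete, here is an added illustration (not Crowdstrike’s code, and not a description of how Falcon works). It runs two detectors over a handful of constructed endpoint events: one matches file hashes against a known-bad list, the other flags the behavior Alperovitch describes, a process reading credential material, regardless of what the binary is called or hashed to. The event schema, hash values, process names and the allowlist of legitimate credential readers are all assumptions made up for the example.

```python
"""Signature-based vs behavior-based detection over constructed endpoint telemetry.

Added example, not code from the original article or from Crowdstrike.
Every field, hash and process name below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Event:
    host: str
    image: str        # process image name as seen by the sensor (assumed field)
    sha256: str       # hash of the image on disk (constructed values)
    action: str       # "proc_open" or "file_read" (assumed vocabulary)
    target: str       # process or file the action touched
    access: str = ""  # requested access rights, for proc_open only


# What a signature engine would carry: hashes of tools already seen in the wild.
KNOWN_BAD_SHA256 = {"constructed-hash-known-dumper"}

# Processes that legitimately touch credential stores (assumed allowlist; in a
# real deployment this is tuned per environment to keep false positives down).
ALLOWED_CREDENTIAL_READERS = {"lsass.exe", "backup_agent.exe"}

# On-disk locations whose contents are credential material (Windows hives).
CREDENTIAL_STORES = {
    r"c:\windows\system32\config\sam",
    r"c:\windows\system32\config\security",
}

# Constructed telemetry: a known dumper, the same behavior from a recompiled
# (new hash, innocuous name) tool, ordinary user activity, and an allowlisted agent.
SAMPLE_EVENTS = [
    Event("ws01", "dumper.exe", "constructed-hash-known-dumper",
          "proc_open", "lsass.exe", "PROCESS_VM_READ"),
    Event("ws02", "svchost32.exe", "constructed-hash-recompiled",
          "proc_open", "lsass.exe", "PROCESS_VM_READ"),
    Event("ws02", "svchost32.exe", "constructed-hash-recompiled",
          "file_read", r"C:\Windows\System32\config\SAM"),
    Event("ws03", "winword.exe", "constructed-hash-office",
          "file_read", r"C:\Users\bob\report.docx"),
    Event("ws04", "backup_agent.exe", "constructed-hash-backup",
          "file_read", r"C:\Windows\System32\config\SAM"),
]


def signature_alerts(events):
    """Flag (host, image) pairs whose binary hash is already on the bad list."""
    return {(e.host, e.image) for e in events if e.sha256 in KNOWN_BAD_SHA256}


def is_credential_access(e: Event) -> bool:
    """True when a non-allowlisted process reads credential material.

    Two behaviors are covered: opening the credential-holding process with
    memory-read rights, and reading the on-disk hives that store hashes.
    """
    if e.image.lower() in ALLOWED_CREDENTIAL_READERS:
        return False
    if (e.action == "proc_open" and e.target.lower() == "lsass.exe"
            and "PROCESS_VM_READ" in e.access):
        return True
    if e.action == "file_read" and e.target.lower() in CREDENTIAL_STORES:
        return True
    return False


def behaviour_alerts(events):
    """Flag (host, image) pairs exhibiting credential-access behavior."""
    return {(e.host, e.image) for e in events if is_credential_access(e)}


if __name__ == "__main__":
    print("signature engine:", sorted(signature_alerts(SAMPLE_EVENTS)))
    print("behavior engine: ", sorted(behaviour_alerts(SAMPLE_EVENTS)))
```

Run as written, the signature detector reports only ws01, because the recompiled tool on ws02 has a hash nobody has catalogued yet; the behavior detector reports both ws01 and ws02 and stays quiet on the Word process and the allowlisted backup agent. That allowlist is the practical cost of the approach: behavior rules need per-environment tuning of what is expected, which is exactly the work the article says sophisticated adversaries cannot easily engineer around.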
The company has also released a module called “Adversary Intelligence” that provides what Alperovitch called “actionable intelligence” on around four dozen* hacking groups around the world. That could include their modus operandi, the tools and techniques they use, what kind of information they’re known to look for and so on, he said.
As victims learn more about their attackers, the thinking goes, they can become more mature in how they respond to them, enabling responses such as deception and misinformation that accomplish what static defenses can’t: raising the cost and risk to the adversary. After all, if the hacking crew filching negotiating tactics from a western competitor grabs a decoy document that outlines an entirely different strategy than the one their competitor intends to use, they’ve actually harmed their client, not helped them, Alperovitch notes.
Still, Alperovitch is realistic about the limits of Crowdstrike’s technology. As it stands, it’s not a replacement for antivirus software, or the long list of other security point products organizations have had to deploy in the last 20 years. “This is additive,” he said. “AV is good for run of the mill stuff that’s sent to 100,000 people,” he said. “But the sophisticated adversary has that same AV package and will test their malware against it to make sure it’s not detected.” As Vice President of Threat Research at McAfee, Alperovitch had an inside view into some of the most publicized attacks of the last decade, including the Aurora attacks on Google, and the so-called Night Dragon attacks against prominent energy companies. All the victims of those attacks had the full complement of security products deployed – AV, firewall, IDS and IPS, Alperovitch said.
The process by which industry and the government come to terms with that and figure out how to respond is just starting, but could take ten years or more to fully mature. “This is a long game,” he said. “In the short-term, things aren’t going to get better.” Still, the increasingly public acknowledgment of the true source and motives of the attacks is a beginning. Not the beginning of the end, Alperovitch says, quoting Winston Churchill, “but maybe the end of the beginning.”
(*) Editor’s Note: An earlier version of this blog post incorrectly stated that Crowdstrike tracked 4,000 hacking groups. The number was four dozen. The article has been corrected. We apologize for any confusion! PFR 6/19/2013