One Size Does Not Fit All: Flexible Response Capabilities Matter

If all threats were equal, it might be possible to make the entire remediation process autonomous. But all cybersecurity professionals know that threats and incidents vary in complexity and potential impact, so a one-size-fits-all approach is impractical, if not impossible. Organizations big and small need a range of response capabilities. CrowdStrike believes that a combination of automation and analyst-driven intervention provides the flexibility organizations need for effective and efficient incident response workflows.

 

Automated Cleanup

 

CrowdStrike Falcon® automated remediation streamlines the time-consuming and sometimes mundane cleanup tasks by removing attack artifacts and dormant malware, which, if not removed, can lead to reinfection or potentially be leveraged in a later attack.

 

Analysts have the flexibility to select which protected endpoints are enabled with this capability. Once enabled, the Falcon platform automatically cleans up artifacts — from dropped files to modified registry keys — that are left behind after blocking key malicious activity. For reporting and reviewing, the Falcon platform logs a comprehensive list of all actions it performed and enables admins to centrally manage remediated artifacts such as releasing a quarantined file.

 

With Falcon’s targeted indicators of attack (IOA) remediation, the automation process does not require an analyst to initiate the remediation — freeing them to focus on higher-priority actions.

 

Make It Your Own

 

As threats advance, response actions need to follow suit. CrowdStrike® Real Time Response provides direct system access to contain systems and run a variety of commands as well as executables and customized scripts to support any number of use cases through both APIs and the user interface. Among their many applications, scripts can be used to automate workflow steps such as the removal of a persistent registry key placed on multiple hosts or performing a system rollback if shadow copies are available. Responders can run custom scripts on remote hosts across Windows, macOS and Linux operating systems.

 

Extensive API functionality enables responders to automate and script their own playbooks, ensuring repeatability and consistency. While many responders are very comfortable with this type of workflow, CrowdStrike provides extensive API documentation and tools to help maximize the effectiveness of these APIs for all teams.

 

 

Dive In

 

Leveraging the detailed event data available in the Falcon platform, Real Time Response enables teams to identify and surgically remove all active attack components, before recovering any additional artifacts.

 

With the ability to run commands, executables and scripts, the response possibilities are endless with Real Time Response. A few examples include:
  • Navigate the file system and perform file system operations
  • Put and get files to and from the system to the CrowdStrike cloud
  • Stage commonly used programs and PowerShell scripts

     

  • List running processes and kill processes
  • Retrieve memory dumps, event logs or any other files
  • Show network connections
  • Query, create or modify registry keys
  • Identify disabled security services and restore them to a functioning state

Streamline and Improve Your Response Workflows

In the real world, effective workflows empower incident responders with speed and agility for the task at hand — from routine malware clean-up to more complex surgical action. Flexibility in remote response capability empowers responders to avoid downtime, save money in time and resources, remove threat actors, and reduce the damage of an attack. Often, these workflows include automated, scripted and manual components. CrowdStrike gives responders the flexibility and capabilities needed for their response posture — one size does not fit all.

 

 

Additional Resources

Breaches Stop Here