How Falcon Sandbox Improves Threat Response
In this demonstration, we will be introducing CrowdStrike’s Falcon Sandbox and taking a closer look at what sets this solution apart from others in the market. Falcon Sandbox gives malware researchers and security operations teams the information that they need to provide their organization with faster threat protection and response.
Before we begin, let’s consider the life of a malware researcher. They are highly knowledgeable technical resources with a very specialized skill set. They are also very busy people, given there is no shortage today of malware, breaches, and news coverage. Here, you see their key objectives, and you quickly realize that a single sample could take days of complex research, using manual processes, multiple tools, and various interfaces. Today, we’re going to look at three different situations and see how the Falcon Sandbox solution can make their lives easier.
To begin, we’re going to do a side by side comparison with a competitor. First, we’ll upload a sample to Cuckoo and submit it for analysis. While that is running, we will upload the exact same file to Falcon Sandbox so that we can compare the results. We want to understand how CrowdStrike’s anti-evasion techniques and hybrid analysis compare to other vendors.
First, from Cuckoo the report indicates signs of malicious behavior but with a score of 2.8 out of 10. We see the standard file details and hash values. And then as we scroll down, in the signatures area, we see some indications, but very little useful information. There are notes that the file installed itself for auto run and is seen as malicious by 50 AV providers.
When we contrast that with Falcon Sandbox, we see a clear difference right away. CrowdStrike finds the file malicious with a 100 out of 100 score. We see that the risks associated with this file include remote access, spyware, persistence, fingerprinting, and network behaviors. The report shows that there are 13 different malicious indicators for this file, including anti-detection techniques and spawned processes. There are also 15 suspicious indicators, including the fact that the sample includes strings that may be used as part of an injection method. As we scroll down, we see additional information on the file details and behaviors including a process tree. Using the exact same sample, Falcon Sandbox was able to provide a complete risk assessment with detailed analysis and reporting, thanks to its advanced anti-evasion techniques.
While the first example focused on the initial phases of investigation, let’s now look at the importance of customization options, as well as looking deeper into the behaviors and indicators of compromise. The next sample was given to us by the Endpoint Security team for analysis. Our first step was to submit the sample to the Sandbox, but the results are not what we expected. There is only one malicious indicator, and as we scroll down further, we do not see any useful results in the process tree or the network analysis.
We circled back to the Endpoint team to understand a little more about how this file was discovered. It seems that there was an alert in the Falcon UI, and as we drill down, we see the potential problem. Our sample was likely dropped on the system by a downloaded EXE file that has since been deleted. Here we can see that our sample was run using an additional parameter. We can use that information and try again.
From the Sandbox UI, we can elect to resubmit the file and add this parameter to help ensure that the malware fully detonates. Now we see a more complete picture. There are additional malicious indicators, including malicious sites, unusual use of network protocols, and cryptography strings.
Lastly, the process tree shows us more about the actions taken by the sample. We can even see details on APIs, registry actions, extracted files, and other critical information to understand how the malware operates. All of this was possible thanks to the hybrid analysis and Falcon Sandbox’s ability to support customizations, like a required parameter.
We have seen how Falcon Sandbox uses anti-evasion techniques and customization options to ensure greater success executing and analyzing malware. We’ve looked at the level of detail in the risk assessment and the behavior analysis. Now we can understand how those results can help improve our overall security posture.
Let’s use the report from our last investigation. Thanks to CrowdStrike’s intelligence integration, Falcon Sandbox was able to link this malware back to the bad actor, Goblin Panda. Directly from the Sandbox UI, we can open an intel report, to learn more about that actor and this specific campaign. For even more detail, we can access the full actor profile. There, we have actionable data, including frequently targeted industries and commonly used vulnerabilities. We can share those with our patch management team to ensure that our systems are protected against Goblin Panda’s approach.
As we look back to the Sandbox UI, we see a few final pieces of information to help us close out this investigation. First is CrowdStrike’s MalQuery integration. This wealth of information helps us understand this piece of malware in the larger context of CrowdStrike’s database. Here we can even download a YARA rule to help us find other related malware. And finally, under network analysis, we can download this list of DNS requests and contacted hosts. These can be used by the firewall and IPS teams to further ensure that our systems are prohibited from communicating with Goblin Panda.
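The DNS requests and contacted hosts handed to the firewall and IPS teams at the end of the investigation are only useful once they are in those teams' own formats. The Python below is an added example, not CrowdStrike's code or anything shown in the demo, of one way to do that conversion, with the two checks that matter in practice: stripping the analysis network's own noise (OS telemetry, the VM gateway) so it never reaches a blocklist, and refusing to quote an attacker-controlled DNS name into a rule unless it is syntactically a hostname. The report layout, the field names `dns_requests` and `contacted_hosts`, and the sample data are assumptions constructed for this example.

```python
"""Turn the network-analysis section of a sandbox report (DNS requests and
contacted hosts) into a firewall blocklist and a set of Suricata rules.

Added example: not CrowdStrike's code. The JSON layout below is an
assumption, a constructed sample modelled loosely on a sandbox network
section; adapt the two field names in extract_indicators() to the export
your own sandbox UI or API actually produces.
"""
import ipaddress
import json
import re

# Constructed sample report. Addresses come from the RFC 5737 documentation
# ranges and the domain uses the reserved .test TLD; nothing here is a real IOC.
SAMPLE_REPORT = json.dumps({
    "sha256": "0" * 64,
    "network": {
        "dns_requests": [
            {"query": "update.example-c2.test", "answers": ["203.0.113.10"]},
            {"query": "UPDATE.example-c2.test.", "answers": ["203.0.113.10"]},  # same name, other case
            {"query": "time.windows.com", "answers": ["20.101.57.9"]},          # OS background noise
            {"query": "wpad.localdomain", "answers": []},                       # analysis-network noise
        ],
        "contacted_hosts": [
            {"address": "203.0.113.10", "port": 443},
            {"address": "198.51.100.7", "port": 8080},
            {"address": "10.0.2.2", "port": 53},                                # analysis-VM gateway
            {"address": "203.0.113.10", "port": 80},
        ],
    },
})

# Names that appear in nearly every Windows detonation. Build this list from
# your own clean baseline runs; pushing them to a blocklist breaks real hosts.
BENIGN_DOMAINS = {"time.windows.com"}
BENIGN_SUFFIXES = (".local", ".localdomain", ".arpa")

# Explicit internal ranges instead of ipaddress' is_private, because is_private
# also flags the RFC 5737 documentation ranges used in the sample above.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Strict hostname syntax. DNS names in a malware report are attacker-controlled
# strings, so anything failing this check is dropped rather than quoted into a rule.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalise_domain(name):
    """Lower-case, strip the trailing dot, drop noise and malformed names."""
    name = name.strip().lower().rstrip(".")
    if name in BENIGN_DOMAINS or name.endswith(BENIGN_SUFFIXES):
        return None
    if not HOSTNAME_RE.match(name):
        return None
    return name


def is_external(addr):
    """True only for a syntactically valid address outside the analysis network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def extract_indicators(report):
    """Return de-duplicated, sorted domains and IPs from a report dict or JSON string."""
    report = json.loads(report) if isinstance(report, str) else report
    net = report.get("network", {})
    domains, ips = set(), set()
    for req in net.get("dns_requests", []):
        name = normalise_domain(req.get("query", ""))
        if name is None:
            continue  # benign or malformed: its resolved addresses are skipped too
        domains.add(name)
        ips.update(a for a in req.get("answers", []) if is_external(a))
    for host in net.get("contacted_hosts", []):
        if is_external(host.get("address", "")):
            ips.add(host["address"])
    return {
        "domains": sorted(domains),
        "ips": sorted(ips, key=lambda a: (ipaddress.ip_address(a).version,
                                          ipaddress.ip_address(a))),
    }


def firewall_blocklist(indicators):
    """One entry per line: host routes for IPs, bare names for domains."""
    lines = []
    for ip in indicators["ips"]:
        lines.append(f"{ip}/{32 if ipaddress.ip_address(ip).version == 4 else 128}")
    return lines + list(indicators["domains"])


def suricata_rules(indicators, sid_start=9000001, label="sample"):
    """Emit one DNS-query rule per domain and one IP rule per contacted host."""
    rules, sid = [], sid_start
    for d in indicators["domains"]:
        rules.append(f'alert dns any any -> any any (msg:"Sandbox IOC {label} DNS query {d}"; '
                     f'dns.query; content:"{d}"; nocase; sid:{sid}; rev:1;)')
        sid += 1
    for ip in indicators["ips"]:
        rules.append(f'alert ip any any -> {ip} any (msg:"Sandbox IOC {label} contacted host {ip}"; '
                     f'sid:{sid}; rev:1;)')
        sid += 1
    return rules


if __name__ == "__main__":
    ind = extract_indicators(SAMPLE_REPORT)
    print("\n".join(firewall_blocklist(ind)))
    print("\n".join(suricata_rules(ind, label="goblin-panda-sample")))
```

Two design notes. The `dns.query; content:"…"` match in Suricata is a substring match, so an entry for a parent domain also fires on its subdomains, which is usually what you want for a C2 name but worth knowing before the rule goes live. And the hostname check is what makes the f-string safe: a validated name contains only letters, digits, hyphens and dots, none of which can close the `content` string or terminate the rule, whereas an unvalidated query such as `evil"; sid:1;` is silently dropped rather than pasted into the rule set.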
As you can see, Falcon Sandbox gives malware researchers and security operations teams safe, complete malware analysis, as well as all of the information needed to provide their organization with faster threat protection and response. Thanks for watching, and please visit us at crowdstrike.com.