How to Contain an Infected System
Crowdstrike’s advanced prevention and detection platform, Falcon, can often identify attacks that are currently running in an environment. In this situation, this Windows 10 host has been owned through a Meterpreter exploit designed to use encrypted traffic to avoid detection.
I’m going to start a continuous ping and download to illustrate both the speed and effectiveness of Falcon’s network contain feature. The ping will illustrate how quickly the command from the cloud-based console takes effect, and the purpose of the download is to highlight that a TCP session that has been established prior to the containing action will also be dropped.
In the activity dashboard, we’ll click on a new detections and see that the Windows 10 hosts I’m looking at has a couple of new alerts. Looking into the latest detection, we see PowerShell activity in Meterpreter being used to launch a suspicious file. Later, we see that Falcon detected Mimikatz attempting to run and steal credentials.
On the right in the execution details, we can see information about the command issued in PowerShell and then other associated behaviors. Toward the bottom, in the duration section, we see that the attack is currently in progress. At this point, it would make sense to contain the machine and take it offline.
Back toward the top is the network containment option. Here we can add notes in the audit log and then select confirm.
As soon as this is complete, I’ll move quickly back to the Windows 10 hosts, and we can now see that the ping is receiving a general failure alert, and the download has been interrupted.
Crowdstrike’s network containment immediately cuts off connections from everyone except the Crowdstrike cloud and then any other IP addresses the administrator chooses to allow during a network containment. This allows for management of the host, even when contained. The network containment will also survive a reboot, unlike other security products that exist.
Once remediation on the host is complete, we can quickly and easily uncontain the host by navigating to the host app. Contained hosts can easily be found by using the faceted search at the top, sorting on the status column, or just a quick visual inspection. In this case, we can clearly see which host is contained.
Clicking for more details will open the host info pane and expose the lift containment button. Again, we’ll enter any pertinent comments to the audit log and then select confirm. Moving quickly back to the host, we can see the pings start again. On the download, we can get the Resume button and see that the download is also connecting.
Falcon’s ability to quickly spot suspicious activity can also make it necessary to also take immediate action. As we’ve seen here, network containment is a quick and effective way to take that action. To try the product or learn more, check this out at crowdstrike.com.