Has CrowdStrike changed the way we view security tools?

If you are here for the fix:

1. Boot Windows into safe mode

2. Go to C:\Windows\System32\drivers\CrowdStrike

3. Delete C-00000291*.sys

4. Repeat for every host in your enterprise network including remote workers

5. If you’re using BitLocker, my condolences.
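As an added illustration (not from the original post and not CrowdStrike's own guidance), the following PowerShell script performs steps 2 and 3 on a single host booted into Safe Mode, recording the name, timestamp and hash of each file before it is removed so the change is auditable; the log location and the -WhatIf dry run are my assumptions.

```powershell
# Added example: audit-and-remove script for the remediation steps above.
# Run from an elevated PowerShell prompt after booting into Safe Mode.
# Assumptions (not from the post): log is written to C:\Temp\cs-remediation.log,
# and the script supports -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$DriverDir = 'C:\Windows\System32\drivers\CrowdStrike',
    [string]$Pattern   = 'C-00000291*.sys',
    [string]$LogPath   = 'C:\Temp\cs-remediation.log'   # assumed location
)

function Write-Log {
    param([string]$Message)
    $line = "{0:u} {1} {2}" -f (Get-Date), $env:COMPUTERNAME, $Message
    $null = New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

if (-not (Test-Path -LiteralPath $DriverDir)) {
    Write-Log "Driver directory not found: $DriverDir (sensor not installed?)"
    exit 1
}

# Only files matching the pattern from the fix are candidates; nothing else is touched.
$targets = Get-ChildItem -LiteralPath $DriverDir -Filter $Pattern -File -ErrorAction Stop
if (-not $targets) {
    Write-Log "No files matching $Pattern in $DriverDir; nothing to do"
    exit 0
}

foreach ($f in $targets) {
    # Record name, size, timestamp and hash before touching the file so the
    # removed file can be identified later (e.g. when comparing against vendor advisories).
    $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    Write-Log ("Found {0} size={1} mtime={2:u} sha256={3}" -f $f.Name, $f.Length, $f.LastWriteTimeUtc, $hash)
    if ($PSCmdlet.ShouldProcess($f.FullName, 'Remove')) {
        Remove-Item -LiteralPath $f.FullName -Force
        Write-Log "Removed $($f.FullName)"
    }
}
Write-Log 'Done; reboot normally and confirm the host stays up'
```

Run it once with -WhatIf to see what would be removed before running it for real.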

A big issue for CrowdStrike

CrowdStrike is one of the biggest, if not the biggest, market leaders when it comes to protecting endpoints, cloud workloads, identities and data. It's no wonder the CrowdStrike incident of 2024 came as a shock: who would have thought that a mass outage would be caused by CrowdStrike's Falcon endpoint protection software?

Snip from CrowdStrike's website, a tagline that aged like milk.

A series of unfortunate events

In the early hours of Friday the 19th, many users reported getting blue screens of death on their Windows-based computers. To the dismay of the whole tech industry, many went to Twitter (X) to ask what was happening.

This small-scale event very quickly turned into a full-scale cyber issue, with many speculating about a possible cyber attack. A large number of major industries were affected, including cloud service providers, airports and banks (https://en.wikipedia.org/wiki/2024_CrowdStrike_incident).

Silence broken

Eventually people realised that some part of CrowdStrike was causing the issue, and at this point the memes and jokes were in full swing, with many posting about not having to work and how the poor CrowdStrike intern who pushed to prod must be having a very bad day.

There was eventually a break in the onslaught of memes when CrowdStrike announced the reason for the boot loop:

“On July 19, 2024 at 04:09 UTC, as part of ongoing operations, CrowdStrike released a sensor configuration update to Windows systems. Sensor configuration updates are an ongoing part of the protection mechanisms of the Falcon platform. This configuration update triggered a logic error resulting in a system crash and blue screen (BSOD) on impacted systems.”

https://www.crowdstrike.com/blog/falcon-update-for-windows-hosts-technical-details/

According to CrowdStrike, these files (the C-00000291*.sys files referenced in the fix above) are used to help protect devices and are part of the behavioral protection mechanisms used by the Falcon sensor.

For most people this can be summed up as an “update” that caused the issue.

What does this mean moving forward?

Although the road ahead for IT teams may be a long one, this has called into question the prevalence of monolithic infrastructure and our heavy reliance on one type of system or device to hold up critical infrastructure. Do we need to rethink how we design networks and infrastructure?

Many people have said that it shows how easy Windows is to break; however, this event does not mean that moving to Linux or macOS would have seen any less of an impact had the same thing happened there. On both of those operating systems a kernel panic is a thing, and it can also be brought about by a legitimate application.

Personally, I still believe CrowdStrike to be one of the best solutions out there for EDR, among many other things. However, this has just highlighted the absolute need for pre-prod testing and diversifying networks within an organisation to help combat issues with one OS.
