eBook

HOW CROWDSTRIKE ALIGNS WITH THE

AUSTRALIAN CYBER SECURITY CENTRE
(ACSC)
Essential Eight Maturity Model
Introduction
The Australian Cyber Security Centre (ACSC) has developed
prioritised mitigation strategies, in the form of the Strategies to Mitigate
Cyber Security Incidents, to help organisations protect themselves
against various cyber threats. The most effective of these mitigation
strategies is the Essential Eight.

The Essential Eight has been designed to protect Microsoft Windows-based

internet-connected networks. While the principles behind the Essential
Eight may be applied to cloud services and enterprise mobility, or to
other operating systems, it was not primarily designed for such purposes
and alternative mitigation strategies may be more appropriate to
mitigate unique cyber threats to these environments. In such cases, the
CrowdStrike controls listed in this document also apply beyond Windows
environments.

The Essential Eight Maturity Model, first published in June 2017 and
updated regularly, supports the implementation of the Essential Eight. It
is based on the ACSC’s experience in producing cyber threat intelligence,
responding to cybersecurity incidents, conducting penetration testing and
assisting organisations to implement the Essential Eight.

2
This document shows how CrowdStrike and CrowdStrike Store
partners align to Maturity Level Two of the Essential Eight
Assessment Process Guide for each of the eight mitigation
strategies. As organisations progress through the Maturity levels,
the capabilities described in this document may also be applicable
in addressing the Control Description Test IDs. For more information
on how you can configure CrowdStrike Falcon® in line with the Test
Methodology, please engage your Account Team who can provide a
step-by-step process.

About CrowdStrike
CrowdStrike (Nasdaq: CRWD), a global cybersecurity leader, has redefined
modern security with the world’s most advanced cloud-native platform for
protecting critical areas of enterprise risk — endpoints and cloud workloads,
identity and data.

Powered by the CrowdStrike® Security Cloud and world-class AI, the

CrowdStrike Falcon® platform leverages real-time indicators of attack, threat
intelligence, evolving adversary tradecraft and enriched telemetry from across
the enterprise to deliver hyper-accurate detections, automated protection and
remediation, elite threat hunting and prioritized observability of vulnerabilities.

Purpose-built in the cloud with a single lightweight-agent architecture, the

Falcon platform delivers rapid and scalable deployment, superior protection and
performance, reduced complexity and immediate time-to-value.

CrowdStrike: We stop breaches. | Learn more: https://www.crowdstrike.com.au/

Follow us: Blog | Twitter

© 2023 CrowdStrike, Inc. All rights reserved.

3
Mitigation Strategy Maturity Level Two CrowdStrike Alignment CrowdStrike Store Partners
Test Descriptions

ML2-AC-01 - (Workstations & Internet- The rise of fileless attacks, which are carried out entirely in memory, is Developed by cybersecurity practitioners, Airlock
facing servers) A dedicated application making it hard for traditional security solutions to detect them. In 2022, Digital addresses the technical and organisational
control solution is implemented. 71% of all attacks were malware-free.1 challenges typically associated with allowlisting.
Airlock delivers purpose-built workflows that enable
ML2-AC-02 - (Workstations & Internet- The method of protection against fileless attacks through application rapid and scalable deployment while significantly
facing servers) The system is only able control lists all trusted processes to block unknown ones from reducing staffing resources required for day-to-day
to execute approved executables. executing. However, fileless attacks exploit vulnerabilities in legitimate, management. Airlock also provides rich file visibility
allowlisted apps or use OS executables, making it impossible to block across the organisation, by collecting and building
ML2-AC-03 - (Workstations & Internet- essential apps for both users and the OS. a centralised database of files seen within the
facing servers) The system is only able
environment. This data can be interrogated at any
to execute approved software libraries. XSL script processing is described in the MITRE ATT&CK® framework
time and is further enhanced by CrowdStrike Falcon
under ID T1220. Attackers may bypass application control and achieve
endpoint detection and response (EDR) telemetry.
ML2-AC-04 - (Workstations & Internet- execution of code by embedding scripts within XSL files. These files
facing servers) The system is only able contain code that performs formatting on XML files, which means
to execute approved scripts. that it can be a way to run code supplied by an attacker. Due to its

Application ML2-AC-05 - (Workstations & Internet-

legitimate functionality, attackers can use XSL to bypass application
allowlisting and execute arbitrary code.
facing servers) The system is only able
Control to execute approved installers. Wmic.exe is a command-line utility that comes pre-installed on all
versions of Windows and is used to access Windows Management
ML2-AC-06 - (Workstations & Internet- CROWDSTRIKE STORE DEMO
Instrumentation (WMI). An attacker can use the Wmic.exe to invoke
facing servers) The system is only able
the code from an XML file. According to MITRE’s ID T1220, an attacker
to execute approved compiled HTML
can also use WMI to perform code execution by using the /FORMAT
files.
switch. It’s also worth noting that Wmic.exe is capable of running code
from local or remote XSL files.
ML2-AC-07 - (Workstations & Internet-
facing servers) The system is only able
As you can see, fileless techniques are extremely challenging to
to execute approved HTML applications.
detect if you rely on signature-based methods, sandboxing, application
control or even machine learning protection methods.
ML2-AC-08 - (Workstations & Internet-
facing servers) The system is only able
to execute approved control panel
applets.

01
ML2-AC-09 - (Workstations & Internet-
facing servers) The system is logging
the application control product when it
allows and blocks execution.

1. Source: CrowdStrike 2023 Global Threat Report

4
Mitigation Strategy Maturity Level Two CrowdStrike Alignment CrowdStrike Store Partners
Test Descriptions

CrowdStrike uses a unique approach to application control as part of its

endpoint protection solution. This approach combines multiple methods
such as machine learning, custom rules, memory protection and file integrity
monitoring. By using these complementary methods, CrowdStrike provides
a powerful and integrated approach that delivers unrivaled endpoint
protection against fileless attacks and other cyber threats:

∎ CrowdStrike Falcon® Prevent (NGAV): CrowdStrike combines human

and machine intelligence to uncover new threats and enable high-fidelity
detections. Machine learning is implemented across the process lifecycle
in the CrowdStrike Falcon platform. In this demonstration we dive into
how machine learning is used and how it can benefit your organisation’s
security. DEMO

∎ CrowdStrike Falcon Prevent (Custom Rules): Customers can

leverage custom indicators of attack (IOAs) to add their own customised
rules to audit or protect against the testing methodology for this mitigation
Application strategy. Used alongside global CrowdStrike preventions, these
organisational indicators have unlimited potential to help organisations
Control identify events defined by specific applications and behaviors. DEMO

∎ CrowdStrike Falcon Prevent (Memory Protection): Because

malware-free or fileless attacks can be carried out entirely in memory,
detection can be challenging. But with new cutting-edge Advanced
Memory Scanning capabilities, organisations can quickly automate high-
performance scanning to detect the most advanced attacks. DEMO

∎ CrowdStrike Falcon® Insight XDR (Scheduled Searches): Falcon

Insight XDR can be used to automate queries, send notifications and
download event data as evidence to support the testing methodology.
DEMO

01
∎ CrowdStrike Falcon® FileVantage: CrowdStrike’s file integrity
monitoring solution streamlines your security operations. It provides real-
time insight for file, folder and registry changes, while offering valuable
contextual data around detections, adding further evidence and visibility.
DEMO

5
Mitigation Strategy Maturity Level Two CrowdStrike Alignment Technology Partners
Test Descriptions

ML2-PA-01 - A vulnerability scanner is Microsoft’s Patch Tuesday is dreaded by every security team. With Customers can build automated workflows using
run and reviewed at least weekly to scan dozens of new patches inundating your team every month, how do you CrowdStrike Falcon® Fusion integrated security
the organisation’s office productivity know which to prioritise? How do you know if you have visibility or risk orchestration automation and response (SOAR) to
suites, web browsers, email clients, PDF across applications? trigger incident ticket creation in ServiceNow IT Service
software and security products. Management (ITSM). Security and DevSecOps teams
SecOps staff for both government agencies and organisations are can leverage detections and incidents from the Falcon
ML2-PA-02 - A vulnerability scanner often pressed for time. With the plethora of critical and highly scored platform to help streamline incident management
is run and reviewed at least fortnightly vulnerabilities for applications, a common issue arises where not all and accelerate response capabilities. You can also
to scan the organisation’s other highly scored vulnerabilities are addressed in a timely manner. This orchestrate remediation of vulnerabilities by creating
applications. leaves organisations with gaps or flaws within their systems that threat ServiceNow tickets directly from Falcon Spotlight, and
actors use to exploit organisations for nefarious gain. easily configure the workflow to attach auto-generated
ML2-PA-03 - The organisation has an
reports, enabling you to track the remediation progress
effective process for patching office Historically, SecOps has relied on vendors to provide some
of your security team to improve efficiency and
productivity suites, web browsers, email prioritisation information around this large body of vulnerabilities — but
monitoring.
clients, PDF software and security that is no longer enough. With the limited amount of time typically
products within two weeks. allocated for patching and updating systems, critical vulnerabilities This ServiceNow ITSM plugin leverages Falcon Fusion
are not being remediated — a situation that can be potentially very to allow you to receive Falcon-generated alerts via
ML2-PA-04 - Office productivity suites, damaging.
Patch web browsers, email clients, PDF
ServiceNow ITSM.

software and security products do not CrowdStrike combines the power of its world-class machine learning
Applications have security vulnerabilities older than and unparalleled intelligence to arm every customer with the insight
two weeks. they need to prioritise patches and take action across workloads and
applications within your ecosystem.
ML2-PA-05 - Other applications that
CROWDSTRIKE STORE
have a vulnerability are patched or CrowdStrike Falcon® Spotlight offers organisations continuous and
mitigated within one month. real-time assessment of vulnerability exposure on their endpoints.
Falcon Spotlight’s native integration into the Falcon platform enables
customers to operationalise vulnerability assessment within a Build automated workflows using Falcon Fusion to
complete endpoint protection framework. Falcon Spotlight adds trigger issue creation in Jira. Security and DevSecOps
preparation and readiness to the unparalleled prevention, detection teams can leverage detections and incidents from the
and response provided by the Falcon platform, resulting in a stronger Falcon platform to help streamline incident management
security posture. and accelerate response capabilities. You can also
orchestrate remediation of vulnerabilities by creating

02
Falcon Spotlight: DEMO Jira issues directly from Falcon Spotlight, enabling you
to track the remediation progress of your security team
Falcon Spotlight (Automate Workflows): DEMO
to improve efficiency and monitoring.
CrowdStrike’s adversary-focused approach to its cloud-native
application protection platform (CNAPP) provides both agent-based
and agentless solutions delivered from the Falcon platform to extend
vulnerability assessment to DevOps. CrowdStrike enhances your
vulnerability management program by focusing on integrating security
into the CI/CD pipeline.
CROWDSTRIKE STORE

6
Mitigation Strategy Maturity Level Two CrowdStrike Alignment Technology Partners
Test Descriptions

As part of the functionality of CrowdStrike Falcon® Cloud Security, JumpCloud empowers your security operations,
customers have the ability to create verified image policies to ensure IT and DevOps teams to secure and manage your
that only approved images are allowed to progress through the CI/CD devices, all from a single platform. By integrating
pipeline and run in their hosts or Kubernetes clusters. with the CrowdStrike Falcon platform’s Real Time
∎ Falcon CNAPP: DEMO Response (RTR) commands to deploy the JumpCloud
agent, you can easily secure, update and manage the
CrowdStrike Falcon Fusion is the extensible response framework host’s operating system. With group-based patching
built on the CrowdStrike Falcon platform that enables the security and policies, you can quickly gain visibility and close
orchestration, automation and response (SOAR) of complex security gaps.
workflows. These workflows can be used to simplify tasks, accelerate
response and save valuable time for security teams when handling
incidents and, in this case, vulnerabilities workflows. Falcon Fusion is
included in the Falcon platform and available to all customers.
∎ Falcon Fusion: DEMO

∎ Falcon Plugins and Add-Ons: CROWDSTRIKE STORE

CROWDSTRIKE STORE

Why just focus on the inside out? Resilient cybersecurity posture

Patch can only be achieved with a full understanding of your internal and
external attack surface. As the attack surface expands, so does the Kenna.VM integrates with Falcon Spotlight to allow
Applications “community” of adversaries and cybercriminals exploiting externally security teams to focus their limited resources on
exposed assets to break into organisations around the globe. Gartner remediating the vulnerabilities that matter the most.
identified attack surface expansion as the number one trend in its Kenna layers CrowdStrike’s rich endpoint data with
most recent Top Security and Risk Management Trends for 2022,2 robust threat and vulnerability intel and advanced data
turning external attack surface management (EASM) into a critical tool science to identify and prioritise the vulnerabilities that
in the cybersecurity arsenal. pose a real risk to the organisation. With Kenna.VM
and CrowdStrike data, security teams are able to get a
CrowdStrike Falcon® Surface provides a uniquely differentiated
clearer accurate picture of risk within their environment,
EASM offering, delivering an adversary-driven EASM capability that
along with the actionable insight to make effective and
minimises risk from unknown, externally exposed assets. With Falcon
efficient remediation decisions.
Surface, security teams can close security gaps by employing an
outside-in view of the enterprise attack surface. This empowers teams
to prioritise and manage all exposed internet-facing assets that are

02
centralised or remote across on-premises environments, subsidiary,
cloud and third-party vendors — all with a zero-touch approach.

 artner Press Release, Gartner Identifies Top Security and Risk

2. G CROWDSTRIKE STORE
Management Trends for 2022, March 7, 2022. GARTNER is a registered
trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S.
and internationally and is used herein with permission. All rights reserved.

7
Mitigation Strategy Maturity Level Two CrowdStrike Alignment Technology Partners
Test Descriptions

Falcon Surface automatically prioritises risks by leveraging Improve security posture with NopSec Unified
CrowdStrike’s adversary intelligence to guide precise actions based VRM®️ as it continually ingests Falcon Spotlight
on the most critical risks, including natively integrating context of vulnerabilities and enriches the data with aggregated
industry-specific risks, CVE scores for vulnerabilities on exposed threat intelligence and context from over 30 different
assets, geolocation, attack history and asset type. sources to prioritise and accelerate vulnerability
remediation. Unified VRM consolidates and prioritises
∎ Falcon Surface (EASM): DEMO risks, putting an end to vulnerability fatigue.
Integration with industry-standard ticketing and
patching systems dramatically reduces the time
necessary to fix critical vulnerabilities.

Patch CROWDSTRIKE STORE

Applications Vulcan Cyber gives you the tools to effectively manage

the vulnerability and risk lifecycle for your cyber
assets, including application, cloud and infrastructure.
By integrating with your tools, including the
Falcon platform, you can better analyse and prioritise
your vulnerability and risk data to orchestrate
remediation. Playbooks automate communication and
collaboration between teams responsible for mitigation
and execute remediation actions when appropriate.

02 CROWDSTRIKE STORE

8
Mitigation Strategy Maturity Level Two CrowdStrike Alignment Technology Partners
Test Descriptions

ML2-OM-01 - Microsoft Office macros in While adversaries continue to innovate their tactics to remain under Mimecast and CrowdStrike protect organisations at
Microsoft Office files are unable to make the radar, tried-and-true techniques such as phishing remain popular both the secure email gateway and on endpoint devices.
Win32 API calls. among targeted and eCrime operators alike. In the CrowdStrike 2022 Joint customers can enhance threat protection through
Falcon OverWatch Threat Hunting Report, CrowdStrike Intelligence the integration of these industry-leading platforms. The
ML2-OM-02 - Allowed execution of assessed that adversaries began making the shift to using other integration shares intelligence derived from malware
a Microsoft Office macro within a methods in response to Microsoft’s announcement that it would begin detected at the Mimecast Secure Email Gateway with
Microsoft Office file is logged. disabling internet-enabled macros in Office documents by default. the CrowdStrike Falcon platform.

ML2-OM-03 - Blocked execution of Script-based threats such as BokBot and other fileless attacks
a Microsoft Office macro within a are on the rise because they can avoid detection from traditional
Microsoft Office file is logged.. file-inspection-based detection capabilities by leveraging trusted
applications that are part of the operating system, and also productivity
applications like Office, to interpret and execute malicious script
content. CROWDSTRIKE STORE

Falcon Prevent customers are protected from script-based attacks

Configure using the Falcon platform’s Script-Based Execution Monitoring feature. Proofpoint and CrowdStrike have partnered to
The Script Control feature implements a set of components that
Microsoft provides expanded visibility into a scripting language.
transform your security program and protect your
organisation from the ever-changing threat landscape.
Office ScriptControl provides AMSI-based and AMSI-emulation-based
Together, they improve your security efficacy and
enhance your visibility and context around threats.
Settings introspection of the PowerShell engine. ScriptControl allows the Falcon
sensor to block malicious operations that attempt to hide by translating
The orchestration and response capabilities make your
security team more productive.
high-level operations into multiple lower-level requests, such as:

∎ Contents of executed script files

∎ Typed strings on a PowerShell prompt

∎ Dynamically executed strings through the Invoke-Expression cmdlet

03
∎ Commands supplied as a command-line parameter, such as CROWDSTRIKE STORE
-EncodedCommand

This enables the prevention of malicious VBA macros in Microsoft

Office products as well as malicious VBScript, JScript and Excel 4.0
macros.

∎ Falcon Prevent (Script Control): BLOG

9
Mitigation Strategy Maturity Level Two CrowdStrike Alignment Technology Partners
Test Descriptions

ML2-AH-01 - Microsoft Office files Rather than simply relying on static signatures and heuristics, Developed by cybersecurity practitioners, Airlock
cannot create child processes security solutions need to do more to detect and protect against Digital addresses the technical and organisational
today’s targeted attacks. They need to identify behaviors that challenges typically associated with allowlisting.
ML2-AH-02 - Microsoft Office files indicate malicious activity. By identifying malicious or suspicious Airlock delivers purpose-built workflows that enable
cannot create executable content. behaviors, security solutions can protect against attacks that have rapid and scalable deployment while significantly
never been seen, including sophisticated fileless attacks. reducing staffing resources required for day-to-day
ML2-AH-03 - Microsoft Office files
management. Airlock also provides rich file visibility
cannot inject code into other processes. And because each organisation has unique circumstances and across the organisation, by collecting and building
environments to monitor and protect, tailored security can be a centralised database of files seen within the
ML2-AH-04 - Microsoft Office files do
needed for specific or very localised risks such as limiting use of environment. This data can be interrogated at any
not execute OLE packages.
infrequently used applications or detecting suspicious activity that time and is further enhanced by CrowdStrike Falcon
isn’t fundamentally malicious. EDR telemetry.
ML2-AH-05 - Microsoft Office security
settings are unable to be modified by a
Falcon Prevent uses the detailed event data collected by the Falcon
standard user account.
agent to develop baseline rules or indicators that identify and prevent
attacks that would otherwise leverage bad behaviors. CrowdStrike
ML2-AH-06 - PDF software cannot
tunes and expands those built-in indicators to offer immediate
create child processes.
protection against the latest attacks.
User ML2-AH-07 - PDF software security CROWDSTRIKE STORE DEMO
In addition to the included global IOAs, customers can create
Application settings are unable to be modified by a
standard user account.
custom IOA rules in the Falcon platform. Because advanced

Hardening ML2-AH-08 - The Microsoft guidance

tactics can be narrowly directed, tailored rules (e.g., preventing
Office from executing files) give customers the ability to create
Talon Cyber Security secures SaaS and
web-based applications with TalonWork, its
for hardening Microsoft Edge is specific behavioral detections based on what they know about their
Secure Enterprise Browser. By integration with
implemented. environment, applications, specific tools and expected behaviors.
CrowdStrike Falcon® Intelligence, you gain a
The CrowdStrike Falcon® Zero Trust Assessment (ZTA) expands hardened Chromium-based browser that provides
ML2-AH-09 - The Google guidance
Zero Trust beyond authentication to enable detection, alerting and deep visibility and control to defend against malware
for hardening Google Chrome is
enforcement of conditional access based on device health and and prevent data loss from unmanaged endpoints.
implemented.
compliance checks to mitigate risks. With expanded support for Seamlessly reduce cyber risk and simplify meeting
ML2-AH-10 - The ACSC guidance macOS and Linux, Falcon ZTA provides visibility into all endpoints audit and compliance requirements by easily verifying
for hardening Microsoft Office is running across all operating platforms in an organisation. any endpoint’s security posture before granting users
implemented. OR The Microsoft Falcon ZTA monitors over 120 different unique endpoint settings, access to corporate systems. With an intuitive cloud-
guidance for hardening Microsoft Office including sensor health, applied CrowdStrike policies and native based management console, it’s easy for central

04
is implemented. operating system (OS) security settings; these settings are a few administrators to configure TalonWork features, set
of those recommended by the guidelines set forth by Microsoft and policies, manage browser extensions, audit activities,
ML2-AH-11 - Vendor guidance for the Center for Internet Security. Customers also receive actionable demonstrate compliance, and detect, investigate and
hardening PDF software is implemented. reports on findings via the Falcon console and APIs to ensure that resolve security incidents.
the highest degree of device security is enforced.
ML2-AH-12 - PowerShell scripts that
have been blocked are logged.
Falcon Insight (ZTA): DEMO

Falcon Insight (ZTA Integrations): BLOG

CROWDSTRIKE STORE
10
Mitigation Strategy Maturity Level Two CrowdStrike Alignment Technology Partners
Test Descriptions

ML2-RA-01 - A process for disabling known privileged Access brokers are threat actors who acquire access to Combine best-in-class solutions for
accounts exists and is enforced. Users are made aware organisations and provide or sell this access to other actors, identity management and endpoint
of this requirement when being provisioned with a including ransomware operators. As outlined in the CrowdStrike security to strengthen and simplify
privileged account. 2023 Global Threat Report, the popularity of their services secure remote access for trusted
increased in 2022, with more than 2,500 advertisements for users and devices. Okta and
ML2-RA-02 - There are no privileged accounts that have
access identified — a 112% increase compared to 2021. CrowdStrike have a deeply integrated
an Active Directory expiry date that is greater than 12
joint solution that centralises visibility
months or do not have an expiry date. Why would an attacker hack into a system when they can simply
and supplies critical user and device
use stolen credentials to masquerade as an approved user and log
ML2-RA-03 - A process for disabling privileged accounts context to access requests. You get
in to the target organisation?
that have not been used for 45 days exists and is the data-driven insights you need to
enforced by the entity. Evidence exists for the usage of Once inside, attackers increasingly target Microsoft Active support reliable, automated access
the 45 days inactive disabling process, including support Directory (AD) because it holds the proverbial keys to the decisions, so your teams can support
tickets or administrative logs that show accounts were kingdom, providing broad access to the systems, applications, remote team productivity while
disabled. resources and data that adversaries exploit in their attacks. When keeping the enterprise safe.
an attacker controls the keys, they can control the organisation.
ML2-RA-04 - There are no enabled privileged accounts
that have a lastlogondate that is greater than 45 days. The problem for security teams and CISOs is they often lack
visibility into the risk presented by AD and identity threats.
Restrict ML2-RA-05 - Where a privileged environment is
virtualised, the virtualised image is not located in an
With thousands of identities and configurations to manage,

Administrative unprivileged environment. This includes virtual machines

understanding the level of risk and enforcing AD hygiene can be
difficult. But because the ability to detect and stop identity-based
CROWDSTRIKE STORE
on a standard unprivileged SOE.
Privileges ML2-RA-06 - Servers are configured to not allow remote
attacks is critical to stopping breaches, understanding the risk that
your AD creates is the best place to start. The CyberArk PAM as a Service
access traffic or connections from systems that are not solution leverages leading automation
CrowdStrike Falcon® Identity Threat Detection (ITD) represents
jump servers. technologies to protect your business
the first level of detection for AD security. Falcon ITD provides
as it grows. The Conditional Access
ML2-RA-07 - The Microsoft Local Administrator visibility for identity-based attacks and anomalies, comparing live
integration allows clients to leverage
Password Solution (LAPS) or a similar solution is traffic against behavior baselines and rules to detect attacks and
the Falcon ZTA risk score when
implemented on Windows workstations and servers. lateral movement. It provides real-time AD security alerts on rogue
determining what level of privileged
users and sideways credential movement within the network or
ML2-RA-08 - Services account passwords are generated access can be granted to a user. If the
cloud.
to be long, unique and unpredictable. Service account Falcon ZTA score exceeds a certain
passwords are stored in a secure location, such as a threshold, the user can be blocked
password manager or a Privileged Access Management or their access can be limited until

05
solution. the issues on the endpoint have been
resolved.
ML2-RA-09 - Passwords should be changed at least
once every 12 months.

ML2-RA-10 - Successful and failed logins of privileged

accounts are logged.

ML2-RA-11 - Changes made to privileged accounts and

groups within Active Directory are logged.
CROWDSTRIKE STORE

11
Mitigation Strategy Maturity Level Two CrowdStrike Alignment Technology Partners
Test Descriptions

Falcon ITD enables you to: The AI-powered ForgeRock Identity

Platform is both comprehensive and
simple to use. It is the only platform
∎ See all organisational service accounts, privileged users and
that includes full-suite identity and
user credentials and attributes
access management (IAM) and identity
∎ Add the context of “who” to network attack discovery and governance and administration (IGA)
investigation, with behavioral analysis for each credential capabilities; can be implemented
across an organisation for all identities
∎ Track every authentication transaction, and alert when the
(workforce, consumers, things); and
risk is elevated (e.g., accessing new systems or being granted
offers feature parity across all delivery
additional privileges), or if the traffic is abnormal (varies from
options, including on-premises, any
normal patterns of the user behavior)
cloud environment, multi-cloud, hybrid
∎ Expand understanding for both architecture and security and as a service. Choose the best
teams by combining context of authentication-level events with authentication method for your users
recommended best practices for network security and applications based on endpoint
intelligence from CrowdStrike.
Restrict Seeing user authentication activity everywhere, from local legacy

Administrative apps to your cloud environment stack, is the first step toward
effectively managing AD security for identity and access.
Privileges CrowdStrike offers a complimentary Active Directory Risk Review
to help security teams achieve visibility, understand risk and
gain insights into the proactive steps that stop identity-based
attacks before they happen. The risk review is powered by the
CrowdStrike Falcon® Identity Threat Protection (ITP) module,
native to the Falcon sensor. CROWDSTRIKE STORE

Falcon ITP: DEMO

Falcon ITP (Lateral Movement): DEMO

Identity theft and overly permissive accounts are also major

challenges faced by organisations in public and hybrid cloud

05
environments. As demonstrated with the Sunburst attack, the
adversary is looking to take advantage of the human error and
misconfigurations that can be common with cloud deployments.
Leveraging CrowdStrike’s wealth of cloud experience,
CrowdStrike Falcon® Cloud Security provides cloud security
posture management (CSPM) to help organisations identify those
security issues and indicators of misconfiguration (IOMs) and
IOAs.

Falcon Cloud Security (Secure Identity Services): DEMO

Falcon Cloud Security (CIEM): DEMO

12
Mitigation Strategy Maturity Level Two CrowdStrike Alignment Technology Partners
Test Descriptions

ML2-PO-01 - A vulnerability scanner is run Microsoft’s Patch Tuesday is dreaded by every security team. Customers can build automated workflows using
and reviewed at least weekly to scan the With dozens of new patches inundating your team every month, Falcon Fusion to trigger incident ticket creation
organisation’s operating systems. how do you know which to prioritise? How do you know if in ServiceNow ITSM. Security and DevSecOps
you have visibility of every workload? And let’s not forget that teams can leverage detections and incidents
ML2-PO-02 - The organisation has an macOS and Linux carry their own vulnerabilities that need to be from the Falcon platform to help streamline
effective process for patching operating mitigated. incident management and accelerate response
systems within two weeks. capabilities. You can also orchestrate remediation of
Driven by all of the new technologies being adopted and vulnerabilities by creating ServiceNow tickets directly
ML2-PO-03 - Operating systems that have a the move to the cloud, the number and types of assets an from Falcon Spotlight, and easily configure the
vulnerability are patched or mitigated within organisation has to manage increased nearly fourfold over the workflow to attach auto-generated reports, enabling
two weeks. last 10 years.3 As a result, organisations are at risk to adversaries, you to track the remediation progress of your
who continually conduct reconnaissance to identify, target and security team to improve efficiency and monitoring.
exploit soft targets and vulnerabilities.

The proliferation of assets also creates an untenable situation

for IT to minimise service disruption as asset configurations are
changed and patches are applied. Gaining visibility and being
able to manage both known and unknown assets are critical to
Patch maintaining proper security hygiene and a proactive security
CROWDSTRIKE STORE
posture, but remain an unsolved challenge for nearly every
Operating organisation.

Systems CrowdStrike Asset Graph dynamically monitors and tracks the Build automated workflows using Falcon Fusion
complex interactions among assets, providing a single holistic to trigger issue creation in Jira. Security and
view of the risks those assets pose, including vulnerabilities. DevSecOps teams can leverage detections
CrowdStrike Asset Graph provides graph visualisations of the and incidents from the Falcon platform to help
relationships among all assets such as devices, users, accounts, streamline incident management and accelerate
applications, cloud workloads and operations technology (OT), response capabilities. You can also orchestrate
along with the rich context necessary for proper security hygiene remediation of vulnerabilities by creating Jira issues
and proactive security posture management to reduce risk in directly from Falcon Spotlight, enabling you to track
their organisations — without impacting IT. the remediation progress of your security team to
improve efficiency and monitoring.
Within CrowdStrike Asset Graph, a new relationship mapping
tool provides a comprehensive visual map of how assets are

06
connected to each other, including how many steps an internet-
exposed device is from business-critical assets to trace and
shutdown potential adversary paths before they can be used.

CROWDSTRIKE STORE
3. Source: https://www.crowdstrike.com/blog/introducing-
crowdstrike-asset-graph/

13
Mitigation Strategy Maturity Level Two CrowdStrike Alignment Technology Partners
Test Descriptions

CrowdStrike Falcon® Discover, the Falcon platform’s IT hygiene JumpCloud empowers your security operations,
module, is powered by CrowdStrike Asset Graph, feeding it IT, and DevOps teams to secure and manage your
information on assets where the Falcon agent is deployed. devices, all from a single platform. By integrating
CrowdStrike Asset Graph can then provide high-level information with the CrowdStrike Falcon platform’s Real
about all assets in your environment such as operating systems, Time Response (RTR) commands to deploy the
manufacturer and model, and whether the asset is managed, JumpCloud agent, you can easily secure, update,
unmanaged, or unsupported by the Falcon sensor or even out of and manage the host’s operating system. With
support with Microsoft. group-based patching and policies, you can quickly
gain visibility and close security gaps.
CrowdStrike Asset Graph Top Insights for an asset provides
visibility into critical vulnerabilities, recommended remediations
and last patch installed date to quickly prioritise patching efforts.
A single-click pivot from the asset view takes you to
Falcon Spotlight for a more comprehensive view of the
vulnerabilities and options to expand the search to understand
how broad the risk is.
Patch CROWDSTRIKE STORE
Falcon Spotlight, as highlighted in the Patch Applications
Operating mitigation strategy, offers organisations continuous and real-time
assessment of vulnerability exposure on their workloads.
Systems Its native integration into the Falcon platform enables customers
Kenna.VM integrates with Falcon Spotlight to allow
security teams to focus their limited resources
to operationalise vulnerability assessment within a complete
on remediating the vulnerabilities that matter the
endpoint protection framework. Falcon Spotlight coverage for
most. Kenna layers CrowdStrike’s rich endpoint
operating systems also adds response actions delivered via
data with robust threat and vulnerability intel and
emergency patching within the Falcon Spotlight dashboard or
advanced data science to identify and prioritise
available via API:
the vulnerabilities that pose a real risk to the
∎ Falcon Spotlight: DEMO organisation. With Kenna.VM and CrowdStrike data,
security teams are able to get a clearer accurate
∎ Falcon Spotlight (Automate Workflows): DEMO picture of risk within their environment, along
with the actionable insight to make effective and
∎ Falcon Spotlight (Emergency Patching): DEMO efficient remediation decisions.

06 CROWDSTRIKE STORE

14
Mitigation Strategy Maturity Level Two CrowdStrike Alignment Technology Partners
Test Descriptions

Falcon Fusion is an extensible framework built on the Falcon Improve security posture with NopSec Unified
platform that allows the orchestration and automation of VRM®️ as it continually ingests Falcon Spotlight
complex workflows. These workflows can be used to simplify vulnerabilities and enriches the data with
tasks, accelerate response and save valuable time for security aggregated threat intelligence and context
teams when handling incidents, and in this case vulnerabilities from over 30 different sources to prioritise and
workflows. Falcon Fusion is included in the Falcon platform and accelerate vulnerability remediation. Unified
available to all customers. VRM consolidates and prioritises risks, putting
an end to vulnerability fatigue. Integration with
∎ Falcon Fusion (Built-in Workflows): DEMO industry-standard ticketing and patching systems
dramatically reduces the time necessary to fix
∎ Falcon Plugins and Add-Ons: STORE
critical vulnerabilities.

Patch
Operating CROWDSTRIKE STORE

Systems
Vulcan Cyber gives you the tools to effectively
manage the vulnerability and risk lifecycle for
your cyber assets, including application, cloud
and infrastructure. By integrating with your tools,
including the Falcon platform, you can better
analyse and prioritise your vulnerability and
risk data to orchestrate remediation. Playbooks
automate communication and collaboration
between teams responsible for mitigation and
execute remediation actions when appropriate.

06 CROWDSTRIKE STORE

15
 Mitigation Strategy Maturity Level Two CrowdStrike Alignment CrowdStrike Store Partners
Test Descriptions

ML2-MF-01 - A privileged user who is Access brokers have become a key component of the Combine best-in-class solutions for identity
performing administrative activities is eCrime threat landscape, selling access to threat actors and management and endpoint security to strengthen
required to respond to an MFA challenge facilitating a myriad of criminal activities. Many access brokers and simplify secure remote access for trusted users
at some point in the authentication have established relationships with big game hunting (BGH) and devices. Okta and CrowdStrike have a deeply
lifecycle. This can be implemented when ransomware operators and affiliates of prolific integrated joint solution that centralises visibility and
authenticating to a machine (such as a ransomware-as-a-service (RaaS) programs. supplies critical user and device context to access
jump server) or when attempting to raise requests. You get the data-driven insights you need
privileges. The organisation has a list of Many intrusion scenarios, as highlighted in the to support reliable, automated access decisions, so
systems that have privileged users or CrowdStrike 2022 Falcon OverWatch Threat Hunting Report, your teams can support remote team productivity
support privileged functions. feature the exploitation of remote access services and the use while keeping the enterprise safe.
of RDP and some form of valid account.
ML2-MF-02 - The organisation requires that
internet-facing services use multi-factor Multifactor authentication (MFA) has become a crucial method
authentication that uses either: something for controlling access to critical applications and resources,
users have and something users know, or and a key control in deterring threat actors who purchase
something users have that is unlocked by compromised credentials from access brokers.
CROWDSTRIKE STORE
something users know or are.
One way to enforce identity verification is to trigger MFA every
Multi-Factor ML2-MF-03 - The organisation requires time a user tries to access a resource or application. This can
Beyond Identity eliminates the vulnerabilities of
that privileged users utilise multi-factor create MFA fatigue, which not only may reduce user productivity
Authentication authentication that uses either: something but also potentially creates a risk scenario in which the user
passwords and the inconvenience of traditional
MFA. It ensures high confidence in identity claims
users have and something users know, or inadvertently allows access to a malicious sign-in attempt. by cryptographically binding a user identity to their
something users have that is unlocked by devices. The solution leverages X.509 certificates
Customers using Falcon identity protection solutions gain a and the TLS protocol without any certificate
something users know or are.
better user experience and improved security with risk-based management required by customers.
ML2-MF-04 - The organisation’s internet- MFA: The user’s trust is evaluated in real time to determine
whether to allow access to specific resources even before The integration of Beyond Identity’s advanced,
facing systems log successful MFA attempts.
the authentication request hits the AD. With baselines and passwordless MFA with CrowdStrike’s leading
endpoint protection stops the two most prevalent
ML2-MF-05 - Administrative access dynamic risks tied to every identity and its behavior, malicious
sources of ransomware and account takeover
connections log successful MFA attempts. activity — such as lateral movement, risky behavior, unusual
attacks: passwords and compromised endpoints.
endpoint usage, privilege escalation and malicious RDP login
ML2-MF-06 - The organisation’s internet- attempts — is detected and challenged in real time without The integration provides a critical and foundational
facing systems log unsuccessful MFA requiring cumbersome log analytics or point solutions. layer for Zero Trust, enabling an extremely high-
attempts. trust method of authenticating users (employees,

07
Prioritising security controls in these areas, such as contractors, and consultants) and ensuring they are
ML2-MF-07 - Administrative access implementing MFA, would help in many cases. When it comes to only able to gain access from endpoint devices that
connections log unsuccessful MFA attempts.. hunting for precursors of ransomware activity, identifying lateral meet security policy requirements and those that
movement between critical assets such as domain controllers are given a clean bill of health by Beyond Identity
and backup servers is also crucial. and CrowdStrike.

CROWDSTRIKE STORE
16
Mitigation Strategy Maturity Level Two CrowdStrike Alignment CrowdStrike Store Partners
Test Descriptions

Falcon identity protection solutions automatically classify TruU replaces hackable passwords with
and assess the privileges of all identities — think of it as continuously validated identity that adapts to
next-generation privileged access security — with visibility and how people work so they can be protected and
security control of all accounts tied to AD, Azure AD and SSOs productive.
like Okta, Ping and Active Directory Federation Services (ADFS).
With identity segmentation and visibility into behavior and risks TruU and CrowdStrike take the Falcon ZTA score
for all users, organisations can restrict access to high-value from the endpoint and combine that into the TruU
resources and stop ransomware attacks from progressing, thus risk score using the TruU Risk Engine. The TruU
allowing organisations to adopt a broader identity protection risk score is compared against the score indicated
strategy. by the policy threshold and if the score is within the
bounds, the user is logged into the computer with
The identity attack surface can also be influenced by a single non- TruU presence alone. If the score is higher than the
privileged account, so you shouldn’t narrow security efforts to only threshold then another factor is required for access.
privileged accounts. It is important to understand that traditional
privileged access management (PAM) solutions provide visibility
into only privileged accounts. In addition to requiring careful
planning to deploy and configure a PAM solution, organisations
should consider the probability that jump servers can be
Multi-Factor bypassed and password vaults can be compromised.

Authentication Think of PAM as an “operational” solution to “manage”

privileged accounts. For example, PAM solutions do not prevent CROWDSTRIKE STORE
the misuse of valid credentials, they only manage the use of
privileged accounts — however, a privileged account from PAM
could still be used by a skilled adversary to go undetected
within a customer environment.

Falcon identity protection solutions can complement your

PAM solution by enabling holistic visibility, analytics and
protection for your privileged identities and service accounts,
and enforcement of risk-based MFA — improving the user
experience for your administrators.

∎ Falcon ITP (Zero Trust): DEMO

07
CrowdStrike Falcon® Intelligence Recon, CrowdStrike’s digital
risk protection solution, goes beyond the dark web to include
forums with restricted access on the deep web, breach data
and messaging apps — all resources commonly used by
access brokers to trade or advertise. Falcon Intelligence Recon
provides customers with an increased level of situational
awareness and helps uncover potential malicious activity before
eCrime adversaries have the chance to exploit it.

∎ Falcon Intelligence Recon: DEMO

17
Mitigation Strategy Maturity Level Two CrowdStrike Alignment CrowdStrike Store Partners
Test Descriptions

ML2-RB-01 - Privileged users (excluding ECrime adversaries remain highly capable, particularly if measured by
backup administrator accounts) are the speed at which they can move through a victim’s environment. An
unable to access backups that do not important Falcon OverWatch speed measurement is breakout time: the
belong to them. time an adversary takes to move laterally, from an initially compromised
host to another host within the victim environment. According to the
ML2-RB-02 - Privileged users (excluding
backup administrator accounts) are CrowdStrike 2022 Falcon OverWatch Threat Hunting Report, of the
unable to modify and delete backups. hands-on eCrime intrusion activity observed between July 2021 and
June 2022 where breakout time could be derived, the average was just
1 hour 24 minutes. Moreover, the Falcon OverWatch team found that
in 30% of those eCrime intrusions, the adversary was able to move
laterally to additional hosts in under 30 minutes.

Without a data backup, companies are often at a complete loss when

a ransomware attack occurs. Backups are normally the quickest and
most reliable way to recover.

The LockBit ransomware family has constantly been adding new

capabilities, including tampering with Microsoft Server Volume
Regular Shadow Copy Service (VSS) and System Restore by interacting with
the legitimate Windows tools. Capabilities such as lateral movement
Backups or destruction of shadow copies are some of the most effective and
pervasive tactics ransomware uses.

The tampering and deletion of VSS shadow copies is a common

tactic to prevent data recovery. Adversaries will often abuse
legitimate Microsoft administrator tools to disable and remove VSS
shadow copies. Common tools include Windows Management
Instrumentation (WMI), BCDEdit (a command-line tool for managing
Boot Configuration Data) and vssadmin.exe.

LockBit 2.0 utilises the following WMI command line for deleting
shadow copies and disabling system recovery:

C:\Windows\System32\cmd.exe /c vssadmin delete

08
shadows /all /quiet & wmic shadowcopy delete
& bcdedit /set {default} bootstatuspolicy
ignoreallfailures & bcdedit /set {default}
recoveryenabled no

The use of preinstalled operating system tools, such as WMI, is

not new. Still, adversaries have started abusing them as part of the
initial access tactic to perform tasks without requiring a malicious
executable file to be run or written to the disk on the compromised
system.

18
Mitigation Strategy Maturity Level Two CrowdStrike Alignment CrowdStrike Store Partners
Test Descriptions

Falcon Prevent takes a layered approach to detecting and preventing

ransomware developed by eCrime actors, by using behavior-based
IOAs and advanced machine learning, among other capabilities.
CrowdStrike is committed to continually improving the efficacy of its
technologies against known and unknown threats and adversaries.

CrowdStrike’s enhanced IOA detections accurately distinguish

malicious behavior from benign, resulting in high-confidence
detections. This is especially important when ransomware shares
similar capabilities with legitimate software, like backup solutions.
Both can enumerate directories and write files that on the surface
may seem inconsequential, but when correlated with other indicators
on the endpoint, can identify a legitimate attack.

The Falcon platform offers protection against ransomware incidents,

which is increasingly valuable as the popularity of ransomware
continues to rise. CrowdStrike’s approach is to stop ransomware
from infecting a system and encrypting its files. CrowdStrike believes
Regular a prevention approach is absolutely necessary because decryption
is often impossible and no organisation wants to pay the ransom,
Backups leaving often-cumbersome restoration from backups as a last resort.

Falcon Prevent protects shadow copies from being tampered with,

adding another protection layer to mitigate ransomware attacks.
Protecting shadow copies helps potentially compromised systems
restore encrypted data with much less time and effort. Ultimately, this
helps reduce operational costs associated with person-hours spent
spinning up encrypted systems post-compromise.

The Falcon platform can prevent suspicious processes from

tampering with shadow copies and performing actions such as
changing file size to render the backup useless. For instance, should
a LockBit 2.0 ransomware infection occur and attempt to use the
legitimate Microsoft administrator tool (vssadmin.exe) to manipulate

08
shadow copies, Falcon immediately detects this behavior and
prevents the ransomware from deleting or tampering with them.

19
Mitigation Strategy Maturity Level Two CrowdStrike Alignment CrowdStrike Store Partners
Test Descriptions

By combining the Falcon Fusion integrated SOAR solution with

Falcon RTR, which provides surgical remote remediation capabilities,
responders are able to automate post-remediation actions including:
running checks on the system to ensure it is clean, running custom
scripts and executables, issuing automated notifications via
collaboration channels like email, Slack or Microsoft Teams, and
updating ticket status on IT management systems like ServiceNow
and Jira.

∎ Falcon Prevent (Falcon RTR): Falcon RTR is a tool that can provide
as many unique solutions as there are threats. Because response
to a cybersecurity incident can be as unique as the attack itself,
there is no “one-click-fixes-all” solution. DEMO

∎ Falcon Fusion: Falcon Fusion integrates with Falcon RTR to provide

powerful incident response and remediation across the entire
Falcon platform via a simple drag-and-drop experience that works
at scale across a multi-platform technology stack. DEMO
Regular
Backups

08 20