CrowdStrike's Critical Slip-Up: What Investors and Law Makers Need to Know - Part 1 - Understanding
Andi Kerenxhi, CFA
Building AI for Investors seeking to capture alpha | Ubineer President |
Quick Disclaimer:
This content is for informational purposes only; you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained here constitutes a solicitation, recommendation, endorsement, or offer by Ubineer Corp. or Andi Kerenxhi to buy or sell any securities or other financial instruments in this or in any other jurisdiction in which such solicitation or offer would be unlawful under the securities laws of such jurisdiction.
All Content in this article is information of a general nature and does not address the circumstances of any particular individual or entity. Nothing in the article constitutes professional and/or financial advice, nor does any information in the article constitute a comprehensive or complete statement of the matters discussed or the law relating thereto. Ubineer Corp. is not a fiduciary but a software company. You alone assume the sole responsibility of evaluating the merits and risks associated with the use of any information or other Content in this article before making any decisions based on such information or other Content. In exchange for reading this article, you agree not to hold Ubineer Corp. or Andi Kerenxhi, their affiliates or any third-party service provider liable for any possible claim for damages arising from any decision you make based on information or other Content made available to you through this article.
I believe it’s fair to say that most of the investment and lawmaker community have heard about CrowdStrike (Ticker: CRWD) recently. Having spent almost a decade as a software equity analyst and now almost half a decade building software for investors, I feel I have a unique point of view that is worth sharing with you all. In this article I will share my mental model and analysis, and I hope to provide investors with a clear understanding of what happened July 19th. If this post gains some traction, I will also share my view on the potential implications, and what key factors investors and politicians should start to consider moving forward. Additionally, I will share Ubineer’s CrowdStrike estimates for next quarter free of charge once they are available.
Follow me on LinkedIn, X or Threads for updates to this story and more.
Let’s talk about July 19th straight from the source: CrowdStrike's technical details post and the Preliminary Post Incident Review (PIR). Here are the most important points for investors and law makers, followed by my 20-step interpretation.
Key quotes from the technical details:
This issue is not the result of or related to a cyberattack.
The update that occurred at 04:09 UTC was designed to target newly observed, malicious named pipes being used by common C2 frameworks in cyberattacks. The configuration update triggered a logic error that resulted in an operating system crash.
CrowdStrike has corrected the logic error by updating the content in Channel File 291. No additional changes to Channel File 291 beyond the updated logic will be deployed. Falcon is still evaluating and protecting against the abuse of named pipes.
This is not related to null bytes contained within Channel File 291 or any other Channel File.
Key quotes from the PIR:
On Friday, July 19, 2024 at 04:09 UTC, as part of regular operations, CrowdStrike released a content configuration update for the Windows sensor to gather telemetry on possible novel threat techniques.
CrowdStrike delivers security content configuration updates to our sensors in two ways: Sensor Content that is shipped with our sensor directly, and Rapid Response Content that is designed to respond to the changing threat landscape at operational speed. The issue on Friday involved a Rapid Response Content update with an undetected error.[...] The event of Friday, July 19, 2024 was not triggered by Sensor Content, which is only delivered with the release of an updated Falcon sensor.
Rapid Response Content provides visibility and detections on the sensor without requiring sensor code changes. This capability is used by threat detection engineers to gather telemetry, identify indicators of adversary behavior and perform detections and preventions. Rapid Response Content is behavioral heuristics, separate and distinct from CrowdStrike’s on-sensor AI prevention and detection capabilities.
Due to a bug in the Content Validator, one of the two Template Instances passed validation despite containing problematic content data.
When received by the sensor and loaded into the Content Interpreter, problematic content in Channel File 291 resulted in an out-of-bounds memory read triggering an exception. This unexpected exception could not be gracefully handled, resulting in a Windows operating system crash (BSOD).
Mapping what happened in 20 steps
- Computer Startup: When you power on your device, the BIOS loads, followed by hardware checks and the bootloader. The kernel is then loaded into memory. The kernel is the core of the Windows operating system.
- Windows Startup Drivers Load: Essential drivers bridge how the computer talks with hardware (graphics cards, mouse, keyboard, printer, ethernet etc.). One of these drivers is 'CSAgent.sys' from CrowdStrike. [If you want a deeper understanding of drivers, look at the Appendix definition section]
- CrowdStrike Falcon EDR Sensor Initialization: 'CSAgent.sys' is activated, loading the Falcon EDR sensor. It then waits for instructions from the Sensor Content. [For more details on Falcon EDR see Appendix]
- The Sensor Content: Sensor Content is the foundation of CrowdStrike's threat detection. It includes pre-defined rules for handling known and common threats. Additionally, it includes pre-defined "Template Types".
- Template Types: Template Types are like blueprints for how the Sensor can handle specific threat behaviors not identified in the Sensor Content. After Template Types are loaded, the Content Interpreter initializes.
- Content Interpreter: The Content Interpreter has the ability to read and translate Channel Files (configuration files) like 'C-00000291-XXXXXXX.sys'.
- Sensor Detection Engine Starts: CrowdStrike Falcon EDR begins monitoring system activity.
- Continuous System Monitoring: The sensor actively analyzes system behavior for threats. It then wants to ping the CrowdStrike Cloud for updates, so it sends a message to the 'CSAgent.sys' driver.
- The 'CSAgent.sys' driver then gathers the right internet resources to send a request to the CrowdStrike Cloud.
- CrowdStrike Falcon Cloud Platform: The CrowdStrike Falcon Cloud Platform has a massive database of threats. Let's refer to this as their Threat Intelligence IP. To update their clients' Sensors, CrowdStrike sends Rapid Response Content configuration files, or channel files, via the internet.
- Rapid Response Content: Rapid Response Content is how CrowdStrike creates rules and instructions for their Sensor to help it detect cyber threats. These rules are created using the Content Configuration System in the Cloud.
- Content Configuration System: Security engineers use the Content Configuration System to create Template Instances, and they write these instances into channel (configuration) files. One such file was 'C-00000291-XXXXXXX.sys'.
- Template Instances: This is where the actual detection logic lives. The best way to think of this is to think of the Channel File as a recipe book. The recipe book is divided into different sections such as Cookies, Cakes, Appetizers and so on. Each section describes the recipes to be cooked using a different type of Template. CrowdStrike refers to these Templates as Template Types. Template Types keep the Sensor organized and help it know what type of threat it is investigating. A Template Instance is like the step-by-step recipe of what the Sensor should look for.
- Unfortunately for CrowdStrike, the faulty Template Instance was meant to configure a Template Type designed to monitor and detect malicious use of named pipes. Named pipes are like private communication channels within the Windows operating system and the hardware that runs it. Applications use them to exchange data, like sending a Word document to your printer.
- Let's say a security engineer creates the "Block-Suspicious-Word-Macros" Template Instance. They make a mistake in their configuration by giving a broad rule like: "If a Word document (.docx) contains the word 'invoice,' block it and alert the user." The problem is that now your CEO, CFO and accounting department can't print any invoices.
- In February 2024, CrowdStrike introduced the "IPC Template Type", which provided the Falcon EDR Sensor Agent with the ability to understand and analyze named pipe activity. A faulty Template Instance is created by the CrowdStrike security engineers using the Content Configuration System. [Think of it as an appetizer recipe that makes you sick.] CrowdStrike has created a Content Validator to find faulty Template Instances.
- Content Validator: The Content Validator had a code bug in it and did not catch the faulty Template Instance.
- Channel File: The faulty instructions are packaged into the Channel File 'C-00000291-XXXXXXX.sys', which is delivered via the internet to the Falcon sensor on the user's computer.
- Content Interpreter: The Content Interpreter receives and applies the new, flawed logic instruction to the "IPC Template Type". This led to the out-of-bounds memory read and the system crash.
- Out-of-Bounds Memory Read: The faulty instructions cause the sensor to try to access invalid memory, resulting in a Windows BSOD (blue screen of death).
- Windows BSOD - System Crash
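The Content Validator and Out-of-Bounds Memory Read steps above describe a validator that let problematic content through and an interpreter that then read past a memory boundary. The C program below is an added illustration, not CrowdStrike's code and not its real channel file format: it models a hypothetical IPC template type as a fixed four-entry parameter table, a hypothetical template instance as a list of slot indices, a buggy validator that checks only the number of fields beside a corrected one that checks every index, and an interpreter that bounds-checks on its own before dereferencing, so that bad content is rejected instead of crashing. All names (ipc_type_slots, template_instance, validate_buggy, validate_fixed, interpret) and both sample instances are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not CrowdStrike's format: a "template type" for
 * named-pipe (IPC) events exposes a fixed table of parameter slots, and a
 * "template instance" carried in a channel file lists which slots the
 * sensor should evaluate. */
#define IPC_TYPE_SLOTS 4
#define MAX_INSTANCE_FIELDS 8

static const char *const ipc_type_slots[IPC_TYPE_SLOTS] = {
    "pipe_name", "creator_process", "direction", "byte_count"
};

struct template_instance {
    uint32_t field_count;                      /* how many slots are listed */
    uint32_t field_slot[MAX_INSTANCE_FIELDS];  /* index into ipc_type_slots */
};

/* Constructed sample: a well-formed instance that uses all four slots. */
struct template_instance make_good_instance(void) {
    struct template_instance ti = { 4, { 0, 1, 2, 3, 0, 0, 0, 0 } };
    return ti;
}

/* Constructed sample: the field count is fine, but slot index 7 points
 * past the four-entry table of the template type. */
struct template_instance make_bad_instance(void) {
    struct template_instance ti = { 4, { 0, 1, 7, 3, 0, 0, 0, 0 } };
    return ti;
}

/* Buggy validator: checks only the field count, so the bad instance
 * passes validation despite containing problematic content data. */
int validate_buggy(const struct template_instance *ti) {
    return ti->field_count <= MAX_INSTANCE_FIELDS;
}

/* Corrected validator: every slot index must fall inside the table. */
int validate_fixed(const struct template_instance *ti) {
    if (ti->field_count > MAX_INSTANCE_FIELDS) return 0;
    for (uint32_t i = 0; i < ti->field_count; i++)
        if (ti->field_slot[i] >= IPC_TYPE_SLOTS) return 0;
    return 1;
}

/* Interpreter: resolves each listed slot to its name and writes a
 * comma-separated list into out. Returns the number of slots resolved,
 * -1 if the supplied validator rejected the content, or -2 if the
 * interpreter's own check caught something the validator missed.
 * An interpreter that trusted the validator and indexed
 * ipc_type_slots[slot] directly would read out of bounds on the bad
 * instance; in kernel mode that exception cannot be handled gracefully
 * and the operating system crashes. */
int interpret(const struct template_instance *ti,
              int (*validator)(const struct template_instance *),
              char *out, size_t outlen) {
    if (!validator(ti)) return -1;
    if (outlen == 0) return -2;
    out[0] = '\0';
    size_t used = 0;
    for (uint32_t i = 0; i < ti->field_count; i++) {
        uint32_t slot = ti->field_slot[i];
        if (slot >= IPC_TYPE_SLOTS) return -2;      /* reject, never dereference */
        const char *name = ipc_type_slots[slot];
        size_t need = strlen(name) + (i ? 1 : 0);
        if (used + need >= outlen) return -2;       /* output buffer too small */
        if (i) out[used++] = ',';
        memcpy(out + used, name, strlen(name));
        used += strlen(name);
        out[used] = '\0';
    }
    return (int)ti->field_count;
}

int main(void) {
    char buf[128];
    struct template_instance good = make_good_instance();
    struct template_instance bad = make_bad_instance();
    int n = interpret(&good, validate_buggy, buf, sizeof buf);
    printf("good instance, buggy validator: %d (%s)\n", n, buf);
    printf("bad instance, buggy validator:  %d\n", interpret(&bad, validate_buggy, buf, sizeof buf));
    printf("bad instance, fixed validator:  %d\n", interpret(&bad, validate_fixed, buf, sizeof buf));
    return 0;
}
```

Run as-is, it reports 4 for the good instance, -2 for the bad instance under the buggy validator (the interpreter's own check caught it) and -1 under the fixed validator. The second line is the point for a component running in kernel mode: because an unhandled exception there takes the whole OS down, the last line of defense has to sit in the interpreter on the endpoint, not only in a validator on the cloud side.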
Conclusion:
The July 19th CrowdStrike incident, while extremely disruptive, highlights a critical aspect of modern cybersecurity. This event wasn't a malicious attack, but rather a stark reminder that the race between security providers and malicious actors is a constant back-and-forth.
APPENDIX
Primer on Falcon EDR
EDR stands for Endpoint Detection and Response. Think of EDR as the successor to antivirus software. What makes Falcon EDR the best solution is its ability to detect threats, investigate them and respond to them quickly.
The best way to understand the above is to think of computer viruses as biological viruses. Hence, a great mental model for EDR is our “immune system”.
So how does Falcon detect threats?
As most of you know, our immune system first builds a baseline of our cells and organs. Falcon does this exact thing. It learns what software you typically use, what websites you visit, and what kind of data flows through your network. Once it understands what's "normal", it can quickly detect anything suspicious (or that is not “normal”). To do this it has to continuously monitor activity on your device.
It can even detect and stop brand-new, unknown threats (that are known as zero-day attacks in the cyber security community).
- How does Falcon Investigate these threats?
When Falcon EDR detects a threat, it first captures in-depth information about the threat, including its origin, techniques used, and affected files. This helps security teams understand the attack and minimise damage. To my knowledge, this is where the 'C-00000XXX-XXXXXXX.sys' files play a key role.
- How does it Respond to Attacks?
Once the threat is identified and investigated, Falcon takes “swift action to neutralise” it. This could involve isolating the affected device from the network, removing the malicious file or even rolling back the system to a safe state. To do this, CrowdStrike Falcon operates in kernel mode (Ring 0) on Windows devices, whereas most antivirus products operate in user mode.
Kernels, Drivers, Startup Drivers, Channel Files, Named Pipes & C2 Attacks
- Kernel
The kernel is the brain that controls everything in your device – how the hardware interacts with software, how data is stored and accessed, and how different programs communicate. Access to the Microsoft OS kernel is highly restricted. You and I, for example, can't really write code in it.
- Drivers
Think of drivers as translators between your computer's brain (the kernel) and your body parts (the hardware). Drivers provide a set of instructions that allow the kernel to understand and control specific hardware components, like printers, graphics cards, or even your mouse.
- Startup Drivers:
Some drivers, like those for essential hardware, need to be active as soon as you turn on your computer. These are called startup drivers. The 'CSAgent.sys' file is one such driver that starts monitoring for threats from the moment your computer boots up.
To ensure security and stability, Windows requires drivers to be digitally signed by Microsoft through a process called Windows Hardware Quality Labs (WHQL) certification. This process, while crucial, can sometimes take several weeks to months to complete.
- Channel (Configuration) Files:
Channel files are like constantly updated instructions for the driver that do not have to go through the Windows Hardware Quality Labs signing process. The above 'C-00000XXX-XXXXXXX.sys' file is a channel file. The 'C-00000291-XXXXXXX.sys' file deals with named pipes. From the source:
Channel File 291 controls how Falcon evaluates named pipe execution on Windows systems. Named pipes are used for normal, interprocess or intersystem communication in Windows.
The impacted Channel File in this event is 291 and will have a filename that starts with “C-00000291-” and ends with a .sys extension. Although Channel Files end with the SYS extension, they are not kernel drivers.
- Named Pipes:
Named pipes are like hidden private communication channels within your computer. Applications use them to exchange data quickly and discreetly, like sending a Word document to your printer. While essential for normal operation, hackers can exploit named pipes to hide their activity and control compromised systems.
- C2 Attacks:
C2 stands for "Command and Control." In a C2 attack, hackers gain remote access to your computer. They can then use hidden communication channels, like named pipes, to issue commands to the compromised system without being detected.
Real Estate and Property Management at Home Heart Real Estate LLC
8 months: “Interestingly, CrowdStrike’s chief security officer Shawn Henry had sold 4,000 shares of CRWD stock on July 15 in a transaction totaling approximately $1.49 million, according to a filing with the United States Securities and Exchange Commission (SEC), as Finbold reported on July 20.” Source: https://finbold.com/insider-trading-2-million-bet-against-crowdstrike-stock-days-before-outage/