Oddbean new post about | logout
Derek Ross | 4 months ago (raw) | root | parent | reply | flag 
 I am not familiar with this product, but from my reading this morning it sounds like a policy could have disabled automatic updates which could then hBe been turned on after tested in another environment. This mimics every other product I've used as well.
stacksatsio | 4 months ago (raw) | root | parent | reply | flag +1 
 It auto updates so they can roll out things in near real time. Crowdstrike’s value prop is that they have telemetry from thousands of environments globally, they see shit before anyone else so they can remediate before customers even know there might be a problem. When you come from something like carbon black (which bluescreens shit everyday of the week) this is a win for security at scale.

Obviously there is a tradeoff but people didn’t seem to consider it, until it materialised..
Joe | 4 months ago (raw) | root | parent | reply | flag 
 Word on the street is people were getting hit even with that turned off. 

It’s the pervasive issue with cloud products of trusting someone else with persistent admin privileges. https://image.nostr.build/016896d0b9a48988b8f3c83fe212bf0b7bdbda4942f96308ad75237108b519ca.jpg
Derek Ross | 4 months ago (raw) | root | parent | reply | flag +1 
 Wow. That's fucking wild.
jb55 | 4 months ago (raw) | root | parent | reply | flag +2 
 The fact that they can push kernel drivers at will without permission. insanity. 🤦‍♂️
dimi | 4 months ago (raw) | root | parent | reply | flag +2 
 The service is installed as admin. It can do whatever the hell it wants. This is standard for EDR agents.
Joe | 4 months ago (raw) | root | parent | reply | flag +1 
 That’s the point. Two sides of the coin.
dimi | 4 months ago (raw) | root | parent | reply | flag 
 Outsourcing to defender == USG red/white/blue team. Or private security via these alternatives. 

It’s compelling & this is the trade off.
Tyler Burns | 4 months ago (raw) | root | parent | reply | flag +1 
 It is installed as a kernel mode driver which is even higher privileges than a user mode admin. It isn't quite standard for EDR agents as there are a lot of solutions whose agents only use usermode hooking for their detections.
dimi | 4 months ago (raw) | root | parent | reply | flag +1 
 When I was surveying the landscape it was certainly true, but that was a while ago. Which are usermode only?
Tyler Burns | 4 months ago (raw) | root | parent | reply | flag +1 
 A lot are still usermode hooks. Some are mixed. For example, CarbonBlack has some kernel level drivers for file and network detections, but its prevention policies all operate as usermode hooks.

https://github.com/Mr-Un1k0d3r/EDRs
dimi | 4 months ago (raw) | root | parent | reply | flag +1 
 Ya but we’re not just talking about detections. The agent for each of these still needs kernel admin to hook? So you’d have to abuse the deployed agent in most cases, which is too sophisticated for 99.999% of attacks, but the risk is still present, right?
Tyler Burns | 4 months ago (raw) | root | parent | reply | flag +1 
 No, you don't need kernel mode access to hook into API calls like NtReadVirtualMemory, NtOpenProcess, etc which are all API calls that exist in usermode space. Having usermode hooks certainly makes it easier for malware to thus unhook the security agent and avoid detection. So it is a trade off.
dimi | 4 months ago (raw) | root | parent | reply | flag 
 Ah, ok, now I follow. Ya. I don’t recall any usermode only agents on my radar in 2017, probably because of the lesser features. Was leaning heavily on the response part.