CrowdStrike Incident Review July 2024

Questions and Answers

What was the primary reason for the Windows system crash on July 19, 2024?

• A content configuration update was released. (correct)
• There was a cyber attack.
• A hardware failure happened.
• A power outage occurred.

Mac and Linux hosts were impacted by the Windows sensor update on July 19, 2024.

False (B)

What time did the defect in the content update get reverted?

05:27 UTC

CrowdStrike's Sensor Content is part of a sensor release and is not dynamically updated from the _____.

cloud

Match the following CrowdStrike update types with their characteristics:

Sensor Content = Provided with sensor releases and not dynamically updated Rapid Response Content = Designed to respond quickly to changing threats Windows sensor update = Resulted in a system crash on July 19, 2024 Content configuration update = Regular part of the Falcon platform's dynamic protection mechanisms

Which testing methods are included in the sensor release process?

Performance testing (A), Integration testing (C)

Template Types and Template Instances are the same thing.

False (B)

What is the primary purpose of Rapid Response Content?

To perform behavioral pattern-matching operations using a highly optimized engine.

Customers can choose to install the latest sensor release or one version older ('N-1') or two versions older ('N-2') through __________.

Sensor Update Policies

Match the following terms with their definitions:

Template Types = Pre-defined fields for threat detection Template Instances = Configured mappings for specific sensor behaviors Rapid Response Content = Behavioral pattern-matching operations on the sensor QA Process = Extensive testing and validation steps before release

Flashcards are hidden until you start studying

Study Notes

Incident Overview

• CrowdStrike released a preliminary Post Incident Review (PIR) following an operational event on July 19, 2024.
• A content configuration update for the Windows sensor was intended to enhance telemetry on new threat techniques.
• The update led to a Windows system crash affecting sensors version 7.11 and above between 04:09 UTC and 05:27 UTC.
• Mac and Linux systems were unaffected by this incident.

Update and Resolution

• The defective configuration update was reverted at 05:27 UTC on the same day.
• Systems that connected post-05:27 UTC or that did not connect during the incident window remained unaffected.

Understanding the Cause

• CrowdStrike provides security updates in two main categories: Sensor Content and Rapid Response Content.
• The incident specifically involved a Rapid Response Content update with an undetected error.

Sensor Content

• Sensor Content encompasses a variety of capabilities aimed at adversary response, embedded directly in the sensor release.
• Unlike Rapid Response Content, Sensor Content is not dynamically updated and requires a full sensor release.
• It contains AI models and is built with reusable coding for long-term threat detection.
• Extensive QA processes ensure reliability, including automated and manual testing prior to rollout.

Rapid Response Content

• Rapid Response Content is designed for real-time adaptation to evolving threats and performs behavioral pattern matching using an optimized engine.
• It consists of fields and values with specific configurations for Template Instances, which enable the observation, detection, or prevention of target behaviors.
• Template Types represent capabilities for the sensor, providing essential telemetry and detection functionalities.

Deployment Control

• Customers have autonomy over their deployment through Sensor Update Policies, allowing them to choose sensors' versions to install, either the latest or older versions.
• This gives organizations the flexibility to manage their security environments effectively while integrating updates as needed.