There is a lot of noise around the recent outage affecting Microsoft devices due to a software update from CrowdStrike. Officials say it wasn’t a cyberattack but a misconfigured or corrupted update sent to customers by CrowdStrike.
Just as Impactful as a Cyberattack
While up to now, there are no reports of a threat actor activity, this incident is having the same impact as some of the more devastating cyber attacks we’ve seen in the past. The reality is that a security incident can occur without the involvement of a threat actor, affecting the fundamental principles of security as outlined in the CIA Triad: availability, integrity, and confidentiality.
When any of these principles are compromised, the overall security of the system is impacted. In this particular case, the incident primarily affected the availability of the systems causing widespread outages to major airlines, banks, retailers, but also organizations of all sizes.
How Could This Have Happened?
Given the significant number of affected machines, a thorough testing process by CrowdStrike would likely have identified the issue during the testing phase. If such testing had been conducted, the problem could have been detected and addressed in a timely manner. This means the following scenarios are possible:
- CrowdStrike didn’t test the update appropriately, which is highly unlikely due to Crowdstrike’s multiple security certifications, including FedRamp.
- If the update did pass the testing stage successfully, it is safe to say it was altered after the Q/A was completed. This is likely to have happened in a couple of ways: through an employee by mistake or intentionally or via a threat actor. The investigation taking place right now will help shed light on how exactly it happened.
While it’s too early to tell, we do know one thing. Adversaries recognize the disruption that can occur by targeting system updates at single points of failure in our critical infrastructure. This motivates adversaries to carry out similar attacks in the future and to take advantage of current circumstances. There are already dozens of phishing sites posing as the CrowdStrike help desk and support center.
The CrowdStrike outage is a stark reminder of the dangers organizations face when it comes to Platformization which is a trend we’re seeing industry-wide. Consolidation of tools can lead to over-reliance on a single provider which can be devastating in similar situations.
What Does Recovery Look Like?
The only way to recover affected devices is through manual intervention. This requires physical attention to each device, as remote management tools are ineffective due to the nature of the outage.
The burden of manually recovering each system is substantial, involving significant time and resource allocation. The workaround for impacted devices (blue screen) can only be done on a one-on-one basis, there is no fix that can be applied at scale. This causes additional disruption to operations and increased costs due to downtime.
How Lumu Helps
In the process of recovering, many organizations may be overloaded with work or turn to third-party providers to help through this process. With the lack of control over what may happen during the recovery process, Lumu will provide visibility into recovered devices.
In situations where CrowdStrike needs to be disabled, Lumu will serve as the last line of defense. As these devices come back online with CrowdStrike disabled, or if users choose to uninstall it, Lumu can easily integrate with other Firewall and EDR tools to ensure these devices are protected as they reconnect. Lumu continues to provide visibility into the network despite the current challenges.