The Crowdstrike Incident: A technical analysis and Lessons Learned

Date: Jan 16, 2022

Incident Overview

On July 19, 2024, CrowdStrike experienced a major global disruption due to a flawed update to their Falcon sensor. This update led to widespread system instability, particularly affecting Windows systems, causing them to crash with the “blue screen of death” (BSOD). Approximately 8.5 million devices were affected, disrupting critical sectors such as airlines, healthcare, financial services, and media (SC Media) (CrowdStrike).

Detailed Analysis of the Incident

The incident CrowdStrike experienced involved a Rapid Response Content update for Windows hosts running Falcon sensor version 7.11 and above, leading to system crashes (BSOD). This update included new Template Instances designed to detect attack techniques via Named Pipes. However, an undetected error in the Content Validator allowed problematic content into Channel File 291, which included configuration data with null bytes. These null bytes in the configuration data caused an out-of-bounds memory read when processed by the Falcon sensor’s Content Interpreter, leading to an exception that triggered the BSOD. This issue affected Windows hosts online between 04:09 and 05:27 UTC on July 19, 2024, while Mac and Linux hosts were unaffected.

The problematic content, which included null bytes, passed the Content Validator checks erroneously, leading to an exception that the Content Interpreter could not handle. The deployment of the new IPC Template Instances was part of the routine updates CrowdStrike conducts to adapt to emerging threats. The IPC Template Instances were stress-tested and validated before deployment. However, the specific problematic content in Channel File 291 caused the incident.

Impact on BitLocker Encrypted Devices:

Devices with BitLocker encryption were particularly hard-hit. The BSOD and subsequent reboot cycles made it challenging to access the necessary BitLocker recovery keys, which are often stored on network servers that were also affected by the update. This complicated the recovery process significantly.

CrowdStrike has been thorough in their analysis, detailing the timeline of events and the technical specifics of the failure. The root cause was pinpointed to the invalid data in the configuration file, which was not executable code but still critical enough to crash the systems when misinterpreted. Their ongoing investigation aims to uncover more details about the incident and improve the validation processes to prevent such occurrences in the future.

Eye Openers

This incident underscores several critical eye openers for both development teams and organizations. By examining these lessons, we can enhance our preparedness and resilience against similar disruptions in the future.

Insights for Development Teams

  1. Phased Rollout of Updates: Implementing a phased rollout for updates can help mitigate the risk of widespread disruptions. A staggered approach, deploying updates to a small percentage of users first, allows for the identification and resolution of issues before a full-scale release. Feature flags and progressive delivery techniques should be used to manage this process effectively (Cyber.gov.au).
  2. Comprehensive Testing and Patch Management: Updates should undergo rigorous testing across various environments and configurations. This includes automated testing pipelines that simulate different hardware and software configurations, as well as manual testing in sandbox environments. Utilizing continuous integration/continuous deployment (CI/CD) pipelines ensures that updates are thoroughly vetted before deployment (Wikipedia) (Security Boulevard).
  3. Rollback Mechanisms: Implementing robust rollback mechanisms is crucial. These mechanisms should allow for quick reversion to a previous stable state if an update causes issues. This can be achieved by maintaining versioned backups and utilizing containerization technologies, such as Docker, to manage and deploy updates safely (Security Boulevard).
  4. Automated Monitoring and Alerting: Developing and integrating automated monitoring systems that can detect anomalies and alert teams in real-time is essential. Tools like Prometheus for monitoring and Grafana for visualization can provide insights into system performance and highlight potential issues before they escalate. These systems should be configured to trigger alerts for unusual patterns that may indicate an update-related problem (Cyber.gov.au).

Lessons for Users and Organizations

  1. Incident Response Preparedness: Organizations must have well-defined and practiced incident response plans. These plans should include automated incident detection and response systems, such as Security Information and Event Management (SIEM) tools like Splunk or Elasticsearch, which can help in the rapid identification and mitigation of issues (Security Boulevard) (Cyber.gov.au).
  2. Business Continuity Planning (BCP) and Disaster Recovery (DR): Robust BCP and DR plans are essential. These plans should include automated failover systems, regular DR drills, and the use of geographically distributed backup solutions. Leveraging cloud-based DR services, such as AWS Disaster Recovery, can ensure quick recovery and continuity of operations during and after an incident (Security Boulevard).
  3. Avoid Single Points of Failure: Designing IT infrastructure to avoid single points of failure is critical. This involves implementing redundancy at multiple levels, including data centers, network paths, and critical application components. Using multi-cloud strategies and load balancing can distribute risk and enhance system resilience (Cyber.gov.au).
  4. Regular Backups: Implementing consistent and reliable backup practices is vital. Automated backup solutions, such as Veeam or Rubrik, ensure that data is regularly backed up and easily restorable. These backups should be stored in secure, off-site locations and regularly tested for integrity and recoverability (Security Boulevard).
  5. User Training and Awareness: Continuous training programs for users on recognizing and responding to system anomalies and security threats are crucial. Organizations should conduct regular phishing simulations and security awareness training to help users identify and avoid potential threats, especially following incidents (Cyber.gov.au).
  6. Vendor Communication and Coordination: It’s crucial for security and IT teams to stay in sync. This incident, which initially appeared to be a cyberattack, underscores the importance of coordinated communication and response efforts between internal teams and external vendors. Ensuring updates and support are sourced from official channels can prevent the application of unofficial patches that may introduce additional risks (Security Boulevard) (Cyber.gov.au).

The CrowdStrike incident serves as a powerful reminder of the interconnected nature of modern IT infrastructure and the necessity for rigorous update and incident management practices. By incorporating these lessons, organizations can enhance their overall security posture and resilience against future disruptions.