By: Owen Dubiel
April 5, 2021
Crowdstrike RTR Optimization
Crowdstrike has taken significant steps in the industry to position itself as one of the top contenders for Endpoint Detection and Response. Many Crowdstrike customers can detect, isolate, contain, troubleshoot, and remediate 90% of incidents within minutes, but many are unaware of exactly how to accomplish this. This article will dive into the full capabilities of Crowdstrike’s RTR (Real-Time Response) solution and break out a list of actionable items that can help you optimize your response times.
RTR (Real-Time Response) is a built-in method to connect to a Crowdstrike managed machine. The RTR connection gives admins administrative shell permissions on a host so they can respond to security incidents quickly and effectively.
RTR also keeps detailed audit logs of all actions taken and by whom. These details include the machine involved, the admin acting, the duration of the session, files retrieved or interacted with, and any other actions that may have taken place.
RTR is a sensitive tool within Crowdstrike and should not be provisioned to just anyone. RTR has its own access roles that govern the ability to connect to a system and to use custom scripts on it.
RTR comes with the ability to create, save, and run custom scripts. Whether PowerShell, bash, or zsh, this capability is powerful and enables admins to perform actions or investigations on the affected machines. The following are some examples of custom scripts that may help reduce the turnaround time of isolating a security incident:
- Windows uninstall/reinstall of the Crowdstrike Sensor
- Check Linux information like kernel, OS, CS sensor, and RFM status
- Install and run the Crowdstrike diagnostic tool
- Check if a system needs a reboot
- Install Yara rules
- Unzip a file
- Shutdown a machine
- Disable SMB file sharing
- Send the device a message to display to the user
- Gather scheduled tasks running
- Export Windows event logs
- Search for .EXE files running
- Pull Chrome extensions in use
All of the above use cases are only the tip of the iceberg. Quickly determining whether an incident is malicious is vital to isolating a threat effectively and to deciding whether there is legitimate cause to network contain a host. Once you have created a custom script, it can run in RTR with just a click of a button.
In combination with your custom scripts, RTR allows admins to keep a list of files that are ready to be placed on an endpoint if needed. This option is called “Put” files, and it is an excellent addition to custom scripts that allows for easy uploads of required files to a user machine. Examples of “Put” files include:
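The Linux information check and the reboot check from the list above can be combined into one read-only script saved as an RTR custom script. The following is an added example, not code from this article or from Crowdstrike; the `falconctl` path, its `-g --version` and `-g --rfm-state` queries with `name=value` output, and the `/var/run/reboot-required` flag file are assumptions about the host.

```shell
#!/usr/bin/env bash
# Added example: read-only Linux triage for an RTR session; prints key=value lines.
# Assumptions: falconctl lives at /opt/CrowdStrike/falconctl and answers
# "-g --version" / "-g --rfm-state" with a single "name=value" line.
FALCONCTL="${FALCONCTL:-/opt/CrowdStrike/falconctl}"
OS_RELEASE="${OS_RELEASE:-/etc/os-release}"
REBOOT_FLAG="${REBOOT_FLAG:-/var/run/reboot-required}"   # Debian/Ubuntu convention

# Query one falconctl setting and reduce "name = value." to "value".
falcon_get() {
    "$FALCONCTL" -g "--$1" 2>/dev/null \
        | sed -n '1{s/^[^=]*=//;s/\.$//;p;}' | tr -d '[:space:]'
}

host_triage() {
    echo "hostname=$(uname -n)"
    echo "kernel=$(uname -r)"

    # Parse os-release instead of sourcing it, so nothing in the file is executed.
    os=""
    [ -r "$OS_RELEASE" ] && os="$(sed -n 's/^PRETTY_NAME=//p' "$OS_RELEASE" | tr -d '"')"
    echo "os=${os:-unknown}"

    # A missing sensor is itself a finding, so report it rather than failing.
    if command -v "$FALCONCTL" >/dev/null 2>&1; then
        version="$(falcon_get version)"
        rfm="$(falcon_get rfm-state)"
        echo "sensor_version=${version:-query_failed}"
        echo "rfm_state=${rfm:-query_failed}"
    else
        echo "sensor_version=not_installed"
        echo "rfm_state=unknown"
    fi

    if [ -e "$REBOOT_FLAG" ]; then
        echo "reboot_required=true"
    else
        echo "reboot_required=false"
    fi
}

host_triage
```

The key=value output is easy to scan in the RTR session and to compare across hosts; a host reporting `rfm_state=true` is running the sensor in Reduced Functionality Mode and deserves a closer look before you rely on its telemetry.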
- The Crowdstrike Uninstall/Install tool or Sensor
- Crowdstrike’s Forensics Collector
- The Crowdstrike PS Falcon toolkit
- Windows/Linux Diagnostic tools
- CrowdResponse tool
- Management tools (Procmon)
- Forensics tools (Wireshark, Nmap, Autopsy, etc.)
Each Crowdstrike customer needs to identify which actions they are OK with security teams taking on individual endpoints, and then create procedures around performing each one, to ensure transparency and to avoid office-politics and chain-of-command hang-ups once the process is rolling.
Crowdstrike is only continuing to grow its foothold as a Cybersecurity leader in Endpoint Protection. It is essential for any organization deploying Crowdstrike to stay on top of these features to ensure they are getting the most significant benefit for their money. By implementing a solid rollout usage plan for RTR, security teams and organizations alike can have that sense of reassurance that if a security incident occurs, they will be ready to collect, investigate, and mitigate any potential threats as fast as possible. For more ideas on how to implement and best utilize EDR solutions, check out some of the courses offered by Cybrary.