CrowdStrike Falcon® Prevent FAQ
An IOC is a piece of evidence or artifact left behind after something has happened. An IOA is a series of actions or behaviors that an adversary employs to achieve their goal. The use of IOCs has been the traditional focus of endpoint detection, but modern adversaries have adapted to more easily evade IOC sweeps. In a forensics investigation, IOCs are the evidence that proves a network’s security has been breached. Unfortunately, by the time an IOC is discovered, the network has likely already been compromised. Conversely, IOAs reflect the series of actions an attacker must perform in order to be successful. They are the set of actions required for any tool or technique to accomplish common attacker behaviors such as code execution, persistence, command and control (C&C), and lateral movement. An effective IOA approach not only collects and analyzes exactly what is happening on the organization’s systems and networks, it does so in real time, preventing the malicious activity from succeeding.
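As an added illustration of the IOC-versus-IOA distinction described above (example code written for this page, not CrowdStrike's or Falcon Prevent's own detection logic), the snippet below runs a hash-based IOC sweep and a behavior-based IOA rule over the same constructed endpoint telemetry. The event format, process names, hashes, registry key and the rule itself are all assumptions made up for the example; the point is that the IOA fires on the sequence of actions (execution, persistence, outbound C&C-like connection) even though the file involved is on no blocklist.

```python
from collections import defaultdict

# Constructed sample telemetry (not a real sensor event format): one dict per endpoint event.
EVENTS = [
    {"t": 1, "type": "process_start", "pid": 10, "ppid": 1, "image": "winword.exe", "sha256": "h-doc-app"},
    {"t": 2, "type": "process_start", "pid": 11, "ppid": 10, "image": "powershell.exe", "sha256": "h-unknown"},
    {"t": 3, "type": "registry_set", "pid": 11, "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"t": 4, "type": "net_connect", "pid": 11, "dst": "203.0.113.10:443"},
    {"t": 5, "type": "process_start", "pid": 20, "ppid": 1, "image": "setup.exe", "sha256": "h-known-bad"},
]

KNOWN_BAD_HASHES = {"h-known-bad"}          # constructed IOC blocklist (placeholder values)
OFFICE_APPS = {"winword.exe", "excel.exe"}   # assumed parent-process set for the rule
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe"}
RUN_KEY_SUFFIX = "\\CurrentVersion\\Run"     # autostart location used as the persistence signal


def ioc_matches(events):
    """IOC sweep: flag only processes whose file hash is already on the blocklist."""
    return [e["pid"] for e in events
            if e["type"] == "process_start" and e["sha256"] in KNOWN_BAD_HASHES]


def ioa_matches(events, window=60):
    """IOA rule: an office app spawns a script interpreter (execution), and that child
    then writes an autostart key (persistence) and opens an outbound connection
    (possible C&C) within `window` seconds. No hash or signature is consulted."""
    image = {}                   # pid -> image name, to resolve parent processes
    stages = defaultdict(dict)   # pid -> {stage: timestamp} for stages observed so far
    hits = []
    for e in sorted(events, key=lambda ev: ev["t"]):
        pid = e["pid"]
        if e["type"] == "process_start":
            image[pid] = e["image"]
            if e["image"] in INTERPRETERS and image.get(e["ppid"]) in OFFICE_APPS:
                stages[pid]["exec"] = e["t"]
        elif e["type"] == "registry_set" and e["key"].endswith(RUN_KEY_SUFFIX):
            stages[pid]["persist"] = e["t"]
        elif e["type"] == "net_connect":
            stages[pid]["c2"] = e["t"]
        s = stages.get(pid, {})
        # Fire once all three stages were seen in order and inside the time window.
        if {"exec", "persist", "c2"} <= s.keys() and pid not in hits \
                and max(s.values()) - s["exec"] <= window:
            hits.append(pid)
    return hits


if __name__ == "__main__":
    print("IOC hits:", ioc_matches(EVENTS))   # only the blocklisted binary
    print("IOA hits:", ioa_matches(EVENTS))   # the unknown-hash process, caught by behavior
```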
AI-powered IOAs are generated by machine learning models in the cloud that continuously learn from threat intelligence to identify and protect against emerging classes of attack. These models continuously analyze event streams from the endpoint to issue IOAs to the Falcon agent, enabling the most up-to-date protection enforcement on the sensor.
- Signature-less malware protection: Falcon Prevent does not rely on signatures. This frees security teams from having to deploy virus definition update files to all endpoints on a daily basis.
- Machine learning: Falcon Prevent leverages machine learning to identify and block malware. Machine learning is particularly effective at stopping new, polymorphic or obfuscated malware, which is often missed by legacy AV solutions.
- Indicators of Attack (IOAs): Falcon Prevent uses IOAs to identify threats based on behavior, regardless of malware or tools used. Understanding the sequences of malicious behavior allows Falcon Prevent to stop attacks that go beyond malware. Examples include protection against lateral movement, webshell attacks and fileless attacks.
- Advanced Memory Scanning: Falcon Prevent eliminates blind spots with high-performance memory scans that remove the performance constraints of traditional memory scanning, leaving malware-free threats nowhere to hide.
- Exploit protection: Falcon Prevent includes exploit protection to harden systems against attempts to exploit vulnerable applications (e.g. Adobe Flash, Java and Microsoft Silverlight).
- Threat intelligence integration: Events can be contextualized by integrated threat intelligence, providing details on the attributed adversary and any other information known about the attack.
Yes, Falcon Prevent uses an array of complementary prevention and detection methods to protect against ransomware, including the following:
- Blocking of known ransomware
- Exploit blocking to stop the execution and spread of ransomware via unpatched vulnerabilities
- Machine learning for detection of previously unknown zero-day ransomware
- Indicators of Attack (IOAs), advanced memory scanning and other techniques to identify and block additional unknown ransomware, including new categories of ransomware that don’t use files to encrypt victims’ data