
CrowdStrike: What the Biggest Cyber Outage in History Teaches Us About Incident Response Plans

Crucial systems across the world collapsed on Friday, triggered by one mistake in a single company. The CrowdStrike outage hit banks, airlines, and healthcare systems. This incident, described as the “largest IT outage in history”, serves as a reminder of the delicate balance of today's digital infrastructure, and of the potential for far-reaching consequences when an IT provider goes offline.

Let's dive in:

Who is CrowdStrike? Why Did the Outage Occur?

CrowdStrike's cybersecurity software, used by numerous Fortune 500 companies around the globe, including major global banks, healthcare, travel, and energy companies, requires deep-level access to a computer’s operating system in order to scan the system for threats.

The July 19th outage is tied to CrowdStrike’s flagship Falcon platform, a cloud-based solution that combines multiple security solutions into a single hub, including antivirus capabilities, endpoint protection, threat detection, and real-time monitoring to prevent unauthorized access to a company’s system.

A routine Falcon sensor update inadvertently triggered what is more commonly referred to as "the blue screen of death" on over 8.5 million Windows devices.

The Cybersecurity Ramifications of the CrowdStrike Cyber Outage

As first reported by cybersecurity publication SecurityWeek, threat actors — particularly groups with financial motivations — have leveraged the outage as an opportunity, utilizing the fact that many people and organizations have been scrambling to find information and fixes regarding their blue screens.

These include, but are not limited to:

  • Threat intelligence firm ThreatMon reported seeing archive files named ‘crowdstrike-hotfix’ delivering HijackLoader payloads to its customers in Latin America

  • Over dozens of domains referencing CrowdStrike have been registered since Friday, with many of them being used for nefarious purposes. These domains can host phishing pages, malware or scams. In some instances, such domains offer ‘fixes’ that users would have to pay for via cryptocurrency

  • FalconFeeds reported that Palestinian hacktivists have leveraged the CrowdStrike incident in an attempt to trick Israeli organizations into installing wiper malware on their systems
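The lures described above share two observable traits: a domain that merely references the vendor name without belonging to it, and an archive or executable named like a "hotfix". The following is an added example (not code from the original post or from CrowdStrike) of how a defender could flag both traits in web proxy logs. The log lines, the `.example` domains, and the allowlist of legitimate vendor domains are constructed for the demonstration and should be adjusted for your environment.

```python
"""Flag outage-themed lures (vendor-name domains, 'hotfix' archives) in proxy logs."""
import re
from urllib.parse import urlparse

# Assumption: the organisation's allowlist of legitimate vendor hosts. Adjust for your environment.
LEGITIMATE_DOMAINS = {"crowdstrike.com", "falcon.crowdstrike.com"}

# File names in the style of the reported 'crowdstrike-hotfix' archives (hypothetical pattern).
LURE_FILE_RE = re.compile(
    r"crowdstrike[-_]?(hotfix|fix|patch|update)[^/]*\.(zip|rar|7z|exe)$", re.I
)

# Constructed sample proxy log: "<timestamp> <src-ip> <method> <url> <status>"
SAMPLE_LOG = """\
2024-07-19T14:02:11Z 10.0.4.21 GET https://www.crowdstrike.com/blog/statement-on-falcon-content-update/ 200
2024-07-19T14:05:43Z 10.0.4.33 GET http://crowdstrike-bsod-fix.example/crowdstrike-hotfix.zip 200
2024-07-19T14:07:02Z 10.0.4.33 GET https://crowdstrikefix.example/pay.html 200
2024-07-19T14:09:55Z 10.0.4.50 GET https://update.example/crowdstrike_update_v2.exe 200
2024-07-19T14:11:17Z 10.0.4.21 GET https://falcon.crowdstrike.com/support 200
"""


def registrable_domain(host):
    """Last two labels of the host (e.g. 'crowdstrikefix.example'); sufficient here, not a PSL lookup."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_legitimate(host):
    """True when the host is, or is a subdomain of, an allowlisted vendor domain."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in LEGITIMATE_DOMAINS)


def classify(url):
    """Return the reasons a URL looks like an outage-themed lure (empty list means nothing flagged)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reasons = []
    if not is_legitimate(host):
        if "crowdstrike" in host:
            reasons.append(f"vendor name in non-allowlisted domain {registrable_domain(host)}")
        if LURE_FILE_RE.search(parsed.path):
            reasons.append(f"hotfix-style file name in path {parsed.path}")
    return reasons


def scan_log(text):
    """Parse proxy lines and return (src_ip, url, reasons) for every flagged request."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than crash the sweep
        _ts, src, _method, url, _status = fields[:5]
        reasons = classify(url)
        if reasons:
            hits.append((src, url, reasons))
    return hits


if __name__ == "__main__":
    for src, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{src} -> {url}\n    " + "\n    ".join(reasons))
```

Run against the constructed log, the two requests to the official domain pass, while the three requests to `.example` hosts are flagged, the second one on both counts. The allowlist check comes first on purpose: a vendor's own download of a legitimately named update must not trip the file-name rule, and a typosquat that avoids the vendor name entirely (only the file-name rule fires) is still surfaced.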

The Operational Ramifications of the CrowdStrike Cyber Outage

Alongside the cybersecurity-related hurdles are the operational challenges that have presented themselves.

On Friday alone, this yielded:

  • Significant impacts to the Global Payroll Association, following a statement that many employees would be going without their pay checks

  • Trains, payment in shops, pharmacies, and GP surgery capabilities across the UK having been hit

  • Billboards in Times Square going dark

  • Bank employees around the world being told not to try to access their accounts unless they are deemed “essential personnel”

  • Over 3000 flights canceled worldwide

What started with delays at airports turned into widespread flight cancellations. The disruption in airline systems didn’t just disrupt flight schedules; it also affected global supply chains reliant on air cargo, demonstrating the multifaceted nature of modern IT ecosystems. Meanwhile, broadcasts were interrupted at numerous TV and radio stations, and operations at supermarkets and banks were brought to a standstill.

While the majority of systems are back online as of July 22nd, full recovery is estimated to take weeks.

CrowdStrike Outage Recovery Implications

How the aforementioned impacted sectors have managed this crisis reflects both the strength and vulnerabilities of their own cybersecurity and disaster recovery responses. The slow recovery process ahead will show the significant challenges to come in restoring service continuity on CrowdStrike's end.

Additionally, this outage has highlighted the strategic risks of relying on a single source of technology. This global outage showed how important it is to have diverse technological alliances to enhance national security and economic stability, while raising concerns about the potential for hostile states to exploit such vulnerabilities. This incident will add a new layer of urgency to international cybersecurity collaborations and policy interventions.

As services begin to stabilize, this outage should serve as a wake-up call for IT professionals, business leaders, and policymakers alike. The pressing need to reassess and even overhaul existing cybersecurity strategies and IT management practices is clear. Improving system resilience to withstand large scale disruptions must be a priority.

The global IT outage marks a timely reminder and a critical juncture for discussions on digital resilience and the future of technology governance at the business, infrastructure and policy levels.

The Benefits of a Proactive Cybersecurity Incident Response Plan

With notable organizations such as, but not limited to, Indigo, Uber, NATO, and MSI reporting significant outages in recent years, businesses of all sizes should note the importance of an incident response plan (IRP) and either A) get one in place, or B) refine any pre-existing IRP that has already been drafted.

A thorough IRP gives your organization instructions on how to effectively minimize losses, remediate exploitable vulnerabilities in your cyber infrastructure, restore all impacted systems and devices, and shut down the attack vector that was used, so that no similar attack will succeed in the future.

IRPs are integral to preventing cyber-related incidents, protecting sensitive data, pinpointing the root causes of security breaches, and recovering in the worst-case scenario. They cement the best practices for cybersecurity incident handling and outline a step-by-step breakdown of how your organization should notify law enforcement, employees, staff, and any impacted clients.

The top benefits of an iron-clad IRP are:

  • Minimizing the duration of security breaches: The average lifecycle of a security breach is up to 287 days, with organizations taking 212 days on average to identify a breach and 75 days to completely contain it

  • Rolling back the damage done by threat actors: With 68 records lost or stolen every second, the average data breach costing organizations $4.35 million, and the number of cyberattacks skyrocketing by the year, the damage done through just one data breach can be borderline insurmountable if not dealt with ASAP

  • Streamlining the digital forensics process: What data has been compromised, and what are your attackers likely to try to do with it? Digital forensics is the science of identifying, processing, analyzing, and reporting on electronically-stored data, with an emphasis on how that data can be used for potentially criminal purposes. Common criminal uses of data include ransom or fraud

  • Bolstering your organization’s recovery time: Recovery time for business can be slow, regardless of the type of data breach at hand. Having an IRP in place maximizes your response times and guarantees that every member of your organization knows what part they can play to get your systems back up and running

  • Mitigating negative publicity in the wake of a breach: A hit to one’s reputation, trust, or client base are all common drawbacks of experiencing a cyberattack. By showcasing to your client base that you are targeting the problem at hand and prioritizing the safety of their personal information, you can keep reputational loss to a minimum

Establishing a Computer Security Incident Response Team

Does your organization have a computer security incident response team (CSIRT) established yet?

If not, take this as your sign to prioritize the formation of one.

The typical roles held in a CSIRT are:

  • The Incident Response Manager, who oversees actions during the detection, counter, and recovery of a cyberattack

  • The Security Analyst, who implements operational controls during all phases

  • The Threat Intelligence role, which utilizes threat intelligence to understand prior, existing, and potential future threats to the organization’s cybersecurity

There are generally multiples of each role in CSIRTs for medium-to-large organizations. Because most SMBs don’t have the capacity to hire internal staff to act as Threat Intelligence, that role is often outsourced to third-party pentesting vendors like the team here at Packetlabs who can monitor an organization’s infrastructure for leaked credentials, provide recommendations on how to strengthen security posture, and analyze existing and future threats.

Ideally, a CSIRT will be composed of staff from a business’s legal, human resources, IT, public relations, and leadership vectors to become fully cross-functional if (and when) an emergency strikes.

Conclusion

Cybersecurity giant CrowdStrike launched an investigation after receiving widespread reports of Windows hosts experiencing a Blue Screen of Death (BSOD). In the latest update provided at the time of writing, the company said it’s in the process of reverting changes that may have caused the issue.

This global outage triggered a variety of cybercrime and operational challenges for organizations across key sectors, and served as a reminder of why a hybrid blend of continuous penetration testing and proactive cybersecurity incident response plans is so critical for business continuity.
