Navigating the Recent CrowdStrike Update Crisis

Damini MagoJuly 19, 2024

A recent incident involving CrowdStrike, a leading endpoint detection and response (EDR) provider, brought the reality of the ever-evolving cybersecurity landscape into sharp focus for the cyber insurance industry and the global business community.

Although initial reports indicate that this event was not malicious, a flawed security update distributed by the cybersecurity vendor created an event that appears more similar to a supply chain attack.

The quickly deployed security patch dramatically spread among interconnected systems, businesses, and so on - more typical of a cyber event, where a nefarious threat actor deploys a malicious patch causing widespread issues. Let's delve into what happened and its implications.

The Incident

CrowdStrike's efforts to stay ahead of threats are built on its proactive approach of pushing out automatic updates. These updates equip systems with the latest threat signatures, allowing for swift identification and neutralization of attacks.

However, one recent automatic update caused an issue that disrupted the operation of numerous enterprises due to its interaction with Microsoft Windows.

According to early reports, at 04:09 UTC on Friday, July 19, 2024, CrowdStrike pushed out an update to its Falcon EDR product. The deployment of IT updates, particularly those affecting critical components like the Microsoft Windows kernel, can have staggered impacts due to their geographic rollout.

A 'follow-the-sun' model, where updates are deployed regionally, as in this case starting from Australia and working through to the U.S., illustrates how initial disruptions in one region can cascade westward. The timing of these updates and the state of devices during the update window significantly influence the extent of the impact.

The Impact

As mentioned above, the reported flawed update from CrowdStrike appears to have mimicked a supply chain incident, causing cascading and widespread disruptions among interconnected systems.

Unlike a malicious attack, due to the vendor's trusted position within the networks of affected enterprises, this update event could skip the initial access hurdle and many other kill chain steps, and avoid protective, defensive measures designed to thwart threat actors.

Early reporting states the update triggered a system-level problem, resulting in the affected Windows operating system computers entering into a dreaded 'Blue Screen of Death' (BSOD) loop. The machines would reboot, encounter the BSOD, and then restart - endlessly.

The only current known fix involves manually deleting a specific file in the Windows System32 folder located on the machine.

Accessing this file requires booting the machine into the Windows Safe Mode, an environment that helps with diagnostics to restore or repair the machine's systems.

However, accessing and deleting this file is far from straightforward. Users cannot boot normally into Safe Mode due to the BSOD loop, preventing access to the affected systems.

Further, this step is complicated by enterprise security measures like BitLocker, which prevent easy access to Safe Mode.

Technical Challenge for Enterprises

Without easy access to Windows Safe Mode, impacted users can't access the local file directory to delete the problematic file, and even for those users savvy enough to access Safe Mode, for non-technical users implementing the fix is not straightforward and requires guidance, complicating matters further for those working remotely.

As a result, IT staff may have to intervene manually, often requiring administrative access that complicates remote fixes.

This means that in certain cases, the only solution could be for an IT employee to physically access each affected machine, which, dependent on the IT infrastructure of a company, either involves the IT employee going to the user or the user meeting with the IT team. The fix also may temporarily involve inhibiting the machine's EDR capability.

Widespread Disruption

This issue seems to have affected entities globally using CrowdStrike's enterprise software, many of which have stringent security protocols. The recovery process could extend over days or weeks, with the potential to cause significant operational downtime.

Furthermore, such incidents disproportionately affect industries that cannot afford downtime, such as airlines and hospitals.

The operational disruptions caused by this incident are not just technical-related, but have real-world consequences, from reported flight delays to postponed medical procedures.

Impacts also extend to services on Microsoft Azure, causing simultaneous downstream impact to enterprises.

It is also important to consider the revenue reliance of enterprises on the services impacted and their business models, which may or may not be resilient to downtime.

Another key area of impact will be the downstream disruptions to enterprises that do not use CrowdStrike but rely heavily on the availability of systems that have been affected.

Insurance Implications and Potential for Losses

An interesting dynamic emerges when considering the impact on cyber insurers. As insurers often require EDR solutions for underwriting policies, enterprises using CrowdStrike are more likely to have cyber insurance policies, though, in terms of any claims, the extent and terms of coverage within an individual cyber policy will vary.

There remain unknown implications of this event to how the coverage is being triggered.

The scale of potential losses, particularly for critical industries, underscores the importance of understanding and managing cyber risk.

For instance, industries like airlines and hospitals, which depend on continuous systems availability, are particularly vulnerable, as an inability to access critical systems could lead to business interruption (BI) and potential claims.

As this incident, although initially reported as non-malicious, has shared similarities with large-scale cyberattacks in terms of its disruptive impact on an insurer's clients, the fallout could see losses, especially for sectors that rely heavily on systems uptime.

Insurers could see that their incident response and claims handling teams are stretched thin given the scale of this incident, as the number of enterprises impacted and how they were impacted becomes clearer in the next few days.

Policy terms and conditions still vary widely, and even though the cyber insurance market has evolved there isn't standardization of terms. Insurers will have to start the process of individually assessing each client's policy in turn to establish their exposure.

Future Considerations

This incident acts as a wakeup call and highlights several key lessons for enterprises, the cybersecurity, and cyber insurance industry at large:

1. Testing and Validation: Even trusted vendors need to undertake rigorous testing and validation processes before deploying updates. This can mitigate the risk of widespread disruptions.

2. Rollback Mechanisms: Enterprises should have robust rollback mechanisms in place to quickly revert to previous states in case of problematic updates.

3. Communication and Support: Effective communication channels and support mechanisms are crucial for guiding users through troubleshooting processes, especially during widespread incidents.

4. Balancing Risk: Organizations must balance the need for automatic updates to protect against malicious threats with the potential risks of such updates causing disruptions.

5. Insurance Clarity: Clear understanding and documentation of cyber insurance policies are essential to determine coverage in connection with such incidents.

Moving Forward

This CrowdStrike incident is a stark reminder of the delicate balance between maintaining security and stability in the cybersecurity realm within our increasingly interconnected and complex digital landscape.

While proactive threat detection and response are vital, they must be balanced with meticulous testing and contingency planning. As the industry navigates this incident, it will undoubtedly lead to enhanced protocols and safeguards to prevent similar future occurrences.

As always, Moody's stands ready to help customers better understand the cyber insurance marketplace and will keep a close eye on further developments regarding this incident.

Find out more about Moody's RMS Cyber Solutions.

Damini Mago

Assistant Director, Product Management - Cyber

Damini is an Assistant Director, Product Management - Cyber at Moody's. She has worked with numerous (re)insurers to understand, measure, and manage their cyber risk.

As a member of Moody's RMS Cyber Product Strategy team, Damini leads in the setting of the product roadmap and drives the adoption of catastrophe risk management software, advancing the catastrophe risk modeling effort while working closely with the industry.

Damini has an engineering background with years of experience in financial quantitative modeling and data science.

• #cyber insurance
• #cyber risk
• #RMS Cyber Solutions
• #CrowdStrike
• #CrowdStrike Falcon
• #endpoint detection and response
• #Microsoft Windows
• #Safe Mode