Gartner IDs Recovery Steps for CrowdStrike ‘Screen of Death’ Disaster

Since Friday, organizations have been struggling to get their operations up and running after a software update by security vendor CrowdStrike set off an epidemic of “blue screens of death” globally, commonly known as the screen of death for Windows users.

On Monday, global technology advisory firm Gartner released a research note outlining short-term, intermediate, and long-term measures CrowdStrike users can implement to deal with what’s become the update from hell.

One of the firm’s recommendations for immediate action is to make sure security teams are on the lookout for new threat intelligence related to opportunistic attacks. “In panic mode, people begin clutching at straws,” explained Sumed Barde, head of product at Simbian, an AI security company in Mountain View, Calif.

“They’re looking for any help they can get online,” he told TechNewsWorld. “So what we’re seeing is a bunch of fake websites popping up by scammers.”

Barde explained that one form of scam is a website that does nothing but demands upfront payments. Other websites offer free advice but contain malware.

Chris Morales, CISO at Netenrich, a security operations center services provider in San Jose, Calif., cited several kinds of opportunistic attacks organizations should be on high alert for during this initial period of the CrowdStrike outage. “Phishing campaigns are big,” he told TechNewsWorld. “Attackers love to take advantage of the confusion by sending emails that look like they’re from CrowdStrike or related companies.”

“Credential stuffing and brute-force attacks are common, too, as attackers try to exploit any temporary security gaps,” he added.

“And, of course, there’s always the risk of known vulnerabilities being targeted more aggressively during the chaos,” he said.

Potential for Ransomware Surge

The outage may also fuel another online scourge. “Ransomware attacks could surge as attackers leverage the weakened security postures of affected organizations,” said Tim Freestone, chief strategy and marketing officer of Kiteworks, a secure content communications provider in San Mateo, Calif.

“Data exfiltration attempts may increase, targeting the temporarily vulnerable systems,” he told TechNewsWorld. “The outage might also inspire DDoS attacks to further overwhelm already strained networks.”

Invitations for opportunistic exploits by hackers may also be created as security operations center teams implement ad hoc measures to get systems operational quickly.

“One of the biggest things for SOCs is going to be to ensure that any temporary systems, temporary permission elevations or other workarounds that have been put into place have been decommissioned,” observed Josh Thorngren, a security strategist at ForAllSecure, a software security testing company in Pittsburgh.

“When there’s activity on these devices or networks two weeks from now, that’s likely to be a problem,” he told TechNewsWorld.

Gartner also made some recommendations for midterm actions. “The focus for midterm actions is to assess the impact on secondary systems, look for exposed vulnerabilities, and ensure you have visibility into planned systemwide updates and releases in the coming week,” it explained.

Manage Fatigue and Burnout

Among the midterm actions suggested by Gartner was for organizations to review anomalies or unusual trends with the SOC teams to minimize the risks of an undetected opportunistic attack.

“SOC teams should be on the lookout for unusual amounts of data going into or being taken out of repositories, higher-than-usual access requests, users seemingly requesting access to files or drives they don’t usually want or need to access, and any changes in permissions or configurations that don’t fit into previous baselines or trends,” said Katie Teitler-Santullo, a cybersecurity strategist for OX Security, a developer of active application security posture management platforms, in Tel Aviv, Israel

“IT and security teams can also help their organizations by adding any known fake domains, like crowdstrikebluescreen[.]com or crowdstrike-helpdesk[.]com, to their blocklists to prevent users from inadvertently visiting those sites,” she told TechNewsWorld.

Another midterm action proposed by Gartner is actively managing employee burnout and fatigue. “This outage goes beyond security teams because it touches every single machine in a company,” noted Gartner Senior Director Analyst Jon Amato.

“That creates a laborious, time-consuming, tedious process,” he told TechNewsWorld. “The help desk staffs at most businesses right now are strained to the breaking point. I’m hearing about companies hiring armies of contractors coming to touch machines and working 24/7. The longer that goes on, the more likely you’re going to have fatigue set in. It’s a recipe for burnout.”

Morales explained that burnout and fatigue are huge issues during events like the CrowdStrike outage and are often overlooked. “Think about it,” he said. “Our security teams are suddenly dealing with a massive surge in workload. They’re trying to manage the incident response while keeping all the regular operations going. It’s like trying to put out a fire while still cooking dinner.”

“This kind of prolonged stress can lead to serious decision fatigue, where the quality of choices starts to nosedive,” he continued. “Tired employees might miss critical alerts or subtle signs of an attack.”

“And let’s face it,” he added, “we’re all humans — the chances of making a mistake skyrocket when you’re exhausted. One small error could lead to a misconfiguration or a delayed response, and suddenly, we’ve got a much bigger problem on our hands.”

Resiliency for the Long-Term

Gartner’s long-term actions aim to mitigate or reduce the risk of future events like the CrowdStrike event. “The CrowdStrike outage reinforces the need to focus on resilience,” Gartner noted, and recommended, “Use a top-down approach to connect the approach to overall strategic objectives.”

“For all the efforts to prevent such mistakes from happening again, we should anticipate that these cascading errors will increase in frequency and impact in the years to come as the world becomes even more interconnected and interdependent,” said Maurice Uenuma, vice president and general manager at the Blancco Technology Group, a global company that specializes in data erasure and mobile device diagnostics

“Because of this, we must focus on resilience — the ability to survive and recover when the inevitable crisis comes,” he told TechNewsWorld.

“Resilience is achieved by having separate, redundant ways to perform critical tasks, ensuring continuous backup of data, building alternate communication channels, and rehearsing for operating with diminished capabilities under adverse conditions,” he explained.

“If companies want to be more resilient, they must first have full oversight and awareness of their supply chain,” added Jenna Wells, chief customer and product officer at Supply Wisdom, a real-time risk intelligence platform in New York City.

“If you have full oversight and awareness of your supply chain, you are saving time and increasing your resilience by already knowing your points of failure,” she told TechNewsWorld. “You can then proactively put a business continuity plan in place for when events do happen.”

“Whether it be a cyber event — or, as in this case, a human error — you need to be able to react in any type of incident with the snap of a finger,” she said. “After all, it’s not if but when an event happens.”