CrowdStrike: Crooked, Shrill, Unashamed

Since the misattribution of a suspected breach of the DNC network in early 2016 to Russia, CrowdStrike has been boosted by:

  • DNC loyalists in the FBI, CIA, DHS, and DNI
  • the fawning coverage by mainstream media
  • NBC News employing Shawn Henry, a CrowdStrike top officer and former executive assistant to FBI Director Robert Mueller, as a cyber security consultant
  • $300M in investments by Google and Silicon Valley VCs

Today, that creates the impression that CrowdStrike is a respectable entity. But when it was invited by the DNC to take care of a suspected breach in 2016, it could not have been mistaken for one. CrowdStrike was a four-year-old upstart, hardly noticeable in the crowded market for cyber-security products and services of the kind it provided. The weakness of its product could not be compensated for by its excellent PR, but strong ties to Obama's FBI helped.

Low Ranking by Gartner

In 2016, CrowdStrike wasn't even in the Gartner Magic Quadrant for Endpoint Protection Platforms (pdf), meaning that it trailed well behind the 18 included vendors. In 2017, CrowdStrike was included (pdf) only because "The company grew its installed base rapidly in 2016 due to the publicity from high profile incident response work [mentioned misattribution], and the attractiveness of the CrowdStrike Overwatch service", but not among the top 10 vendors.

CrowdStrike Falcon was among 29 unranked vendors in the 2015-2016 Gartner Market Guide for Endpoint Detection and Response Solutions (pdf), which stressed that EDR solutions are not a replacement for endpoint protection platforms. The report also warned readers about EDR products in general:

 "The biggest problem for any buyer of EDR techniques is determining the depth and accuracy of detection techniques. There are no standardized public tests of detection capability yet. Vendors have excellent marketing departments capable of spinning even the simplest techniques into invincible ones," and

“The EDR market is clearly in the Gold Rush days and nearing the Peak of Inflated Expectations …”

The FBI should have been familiar with the low regard in which CrowdStrike was held in the professional community and on the marketplace. “The FBI’s role—operating domestically—is to anticipate, investigate, attribute, and disrupt cyber intrusions affecting the United States,” according to disgraced FBI Director Robert Mueller (2013).

Caught, Exposed, but Unashamed

Attribution of a suspected cyber intrusion to a specific sophisticated actor is very hard. Verification or falsification of it is almost impossible. CrowdStrike knew and took advantage of this fact when making its false attributions.

But by the end of 2016 it became so brazen or desperate that it made an attribution in a situation where it could be verified. On December 22, 2016, it published and promoted a report claiming that 80% of Ukrainian howitzers had been destroyed by the Russian military because an Android application used by Ukrainian artillery units had been breached by the same Russian military unit that had allegedly penetrated the DNC network in April-May 2016. Fancy Bear was the code name for that non-existent group. For a couple of weeks CrowdStrike personalities were bragging about its "discovery" all over the MSM. For example, Forbes opined:

That Fancy Bear was involved in such a campaign further proved the group was Russian and was facilitating GRU operations. Previous reports had linked the GRU to the DNC hack, though hard evidence was thin on the ground. But Alperovitch believes this is one of the clearest indicators yet that the hacks on the U.S. election were ordered by the GRU. "It's pretty high confidence that Fancy Bear had to be in touch with the Russian military," he added. "This is exactly what the mission is of the GRU."

Note that "the group" is a figment of the imagination of Shawn Henry and/or Dmitri Alperovitch of CrowdStrike. But this circus laid the groundwork for the so-called Intelligence Community Assessment, an unclassified document dated January 6, 2017, that purported to confirm the CrowdStrike "findings." In fact, even that assessment (misleadingly named to make it sound like a proper Intelligence Community Coordinated Assessment, according to Skip Folden, whose website has disappeared, but there is an archive) received high confidence only from the CIA and FBI. The NSA expressed moderate confidence, which is closer to disagreement than to agreement.

Of course, nobody listened to the refutations that started pouring in on January 6. Ukraine's military rejected all of CrowdStrike's claims, both the size of the losses and the allegation that its Android application had been infected (press release in Ukrainian). A few weeks later, the International Institute for Strategic Studies rejected the claim that it had been the source of the loss figures used by CrowdStrike.

In the end, CrowdStrike has been thoroughly exposed as a fraud and a liar. Its personalities picked up misinformation about Ukrainian losses from a mouthpiece for the Russian government, falsely attributed it to IISS, then made up the whole story about the alleged breach. But the lie succeeded: it convinced the public and some officers in the intelligence community that Fancy Bear was real, and that CrowdStrike had the skills to detect it. The MSM and Democrats have declared the ICA, based on CrowdStrike's lies, an indisputable truth, and some even went so far as to suggest that doubting it is comparable to treason.

More Black Eyes

  • In 2012, Stuart McClure, a friend of George Kurtz who left McAfee about the same time, refused to join CrowdStrike on ethical grounds.

“I’ve known George since 1998. We were best friends for 14 years,” says McClure. “But I decided I needed to live my life with high integrity and with high-integrity people, so I decided to do this gig on my own. He’s still bitter about it.” (Forbes, 2016-07-06)

  • Certain bad actors made a lot of noise about the fact that ThreatConnect, another private firm, published the same conclusions as CrowdStrike (1, 2). They did not mention that ThreatConnect had been CrowdStrike's partner and reseller since 2015. All other companies making similar attribution claims used data from CrowdStrike and a similarly flawed methodology, and had strong conflicts of interest.

Dangerous Pseudo-Science in Cyber Security (WUWT) provides more information and a wider picture.

Google showered CrowdStrike with money and hid negative references to it. The following are screenshots of a Google search for "CrowdStrike con" in a browser in a fresh state (empty cookies and cache).

[Screenshots: Google search results for "CrowdStrike con", initial view and scrolled view]