On the morning of July 19, 2024, a global system outage linked to a CrowdStrike Windows update caused significant disruptions at airports worldwide. The update led to widespread issues with Windows servers, virtual machines, and endpoint systems used by CrowdStrike clients, resulting in numerous “blue screens of death” and system inoperability.
Since Friday, organizations worldwide have faced significant operational disruptions following a software update from security vendor CrowdStrike, which caused widespread “blue screens of death” on Windows systems.
On Monday, global technology advisory firm Gartner published a research note detailing steps for CrowdStrike users to manage the fallout from this incident. The note provides guidance on immediate, midterm, and long-term actions.
Gartner’s immediate recommendations include monitoring for new threat intelligence, as the chaos has led to an increase in opportunistic attacks. “During a crisis, people often seek out any available help, leading to the rise of fraudulent websites,” said Sumed Barde, head of product at Simbian, an AI security firm. “Some of these sites demand upfront payments or offer advice laced with malware.”
Chris Morales, CISO at Netenrich, highlighted several opportunistic threats to watch for, including phishing campaigns pretending to be from CrowdStrike or related companies, credential stuffing, brute-force attacks, and exploitation of known vulnerabilities.
Potential for Ransomware Surge
The incident could also lead to a rise in ransomware attacks. “With security measures weakened, attackers might increase attempts to exfiltrate data or launch DDoS attacks,” said Tim Freestone, chief strategy and marketing officer of Kiteworks. He noted that the disruption might also lead to increased attempts at exploiting vulnerable systems.
Security operations center (SOC) teams are advised to ensure that any temporary measures or workarounds are properly decommissioned to avoid future problems, according to Josh Thorngren, security strategist at ForAllSecure.
Gartner’s midterm recommendations focus on assessing impacts on secondary systems, identifying exposed vulnerabilities, and maintaining visibility into upcoming system updates. Additionally, SOC teams should monitor for anomalies such as unusual data flows and unauthorized access requests, said Katie Teitler-Santullo, a cybersecurity strategist for OX Security.
To counter the fake domains set up by scammers, organizations should add those domains to their blocklists so that employees do not visit them by accident. Managing employee burnout and fatigue is also crucial, as stressed teams may struggle with decision-making and operational effectiveness, according to Jon Amato, Gartner Senior Director Analyst.
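The blocklist recommendation above assumes someone is finding the impersonating domains in the first place. The following is an added example, not code from the article, Gartner, or CrowdStrike: it screens a constructed batch of observed domains (as might be pulled from proxy or DNS logs) against the vendor's legitimate domain and returns blocklist candidates with a reason. The legitimate domain, the edit-distance threshold and the incident keyword list are assumptions chosen for illustration.

```python
"""Flag lookalike domains that impersonate a vendor during an incident."""
from typing import Dict, List, Optional

# Assumptions for illustration: the vendor's real domain and the words scammers
# tend to bolt onto a brand name while people are hunting for a fix.
LEGIT_DOMAIN = "crowdstrike.com"
INCIDENT_WORDS = ("fix", "patch", "recovery", "support", "helpdesk", "update")
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch single-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label ('crowdstrike' from 'cdn.crowdstrike.com').
    Assumption: multi-label public suffixes such as co.uk are not handled."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_reason(domain: str, legit: str = LEGIT_DOMAIN) -> Optional[str]:
    """Return why a domain looks like an impersonation, or None if it is clean."""
    d = domain.lower().rstrip(".")
    if d == legit or d.endswith("." + legit):
        return None  # the vendor's own domain or one of its subdomains
    brand, label = registrable_label(legit), registrable_label(d)
    normalized = label.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    if normalized != label and normalized == brand:
        return "homoglyph substitution"
    if brand in label and label != brand:
        extra = label.replace(brand, "").strip("-_")
        if any(w in extra for w in INCIDENT_WORDS):
            return "brand plus incident keyword (%s)" % extra
        return "brand embedded in label"
    if label == brand:
        return "brand on a different TLD"
    if levenshtein(label, brand) <= 2:  # assumed threshold
        return "typosquat (edit distance <= 2)"
    return None


def blocklist_candidates(observed: List[str], legit: str = LEGIT_DOMAIN) -> Dict[str, str]:
    """Map each suspicious observed domain to the reason it was flagged."""
    flagged = {d: lookalike_reason(d, legit) for d in observed}
    return {d: r for d, r in flagged.items() if r is not None}


# Constructed sample of observed domains, not real indicators.
OBSERVED = ["cdn.crowdstrike.com", "crowdstrike-fix.com", "cr0wdstrike.com",
            "crowdstrlke.com", "crowdstrike.net", "microsoft.com", "crowdstrikerecovery.io"]
```

Candidates that survive a manual check can be fed to the blocklist; the reason string is there so an analyst can see why each entry was proposed rather than trusting the script blindly.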
Managing Fatigue and Burnout
Gartner highlighted the importance of addressing employee burnout during this crisis. “The stress of dealing with widespread disruptions can lead to decision fatigue and errors,” Amato noted. Chris Morales emphasized that this added stress could compromise the quality of incident response and overall security.
Long-Term Resilience
For long-term recovery, Gartner advises focusing on building resilience. This involves developing redundant systems, ensuring continuous data backups, establishing alternate communication channels, and preparing for operations under diminished conditions. Maurice Uenuma from Blancco Technology Group stressed the importance of resilience as the frequency and impact of such incidents are likely to increase. Jenna Wells from Supply Wisdom added that having a thorough understanding of your supply chain and proactive business continuity plans is essential for responding effectively to future crises.
Overall, Gartner’s guidance emphasizes the need for immediate vigilance, midterm assessment, and long-term strategic planning to navigate and mitigate the effects of this disruption.