CrowdStrike Outage Explained by Keith Barker CCIE

00:00

hello and welcome my name is Keith

00:02

Barker and I'd like to give you a high

00:03

Lev overview of what you need to know

00:05

about the crowd strike incident that

00:07

happened in July 2024 and these are the

00:10

three main questions I'd like to cover

00:11

with you right now first of all what

00:13

happened secondly why did it happen and

00:14

third and fairly important to people are

00:16

still cleaning up after this how do we

00:18

resolve it so let's begin with question

00:20

number one what exactly happened to over

00:22

8 million Windows computers and are you

00:24

impacted first of all it would look like

00:26

the result looks like this this is a

00:27

representation of the blue screen of

00:30

death or as his friends call it BS o d

00:33

for the acronym for blue screen of death

00:35

and for the question of are you impacted

00:37

the answer is yes even if you personally

00:39

didn't have a blue screen of death on

00:40

your Windows computer it's very likely

00:42

there was interruptions to other

00:43

services that you very likely were

00:45

attempting or were going to use things

00:47

like businesses and Airlines and

00:49

hospitals and various critical services

00:51

around the world so I have friends who

00:53

Miss flights I had children that missed

00:55

doctor's appointments all because those

00:57

systems were down due to their blue

00:58

screen of death so again whether this

01:00

happened to you personally or you were

01:01

impacted by somebody else's computer

01:03

systems having blue screens of death

01:05

this impacted hundreds of millions of

01:06

people all over the planet in one way or

01:09

another so when something like that

01:10

happens one of the questions might be

01:12

well how in the world did this occur so

01:14

let's tackle that next and a great way

01:16

to understand why this happened would be

01:18

to use the analogy of a castle so let's

01:21

imagine we have a castle right here so

01:22

this would be the perimeter and then

01:24

within the castle there's other secure

01:26

areas it's very likely that's where we

01:27

keep the king or the royalty whoever it

01:29

happens to to be in the most secure area

01:31

so we'll call this area zero the most

01:33

secure area and the Outer Perimeter here

01:35

we'll go ahead and call that area one so

01:37

we can think of this area zero here in

01:39

the castle the innermost part of it as

01:40

the most secure area now if somebody

01:42

needs access to the king or to the staff

01:44

of the king or to the royalty what can

01:46

happen is a request can be made for that

01:49

access maybe we need to get a decision

01:50

from the king or some other request

01:52

needs to be made that request is made

01:54

and then inside this most secure area

01:56

the decisions are made and then the

01:58

results are handed back and the concept

02:00

is if something negative happens out

02:01

here in area one let's say we have I'm

02:03

going to go ahead and draw an X to

02:04

represent something negative happening

02:05

hopefully that's not going to impact the

02:07

area zero because there's extra security

02:09

to get to area zero the goal is to not

02:12

let those negative events impact the

02:14

area zero the most secure area where the

02:16

king and the treasures are all kept or

02:18

in the case of a queen where the queen

02:19

and all the treasures are kept so how

02:21

does this story of the castle with a

02:23

most secure area and a less secure area

02:26

apply to why this blue screen of death

02:28

happened as part of the crowd strike

02:30

incident in July of 2024 and here's how

02:33

it applies I'm going to draw the same

02:34

diagram again except this time I'm going

02:36

to call this ring one and think of it

02:39

like area one for the castle the outside

02:41

perimeter but in a computer system it's

02:42

referred to as ring one and then the

02:44

operating system and the most critical

02:46

functions are going to be running in a

02:47

separate and more secure area called

02:49

ring zero and just like our analogy of

02:52

the castle and area one and area zero

02:55

inside of a computer system we have

02:57

these similar areas except they're

02:58

referred to as the most areas here's

03:00

ring zero and the less secure area or

03:02

the outside perimeter here is referred

03:04

to as ring one and here at ring zero the

03:06

operating system is handling core

03:08

functions for the operating system

03:10

itself so when we have other

03:11

applications such as Microsoft Office

03:14

applications or other programs or

03:15

browsers that we're running they're

03:16

running in ring one it's also referred

03:18

to as user mode so these little red

03:21

boxes I'm going to refer to as

03:22

applications think of them like user

03:24

applications that are running in ring

03:25

one now for those applications to work

03:27

they need resources for example they

03:29

need to get to memory or they may need

03:30

to write to the dis or they may need to

03:32

write to the network or make requests

03:33

from the network so when those apps need

03:35

resources they're interacting and making

03:36

this request to the ring zero components

03:38

and right here at ring zero we have

03:40

things like memory management and access

03:42

to the hardware and all the super secure

03:44

services that the operating system is in

03:46

charge of and that would also include

03:47

things such as drivers so when an

03:49

application needs resources it's making

03:51

those requests and then hopefully those

03:52

requests are being granted back to the

03:54

applications from the operating system

03:56

another common term for ring zero and

03:58

ring one are kernel mode and I'll match

03:59

set the same color here and just think

04:01

of Kernel mode as the most secure area

04:03

of the operating system that gets direct

04:05

access to the hardware and resources and

04:06

again that's where the operating system

04:07

runs and drivers run in ring zero or in

04:10

kernel mode and ring one where most

04:12

applications run that's referred to as

04:14

user mode some parentheses I'll just

04:16

shout out ring zero for kernel mode and

04:19

next to user mode I'll go aad and put

04:20

ring one just as a reminder now what's

04:23

the benefit of having two of these

04:24

different modes kernel mode at ring zero

04:26

and user mode well the benefit is if we

04:28

have an application that goes sideways

04:31

it has a problem or an issue hopefully

04:33

we just want that application to die by

04:35

itself and not take down the entire

04:37

system and that's normally the case with

04:39

applications that are run in user mode

04:41

for example let's imagine we're running

04:43

our favorite network-based game on our

04:45

computer it's running in user mode in

04:48

ring level one and it crashes the intent

04:50

is for just that application to crash

04:52

because of its problem and not to take

04:54

down the entire operating system and get

04:55

a blue screen of death so let me clean

04:57

this up just a teeny bit and let's talk

04:59

about why

05:00

the Falcon application let's take a look

05:01

at what that is why that from crowd

05:04

strike caused the blue screen of death

05:06

crowd strike makes some software that

05:07

runs on a Windows computer that helps to

05:10

identify and prevent malware so think of

05:12

it like an anti-malware program on

05:15

steroids it's really really efficient

05:17

until it brings down the computer but

05:18

for the moment let's just go ahead and

05:20

label out that their product called

05:22

Falcon again think of Falcon like an

05:23

antivirus or antimalware software and as

05:26

far as the impact goes the blue screen

05:28

of death happened to individuals and

05:30

computer systems where they were running

05:32

the Falcon service from crowd strike now

05:34

the reason that the Falcon software

05:36

caused the blue screen of death was

05:38

because had two things that were

05:39

currently working at the same time

05:41

number one the Falcon software is

05:42

running in kernel mode here at ring zero

05:46

so if there's a problem with the

05:47

software and it ruins effectively the

05:49

kernel that's going to cause the blue

05:50

screen of death instead of the computer

05:52

still trying to continue which if

05:54

there's problems at ring zero with

05:55

access to memory for example two

05:57

different programs right into the same

05:58

memory space or walking on top of each

06:00

other the operating system is designed

06:02

to Halt instead of continuing which

06:04

could lead to further data corruption so

06:06

their code the Falcon code is being run

06:08

as a device driver here at ring zero in

06:11

kernel mode and there's probably some

06:12

great reasons why they're doing that one

06:14

would be they want more access and

06:16

direct access to make sure that their

06:18

antimalware and anti virus Etc software

06:21

is currently working correctly and able

06:22

to go ahead and really catch everything

06:24

that's trying to happen and it's not

06:25

like they just walked up and said hey

06:27

can we do this with Microsoft they went

06:28

through a process called

06:32

whql which is an acronym for Windows

06:34

Hardware qualified lab and they were

06:37

certified which effectively means that

06:39

Microsoft tested and worked with their

06:40

software validated it and said yep

06:42

you're good to go we approve of this and

06:45

here's the rub even though the Falcon

06:47

software was certified through whql so

06:49

let's go ahead and manage this is Falcon

06:51

right here so it's been certified it's

06:52

been signed by Microsoft that it's good

06:54

to go the underlying components of

06:56

Falcon periodically get updates and

06:59

that's where the whole thing went South

07:00

so let's imagine the Falcon software

07:02

itself has some subordinate files think

07:04

of them like files that the Falcon

07:06

software itself uses as part of its

07:08

operation and let's go ahead and put

07:09

file one and file two and file three and

07:12

so if they need to update some

07:13

components of the Falcon driver their

07:15

software effectively what they can do is

07:17

update those files and then they have an

07:18

updated component as part of the Falcon

07:21

software and that's deployed to clients

07:23

that are using this system from crow

07:25

called Falcon through Dynamic updates

07:27

well even though the Falcon software was

07:30

certified by Microsoft in the event that

07:33

they do an update and they have a

07:34

corrupt or incorrect file that they're

07:36

using as part of the Falcon software

07:38

because it's running in kernel mode at

07:40

ring zero if there's a problem with one

07:41

of those supporting files that's being

07:42

used by Falcon that could and did cause

07:45

a problem as part of the update that

07:47

happened on July 19th with these files

07:49

that were being used by the Falcon

07:51

driver which again is our code wearing

07:52

at ring zero in kernel mode it can be

07:54

identified as C- then 5 Z

07:58

291 Das and then some extension which

08:00

won't matter tooo much because it's this

08:02

update that caused the problem so to

08:04

answer the question why did this happen

08:05

customer systems that were using crowd

08:08

strikes Falcon software when they got

08:09

the dynamic update the update had an

08:11

incorrect file and as a result the

08:13

incorrect file caused the application to

08:15

fail and because it was at ring zero or

08:17

kernel mode that caused the blue screen

08:19

of death so next let's turn our

08:20

attention to how it is being resolved

08:22

now they can push out a new update and

08:24

they have since the actual incident

08:26

happened but if a computer boots up to

08:28

the blue screen of death it's not going

08:30

to be able to continue with any other

08:31

kind of update because at that point

08:33

it's halted and the process for

08:35

correcting this if you're sitting at the

08:36

computer that has a blue screen of death

08:38

would be to reboot the computer into

08:40

what's known as safe mode and then in

08:42

safe mode you drill down to the file

08:44

structure find any of the updated files

08:46

from Falcon with this

08:48

00000000 291 and then delete that file

08:51

or any files with that 291 update and

08:54

then go ahead and reboot and that works

08:56

great most of the time except for the

08:57

fact that a lot of servers don't have a

09:00

guei connected to them for example a GUI

09:02

is a graphical user interface a lot of

09:04

servers don't have a screen attached to

09:06

them all the time and as a result if you

09:08

have hundreds or thousands of servers

09:10

that are running in a Data Center and

09:12

they don't have screens that some you

09:13

can just walk up to and work with it may

09:15

take a little more time or scripting to

09:17

actually make that change another

09:18

complication comes in if we're using a

09:21

security feature on the file system

09:22

called bit Locker so if a system is

09:24

using bit Locker there are some

09:26

additional steps and depending if you

09:27

have the keys or not additional steps

09:29

beyond that to get fully recovered just

09:32

be aware there is some additional work

09:33

to do if you're currently using bit

09:35

Locker also as part of the recovery

09:37

process to Aid that Microsoft updated

09:39

their Microsoft recovery tool on July

09:43

22nd and that recovery tool provides two

09:45

repair options to help it admins

09:47

expedite the repair process so one of

09:49

those options is booting from wind PE to

09:52

facilitate the repair and the other

09:54

option is doing the recover from safe

09:56

mode and I guess the final thing we

09:57

should chat about is how could this be

09:59

avoided and the answer is QA so even

10:03

though the Falcon driver or the Falcon

10:05

code itself which was running at ring

10:07

zero is certified via whql from

10:09

Microsoft the updates that they were

10:12

doing obviously were not thoroughly

10:14

tested enough to prevent the blue screen

10:16

of death so the two solutions would be

10:18

one is better QA on the updates for the

10:20

Falcon software or secondly they could

10:23

run the Falcon software not in ring zero

10:25

in kernel mode but rather run it as an

10:27

application which might degrade some of

10:29

its deficiencies in identifying malware

10:31

but at least if it crashed it would only

10:33

crash itself and it wouldn't cause the

10:35

entire system because it's not a kernel

10:37

zero application it wouldn't cause the

10:38

entire system to crash so thanks for

10:40

joining me in this video as we've

10:41

addressed three elements number one what

10:43

happened number two why it happened and

10:46

third how it's being resolved and until

10:48

next time I'm Keith Barker and stay safe