More can be done to curb Cobalt Strike abuse, expert says


Despite being a commercially available software product from a US-based cybersecurity vendor, Cobalt Strike is one of the most popular tools used by cybercriminals due to its versatility and effectiveness in carrying out cyberattacks.

But while Cobalt Strike has been used for malicious purposes for years, the damage associated with its use has increased dramatically in recent years. In particular, there is a strong correlation between the use of Cobalt Strike and ransomware attacks, numerous researchers have found.

However, the vendor that owns Cobalt Strike, HelpSystems, could do a lot more to combat the problem, according to the co-founder of Red Canary, a prominent managed detection and response company that has researched the issue.

“We just want to see a degree of ownership over the distribution of the tool,” said Keith McCammon, chief security officer at Red Canary and head of the company’s security strategy, operations and threat research.

It has long been common for threat actors to use legitimate tools in illegitimate ways. But in recent years, “the costs associated with its use have gotten completely out of hand,” McCammon said.

A common threat

VentureBeat spoke to McCammon in connection with the publication of Red Canary’s 2022 Threat Detection Report. Cobalt Strike was the third most common threat tracked in the report, affecting 7.9% of Red Canary customers last year. The threat was only behind the TA551 threat group and the Mimikatz credential stealing tool.

Cobalt Strike is widely used for its intended purpose by red teams – “ethical hackers” who play the role of a cyber attacker to test the defense of companies. But it’s popular with cybercriminals for the same reason: The tool can be used to essentially run a malicious cyber operation from start to finish, McCammon said.

In at least one case, documented by Brian Krebs, the legitimate version of Cobalt Strike was obtained by a threat actor who had set up a shell company.

But for the most part, the cyber industry believes that cybercriminals are using cracked versions of the Cobalt Strike software, McCammon said.

Simply put, Cobalt Strike is popular because it does its job: According to the HelpSystems datasheet, the post-exploitation tool enables everything from client-side reconnaissance, to post-exploitation payload deployment, to covert communications.

“It’s an end-to-end tool to orchestrate and execute a full-scale break-in, and go undetected,” McCammon said.

Major ransomware groups such as Conti, Ryuk, and REvil are known to have used Cobalt Strike significantly, contributing to the spread of the ransomware threat. In total, the number of ransomware attacks more than doubled in 2021 — a 105% increase over the year compared to 2020, according to SonicWall. And average ransom demand grew 36% to $6.1 million last year, CrowdStrike reported.

Difficult questions

Threat actors’ use of Cobalt Strike has become so costly that it is questionable whether Cobalt Strike does more harm than good by being commercially available, McCammon said. If the tool were taken off the market, the cracked versions of the software would eventually stop working as defenders caught up with it, he said.

But beyond that unlikely step, there are a number of other steps HelpSystems could take to fix the problem, McCammon said.

It’s true that HelpSystems has built in features that make Cobalt Strike harder to pirate and make it easier to distinguish legitimate use from malicious use, he said. But according to McCammon, the company can go further.

For starters, there needs to be a level of transparency around the licensing process, he said. If HelpSystems provided a way to verify whether a given copy is legitimately licensed, in cases where the legitimacy of product use is in question, it could help thwart illegal uses, McCammon said.

Another licensing issue is that, ironically, cyber researchers and defenders cannot acquire Cobalt Strike commercially. Its sale is limited to organizations conducting offensive cyber operations.

“That has probably been one of the industry’s biggest frustrations over the years,” said McCammon, who co-founded Red Canary in 2013. “We have no control [over how criminals] get their hands on it — but what HelpSystems can control is to make sure organizations capable of defending have the same level of access.”

So there should be a license that allows defenders to legally acquire Cobalt Strike, he said. “And if there are restrictions on that, those are probably things we can get through,” McCammon said.

Preventing abuse

As for curbing the spread of Cobalt Strike in cybercrime, McCammon said he’d like to see HelpSystems do more, too. Ideally, he said, this would include actively seeking out illegitimate copies of the software, or the infrastructure associated with them, and validating that they are indeed unlicensed.

“Let’s focus on people who shouldn’t have this in the first place, who definitely didn’t buy it,” McCammon said. “And [HelpSystems can] take ownership from that perspective. They should do their part to identify those cases, and do their part to support other organizations that identify it.”

And finally, once HelpSystems has collected this information, the company would need to share it with those in the industry who are able to act on it, he said.

“It seems a bit utopian, but there’s precedent for working together like this in InfoSec,” McCammon said. “If we detect malicious infrastructure or abuse, we can get it to as many of the right people as quickly as possible.”
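The identification step McCammon describes is, in day-to-day practice, a matter of sample triage: confirming that a suspicious binary really carries a Beacon and pulling out the infrastructure it talks to, so the indicators can be shared. The following Python block is an added example written for this page; it is not code from VentureBeat, Red Canary or HelpSystems. It relies on the Beacon configuration layout documented by public open-source parsers: a list of big-endian records (index, type, length, value) that begins with the BeaconType record and is obfuscated with a single-byte XOR key (0x69 in 3.x builds, 0x2e in 4.x). The sample bytes are constructed here purely to exercise the parser, and the hostname beacon.example.invalid is a placeholder.

```python
"""Locate and decode a Cobalt Strike Beacon configuration block (added example)."""
import struct

# Single-byte XOR keys documented by public parsers: 0x69 (3.x), 0x2e (4.x).
XOR_KEYS = (0x69, 0x2E)

# Every config starts with record index 1 (BeaconType), type 1 (short), length 2.
CONFIG_HEADER = b"\x00\x01\x00\x01\x00\x02"

# Record indexes decoded here (a subset; names follow the open-source parsers).
FIELD_NAMES = {1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize",
               5: "Jitter", 7: "PublicKey", 8: "C2Server", 9: "UserAgent"}
STRING_FIELDS = {8, 9}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP",
                8: "HTTPS", 16: "Bind TCP"}


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_config(blob: bytes):
    """Return (offset, key) of the first obfuscated config header, or None."""
    for key in XOR_KEYS:
        off = blob.find(xor_bytes(CONFIG_HEADER, key))
        if off != -1:
            return off, key
    return None


def parse_config(blob: bytes, offset: int, key: int, max_len: int = 4096) -> dict:
    """Decode records until the index-0 terminator, truncation, or an unknown type."""
    data = xor_bytes(blob[offset:offset + max_len], key)
    fields = {"xor_key": key, "offset": offset}
    pos = 0
    while pos + 6 <= len(data):
        idx, typ, length = struct.unpack(">HHH", data[pos:pos + 6])
        pos += 6
        if idx == 0:            # index 0 marks the end of the record list
            break
        raw = data[pos:pos + length]
        pos += length
        if len(raw) != length:  # truncated blob: keep what was decoded so far
            break
        if typ == 1 and length == 2:
            value = struct.unpack(">H", raw)[0]
        elif typ == 2 and length == 4:
            value = struct.unpack(">I", raw)[0]
        elif typ == 3:
            value = raw
        else:                   # unknown layout: stop rather than misparse
            break
        name = FIELD_NAMES.get(idx, f"field_{idx}")
        if idx == 1:
            value = BEACON_TYPES.get(value, f"unknown({value})")
        elif idx in STRING_FIELDS:
            value = value.split(b"\x00", 1)[0].decode("ascii", "replace")
        fields[name] = value
    return fields


def analyze(blob: bytes):
    """Entry point: None if no config header is found, else the decoded fields."""
    hit = find_config(blob)
    if hit is None:
        return None
    offset, key = hit
    return parse_config(blob, offset, key)


# Constructed sample for this example; it is not bytes from a real Beacon.
def _record(idx: int, typ: int, payload: bytes) -> bytes:
    return struct.pack(">HHH", idx, typ, len(payload)) + payload

_PLAIN_CONFIG = (
    _record(1, 1, struct.pack(">H", 8))                     # BeaconType: HTTPS
    + _record(2, 1, struct.pack(">H", 443))                 # Port
    + _record(3, 2, struct.pack(">I", 60000))               # SleepTime (ms)
    + _record(4, 2, struct.pack(">I", 1048576))             # MaxGetSize
    + _record(5, 1, struct.pack(">H", 20))                  # Jitter (%)
    + _record(8, 3, b"beacon.example.invalid,/pixel.gif".ljust(256, b"\x00"))  # C2Server
    + b"\x00" * 16                                          # terminator + padding
)
# Obfuscated with the 4.x key and surrounded by unrelated bytes, as in a real binary.
CONSTRUCTED_SAMPLE = b"\x90" * 64 + xor_bytes(_PLAIN_CONFIG, 0x2E) + b"\xcc" * 32

if __name__ == "__main__":
    for name, value in (analyze(CONSTRUCTED_SAMPLE) or {}).items():
        print(f"{name:>12}: {value}")
```

A hit tells you the bytes are a Beacon configuration and which host and URI it calls back to, which is exactly the kind of indicator worth passing on to the rest of the industry. It says nothing about whether the copy was licensed, and builds whose key or encoding has been patched will be missed, so a miss is not a clean bill of health.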

But ultimately, when it comes to the threat posed by malicious Cobalt Strike use, “none of these actions would even come close to addressing the problem. But they are steps in the right direction,” McCammon said. “[P]artnership, I think, is what the whole industry would benefit from.”

VentureBeat gave HelpSystems the opportunity to respond to each of these points, including the potential drawbacks of Cobalt Strike’s commercial availability, questions about licensing, and possible ways to curb illegal use.

“At this time, we are not answering direct questions,” HelpSystems said in a statement to VentureBeat. “But please note that HelpSystems takes its auditing and product development processes seriously and remains committed to ensuring Cobalt Strike remains a world-class cybersecurity tool to assist approved organizations with security operations and incident response.”

Strategic Cyber, the company that originally developed Cobalt Strike, was founded in 2012. HelpSystems acquired the maker of Cobalt Strike in March 2020.

Eden Prairie, Minnesota-based HelpSystems is owned by private equity firms, including TA Associates and Harvest Partners, and has made a series of acquisitions since its acquisition of Cobalt Strike. The acquisitions include Digital Guardian, PhishLabs, Agari, Beyond Security, Digital Defense, FileCatalyst and Vera. Most recently, in the past two months, HelpSystems has announced agreements to acquire Tripwire and Alert Logic.
