More can be done to curb misuse of Cobalt Strike, expert says


Although it is a commercially available software product from a U.S.-based cybersecurity vendor, Cobalt Strike is one of the most popular tools among cybercriminals because of its versatility and effectiveness in carrying out cyberattacks.

Cobalt Strike has been used for malicious purposes for years, but the damage associated with its use has surged over the past few years. In particular, numerous researchers have found a strong correlation between the use of Cobalt Strike and ransomware attacks.

However, the vendor that owns Cobalt Strike, HelpSystems, could be doing far more to combat the problem, according to the cofounder of Red Canary, a prominent managed detection and response firm that has researched the issue.

“We just want to see some level of ownership over the proliferation of the tool,” said Keith McCammon, who is chief security officer at Red Canary and heads the company’s security strategy, operations and threat research.

It’s long been common for threat actors to use legitimate tools in illegitimate ways. But in recent years, “the costs associated with their use have gone completely out of control,” McCammon said.

A prevalent threat

VentureBeat spoke with McCammon in connection with the release of Red Canary’s 2022 Threat Detection Report. Cobalt Strike ranked as the third most prevalent threat tracked in the report, affecting 7.9% of Red Canary customers last year. The threat ranked behind only the TA551 threat group and the Mimikatz credential-stealing tool.

Cobalt Strike is widely used for its intended purpose by red teams — “ethical hackers” who play the part of a cyber adversary to test companies’ defenses. But it’s popular with cybercriminals for the same reason: The tool can be used to carry out a malicious cyber operation essentially from start to finish, McCammon said.

In at least one case, documented by Brian Krebs, the legitimate version of Cobalt Strike was obtained by a threat actor that had set up a shell company.

But for the most part, the cyber industry believes that cybercriminals are using cracked versions of the Cobalt Strike software, McCammon said.

Simply put, Cobalt Strike is popular because it does the job: According to the HelpSystems datasheet, the post-exploitation tool enables everything from client-side reconnaissance to post-exploitation payload deployment to covert communication.

“It is an end-to-end tool to orchestrate and execute a full-scope intrusion, and remain undetected,” McCammon said.

Major ransomware groups such as Conti, Ryuk and REvil are known to have utilized Cobalt Strike significantly, helping to drive the expansion of the ransomware threat. In all, the number of ransomware attacks more than doubled in 2021 — jumping 105% during the year compared to 2020, according to SonicWall. And the average ransom demand grew 36% to $6.1 million last year, CrowdStrike reported.

Tough questions

The use of Cobalt Strike by threat actors has become so costly that there is a question about whether Cobalt Strike is doing more harm than good by being commercially available, according to McCammon. If the tool were pulled from the market, eventually the cracked versions of the software would stop being effective as defenders caught up with it, he said.

But barring that unlikely move, there are a number of other steps that HelpSystems could take to assist with the problem, McCammon said.

It’s true that HelpSystems has built in aspects that make Cobalt Strike harder to pirate, and make it easier to discern good use versus malicious use, he said. But the company can go further, according to McCammon.

For starters, there needs to be a level of transparency around the licensing process, he said. If HelpSystems were to provide a means of license attribution — in the cases where legitimacy of the product use is in question — that could help to thwart illegitimate usage, McCammon said.

Another licensing issue is that, ironically, cyber researchers and defenders are unable to commercially acquire Cobalt Strike. Its sale is restricted to offensive cyber operations.

“That’s probably been one of the single biggest frustrations from the industry over the years,” said McCammon, who cofounded Red Canary in 2013. “We can’t control [criminals] getting their hands on it — but the thing that HelpSystems can control is to make sure that organizations that are in a position to defend have the same level of access to it.”

Thus, there ought to be a license that allows defenders to legally acquire Cobalt Strike, he said. “And if there are constraints that come with that, those are probably things we can work through,” McCammon said.

Curbing misuse

In terms of curtailing the proliferation of Cobalt Strike in cybercrime, McCammon said he’d like to see HelpSystems do more, as well. Ideally, he said, this would include seeking out and validating illegitimate instances of the software or its corresponding infrastructure.

“Let’s focus on folks who shouldn’t have this in the first place, who absolutely did not buy it,” McCammon said. “And [HelpSystems can] take some ownership from that perspective. They should do their part to identify those instances, and do their part to support other organizations who are identifying it.”

And lastly, once HelpSystems has compiled this information, the company should disseminate it to those in the industry that are in a position to act on it, he said.

“It seems kind of utopian, but there’s precedent for working together in this way in InfoSec,” McCammon said. “When we do pinpoint malicious infrastructure or misuse, we can get that out to as many of the right folks as possible, as fast as possible.”

Ultimately though, when it comes to the threat posed by malicious Cobalt Strike usage, “none of these actions would even come close to solving the problem. But they’re steps in the right direction,” McCammon said. “The act of partnership, I think, is what the whole industry would benefit from.”

VentureBeat provided HelpSystems with the chance to respond to each of these points, including about the potential harms of Cobalt Strike’s commercial availability, questions about licensing and potential ways to curb illegitimate usage.

“At this time, we are not answering direct questions,” HelpSystems said in a statement provided to VentureBeat. “But please be aware that HelpSystems takes its vetting and product development processes seriously and remains dedicated to ensuring Cobalt Strike remains a world class cybersecurity tool to help approved organizations with security operations and incident response.”

Strategic Cyber, the company that originally developed Cobalt Strike, was founded in 2012. HelpSystems acquired the Cobalt Strike maker in March 2020.

Eden Prairie, Minnesota-based HelpSystems is owned by private equity firms including TA Associates and Harvest Partners, and has made a string of acquisitions since acquiring Cobalt Strike. The acquisitions have included Digital Guardian, PhishLabs, Agari, Beyond Security, Digital Defense, FileCatalyst and Vera. Most recently, HelpSystems has announced agreements over the past two months to acquire Tripwire and Alert Logic.

Originally appeared on: TheSpuzz