I’m sometimes asked: “Raphael, what does Strategic Cyber LLC do to control Cobalt Strike?” That’s the subject of this blog post.
What is Cobalt Strike? The textbook answer is that Cobalt Strike is a platform for red team operations and adversary simulations. In the right hands, Cobalt Strike empowers security professionals and enables better security assessments.
While the product’s capability makes it a popular choice for red team security assessments, it’s also dangerous in the wrong hands. That’s not something we take lightly. A great effort goes into limiting distribution of Cobalt Strike to security professionals who will only use the product for ethical penetration testing purposes.
- We perform a screen and risk assessment of all trial requests and sales—a process that includes assessment of the organization’s plausible use case
- We degrade functionality in the product’s trial distribution.
- Our licensed product adds identifiers to its payloads that attribute the end-user.
If you’d like to learn more, I recommend that you read our Corporate Compliance and Ethics document.
I can haz Cobalt Strike?
While our screening and risk assessment reduces risk—it doesn’t eliminate it. Yet, the process is working.
One day, we received a trial request from a Detective in a small town police department. The provided email was biz350@[domain].gov. We initially read this as a generic procurement address. Some organizations have these. With GDPR, I expect we’ll see a lot more of this from EU entities going forward too.
We didn’t have any concerns about the identity or location of this end-user organization. The risk assessment is where we ran into problems. We had to ask the obvious question: Why would a small police department need Cobalt Strike? Is a patrolman using department time and budget to get an OSCP? We denied the trial request.
A few days later, we received a follow-up email from the email address associated with the trial request. The writing was odd though. It came off like a professional correspondence fed through an LOLcat translator.
That wasn’t the kicker though. The email name read “Minolta Copier”. A quick Google search revealed that biz350 is a model of an internet connected printer/copy machine.
At this point, we were convinced the entity was compromised. We gathered up the information we had and opted to notify the organization. That was an awkward call.
“Hello, dispatch.”
“Hi… uh… I’d like to speak to someone in IT?”
“Excuse me, can you state the reason why?”
“I promise, this isn’t a phishing scam, I think your printer is hacked”
“…”
While we can’t share the specific “red flags” we use, every sale and trial request goes through our screening and risk assessment process. This forces us to ask questions and find answers. When something doesn’t add up, we either collaborate to resolve it, or disengage completely.
Reporting incidents and artifacts?
From time to time, we receive informal requests for technical assistance or records from private entities. Our policy is not to perform analysis for, provide deconfliction services to, or disclose our records to private entities upon informal request.
If we have information relevant to a law enforcement investigation, we comply with valid legal process.
This stance is to avoid frivolous requests and to protect our customer’s information.
We also investigate tips. We can’t usually share information back, but we look into things brought to our attention. [email protected] is the best email address to start those conversations.