A penetration-testing tool, Cobalt Strike is used by red teams to simulate adversaries by acting as an exploitation agent. Its versatility is evident. In the right hands, Cobalt Strike helps pen-testers access network resources and remain furtively embedded while controlling compromised hosts on a network.
Cyber-criminals and nation-state actors use the same kinds of tools, kits, and platforms that penetration testers use legitimately, so nobody should be surprised by this. There are off-the-shelf products already proven to be useful in attack reconnaissance; why would they build their own?
Ultimately, the difference between simulation and attack reality is one of intent; the tools used are mostly the same. Cobalt Strike is the best-known post-exploitation platform when it comes to its powerful features. Aside from constantly evolving, there is also plenty of best practice documentation available. This includes documents that explain how the underlying technology works, making it easier to apply for a large community of users, says Anna Chung, a principal researcher at Unit 42, Palo Alto Networks.
Cobalt Strike gives third parties and red teams the ability to mimic a classic APT adversary, a benefit that makes it a magnet for threat actors according to Cyjax’s CISO, Ian Thornton-Trump. Developing a suite of tools for infiltration, exploit, establishing a foothold, moving laterally for persistence and setting up C2 communications is astronomically expensive, he says. Why should we bear that burden when others can? This is known to the developer of Cobalt Strike, Strategic Cyber LLC, which has implemented risk mitigation tactics such as performing risk assessments on those requesting trials, which are limited to genuine pen-testers and red teams. Company products may also be licensed for tracking purposes.
The CTO at Synack, Mark Kuhr, a former hacker and technology director at the US National Security Agency, explains that “products that introduce license-tracking technology will likely not be used, or the tracking elements will be disabled by reverse engineering.” That appears to be the case with Cobalt Strike, where not only are cracked versions sold or shared on criminal markets, but cracked versions with added stealth functionality.
The weaponization of pen-testing tools is not limited to Cobalt Strike alone, and according to Paul Bischoff, a privacy advocate at Comparitech, many other tool vendors “do very little in the prevention of malicious use, claiming it’s not their responsibility.”
What can be done to help?
Various factors, including cost and availability, familiarity, and operation security, attract threat actors to pen-testing tools. How can we prevent this weaponization of legitimate applications and frameworks? That is the elephant in the room. Would legislation be a good solution? As for banning the sale or availability of such software, Thornton-Trump is not convinced, at least not yet. It is pretty much all about the regulatory or legal aspects of the actor behaviour, he says, as “generally speaking, a software program’s creation is ethically and legally agnostic unless the author specifically suggests or advertises otherwise.” A legal statute such as RICO, conspiracy to commit and aiding and abetting can be applied in the case of someone deliberately advocating unlawful use.
Thornton-Trump explains that the threat actor’s behaviour needs to be monitored, as well as their mindset. Thru the court system, the legal apparatus governs and determines criminal and non-criminal behaviour, and is sufficient to determine the consequences as they stand. “I believe it would be imprudent to come up with legislation or regulations that would have the equivalent of creating a new legal system for software weaponization.”