What is Cobalt Strike?
Cobalt Strike is a quiet and powerful commercially available red team framework that can emulate a sophisticated threat actor’s access, movement, and covert communications on a target network. It is widely used by red teams that test incident response and detection readiness, and it has also been embraced by threat actors such as ransomware operators and nation-state adversaries, who have integrated Cobalt Strike into advanced attack methodologies.
In late October 2020, what appeared to be a decompiled version of, or part of, Cobalt Strike’s source code was uploaded publicly to GitHub. It has already been copied to hundreds of additional repositories (forks), making it widely available.*
What does this mean for defenders? (The Good)
Cobalt Strike’s advanced capabilities help it evade security controls and detections, which is why it is so widely used by red teamers. However, the alleged leak of its source code could be a silver lining for defenders: it may give them a better understanding of how the tool works and help them develop or enhance indicators of compromise (IOCs), countermeasures, and detection strategies to combat attacks that use it. Network defenders should also prepare for the likely appearance of modified or enhanced versions of Cobalt Strike.
What does this mean for attackers? (The Bad and the Ugly)
Distribution of Cobalt Strike has historically been limited through customer screening, restricted availability outside the U.S. and Canada, and export controls intended to keep it out of threat actors’ hands. Illegitimate use of Cobalt Strike has therefore been limited to older versions and degraded trial versions of the software. Now, a potentially recent version of the tool may be in virtually anyone’s hands.
According to David Nides, Cyber Response Principal, “A security tool like Cobalt Strike being widely available significantly lowers the barrier of entry for attackers and cyber criminals.”
Threat groups previously restricted to a degraded “trial” or old version of Cobalt Strike will also likely “upgrade” to this alleged version of the software, enabling attackers to move even more quickly and “stealthily” in future incidents.
Lastly, bad actors have historically been quick to weaponize and integrate new capabilities into new or existing attacks. For example, the tools and exploits leaked by the Shadow Brokers led to EternalBlue being adapted for cryptomining, WannaCry, and other ransomware campaigns.
Whether “good” or “bad”, expect to see more of Cobalt Strike. What are some things you should consider?
- We commonly see organizations that believe they have preventative or detective controls in place when those controls are actually misconfigured or do not work. Consider performing adversary simulations that use Cobalt Strike to validate and refine these measures against it.
- Develop and test incident response plans (through tabletop or purple team exercises) to prepare for incidents that involve Cobalt Strike.
- Assess your organization’s risks. Given the recent correlation between Cobalt Strike and ransomware incidents, consider a ransomware resilience assessment. These assessments cover attacker negotiation and planning, security monitoring, containment, and recovery.
- Cobalt Strike can make investigations difficult. Make sure you follow leading practices for event log monitoring, log retention, and network visibility.
* Bleeping Computer, November 2020, “Alleged source code of Cobalt Strike toolkit shared online.”