Cobalt Strike may be a double-edged sword but pentesting tools are invaluable, says expert


What happens when the cybercriminal outfits start turning the very tools designed to help protect target companies against them? Cybernews spoke to an industry expert to find out more about this phenomenon in digital security, and whether we should be worried about it.

During the course of their work safeguarding enterprises and other organizations from cyberattacks, security professionals – sometimes referred to as “red teamers” or “pentesters” – often mimic criminals, staging an assault on a client company’s defenses, with their permission, to assess their strengths and weaknesses.

To do this they have to simulate a cyberattack, sniffing around an organization’s setup to probe it for blindspots a genuine criminal might use. To help the “white-hat hackers” do this, many useful tools have been developed – such as Cobalt Strike, designed by cybersecurity tech wiz Raphael Mudge in 2012, or BloodHound, an open-source tool readily available on the developer platform GitHub.

ADVERTISEMENT

Unfortunately, just as many reports have surfaced in recent years of threat actors picking up these weapons and turning them against the ‘good guys.’ Perhaps the most notorious example of this was the SolarWinds hack, which reportedly involved the use of Cobalt Strike.

So, are these red team pentester tools doing more harm than good? To find out more, I reached out to Greg Hatcher, the founder of cybersecurity firm White Knight Labs who cut his teeth working for the US military’s Special Forces.

While Hatcher acknowledges that such tools can constitute a “double-edged sword,” he still believes they are worth keeping around for the inevitable showdown with ransom-hungry crooks online. In this exclusive Cybernews interview, he explains why.

Cobalt Strike, Metasploit, BloodHound, sqlmap, Burp Suite, and Nmap are the names I've heard mentioned of pentester tools that are popular with threat actors. Are these tools worth it, and of the ones I've named are there any you would say are better or worse in this regard?

So for starters, I think BloodHound is an incredible tool for finding misconfigurations in Active Directory [a tool that allows for comprehensive management of computing systems and their users]. It's used by attackers and defenders just as much, so I would not say that it is a tool that should be shut down due to illicit purposes. Burp Suite is pretty much the number-one web application security-testing commercial software on the planet, so that's definitely a good tool.

Is it going to be used by threat actors that are trying to do attacks against web and mobile applications? Absolutely. But it's sort of like a knife, right? Whoever is holding the knife is going to be the one that decides whether they're going to use it for good intent or bad.

"Because it is so heavily used, default Cobalt Strike out of the box without modification is heavily signatured. Script kiddles [...] trying to use it [...] they're getting caught quickly."

Greg Hatcher, founder of White Knight Labs

Cobalt Strike is the one I kind of come to more of a sticking point with. You know, it's been around for about a decade now. It was created by Raphael Mudge. It came out of the Armitage framework [designed by Mudge to help cybersecurity professionals use Metasploit] as a paid-for tool, and now it's extremely cost-prohibitive, I think about $6,000 for one license. The thing is, because it is so heavily used, default Cobalt Strike out of the box without modification is heavily signatured. So you have these attackers that are script kiddies: they're trying to use it out of the box, and they're getting caught quickly.

ADVERTISEMENT

But that being said, it's still in the hands of people that know what they're doing. You have apex predators that are software developers that can actually write custom loaders, and get around a lot of your products. So Cobalt Strike is more of a double-edged sword, whereas all the other tools that you mentioned are definitely OK to be in the hands of everybody, in my opinion.

I saw research from a few years ago that suggested the most common open-source tools adopted by criminals were memory-injection libraries and remote-access Trojans (RATs). Is that still the case, or has the trend shifted?

Once you actually have an implant at a Windows machine – the vast majority of enterprise environments are comprised of Windows machines – you may actually need a remote access tool to get some kind of functionality, whether you want to dump credentials out of memory or create some kind of process injection.

But you need to set persistence, so you can't just have a dumb tool: you need a fully functioning implant. I would say that has not changed whatsoever, that RATs are definitely still highly available, open-source, some of the top ones on the market. Cobalt Strike is not free, it's very much a paid-for tool, but we've had very good luck with Mythic, which you can just go to GitHub and download. Another good one, Sliver by Bishop Fox [designed as an alternative to Cobalt Strike] is an excellent tool, which has a fully functioning implant.

The other one we were talking about was memory or process injection and, yes, that is still very common today. There actually was a new process-injection technique released at Black Hat [hacker conference] last year called Dirty Vanity. So it's still very much an area of research and it really depends who is using the tool. Mythic, Havoc, Sliver, these are all command-and-control (C2) frameworks that can be used by red teamers, penetration testers, or criminals – because anyone can go to GitHub and pull them down. So like I said before, it really depends on the intent.

Going back to what's been reported previously, is it still the case that cybercriminals are stripping code from pentesting tools and incorporating it in their own malware?

Absolutely, yes. Why reinvent the wheel if there's a certain tool that implements a technique that you want, and you can just rip the code out and reuse it in your own tools? We do that all the time on red team engagements. It's a huge timesaver.

Who do you see dual-purposing tools the most, is it mainly state-backed groups or is it more towards the script-kiddie end, or both?

We see a lot of illicit use coming out of China, but it really is all over the place. Even a criminal organization could just set up a shell company and purchase Cobalt Strike. There are certain export laws that forger has to follow when selling Cobalt Strike, but those can be subverted either way. So it really is everybody across the board, even for the white-hat hackers. The biggest barrier to entry is going to be the cost. It's kind of unfortunate: the black-hat hackers have the money, the white-hat hackers don't sometimes.

"There's a lot of things I learned in Special Forces, like contingency planning, that I implement in cybersecurity."

Greg Hatcher, founder of White Knight Labs
ADVERTISEMENT

Has the reverse ever happened? I mean a threat group coming up with a tool that the white-hat guys look at and say, ‘Oh, that's quite useful. We can use that in our own red teaming exercises.’

Not so much. A lot of it is ransomware, and there's free and open source. For instance, White Knight Labs does a ransomware simulation, but we're not going to go use Emotet ransomware. We have our own ransomware that we wrote by hand, we know exactly what it's doing. That being said, if you're going to do an adversarial emulation for a client, you do have to emulate those types of criminal or that advanced persistent threat (APT). It's more emulating TTPs [techniques, tactics and procedures] as opposed to using the exact same code. Sometimes criminals and APTs, they'll write their own C2 frameworks, which you'll never have access to.

You have a military background with Special Forces. Does that alter your perspective of the cyber landscape, in terms of digital weapons being used and counter-used? Because in the military sphere, that's probably something you see daily.

For the most part, the everyday American citizen underestimates the threat. There's a lot of things that I learned in Special Forces, like contingency planning, that I implement in cybersecurity. So if one attack doesn't work, I'll have something else ready to go. I'll have a primary means of entry, an alternate, and a contingent. But I have found most people in the private sector don't actually think like that.

A lot of being a good soldier, like keeping your rifle clean and having a clean uniform, these are just basics. If you do the basics right in cybersecurity, like good hygiene, using MFA [multifactor authentication] for critical accounts, long passwords, updating your operating system whenever patches come out, those can take you really far and put you ahead of the curve – because an attacker, if they're lazy and you're a hard target, is just going to go around you to an easier one.

How much do developments in areas such as artificial intelligence, machine learning, and quantum computing worry you going forward, in terms of how they impact the toolkits that are available to both the ‘good’ and ‘bad’ guys? Is that something you give a lot of thought to?

Absolutely. At White Knight Labs we use ChatGPT: we have the paid-for chatbot, just because it really helps with report-writing. I think our AI is going to lower the barrier to entry for writing malware. We've already seen this.

It's not good at writing software right now: if you go on YouTube and look at the videos and Chat trying to write code, it's pretty terrible actually. But that being said, GPT is in its infancy, right? Because they worked for seven years in darkrooms to make this thing: this is just the beginning. Who knows how fast this thing is going to learn and where it is going to be in two to three years: to be able to write undetectable malware, or find a kernel of vulnerability in the Windows operating system. It's definitely an area where it's going to be able to learn faster than any human being, that's for sure.

ADVERTISEMENT