A few months ago, Google Cloud shared that it has identified 34 cracked versions of Cobalt Strike and released YARA Rules to detect specific versions of Cobalt Strike more likely to be leveraged by threat actors.

The goal behind Google Cloud’s research is to make Cobalt Strike “harder for bad guys to abuse”, and IronNet believes a proactive approach to Cobalt Strike server detection is key in this community effort.

Detecting the use of Cobalt Strike has become essential for network defenders, especially as this legitimate pen-testing tool has become so popular among cyber adversaries in recent years.

Among other C2 frameworks exploited by adversaries – such as Covenant, Sliver, Empire and Metasploit – Cobalt Strike has remained a favourite of threat actors. While Cobalt Strike is still the most widely abused framework, however, threat actors are also pivoting to alternative frameworks – such as Sliver – that are easier to acquire, have more operational security and are less likely to be detected. Accordingly, as Google Cloud provided YARA signatures for only specific versions of cracked Cobalt strike, detection gaps still remain.

The need for threat intel to ‘shift left’

This shift towards alternative frameworks is likely in response to the cybersecurity community developing improved detection capabilities for identifying attacker infrastructure, especially in relation to Cobalt Strike. While these improvements have been significant, the majority of C2 detection capabilities and threat intel feeds are still reactive, meaning the intel is often shared only because someone else has experienced that attack before.

As threat actors adopt more evasive tactics to bypass static C2 detections, it becomes increasingly important to proactively block such threats before they are used in an attack.

Before using a C2 server in a malware attack, threat actors first have to acquire it either by purchasing it legitimately, obtaining a cracked version or obtaining a free version if it is open source. They then must take steps such as install software; configure the server; register SSL certificates; add files to the server; access it via SSH, RDP, or panel login; and then expose it on a port to allow for commands and exfiltration. In conducting these actions, an attacker leaves behind fingerprints, which offer increased detection opportunities.

Introducing proactive threat intelligence

By identifying C2 infrastructure as it is being set up (during the early stages of the kill chain), analysts have the invaluable opportunity to be proactive.

This is why IronNet has taken a focus on proactive threat intelligence (PTI) in addition to reactive threat intelligence (RTI). PTI includes actively searching for threat infrastructure that has yet to be actioned and, in turn, producing intelligence before an attack occurs. This makes it much more difficult for threat actors to hide their infrastructure, as escaping detection is no longer as simple as discarding infrastructure after use in an attack, but requires fundamental changes in how threat actors stand up and weaponise their servers.

In relation to the cyberattack kill chain of the MITRE ATT&CK® framework, PTI takes place at the resource development phase — that is, before the threat actor has gained initial access. RTI, on the other hand, is often generated at the execution or persistence phase — that is, well after the threat actor begins an intrusion into a victim network.

A new weapon for thwarting cyberattacks: IronRadar proactive threat intelligence feed

Seeing the value in being proactive in C2 detection, IronNet’s world-class threat analysts have developed a proprietary process of fingerprinting a server to determine whether it is a C2 as those servers are being stood up and even before an attack is initiated. This intelligence is provided via a threat intelligence feed called IronRadar that can be directly integrated into an organisation’s existing security tools, thus enabling cybersecurity teams to proactively block threats and improve detection by automatically ingesting data on the latest known — as well as new and unreported — attacker infrastructure. As such, IronRadar stands out as a proactive threat intelligence feed instead of a reactive one, allowing for increased capability to detect and block threats targeting your network.

Indeed, IronRadar is able to fill the aforementioned gaps in detection by anticipating and responding ahead of the curve. This proactive approach improves any company’s risk posture — whether a less-resourced organisation or a large enterprise company.

IronRadar supports detection capabilities for more than 30 additional tools, including scanning engines, phishing frameworks and popularly used loader malware. This proactive threat intel is provided via an open API for consumption by a firewall, a SIEM, a threat intel platform or any other threat hunting tools. IronRadar’s ability to integrate with security tools, as well as block or query for IOCs to correlate with other threat alerts, enables threat hunting and provides situational awareness for hunt operations.

In summary

While the YARA Rules Google Cloud released are a great open-source resource for identifying the use of Cobalt Strike, we believe there is a greater need to be proactive in detecting adversary infrastructure — especially as newer versions of Cobalt Strike get adopted and exploited. Through IronRadar, we closely track how threat actors are staging infrastructure for use in attacks and enable organisations to proactively block a range of malicious infrastructure.

About IronNet
Founded in 2014 by General (retired) Keith Alexander, IronNet (NYSE: IRNT) is a global cybersecurity leader that is transforming how organisations secure their networks by delivering the first-ever Collective Defense platform operating at scale. Employing a number of former NSA cybersecurity operators with offensive and defensive cyber experience, IronNet integrates deep tradecraft knowledge into its industry-leading products to solve the most challenging cyber problems facing the world today.