
Pursuing strategic partnerships to tackle Cobalt Strike abuse
Fortra, Microsoft and Health-ISAC showcased the value of collaboration in their efforts to crack down on illegal copies of Cobalt Strike.
Cobalt Strike is a legitimate adversary simulation and red teaming tool, created to help organizations test and harden their defenses by emulating how an intruder behaves once inside a network. Since the tool's release in 2012, however, cyberthreat actors have also abused it, using cracked copies to perpetrate ransomware attacks.
That abuse has enabled cyberattacks against healthcare organizations and entities across many other sectors, because the tool is versatile and is delivered through the same common infection vectors, such as phishing, that attackers already rely on.
As such, efforts to reduce the number of illegal, or "cracked," copies of Cobalt Strike in circulation have been underway for years. One of these collaborative efforts, spearheaded by cybersecurity company Fortra (which acquired Cobalt Strike in 2020), Microsoft's Digital Crimes Unit (DCU) and the Health Information Sharing and Analysis Center, or Health-ISAC, has led to an 80% reduction in unauthorized copies of Cobalt Strike observed in the wild.
The three entities first teamed up to crack down on Cobalt Strike abuse in 2023. At the time, Microsoft stated that ransomware families associated with cracked copies of Cobalt Strike had been linked to more than 68 healthcare ransomware attacks in more than 19 countries.
Two years later, Fortra, Microsoft and Health-ISAC's efforts have enabled them to seize and sinkhole hundreds of malicious domains and have greatly reduced the average time between initial detection and takedown to less than one week in the U.S. and less than two weeks worldwide.
Collaboration remains crucial to the ongoing success of these efforts, Fortra emphasized in a blog post announcing the results of the partnership.
"This not only strengthens the collective defense against cybercriminals but also ensures that legitimate security tools can continue to be used responsibly and effectively to protect organizations worldwide," the post stated.
The healthcare cybersecurity community can learn from this partnership and continue to prioritize collaboration to combat ransomware attacks across the sector.
Jill McKeon: Hello and welcome to Healthcare Strategies. I'm Jill McKeon, associate editor of Healthtech Security. Today we're joined by Bob Erdman, associate vice president, research and development at Fortra. Welcome, Bob.
Bob Erdman: Thank you.
McKeon: So, today we're diving into a really interesting topic. For some background for our listeners -- in 2023, Fortra teamed up with Microsoft's Digital Crimes Unit and the Health Information Sharing and Analysis Center, or Health-ISAC, to crack down on abuse of Cobalt Strike, which is a legitimate security tool, illegal copies of which cyber threat actors have been abusing to perpetrate cyberattacks against organizations in many sectors, including healthcare. Fortra acquired Cobalt Strike back in 2020. Then, in March 2025, after two years of this partnership between Fortra, Microsoft and Health-ISAC, Fortra reported that the number of unauthorized copies of Cobalt Strike observed in the wild had decreased by 80% over the last two years.
So, today we're going to speak with Bob about Cobalt Strike abuse, these successful efforts to crack down on it and just the value of partnerships like this one in the world of cybersecurity. Bob, it would be great if you could start by telling us a little bit about Cobalt Strike and what it's traditionally used for in the security world.
Erdman: Sure. So, Cobalt Strike is a cybersecurity tool used by organizations to test their defenses and harden them against any kind of malicious activities that may be directed towards them. Cobalt Strike's licensing allows for lawful and ethical penetration testing and red team activities and actually forbids use by military, law enforcement or intelligence gathering use cases.
Cobalt Strike is generally used in an assumed breach scenario, where an organization is either saying, "We're going to assume that we've already been breached" or "At some point, we're going to be breached."
It differs a little bit from standard penetration testing, where we're just looking to find as many vulnerabilities and open doors and windows as we can find, and we're actually looking to test fairly specific scenarios about how a threat actor might behave once they gain access to somebody's environment.
McKeon: Definitely. Yeah, so it sounds like a really useful tool on the defense side, but I know that there's been a history of threat actors abusing legitimate tools -- not just Cobalt Strike, but other tools as well. So, I'm curious what makes those tactics successful? How does abusing a legitimate tool like Cobalt Strike allow threat actors to really succeed in their efforts?
Erdman: As you mentioned, unfortunately, there's always malicious use of all of the different tools that are out there, Cobalt Strike included. The heavy lifting is being done by somebody else. So, we're developing a tool being used for certain types of scenarios, and if they can get a hold of it and repurpose it, they're going to use those tools for malicious uses, just like when they would abuse email service deliveries for phishing or offensive tools for pen testing or Cobalt Strike tools for red teaming.
The way that they're being breached is very similar to the way that they're being tested. So, those threat actors, if they can get hold of these tools, then of course can repurpose them for their malicious designs. And that's definitely something that we're doing our best, along with many other entities, to crack down on.
McKeon: So, the use of these tools makes it harder for teams to detect when these threat actors are there?
Erdman: It makes it harder to defend, of course. It makes it easier on the threat actors, of course, too, because they don't have to necessarily develop as much of their own infrastructure around these things if they can insert commercial pieces or open-source pieces that do some of the same things. That just makes it a little easier for them to do what they're doing.
McKeon: For sure. And I'm curious with Cobalt Strike specifically, how widespread was abuse of this tool before that partnership formed in 2023? How did it really impact organizations across all sectors, including healthcare?
Erdman: I think there's always been some level of abuse of all of these types of tools. Anything more than zero to us is too much, of course. But where we really saw it starting to become more prolific was as the ransomware-as-a-service ecosystem started to grow and move around it. So, more and more times, we were seeing, as part of an attack chain, Cobalt Strike would be included or some tool very similar to Cobalt Strike. So, we really started to look at how those tools were being shared, where they were being acquired from and how these licenses were being abused. As we started to dig into that, it led us to all these other efforts. It's not every attack, like I said, but if it's more than no attacks then of course we're taking notice. But it was definitely being favored among some of the adversary toolkits, especially coming out of some of the usual geographic areas that you'd imagine.
McKeon: Right. So you started to notice that pattern of threat actors abusing this tool, and then your organization teamed up with Microsoft and Health-ISAC. Can you tell me a bit more about how that partnership came about and what each of those entities' roles were in this effort?
Erdman: Yeah, I think this was a really great, great partnership to have and we saw some great effects. As we were starting to see those kinds of things happening after we acquired Cobalt Strike, we added a lot of additional security controls inside of the product itself to make it harder to abuse. And we started tracking where these different channels were that things were being shared and proliferated and some of the techniques being used. And Fortra was cracking down and engaging with law enforcement and working through the DMCA, Digital Millennium Copyright Act, to go after the places the tools were being passed around. So, social media sites, Telegram, Twitter, file hosting locations and places like that. It was definitely a bit of whack-a-mole, of course, as we'd take down two Telegram channels and you'd see three Twitter feeds pop up sharing the files. It was having effect, but of course not as great as we would've liked to have seen.
And around that same time, Microsoft had started their own internal process and effort to track down the malicious uses of these types of tools, and they reached out to us and actually wanted to know if we'd like to partner up and combine our efforts, share some data. And DCU, the Digital Crimes Unit, had an interesting legal theory that they wanted to pursue based around intellectual property abuse and allowing us to go through the civil side of the court system, which is much faster than going through the criminal side.
So, we started working together. We spent a lot of time building out processes and pipelines. So, the ability to quickly share information between ourselves -- we each had unique visibility into different places on the internet, and we were able to combine that different data. And Fortra, as the license holder of Cobalt Strike, we can quickly determine if something is legitimate -- a real customer doing their own red team operations to expose themselves where they've been visible, or if it's somebody using it maliciously. And then bringing along all the law enforcement groups, of course, we also built a way to, in real time, be able to share the observations that we were seeing with law enforcement so that they'd be able to take further actions as needed against these different things.
And as we built out this court case, it was important for us to also be able to show the harm that was being caused by these malicious actors and activities. And that's where Health-ISAC came along and was that third leg of the stool, being able to represent their clients and show the court this is what's really going on from these activities. So, it's not just Microsoft and Fortra complaining about somebody cheating on their licenses, but there's actual harm happening to outside entities based upon these different activities going in there.
So, as we went in and built out that court case, and then we were able to get a court order to begin to take action against these different environments. We spent a lot of time building out automated pipelines to be able to take action against these different places and around the world really start to push back against the abuse of these tools.
McKeon: Yeah, it's so interesting to hear just how that partnership came together. Each of these entities were looking into this on their own, and then you joined forces to really prove just how widespread this issue was. Yeah. So, I know you got into this a little bit, but I'd love to hear more about just the results of this multi-year effort to disrupt Cobalt Strike abuse and reduce the number of unauthorized copies. Are there any specific data points that you can share with us about the overall success of this operation?
Erdman: Yeah. The speed and scale that we're able to achieve working together has really been great. Over time now, what essentially happens is when we observe a copy out in the wild, we can quickly determine -- is it unauthorized and malicious? Is it real? And then we pass that into a notification pipeline where we send notices to the infrastructure providers where the systems are being run. So, your Amazons, your Azures, you name the hosting provider all around the world. And leverage those different providers to take those systems offline quickly.
As far as what we observe in the wild on a daily basis, we've seen roughly an 80% reduction in the number of systems that the different groups and the different entities that we're working with are able to observe out there. And because of the automation of taking these systems down and getting them offline, that dwell time from when we see a system to when we see it go down -- because we monitor and we continue to enforce those notices until we see it taken offline -- has been greatly reduced. So, it's a much smaller window where a system can be observed doing this.
Hundreds of domains that were malicious have been seized and sinkholed. That has allowed additional intelligence gathering to happen from the traffic that's going on in there as well, which has really been great. And while our court order is in the U.S., of course -- so we really have DMCA as a U.S.-based law -- most countries cooperate and observe that, or they have something similar in their areas of the world. That allows us to enforce these different places around the world and have this done. As expected, the remaining systems we do see have been pushed into a much smaller geographic window. Most of the traffic now originates from a very limited set of countries or hosting providers where they're either not as quick to action or they have enough cover from their states to ignore it sometimes. But that makes it much easier for us to defend against, now that we see where that's happening from. So, it's really been a great result for us, and we've had great cooperation from Microsoft and a number of other organizations, as well as global law enforcement.
McKeon: And that brings up a great point. I think that partnership between Fortra, Health-ISAC, Microsoft is a big part of it, but it also takes cooperation, collaboration between so many different entities to really make that work.
Erdman: It really does. It's the old 'see something, say something' rule. Anybody who's seeing things now has places to get that information out. We're able, on a daily basis, to share in real time what we see from things like Cobalt Strike, phishing kits, malicious websites and domains. The whole ecosystem around that is really coming together with information-sharing activities. Fortra and everybody else as well are working with more than just Health-ISAC, other industry ISACs, to really push back on this all around the world.
McKeon: Definitely. And I know, aside from this particular partnership, Fortra also took part in Operation Morpheus, which was a multi-year effort by the UK's National Crime Agency that also constituted a global takedown of misuse of Cobalt Strike. So, I'm curious how those efforts also contributed to the success and the collaboration there as well.
Erdman: Yeah, that was another great public-private partnership that Microsoft and Fortra were able to take part in. Initially, roughly 600 to 700 systems were identified and the majority of those were immediately taken down once that law enforcement action commenced. Fortra and Microsoft and other private partners worked together with those law enforcement teams. Again, we were able to push back on these. And of course, having law enforcement around is great because they could do things we could not. We can get an order to take down a provider or a site. We can't put somebody in handcuffs, whereas they can. It's great to see. It feels like the number of seized websites, seized servers and people getting arrested is continuing to increase worldwide, and that's really good to see to keep pushing back in the ecosystem.
McKeon: For sure. And I know we've already spoken a lot about just the importance of collaboration. It seems to be the theme of the episode today. But I'm curious if we could even double down on that more and talk about just the importance of cross-organizational collaborations and improving cyber resilience specifically in healthcare. I know that it's such a highly targeted and highly regulated industry.
Erdman: Yeah, I think these are really important, and we, along with Microsoft, have definitely made an effort to share the techniques that we've used and how we came about doing this across different conferences and webinars and podcasts like this. Having those friends who are able to work with you can really enhance your operational capabilities, and having law enforcement coming along with us gives us that final place that we can go as we're seeing these different places and these different IOCs.
So, we think it's super important to have these industry partnerships. We work heavily with Microsoft, we work with a lot of other worldwide intelligence providers and other defensive security technology places to do this as well, being able to share that information around and being able to get more pushback against these actors. The more friends you have doing these types of things, the more of an effect we can have and the greater you can make your security resiliency.
McKeon: I'm also curious how you see the landscape of cyber threats evolving over the next few years beyond just Cobalt Strike abuse, just in a general sense.
Erdman: We're seeing more and more pickup in these types of tools. Of course, there's other competing tools out there. There are starting to be some open-source frameworks. As we push down at Cobalt Strike, we're seeing an increase in some other technologies that are similar, or maybe now, at this level of efforts, they're starting to shift their tactics a bit. But in general, the way that they're initially breaching these environments is fairly constant over time. Phishing is high on the list, generally No. 1. Some form of business email compromise or spear phishing, targeted attacks, weak configurations by design or by mistake and missing patches is honestly still a big one. And I don't think those are going to change a lot in the very near term. Those are really effective ways to breach an environment.
What we are seeing change a lot is the tactics around that. It's allowing threat actors to be better at it and more efficient in that scale, especially using things like artificial intelligence and AI technologies. Where we used to see maybe a phishing email coming out of a foreign country with grammar mistakes, missing punctuation, you could just tell it wasn't quite right. They're translating it now with AI, they can do that at scale. They can target anywhere in the world and be able to push those things out.
When we're doing our vulnerability management programs and we're looking for vectors and patches and maybe systems that are exposed to the internet, the threat actors are doing that too and they're doing it with better scale and technology than they used to in the past. So, they're accelerating what they can do and how they can do their intelligence gathering and have a better way to target our executives and our employees as they're trying to get into these systems initially. And stopping that front line of defense is getting really important.
McKeon: Definitely. Yeah. It's interesting to hear that these threat actors are going back to tried-and-true techniques like phishing, business email compromise -- those things still work. But as you said, they're using AI and things like that to make these attacks even more successful. So, I'm sure on the defense side, it's tough.
Erdman: And we're doing the same thing on the defensive side. We're all starting to use more machine learning, more artificial intelligence to be able to detect things at scale, uncover what's going on across these different campaigns, and being able to more quickly target these threat actors as they're trying to get access to your environments.
McKeon: And to close this out, I'm curious what advice you'd give to healthcare organizations that are looking to strengthen their cybersecurity posture in this environment where these threats are continuing and advancing.
Erdman: A lot of it really is initially make sure you've got the basics right. It's blocking and tackling kind of things. Do you have a DR plan? You probably do. When's the last time you actually checked your incident response and tried to exercise it? What's going to happen if you are breached? Like we said in the assumed breach model, you're either assuming you're already breached or you're going to get breached at some point. It's just a matter of what you do afterwards, and to that effect, to make sure that you understand your chain of command, what things are going to happen and when and how you're going to do that. It's really important. Do you have multifactor authentication enabled everywhere? Are you segmenting your networks so that if you do get compromised, that blast radius is limited, or are things sitting wide open where they can move laterally all across the network as they come on?
How are you managing your vulnerability type programs? A lot of times what we see is managing for the numbers. I got 10,000 vulnerabilities today. I can't close them all. I'm going to knock off 2,000 fast ones. So, I have 8,000. It looks great on paper, but are you really making risk-based decisions on what is the most likely path someone's going to take to compromise your crown jewels, patient data, getting access to devices and things, or are you just playing a numbers type game? So doing a risk-based evaluation of what it is and how you need to protect yourself, thinking like an attacker would, being able to arrange your defenses in those types of matters.
Those are all great ways to start. We are definitely seeing more OT and IoT type attacks. Medical devices are right in that chain. A lot of those are probably built with not great security in mind at the beginning. Who's ever going to attack the electronic interface to my pacemaker? But those kinds of things are happening these days, and we need to be mindful of all the different threat vectors. And especially as now so many people have gone to a, at least partial, work-from-home model. Your visibility used to be much more controlled. People are coming into the office, they're signing into the network, they're sitting at a desk. Now, in many respects, people are connecting from anywhere, working from home, doing jobs, and third-party suppliers have people working from home. Your area that you have to be concerned with has expanded a lot, and you need to take all of those different places into account.
McKeon: Yeah. And that's great advice to think like the attacker and really tackle it from that end. So, it was great to hear about this partnership. Always nice to hear a success story in cybersecurity, and I'm sure these efforts will continue. Thanks so much for joining us today, Bob. It was a pleasure.
Erdman: Yep. Looking forward to further updates in the future. For Fortra, Microsoft and the H-ISAC, this is a long-term effort, and we're expecting many more years to keep going after this, and we'll keep you posted with more great details.
McKeon: Great. Thank you.
Kelsey Waddill: And thank you listener for tuning in. If you liked what you heard, head over to Spotify or Apple and drop us a review. We'll be choosing some of our reviews to be read on the show in appreciation. So, keep listening through to the end because you might get name-dropped. See you next time.