The Weaponization of Pen-Testing Tools

How big an issue is the weaponization of pen-testing tools and how can it be mitigated? Davey Winder explores.

Cobalt Strike is a penetration-testing tool used by red teams, providing adversary simulation by way of acting as a post-exploitation agent. Its versatility is manifest. In the right hands, Cobalt Strike is renowned for helping pen-testers gain access to network resources and remain stealthily embedded while controlling compromised hosts on a network.

However, problems arise when it’s in the wrong hands. The Cisco Talos research paper, The Art and Science of Detecting Cobalt Strike, suggests that it was used in 66% of all the ransomware attacks it responded to during the summer of 2020. The reaction of some threat intelligence folk on Twitter was one of surprise that it wasn’t more, a lot more. Of course, it isn’t just Cobalt Strike used by ‘real’ attackers, which begs the question of just how big a problem is the weaponization of pen-testing tools and how can it be mitigated?

Off-the-Shelf Products
The fact that cyber-criminals and nation state actors are employing the same kind of tools, kits and platforms leveraged legitimately by penetration testers should, frankly, come as a surprise to nobody. Why would they create their own if there are off-the-shelf products that have already proven their worth in terms of attack reconnaissance?

Ultimately, the difference between simulation and attack reality is one of intent; the tools used are mostly the same. Certainly, when it comes to fully-featured post-exploitation platforms, Cobalt Strike sits atop the proven and powerful pile. Not only is it always evolving, but there’s best practice documentation aplenty. This includes documentation that “describes how the underlying technology works, making it easier to apply for a large community of users,” says Anna Chung, a principal researcher at Unit 42, Palo Alto Networks.

That it is so widely used by red teams and pen-testers generally is a reason why it attracts malicious actors: their activities can ‘blend in’ and so seem innocuous. “Some of the key detection-evasion techniques available with Cobalt Strike include its malleable C2 feature allowing the beacon (the agent running on the victim system) to communicate mimicking one or more of many legitimate applications over various types of protocols,” Chung continues, adding “other features allow for manipulation of data relating to the in-memory beacon payload making it harder to detect.”

Cobalt Strike provides what Cyjax CISO and threat intelligence veteran Ian Thornton-Trump calls “an excellent baseline for red team or third-party pen-testers to mimic an APT adversary,” making it a magnet for threat actors. “The development costs of a suite of tools to infiltrate, exploit, establish a foothold, move laterally for persistence and setup C2 communications against a target network from scratch is astronomically expensive,” he points out. Why bear that cost when someone else can do so?

The developer of Cobalt Strike, Strategic Cyber LLC, is aware of this and has introduced risk-mitigating measures such as performing risk assessments on those requesting trials, which are limited to genuine pen-testers and red teams, as well as adding licensed product tracking identifiers. Unfortunately, as former hacker and technology director at the US National Security Agency, now CTO at Synack, Mark Kuhr, explains, “products that introduce license-tracking technology will likely not be used, or the tracking elements will be disabled via reverse engineering.”

That appears to be the case with Cobalt Strike, where not only are cracked versions sold or shared on criminal markets, but cracked versions with added stealth functionality. 

Anyway, the weaponization of pen-testing tools is not restricted to Cobalt Strike alone, let’s not forget, and according to Paul Bischoff, a privacy advocate at Comparitech, many other tool vendors “do very little to prevent malicious use, arguing that it’s not their responsibility to police how users use a product once it has been purchased.”

Without going further down that particular rabbit hole, Tad Heppner, a senior threat researcher at Sophos, says that telematics suggest the largest detection clusters for legitimate attack tools involve shellcode, encoders, payloads and stagers generated using Metasploit and PowerShell Empire as well as Cobalt Strike. “Metasploit (and Metasploit Pro) have a good collection of shellcode templates as well as an established command and control framework,” Heppner says.

“There are some newer up and coming kits that also provide command and control functionality and which have been gaining in popularity, such as Covenant, CALDERA, Faction C2, Mythic (formerly Apfell), Nuages, Octopus, PoshC2 and SilentTrinity.”

What Can Be Done?
Threat actors are drawn towards pen-testing tools for a combination of reasons, from cost and availability, through to familiarity and operation security. The elephant in the room has to be what can be done to stop this weaponization of legitimate frameworks and applications? Is legislation the answer? Thornton-Trump is not convinced, at least not when it comes to legislating against the sale or availability of such software. “I see the issue almost entirely as one of governance and legality of the actor behavior,” he explains, as “generally the creation of a software tool is ethically and legally agnostic unless the author specifically advises or advertises otherwise.”

So, in the case of someone deliberately advocating unlawful use, legal statutes can be applied such as RICO, conspiracy to commit and aiding and abetting. “It is the behavior of the threat actor and their mindset which needs to be governed,” Thornton-Trump continues. “The legal apparatus is sufficient as it stands to govern and determine criminal versus non-criminal behavior, with the resulting consequences through the court system. I don’t think it’s prudent to invent what amounts to an entirely new set of laws or regulations for ‘software weaponization.’”

While it is certainly possible to add more legal restrictions to the sale of such tools, Kuhr warns of a significant downside as “the definitions could be overly broad and prevent the sale of legitimate cybersecurity tools.” Restricting international trade is not the answer, Kuhr says, given the inability to effectively enforce such controls anyway. 

Javvad Malik, security awareness advocate at KnowBe4, adds that the question of legislation will inevitably arise, but that “by controlling or restricting the effectiveness of such tools, testers will only be putting themselves at a disadvantage as they won’t be able to test their infrastructure fully.”

It is the combination of the ineffective nature of legal controls with the advantages that pen-testing tools bring to the security equation, which Richard Hughes, head of technical cybersecurity at A&O IT, picks up on. “Trying to put controls in place for these tools would be futile as they could be bypassed or ignored by any malevolent actors,” Hughes says. What’s more, focusing on who has the tools to exploit your vulnerabilities could be missing the point by a country mile. “The point is that you are vulnerable,” Hughes argues, “and there is more often than not a solution to remove or reduce this vulnerability rendering these tools ineffective.”

A good analogy here would be the lock on your office door. If you think it is not overly secure, Hughes explains, you could do one of two things: worry about someone buying a set of lock picks or purchasing a better lock yourself. “You need to remove your vulnerabilities and then they cannot be exploited,” Hughes adds. “Regular vulnerability assessments or penetration tests are key here, and the unimpeded use of tools to make this process more efficient will enable security consultants and ethical hackers to find more vulnerabilities and allow you to remediate them.”

Ultimately, the benefit of penetration-testing tools will always outweigh the threat posed by those who misuse them. Attempts to control the weaponization of these tools are, frankly, not only ‘pissing in the wind’ but also doing so in the direction of those who are best placed to help strengthen enterprise network security.

What is needed is more pen-testing, more teams of all colors contracted to apply those tools as part of a highly-skilled security audit, and then there would be less opportunity for malicious actors to exploit their use in the first place. This is not, then, a weaponization problem at all, but rather one of perspective.

A View from the Inside
Rapid7 is the company behind the world’s most used penetration-testing framework, Metasploit, as part of an open source community collaboration, as well as the commercial Metasploit Pro product. Here’s what research director Tod Beardsley has to say regarding the weaponization of such tools.

“Publicly available tools like Metasploit, Mimikatz, Cobalt Strike and all the rest are critical for infosec defenders to be able to learn and emulate criminal tactics in the defense of their enterprises. We’ve always believed a healthy, open forum for discussing and demonstrating cybersecurity risk is a major component of a well-educated, well-resourced defender organization. With that said, Rapid7 cooperates with the US commerce, state and defense departments to ensure that we’re adhering to the law when it comes to providing these tools for information security defense, as well as other regulatory bodies in the places we do business.

In the old days of exploit trading, you didn’t know where the exploit came from, how reliable it was and what sneaky backdoor surprises were added in, either as a prank or for malicious intent. We do not want to see the community slide back to that. We also take our responsibility in sharing and discussing vulnerability information very seriously, and wherever possible, practice reasonable coordinated disclosure when it comes to sensitive exploit intelligence.

"The last thing we want to do is create an environment where only bad guys get good exploit tools. Such a situation would ensure that security practitioners could never really be certain that their defenses would hold up under a real attack. There will always be well-resourced criminal and intelligence organizations that have capabilities that meet or exceed what’s available to the public, so our hope is that by continuously improving our defensive products with a robust community effort, we give defenders a chance to ensure that everyone has reasonable security on a hostile internet.”