EDRs Don’t Stop Cobalt Strike: What Does?

essidsolutions

Right now, a variety of threat actors, including advanced persistent threat groups, are abusing Cobalt Strike for malicious ends. Stopping these attacks requires a layered security posture that secures the in-memory security gap of detection-based security solutions. That’s moving target defense, explains Michael Gorelik, CTO of Morphisec.

Cobalt Strike is an adversary simulation tool developed for pen-testing to emulate the tactics and techniques malicious actors use when attempting to access and control a target’s network. Cobalt Strike’s Beacon is a post-exploitation backdoor and part of a rich Cobalt Strike framework used to achieve persistence, privilege escalation, and lateral movement within a network. 

Unfortunately, threat actors ranging from ransomware operators to state-sponsored advanced persistent threat (APT) groups also use Cobalt Strike for their own malicious ends.

The MITRE ATT&CK knowledge base documents over 50 techniques the Cobalt Strike framework uses and over 20 APT groups actively exploiting the framework. The surge of Cobalt Strike exploitations has led Google Cloud's intelligence research to release 165 YARA rules to try and improve detection mechanisms. Nevertheless, Cobalt Strike continues to feature in prominent attacks, including the infamous SolarWinds supply chain attack.

IBM's 2023 Security X-Force Threat Intelligence Index notes the deployment of backdoors (like Cobalt Strike) emerged as attackers' top action last year. About 67 percent of those backdoor cases were ransomware attempts, though defenders were able to detect the backdoor before the ransomware was deployed.

The CobaltStrike Beacon was used for remote control in the SolarWinds attack.

Source: Microsoft

Cobalt Strike Evades EDRs by Executing In-Memory

EDRs (Endpoint Detection and Response) must detect Cobalt Strike and other pen-testing frameworks to stop them. That may sound easy enough, but here’s the catch—Cobalt Strike employs sophisticated evasive techniques upon installation, execution, and during C2 communications. These evasive techniques ensure Cobalt Strike runs undetected in memory once its initial loader has been executed.

The continuing success of attacks using Cobalt Strike, as well as others such as Emotet and Jupyter, illustrates a growing gap between attacks, which are changing and becoming increasingly sophisticated, and defenses, which are stagnant and predictable. Just look at the inherent security gap in EDRs. Despite vendor claims, they can't effectively find and stop malware in memory at runtime. Specifically, they can't effectively perform memory introspection during application execution, which is needed to find and prevent malware as it executes in memory.

A key constraint is that memory inspection during application runtime massively degrades usability, for two reasons. Firstly, runtime memory is a vast, dynamic space that requires significant processing power to scan. Consider the runtime environment of a typical application, which could hold close to 4GB of virtual memory. Any solution trying to perform large-scale memory inspection of this size consumes significant system resources. Secondly, because memory is constantly changing and there are limits to how many times you can stop an application without reducing its responsiveness, it's impossible to continuously scan an application. The result is close to zero visibility.
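As an added illustration (not from the article, which discusses Windows endpoints; the Linux-style /proc/<pid>/maps layout is used here because it is easy to parse offline), the following parses a constructed memory map to show how much address space a full runtime scan must cover versus the small set of non-file-backed executable regions where in-memory loaders typically reside:

```python
"""Parse a Linux-style /proc/<pid>/maps listing and compare the total scan
budget with the anonymous (non-file-backed) executable regions. The sample
listing below is constructed for illustration, not captured from a real host."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: a normal binary, heap, a large anonymous data region,
# libc, a small anonymous rwx region (where a memory-resident loader might
# stage code), and the stack.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 131 /usr/bin/app
00651000-00652000 rw-p 00051000 08:01 131 /usr/bin/app
00e03000-00e24000 rw-p 00000000 00:00 0 [heap]
7f2c1a000000-7f2c9a000000 rw-p 00000000 00:00 0
7f2c9a1d2000-7f2c9a39c000 r-xp 00000000 08:01 992 /usr/lib/libc.so.6
7f2c9a600000-7f2c9a610000 rwxp 00000000 00:00 0
7ffd4b3b6000-7ffd4b3d7000 rw-p 00000000 00:00 0 [stack]
"""

# start-end perms offset dev inode [path]
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+\s*(.*)$")

@dataclass
class Region:
    start: int
    end: int
    perms: str
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start

def parse_maps(text: str) -> List[Region]:
    """Turn each maps line into a Region; malformed lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if m:
            regions.append(Region(int(m[1], 16), int(m[2], 16), m[3], m[4]))
    return regions

def scan_budget(regions: List[Region]) -> Tuple[int, int, List[Region]]:
    """Bytes a full scan must read vs bytes in executable regions that are
    not backed by a file on disk (a common place for in-memory payloads)."""
    total = sum(r.size for r in regions)
    suspicious = [r for r in regions
                  if "x" in r.perms and not r.path.startswith("/")]
    return total, sum(r.size for r in suspicious), suspicious
```

On the sample, a full scan covers about 2 GiB of address space, while the only anonymous executable region is 64 KiB; targeting such regions is how a scanner cuts cost, and why loaders that avoid them are hard to see.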

Typical stages in CobaltStrike execution, which works primarily in-memory to evade detection.

Source: Palo Alto

NGAV, EPPs, and EDRs/XDRs can perform memory introspection. However, this is typically done within a sandbox, not in the real-time environment of endpoints. Even then, in a best-case scenario, memory scanning-focused solutions can only scan a small percentage of application memory. This leaves a significant security gap for exploitation by Cobalt Strike and similar tools. 

The challenge is exacerbated by the fact that an increasing number of threat actors are using polymorphism, packing, and obfuscation to hide their presence, including in memory. This makes the chances of catching malicious activity in runtime memory close to zero.


Securing the In-memory Security Gap with Moving Target Defense

Reliably preventing compromise by advanced threats requires deploying a layered security posture that makes attackers’ life difficult. 

This means deploying best-of-breed scanning-based solutions. NGAV (next-gen antivirus), EPP (endpoint protection platform), and EDR/XDR (endpoint detection and response / extended detection and response) technologies are essential for spotting many types of malicious behavior and displaying network activity.

But as mentioned, these technologies don’t reliably stop unknown threats and those at the run-time memory layer. 

That's where a proactive, deterministic security technology like moving target defense (MTD) comes in. MTD is increasingly popular because it closes a security gap these other offerings cannot address. Instead of dealing with threats after it sees them, MTD pre-emptively denies untrusted code access to the memory assets it targets, without needing any prior knowledge of signatures or behavior patterns to do so.

As advanced threats become more common, this kind of proactive, deterministic technology is becoming essential. Without it, there is no effective way to stop threats targeting device memory. 

MTD closes the in-memory security gap by preventing the execution of shellcode, in-memory exploits, credential dumping, propagation through code injection techniques, and many other living-off-the-land and defense evasion techniques. MTD doesn't need to recognize malicious patterns in memory. Instead, MTD only allows trusted code to execute. It does this by randomizing the application runtime memory environment, updating trusted code with the changes, and leaving traps behind for untrusted code. Because it doesn't need to inspect the runtime memory environment to block attacks, MTD is ultra-lightweight.

For attacks like Cobalt Strike backdoors, the initial loader loads into memory to remain undetected. However, because this code is untrusted, it triggers MTD memory traps, which block its execution.

This prevention-first approach doesn't rely on signatures or behavioral patterns, so it blocks evasive, unknown attacks, zero-day attacks, supply chain attacks, and fileless attacks, with a negligible performance impact.

Moving Target Defense prevents attacks by morphing application memory and diverting untrusted code into traps.

Source: Morphisec

It's not surprising then that Lawrence Pingree, Gartner VP of emerging technologies, security & risk, argues that 2023 will be the year of Moving Target Defense.

With a track record of blocking Cobalt Strike backdoors, Moving Target Defense also protects against new ransomware variants, all Qakbot strains, Emotet malware, Mimikatz attacks, RATs, and other threats that evade EPPs and EDRs/XDRs from the likes of Microsoft, Trend Micro, SentinelOne, CrowdStrike, Sophos, Palo Alto, and others. 
