h1

Waging Cyber War with Cobalt Strike at the Collegiate Cyber Defense Competition

March 18, 2013

The 2013 season for the Collegiate Cyber Defense Competition (CCDC) is well underway. These CCDC events put student blue teams in charge of a corporate network. One hour of competition time simulates a week of real life. On top of system administration and business injects, students must defend their networks against a constant barrage of attacks from a professional red team.

In the past, different vendors have made extended trials of their products available for use by the CCDC red teams. In 2012, Rapid7 made Metasploit Pro available. Several years ago, Immunity offered their Canvas product as well. Keeping with this tradition, Strategic Cyber has made Cobalt Strike available to the 2013 red teams.

This offer is more than an extended trial though. I believe a well-prepared red team will help the students get the most out of their CCDC experience. To help CCDC red teams prepare, Strategic Cyber has mailed its pen test lab DVDs to all red team members that requested one. This DVD includes target VMs and self-guided labs on exploitation, social engineering, post-exploitation, pivoting, and collaboration.

Cobalt Strike is a collection of threat emulation tools added to Armitage and the Metasploit Framework. While Cobalt Strike was built for a client-side attack surface, it offers several capabilities CCDC red teams will find useful. Here’s a few of them:

  • Collaboration – While most commercial penetration testing products offer collaboration features now, Cobalt Strike’s little sister Armitage pioneered some of these ideas. Armitage was made to meet CCDC red team needs. With Cobalt Strike, CCDC red teams will have the ability to simultaneously interact with compromised hosts, share data, and track events through a shared event log. Cobalt Strike’s host labels feature also allows the red team to add notes to hosts and to create arbitrary groups of targets.hackers
  • Distributed Operations – A known CCDC Red Team best practice is to setup multiple attack servers, each with a specific role. Red Team members should perform noisy actions, such as attacks and scans, on their local system. Compromised systems should actively communicate with a server dedicated to long-term persistence.  Red Team members should use another server for active post-exploitation and pivoting. This is a lot of attack servers to keep track of!

    Cobalt Strike embraces this idea by enabling distributed operations. One Cobalt Strike client may control multiple attack servers. Cobalt Strike’s distributed ops features make it seamless to send sessions between servers, use all known credentials in a brute force attack, and to set up client-side attacks that span multiple servers.distops_phase3

  • APT-style Command and Control – Years ago, the CCDC red team activity resembled sport fishing. We would exploit a host, marvel at our accomplishment, and throw it back for more exploitation later. Now, CCDC red teams try to mimic a well-embedded adversary. A well-embedded attacker does not maintain an active connection to their victim at all times. They install agents that periodically phone home, request tasks, and execute them.

    Cobalt Strike’s Beacon gives CCDC red teams this asynchronous style command and control. Beacon uses DNS to ask if tasks are available. When tasked, Beacon will download its tasks over HTTP and execute them. Beacon is a first-class payload, like Meterpreter. It’s trivial to deliver it with a client-side exploit, embed it in an executable, and inject it into a process. Beacon will log keystrokes, execute commands, and spawn Meterpreter sessions for active post-exploitation. Beacon is Cobalt Strike’s agent for long-term command and control.

  • Cortana Scripting – One of the hardest parts of CCDC is managing 10+ simultaneous engagements. The CCDC Red Team has to try all attacks against all teams for them to count. Fortunately, it’s trivial to write scripts to automate most red team actions including launching exploits and installing persistence. All Cortana scripts written for use with Armitage will work just fine with Cobalt Strike.

I know we had a lot of fun with Cobalt Strike at the North East and Rocky Mountain CCDC regions. I’m looking forward to the war stories that come from this season.

One comment

  1. All of this delicious malicious without disruption of service either…. if we weren’t looking we would have no idea, so I can’t speak to our countermeasures. Kudos sir.



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s