Risky Business - Snake Oilers: LimaCharlie, Honeywell Cyber Insights, CobaltStrike and Outflank
Episode Date: April 28, 2025
In this edition of the Snake Oilers podcast, three sponsors come along to pitch their products: LimaCharlie: A public cloud for SecOps; Honeywell Cyber Insights: An ...OT security/discovery solution; Fortra’s CobaltStrike and Outflank: Security tooling for red teamers. This episode is also available on YouTube.
Transcript
Hey everyone and welcome to another edition of Snake Oilers here at Risky Business.
My name is Patrick Gray.
The idea behind these Snake Oilers podcasts is vendors give us money so they get to come
onto this show and pitch you their products.
So everyone you see in one of these editions paid to be here and yeah we've got three companies
pitching for you hard today.
We're gonna hear from Lima Charlie,
and their idea is they've built like a cloud platform
for security primitives.
So yeah, it's like a SecOps cloud platform.
We're gonna hear from them first.
Then we'll be hearing from Honeywell,
and they're gonna be talking about a product
that came to them through an acquisition. It's called Cyber Insights. It's a security platform for OT.
This is a product that used to be called SCADAfence, then it was acquired by Honeywell. Now it's
their thing. They're going to tell us all about that. And then finally, we're going
to hear from Connor Johnson, who works with Fortra. And of course, these days they offer
pen testing tools that they got via acquisition as well and when Fortra first wrote to us to ask if
they could do one of these segments I thought any company that we have been
that mean to over the years due to other products in their portfolio if they want
to come and sponsor us you know I just I just admire that right and of course
we're going to be talking about Cobalt Strike
and a couple of other goodies that they offer
to red teams around the world.
But yeah, let's start off by chatting with Lima Charlie.
Now Lima Charlie was founded by Max Lamothe-Brassard
who did give me the correct pronunciation
of his name in French, but if I tried to say it,
I would probably die. But yeah, Max is the CEO and founder of Lima Charlie. And really
what they're trying to do is build a cloud platform for security primitives, right? Which
sounds a little bit hand wavy. So I'll drop you in here where Max explains what it is
that Lima Charlie actually does. Enjoy.
So Lima Charlie is building the
SecOps Cloud Platform. It's a cloud provider for cybersecurity primitives. So we've got all kinds
of well understood cybersecurity products from the EDR to automation agents, the ability to ingest
all kinds of telemetry, the ability to do routing and optimization, so sending this data to
other places. So we are built like a cloud provider. That's kind of the big difference, right? We're
built like a cloud provider. So today you're an incident responder and you need 20,000 endpoints,
like in the next five minutes, you can go and you can do that. If you're an enterprise and you are looking to go from your
stack of 50 different products and boil that down,
because it's not true that those 50 products need to be 50
different products.
The reality of cybersecurity is that a lot of these things are
well understood.
They're not cutting edge anymore.
And that's where we come in.
Like a cloud provider. We give you those
primitives, they call it the undifferentiated heavy lifting, right? Like the bits that are well
understood. So, hey, I have Office 365, and I want to be able to alert on it and send an alert into
my SIEM. None of these things are cutting edge. So yeah, you can go and buy, you know, four different products
for this and another one to glue those together and manage the contract and manage all that stuff.
Or you can just start using Lima Charlie, get it on your own, spin up, do it exactly the way that
you want it. And because we're built like a cloud provider, we are not a black box, right? All those
other vendors, if you buy CrowdStrike,
you're buying the promise that CrowdStrike is the best
at defending against everything
at the same time for everybody.
We are taking the approach where we give you the Lego blocks
so that you can go and say, as an enterprise,
I know that I have this network that needs to be,
you know, defended in a specific way.
You can very easily go and build that
security posture.
And it's a security posture.
You can look at it.
You can know what you're protected against, what you're not protected against.
You can reason about it.
So it's really a powerful new way to look at it.
It's kind of going from the old days of buying the box software and starting to use the cloud
providers. So it's a very different deal.
All right, so what are the various components
that make up Lima Charlie?
Because what you just described, it
sounds like you've got some sort of maybe log correlation
engine, right, where you can ingest logs from things
like O365 or from routers or maybe Corelight sensors
or whatever.
So a little bit SIEM-like in that sense,
but you also have client software as well, right?
So why don't you walk us through what the actual components
are that make up what you're selling here?
That's right.
You hit on an important point, which
is we don't think that those things,
there are different acronyms.
It doesn't need to be different products.
So here's how we view the world.
You want to ingest things.
You need access to telemetry.
You need access to logs.
Now logs that could be EDR, and we do have our own EDR,
cross-platform Windows, Mac, Linux, everything
under the sun.
But it can also be from cloud to cloud,
so Office 365 or Azure or anything like that,
Okta, all the usual suspects.
Or it could be things from on-prem.
We've got people that ingest from hundreds of firewalls
just constantly into the platform.
So all of these things come into Lima Charlie.
And then we have an automation engine,
a single automation engine that runs across all
of this telemetry.
So what that means is that your analysts aren't trying to engineer
detection in a totally different way from Okta, from Defender, from Azure, from EDR.
It's all done in the same way. Then we do a year of full telemetry retention. Again, we don't want
folks to start to negotiate with their vendor, like, do I need this one more day? What does that? No. We think everybody should have a full year
of telemetry retention.
And we do that at a fraction of the cost
of a company that's dedicated to only doing storage,
because that's the thing they're going to be monetizing.
Finally, we have the data routing and optimization.
So that's simple.
Hey, I've got all of these data sources
coming into Lima Charlie. I want my analysts to get my detections into a Splunk, for example. And
then I want all of my bulk data from Azure to go into this bucket, right? So taking this
data, sending it to the relevant places, all different technologies along the way, you
can transform them, you can anonymize them, you can reduce the data.
So it allows you to optimize really, really well the backend of those systems.
Maybe you won't replace your SIEM, but you can probably reduce the bill by 70% to that SIEM.
So all of these things kind of put together are the core of Lima Charlie.
But like a cloud provider, there is a ton of
capabilities that are built that are kind of peripheral on that because it's so easy to build
on a cloud provider. It's the same thing with Lima Charlie. So we'll have products like
BinLib, which is like a private VirusTotal offering. So we see all of these capabilities
as truly Lego blocks in your security posture and not big bundles that you must have pre-negotiated ahead of time with all kinds of different
vendors.
You're explaining this as something that's extremely flexible, right?
So what I'm wondering is, can you think of two case studies off the top of your head
where people are using it for wildly different things?
Give us a couple of examples there.
Absolutely.
So I've got three examples.
So one is around service providers.
So in a specific case, a case study that we've published, we became the mortar for that service
provider, meaning they changed their endpoints.
They were using a collection of a bunch of different technology, some Sysmon, some Wazuh, some, I think,
some Velociraptor, like a bunch of different things.
They were able to consolidate on a single technology.
They had a log forwarder, or replaced that log forwarder,
with a single technology.
Then in the cloud, they're able to engineer
all of their detection at once in that same automation engine.
They got a year of retention, so we solved the compliance issue.
Their analysts really liked their SIEM, one of the few ones.
And so what they did is they only optimized
what they sent to the SIEM.
Not everything goes at all times in a SIEM.
Instead, the SIEM triggers when you want the full data
from an endpoint, for example,
they trigger that to get sent in the SIEM. So they've reduced their spend, if I recall,
it was by 70% on infrastructure.
Look, fortunes have been made by saving people money on their Splunk bills, right? Like this
is one of the weirdest business models in business, but yeah, that's how it works sometimes,
right? That's right. That's right. And for us, it's table stakes, right? We see what we are building
as a cloud provider, not a one trick pony. Other totally different example, we've got a company
called BlueMirror that used to be a cloud SIEM in the cloud SIEM space, wanted to expand into the XDR space. So they came to us and use
our agent in a fairly unopinionated way, just like they would spin up an EC2 instance. And they built
their whole product zero to GA in five months. So that's a type of acceleration speed that you
couldn't get by, let's try to negotiate that with CrowdStrike, right? Like good luck.
Yeah.
I mean, what I'm hearing though, also is I've asked you for a couple of case
studies, they're both service providers in this case, like they're both, you
know, managed providers from what I understand, this is where, you know,
Lima Charlie is quite popular is with those MSSPs.
Is that correct?
So, uh, that is correct.
We are extremely popular in the service space where we are popular in the
enterprise space is with companies that have a good cybersecurity team. We kind of joke sometimes
the company with two part-time cybersecurity people is probably not a good fit in the same way
that if you have two part-time IT folks, you don't go and build an AWS. You need something easier.
But if you have a cybersecurity team
and they need to understand the security posture
in the company, you want to reduce the cost,
you want to streamline and automate processes, right?
Automating in a cloud environment is so much easier.
So those types of enterprise, of teams,
they gain just like the service providers
because they still, they need to do things
at scale, right?
They need to do a lot of automation.
Often they have a large footprint to understand
and customize around.
So that's where we shine as well.
So it's really is about organizations that have teams
that can work on detections and do customizations
and things like that.
I mean, we often hear about major enterprises
having detection teams, for example, who can write their own
detections and whatnot.
But you don't often hear about them almost doing semi-roll
your own telemetry collection, right?
Is that what people are doing?
Usually, they're not so much on the collection side of thing.
That's the part that we make easy.
That's the part that's no-brainer, right?
Zero to 20,000 endpoints in 30 seconds.
That's easy.
The part where the detection engineering will come in
is when they want to, here's the example I give all the time.
When WannaCry happened, I remember that morning,
I went on Twitter, and detecting WannaCry
was one of the easiest thing in cybersecurity ever done.
It was one of the easiest threats.
It was called WannaCrypt.exe.
If you killed it when you saw it, you were done.
But how many people that morning woke up and called
their vendor and said, hey, am I protected against this?
And they got one of two answers.
One was, yeah, you're totally good.
We've got AI we're to solve.
And it was like, eh, is that not the greatest answer?
The other one was, well, we're going
to have a patch that's rolling out this afternoon.
That's better, but still, it's not great
when the threat is that easy, in theory, to just block.
So what we do is we make it trivial for those teams
to be able to go and have that governance,
to come in and say, you know what?
I want a rule on Windows that if I see this thing, I'm going to go and kill it, right?
And so it's these types of things that they can really dig into Lima Charlie and start
to automate things they never thought they could, right?
Some people will collect various forms of forensic information automatically from endpoints,
and then they'll correlate that with automation around Office 365 and then
Automatically you'll go and lock out a user and so we just make that easy
So as long as you want to be able to do these powerful things, we're by far the best platform for that
Do you have many customers who are running your endpoint agent alongside some of the, you know, the
bigger EDR companies as well? Because I'd imagine, because what you're describing is
just like easy, you know, easy mitigations that you can roll out to every endpoint. And
you know, that's fantastic. But do you have people who are, who are, you know, using it
for that just to fill in some of the blanks from their major providers?
Absolutely. Absolutely. We so I'll quote one of our customers.
We do a better job detecting using Carbon Black
than Carbon Black does with Carbon Black.
So we do support all other EDRs.
Again, we're built like a cloud.
So everything can come in.
Everything can go out.
We don't hold your data hostage in any way.
So a lot, especially of service providers,
will often have a very eclectic ecosystem
of different solutions.
And so specifically for the endpoint, what we'll do
is we go even beyond that, where we do normalization
and encapsulation.
So we will take those other EDRs,
and we will convert that into a single format
that you can build your rules against.
But we know that not everything converts so well.
So what we'll do is we will include the original always
in those events.
So you don't lose anything.
What you gain is the ability to have
a single set of detection and remediation and playbooks
that operates across all of those.
So we'll see that in the service providers that
need to support that.
In enterprise, we will see that very often
in large enterprise that is coming into Lima Charlie,
but they can't just do it all at once.
They have to do this in phases.
So what they're doing is they will move the security
department first into Lima Charlie with the agent,
but then connect everything into Lima Charlie.
So that way they can immediately get all of kind of the core value, but also over time do their phases.
It's it's really like moving to the cloud.
All right, Max Lamothe-Brassard, thank you so much for joining me on the show to walk us through Lima Charlie and what it's all about.
Appreciate your time.
Thanks for having me.
That was Max Lamothe-Brassard there
with a chat about Lima Charlie.
Big thanks to him for that.
Next up, we're gonna chat with Chris Christensen
from Honeywell, and he is the Director
of Global Cybersecurity for Honeywell Building Automation.
And they have a product they're offering
called Cyber Insights, which is for OT environments.
It gives you visibility into what's running, what its patch levels are and whatnot.
And this is a product that used to be called SCADAfence before Honeywell
acquired them.
So I'll drop you in here as Chris Christensen explains what Cyber Insights actually does.
Here he is.
So we acquired a company called SCADAfence and then we have made it so that it is now a
Honeywell product and it's called Cyber Insights.
So Cyber Insights is essentially a platform for people who have buildings that are wanting
to make sure that they have visibility of all of their different systems that are within
operational technology area.
They can see all of their different systems.
So it's vendor, like it works on all different vendor systems, but it gives them a real time
view of their assets, their inventory.
And then it also helps them to be able to mitigate risk and make sure that if they have
any vulnerabilities or issues on their network or on their systems or any of their devices,
that it updates them and lets them know that it might need a patch, it might need an update, but it does asset discovery.
It enhanced the security posture for the customers.
It's a great product for our customers and for anybody that owns a facility and
is trying to make sure that there's a gap between the OT and the IT team so that
the IT team can see all of the different systems that are in the OT infrastructure.
So this is a visibility and discovery tool, less of a network monitoring tool, is that right?
Yes.
Okay, right. So now I work with runZero, right? They do active discovery of OT.
There's two camps. There's the, it must be passive. It absolutely must be passive to avoid
disruption. And then there's the, well, you're going to miss stuff if you're only doing passive it must be active. Which
approach did you take? We took the approach of having it being passive, making sure that we can
hear the things on the existing infrastructure. We haven't had any problems of missing anything
to date, so there isn't anything that we've missed, but just doing the passive approach makes
it so that the customer's environment works more seamlessly.
There's not as much interruption.
So that's what the approach we've taken.
Right.
So when you deploy this, I'm guessing you're going to need access to
SPAN ports and things like that.
Like how do you actually go and set this thing up?
So you're exactly right.
We're going to connect it to a SPAN port, and anything that's coming
back to that SPAN port, we're going to hear that device being able to talk.
And then we're going to be able to pick it up and put it
into a nice pretty dashboard so the customers can
see the different systems that are there.
Gives them the IP address, the MAC address,
more information that they will need
and that they should have had but maybe didn't necessarily
have.
They probably had it on an Excel spreadsheet somewhere.
But this gives them realtime visibility on those things.
Yeah, it goes into a spreadsheet that maybe gets updated every three years if you're lucky
kind of thing, right? Like that is frankly how it works. Right. So when people are buying
this, they're rolling it out. What are the main things that they're looking for here?
I mean, I'm guessing, look, sadly, I'm going to say it. I'm guessing a lot of the time
people are buying this for compliance purposes. Did I guess that about right? So at first, no, they weren't
buying it just for compliance, but we are seeing a big uptick on that. Like with NIS2 in Europe,
as well as with NIST in America, and the different requirements and regulatory controls that are
coming out, this does help them be able to have asset visibility. And so we have seen a big, big increase on making sure that they're monitoring these different systems.
Yeah, right. Okay. So what is the main driver then for people to actually go and plonk down
their hard earned cash on a system like this? What is it they're seeking to achieve?
So we're seeing a lot of uptick on operational technologies being attacked. So because again,
you mentioned that they are vulnerable, they're old,
they're legacy systems. Um, it's an easy place for attackers to get in.
Now, if you don't even know what type of systems you have,
you're not able to protect those systems.
So the first step is to be able to have visibility so that what you know is
there,
then you can be able to figure out how to make sure that it's secure and it's
protected.
Okay. When you're talking about attacks against OT, we've seen obviously things like the Volt Typhoon campaigns that are targeting, I guess, the IT environments, you know, adjacent to OT.
But what attacks have we seen targeting OT directly itself?
I mean, there's several. One of the biggest ones that always comes to mind for me
is the Target HVAC breach that happened several years ago.
When they got through on an HVAC system
and they got into all of the Target data,
so customer's information, credit cards, bank statements,
finance items that were in Target.
But we're also seeing that those different attacks within OT systems,
once they're into the OT area, they sometimes will wait
and be able to get into an IT area.
So for instance, a card access system.
If you have a card access system
that's connected to Active Directory,
if I can get into that card access server,
then I'm gonna be able to get
into your IT information as well.
But more importantly, I think that right now
we're seeing a lot of attacks
that actually
just want to take stuff down. They're not even necessarily looking for social security numbers,
data bursts. They're just looking to be able to say, hey, I took down this facility and that's
what my greatness is. And so we want to make sure that our customers or everybody understands that
in order to protect their systems, they need to be able to be aware of what's out there.
Yeah. I mean, interestingly enough though, like that Target hack, I wouldn't call that,
I mean, it's kind of OT, right? But that's going to be some Windows server that's controlling
the devices, right? So it's more like traditional bread and butter hacking. The stuff you mentioned
about card systems, that's very interesting, right? I can absolutely see how that is something
where, yeah, if you're running vulnerable
card payment devices you're going to want to know when they need to have a patch, you're going to
want to know if you if you missed one, absolutely a clear use case there. And in terms of yeah in
terms of going into the into the IT environments is that actually happening that much though?
Have we seen that? I think I seem to remember like maybe my colleague, Catalin, covering one of them once.
Yeah.
And honestly, there's a lot that as you know, lately with attacks, most organizations, the
first place they go is to their legal team to find out what they can or can't say.
So a lot of the different attacks, like one of the ones that I think is a great example
of this is with the MGM Grand Attack, right?
So they got into the IT systems,
but essentially their OT systems didn't work as well.
So if you watched anything on TikTok
or saw any of the videos,
you would see that individuals would go to the elevator
to try to access the room.
They wouldn't have access to the elevator
because the cards weren't working.
They'd go to their rooms, those weren't working.
They had to do fire watches.
They didn't know if their fire system was up and running.
So I think a lot of it is just the disruption that it causes and that they can get into
those type of, you know, fire, card access, HVAC, those type of systems when they're in,
it makes it so that those facilities don't work to the way that they're supposed to.
But isn't it the case that the reason those systems weren't working is because the attackers
had control of the IT systems that were controlling those OT devices?
In that example, I'm not sure we knew that they actually had control. They just didn't have
visibility of those systems. So when you look at was their fire system working, it was, right? If
there was an actual fire, they would have pulled the alarm
and there would have been a fire alarm go off.
But even the IT team,
they didn't know if those fire systems were working.
The card access system,
once they've got attacked,
they just make sure they shut down everything
versus just the things that have been attacked
because they didn't want anything else to be infected.
So I think from that perspective,
you're seeing that all of those things, they don't know enough about them and how they're working with the IT systems.
So they don't necessarily separate them in the way that makes them so that you have one system can work and the other system doesn't at the same time.
It's almost as if the IT team is like, all right, we've got this attack. We want to take everything down.
Yeah, OK. I sort of see what you're saying there, which is having this visibility is a good step
to avoid those sort of problems in the first place.
Definitely.
Yeah, yeah.
OK, got it.
So in terms of what are the most alarming findings,
you would know when a customer normally goes and installs
something like this, and then they run it for the first time.
We used to hear about when vulnerability scanners first became something that could be used in enterprise,
you would hear about people running their first Nessus scan
15, 20 years ago, and oh my God,
they would wanna fall over.
What's the equivalent sort of war story
when it comes to deploying this sort of thing
for the first time?
It's very similar to what they would have seen then.
I mean, when you look at even like a card access system,
sometimes customers and individuals,
they don't know how many different printers
they're running, right?
The IT team has printers on the IT area,
but when it comes to the OT area,
they're not always aware of even just the different printers
that are available.
So we recently deployed this onto a customer site,
and one of the first things they noticed
was there was like five printers that were out of compliance
that hadn't been patched, that hadn't been updated.
And immediately they wanted to make sure
that they corrected those things.
So it really was some of just the basic things
that the IT organization looks and sees,
well, this is on the OT area.
It's not something we need to worry about.
Oh, wait, this is a printer?
We better make sure that we update that
and make sure that it's patched correctly as well.
Yeah, right.
I don't know if you saw there was a recent bit of news
about an IP camera being used to ransomware a network
and they did it via access from the IP camera
to the file shares, which I guess, you know,
is that OT is that, it's more IOT than OT,
but it was still an interesting case.
Well but even in that case you're exactly right like if somebody can get
into your camera system how far how how much further can they go like because if
they're able to do that like the capabilities once they're in there if
they shut down all your visibility if you have an emergency or if something
happens you're not able to actually see what's going on so your eyes are pinned and you're not able to take care of what needs to be done.
So really to sum up the pitch here, it's about continuous visibility into OT across your
network so that you can then better prepare and architect things to put yourself in better
shape.
Correct.
Completely agreed.
Yes.
All right.
That's a great simple pitch.
Chris Christensen, thank you so much for joining me to walk through it. I appreciate your time.
All right. Thank you. Have a great day.
That was Chris Christensen there from Honeywell. Big thanks to him for that. And yes, Cyber Insights for OT made by Honeywell should be pretty easy for you to find if that is something you are looking for. So the final company we are hearing from today
is Fortra. Fortra is a software company that acquires other software companies
and you know that that that's how they grow and they've had some acquisitions
that we've made fun of like I think GoAnywhere MFT is a Fortra product these
days but they also happen to own Cobalt Strike and Outflank. And Cobalt Strike of course is a sort of infamous
C2 framework which is old versions, old pirated versions of Cobalt Strike were actually quite
popular with you know, cyber crooks basically for quite a long time. But they did eventually
get a handle on that with all of the licensing requirements and what not. So you know, not,
I don't know that it's as everywhere as
it used to be but you know the versions being used out there in the wild didn't
really connect to the sort of pro versions and haven't for for quite a
while so yeah Fortra these days they sell Cobalt Strike and they also have
another suite of tools for red teamers called Outflank, and Connor Johnson from
Fortra joined me to pitch these tools from Fortra to red teams and explain to us who
uses them.
Enjoy.
Yes.
So at Fortra, we provide offensive security tools, Cobalt Strike and Outflank, which are
really designed to help red teamers emulate real world cyber attacks. So giving red teams the ability to test environments the same way that an advanced attacker would.
I mean, we know today that the threat landscape is getting more and more sophisticated every
day and the tools that we provide ultimately help organizations close those security weaknesses
and identify vulnerabilities before an attacker is able to exploit them.
So again, Cobalt Strike, Outflank are the red teaming solutions we offer. Cobalt Strike provides
the post-exploitation capabilities through its Beacon payload and Malleable C2,
while Outflank is kind of the new kid on the block,
which is a broad set of offensive security tools that covers the entire attacker kill chain and has an emphasis on like evasion
and OPSEC safe tooling.
Yeah, right.
So why don't we just start by talking about Cobalt Strike, right?
Because as I say, it's been around since the Jurassic era.
Is it still popular? Because it was my understanding that like EDR tooling and stuff got pretty good at
detecting it. So red teams have kind of moved away from using it a little bit, or is there just,
you know, a bunch of use cases where it's still the go-to? Yeah, I mean, we still see a lot of
red teams that are using Cobalt Strike. I mean a lot of people have used it over a long
period of time and it's still a really stable customizable C2 framework that I mean our team
is continuing to develop and put R&D into. So I mean we had a new release just a few weeks ago,
4.11 which has some new capabilities and cool things in there. And then with Outflank,
I mean, we kind of expand the capabilities of Cobalt Strike and, I mean, use those two together
to enhance those Red Team processes. So why don't you walk us through Outflank? Because,
you know, Cobalt Strike, obviously I'm familiar with, you know, and it's worth reiterating again that like a lot of the issues around weak licensing controls that led to
adversaries actually using it, like they've been resolved years ago and often when you're
hearing about, you know, ransomware crews and whatever using Cobalt Strike, it's pirated
ancient versions. So just get that out of the way. But when it comes to Outflank, you
know, it's a tool set that I'm not really familiar with.
Can you walk us through like what each component does and, you know, what you use them to do?
Yeah.
So I don't know that I can walk you through each component because there's about 30 plus
different tools that are available in the toolkit.
Well, the big ones then, give us the headline capabilities then.
Yeah.
So, I mean, really Outflank is a toolkit that is built by
elite red teamers for red teamers. So built for performing in mature sensitive target environments,
officially I guess simulating techniques that are used by APTs and other cyber attackers. So
like I mentioned earlier, the attack chain coverage that we have, we cover the full
attack chain from the in phase to the through phase to the out phase. So initial access, lateral
movement, privilege escalation, evasion, and much more. So we have our payload generator with EDR
presets. If you're going up against a specific EDR, it helps you generate
the payload with enhanced anti-forensic type payloads or hidden desktop which you can
essentially interact with a user's desktop to see what they're doing without them knowing.
Those are just a couple of the tools that we have in there. There's a lot more that goes into it.
Again, that works with Cobalt Strike and also as a standalone product.
Yeah, I mean, I'm guessing the reason this is a thing is because like for a long time,
pen testers have had to maintain, you know, custom tool sets, right?
Like each pen test shop will develop their own tools for this, but you know, as
detections and controls have got better, like that just keeps getting harder.
Right, I mean detections is one thing. Going against the EDRs, they're
obviously really good these days, so I mean trying to constantly do your own
R&D and develop the tools to go against those EDRs. That's a challenge in itself, but also
Red teaming as an industry. I mean there's a lot that goes into it
and I mean teams struggle with keeping up with the rapid pace of
Adversary attacks and different tooling that they need to use during their engagements.
So that's where Outflank comes in. You're essentially outsourcing the research and development
phase to the Outflank team to keep up with those advanced tactics that attackers are
using.
Now, I'd imagine some of the bigger, you know, security consulting and pen test shops, they're
going to stick with their in-house stuff, right? Because that's kind of a value add
for them. I'd imagine the market for this, and correct me if I'm wrong, would be more of those small
to mid-size pentest shops as opposed to like the global consultancies that do this sort
of stuff.
Have I got that about right?
Yeah, I mean, we work with kind of companies of all shapes and sizes.
I mean, we talk to consultants that are one, two-man shops, but we also have,
I mean, big four consultants, top five banks and so on that are using these solutions to,
I mean, do internal testing and also provide red team services to their customer base. So
like I said, I mean, it's not something that it's a just small consultant that's
or mid-sized consultant that's using it. It's kind of really all over the board.
And how common is it for internal red teams to be using it? Because that's
something you just mentioned there. Like, you know, is it getting more common
for like large enterprises just to have those internal teams and use this sort
of tooling? Yeah, we've definitely seen an uptick in, I mean, organizations running their own internal
red team processes. I mean, of course, they still are using third parties to come in and get another
set of eyes on things and do that maybe annually, biannually. But we also see that a lot of these
large organizations are starting to build out their internal offensive security program and use Outflank, use Cobalt Strike as kind of their
primary commercial tools to help perform those engagements.
Now I just want to go back to talking about one of the products here,
which is the hidden desktop thing, which means you can,
once you've dropped the right payload on a box, you can actually pointy clicky,
like it's your own desktop around without the user seeing, right?
So the user can be sitting there using their desktop, but you can also be there and like doing stuff and they can't see it.
Is that about right?
That is correct. And it's when you actually see it live, you're kind of jaw dropped at the look of it.
I mean, the fact that I could be on my email or in our CRM or doing whatever the case may be and someone could be watching everything I'm doing.
And I mean, seeing my passwords or whatever the case may be.
Yeah, that's-
But is it just that they're watching
or can they also do stuff as well?
I mean, I'm guessing they can do stuff,
but that will still be visible to the user.
Like I'm wondering how all of that works.
Yeah, they can also do stuff.
So I mean, it's covert interaction
on the target's desktop. I mean, in terms of what they
can do and how they can do it, that's run by people a lot smarter than I am. But yeah, it is
some pretty cool stuff that the Outflank team has developed there. Now, one of the things about this
product set, I guess, is that you do have some community contributions. You know, I'm looking at
your website here. It says there's a curated repository of a hundred user developed
extensions. Is that pen test firms developing, you know, modules and stuff that, you know,
then go into the product and are shared with everybody else. And like, how hard is it to
convince people to give up their, their extension so that everybody else can use them?
Yeah. So Cobalt Strike has the community kit, like you said, with a hundred plus different scripts that are contributed by the community.
I mean, like we were mentioning earlier, Cobalt Strike has been around for a long period of time
and has a large community base. So, I mean, we see a lot of users of the Cobalt Strike solution actively contributing to that community kit and
sharing their tradecraft and ideas with the larger Red Team community. Now that's just the Cobalt
Strike piece of it. Now, Outflank has an entirely, I guess, same but different type of community.
So with the Outflank solution, we have two separate type communities.
So one is a Slack channel that is dedicated just for the customer and the Outflank team.
So that's there for support or questions about documentation, questions about a specific
tool, or whatever the case may be in an engagement there.
The other piece of it is the community Slack channel.
So all the Outflank users get access to that community Slack channel
where you can communicate with the other Outflank users,
you can share ideas on red team engagements,
you can ask questions if you're going or struggling with a specific topic or going against an
EDR in those engagements. That's where you can really share with that entire community
to share that tradecraft and share knowledge amongst all the other Outflank users. Now I've got one final question which is, you know, pen testers are the group of people in
the world that I would least likely, least like to be a salesman, like dealing with that group
of people, right? Because you're talking about when it comes to the technology among the most,
you know, educated and proficient people when it comes to actual hard tech. You work
in sales, you're an account executive on this stuff. I just got to ask, what's it like selling
technology to pen testers?
Yeah. I mean, it's different every day. I think that's the great part of it is all the
use cases are different. And I mean, you're talking to very smart and interesting people. I mean
lucky for me I have some very, very smart people that are built around me here at Fortra and I mean some of the best red teamers that are out there and offensive security professionals
in the industry. So having those guys to back me up when I might not know the answer to a
question or we need to show something cool, I mean that's always a benefit for me, that's for sure.
All right. Well, Connor Johnson, thanks so much for joining us on this edition of Snake
Oilers to pitch us Fortra's offensive security tooling solutions, Cobalt Strike and Outflank.
Great to meet you.
You as well. Thank you.
That was Connor Johnson from Fortra there talking about Outflank and Cobalt Strike,
which are software packages that are used by Red Teamers.
So big thanks to them for that.
And that is it for this edition of Snake Oilers.
I do hope you enjoyed it.
I'll be back soon with more security news and analysis.
But until then, I've been Patrick Gray.
Thanks for listening.