Risky Business - Snake Oilers: LimaCharlie, Honeywell Cyber Insights, CobaltStrike and Outflank

Episode Date: April 28, 2025

In this edition of the Snake Oilers podcast, three sponsors come along to pitch their products:
LimaCharlie: A public cloud for SecOps
Honeywell Cyber Insights: An ...OT security/discovery solution
Fortra's CobaltStrike and Outflank: Security tooling for red teamers
This episode is also available on Youtube.

Transcript
Starting point is 00:00:00 Hey everyone and welcome to another edition of Snake Oilers here at Risky Business. My name is Patrick Gray. The idea behind these Snake Oilers podcasts is vendors give us money so they get to come onto this show and pitch you their products. So everyone you see in one of these editions paid to be here and yeah we've got three companies pitching for you hard today. We're gonna hear from Lima Charlie, and their idea is they've built like a cloud platform
Starting point is 00:00:32 for security primitives. So yeah, it's like a SecOps cloud platform. We're gonna hear from them first. Then we'll be hearing from Honeywell, and they're gonna be talking about a product that came to them through an acquisition. It's called Cyber Insights. It's a security platform for OT. This is a product that used to be called SCADAfence, then it was acquired by Honeywell. Now it's their thing. They're going to tell us all about that. And then finally, we're going
Starting point is 00:00:57 to hear from Connor Johnson, who works with Fortra. And of course, these days they offer pen testing tools that they got via acquisition as well. And when Fortra first wrote to us to ask if they could do one of these segments, I thought, any company that we have been that mean to over the years due to other products in their portfolio, if they want to come and sponsor us, you know, I just admire that, right? And of course we're going to be talking about Cobalt Strike and a couple of other goodies that they offer to red teams around the world.
Starting point is 00:01:31 But yeah, let's start off by chatting with Lima Charlie. Now Lima Charlie was founded by Max Lamothe-Brassard, who did give me the correct pronunciation of his name in French, but if I tried to say it, I would probably die. But yeah, Max is the CEO and founder of Lima Charlie. And really what they're trying to do is build a cloud platform for security primitives, right? Which sounds a little bit hand wavy. So I'll drop you in here where Max explains what it is that Lima Charlie actually does. Enjoy. So Lima Charlie is building the
Starting point is 00:02:05 SecOps Cloud Platform. It's a cloud provider for cybersecurity primitives. So we've got all kinds of well understood cybersecurity products from the EDR to automation agents, the ability to ingest all kinds of telemetry, the ability to do routing and optimization, so sending this data to other places. So we are built like a cloud provider. That's kind of the big difference, right? We're built like a cloud provider. So today you're an incident responder and you need 20,000 endpoints, like in the next five minutes, you can go and you can do that. If you're an enterprise and you are looking to go from your stack of 50 different products and boil that down, because it's not true that those 50 products need to be 50
Starting point is 00:02:53 different products. The reality of cybersecurity is that a lot of these things are well understood. They're not cutting edge anymore. And that's where we come in. Like a cloud provider. We give you those primitives, they call it the undifferentiated heavy lifting, right? Like the bits that are well understood. So, hey, I have Office 365, and I want to be able to alert on it and send an alert into
Starting point is 00:03:18 my SIEM. None of these things are cutting edge. So yeah, you can go and buy, you know, four different products for this and another one to glue those together and manage the contract and manage all that stuff. Or you can just start using Lima Charlie, get it on your own, spin up, do it exactly the way that you want it. And because we're built like a cloud provider, we are not a black box, right? All those other vendors, if you buy CrowdStrike, you're buying the promise that CrowdStrike is the best at defending against everything at the same time for everybody.
Starting point is 00:03:52 We are taking the approach where we give you the Lego blocks so that you can go and say, as an enterprise, I know that I have this network that needs to be, you know, defended in a specific way. You can very easily go and build that security posture. And it's a security posture. You can look at it.
Starting point is 00:04:09 You can know what you're protected against, what you're not protected against. You can reason about it. So it's really a powerful new way to look at it. It's kind of going from the old days of buying the box software and starting to use the cloud providers. So it's a very different deal. All right, so what are the various components that make up Lima Charlie? Because what you just described, it
Starting point is 00:04:31 sounds like you've got some sort of maybe log correlation engine, right, where you can ingest logs from things like O365 or from routers or maybe Corelight sensors or whatever. So a little bit SIEM-like in that sense, but you also have client software as well, right? So why don't you walk us through what the actual components are that make up what you're selling here?
Starting point is 00:04:50 That's right. You hit on an important point, which is we don't think that those things, there are different acronyms. It doesn't need to be different products. So here's how we view the world. You want to ingest things. You need access to telemetry.
Starting point is 00:05:05 You need access to logs. Now logs that could be EDR, and we do have our own EDR, cross-platform Windows, Mac, Linux, everything under the sun. But it can also be from cloud to cloud, so Office 365 or Azure or anything like that, Okta, all the usual suspects. Or it could be things from on-prem.
Starting point is 00:05:27 We've got people that ingest from hundreds of firewalls just constantly into the platform. So all of these things come into Lima Charlie. And then we have an automation engine, a single automation engine that runs across all of this telemetry. So what that means is that your analysts aren't trying to engineer detection in a totally different way from Okta, from Defender, from Azure, from EDR.
Starting point is 00:05:52 It's all done in the same way. Then we do a year of full telemetry retention. Again, we don't want folks to start to negotiate with their vendor, like, do I need this one more day? What does that? No. We think everybody should have a full year of telemetry retention. And we do that at a fraction of the cost of a company that's dedicated to only doing storage, because that's the thing they're going to be monetizing. Finally, we have the data routing and optimization. So that's simple.
Starting point is 00:06:22 Hey, I've got all of these data sources coming into Lima Charlie. I want my analysts to get my detections into a Splunk, for example. And then I want all of my bulk data from Azure to go into this bucket, right? So taking this data, sending it to the relevant places, all different technologies along the way, you can transform them, you can anonymize them, you can reduce the data. So it allows you to optimize really, really well the backend of those systems. Maybe you won't replace your SIEM, but you can probably reduce the bill by 70% to that SIEM.
Starting point is 00:06:57 So all of these things kind of put together are the core of Lima Charlie. But like a cloud provider, there is a ton of capabilities that are built that are kind of peripheral on that, because it's so easy to build on a cloud provider. It's the same thing with Lima Charlie. So we'll have products like Binlib, which is like a private VirusTotal offering. So we see all of these capabilities as truly Lego blocks in your security posture and not big bundles that you must have pre-negotiated ahead of time with all kinds of different vendors. You're explaining this as something that's extremely flexible, right?
Starting point is 00:07:37 So what I'm wondering is, can you think of two case studies off the top of your head where people are using it for wildly different things? Give us a couple of examples there. Absolutely. So I've got three examples. So one is around service providers. So in a specific case, a case study that we've published, we became the mortar for that service provider, meaning they changed their endpoints.
Starting point is 00:08:01 They were using a collection of a bunch of different technology, some Sysmon, some Wazuh, some, I think, some Velociraptor, like a bunch of different things. They were able to consolidate on a single technology. They had a log forwarder, or replaced that log forwarder, with a single technology. Then in the cloud, they're able to engineer all of their detection at once in that same automation engine. They got a year of retention, so we solved the compliance issue.
Starting point is 00:08:30 Their analysts really liked their SIEM, one of the few ones. And so what they did is they only optimized what they sent to the SIEM. Not everything goes at all times in a SIEM. Instead, the SIEM triggers when you want the full data from an endpoint, for example, they trigger that to get sent in the SIEM. So they've reduced their spend, if I recall, it was by 70% on infrastructure.
Starting point is 00:08:54 Look, fortunes have been made by saving people money on their Splunk bills, right? Like this is one of the weirdest business models in business, but yeah, that's how it works sometimes, right? That's right. That's right. And for us, it's table stakes, right? We see what we are building as a cloud provider, not a one trick pony. Other totally different example, we've got a company called BlueMirror that used to be a cloud SIEM, in the cloud SIEM space, wanted to expand into the XDR space. So they came to us and used our agent in a fairly unopinionated way, just like they would spin up an EC2 instance. And they built their whole product zero to GA in five months. So that's a type of acceleration speed that you couldn't get by, let's try to negotiate that with CrowdStrike, right? Like good luck.
Starting point is 00:09:44 Yeah. I mean, what I'm hearing though, also is I've asked you for a couple of case studies, they're both service providers in this case, like they're both, you know, managed providers from what I understand, this is where, you know, Lima Charlie is quite popular is with those MSSPs. Is that correct? So, uh, that is correct. We are extremely popular in the service space where we are popular in the
Starting point is 00:10:04 enterprise space is with companies that have a good cybersecurity team. We kind of joke sometimes the company with two part-time cybersecurity people is probably not a good fit in the same way that if you have two part-time IT folks, you don't go and build an AWS. You need something easier. But if you have a cybersecurity team and they need to understand the security posture in the company, you want to reduce the cost, you want to streamline and automate processes, right? Automating in a cloud environment is so much easier.
Starting point is 00:10:38 So those types of enterprise, of teams, they gain just like the service providers because they still, they need to do things at scale, right? They need to do a lot of automation. Often they have a large footprint to understand and customize around. So that's where we shine as well.
Starting point is 00:10:55 So it really is about organizations that have teams that can work on detections and do customizations and things like that. I mean, we often hear about major enterprises having detection teams, for example, who can write their own detections and whatnot. But you don't often hear about them almost doing semi-roll your own telemetry collection, right?
Starting point is 00:11:12 Is that what people are doing? Usually, they're not so much on the collection side of thing. That's the part that we make easy. That's the part that's no-brainer, right? Zero to 20,000 endpoints in 30 seconds. That's easy. The part where the detection engineering will come in is when they want to, here's the example I give all the time.
Starting point is 00:11:32 When WannaCry happened, I remember that morning, I went on Twitter, and detecting WannaCry was one of the easiest thing in cybersecurity ever done. It was one of the easiest threats. It was called WannaCrypt.exe. If you killed it when you saw it, you were done. But how many people that morning woke up and called their vendor and said, hey, am I protected against this?
Starting point is 00:11:54 And they got one of two answers. One was, yeah, you're totally good. We've got AI, we're going to solve it. And it was like, eh, is that not the greatest answer? The other one was, well, we're going to have a patch that's rolling out this afternoon. That's better, but still, it's not great when the threat is that easy, in theory, to just block.
Starting point is 00:12:16 So what we do is we make it trivial for those teams to be able to go and have that governance, to come in and say, you know what? I want a rule on Windows that if I see this thing, I'm going to go and kill it, right? And so it's these types of things that they can really dig into Lima Charlie and start to automate things they never thought they could, right? Some people will collect various forms of forensic information automatically from endpoints, and then they'll correlate that with automation around Office 365 and then
Starting point is 00:12:48 automatically you'll go and lock out a user. And so we just make that easy. So as long as you want to be able to do these powerful things, we're by far the best platform for that. Do you have many customers who are running your endpoint agent alongside some of the, you know, the bigger EDR companies as well? Because I'd imagine, because what you're describing is just like easy, you know, easy mitigations that you can roll out to every endpoint. And you know, that's fantastic. But do you have people who are, you know, using it for that just to fill in some of the blanks from their major providers? Absolutely. Absolutely. We, so I'll quote one of our customers.
Starting point is 00:13:27 We do a better job detecting using Carbon Black than Carbon Black does with Carbon Black. So we do support all other EDRs. Again, we're built like a cloud. So everything can come in. Everything can go out. We don't hold your data hostage in any way. So a lot, especially of service providers,
Starting point is 00:13:45 will often have a very eclectic ecosystem of different solutions. And so specifically for the endpoint, what we'll do is we go even beyond that, where we do normalization and encapsulation. So we will take those other EDRs, and we will convert that into a single format that you can build your rules against.
Starting point is 00:14:05 But we know that not everything converts so well. So what we'll do is we will include the original always in those events. So you don't lose anything. What you gain is the ability to have a single set of detection and remediation and playbooks that operates across all of those. So we'll see that in the service providers that
Starting point is 00:14:25 need to support that. In enterprise, we will see that very often in large enterprise that is coming into Lima Charlie, but they can't just do it all at once. They have to do this in phases. So what they're doing is they will move the security department first into Lima Charlie with the agent, but then connect everything into Lima Charlie.
Starting point is 00:14:45 So that way they can immediately get all of kind of the core value, but also over time do their phases. It's really like moving to the cloud. All right, Max Lamothe-Brassard, thank you so much for joining me on the show to walk us through Lima Charlie and what it's all about. Appreciate your time. Thanks for having me. That was Max Lamothe-Brassard there with a chat about Lima Charlie. Big thanks to him for that.
Starting point is 00:15:11 Next up, we're gonna chat with Chris Christensen from Honeywell, and he is the Director of Global Cybersecurity for Honeywell Building Automation. And they have a product they're offering called Cyber Insights, which is for OT environments. It gives you visibility into what's running, what its patch levels are and whatnot. And this is a product that used to be called SCADAfence before Honeywell acquired them.
Starting point is 00:15:36 So I'll drop you in here as Chris Christensen explains what Cyber Insights actually does. Here he is. So we acquired a company called SCADAfence and then we have made it so that it is now a Honeywell product and it's called Cyber Insights. So Cyber Insights is essentially a platform for people who have buildings that are wanting to make sure that they have visibility of all of their different systems that are within the operational technology area. They can see all of their different systems.
Starting point is 00:16:03 So it's vendor, like it works on all different vendor systems, but it gives them a real time view of their assets, their inventory. And then it also helps them to be able to mitigate risk and make sure that if they have any vulnerabilities or issues on their network or on their systems or any of their devices, that it updates them and lets them know that it might need a patch, it might need an update, but it does asset discovery. It enhances the security posture for the customers. It's a great product for our customers and for anybody that owns a facility and is trying to make sure that there's a gap between the OT and the IT team so that
Starting point is 00:16:39 the IT team can see all of the different systems that are in the OT infrastructure. So this is a visibility and discovery tool, less of a network monitoring tool, is that right? Yes. Okay, right. So now I work with RunZero, right? They do active discovery of OT. There's two camps. There's the, it must be passive. It absolutely must be passive to avoid disruption. And then there's the, well, you're going to miss stuff if you're only doing passive it must be active. Which approach did you take? We took the approach of having it being passive, making sure that we can hear the things on the existing infrastructure. We haven't had any problems of missing anything
Starting point is 00:17:17 as of to date, so there isn't anything that we've missed but just doing the passive approach makes it so that the customer's environment works more seamlessly. There's not as much interruption. So that's what the approach we've taken. Right. So when you deploy this, I'm guessing you're going to need access to span ports and things like that. Like how do you actually go and set this thing up?
Starting point is 00:17:39 So you're exactly right. We're going to connect it to a span port. And anything that's coming back to that span port, we're going to hear that device being able to talk. And then we're going to be able to pick it up and put it into a nice pretty dashboard so the customers can see the different systems that are there. Gives them the IP address, the MAC address, more information that they will need
Starting point is 00:17:58 and that they should have had but maybe didn't necessarily have. They probably had it on an Excel spreadsheet somewhere. But this gives them realtime visibility on those things. Yeah, it goes into a spreadsheet that maybe gets updated every three years if you're lucky kind of thing, right? Like that is frankly how it works. Right. So when people are buying this, they're rolling it out. What are the main things that they're looking for here? I mean, I'm guessing, look, sadly, I'm going to say it. I'm guessing a lot of the time
Starting point is 00:18:24 people are buying this for compliance purposes. Did I guess that about right? So at first, no, they weren't buying it just for compliance, but we are seeing a big uptick on that. Like with NIS2 in Europe, as well as with NIST in America, and the different requirements and regulatory controls that are coming out, this does help them be able to have asset visibility. And so we have seen a big, big increase on making sure that they're monitoring these different systems. Yeah, right. Okay. So what is the main driver then for people to actually go and plonk down their hard earned cash on a system like this? What is it they're seeking to achieve? So we're seeing a lot of uptick on operational technologies being attacked. So because again,
Starting point is 00:19:04 you mentioned that they are vulnerable, they're old, they're legacy systems. Um, it's an easy place for attackers to get in. Now, if you don't even know what type of systems you have, you're not able to protect those systems. So the first step is to be able to have visibility so that what you know is there, then you can be able to figure out how to make sure that it's secure and it's protected.
Starting point is 00:19:24 Okay. When you're talking about attacks against OT, we've seen obviously things like the Volt Typhoon campaigns that are targeting, I guess, the IT environments, you know, adjacent to OT. But what attacks have we seen targeting OT directly itself? I mean, there's several. One of the biggest ones that always comes to mind for me is the Target HVAC breach that happened several years ago. When they got through on an HVAC system and they got into all of the Target data, so customers' information, credit cards, bank statements, finance items that were in Target.
Starting point is 00:20:02 But we're also seeing that those different attacks within OT systems, once they're into the OT area, they sometimes will wait and be able to get into an IT area. So for instance, a card access system. If you have a card access system that's connected to Active Directory, if I can get into that card access server,
Starting point is 00:20:18 then I'm gonna be able to get into your IT information as well. But more importantly, I think that right now we're seeing a lot of attacks that actually just want to take stuff down. They're not even necessarily looking for social security numbers, data bursts. They're just looking to be able to say, hey, I took down this facility and that's what my greatness is. And so we want to make sure that our customers or everybody understands that
Starting point is 00:20:39 in order to protect their systems, they need to be able to be aware of what's out there. Yeah. I mean, interestingly enough though, like that target hack, I wouldn't call that, I mean, it's kind of OT, right? But that's going to be some Windows server that's controlling the devices, right? So it's more like traditional bread and butter hacking. The stuff you mentioned about card systems, that's very interesting, right? I can absolutely see how that is something where, yeah, if you're running vulnerable card payment devices you're going to want to know when they need to have a patch, you're going to want to know if you if you missed one, absolutely a clear use case there. And in terms of yeah in
Starting point is 00:21:17 terms of going into the into the IT environments is that actually happening that much though? Have we seen that? I think I seem to remember like maybe my colleague, Catalin, covering one of them once. Yeah. And honestly, there's a lot that as you know, lately with attacks, most organizations, the first place they go is to their legal team to find out what they can or can't say. So a lot of the different attacks, like one of the ones that I think is a great example of this is with the MGM Grand Attack, right? So they got into the IT systems,
Starting point is 00:21:49 but essentially their OT systems didn't work as well. So if you watched anything on TikTok or saw any of the videos, you would see that individuals would go to the elevator to try to access the room. They wouldn't have access to the elevator because the cards weren't working. They'd go to their rooms, those weren't working.
Starting point is 00:22:06 They had to do fire watches. They didn't know if their fire system was up and running. So I think a lot of it is just the disruption that it causes and that they can get into those type of, you know, fire, card access, HVAC, those type of systems when they're in, it makes it so that those facilities don't work to the way that they're supposed to. But isn't it the case that the reason those systems weren't working is because the attackers had control of the IT systems that were controlling those OT devices? In that example, I'm not sure we knew that they actually had control. They just didn't have
Starting point is 00:22:37 visibility of those systems. So when you look at was their fire system working, it was, right? If there was an actual fire, they would have pulled the alarm and there would have been a fire alarm go off. But even the IT team, they didn't know if those fire systems were working. The card access system, once they've got attacked, they just make sure they shut down everything
Starting point is 00:22:55 versus just the things that have been attacked because they didn't want anything else to be infected. So I think from that perspective, you're seeing that all of those things, they don't know enough about them and how they're working with the IT systems. So they don't necessarily separate them in the way that makes them so that you have one system can work and the other system doesn't at the same time. It's almost as if the IT team is like, all right, we've got this attack. We want to take everything down. Yeah, OK. I sort of see what you're saying there, which is having this visibility is a good step to avoid those sort of problems in the first place.
Starting point is 00:23:28 Definitely. Yeah, yeah. OK, got it. So in terms of what are the most alarming findings, you would know when a customer normally goes and installs something like this, and then they run it for the first time. We used to hear about when vulnerability scanners first became something that could be used in enterprise, you would hear about people running their first Nessus scan
Starting point is 00:23:51 15, 20 years ago, and oh my God, they would wanna fall over. What's the equivalent sort of war story when it comes to deploying this sort of thing for the first time? It's very similar to what they would have seen then. I mean, when you look at even like a card access system, sometimes customers and individuals,
Starting point is 00:24:07 they don't know how many different printers they're running, right? The IT team has printers on the IT area, but when it comes to the OT area, they're not always aware of even just the different printers that are available. So we recently deployed this onto a customer site, and one of the first things they noticed
Starting point is 00:24:26 was there was like five printers that were out of compliance that hadn't been patched, that hadn't been updated. And immediately they wanted to make sure that they corrected those things. So it really was some of just the basic things that the IT organization looks and sees, well, this is on the OT area. It's not something we need to worry about.
Starting point is 00:24:41 Oh, wait, this is a printer? We better make sure that we update that and make sure that it's patched correctly as well. Yeah, right. I don't know if you saw there was a recent bit of news about an IP camera being used to ransomware a network and they did it via access from the IP camera to the file shares, which I guess, you know,
Starting point is 00:24:59 is that OT, is that, it's more IoT than OT, but it was still an interesting case. Well, but even in that case you're exactly right. Like if somebody can get into your camera system, how much further can they go? Like, because if they're able to do that, like the capabilities once they're in there, if they shut down all your visibility, if you have an emergency or if something happens, you're not able to actually see what's going on. So your eyes are pinned and you're not able to take care of what needs to be done. So really to sum up the pitch here, it's about continuous visibility into OT across your
Starting point is 00:25:32 network so that you can then better prepare and architect things to put yourself in better shape. Correct. Completely agreed. Yes. All right. That's a great simple pitch. Chris Christensen, thank you so much for joining me to walk through it. I appreciate your time.
Starting point is 00:25:47 All right. Thank you. Have a great day. That was Chris Christensen there from Honeywell. Big thanks to him for that. And yes, Cyber Insights for OT made by Honeywell should be pretty easy for you to find if that is something you are looking for. So the final company we are hearing from today is Fortra. Fortra is a software company that acquires other software companies, and you know, that's how they grow, and they've had some acquisitions that we've made fun of. Like I think GoAnywhere MFT is a Fortra product these days, but they also happen to own Cobalt Strike and Outflank. And Cobalt Strike of course is a sort of infamous C2 framework, which is, old versions, old pirated versions of Cobalt Strike were actually quite popular with, you know, cyber crooks basically for quite a long time. But they did eventually
Starting point is 00:26:38 get a handle on that with all of the licensing requirements and what not. So you know, I don't know that it's as everywhere as it used to be, but you know, the versions being used out there in the wild didn't really connect to the sort of pro versions and haven't for quite a while. So yeah, Fortra these days, they sell Cobalt Strike and they also have another suite of tools for red teamers called Outflank, and Connor Johnson from Fortra joined me to pitch these tools from Fortra to red teams and explain to us who uses them.
Starting point is 00:27:12 Enjoy. Yes. So at Fortra, we provide offensive security tools, Cobalt Strike and Outflank, which are really designed to help red teamers emulate real world cyber attacks. So giving red teams the ability to test environments the same way that an advanced attacker would. I mean, we know today that the threat landscape is getting more and more sophisticated every day and the tools that we provide ultimately help organizations close those security weaknesses and identify vulnerabilities before an attacker is able to exploit them. So again, Cobalt Strike, Outflank are the red teaming solutions we offer. Cobalt Strike provides the
Starting point is 00:27:55 the post exploitation capabilities through its beacon payload and malleable C2. While Outflank is kind of the new kid on the block, C2, while Alflanq is kind of the new kid on the block, which is a broad set of offense security tools that covers the entire attacker kill chain and has an emphasis on like evasion and OPSEC safe tooling. Yeah, right. So why don't we just start by talking about Cobalt Strike, right? Because as I say, it's been around since the Jurassic era. Is it still popular? Because it was my understanding that like EDR tooling and stuff got pretty good at
Starting point is 00:28:29 detecting it. So Red Team has kind of moved away from using it a little bit, or is there just, you know, a bunch of use cases where it's still the go-to? Yeah, I mean, we still see a lot of Red Teams that are using Cobalt Strike. I mean, a lot of people have used it over a long period of time and it's still a really stable, customizable C2 framework that, I mean, our team is continuing to develop and put R&D into. So I mean we had a new release just a few weeks ago, 4.11, which has some new capabilities and cool things in there. And then with Outflank, I mean, we kind of expand the capabilities of Cobalt Strike and, I mean, use those two together to enhance those Red Team processes. So why don't you walk us through Outflank? Because,
Starting point is 00:29:20 you know, Cobalt Strike, obviously I'm familiar with, you know, and it's worth reiterating again that like a lot of the issues around weak licensing controls that led to adversaries actually using it, like they've been resolved years ago and often when you're hearing about, you know, ransomware crews and whatever using Cobalt Strike, it's pirated ancient versions. So just get that out of the way. But when it comes to Outflank, you know, it's a tool set that I'm not really familiar with. Can you walk us through like what each component does and, you know, what you use them to do? Yeah. So I don't know that I can walk you through each component because there's about 30 plus
Starting point is 00:29:54 different tools that are available in the toolkit. Well, the big ones then, give us the headline capabilities then. Yeah. So, I mean, really Outflank is a toolkit that is built by elite red teamers for red teamers. So built for performing in mature sensitive target environments, officially I guess simulating techniques that are used by APTs and other cyber attackers. So like I mentioned earlier, the attack chain coverage that we have, we cover the full attack chain from the in phase to the through phase to the out phase. So initial access, lateral
Starting point is 00:30:33 movement, privilege escalation, evasion, and much more. So we have our payload generator with EDR presets. If you're going up against a specific EDR, it helps you generate the payload with enhanced anti-forensic type payloads, or hidden desktop, which you can essentially interact with a user's desktop to see what they're doing without them knowing. Those are just a couple of the tools that we have in there. There's a lot more that goes into it. Again, that works with Cobalt Strike and also as a standalone product. Yeah, I mean, I'm guessing the reason this is a thing is because like for a long time, pen testers have had to maintain, you know, custom tool sets, right?
Starting point is 00:31:23 Like each pen test shop will develop their own tools for this, but you know, as detections and controls have got better, like that just keeps getting harder. Right, I mean detections is one thing. Going against the EDRs, they're obviously really good these days, so I mean trying to constantly do your own R&D and develop the tools to go against those EDRs. That's a challenge in itself, but also red teaming as an industry. I mean there's a lot that goes into it and I mean teams struggle with keeping up with the rapid pace of adversary attacks and different tooling that they need to use during their engagements.
Starting point is 00:32:05 So that's where Outflank comes in. You're essentially outsourcing the research and development phase to the Outflank team to keep up with those advanced tactics that attackers are using. Now, I'd imagine some of the bigger, you know, security consulting and pen test shops, they're going to stick with their in-house stuff, right? Because that's kind of a value add for them. I'd imagine the market for this, and correct me if I'm wrong, would be more of those small to mid-size pentest shops as opposed to like the global consultancies that do this sort of stuff.
Starting point is 00:32:35 Have I got that about right? Yeah, I mean, we work with kind of companies of all shapes and sizes. I mean, we talk to consultants that are one, two-man shops, but we also have, I mean, big four consultants, top five banks and so on that are using these solutions to, I mean, do internal testing and also provide red team services to their customer base. So like I said, I mean, it's not something that just a small consultant or mid-sized consultant is using. It's kind of really all over the board. And how common is it for internal red teams to be using it? Because that's
Starting point is 00:33:14 something you just mentioned there. Like, you know, is it getting more common for like large enterprises just to have those internal teams and use this sort of tooling? Yeah, we've definitely seen an uptick in, I mean, organizations running their own internal red team processes. I mean, of course, they still are using third parties to come in and get another set of eyes on things and do that maybe annually, biannually. But we also see that a lot of these large organizations are starting to build out their internal offensive security program and use Outflank, use Cobalt Strike as kind of their primary commercial tools to help perform those engagements. Now I just want to go back to talking about one of the products here,
Starting point is 00:33:55 which is the hidden desktop thing, which means you can, once you've dropped the right payload on a box, you can actually pointy clicky, like it's your own desktop around without the user seeing, right? So the user can be sitting there using their desktop, but you can also be there and like doing stuff and they can't see it. Is that about right? That is correct. And it's when you actually see it live, you're kind of jaw dropped at the look of it. I mean, the fact that I could be on my email or in our CRM or doing whatever the case may be and someone could be watching everything I'm doing. And I mean, seeing my passwords or whatever the case may be.
Starting point is 00:34:31 Yeah, that's- But is it just that they're watching or can they also do stuff as well? I mean, I'm guessing they can do stuff, but that will still be visible to the user. Like I'm wondering how all of that works. Yeah, they can also do stuff. So I mean, it's covert interaction
Starting point is 00:34:43 on the target's desktop. I mean, in terms of what they can do and how they can do it, that's run by people a lot smarter than I am. But yeah, it is some pretty cool stuff that the Outflank team has developed there. Now, one of the things about this product set, I guess, is that you do have some community contributions. You know, I'm looking at your website here. It says there's a curated repository of a hundred user-developed extensions. Is that pen test firms developing, you know, modules and stuff that, you know, then go into the product and are shared with everybody else? And like, how hard is it to convince people to give up their extensions so that everybody else can use them?
Starting point is 00:35:22 Yeah. So Cobalt Strike has the community kit, like you said, with a hundred plus different scripts that are contributed by the community. I mean, like we were mentioning earlier, Cobalt Strike has been around for a long period of time and has a large community base. So, I mean, we see a lot of users of the Cobalt Strike solution actively contributing to that community kit and sharing their tradecraft and ideas with the larger Red Team community. Now that's just the Cobalt Strike piece of it. Now, Outflank has an entirely, I guess, same but different type of community. So with the Outflank solution, we have two separate type communities. So one is a Slack channel that is dedicated just for the customer and the Outflank team. So that's there for support or questions about documentation, questions about a specific
Starting point is 00:36:24 tool, or whatever the case may be in an engagement there. The other piece of it is the community Slack channel. So all the Outflank users get access to that community Slack channel where you can communicate with the other Outflank users, you can share ideas on red team engagements, you can ask questions if you're going or struggling with a specific topic or going against an EDR in those engagements. That's where you can really share with that entire community
Starting point is 00:36:58 to share that tradecraft and share knowledge amongst all the other Outflank users. Now I've got one final question which is, you know, pen testers are the group of people in the world that I would least like to be a salesman dealing with, right? Because you're talking about, when it comes to the technology, among the most, you know, educated and proficient people when it comes to actual hard tech. You work in sales, you're an account executive on this stuff. I just got to ask, what's it like selling technology to pen testers? Yeah. I mean, it's different every day. I think that's the great part of it is all the use cases are different. And I mean, you're talking to very smart and interesting people. I mean
Starting point is 00:37:51 lucky for me I have some very, very smart people that are built around me here at Fortra and, I mean, some of the best red teamers that are out there and offensive security professionals in the industry. So having those guys to back me up when I might not know the answer to a question or we need to show something cool, I mean, that's always a benefit for me, that's for sure. All right. Well, Connor Johnson, thanks so much for joining us on this edition of Snake Oilers to pitch us Fortra's offensive security tooling solutions, Cobalt Strike and Outflank. Great to meet you. You as well. Thank you. That was Connor Johnson from Fortra there talking about Outflank and Cobalt Strike,
Starting point is 00:38:28 which are software packages that are used by Red Teamers. So big thanks to them for that. And that is it for this edition of Snake Oilers. I do hope you enjoyed it. I'll be back soon with more security news and analysis. But until then, I've been Patrick Gray. Thanks for listening.