
Patrick Gray
And welcome to another edition of Snake Oilers here at Risky Business. My name is Patrick Gray. The idea behind these Snake Oilers podcasts is vendors give us money so they get to come onto this show and pitch you their products. So everyone you see in one of these editions paid to be here. And yeah, we've got three companies pitching for you hard. Today we're going to hear from Lima Charlie, and their idea is they've built a cloud platform for security primitives. So yeah, it's like a SecOps cloud platform. We're going to hear from them first. Then we'll be hearing from Honeywell, and they're going to be talking about a product that came to them through an acquisition. It's called Cyber Insights. It's a security platform for OT. This is a product that used to be called SCADAfence, then it was acquired by Honeywell. Now it's their thing, and they're going to tell us all about that. And then finally we're going to hear from Connor Johnson, who works with Fortra. And of course these days they offer pen testing tools that they got via acquisition as well. And when Fortra first wrote to us to ask if they could do one of these segments, I thought, any company that we have been that mean to over the years due to other products in their portfolio, if they want to come and sponsor us, you know, I just admire that. Right. And of course we're going to be talking about Cobalt Strike and a couple of other goodies that they offer to red teams around the world. But yeah, let's start off by chatting with Lima Charlie. Now Lima Charlie was founded by Max Lamothe-Brassard, who did give me the correct pronunciation of his name in French, but if I tried to say it I would probably die. But yeah, Max is the CEO and founder of Lima Charlie. And really what they're trying to do is build a cloud platform for security primitives, right, which sounds a little bit hand-wavy. 
So I'll drop you in here where Max explains what it is that Lima Charlie actually does. Enjoy.
Max Lamothe-Brassard
So Lima Charlie is building the SecOps Cloud Platform. It's a cloud provider for cybersecurity primitives. So we've got all kinds of well understood cybersecurity products, from the EDR to automation agents, the ability to ingest all kinds of telemetry, the ability to do routing and optimization, so sending this data to other places. So we are built like a cloud provider. That's kind of the big difference, right? We're built like a cloud provider. So today you're an incident responder and you need 20,000 endpoints in the next five minutes? You can go and you can do that. If you're an enterprise and you are looking to go from your stack of 50 different products and boil that down, because it's not true that those 50 products need to be 50 different products. The reality of cybersecurity is that a lot of these things are well understood. They're not cutting edge anymore. And that's where we come in. Like a cloud provider, we give you those primitives. They called it the undifferentiated heavy lifting. Right. Like the bits that are well understood. So, hey, I have Office 365 and I want to be able to alert on it and send an alert into my SIEM. None of these things are cutting edge. So, yeah, you can go and buy, you know, four different products for this and another one to glue those together and manage a contract and manage all that stuff. Or you can just start using Lima Charlie, get it on your own, spin up, do it exactly the way that you want it. And because we're built like a cloud provider, we are not a black box.
Patrick Gray
Right?
Max Lamothe-Brassard
All those other vendors, if you buy CrowdStrike, you're buying the promise that CrowdStrike is the best at defending against everything at the same time for everybody. We are taking the approach where we give you the LEGO blocks so that you can go and say, as an enterprise, I know that I have this network that needs to be defended in a specific way. You can very easily go and build that security posture. And it's a security posture. You can look at it, you can know what you're protected against, what you're not protected against, you can reason about it. So it's really a powerful new way to look at it. It's kind of going from the old days of buying the boxed software and starting to use the cloud providers. So it's a very different deal.
Patrick Gray
All right, so what are the various components that make up Lima Charlie? Because what you just described, it sounds like you've got some sort of maybe log correlation engine, right, where you can ingest logs from things like O365 or from routers or maybe Corelight sensors or whatever. So a little bit SIEM-like in that sense. But you also have client software as well. Right. So why don't you walk us through what the actual components are that make up what you're selling here.
Max Lamothe-Brassard
That's right. You hit on an important point, which is we don't think that those things, you know, they're different acronyms, but it doesn't need to be different products. So here's how we view the world, right? You want to ingest things, you need access to telemetry, you need access to, you know, logs. Now, logs, that could be EDR. And we do have our own EDR, cross platform: Windows, Mac, Linux, everything under the sun. But it can also be from cloud to cloud. So Office 365 or Azure or anything like that, Okta, all the usual suspects. Or it could be things from on prem. We've got people that ingest from hundreds of firewalls just constantly into the platform. So all of these things come into Lima Charlie. And then we have an automation engine, a single automation engine that runs across all of this telemetry. So what that means is that your analysts aren't trying to engineer detection in a totally different way for Okta, for Defender, for Azure, for EDR. It's all done in the same way. Then we do a year of full telemetry retention. Again, we don't want folks to start to negotiate with their vendor, like, do I need this one more day? What does that cost? No, we think everybody should have a full year of telemetry retention. And we do that at a fraction of the cost of a company that's dedicated to only doing storage, because that's the thing they're going to be monetizing. Finally, we have the data routing and optimization. So that's simple. Hey, I've got all of these data sources coming into Lima Charlie. I want my analysts to get my detections into a Splunk, for example, and then I want all of my bulk data from Azure to go into this bucket, right? So taking this data, sending it to the relevant places, all different technologies along the way, you can transform them, you can anonymize them, you can reduce the data. So it allows you to optimize really, really well the back end of those systems. 
Maybe you won't replace your SIEM, but you can probably reduce the bill by 70% to that SIEM. So all of these things kind of put together are the core of Lima Charlie. But like a cloud provider, there is a ton of capabilities that are built that are kind of peripheral on that, because it's so easy to build on a cloud provider. It's the same thing with Lima Charlie. So we'll have products like BinLib, which is like a private VirusTotal offering. So we see all of these capabilities as truly LEGO blocks in your security posture and not big bundles that you must have pre-negotiated ahead of time with all kinds of different vendors.
Patrick Gray
You're explaining this as something that's extremely flexible. Right. So what I'm wondering is, can you think of two case studies off the top of your head where people are using it for wildly different things? Give us a couple of examples there.
Max Lamothe-Brassard
Absolutely. So I've got three examples. So one is around service providers. So in a specific case, a case study that we've published, we became the mortar for that service provider, meaning they changed their endpoint. They were using a collection of a bunch of different technologies, some Sysmon, some Wazuh, some, I think, Velociraptor, like a bunch of different things. They were able to consolidate on a single technology. They had a log forwarder; replace that log forwarder, a single technology. Then in the cloud, they're able to engineer all of their detection at once in that same automation engine. They got a year of retention. So we solved the compliance issue. Their analysts really liked their SIEM, one of the few ones. And so what they did is they only optimized what they sent to the SIEM. Not everything goes at all times into the SIEM. Instead the SIEM triggers when you want the full data from an endpoint, for example, they trigger that to get sent into the SIEM. So they've reduced their spend. If I recall, it was by 70% on infrastructure.
Patrick Gray
Look, fortunes have been made by saving people money on their Splunk bills, right? Like this is one of the weirdest business models in business. But yeah, that's how it works sometimes, right?
Max Lamothe-Brassard
That's right, that's right. And for us it's table stakes, right? We see what we are building as a cloud provider, not a one trick pony. Other totally different example: we've got a company called Blumira that used to be a cloud SIEM, in the cloud SIEM space, wanted to expand into the XDR space. So they came to us and used our agent in a fairly unopinionated way. Just like they would spin up an EC2 instance, and they built their whole product zero to GA in five months. So that's a type of acceleration speed that you couldn't get by, let's try to negotiate that with CrowdStrike. Right, like, good luck.
Patrick Gray
Yeah, I mean what I'm hearing though also is I've asked you for a couple of case studies. They're both service providers in this case, like they're both managed providers. From what I understand, this is where Lima Charlie is quite popular is with those MSSPs, is that correct?
Max Lamothe-Brassard
So that is correct. We are extremely popular in the service space. Where we are popular in the enterprise space is with companies that have a good cybersecurity team, right? Like we kind of joke sometimes the company with two part time cybersecurity people is probably not a good fit. In the same way that if you had two part time IT folks, you don't go and build on AWS, right? You need something easier. But if you have a cybersecurity team and they need to understand the security posture in the company, you want to reduce the cost, you want to streamline and automate processes, right? Automating in a cloud environment is so, so much easier. So those types of enterprise teams, they gain just like the service providers because they need to do things at scale, right? They need to do a lot of automation. Often they have a large footprint to understand and customize around. So that's where we shine as well.
Patrick Gray
So it really is about organizations that have teams that can work on detections and do customizations and things like that. I mean we often hear about major enterprises having detection teams, for example, who can write their own detections and whatnot. But you don't often hear about them like almost doing semi roll your own telemetry collection, right? Is that what people are doing?
Max Lamothe-Brassard
Usually they're not so much on the collection side of things. That's the part that we make easy. That's the part that's a no brainer. Zero to 20,000 endpoints in 30 seconds, that's easy. The part where the detection engineering will come in is when they want, here's the example I give all the time, when WannaCry happened. I remember that morning I went on Twitter and detecting WannaCry was one of the easiest things in cybersecurity ever done. It was one of the easiest threats. It was called WannaCrypt.exe. If you killed it when you saw it, you were done. But how many people that morning woke up and called their vendor and said, like, hey, am I protected against this? And they kind of got one of two answers, right. One was, yeah, yeah, you're totally good. We've got AI, we're solved. I was like, is that not the greatest answer? The other one was, well, we're going to have a patch that's rolling out this afternoon. That's better. But still it's not great when the threat is that easy in theory to just block. So what we do is we make it trivial for those teams to be able to go and have that governance to come in and say, you know what? I want a rule on Windows that if I see this thing, I'm going to go and kill it. Right. And so it's these types of things that they can really dig into Lima Charlie and start to automate things they never thought they could. Right. Some people will collect various forms of forensic information automatically from endpoints and then they'll correlate that with automation around Office 365 and then automatically go and lock out a user. And so we just make that easy. So as long as you want to be able to do these powerful things, we're by far the best platform for that.
Patrick Gray
Do you have many customers who are running your endpoint agent alongside some of the, you know, the bigger EDR companies as well? Because I'd imagine, because what you're describing is just like easy, you know, easy mitigations that you can roll out to every endpoint and, you know, that's fantastic. But do you have people who are using it for that just to fill in some of the blanks from their major providers?
Max Lamothe-Brassard
Absolutely, absolutely. So I'll quote one of our customers: we do a better job detecting using Carbon Black than Carbon Black does with Carbon Black. Right. So we do support all other EDRs. Again, we're built like a cloud, so everything can come in, everything can go out. We don't hold your data hostage in any way. So a lot, especially of service providers, will often have a very eclectic ecosystem of different solutions. And so specifically for the endpoint, what we'll do is we go even beyond that, where we do normalization and encapsulation. So we will take those other EDRs and we will convert that into a single format that you can build your rules against. But we know that not everything converts so well. So what we'll do is we will include the original always in those events so you don't lose anything. What you gain is the ability to have a single set of detection and remediation and playbooks that operates across all of those. So we'll see that in sort of like the service providers that need to support that, and in enterprise. We will see that very often in large enterprise that is coming into Lima Charlie. But they can't just do it all at once. They have to do this in phases. So what they're doing is they will move the security department first, right, into Lima Charlie with the agent, but then connect everything into Lima Charlie. So that way they can immediately get all of kind of the core value, but also over time do their phases. It's really like moving to the cloud.
Patrick Gray
All right. Max Lamothe-Brassard, thank you so much for joining me on the show to walk us through Lima Charlie and what it's all about. Appreciate your time.
Max Lamothe-Brassard
Thanks for having me.
Patrick Gray
That was Max Lamothe-Brassard there with a chat about Lima Charlie. Big thanks to him for that. Next up, we're going to chat with Chris Christensen from Honeywell, and he is the Director of Global Cybersecurity for Honeywell Building Automation. And they have a product they're offering called Cyber Insights, which is for OT environments. It gives you visibility into what's running, what its patch levels are and whatnot. And this is a product that used to be called SCADAfence before Honeywell acquired them. So I'll drop you in here as Chris Christensen explains what Cyber Insights actually does. Here he is.
Chris Christensen
So we acquired a company called SCADAfence, and then we have made it so that it is now a Honeywell product and it's called Cyber Insights. So Cyber Insights is essentially a platform for people who have buildings that are wanting to make sure that they have visibility of all of their different systems that are within the operational technology area. They can see all of their different systems. So it's vendor-agnostic. It works on all different vendor systems, but it gives them a real time view of their assets, their inventory, and then it also helps them to be able to mitigate risk and make sure that if they have any vulnerabilities or issues on their network or on their systems or any of their devices, that it updates them and lets them know that it might need a patch, it might need an update. But it does asset discovery. It enhances the security posture for the customers. It's a great product for our customers and for anybody that owns a facility and is trying to make sure that there's a gap between the OT and the IT team, so that the IT team can see all of the different systems that are in the OT infrastructure.
Patrick Gray
So this is a visibility and discovery tool, less of a network monitoring tool, is that right?
Chris Christensen
Yes.
Patrick Gray
Okay. Right. So now I work with runZero. Right. They do active discovery of OT. There's two camps. There's the "it must be passive, it absolutely must be passive to avoid disruption" camp. And then there's the "well, you're going to miss stuff if you're only doing passive, it must be active" camp. Which approach did you take?
Chris Christensen
We took the approach of having it be passive, making sure that we can hear the things on the existing infrastructure. We haven't had any problems of missing anything as of to date. So there isn't anything that we've missed. But just doing the passive approach makes it so that the customer's environment works more seamlessly. There's not as much interruption. So that's the approach we've taken.
Patrick Gray
Right. So when you deploy this, I'm guessing you're going to need access to SPAN ports and things like that. Like how do you actually go and set this thing up?
Chris Christensen
So you're exactly right. We're going to connect it to a SPAN port, and anything that's coming back to that SPAN port, we're going to hear that device being able to talk and then we're going to be able to pick it up and put it into a nice pretty dashboard so the customers can see the different systems that are there. Gives them the IP address, the MAC address, more information that they will need and that they should have had but maybe didn't necessarily have. They probably had it on an Excel spreadsheet somewhere. But this gives them real time visibility on those things.
Patrick Gray
Yeah, it goes into a spreadsheet that maybe gets updated every three years if you're lucky kind of thing. Right. Like that is frankly how it works. Right. So when people are buying this, they're rolling it out. What are the main things that they're looking for here? I mean, I'm guessing. Look, sadly I'm going to say it, I'm guessing a lot of the time people are buying this for compliance purposes. Did I guess that about right?
Chris Christensen
So at first, no, they weren't buying it just for compliance, but we are seeing a big uptick on that, like with NIS2 in Europe as well as with NIST in America and the different requirements and regulatory controls that are coming out. This does help them be able to have asset visibility. And so we have seen a big, big increase on making sure that they're monitoring these different systems.
Patrick Gray
Yeah, right. Okay, so what is the main driver then for people to actually go and plonk down their hard earned cash on a system like this? What is it they're seeking to achieve?
Chris Christensen
So we're seeing a lot of uptick on operational technologies being attacked. So because again you mentioned that they are vulnerable, they're old, they're legacy systems, it's an easy place for attackers to get in. Now if you don't even know what type of systems you have, you're not able to protect those systems. So the first step is to be able to have visibility so that what you know is there, then you can be able to figure out how to make sure that it's secure. And it's protected.
Patrick Gray
Okay. When you're talking about attacks against OT, we've seen, obviously, things like the Volt Typhoon campaigns that are targeting, I guess, the IT environments, you know, adjacent to OT. But what attacks have we seen targeting OT directly itself?
Chris Christensen
I mean, there's several. One of the biggest ones that always comes to mind for me is the Target HVAC breach that happened several years ago, when they got through on an HVAC system and they got into all of the Target data. So customers' information, credit cards, bank statements, finance items that were in Target. But we're also seeing that those different attacks within OT systems, once they're into the OT area, they sometimes will wait and be able to get into an IT area. So for instance, a card access system: if you have a card access system that's connected to Active Directory, if I can get into that card access server, then I'm going to be able to get into your IT information as well. But more importantly, I think that right now we're seeing a lot of attacks that actually just want to take stuff down. They're not even necessarily looking for Social Security numbers, dates of birth. They're just looking to be able to say, hey, I took down this facility and that's what my greatness is. And so we want to make sure that our customers, or everybody, understands that in order to protect their systems, they need to be able to be aware of what's out there.
Patrick Gray
Yeah. I mean, interestingly enough though, like that Target hack, I wouldn't call that. I mean, it's kind of OT. Right. But that's going to be some Windows server that's controlling the devices. Right. So it's more like traditional bread and butter hacking. The stuff you mention about card systems, that's very interesting. Right. I can absolutely see how that is something where, yeah, if you're running vulnerable card payment devices, you're going to want to know when they need to have a patch. You're going to want to know if you missed one. Absolutely. A clear use case there. And in terms of going into the IT environments, is that actually happening that much though? Have we seen that? I think I seem to remember, like maybe my colleague Catalin covering one of them once.
Chris Christensen
Yeah. And honestly, there's a lot that, as you know, lately with attacks, most organizations, the first place they go is to their legal team to find out what they can or can't say. So a lot of the different attacks, like one of the ones that I think is a great example of this is with the MGM Grand attack, right? So they got into the IT systems, but essentially their OT systems didn't work as well. So if you watched anything on TikTok or saw any of the videos, you would see that individuals would go to the elevator to try to access the room. They wouldn't have access to the elevator because the cards weren't working. They'd go to their rooms, those weren't working. They had to do fire watches. They didn't know if their fire system was up and running. So I think a lot of it is just the disruption that it causes, and that they can get into those types of, you know, fire, card access, HVAC, those types of systems when they're in IT, makes it so that those facilities don't work the way that they're supposed to.
Patrick Gray
But isn't it. Isn't it the case that the reason those systems weren't working is because the attackers had control of the IT systems that were controlling those OT devices?
Chris Christensen
In that example, I'm not sure we knew that they actually had control. They just didn't have visibility of those systems. So when you look at, was their fire system working? It was, right? If there was an actual fire, they would have pulled the alarm and there would have been a fire alarm go off. But even the IT team, they didn't know if those fire systems were working. The card access system, once they got attacked, they just make sure they shut down everything versus just the things that have been attacked, because they didn't want anything else to be infected. So I think from that perspective, you're seeing that all of those things, they don't know enough about them and how they're working with the IT systems. So they don't necessarily separate them in the way that makes it so that you have one system that can work while the other system doesn't. At the same time, it's almost as if the IT team's like, all right, we've got this attack. We want to take everything down.
Patrick Gray
Yeah, okay. I sort of see what you're saying there, which is, you know, having this visibility is a good step to avoid those sort of problems in the first place.
Chris Christensen
Definitely.
Patrick Gray
Yeah, yeah, okay, got it. So in terms of, like, what are the, you know, most alarming findings? You know, you would know, right, when a customer normally goes and installs something like this and then they run it for the first time. You know, we used to hear about when vulnerability scanners first became, you know, something that could be used in enterprise. You would hear about people running their first Nessus scan 15, 20 years ago, and oh my God, they would want to fall over. What's the equivalent sort of war story when it comes to deploying this sort of thing for the first time?
Chris Christensen
It's very similar to what they would have seen then. I mean, when you look at even like a card access system, sometimes customers and individuals, they don't know how many different printers they're running. Right. The IT team has printers on the IT area, but when it comes to the OT area, they're not always aware of even just the different printers that are available. So we recently deployed this onto a customer site, and one of the first things they noticed was there were like five printers that were out of compliance, that hadn't been patched, that hadn't been updated, and immediately they wanted to make sure that they corrected those things. So it really was some of just the basic things that the IT organization looks at and sees. Well, this is on the OT area. It's not something we need to worry about. Oh, wait, this is a printer. We better make sure that we update that and make sure that it's patched correctly as well.
Patrick Gray
Yeah, right. I don't know if you saw there was a recent bit of news about an IP camera being used to ransomware a network, and they did it via access from the IP camera to the file shares, which I guess, you know, is that OT? It's more IoT than OT, but it was still an interesting case.
Chris Christensen
Well, but even in that case, you're exactly right. Like, if somebody can get into your camera system, how much further can they go? Like, because if they're able to do that, like, the capabilities once they're in there, if they shut down all your visibility, if you have an emergency or if something happens, you're not able to actually see what's going on. So your eyes are pinned and you're not able to take care of what needs to be done.
Patrick Gray
So really, to sum up the pitch here, it's about continuous visibility into OT across your network so that you can then better prepare and architect things to put yourself in better shape.
Chris Christensen
Correct. Completely agreed. Yes.
Patrick Gray
All right, that's a great simple pitch. Chris Christensen, thank you so much for joining me to walk through it. Appreciate your time.
Chris Christensen
All right, thank you. Have a great day.
Patrick Gray
That was Chris Christensen there from Honeywell. Big thanks to him for that. And yeah, Cyber Insights for OT, made by Honeywell, should be pretty easy for you to find if that is something you are looking for. So the final company we are hearing from today is Fortra. Fortra is a software company that acquires other software companies, and you know, that's how they grow, and they've had some acquisitions that we've made fun of. Like, I think GoAnywhere MFT is a Fortra product, but they also happen to own Cobalt Strike and Outflank. And Cobalt Strike of course is a sort of infamous C2 framework, where old pirated versions of Cobalt Strike were actually quite popular with, you know, cybercrooks basically, for quite a long time. But they did eventually get a handle on that with all of the, you know, licensing requirements and whatnot. So, you know, I don't know that it's as everywhere as it used to be, but you know, the versions being used out there in the wild didn't really connect to the sort of pro versions and haven't for quite a while. So yeah, Fortra these days, they sell Cobalt Strike and they also have another suite of tools for red teamers called Outflank. And Connor Johnson from Fortra joined me to pitch these tools from Fortra to red teams and explain to us who uses them. Enjoy.
Connor Johnson
Yes, so at Fortra we provide offensive security tools. Cobalt Strike and Outflank are really designed to help red teamers emulate real world cyber attacks. So giving red teams the ability to test environments the same way that an advanced attacker would. I mean, we know today that the threat landscape is getting more and more sophisticated every day. And the tools that we provide ultimately help organizations close those security weaknesses and identify vulnerabilities before an attacker is able to exploit them. So again, Cobalt Strike and Outflank are the red teaming solutions we offer. Cobalt Strike provides the post exploitation capabilities through its Beacon payload and Malleable C2, while Outflank is kind of the new kid on the block, which is a broad set of offensive security tools that covers the entire attack or kill chain and has an emphasis on, like, evasion and OPSEC safe tooling.
Patrick Gray
Yeah, right. So why don't we just start by talking about Cobalt Strike? Right, because as I say, it's been around since the Jurassic era. Is it still popular? Because it was my understanding that, like, EDR tooling and stuff got pretty good at detecting it. So red teamers have kind of moved away from using it a little bit, or is there just, you know, a bunch of use cases where it's still the go to?
Connor Johnson
Yeah, I mean, we still see a lot of red teams that are using Cobalt Strike. I mean, a lot of people have used it over a long period of time, and it's still a really stable, customizable C2 framework that, I mean, our team is continuing to develop and put R&D into. So I mean, we had a new release just a few weeks ago, 4.11, which has some new capabilities and cool things in there. And then with Outflank, I mean, we kind of expand the capabilities of Cobalt Strike, then, I mean, use those two together to enhance those red team processes.
Patrick Gray
So why don't you walk us through Outflank? Because, you know, Cobalt Strike, obviously I'm familiar with, you know, and it's worth reiterating again that like a lot of the issues around weak licensing controls that led to adversaries actually using it, like they've been resolved years ago. And often when you're hearing about, you know, ransomware crews and whatever, using Cobalt Strike, it's pirated, ancient versions. So just get that out of the way. But when it comes to Outflank, you know, it's a tool set that, that I'm not really familiar with. Can you walk us through like, what each component does and you know, what, what you use them to do?
Connor Johnson
Yeah, so I don't know that I can walk you through each component because there's about 30 plus different tools that are available in the toolkit.
Patrick Gray
Well, the big ones then. Give us the headline capabilities then.
Connor Johnson
Yeah, so I mean, really, Outflank is a toolkit that is built by elite red teamers for red teamers, so built for performing in mature, sensitive target environments officially, I guess, simulating techniques that are used by APTs and other cyber attackers. So like I mentioned earlier, the attack chain coverage that we have, we cover the full attack chain from the in phase to the through phase to the out phase. So initial access, lateral movement, privilege escalation, evasion, and much more. So we have our payload generator with EDR presets. If you're going up against a specific EDR, it helps you generate the payload with enhanced, like, anti-forensic-type payloads. Or Hidden Desktop, which you can essentially use to interact with a user's desktop to see what they're doing without them knowing. And I mean, those are just a couple of the tools that we have in there. There's a lot more that goes into it. Just again, that works with Cobalt Strike and also as a standalone product.
Patrick Gray
Yeah, I mean, I'm guessing the reason this is A thing is because like for a long time pen testers have had to maintain, you know, custom tool sets. Right. Like each pen test shop will develop their own tools for this. But you know, as detections and controls have got better, like that just keeps getting harder.
Connor Johnson
Right. I mean, detection is one thing. Going against the EDRs, they're obviously really good these days. So I mean, trying to constantly do your own R&D and develop the tools to go against those EDRs, that's a challenge in itself. But also red teaming as an industry, I mean, there's a lot that goes into it, and I mean teams struggle with keeping up with the rapid pace of adversary attacks and different tooling that they need to use during their engagements. So that's where Outflank comes in. You're essentially outsourcing the research and development phase to the Outflank team to keep up with those advanced tactics that attackers are using.
Patrick Gray
Now I'd imagine some of the bigger security consulting and pen test shops, they're going to stick with their in house stuff, right? Because that's kind of a value add for them. I'd imagine the market for this, and correct me if I'm wrong, would be more of those small to mid size pen test shops as opposed to the global consultancies that do this sort of stuff. Have I got that about right?
Connor Johnson
Yeah, I mean we work with kind of companies of all shapes and sizes. I mean we talk to consultants that are one-, two-man shops, but we also have, I mean, Big Four consultants, top-five banks and so on that are using these solutions to do internal testing and also provide red team services to their customer base. So like I said, I mean it's not something that just small or mid-sized consultants are using. It's kind of really all over the board.
Patrick Gray
And how common is it for internal red teams to be using it? Because that's something you just mentioned there. Like, you know, is it, is it getting more common for like large enterprises just to have those internal teams and use this sort of tooling?
Connor Johnson
Yeah, we've definitely seen an uptick in, I mean, organizations running their own internal red team processes. I mean, of course they still are using third parties to come in and get another set of eyes on things and do that maybe annually, biannually. But we also see that a lot of these large organizations are starting to build out their internal offensive security program and use Outflank, use Cobalt Strike as kind of their primary commercial tools to help perform those engagements.
Patrick Gray
Now I just want to go back to talking about one of the products here, which is the hidden desktop thing, which means you can, once you've dropped the right payload on a box, you can actually pointy clicky, like it's your own desktop around without the user seeing. Right. So the user can be sitting there using their desktop, but you can also be there and like doing stuff and they can't see it. Is that about right?
Connor Johnson
That is correct. And it's when you actually see it live, you're kind of jaw dropped at the, at the look of it. I mean the fact that I could be on my email or in our CRM or doing whatever the case may be and someone could be watching everything I'm doing and I mean seeing my passwords or whatever the case may be. Yeah, that's.
Patrick Gray
But is it just that they're watching or can they also do stuff as well? I mean I'm guessing they can do stuff but that will still be visible to the user. Like I'm wondering how all of that works.
Connor Johnson
Yeah, they can also do stuff. So I mean it's covert interaction on the target desktop. I mean in terms of what they can do and how they can do it, that's run by people a lot smarter than I am. But yeah, it is some pretty cool stuff that the Outflank team has developed there.
Patrick Gray
Now one of the things about this product set I guess is that you do have some community contributions. You know, I'm looking at your website here, it says there's a curated repository of 100 user developed extensions. Is that pen test firms developing modules and stuff that then go into the product and are shared with everybody else. And how hard is it to convince people to give up their extensions so that everybody else can use them?
Connor Johnson
Yeah, so Cobalt Strike has the community kit like you said, with a hundred plus different scripts that are contributed by the community. I mean like we were mentioning earlier, Cobalt Strike has been around for a long period of time and has a large community base. So I mean we see a lot of users of the Cobalt Strike solution, I mean actively contributing to that community kit and, and sharing their tradecraft and ideas with the larger Red Team community. Now that's just the Cobalt Strike piece of it. Now Outflank has an entirely, I guess, same but different type of community. So with the Outflank solution we have two separate type communities. So one is a Slack channel that is dedicated just for the customer and the Outflank team. So that's there for support or questions about documentation, questions about a specific tool or whatever the case may be in an engagement there. The other piece of it is the Community Slack channel. So all the Outflank users get access to that Community Slack channel where you can communicate with other Outflank users. You can share ideas on Red Team engagements. You can ask questions if you're going or struggling with a specific, I guess, topic or going against an EDR in those engagements. That's where you can really share with that entire community to share that tradecraft and share knowledge amongst all the other outflank users.
Patrick Gray
Now, I got one final question, which is, you know, pen testers are the group of people in the world that I would least like to be a salesman. Like dealing with that group of people. Right, because you're talking about when it comes to the technology, among the most, you know, educated and proficient people, when it comes to actual hard tech. You know, you work in sales, you're an account executive on this stuff. I just got to ask, what's it like selling technology to pen testers?
Connor Johnson
Yeah, I mean, it's. It's different every day. I think that's the great part of it, is all the use cases are different. And I mean, you're talking to very smart and interesting people. I mean, lucky for me, I have some very, very smart people that are built around me here at Fortra. And I mean, some of the best red teamers that are out there and offensive security professionals in the industry. So having those guys to back me up when I might not know the answer to a question or we need to show something cool, I mean, that's always a benefit for me, that's for sure.
Patrick Gray
All right, well, Connor Johnson, thanks so much for joining us on this edition of Snake Oilers to pitch us Fortra's offensive security tooling solutions, Cobalt Strike and Outflank. Great to meet you.
Connor Johnson
You as well. Thank you.
Patrick Gray
That was Connor Johnson from Fortra there talking about Outflank and Cobalt Strike, which are software packages that are used by Red Teamers. So big thanks to them for that. And that is it for this edition of Snake Oilers. I do hope you enjoyed it. I'll be back soon with more security news and analysis, but until then, I've been Patrick Gray. Thanks for listening.
Risky Business Podcast Summary: Snake Oilers Episode Featuring LimaCharlie, Honeywell Cyber Insights, CobaltStrike, and Outflank
Release Date: April 28, 2025
In this dynamic episode of Risky Business, host Patrick Gray delves into the competitive landscape of cybersecurity solutions through the "Snake Oilers" segment. This edition features pitches from three prominent companies: LimaCharlie, Honeywell Cyber Insights, and Fortra, each presenting their cutting-edge tools designed to bolster security operations. The episode provides insightful discussions on the functionalities, use cases, and strategic advantages of these products, enriched with notable quotes and detailed explanations.
Guest: Max Lamothe-Brassard, CEO and Founder of LimaCharlie
Timestamp: [00:04] - [15:03]
Overview: LimaCharlie positions itself as a cloud platform for Security Operations (SecOps). Lamothe-Brassard articulates the company's vision of offering "cybersecurity primitives" in the way cloud providers deliver infrastructure services. This modular approach lets organizations build and customize their security posture without being tied to monolithic solutions.
Key Features:
Cloud Provider for Cybersecurity: LimaCharlie functions as a cloud provider, delivering essential security tools like Endpoint Detection and Response (EDR), automation agents, telemetry ingestion, and data routing. This framework enables rapid scaling, such as deploying protection for "20,000 endpoints in the next five minutes" ([00:04], [02:03]).
Telemetry and Automation: The platform offers full telemetry retention for a year at a fraction of the cost compared to traditional storage solutions. Its automation engine standardizes detection processes across various data sources, simplifying the management of security alerts and responses ([02:03]).
Modular and Flexible: Unlike vendors that offer all-in-one solutions, LimaCharlie provides "LEGO-like blocks" allowing enterprises to construct their security architectures tailored to specific needs. This flexibility ensures that organizations can identify what they are protected against and where gaps exist ([03:42]).
Case Studies: Lamothe-Brassard shares real-world applications where LimaCharlie has enabled service providers to consolidate multiple security tools into a single platform, achieving significant cost reductions. For instance, one service provider reduced their infrastructure spend by 70% by leveraging LimaCharlie's unified detection and telemetry management ([08:55]).
Notable Quote: “We are built like a cloud provider. So, everything can come in, everything can go out. We don't hold your data hostage in any way.” — Max Lamothe-Brassard, LimaCharlie ([13:23])
Guest: Chris Christensen, Director of Global Cybersecurity for Honeywell Building Automation
Timestamp: [15:03] - [25:47]
Overview: Honeywell Cyber Insights, formerly SCADAfence before its acquisition by Honeywell, provides a platform tailored for Operational Technology (OT) environments. Patrick Gray explores how Cyber Insights bridges the gap between IT and OT by offering asset visibility and asset management.
Key Features:
Asset Discovery and Visibility: Cyber Insights continuously monitors and inventories all OT assets across facilities, providing real-time insights into system statuses, patch levels, and vulnerabilities. This passive monitoring approach ensures minimal disruption to existing operations ([17:09]).
Risk Mitigation: The platform alerts IT teams to vulnerabilities and potential issues, facilitating proactive patch management and security enhancements. This capability is crucial as OT systems often consist of legacy devices that are susceptible to attacks ([16:51]).
Compliance and Regulation: With increasing regulatory demands like NIST updates in both Europe and America, Cyber Insights assists organizations in maintaining compliance by ensuring thorough asset visibility and security posture management ([18:29]).
Deployment Approach: Cyber Insights emphasizes a passive deployment strategy, utilizing span ports to monitor network traffic without intrusive measures. This method ensures seamless integration with existing infrastructures, avoiding the pitfalls of active scanning, which can disrupt OT operations ([17:30]).
Use Cases and Threats: Christensen highlights the rising trend of attacks that reach OT systems, citing the 2013 Target breach, in which attackers used network credentials stolen from an HVAC contractor to get into Target's corporate network and ultimately compromise payment-card data. He underscores the importance of visibility in preventing such breaches and ensuring the operational integrity of critical systems ([19:41], [22:32]).
Notable Quote (timestamp [11:14] falls within the LimaCharlie segment, [00:04] - [15:03]): “We make it trivial for those teams to be able to have that governance to come in and say, you know what? I want a rule on Windows that if I see this thing, I'm going to go and kill it.” — Max Lamothe-Brassard, LimaCharlie ([11:14])
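The passive-monitoring approach described above (inventory from mirrored traffic rather than active probing) is easy to show in code. The block below is an added example, not Honeywell's or Cyber Insights' code: it builds an OT asset inventory from flow records as they would be taken off a SPAN port, classifies devices by the industrial protocols they serve or initiate, and reports devices and OT servers that an earlier baseline did not contain. The MAC addresses, IP addresses, flow records and baseline are constructed for illustration; the protocol-to-port table uses the standard port assignments.

```python
"""Added example, not Honeywell's or Cyber Insights' code: a passive OT asset
inventory built from flow records mirrored off a SPAN port, plus a check for
devices and OT servers that were not in an earlier baseline.
All MACs, IPs, flow records and the baseline below are constructed."""
from dataclasses import dataclass, field

# Well-known industrial protocol ports (standard assignments, not assumptions).
OT_PORTS = {
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 102): "Siemens S7comm (ISO-TSAP)",
    ("tcp", 20000): "DNP3",
    ("tcp", 44818): "EtherNet/IP",
    ("udp", 47808): "BACnet/IP",
}

@dataclass
class Asset:
    mac: str
    first_seen: str
    last_seen: str
    ips: set = field(default_factory=set)
    serves: dict = field(default_factory=dict)   # OT protocol -> when first seen serving it
    client_of: set = field(default_factory=set)  # OT protocols this device initiates

# Constructed hosts.
HMI_MAC, ENG_MAC = "00:50:56:aa:00:20", "00:50:56:aa:00:30"
PLC1_MAC, PLC2_MAC = "00:1c:06:00:00:50", "00:1c:06:00:00:51"
FILE_MAC, BAC1_MAC, BAC2_MAC = "00:50:56:aa:00:05", "00:40:ae:00:00:08", "00:40:ae:00:00:09"

# Constructed flow records: (timestamp, src_mac, src_ip, dst_mac, dst_ip, l4, dst_port).
FLOWS = [
    ("2025-04-28T08:00:00Z", HMI_MAC, "10.10.1.20", PLC1_MAC, "10.10.1.50", "tcp", 502),
    ("2025-04-28T08:00:01Z", HMI_MAC, "10.10.1.20", PLC2_MAC, "10.10.1.51", "tcp", 102),
    ("2025-04-28T08:00:05Z", HMI_MAC, "10.10.1.20", FILE_MAC, "10.10.1.5", "tcp", 445),
    ("2025-04-28T08:02:00Z", ENG_MAC, "10.10.1.30", PLC1_MAC, "10.10.1.50", "tcp", 502),
    ("2025-04-28T08:02:03Z", ENG_MAC, "10.10.1.30", PLC2_MAC, "10.10.1.51", "tcp", 102),
    ("2025-04-28T08:05:00Z", BAC1_MAC, "10.10.2.8", BAC2_MAC, "10.10.2.9", "udp", 47808),
]

# Baseline from a previous observation window (constructed).
BASELINE_MACS = {HMI_MAC, PLC1_MAC, PLC2_MAC, FILE_MAC}
BASELINE_SERVERS = {(PLC1_MAC, "Modbus/TCP"), (PLC2_MAC, "Siemens S7comm (ISO-TSAP)")}

def build_inventory(flows):
    """Purely observational: nothing is probed, so no device is disturbed."""
    assets = {}

    def touch(mac, ip, ts):
        asset = assets.setdefault(mac, Asset(mac=mac, first_seen=ts, last_seen=ts))
        asset.ips.add(ip)
        asset.last_seen = ts
        return asset

    for ts, smac, sip, dmac, dip, l4, dport in flows:
        src, dst = touch(smac, sip, ts), touch(dmac, dip, ts)
        proto = OT_PORTS.get((l4, dport))
        if proto:  # the destination answers on an OT port, so it is the server side
            dst.serves.setdefault(proto, ts)
            src.client_of.add(proto)
    return assets

def classify(asset):
    if asset.serves:
        return "field device/controller serving " + ", ".join(sorted(asset.serves))
    if asset.client_of:
        return "supervisory client (HMI/SCADA/engineering)"
    return "unclassified"

def new_since_baseline(assets, baseline_macs):
    """MACs seen in this window that the baseline inventory did not contain."""
    return sorted(mac for mac in assets if mac not in baseline_macs)

def new_ot_servers(assets, baseline_servers):
    """(mac, protocol) pairs now serving an OT protocol that the baseline did not list."""
    return sorted((mac, proto) for mac, a in assets.items()
                  for proto in a.serves if (mac, proto) not in baseline_servers)

if __name__ == "__main__":
    inv = build_inventory(FLOWS)
    for mac, a in inv.items():
        print(mac, sorted(a.ips), classify(a))
    print("new devices:", new_since_baseline(inv, BASELINE_MACS))
    print("new OT servers:", new_ot_servers(inv, BASELINE_SERVERS))
```

Two things fall out of the run that a practitioner cares about: the engineering workstation is new but only behaves as a client, whereas the second BACnet host is new and serving a protocol, which is the case that warrants a closer look. Because classification rests on observed traffic alone, a device that is never talked to during the window simply stays unclassified rather than being probed.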
Guest: Connor Johnson, Offensive Security Solutions Lead at Fortra
Timestamp: [25:47] - [38:23]
Overview: Fortra steps into the spotlight with its suite of offensive security tools, Cobalt Strike and Outflank, designed to emulate real-world cyber attacks. Connor Johnson elucidates how these tools empower Red Teams to identify and mitigate vulnerabilities effectively, keeping pace with the evolving threat landscape.
Key Features:
Cobalt Strike: A venerable Command and Control (C2) framework, Cobalt Strike offers advanced post-exploitation capabilities through its beacon payload and malleable C2. Despite heightened EDR detections, Cobalt Strike remains a staple for many Red Teams due to its stability and customizability. Johnson notes that with continuous R&D, Cobalt Strike remains relevant, evident in its recent release (v4.11) introducing new functionalities ([28:39]).
Outflank: Serving as a complementary toolkit to Cobalt Strike, Outflank features over 30 tools that cover the entire attack kill chain—from initial access to privilege escalation and evasion. Emphasizing operational security (OPSEC) and evasion techniques, Outflank is designed for mature and sensitive target environments ([30:01]).
Community and Collaboration: Both Cobalt Strike and Outflank benefit from active community engagement. Cobalt Strike boasts a "community kit" with over 100 user-developed scripts, while Outflank fosters collaboration through dedicated Slack channels where users share insights and enhancements ([35:22]).
User Base: Fortra's solutions cater to a broad spectrum of users, from solo consultants and small to mid-sized pen test firms to large enterprises with internal Red Teams. This versatility ensures that organizations of all sizes can leverage these tools to enhance their security postures ([32:36]).
Deployment and Integration: Johnson highlights that many organizations are increasingly adopting internal Red Teams, supplementing annual external assessments. Tools like Cobalt Strike and Outflank facilitate these internal efforts by providing comprehensive capabilities that align with the methodologies of sophisticated threat actors ([33:23]).
Notable Quote: “Outflank is a toolkit that is built by elite red teamers for red teamers... covering the full attack chain from the in phase to the out phase.” — Connor Johnson, Fortra ([30:01])
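The Cobalt Strike feature summarised above rests on Malleable C2: a profile that dictates what Beacon's HTTP traffic looks like on the wire, which is also why defenders can fingerprint it. As an added example (not Fortra's, Cobalt Strike's or Outflank's code), the block below parses a constructed profile excerpt written in the profile syntax (`set` statements, `http-get`/`client`/`server` blocks, `header` lines), extracts the http-get URIs, User-Agent and client headers, and flags proxy-log requests that match them. The profile values, the log-line format and the `find_beacon_candidates` helper are assumptions made for illustration.

```python
"""Added example (not Fortra's or Outflank's code): parse a Malleable C2
profile excerpt and turn its http-get section into a web-proxy log match.
The profile text and the log lines are constructed for illustration."""
import re
import shlex

# Constructed profile excerpt in Malleable C2 syntax.
PROFILE = r'''
# comments start with '#'
set sleeptime "30000";
set jitter    "20";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36";
http-get {
    set uri "/api/v1/status /api/v1/health";
    client {
        header "Accept" "application/json";
        header "Accept-Language" "en-US,en;q=0.9";
        metadata { base64url; prepend "session="; header "Cookie"; }
    }
    server {
        header "Content-Type" "application/json";
        output { base64; print; }
    }
}
'''

# Tokens: a double-quoted string, one of { } ;, or a bare word.
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|[{};]|[^\s{};"]+')

def tokenize(text):
    without_comments = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    return TOKEN_RE.findall(without_comments)

def unquote(tok):
    return tok[1:-1].replace('\\"', '"') if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok

def parse_block(tokens, i=0):
    """Recursive-descent parse of `stmt ;` and `name { ... }` into a nested dict."""
    node = {"set": {}, "header": [], "blocks": {}, "stmts": []}
    while i < len(tokens):
        if tokens[i] == "}":
            return node, i + 1
        j = i
        while j < len(tokens) and tokens[j] not in (";", "{", "}"):
            j += 1
        stmt = [unquote(t) for t in tokens[i:j]]
        if j < len(tokens) and tokens[j] == "{":
            child, j = parse_block(tokens, j + 1)
            node["blocks"].setdefault(stmt[0] if stmt else "_", []).append(child)
            i = j
            continue
        if len(stmt) == 3 and stmt[0] == "set":
            node["set"][stmt[1]] = stmt[2]
        elif len(stmt) == 3 and stmt[0] == "header":
            node["header"].append((stmt[1], stmt[2]))
        elif stmt:
            node["stmts"].append(stmt)
        i = j + 1 if j < len(tokens) and tokens[j] == ";" else j
    return node, i

def http_get_fingerprint(profile_text):
    """The observables a defender gets for free from the http-get section."""
    root, _ = parse_block(tokenize(profile_text))
    get = root["blocks"]["http-get"][0]
    client = get["blocks"]["client"][0]
    return {
        "useragent": root["set"].get("useragent", ""),
        "uris": set(get["set"].get("uri", "").split()),  # 'set uri' may list several
        "headers": dict(client["header"]),
    }

# Constructed proxy log lines: ts src method uri "user-agent" "Header: value" ...
LOG_LINES = [
    '2025-04-28T10:00:01Z 10.0.0.5 GET /api/v1/status "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" "Accept: application/json" "Accept-Language: en-US,en;q=0.9" "Cookie: session=aGVsbG8"',
    '2025-04-28T10:00:02Z 10.0.0.7 GET /api/v1/status "curl/8.4.0" "Accept: */*"',
    '2025-04-28T10:00:03Z 10.0.0.9 GET /api/v1/health "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" "Accept: application/json" "Accept-Language: fr-FR"',
    '2025-04-28T10:00:31Z 10.0.0.5 GET /api/v1/health "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" "Accept: application/json" "Accept-Language: en-US,en;q=0.9" "Cookie: session=d29ybGQ"',
]

def parse_log_line(line):
    ts, src, method, uri, ua, *hdrs = shlex.split(line)
    headers = dict(h.split(": ", 1) for h in hdrs)
    return {"ts": ts, "src": src, "method": method, "uri": uri, "ua": ua, "headers": headers}

def matches(fp, req):
    return (req["method"] == "GET" and req["uri"] in fp["uris"]
            and req["ua"] == fp["useragent"]
            and all(req["headers"].get(k) == v for k, v in fp["headers"].items()))

def find_beacon_candidates(profile_text, lines):
    """(ts, src, uri) for every request whose URI, User-Agent and headers match the profile."""
    fp = http_get_fingerprint(profile_text)
    return [(r["ts"], r["src"], r["uri"]) for r in map(parse_log_line, lines) if matches(fp, r)]

if __name__ == "__main__":
    for hit in find_beacon_candidates(PROFILE, LOG_LINES):
        print("possible beacon check-in:", hit)
```

On the constructed input the two hits come from the same host 30 seconds apart, which is the `sleeptime` the profile set. The lesson is the symmetry: every value in the profile is a knob for the operator and an indicator for the defender, so an exact-match rule like this only catches operators who reuse a known profile. Durable detection leans on the default profiles that pirated copies tend to ship with, on beacon timing, and on host telemetry rather than on any single profile.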
This episode of Risky Business underscores the diverse approaches companies are taking to address the multifaceted challenges of cybersecurity. LimaCharlie offers a flexible, cloud-native platform that streamlines SecOps operations, Honeywell Cyber Insights delivers critical visibility into OT environments to safeguard against targeted attacks, and Fortra equips Red Teams with sophisticated tools to simulate and mitigate advanced threats. Each company brings a unique value proposition to the table, reflecting the dynamic and evolving nature of the cybersecurity landscape.
By featuring these solutions, Risky Business provides valuable insights for information security professionals seeking to enhance their defense mechanisms, optimize their operations, and stay ahead of emerging threats.