silence-is-best · October 25, 2021 11:10 · 11philip22 · Oct 25, 2021
diff --git a/gistfile1.txt b/gistfile1.txt
 Team,

 	In light of recent understanding in the use of your product, Cobaltstrike, in ransomware engagements I've felt compelled to write this.  I'm not going to flower this up, so I'll jump right to it.
 	
 	What I'm asking for:
 		For CoreSecurity to evaluate the human cost versus the company profits of CobaltStrike.
 		For CoreSecurity to at least internally acknowledge that CobaltStrike is now an integral part of the ransomware ecosystem.
 		For CoreSecurity to provide assistance to incident responders.
 		For CoreSecurity to implement additional controls and mitigations (suggestions below) on CobaltStirke.
 		
 	What I'm NOT asking for:
 		To stop making CobaltStike.  Nobody questions it's usefulness or effectiveness.
 	
 	Some possible additional controls and mitigation's (some, none, all, of these may be possible/feasible, or are already in place..forgive my ignorance in these cases):
 		Hardcode a hardware ID (h/t Imminent RAT) to easily track validated purchasers
 		Implement "phone home" before execution.  Yes, defenders might catch this, but imagine if your phone home servers start seeing connections from high profile companies not in your purchasers list...you might become part of the solution.
 		As seen suggested online, implement a kill switch.  Valid incident response companies could provide the above hardware ID for example.
 		
 	I realize that some of these can be defeated with varying skill levels, which is why the onus would be upon you to make them as difficult to subvert as possible.  This would at minimum raise the skill bar for ransomware gangs.
 		
 	I think most people know that the real way to stop ransomware is to make it unprofitable for threat actors and ransomware gangs.  Sadly, I also believe that this will not happen soon (if at all), so other mitigations should be explored (this being one of them).

 Thank you.

 James
	Team,

	In light of recent understanding in the use of your product, Cobaltstrike, in ransomware engagements I've felt compelled to write this. I'm not going to flower this up, so I'll jump right to it.

	What I'm asking for:
	For CoreSecurity to evaluate the human cost versus the company profits of CobaltStrike.
	For CoreSecurity to at least internally acknowledge that CobaltStrike is now an integral part of the ransomware ecosystem.
	For CoreSecurity to provide assistance to incident responders.
	For CoreSecurity to implement additional controls and mitigations (suggestions below) on CobaltStirke.

	What I'm NOT asking for:
	To stop making CobaltStike. Nobody questions it's usefulness or effectiveness.

	Some possible additional controls and mitigation's (some, none, all, of these may be possible/feasible, or are already in place..forgive my ignorance in these cases):
	Hardcode a hardware ID (h/t Imminent RAT) to easily track validated purchasers
	Implement "phone home" before execution. Yes, defenders might catch this, but imagine if your phone home servers start seeing connections from high profile companies not in your purchasers list...you might become part of the solution.
	As seen suggested online, implement a kill switch. Valid incident response companies could provide the above hardware ID for example.

	I realize that some of these can be defeated with varying skill levels, which is why the onus would be upon you to make them as difficult to subvert as possible. This would at minimum raise the skill bar for ransomware gangs.

	I think most people know that the real way to stop ransomware is to make it unprofitable for threat actors and ransomware gangs. Sadly, I also believe that this will not happen soon (if at all), so other mitigations should be explored (this being one of them).

	Thank you.

	James