The Microsoft Threat Intelligence Podcast 8.14.24
Ep 25 | 8.14.24

Disrupting Cracked Cobalt Strike

Transcript

Sherrod DeGrippo: Welcome to the "Microsoft Threat Intelligence" podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cyber security. It might get a little weird. But don't worry. I'm your guide to the back alleys of the threat landscape. The effort to knock cracked Cobalt Strike offline began in 2021 when DCU, an eclectic global group of cybercrime fighters, wanted to make a bigger dent on the rise in ransomware attacks. Previous operations had targeted individual botnets like TrickBot and Necurs separately. But ransomware investigator Jason Lyons proposed a major operation, targeting many malware groups and focused on what they had in common: their use of cracked, legacy Cobalt Strike. Welcome to the "Microsoft Threat Intelligence" podcast and oh boy, we're talking cracked Cobalt Strike takedown, and I am joined by my guests Richard Boscovich, also known as "Bosco," Assistant General Counsel at Microsoft, Jason Lyons, Principal Investigator with the DCU at Microsoft, and Bob Erdman, Associate VP Research and Development at Fortra. Thank you for joining me. >> Thanks for having us. >> Thank you. There's a lot of really interesting articles written about the Cobalt Strike takedown. And it happened about a year ago. So, I think Jason, since you're sort of the lead in the technical aspect of the start of this, can you kind of walk me through what happened here and why Microsoft chose to partner with Fortra to take down cracked Cobalt Strike?

Jason Lyons: Yes, there was obviously a -- I think we started about two years ago, a really renewed effort to really understand the ransomware ecosystem. There was a lot of effort inside Microsoft to really understand how ransomware was impacting our customers around the world, not only from an antivirus protection or OS protection, but there was also from a digital crime scene perspective of, "How do we identify these threat actors? How do we possibly disrupt ransomware?" And, you know, "What are the possible mechanisms we can use to disrupt the distribution of ransomware?" So, we have a lot of different internal teams inside Microsoft that do a lot of different great work. We have our incident response folks who respond to customer environments. We have our MSTIC folks that are tracking it and grouping threat actors together. So, there's a lot of input signals inside Microsoft. And as I was, you know, examining the ransomware ecosystem, there kept being one commonality popping up and that was the use of cracked Cobalt Strike in these ransomware attacks.

Sherrod DeGrippo: So, Bob, help me understand, with Cobalt Strike, which being in the trenches for a long time, we've battled cracked Cobalt Strike for years. Help me understand legitimately what Cobalt Strike is used for and then what threat actors were doing with it.

Bob Erdman: So, Cobalt Strike is an adversary emulation or red teaming tool. So, it allows defenders to go in and test the defenses of the networks. Look for areas that could be compromised by a threat actor and show how they could harden that, make sure that they're giving the best protection to their enterprises that they can. And what we had -- this is a tool that Fortra took over a few years ago, developed by somebody else, and then we brought that into our fold of our security tools. And what we're seeing, and I think it especially started to grow in proliferation during COVID was that threat actors were getting copies of the tool illegally and using it for the same types of purposes. They were going out and breaking into an enterprise, and then using Cobalt Strike as part of their attack chain and using it to gain lateral movement and exfiltrate data from unsuspecting victims. So, this is something that we have been working on and we're really happy to work with Microsoft to even have a greater effect on this.

Sherrod DeGrippo: So, I guess now is a great time to ask Bosco, I don't understand the legal mechanisms here to take something like this down. I know that it leveraged DMCA, which I think is creative and wild, and the DMCA is so controversial. Whose idea was this? Where did this come from? Help us understand from a legal perspective like, how did this happen?

Richard Boscovich: Yes, the DMCA's always polarized a lot of people on both sides, right? It was originally meant, the Digital Millennium Copyright Act, came -- it's been around for a long time. And its main purpose, if not its primary purpose, was to protect copyrights, copyright holders. And when you think about -- of the statute itself, it was meant to protect music, artists, movies, things like that. And any type of copyrighted work. What we did at the DCU, a couple of operations ago so to speak, is try to expand our toolset from a legal perspective and include the DMCA in a unique way, specifically against ZLoader and Necurs, where we started looking at malware and trying to understand whether or not the malware was using any of our APIs or SDKs in their processes. And the reason why, you know, we came up with that idea, you know, there was a case -- I call it the Google versus Oracle which actually ended up going to the Supreme Court. It was a 9th Circuit case. And one of the key issues there, if not the issue, was the use of Java by Google, which of course is owned by Oracle. Long story short, the concept of whether APIs fall within copyright protection was addressed in that case, and then eventually it went to the Supreme Court and although the case itself was overruled, meaning that Google won the war in the sense that, "Hey, the court said that it was fair use," but the underlying legal concept that APIs are in fact copyrightable remained. So, that's still a good law. So, we wanted to check to see whether or not we could use that for one primary purpose when we did a couple of operations before the actual Cobalt Strike operation, and that was, "Can we kind of get around the Computer Decency Act, Section 230, which gives immunity to a lot of hosting providers, and there's a lot of good hosting providers, but there's some hosting providers that are somewhat recalcitrant in how they react--

Sherrod DeGrippo: I love that. They're recalcitrant. And mention, is this typically referred to as the Safe Harbor piece or--

Richard Boscovich: Yes.

Sherrod DeGrippo: -okay, so it's the Safe Harbor of DMCA which to my understanding, it protects ISPs from if it's automatically uploaded, then hey, not liable as a hosting provider.

Richard Boscovich: Yes, and the CDA, yes. And for the--

Sherrod DeGrippo: And the CDA.

Richard Boscovich: -yes, yes. Section 230, which is actually getting a lot of attention the last couple of years. So, the great thing about the DMCA, it's really the -- currently the only exception to that Section 230. So, there was a carve-out at the DMCA, so I looked at that and I would say that this is what we should probably try to leverage to be much more aggressive in our takedowns when it comes down to infringing malware of command and control structures. So, we tested that concept in a couple of cases previously, and it worked. The courts agreed. They relied on the Google Oracle case, and then they said, "Yes, that it in fact is applicable." So, fast forward now with Cobalt Strike, so we wanted to get that same type of impact, get the biggest hammer possible which is the DMCA hammer, to take away and take down these cracked versions of Cobalt Strike, which of course are copyrightable. And also, we did a lot of reverse engineering. This is something that Jason Lyons could talk to on some of the ransomware that was being dropped after the leveraging of Cobalt Strike, and a lot of that reverse engineering again identified APIs belonging to Microsoft, which are copyrightable and had been copyrighted in that -- in those ransomware samples as well. So, it was kind of looking at it from a nice, holistic way of getting the most leverage possible to persuade aggressively these hosting providers to take those C2s or infringing sites down, which were hosting, distributing or somehow leveraging Cobalt Strike. And it was very effective, because remember, the DMCA, and here's really the kicker, is that they have -- the statute itself has very serious financial penalties. If it's not taken down, the fines in the DMCA go up very fast. In fact, there was a case that we filed in the Eastern District of Virginia which was interesting.
We were filing one of our cases and I think I was there with Jason Lyons, and it might have been TrickBot or ZBoot [phonetic], I don't remember right now. But there was a jury that was about to be instructed. It had just left. And little did we know that a couple months later we find out that that was the jury that awarded, in the DMCA case, I think it was something upwards of a billion-dollar jury verdict against a major internet service provider or telco company. So, that shows you how big a hammer the DMCA is. So, it's a very great cause of action to use in these cases.

Sherrod DeGrippo: You could even say the DMCA is a ban hammer in a way. It's a big old ban hammer.

Richard Boscovich: It's like a door. It's a door.

Sherrod DeGrippo: So, I guess Jason, the question for you then is, it sounds like you were able to find a lot of cracked Cobalt Strike instances out there, either via beacons or servers, how did you find those?

Jason Lyons: Yes, so we took a multi-source approach to identifying what we believed to be cracked Cobalt Strike. The kicker is that the only people that really know what is cracked or compromised Cobalt Strike is Fortra, right? So, I was going to this exercise of you know, working with our Windows Defender folks, collecting beacons because Windows Defender detects any version of Cobalt Strike as malware. We were using some open-source tools like Shodan and other threat intelligence companies like RiskIQ which is now a Microsoft company. Some of their threat intelligence, because of all these different services were out there collecting cracked Cobalt Strike beacons. And so, we just started collecting as much as -- data as we could from multiple sources. And then doing the -- basically like a frequency analysis of like how -- what watermarks of Cobalt Strike do we see the most frequently, and then obviously looking and extracting the value out of those watermarks, you can quickly kind of tell what's been cracked or forged. But again, it's all theoretical exercise until we were able to partner with Fortra who they could actually give us the definitive list of what was cracked, according to them. And then we could apply that to our take-down pipeline.

Sherrod DeGrippo: Bob, how'd you make that decision?

Bob Erdman: I think it was a pretty easy one for us. Fortra on its own was kind of heading down that same path. We were doing our own surveys and investigations. We had our own set of partners that we were working with to gather data on where we were seeing these things out across the internet, and we were actually using the DMCA in much more of a traditional fashion, looking for the places that the software was being shared, where these actors were getting their copies from. And then using the DMCA to knock down those sharing sites and those places where the files are proliferating. But once Microsoft reached out, being able to combine the telemetry data that they were seeing, which in a large part was different than the telemetry data that we were seeing, it really gave us a much broader picture of what was going on in the internet at-wide. And then it's very easy for us to tell as the license issuers which copies were legitimate and which copies weren't. Sometimes it's easy. Jason can look at a fake watermark and it's pretty obviously fake, but a lot of times we can't really tell without going back and seeing if it had ever been issued or maybe was issued and somebody lost control of their environment and it had been compromised. Those also go on the list. So, it let us quickly make that determination and really Microsoft had a bigger scale than we could go after. We weren't seeing all the effects that we wanted to, and being able to partner, you know, let us combine forces and really reach out a lot farther.

Sherrod DeGrippo: So, prior to the contact from Microsoft, you were doing traditional DMCA notification submissions to ISPs that had like forums and hosting of cracked Cobalt Strike?

Bob Erdman: Social media type sites, forums and hosting, anonymous file share sites, and passing IOCs out to the community, but it was really more -- we see this server over here, we know it's bad, here's an IP at a port but we didn't have the tools to really take it down. We could just identify it and try and make everybody know that it's there. So, it was really giving us one more step in the chain to really go after these providers and knock it down with the DMCA theory that Bosco provided.

Sherrod DeGrippo: So, Bosco, that makes me want to ask you then, it sounds like this strategy was not to just submit the traditional DMCA notification to hosts. What did we do that was different than that that leveraged the DMCA, because I saw there was like an order from a judge that gave us some kind of extra legitimacy. What is that?

Richard Boscovich: The DMCA itself has a statutory mechanism and it depending how you kind of set up the program, in and of itself is a really, as you mentioned earlier, a big hammer. And it has one of the financial penalties. But it's kind of a series you really have to follow the statute very carefully. It's kind of a quick interaction between where notification goes out, which has to provide a certain amount of quantitative information. That information is going to be a response. And depending on the response, it's taken down or there's a potential for litigation. That's the traditional statutory DMCA, which is very effective, but it takes some time. What we've done is that we went ahead, and we said, "Okay, we're going to have causes of action of the DMCA but we're going to get court orders." Now, the court order changed the dynamics of that statutory, you know, dance of communications back and forth, and accelerates it, because now there's a federal court order directed at the hosting provider. So, you speed things up exponentially. So, that process of taking things down goes much, much faster. So, that's what we did. We kind of you know, accelerated the process by seeking the court's intervention via court orders, pursuant to DMCA and a host of other both common law and other types of causes of action to accelerate the take down process. Not only on the sites hosting, but there was always a component of domain seizure which was very integral to the operation and was going in parallel also with court orders to seize domains that were also leveraging a cracked Cobalt Strike.

Sherrod DeGrippo: That is so fascinating because that's not the traditional understanding that most people have to the way the DMCAs leverage. To my understanding, like you submit a DMCA notification to a host that you're a copyright owner, and that user that's uploaded has the option to take it down or submit a counter-notification saying, "Hey, get out of here. If you really want to deal with this, take me to court." So, my question is, did we get any kind of pushback or counter-DMCAs or anybody that said, "Hey, I'm not taking this out. Not, not a single one. Okay."

Richard Boscovich: Not domestically. I mean obviously we're talking about within the U.S. jurisdiction. You know, once the court order came back and to the credit both of Fortra and Jason Lyons and the DCU and Microsoft teams, we presented overwhelming evidence, and very specific evidence to the court, and that really assisted us in getting these orders. And then, kind of really made the court's job easier from that perspective. And once we had those orders locked in, it was basically -- you know, it goes out. The order goes out. The sites go down.

Sherrod DeGrippo: And what do you think it was that was compelling to a judge to say, "You know what? Enough is enough. I'm ready to do an order"?

Richard Boscovich: Well, it's a great question, especially when it comes to the domain seizure side. One of the things that a lot of lawyers understand is that the courts are really overburdened. They're listening to a lot of cases, you know? A lot of criminal cases, a lot of cases, even at the federal level. So, many times, you know, when a federal judge sees that the copyright or an IP type case from a civil perspective, they kind of view it, "Oh, my God. It's Microsoft." "Oh, it's Fortra," or it could be whatever multinational coming in, trying to protect itself. It deals with the case a little bit differently. What we try to do and what we have to do, especially on the domain seizure side because we're seizing something ex parte that we're going to seize the domain first and then give notice to defendant. There's a balancing test that we have to do, because that's a constitutional question and that is a balancing test on, "Does the public harm outweigh the defendant's right to prior notice?" So, what that means basically is that we have to show that, "Hey, yes, this is an IP case. It's a copyright case. We want to seize something, but it's not only to protect Microsoft's IP or to protect Fortra's IP. There's a huge public policy, public safety component." And we always do a very good job of explaining, "Well, this is what's happening with the cracked Cobalt Strike. It's leading to all of these bad things happening to the public, to consumers, to end users," and that's a very compelling argument. It meets our requirement to the statute. And it allows the court to view the case very differently from a standard copyright case. And it becomes a case which is really more for public good, for public welfare.

Sherrod DeGrippo: I think that's so interesting because one of the constituents that you didn't mention that I would like to mention is detection engineers really benefitted from this, because for years, cracked Cobalt Strike was just a pain in the rear for those who create detections and security products because it was a constant battle to say, "Oh, that's a cracked Cobalt Strike beacon." So Bob, my question for you is, what has been the impact from your point of view, from your perspective, over the past year? What's the difference today versus before this action took place for you?

Bob Erdman: I think one of the biggest differences in the global surveys that we perform with Microsoft and what we're seeing on a daily basis, where are things being used, how much of this are we seeing, more than a 50% reduction in active systems. I mean, we're not at zero. We know this is going to be a long-term effort. But the amount of systems that we're proliferating has been greatly reduced. The places that we were seeing the software shared have been greatly reduced. People are a little bit scared now in some respects. We see people warning each other about being exposed up on the internet and being found by this effort. And we've also seen kind of a geographic shift of where these things run from. So, when you're going to stand this up, you have to host it somewhere. And just where those things are able to be hosted now because of these actions, has kind of pushed it into a smaller pocket of the globe, which makes it easier for people to defend against just by knowing where it might be coming from.

Sherrod DeGrippo: So, I guess from our side, Jason, from Microsoft's point of view, what's been the impact here? I know that you know, we've seen some botnets impacted. Have you sort of seen any difference in the past year that relates to your visibility?

Jason Lyons: Oh, yes. There's been a dramatic drop in -- when we started, we would observe active, thousand Cobalt Strike C2 servers a day, right? And since the takedown, we're down to a couple hundred a day. So, it's been a dramatic increase. And I just want to point out that like the scope and scale of this operation was huge, right? So, we were not only targeting domains that were hosting cracked Cobalt Strike. We were targeting also just pure IP hosting. So, you know, we had to build all this automation in the background to basically -- to be able to tackle this at scale. And so, we built what we call crawlers and emulators and would go out and take these inputs from the different sources I had mentioned earlier, Defender, RiskIQ, Shodan, use that as inputs. Our automation would go out and make contact with those C2s or domains, confirm and download a beacon and then they would extract the watermark from those beacons and determine whether it's bad or good. And then that would -- if it was bad or good, then we'd get kicked over to the DMCA automation email notification system, which would then kick out automatic DMCA notifications to -- I think we were averaging a couple thousand a day emails of going out. So, the scale on this thing is -- was huge.

Sherrod DeGrippo: I love that it's automated. So, essentially were like just -- we're using a bot to find and destroy -- to search and destroy for cracked Cobalt Strike. Bob, you're laughing. Do you think that's kind of a good characterization, or no?

Bob Erdman: No, I do think it's good. I was going to throw even more on the automation. The messaging that's going out is actually targeted by the place that we're seeing the infrastructure. So, there's even more automation that Jason's team has built so that a message that might go out to a U.S. provider is different than a message that might go out to a European provider, based on where we're seeing things.

Jason Lyons: Yes, that's a good point. We had like -- I think we're up to like over 30 different email notification templates, depending on geo location--

Sherrod DeGrippo: For different countries?

Jason Lyons: Yes.

Sherrod DeGrippo: Oh, wow.

Jason Lyons: So, and Bosco did a lot of work on research and what laws we could use in certain countries and areas that would basically affect some takedown.

Sherrod DeGrippo: Okay, well that's a super-nerdy thing that you've just walked me into. Bosco, what's the global DMCA equivalent looking like?

Richard Boscovich: I mean, there really is no exact equivalent now. I mean, there's some EU regulations and security rules and in the EU, they were very helpful. And that acted almost as fast. And I think there's some new legislation now since then that has just passed that's really good. But we had to take a look and see what -- if there are any unique notification processes and templates that we'd have to use. And I'll give an example. You know, in the case of cracked Cobalt Strike that were located in China. You know, there are very specific ways in who you have to notify. And so, we had to make sure that our templates were consistent with the local rules and laws in that jurisdiction. And made sure that all of our notifications went directly into that particular mailbox. So, it was -- it took some time. There were a lot of templates. But we've gotten some very good results, even in a lot of the foreign jurisdictions which are outside of U.S. -- the ability of U.S. courts to you know, uphold any law -- by kind of leveraging their local regulations and notification processes.

Sherrod DeGrippo: That's incredible that you're essentially automating a global notification and takedown of a threat actor infrastructure partnered with the legitimate software publisher of Fortra. So, I guess like kind of the next question is, "Where do we go from here?" And Jason, I'll ask you. Like, it sounds like cracked Cobalt Strike is a much-reduced level than it was before from a volume perspective. What's the criminals doing now? Like, what's the next thing?

Jason Lyons: You know, there's always some new thing on the scene, right? And it just really depends on these actor groups and what they're comfortable with. You know, when you talk about the more sophisticated groups, you know, there's usually custom stuff that they create. They'll also utilize basically cybercrime as a service. You know, you have these different service level providers that provide you know, uses of botnets. You know, we've got DarkGate out there. There's always another tool to replace, you know, the last thing we took down. And we also see also use of other post-exploitation tools, you know, that are commercially available as well. Not as prolific as what we saw, but you know, there's always a mixed bag of people taking open-source tools that are used for pentesting and using them for cybercrime.

Sherrod DeGrippo: Very cool. And Bob, tell me like what are you seeing in terms of your next frontier on dealing with cracked Cobalt Strike or other kinds of abuse that threat actors might do leveraging your work?

Bob Erdman: Yes, we work in a lot of areas other than Cobalt Strike. And we're trying to you know, take these same kind of techniques that we've seen here and how successful this has been and apply them to things like phishing kits as a service and other larger ecosystems like this. And I think it's really encouraging that we're seeing more and more of these law enforcement operations going after these larger sources, knocking down whole environments, whole threat actor groups, all in one shot. It's been great having the publicity around this, because we're also getting more inputs, and I think that's helping all of our jobs. We're getting more reach out from you know, private -- third investigator type parties. We're getting more reach out from the public. Law enforcement type sources feeding indicators. And bringing those into the pool so we can run them through the pipeline and add them to the list. You know, that's been a really great thing to see, and we're going to continue doing the same kind of work. This will be a multi-year effort as far as the Cobalt Strike. You know, as the product's changing to make it harder to abuse, and then we're pushing on the other end to anything that we find to be able to shut it down. You know, we're going to keep pushing towards that zero number in the future here.

Sherrod DeGrippo: Can you tell me just a little bit more about that? Is there any specific points that are noteworthy you want to mention that you've done to make Cobalt Strike harder to abuse?

Bob Erdman: So, one of the things probably not everybody knows, Cobalt Strike in itself is actually fairly well regulated. There's a lot of export restrictions on these types of tools. There's a huge vetting process that goes on in the background. We deny about as many requests for license as we fulfill because they don't meet the background when we check out, you know, check out a different system. That's why you see so many of these being stolen, copied. It's hard to purchase it the right way. And as part of the efforts that we had going on before we joined up with this action, as we were finding these things out on you know, a file share site or a social media share, a Telegram channel, what have you, we were pulling them apart internally and then closing off loopholes in the product where we might have seen if an actor was able to crack a copy and make an adjustment and use it illegitimately by a certain method that we could shut that down and make changes in the actual software to make it harder for the next time. And we're continuing to improve the resiliency of that front-end process from Fortra's perspective. Closing the things that they've been able to abuse, making it harder to obtain copies illegitimately and make it easier to detect from the outside for defenders, so that we can push this whole process forward.

Sherrod DeGrippo: Awesome. I love that it's like this continually evolving thing to make sure that cracked Cobalt Strike is kind of kept off the streets. Bosco, I want to ask you just sort of, I think for my own curiosity, can you rate the creativity level of using the DMCA for this? Is this something -- for me, I find this wildly creative, but in your world that's full of lawyers and DCU people, was this kind of like a, "Oh, yes, that's fine,"?

Richard Boscovich: I mean I think the most interesting aspect of it was we always for the past, you know, 15 years, we've prided ourselves in developing, you know, and leveraging what would be standard, you know, either common law causes of action or any type of civil causes of action, which were not necessarily meant to address cybercrime, but that we've been able to apply in novel ways. So, it really was novel in its application, especially when it came to the point of utilizing the copyright ability of APIs after the Google and Oracle case came out. So, from that perspective, I think it's pretty novel and it's pretty unique. But it is consistent with what we've done in the past, and we've developed our toolkit over the past decade to address these types of questions. In fact, I think in the very near future, you're going to see some additional cases in which we're going to be leveraging some very unique application of civil law, again within the cybercrime context. So, the short answer is yes, it's a unique application of a statute. And I always like to say sometimes you don't necessarily need new law to address a problem. You just have to be able to use what you have and use it in a unique and novel way, because the courts in common law are very receptive and are able to adapt very quickly as we've seen over the past decade or so.

Sherrod DeGrippo: I love it. I've never heard such a creative use of the DMCA. So, that's been a really fascinating thing to see. So, Jason, I'm always worried about focusing on Microsoft being secure. That's really important to me. And so, did we find any cracked Cobalt Strike hanging out on Microsoft infrastructure? How'd we handle that?

Jason Lyons: Yes, that was really the first operational phase of this operation was to make sure that our own house was clean before we started out and sending takedown notices to other providers. As you can imagine, that can be kind of a PR nightmare if we had a bunch of -- if it actually was hosting a bunch of cracked Cobalt Strike, right? So, yes, really the first phase was really to work with CDOC and get a really efficient takedown process. So, we built a lot of--

Sherrod DeGrippo: What is CDOC?

Jason Lyons: CDOC is our cyber defense center. It's really an organization of multiple organizations that protect Azure and the different properties and products, you know, Office, different things like that. And Microsoft. So, it's really kind of our central point of being able to do some internal takedowns. You know, we -- like I mentioned earlier, you know, we built a lot of automation to make this stuff happen in real time. So, it was a really important point for us to make sure that we were keeping our own house in order.

Sherrod DeGrippo: And can you just give me just a little bit of detail on that? Does that mean that we scanned Azure to find cracked Cobalt Strike?

Jason Lyons: That is correct, yes.

Sherrod DeGrippo: Awesome. And when we found them, what did we do?

Jason Lyons: Well, there's several different processes in Microsoft, as you can imagine, depending on who the client is, what kind of subscription is in Azure. But we really had to work out basically a terms of service takedown notice in Azure for different versions of cracked Cobalt Strike. So, the CDOC was you know, very important for us and was really our central point of contact to -- in trying to keep Azure clean.

Sherrod DeGrippo: Love that. Okay, so Bosco, something else I want to understand is you kept mentioning common law, civil stuff. I know the DMCA has criminal aspects to it. How did you kind of work with law enforcement versus civil versus criminal courts? How did all that shake out?

Richard Boscovich: Yes, I mean -- and that's a good question and it's a question -- we got a lot of those questions back when we started the program, over a decade ago, right? One of the things that you know, as a private litigant, both Microsoft and Fortra in this case, obviously private litigants, our main concern obviously is to protect, not only our customers' intellectual property, and we have to do it very quickly and aggressively. So, from the civil perspective, one of the great things about civil law in this case is that our main focus is stop the harm immediately, identifying the potential victims and remediate the problem. So, but to do that, you also don't want to interfere with any criminal investigations. According to criminal law, of course their objective is to not deter by attribution. In other words, identifying who the bad players are, the criminals, trying to indict, bring them to justice, which of course that brings a deterrent effect. So, we try to kind of do two of these things at the same time to get the biggest impact possible. Stop the harm immediately, start remediating whilst at the same time allow law enforcement to go out and do their job and attribution, arrest for deterrence. So, what we developed in this case, and we've been doing this manually so to speak until ultimately, we've automated this process as well, and that is in real time deconfliction. And what I mean by that, if you go back to what Jason and Bob were talking about, identifying the cracked Cobalt Strike, where it's located and so forth, we want to make sure that our visibility was also visible to law enforcement for the main purpose of deconfliction. In other words, we didn't want to interfere in any ongoing criminal investigation by taking a site down via a civil process, which is very fast, as I mentioned. It goes quick. And then not allowing law enforcement to complete their work in terms of attribution for the criminal investigation.
So, we developed a process where law enforcement would be able to come back and say, you know, pause, wait to give them time to do their job whilst at the same time allowing us to clean up as much of the ecosystem as possible. And it worked out really, really well. And we're very happy with that relationship and the ability to deconflict and partner with law enforcement. And it was interesting because we were talking to law enforcement as was Fortra. So, we just got all of it together and made it into one automated system, and we're really happy about the results.

Sherrod DeGrippo: I love that. I love that it really is such a coordinated effort between so many different groups and organizations and being able to protect the internet better. So, Jason, I know that we've seized about 170 domains so far in this focused operation, and several even this week. So, how does that work and help me understand too, I know that we set up some sinkholes. So, can you kind of help us understand what sinkholes are and how they played into this particular project?

Jason Lyons: Yes, so we're -- what we do is the term sinkhole is a DNS sinkhole. Right? So, domain name system sinkhole. So, when you know, we'll just use badguy.com, right, for instance. So, badguy.com's got to resolve to an IP address and so what we do is during the course of the investigation, as we're crawling and scanning infrastructure, identifying cracked versions of Cobalt Strike, if that C2, that cracked Cobalt Strike's team server is actually using a domain as infrastructure, we'll be able to capture that. Right? And then we'll be able to verify the watermark and verify that the domain is hosting, you know, cracked Cobalt Strike. So, part of the disruption process has been to legally take down that domain. And really, the main purpose one is to disrupt, obviously stop the harm of the infrastructure of the command and control server. But two, we then get the court to award us that domain as Microsoft. We seize that domain. It now becomes property of Microsoft. Now, we can change the IP address on that domain, and now all the victims of that particular command and control server of badguy.com for instance, are now communicating to Microsoft. And so, really the point of that is really to gain visibility into the victims, right? To really understand, "Hey, Grandma's computer's infected and they're over at XYZ ISP." And that's really one of the really staples of I think DCU is we don't sell this as cyber -- we don't sell this as threat intelligence, right? We take this intelligence and we give it to the telcos, the ISPs, to basically identify critical infrastructure and for you know, the responders to be able to respond to this and get it cleaned up.

Sherrod DeGrippo: Jason, I love how community focused that is. This has been amazing. Thank you so much, Bob Erdman from Fortra, Bosco from Microsoft, Jason Lyons from Microsoft. Thank you for joining me. This was a fascinating thing, and I hope we get to hear back from you soon on all the cool things that you guys are working on. I appreciate you coming on the podcast. >> Thanks for having us. >> Thank you. >> Thank you. [ Music ] Thanks for listening to the Microsoft Threat Intelligence Podcast. We'd love to hear from you. Email us with your ideas at TIpodcast@microsoft.com. Every episode we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out, MSthreatintelpodcast.com for more, and subscribe on your favorite podcast app. [ Music ]