Another day, another Cobalt Strike beacon on a Domain Controller (DC). 😬
Our ThreatOps team sends a critical incident report, and remediations are completed. From here, happy trails, right? Wrong!
A Cobalt Strike beacon belongs to a later stage of the attack chain mapped by the MITRE ATT&CK framework, the path that threat actors take from Initial Access all the way to Impact (in this case, ransomware). Finding the Cobalt Strike beacon is only scratching the surface, and there’s much more digging to be done.
Let’s jump right into why just remediating this incident from a high-level is not where remediation should end—and what you can do for long-term success.
Flying Under the Radar
Let’s address the elephant in the room: How does a threat actor bypass a trained cybersecurity team until the DC is compromised?
Quite often, the problem is that a managed detection and response (MDR) or an endpoint detection and response (EDR) tool isn’t installed on the workstations themselves. This is problematic, as these tools can provide insights and catch bad actors in their tracks before they have a chance to do too much damage.
While most security professionals may feel it’s obvious to protect an environment’s workstations, the cost of doing so can prevent it from actually happening. Many teams may believe that having antivirus installed on the workstations is good enough. And while this may save money in the short term, at the end of the day, antivirus solutions are reactive, finding only known indicators and threats. And with the added “bonus” of alert fatigue, any issues that are flagged have the potential to be ignored.
When our partners use all available features of The Huntress Managed Security Platform, these threats can be identified faster and easier. Our ThreatOps team uses the tools at their disposal—Managed Antivirus, Process Insights, Persistent Foothold Detection and Ransomware Canaries—to remedy the threat before significant damage is done. Ultimately, being able to dig deeper into identified Cobalt Strike beacons empowers our team to deliver a contextually accurate and actionable incident report to our partners.
But for any of this to work, each endpoint must have an EDR tool, such as Huntress, installed for full visibility. Otherwise, threat actors enjoy the luxury of defenders who know only part of the story. Lateral movement becomes harder to spot, leaving threat actors free to explore and wreak havoc in the form of malicious executions.
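A practical way to act on the point above is to audit agent coverage: reconcile the directory’s list of enabled computers against what the EDR console actually reports, so that endpoints with no agent, a stale agent, or an agent on a host the directory doesn’t know about are surfaced before an incident rather than during one. The script below is an added example written for this post, not Huntress code or a Huntress export format; the two CSV exports, the host names, the column names and the seven-day staleness threshold are all constructed assumptions, and the logic applies to any EDR that can export a hostname plus last-seen timestamp.

```python
"""Reconcile an Active Directory computer export against an EDR agent export
to find endpoints with no agent, a stale agent, or an agent unknown to AD.
All sample data below is constructed for illustration (hypothetical hosts)."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample: the kind of CSV an AD computer export might produce.
# Column names are assumptions, not a specific tool's format.
AD_COMPUTERS_CSV = """name,dnsHostName,operatingSystem,enabled
DC01,dc01.corp.example,Windows Server 2019,True
FS01,fs01.corp.example,Windows Server 2016,True
WS-ALICE,ws-alice.corp.example,Windows 10 Pro,True
WS-BOB,ws-bob.corp.example,Windows 10 Pro,True
WS-OLD,ws-old.corp.example,Windows 7,False
"""

# Constructed sample: an EDR console agent export (hostname + last check-in).
# Note the mixed casing and FQDN vs short names, which real exports often have.
EDR_AGENTS_CSV = """hostname,last_seen
dc01,2024-05-01T10:00:00Z
FS01.corp.example,2024-05-01T09:30:00Z
WS-ALICE,2024-03-15T08:00:00Z
LAB-VM,2024-05-01T11:00:00Z
"""


def _normalize(host: str) -> str:
    """Compare on the short, lower-cased name so 'FS01.corp.example' == 'fs01'."""
    return host.strip().lower().split(".")[0]


def parse_ad(csv_text: str) -> dict:
    """Return enabled AD computers keyed by normalized name (disabled ones are skipped)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {_normalize(r["name"]): r for r in rows if r["enabled"].strip().lower() == "true"}


def parse_edr(csv_text: str) -> dict:
    """Return EDR agents keyed by normalized name, value = last-seen datetime (UTC)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    agents = {}
    for r in rows:
        ts = datetime.strptime(r["last_seen"].strip(), "%Y-%m-%dT%H:%M:%SZ")
        agents[_normalize(r["hostname"])] = ts.replace(tzinfo=timezone.utc)
    return agents


def coverage_report(ad_csv: str, edr_csv: str, now: datetime,
                    stale_after: timedelta = timedelta(days=7)) -> dict:
    """Classify every enabled AD computer as covered, missing (no agent) or stale
    (agent has not checked in within `stale_after`), and list agents AD does not know."""
    ad = parse_ad(ad_csv)
    edr = parse_edr(edr_csv)
    missing = sorted(h for h in ad if h not in edr)
    stale = sorted(h for h in ad if h in edr and now - edr[h] > stale_after)
    unknown_to_ad = sorted(h for h in edr if h not in ad)  # unjoined or rogue hosts
    covered = len(ad) - len(missing) - len(stale)
    return {
        "total_enabled": len(ad),
        "covered": covered,
        "missing": missing,
        "stale": stale,
        "unknown_to_ad": unknown_to_ad,
    }


if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives a stable result.
    report = coverage_report(AD_COMPUTERS_CSV, EDR_AGENTS_CSV,
                             now=datetime(2024, 5, 2, tzinfo=timezone.utc))
    print(f"{report['covered']}/{report['total_enabled']} enabled computers covered")
    for key in ("missing", "stale", "unknown_to_ad"):
        for host in report[key]:
            print(f"  {key:<14} {host}")
```

Run on the sample it reports two of four enabled computers covered, ws-bob missing an agent entirely, ws-alice stale (no check-in for weeks, which usually means the agent was removed or the host is offline), and lab-vm reporting to the EDR without a matching AD object. The disabled WS-OLD is deliberately excluded so that decommissioned accounts don’t inflate the gap count; the "unknown_to_ad" list is worth keeping because a host that is not domain-joined is often exactly the one that ends up being the unmonitored foothold.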
Full Visibility Is Key
Full visibility into your environment is the key to success when it comes to protecting your assets. Knowing only part of the story enables you to remedy only part of the problem.
We recommend installing the Huntress agent across all our partners’ endpoints, and even if you’re not a Huntress partner, we hope this blog has made a case for installing your preferred EDR solution across all your endpoints. Giving your team full visibility into what’s happening in your environments will make it that much easier to get back up and running if (and when) you find yourself in the crosshairs of a hacker.