
S6 E26
Pursuing strategic partnerships to tackle Cobalt Strike abuse
Episode Transcript
Hundreds of domains that were malicious have been seized and sinkholed, and that has allowed additional intelligence gathering to happen from the traffic that's going on in there as well, which has really been great.
Hello and welcome to Healthcare Strategies.
I'm Jill McKeon, associate editor of HealthITSecurity.
Today we're joined by Bob Erdman, Associate Vice President of Research and Development at Fortra.
Welcome Bob.
Thank you.
So today we're diving into a really interesting topic. For some background for our listeners:
In 2023, Fortra teamed up with Microsoft's Digital Crimes Unit and the Health Information Sharing and Analysis Center, or Health ISAC, to crack down on abuse of Cobalt Strike, which is a legitimate security tool that cyber threat actors have been abusing illegal copies of to perpetrate cyber attacks against organizations in many sectors, including healthcare.
Fortra acquired Cobalt Strike back in 2020.
Then in March 2025, after two years of this partnership between Fortra, Microsoft and Health ISAC, Fortra reported that the number of unauthorized copies of Cobalt Strike observed in the wild had decreased by 80% over the last two years.
So today we're going to speak with Bob about Cobalt Strike abuse, these successful efforts to crack down on it, and just the value of partnerships like this one in the world of cybersecurity.
So Bob, it'd be great if you could start by telling us a little bit about Cobalt Strike and what it's traditionally used for in the security world.
Sure.
So Cobalt Strike is a cybersecurity tool used by organizations to test their defenses and harden them against any kind of malicious activities that may be directed towards them.
Cobalt Strike's licensing allows for lawful and ethical penetration testing and red team activities, and actually forbids use by military, law enforcement or intelligence-gathering types of use cases. Cobalt Strike is generally used in an assumed-breach type of scenario, where an organization says either we're going to assume that we've already been breached, or at some point we're going to be breached.
It differs a little bit from standard penetration testing where we're just looking to find as many vulnerabilities and open doors and windows as we can find, and we're actually looking to test fairly specific scenarios about how a threat actor might behave once they gain access to somebody's environment.
Definitely.
Yeah, so it sounds like a really useful tool on the defense side, but I know that there's been a history of threat actors abusing legitimate tools, not just Cobalt Strike, but other tools as well.
So I'm curious what makes those tactics successful?
How does abusing a legitimate tool like Cobalt Strike allow threat actors to really succeed in their efforts?
As you mentioned, unfortunately, there's always malicious use of all of the different tools that are out there.
Cobalt Strike included, the heavy lifting is being done by somebody else.
So we're developing a tool being used for certain types of scenarios, and if they can get ahold of it and repurpose it, they're going to use those tools for malicious uses.
Just like when they would abuse email delivery services for phishing, or offensive tools for pen testing, or Cobalt Strike tools for red teaming, the way that they're being breached is very similar to the way that they're being tested.
So those threat actors, if they can get ahold of these tools, then of course can repurpose them for their malicious designs.
And that's definitely something that we're doing our best, along with many other entities to crack down on.
So the use of these tools makes it harder for teams to detect when these threat actors are there.
It makes it harder to defend, of course.
So it makes it easier on the threat actors of course, too, because they don't have to necessarily develop as much of their own infrastructure around these things.
If they can insert commercial pieces or open source pieces that do some of the same things, that just makes it a little easier for them to do what they're doing.
For sure.
And I'm curious with Cobalt Strike specifically, how widespread was abuse of this tool before that partnership formed in 2023?
How did it really impact organizations across all sectors including healthcare?
I think there's always been some level of abuse of all of these types of tools, where anything more than zero to us is too much, of course, but where we really saw it starting to become more prolific was as the ransomware-as-a-service ecosystem started to grow and move around it.
So more and more times we were seeing, as part of an attack chain, Cobalt Strike would be included, or some tool very similar to Cobalt Strike.
So we really started to look at how those tools were being shared, where they were being acquired from and how these licenses were being abused.
As we started to dig into that, it led us to all these other efforts.
It's not every attack, like I said, if it's more than no attacks, then of course we're taking notice, but it was definitely being favored among some of the adversary toolkits, especially coming out of some of the usual geographic areas that you'd imagine.
Right.
So you started to notice that pattern kind of increasing of threat actors abusing this tool, and then your organization teamed up with Microsoft and Health ISAC.
Can you tell me a bit more about how that partnership came about and what each of those entities' roles were in this effort?
Yeah, I think this was a really great, great partnership to have and we saw some great effects as we were starting to see those kinds of things happening.
After we acquired Cobalt Strike, we added a lot of additional security controls inside of the product itself to make it harder to abuse, and we started tracking where these different channels were that things were being shared and proliferated and some of the techniques being used, and Fortra was cracking down and engaging with law enforcement and working through the DMCA, the Digital Millennium Copyright Act, to go after the places the tools were being passed around.
So social media sites, Telegram, Twitter, file hosting locations, the magazines and non files and places like that.
It was definitely a bit of whack-a-mole.
Of course, though, as we'd take down two Telegram channels you'd see three Twitter feeds pop up sharing the files. It was having an effect, but of course not as great as we would've liked to have seen.
And around that same time, Microsoft had started their own internal process and effort to track down the malicious usage of these types of tools, and they reached out to us and actually wanted to know if we'd like to partner up and combine our efforts and share some data, and DCU, the Digital Crimes Unit, had an interesting legal theory that they wanted to pursue based around intellectual property abuse, allowing us to go through the civil side of the court system, which is much faster than going through the criminal side efforts.
So we started working together.
We spent a lot of time building out processes and pipelines, so the ability to quickly share information between ourselves. We each had unique visibility into different places on the internet, and we were able to combine that different data, and Fortra, as the license holder of Cobalt Strike, can quickly determine if something is legitimate, a real customer doing their own red team operations who exposed themselves where they've been visible, or if it's somebody using it maliciously, and then bring along all the law enforcement groups.
Of course, we also built a way to, in real time, be able to share the observations that we're seeing with law enforcement so that they'd be able to take further actions as needed against these different things.
And as we built out this court case, it was important for us to also be able to show the harm that was being caused by these malicious actors and activities.
And that's where Health ISAC came along and was that third leg of the stool being able to represent their clients and show the court this is what's really going on from these activities.
So it's not just Microsoft and Fortra complaining about somebody cheating on their licenses, but there's actual harm happening to outside entities based upon these different activities going on in there.
So we went in and built out that court case, and then we were able to get a court order to begin to take action against these different environments.
So we spent a lot of time building out automated pipelines to be able to take action against these different places and around the world really start to push back against the abuse of these tools.
Yeah, it's so interesting to hear just how that partnership came together.
Each of these entities were looking into this on their own, and then you joined forces to really prove just how widespread this issue was.
Yeah.
So I know you got into this a little bit, but I'd love to hear more about just the results of this multi-year effort to disrupt Cobalt Strike abuse and reduce the number of unauthorized copies.
Are there any specific data points that you can share with us about the overall success of this operation?
Yeah.
The speed and scale that we're able to achieve working together has really been great.
So over time now, what essentially happens is when we observe a copy out in the wild, we can quickly determine: is it unauthorized and malicious?
Is it real?
And then pass that into a notification pipeline where we send notices to the infrastructure providers where the systems are being run.
So your Amazons, Azures, you name the hosting provider all around the world, and leverage those different providers to take those systems offline quickly.
So as far as what we observe in the wild on a daily basis, we've seen roughly an 80% reduction in the number of systems that the different groups and the different entities that we're working with are able to observe out there.
And because of the automation of taking these systems down and getting 'em offline, that dwell time from when we see a system to when we see it go down, because we monitor and we continue to enforce those notices until we see it taken offline, has been greatly reduced.
So it's a much smaller window where a system can be observed doing this.
Hundreds of domains that were malicious have been seized and sinkholed, and that has allowed additional intelligence gathering to happen from the traffic that's going on in there as well, which has really been great.
And while our court order is in the US, of course, and DMCA is a US-based law, most countries cooperate and observe that, or they have something similar in their areas of the world.
So that allows us to enforce these different places around the world and have this done as expected.
The remaining systems we do see have been pushed into a much smaller geographic window.
Most of the traffic now originates from a very limited set of countries or hosting providers where they're either not as quick to action or they have enough cover from their states to ignore it sometimes, but that makes it much easier for us to defend against now that we see where that's happening from.
So it's really been a great result for us, and we've had great cooperation from Microsoft and a number of other organizations as well as global law enforcement.
And that brings up a great point.
I think that partnership between Fortra, Health ISAC and Microsoft is a big part of it, but it also takes cooperation and collaboration between so many different entities to really make that work.
It really does.
It's see something, say something, really.
Anybody who's seeing things now has places to get that information out.
On a daily basis we're sharing in real time what we see from things like Cobalt Strike, phishing kits, malicious websites and domains.
The whole ecosystem around that is really coming together with information sharing activities.
Fortra and everybody else are working with more than just Health ISAC, with other industry ISACs, to really push back on this all around the world.
Definitely.
And I know aside from this particular partnership, Fortra also took part in Operation Morpheus, which was a multi-year effort by the UK's National Crime Agency that also constituted a global takedown of misuse of Cobalt Strike.
So I'm curious how those efforts also contributed to the success and the collaboration there as well.
Yeah, that was another great public-private partnership that Microsoft and Fortra were able to take part in.
Initially, roughly 600 to 700 systems were identified, and the majority of those were immediately taken down once that law enforcement action commenced, with Fortra and Microsoft and other private partners working together with those law enforcement teams.
Again, we're able to push back on these.
And of course, having law enforcement around is great because they could do things we can't.
We can get an order to take down a provider or a site.
We can't put somebody in handcuffs where they can.
It's great to see.
It feels like the number of seized websites, seized servers, people getting arrested is continuing to increase worldwide, and that's really good to see to keep pushing back in the ecosystem.
For sure.
And I know we've already spoken a lot about just the importance of collaboration.
It seems to be the theme of the episode today, but I'm curious if we could even double down on that more and talk about just the importance of cross organizational collaborations and improving cyber resilience specifically in healthcare.
I know that it's such a highly targeted and highly regulated industry.
Yeah, I think it's really important, and we, along with Microsoft, have definitely made an effort to share the techniques that we've used and how we came about doing this across different conferences and webinars and podcasts like this.
Having those friends being able to work with you can really enhance your operational capabilities, and having law enforcement coming along with us gives us that final place that we can go as we're seeing these different places and these different IOCs.
So we think it's super important to have these industry partnerships.
We work heavily with Microsoft who work with a lot of other worldwide intelligence providers and other defensive security technology places to do this as well.
Being able to share that information around and being able to get more pushback against these actors, the more friends you have doing these types of things, the more effect we can have and the greater you can make your security resiliency.
Curious also how you see the landscape of cyber threats evolving over the next few years, beyond just Cobalt Strike abuse.
Just in a general sense.
We're seeing more and more pickup in these types of tools.
Of course, there's other competing tools out there.
There's starting to be some open source frameworks.
As we push down at Cobalt Strike, we're seeing an increase in some other technologies that are similar or maybe now at this level of efforts going on.
They're starting to shift their tactics a bit, but in general, the way that they're initially breaching these environments is fairly constant over time.
Phishing is high on the list, generally number one: some form of business email compromise or spear phishing targeted attacks, weak configurations by design or by mistake.
Missing patches is honestly still a big one, and I don't think those are going to change a lot in the very near term.
Those are really effective ways to breach an environment.
What we are seeing change a lot is the tactics around that.
It's allowing threat actors to be better at it and more efficient in that scale, especially using things like artificial intelligence and AI technologies where we used to see maybe a phishing email coming out of a foreign country with grammar mistakes, missing punctuation.
You could just tell it wasn't quite right.
They're translating it now with AI, they can do that at scale.
They can target anywhere in the world and be able to push those things out.
When we're doing our vuln management programs and we're looking for vectors and patches and maybe systems that are exposed to the internet, the threat actors are doing that too, and they're doing it with better scale and technology than they used to in the past.
So they're accelerating what they can do and how they can do their intelligence gathering and have a better way to target our executives and our employees as they're trying to get into these systems initially.
And stopping that front line of defense is getting really important.
Definitely.
Yeah.
It's interesting to hear that these threat actors are going back to tried and true techniques, phishing, business email compromise, those things still work, but as you said, they're using AI and things like that to make these attacks even more successful.
So I'm sure on the defense side it's tough.
And we're doing the same thing on the defensive side.
We're all starting to use more machine learning, more artificial intelligence to be able to detect things at scale, uncover what's going on across these different campaigns, and being able to more quickly target these threat actors as they're trying to get access to your environments.
And to close this out, I'm curious what advice you'd give to healthcare organizations that are looking to strengthen their cybersecurity posture in this environment where these threats are continuing and advancing.
A lot of it really is initially make sure you've got the basics right.
It's blocking and tackling kind of things.
Do you have a DR plan?
You probably do.
When's the last time you actually checked your incident response and tried to exercise it?
Do you know what's going to happen if you are breached?
And if something happens, like we said, in the assumed breach model, you're either assuming you're already breached or you're going to get breached at some point.
It's just a matter of what you do afterwards, to make sure that you understand your chain of command, what things are going to happen and when, and how you're going to do that.
It's really important.
Do you have multifactor authentication enabled everywhere?
Are you segmenting your networks so that if you do get compromised, that blast radius is limited or things sitting wide open where they can move laterally all across the network as they come on?
How are you managing your vulnerability type programs?
A lot of times what we see is managing for the numbers.
I got 10,000 vulnerabilities today.
I can't close 'em all.
I'm going to knock off 2000 fast ones.
So I have 8,000.
It looks great on paper, but are you really making risk-based decisions on what is the most likely path someone's going to take to compromise your crown jewels, patient data, getting access to devices and things, or are you just playing a numbers type game?
So doing a risk-based evaluation of what it is and how you need to protect yourself thinking like an attacker would.
Being able to arrange your defenses in those types of manners.
So those are all great ways to start.
We are definitely seeing more OT and IoT type attacks.
So medical devices are right in that chain.
A lot of those are probably built with not great security in mind at the beginning, who's ever going to attack the electronic interface to my pacemaker?
But those kinds of things are happening these days, and we need to be mindful of all the different threat vectors.
And especially as now so many people have gone to an at least partial work from home model.
Your visibility used to be much more controlled.
People are coming into the office, they're signing into the network, they're sitting at a desk.
Now in many respects, people are connecting from anywhere, working from home, doing jobs; third-party suppliers have people working from home.
Your area that you have to be concerned with has expanded a lot, and you need to take all of those different places into account.
And that's great advice to think like the attacker and really tackle it from that end.
So it was great to hear about this partnership.
Always nice to hear a success story in cybersecurity, and I'm sure these efforts will really continue.
So thanks so much for joining us today, Bob.
It was a pleasure.
Yep.
Looking forward to further updates in the future from Fortra, Microsoft and Health ISAC.
This is a long-term effort.
We're expecting many more years to keep going after this, and we'll keep you posted with more great details.
Great.
Thank you.
And thank you listener for tuning in.
If you liked what you heard, head over to Spotify or Apple and drop us a review.
We'll be choosing some of our reviews to be read on the show in appreciation.
So keep listening through to the end because you might get name dropped.
See you next time.
Music by Kyle Murphy and production by me, Kelsey Widdle.
This is an Informa TechTarget production.