1. About Fortra (the new face of HelpSystems)
Fortra produces Cobalt Strike, a software platform for Adversary Simulations and Red Team Operations. Adversary Simulations and Red Team Operations are security assessments that replicate the tactics and techniques of an advanced adversary in a network. While penetration tests focus on unpatched vulnerabilities and misconfigurations, these assessments benefit security operations and incident response.
Cobalt Strike’s Mission
Close the gap between penetration testing tools and advanced threat malware.
Cobalt Strike’s Vision
Relevant and credible adversary simulations that:
- produce battle-hardened security analysts
- drive objective and meaningful security advances
- educate security professionals and decision makers on advanced threat tactics
2. Compliance and Ethics Statement
Fortra is committed to execute its mission and achieve its vision in a lawful, professionally responsible, and ethical way.
Fortra uses the following tools to meet this commitment:
- A public commitment to and summary of Fortra’s lawful and ethical behavior measures (this document)
- An internal use business operations manual that documents policies and procedures in conjunction with their compliance and ethical considerations
- Proprietary software that aids consistent application of internal procedures related to user screening and export compliance
- A team of expert service providers that assist with and advise on general business actions, accounting, trade compliance, and matters specific to offense software
3. Product Control Statement
Functionally, Cobalt Strike aspires to differ little from the advanced threat malware it emulates. As Cobalt Strike makes progress on its defined mission, the dual-use potential of the product becomes a greater challenge. Fortra’s goals are to ensure Cobalt Strike is a force for good that empowers security professionals.
Towards those ends, Fortra has processes and technology measures to:
- Limit distribution of Cobalt Strike to security professionals who will use the product for ethical penetration testing purposes only
- Make Cobalt Strike less attractive to malicious actors
- Discourage uncontrolled proliferation of the licensed Cobalt Strike product
The Export Compliance Statement documents some of these measures. In addition, Fortra degrades the trial product’s ability to evade defenses and adds a customer identifier to files generated by the licensed product.
4. Export Compliance Statement
Fortra’s Cobalt Strike product is controlled by U.S. export control regulations and the company is committed to compliance with all U.S. laws, to include the U.S. Department of Commerce Export Administration Regulations and the regulations administered by the Department of Treasury Office of Financial Assets Control.
The Department of Commerce issued a Commodity Classification determination to Strategic Cyber LLC (which was subsequently acquired by Fortra) classifying Cobalt Strike under Export Control Classification Number 5D002.c.1. This classification dictates the circumstances, countries, and types of end-users to which Fortra may export Cobalt Strike. Fortra only makes export sales and trial fulfillments that comply with these restrictions. Fortra reports all export sales and trial fulfillments of Cobalt Strike to the U.S. government.
Fortra maintains a comprehensive export control compliance program to comply with U.S. export control regulations. This program also prevents fraud, denies adversary access to Cobalt Strike, and preserves the trust of Fortra’s customers.
As part of its export compliance program, Fortra:
- obtained U.S. government confirmation of export controls applicable to Cobalt Strike;
- screens every trial request and order for signs of subterfuge and other red flags;
- screens every export order and export trial request against U.S. Government prohibited party lists, to include the OFAC Specially Designated Nationals List, which includes known terrorists, agents of oppressive regimes, and persons subject to sanctions related to malicious cyber-enabled activities;
- performs a risk assessment on every trial request and order, which takes into consideration such factors as an end-user’s plausible use case and geographic location;
- limits downloads of its product to approved trial requests and customers;
- expressly requires customer agreement to U.S. export control restrictions and ethical use of Cobalt Strike in its End User License Agreement; and
- requires that certain customers certify their agreement to the terms of an End Use Statement with more specific explanations of allowed uses and the limitations imposed by U.S. export controls.
5. Legal Requests
Fortra is committed to cooperating with U.S. government law enforcement agencies and complying with valid legal process.
As a general matter, non-public information about our customers will not be disclosed in response to a request from a third party except when we receive a subpoena, court order, or other valid legal process.
Fortra’s legal counsel carefully examines each records request to ensure compliance with the law, including the Stored Communications Act. If we believe a request is overbroad, we may negotiate to narrow it or ask the issuing party to seek an adequate form of legal process to obtain the requested information.
6. Intellectual Property Statement
Fortra respects the intellectual property rights of others and aims to comply with all applicable U.S. laws regarding intellectual property.
A list of third-party components (both open source and commercial) incorporated into Cobalt Strike is available in the product’s readme.txt file. This file also documents the license of each component and its source. Fortra complies with these licenses and keeps this information up to date.