| Follow Us: Facebook Twitter LinkedIn RSS Feed

Features

Made in DC: Entrepreneur defends electronic borders from cyber-espionage

Raphael Mudge helps companies protect against hackers by giving them the tools to think like one



Raphael Mudge, founder of Strategic Cyber, LLC, considers Washington, D.C. his home. And he's chosen to locate his business in the District. "Washington, D.C. is a great location for a business like mine," Mudge explains. "There's a high concentration of security professionals in both Maryland and Virginia. The U.S. government and many of the companies that depend on it have their top security teams here. I founded my business here because D.C. is my home now."

His business is a suite of tools and training opportunities that allow government contractors and large corporations to emulate sophisticated security threats on their own networks, also known as advanced penetration testing. By using Mudge's products, security professionals can examine the safety of their networks from a hacker's point of view.

The software known as Cobalt Strike "looks for and exploits network vulnerabilities, launches 'spear phishing' campaigns, hosts web drive-by attacks, and generates malware-infected files. It gives the good guys tools to test what bad guys do to their networks to see how secure they are," Mudge explains.

Mudge sells Cobalt Strike to a host of customers: academic programs, including the U.S. Military Academy at West Point and Johns Hopkins University; boutique consulting firms, retail outfits, and U.S. Department of Defense contractors. One license runs $2,500 per year.

"My market is niche," Mudge states. "Organizations buy one license at a time. But there are larger organizations out there. I'm hoping to nail down larger DoD teams this year. [But] I'm thrilled to death for how young my product is that people working for organizations of this size are willing to take a chance on a product like mine."

In today's world, information = money
According to Mudge, cyber threats in the 21st century are all about stealing information that leads in some way to financial gain. The Zeus malware, for example, was designed to compromise bank account information and at its peak infected more than 3.6 million computers in the U.S. alone. A ring of eastern European hackers stole $70 million using Zeus in 2010 before they were arrested.

In a more recent example, a branch of the Chinese army was recently tied to one of the world's most prolific group of computer hackers, which was found to have stolen hundreds of terabytes of data from 141 companies. Mudge believes China was trying to gain industry knowledge that it could parlay into an "upper hand" over the United States. "I expect awareness [for these issues] to go up. We're doing the basics, but the basics aren't enough."

If the modern day cloak-and-dagger sounds militaristic, Mudge comes by it honestly. He's a veteran of the U.S. Air Force, having left active duty in 2008 after working as an acquisitions researcher. "I was working for a defense contractor," Mudge explains, "doing threat emulation for a Department of Defense customer. I had to mimic what an adversary would do. But I also like to write software."

"I founded my business here because D.C. is my home now."
In October 2011, Mudge was invited to teach a class about penetration testing and advanced threat tactics. He was looking for open-source tools to use in his class that would simulate an adversary on a network. "The tools didn't exist. So I built a tool set." That tool set became Armitage, an open-source precursor to Cobalt Strike.

His first job after leaving the Air Force was developing and selling a grammar-checking program called AftertheDeadline.com. "I was a bit off for the market," he reflects. "It touched millions of people. It was never a commercial success, but it got out there and it got users."

Upon further reflection, Mudge offers that as an inventor, in the past, he feels he has been "too far ahead of the problem set or [he] has ignored the mainstream." With Armitage and Cobalt Strike, however, he believes his position is correct.

"The problem set is catching up now," he states. "In two years, I expect [advanced penetration testing] will be a very standard thing. I'm not that far ahead this time."

Read more articles by Allyson Jacob.

Allyson Jacob is a writer originally hailing from Cincinnati, Ohio, and is the Innovation and Job News editor for Elevation DC. Her work has been featured in The Cincinnati Enquirer and Cincinnati CityBeat. Have a tip about a small business or start-up making waves inside the Beltway? Tell her here.
Signup for Email Alerts
Signup for Email Alerts