Join us at Way West Wild West Hackin’ Fest in Deadwood in September 2020: https://www.wildwesthackinfest.com/

Today’s Red Team isn’t enough.

Why do we care? Because we want to move our defenses and understanding beyond a detection-based approach which has repeatedly been demonstrated to fail.

Why did I build SCYTHE? What led me here?

  • Fortune 50 Retailer Use Case
  • Bounded Attack Space Philosophy – the atoms of an attack (different way to look at ATT&CK)
  • Lessons Learned as a CNO expert coming into commercial/industry red teaming

Red Team vs Adversary Emulation – what’s done today vs what should be done

To white box or black box

Threat Intelligence

  • Such a disappointment: mostly static indicators, with no machine-readable description of adversary behavior that could drive an emulation
  • Analyst reports! Sigh, you have to read and analyze to pull out capabilities and TTPs
  • Neutered malware – awesome! But… risky, takes a decent amount of work to do, and is very prone to being caught by existing signatures rather than by behavioral detection

MITRE ATT&CK – what it can and can’t do for you.

  • Common mistakes – rigid adherence to the matrix, and treating technique entries as signatures

Open Source Options:

  • CALDERA – APT3 example (although, they didn’t really use CALDERA for this…)
  • PowerShell – great, and seen in the wild. But it is not hard to defend against… so it has limitations.
  • Empire – based on… PowerShell.
  • Living off the Land – https://lolbas-project.github.io/

Host Activities

  • Destruction: ransomware, wiper
  • Escalation
  • Persistence
  • Credential Theft

Network Activities

  • Communication/Traffic
  • C2 infrastructure

Lateral Movement

  • Combination of host/network
  • Mapping

Going Purple

  • Combined visibility and reporting
  • How do you technically do this – SIEM/Analytics, red team strings/tagging
  • Program strategy and direction – shared gap analysis
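One way to do the tagging and shared gap analysis described above, as an added example that is not code from the talk, from SCYTHE or from any SIEM product: the red team embeds a unique per-action marker in every artifact it creates (a comment in a PowerShell command line, a dump file name, a scheduled task name), records what it ran and when, and the blue team pulls the matching events out of the SIEM. Joining the two logs on the marker classifies each emulated technique as DETECTED (a rule fired), LOGGED_ONLY (telemetry exists but nothing alerted) or MISSED (no telemetry at all). The tag format, host names, timestamps, event text and the ten-minute correlation window are all constructed for the example.

```python
"""Purple-team gap analysis on a tagged red-team activity log (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

CAMPAIGN = "RT-PT2020-01"   # hypothetical campaign tag agreed between red and blue


@dataclass
class RedAction:
    action_id: str   # unique per action, embedded in every artifact the operator creates
    ts: datetime
    host: str
    technique: str   # ATT&CK technique ID
    name: str


@dataclass
class SiemEvent:
    ts: datetime
    host: str
    message: str
    alerted: bool    # True if a detection rule fired on this event, False if merely logged


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def tag(n: int) -> str:
    """Per-action marker: campaign tag plus a sequence number, e.g. RT-PT2020-01-003."""
    return f"{CAMPAIGN}-{n:03d}"


# Constructed red-team activity log: what the operator ran, where and when.
RED_LOG = [
    RedAction(tag(1), ts("2020-03-10T14:02:10"), "WS01", "T1059.001", "PowerShell download cradle"),
    RedAction(tag(2), ts("2020-03-10T14:05:30"), "WS01", "T1003.001", "LSASS memory dump"),
    RedAction(tag(3), ts("2020-03-10T14:09:00"), "WS01", "T1053.005", "Scheduled task persistence"),
    RedAction(tag(4), ts("2020-03-10T14:15:45"), "WS01", "T1021.002", "SMB lateral movement to FS01"),
]

# Constructed SIEM events. The marker surfaces wherever the red team planted it.
SIEM_EVENTS = [
    SiemEvent(ts("2020-03-10T14:02:12"), "WS01",
              f"4688 NewProcess: powershell.exe -nop -w hidden -c \"<#{tag(1)}#> IEX(...)\"", True),
    SiemEvent(ts("2020-03-10T14:05:31"), "WS01",
              f"Sysmon 10 ProcessAccess: procdump64.exe -> lsass.exe ({tag(2)}.dmp)", False),
    # Nothing carries tag(3): scheduled-task creation is not being audited on WS01.
    SiemEvent(ts("2020-03-10T14:15:48"), "FS01",
              f"7045 Service installed: PSEXESVC ({tag(4)})", True),
    SiemEvent(ts("2020-03-10T14:20:00"), "WS07",
              "4625 Logon failure: user jdoe (bad password)", True),   # unrelated alert, no tag
]


def correlate(red_log, siem_events, window=timedelta(minutes=10)):
    """Return {technique: status} for every emulated action.

    An event counts only if it carries the action's marker and arrived inside the
    window after the action; the window catches ingestion gaps, not just missing rules.
    """
    results = {}
    for action in red_log:
        deadline = action.ts + window
        matches = [e for e in siem_events
                   if action.action_id in e.message and action.ts <= e.ts <= deadline]
        if any(e.alerted for e in matches):
            results[action.technique] = "DETECTED"
        elif matches:
            results[action.technique] = "LOGGED_ONLY"
        else:
            results[action.technique] = "MISSED"
    return results


def gap_summary(results):
    """Count techniques per status; LOGGED_ONLY and MISSED together are the shared gap list."""
    summary = {"DETECTED": 0, "LOGGED_ONLY": 0, "MISSED": 0}
    for status in results.values():
        summary[status] += 1
    return summary


def report(red_log, siem_events):
    """One line per emulated technique, then the totals, for the joint red/blue report."""
    results = correlate(red_log, siem_events)
    lines = [f"{a.technique:10} {a.name:32} {results[a.technique]}" for a in red_log]
    lines.append(str(gap_summary(results)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(RED_LOG, SIEM_EVENTS))
```

The per-action marker is the design choice that matters: a single campaign-wide string lets one noisy event satisfy several adjacent actions, while a unique marker per action turns the correlation into an exact join and makes the LOGGED_ONLY bucket (visibility without a rule) separable from the MISSED bucket (no visibility at all), which is exactly the split a purple team needs to decide whether to write a detection or fix log collection.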

Bryson is the Founder of SCYTHE, a start-up building a next generation attack emulation platform, and GRIMM, a boutique cybersecurity consultancy, and Co-Founder of the ICS Village, a non-profit advancing awareness of industrial control system security. He is a National Security Institute Fellow and an Advisor to the Army Cyber Institute. Prior, Bryson led an elite offensive capabilities development group. As a U.S. Army Officer, he served as a Battle Captain and Brigade Engineering Officer in support of Operation Iraqi Freedom before leaving the Army as a Captain.

Bryson received his Bachelor of Science in Computer Science with honors from the United States Military Academy at West Point. He holds a Master’s Degree in Telecommunications Management from the University of Maryland, a Master’s in Business Administration from the University of Florida, and completed graduate studies in Electrical Engineering and Computer Science at the University of Texas.