Tim Schulz

July 26, 2021

Adaptive Adversary Emulation (Part 1): Execution Details

Back in 2019 at the inaugural SANS Purple Team Summit I gave a talk titled “Adaptive Adversary Emulation with MITRE ATT&CK®”. In the talk I go over how small changes to adversary emulation plans can provide significant results and allow a deliberate approach to generating iterative tests.

July 8, 2021

Threat Thursday - Exfiltration Over Web Service: Exfiltration to Cloud Storage

This #ThreatThursday is all about leveraging cloud storage to exfiltrate data. We also cover a tool that leaves credentials unsecured on the file system. In particular, we are going to look at how threat actors leverage cloud services like MEGA and use open source tools like rclone to exfiltrate data.

May 24, 2021

Introducing the Purple Team Maturity Model

Today we are proposing a preliminary answer to that question, which initially started out as Advanced Purple Teaming and evolved into something even larger in scope (sidenote: Advanced Purple Teaming is coming). Our answer is what we are calling the Purple Maturity Model.

May 14, 2021

Why assume breach?

Are you wondering why you and your organization should assume breach? SCYTHE’s Adversary Emulation Lead Tim Schulz answers this frequently asked question, and covers scenarios in which using an assumed breach model can help focus on strengthening detection capabilities.

March 25, 2021

Threat Thursday - Lazarus

The Lazarus Group (aka HIDDEN COBRA/Guardians of Peace/ZINC/NICKEL ACADEMY)! Lazarus was an extremely active adversary in 2020 and has continued to build capability over the past decade. They are responsible for many high-profile hacks seen over the years, such as the Sony hack in 2014. The FBI has attributed Lazarus Group as a North Korean state-sponsored hacking group.

July 22, 2021

You can’t detect 0-day exploits but… you can detect what happens next

A zero day (or 0-day) is a vulnerability that is known to neither the software vendor nor the end users. Zero days are a great way to gain initial access into an organization without being detected. They are rarely used in widespread attacks because they carry a high cost to the attacker (identifying a vulnerability that has a high chance of successful exploitation).

July 22, 2021

Malicious Uses of Blockchains

SCYTHE’s engineering team shares their most recent article on the malicious uses of Blockchains. Here’s why this is important: Cryptocurrencies are discussed often, but few understand what they are or how they work. The engineering team defines each cryptocurrency type in detail.

July 21, 2021

Gravwell Integration with SCYTHE

Enterprise-grade platforms have to integrate with other enterprise solutions in order to be effective and efficient for the end user. SCYTHE focuses on providing business value through adversary emulation and showing whether security tools and controls are properly implemented and tuned to detect malicious behavior.
