It’s dangerous to go alone! Evolving threat landscapes and shifting resources.

CISOs need all the swords and unicorns available and at the ready — leveraging their team, time, and budget to focus on the adventure at hand. CISO Stressed — SCYTHE’s latest release focuses on the quests that CISOs face. Join Liz Wharton (Chief of Staff at SCYTHE) for conversations on what is top of mind with CISOs — what causes stress and what they’re stressing within their organization.
Come join and listen in.

Follow along on YouTube or wherever you listen to podcasts.
Please subscribe, rate, and review to help others find the show!


CISO Stressed

August 10, 2021

CISO Stressed Episode 9: Aldan Berrie

On this episode of CISO STRESSED, host Liz Wharton is joined by Aldan Berrie. Berrie is the founder and Director of Technology Solutions, with years of experience in the security industry.

CISO Stressed

July 27, 2021

CISO Stressed Episode 8: Robert “RSnake” Hansen

On this episode of CISO STRESSED, SCYTHE Chief of Staff and host Elizabeth Wharton is joined by Robert Hansen. Hansen is the Chief Technology Officer at Bit Discovery and a floating CISO for multiple companies.

CISO Stressed

July 13, 2021

CISO Stressed Episode 7: Matthew Dunlop, CISO at Under Armour

On this episode of CISO STRESSED, Elizabeth Wharton is joined by Matthew Dunlop. Matt is an Army veteran and VP, CISO at Under Armour, responsible for global security across all corporate, retail, and eCommerce functions, as well as its connected fitness application MapMyFitness.

CISO Stressed

June 28, 2021

CISO STRESSED Episode 6 with Ed Rojas, Director of Tactical Edge

On this episode of CISO STRESSED, SCYTHE Chief of Staff Elizabeth Wharton is joined by Ed Rojas, Director of Tactical Edge. Tactical Edge is an organization focused on creating large-scale cybersecurity and AI events within Latin America.

CISO Stressed

June 8, 2021

CISO Stressed Episode 5: Nick Andersen

On this episode of CISO STRESSED, SCYTHE Chief of Staff Elizabeth Wharton is joined by Nick Andersen, CISO for Public Sector at Lumen Technologies and Nonresident Senior Fellow with the Cyber Statecraft Initiative at the Atlantic Council.

CISO Stressed

May 10, 2021

CISO Stressed Episode 4: SCYTHE Chief of Staff Elizabeth Wharton interviews Dr. Pablo Breuer

On this episode of CISO STRESSED, SCYTHE Chief of Staff Elizabeth Wharton interviews Pablo Breuer, CISO of Security BSides Las Vegas.

CISO Stressed

January 8, 2021

Leveraging Resources When Chock Full of Challenges

Elizabeth Wharton interviews guest Mitch Parker, Exec. Dir./CISO at Indiana University Health. Healthcare security is on all of our minds these days. The security and medical communities are working together towards the same goal: protecting people. You may be wondering what that looks like in today’s world.

CISO Stressed

November 10, 2020

Episode 3: Leveraging Resources When Chock Full of Challenges with Guest Mitch Parker

Healthcare is chock full of adventure: a rising number of patients, an increase in malware attacks, and a shift towards remote work. On this episode of CISO STRESSED, Liz sits down with Mitch Parker, Exec. Dir./CISO at Indiana University Health, and talks about leveraging and maximizing resources and building trust to solve the security challenges facing healthcare systems.

CISO Stressed

October 27, 2020

CISO Stressed Episode 2: Digital Empathy in the Customer Experience (Guest Shawn M. Bowen)

Building security into the customer experience, not “compliance helmets”: Shawn Bowen, CISO at Restaurant Brands International, joins CISO Stressed host Liz Wharton to discuss the value of experience-based learning, digital empathy, and the customer experience.

CISO Stressed

October 13, 2020

CISO Stressed Episode 1: Wendy Nather & Tyrone Wilson

Conversations stimulate ideas and solutions, and help us feel connected. In our inaugural episode of CISO Stressed, guests Wendy Nather and Tyrone Wilson join Liz to discuss how to adjust to shifting work environments while still providing team members with hands-on training experiences, how to stay motivated, and favorite ways to cap off the day.

#ThreatThursday

October 21, 2021

Threat Thursday - NetWire RAT

Christopher Peacock, the newest Unicorn to join the herd as an Adversary Emulation and Detection Engineer, shares his first #ThreatThursday, covering the recent NetWire RAT report from BlackBerry’s ThreatVector blog. It focuses on the emulation and detection opportunities the threat presents, to help organizations measure and defend against its behaviors.

#ThreatThursday

September 9, 2021

Threat Thursday - Phobos Ransomware

As usual, we consume Cyber Threat Intelligence and map it to MITRE ATT&CK. We create an adversary emulation plan, share it on our Community Threats GitHub, and show how to Attack, Detect, and Respond to Phobos attacks.

#ThreatThursday

September 2, 2021

Threat Thursday - Hive Ransomware

The FBI released a Flash Alert on August 25, 2021 warning organizations about the Hive ransomware, which has affected at least 28 organizations including Memorial Health. As usual for #ThreatThursday, we consume the Cyber Threat Intelligence and map it to MITRE ATT&CK, create and share an adversary emulation plan on the SCYTHE GitHub, and discuss ways to prevent, detect, and respond to this threat.

#ThreatThursday

July 8, 2021

Threat Thursday - Exfiltration Over Web Service: Exfiltration to Cloud Storage

This #ThreatThursday is all about leveraging cloud storage to exfiltrate data. We also cover a tool that leaves credentials unsecured on the file system. In particular, we look at how threat actors leverage cloud services like MEGA and use open-source tools like rclone to exfiltrate data.

#ThreatThursday

June 24, 2021

Threat Thursday - Top Ransomware TTPs

At SCYTHE we are constantly collaborating with industry experts and organizations. Recently, someone reached out as they are building out a ransomware readiness assessment: “We are looking for a consolidated mapping of major ransomware actors on the ATT&CK framework, like SCYTHE does for individual actors on #ThreatThursday.”

#ThreatThursday

June 17, 2021

Threat Thursday - Evading Defenses with ISO files like NOBELIUM

Microsoft released a blog post late on Thursday, May 27, 2021 about a new sophisticated email-based attack from NOBELIUM, the SolarWinds threat actor, in which they compromised Constant Contact to send malicious emails carrying a weaponized ISO file. For this post, we look at the recent NOBELIUM attack and show how to emulate these techniques with SCYTHE. We also contributed an atomic test to the Atomic Red Team project.

#ThreatThursday

May 27, 2021

Threat Thursday - Conti Ransomware

For this #ThreatThursday we look at one of the most common ransomware threat actors, Conti. We leverage Cyber Threat Intelligence from a new partner, TruKno, that provides adversary behavior all the way down to the procedure level, facilitating the creation of adversary emulation plans so that you can test against these behaviors in your production environment more efficiently.

#ThreatThursday

May 10, 2021

#ThreatThursday - DarkSide Ransomware

In this blog we consume Cyber Threat Intelligence to understand how the DarkSide ransomware behaves, create and share an adversary emulation plan so you can quickly test, measure, and improve your people, process, and technology against similar attacks, and discuss how to detect and respond to DarkSide ransomware.

#ThreatThursday

April 29, 2021

Florida Water Plant Breach

TeamViewer was at the forefront of an attack on a Florida water facility in February 2021. A malicious actor logged into the water treatment facility’s computer system through the remote desktop software and tried to increase the amount of sodium hydroxide to a dangerous level.

#ThreatThursday

March 25, 2021

Threat Thursday - Lazarus

This week: the Lazarus Group (aka HIDDEN COBRA/Guardians of Peace/ZINC/NICKEL ACADEMY)! Lazarus was an extremely active adversary in 2020 and has continued to build capability over the past decade. They are responsible for many high-profile hacks seen over the years, such as the Sony hack in 2014. The FBI has attributed the Lazarus Group to North Korea as a state-sponsored hacking group.

#ThreatThursday

February 25, 2021

#ThreatThursday - menuPass with special guest Shane Patterson

This #ThreatThursday is menuPass! Tim Schulz caught up with Shane Patterson to discuss MITRE Engenuity’s plan release, the challenges in creating emulation plans, and what makes this threat unique.

#ThreatThursday

February 25, 2021

#ThreatThursday - menuPass

For this Threat Thursday we look at menuPass (aka APT10/Stone Panda/Red Apollo/CVNX/Potassium/Cloud Hopper), a cyber threat actor responsible for global intellectual property theft that is thought to be affiliated with, or working at the behest of, the Chinese Ministry of State Security.

#ThreatThursday

January 14, 2021

#ThreatThursday - Egregor Ransomware with Sean Gallagher

Jorge Orchilles sits down with Sean Gallagher, a Senior Threat Researcher at SophosLabs. Sean walks us through understanding how this ransomware operates, creating an adversary emulation plan, and the best defense against a similar attack.

#ThreatThursday

January 14, 2021

#ThreatThursday - Egregor Ransomware

This week we take a look at Egregor ransomware, which since September 2020 has breached multiple networks, exfiltrated their data, and brought them down. Stealing data before deploying ransomware has been a common modus operandi of the Egregor group.

#ThreatThursday

December 10, 2020

#ThreatThursday - FIN6 Phase 2

FIN6 is a cybercrime group that specializes in stealing payment card data and selling it in underground marketplaces. This group, also known as Skeleton Spider and ITG08, has aggressively targeted and compromised point-of-sale (PoS) systems in the hospitality and retail sectors since at least 2017.

#ThreatThursday

November 20, 2020

#ThreatThursday - Berserk Bear

As usual for #ThreatThursday, we work to understand Berserk Bear’s behavior, map it to MITRE ATT&CK and share the ATT&CK Navigator JSON, create and share an adversary emulation plan in the largest public adversary behavior repository, and discuss how to defend against this energy sector adversary.

#ThreatThursday

November 5, 2020

#ThreatThursday - Ryuk

This week, we take a deeper dive into emulating and defending against the ransomware behind a recent spike in healthcare sector attacks: Ryuk. Researchers estimate that Ryuk has been behind a third of the ransomware attacks detected in 2020, including the latest surge in attacks on hospital and healthcare IT systems.

#ThreatThursday

October 22, 2020

#ThreatThursday - FIN6

Welcome to another week of #ThreatThursday! This week’s Threat Thursday is slightly different from the standard, as we discuss the FIN6 Adversary Emulation Plan released by MITRE Engenuity’s Center for Threat-Informed Defense. We focus on the importance of machine-readable Cyber Threat Intelligence at the adversary behavior and TTP level, sharing adversary emulation plans, and YAML-to-JSON conversion.

#ThreatThursday

October 15, 2020

#ThreatThursday - APT41

Welcome to another week of #ThreatThursday. This week we leverage an adversary emulation plan created and shared with the community by a third party: the APT41 Emulation Plan. As usual, we cover Cyber Threat Intelligence, create a threat actor profile, create an adversary emulation plan from the work done by Huy, share the plan on our GitHub, explain some of the new TTPs we leverage, and discuss how to defend against APT41.

#ThreatThursday

October 8, 2020

#ThreatThursday - SlothfulMedia

On October 1, 2020, US-CERT published a Malware Analysis Report (MAR) on new malware seen in the wild, called SlothfulMedia. The report suggests this is a “sophisticated cyber actor,” but as you will see, it looks like a very typical Remote Access Trojan. As usual, we review the Cyber Threat Intelligence, create an adversary emulation plan, demonstrate the emulation, and discuss how to defend against this threat.

#ThreatThursday

October 1, 2020

#ThreatThursday - MAZE

Welcome to another edition of #ThreatThursday. This week we are excited to kick off Cybersecurity Awareness Month by looking at MAZE, a ransomware threat which emerged around May 2019, predominantly affecting organizations in the USA. MAZE, like other ransomware, also has an extortion component, where exfiltration of the original data occurs in addition to the encryption/ransom component.

#ThreatThursday

September 17, 2020

#ThreatThursday - HoneyBee

Welcome to another edition of #ThreatThursday. This week we look at Honeybee, a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. This post coincides with a talk I gave at EkoParty on Adversary Emulation.

#ThreatThursday

September 10, 2020

#ThreatThursday - PowerShell

This week we look at a MITRE ATT&CK sub-technique that deserves a #ThreatThursday of its own: PowerShell. It is an interactive command-line interface and scripting environment included in all supported versions of the Windows operating system, and many threat actors have some history of leveraging it. This sub-technique is an example of a TTP you cannot prevent in your environment; Microsoft ships PowerShell as part of the underlying operating system and it is virtually impossible to remove.

#ThreatThursday

September 3, 2020

#ThreatThursday - SpeakUp

This #ThreatThursday we are releasing our first macOS threat to the SCYTHE Community Threats GitHub. As more and more customers migrate to Apple products, we want to provide adversary emulation plans that work against macOS as well. SCYTHE has the ability to create campaigns for Windows, Linux, and macOS. This post looks at emulating a macOS threat known as SpeakUp.

#ThreatThursday

August 27, 2020

#ThreatThursday - Custom Threats

At SCYTHE, we spend a lot of time focusing on adversary emulation, as it is an ideal method for maturing your red team engagements and purple team exercises to provide the most business value (see our Ethical Hacking Maturity Model). For this post, we want to cover custom threats. What if a new technique has not yet been seen in the wild?

#ThreatThursday

August 6, 2020

#ThreatThursday - Evil Corp

This blog post dives deeper into the Garmin attack, extracts TTPs from Cyber Threat Intelligence, creates a MITRE ATT&CK Navigator layer and adversary emulation plan, emulates the attack with Cobalt Strike (like Evil Corp used) and then drops a synthetic WastedLocker built with SCYTHE, and discusses how to defend against ransomware attacks with Olaf Hartong.

#ThreatThursday

July 30, 2020

#ThreatThursday - Emotet

On Friday, July 17, many of us woke up to a bunch of new phishing emails. What happened overnight? Well, as Sherrod DeGrippo from Proofpoint wrote, Emotet returned after a five-month hiatus. Emotet is a banking trojan that gains access to end-user machines and steals their financial information, such as login credentials and personally identifiable information (PII). This week, we met with Sherrod and discussed Emotet. As usual, we create an adversary emulation plan based on Cyber Threat Intelligence and then emulate it with SCYTHE.

#ThreatThursday

July 23, 2020

#ThreatThursday - Deep Panda

This week we interviewed Bradford Regeski, a Cyber Threat Intelligence analyst at H-ISAC, about the top threats the healthcare industry is seeing. He shared a number of excellent resources on threat actors, told us a little more about H-ISAC, and dove deeper into Deep Panda.

#ThreatThursday

July 16, 2020

#ThreatThursday - Orangeworm

This week on #ThreatThursday we cover the latest release of MITRE ATT&CK (with sub-techniques), announce a healthcare partnership, and look at a threat actor that has been targeting the healthcare sector for years: Orangeworm. As usual, we consume Cyber Threat Intelligence, create a threat profile and adversary emulation plan, and discuss how to defend against Orangeworm.

#ThreatThursday

July 9, 2020

#ThreatThursday - Managing Threats

Welcome to another edition of #ThreatThursday! We now have a section on this blog exclusively for #ThreatThursday, so that you can efficiently find the resources for CTI analysis, threat emulation, and remediation in one location every week (https://www.scythe.io/threatthursday). Feel free to bookmark it or subscribe to the RSS feed.

#ThreatThursday

July 2, 2020

#ThreatThursday - Ransomware

A day hardly goes by without hearing about another ransomware attack. Just this week I read, on SANS NewsBites, that the University of California San Francisco (UCSF) paid $1.1 million to regain access to their data. This week on #ThreatThursday we take a look at a ransomware example, learn how criminals are evolving to get paid, create an adversary emulation plan that is safe but valuable for enterprises, and speak to industry thought leader Olaf Hartong about defending against ransomware attacks using Sysmon.

#ThreatThursday

June 25, 2020

#ThreatThursday - Cozy Bear

This week on #ThreatThursday we look at Cozy Bear, or APT29, a Russian government threat group that has been operating since at least 2008. This group is most famous for its attribution to the Democratic National Committee hack in the summer of 2015.

#ThreatThursday

June 18, 2020

#ThreatThursday - APT33

This week on #ThreatThursday we look at an Iranian threat actor, APT33 or Elfin. We introduce the MITRE ATT&CK Beta with sub-techniques, create and share an adversary emulation plan for APT33 on GitHub, show how to execute PowerShell (both powershell.exe and unmanaged PowerShell) through SCYTHE, and show how to perform lateral movement within the SCYTHE user interface as well as on the command line.

#ThreatThursday

June 11, 2020

#ThreatThursday - Buhtrap

In this #ThreatThursday we look at Buhtrap, a criminal team attacking financial institutions. We present new concepts this week, such as consuming Cyber Threat Intelligence that has not been mapped or tracked on the MITRE ATT&CK website, and explain the concept of short-haul and long-haul C2.

#ThreatThursday

June 4, 2020

#ThreatThursday - APT19

Adversary emulation is a threat-intelligence-driven process. Leveraging threat intelligence is required for more effective defense (Blue Team) and offense (Red Team). We must understand how threats operate and their behaviors (tactics, techniques, and procedures) to stay ahead of them and to prevent or detect their attacks on our organization. For these reasons, we want to share our vision for being threat-led with our readers and introduce #ThreatThursday.
