September 29, 2022

Threat Emulation: Yanluowang

The Yanluowang ransomware group has been around since at least late 2021, but many people had never heard their name prior to their involvement in the Cisco incident in August 2022. SCYTHE posting this threat in no way should be construed as victim blaming. On the contrary, there is sufficient data in the public domain to discuss at least in part because of the great work by Talos. 

September 27, 2022

Easy LOLBAS Wins for Purple Teams

Living Off the Land Binaries and Scripts (LOLBAS) is a technique used by adversaries and red teamers alike to abuse, misuse and execute malicious payloads on target. This is a great open source project of known binaries which provide resources to adversaries.

September 16, 2022

New OMB Guidance to Software Producers

On September 14, 2022, OMB released memorandum M-22-18, detailing requirements for federal agencies procuring software from producers.

September 8, 2022

SCYTHE New Version 4.0 Enhances Collaboration Across Multiple Security Team Roles

SCYTHE, a leader in adversarial emulation, announced the release of version 4.0 of the company’s flagship cybersecurity platform, offering new features and functionality that will extend capabilities for greater collaboration between blue, red, and purple teams.

August 25, 2022

Threat Emulation: GootLoader

Welcome to the August 2022 SCYTHE #ThreatThursday! This edition features a GootLoader emulation based on the write-up from our friends at The DFIR Report.

July 28, 2022

Threat Emulation: Qakbot

Welcome to the July 2022 SCYTHE #ThreatThursday! This edition features an emulation of Qakbot, a piece of malware that is no stranger to the threat intel community.

June 30, 2022

Windows Telemetry Persistence

June’s Threat Thursday will focus on a unique persistence method that is not widely used by threat actors, but works all the way through at least Windows 11 21H2. In 2020 a few researchers from TrustedSec outlined a unique method of persistence that leverages Windows Telemetry.

May 30, 2022

Breaking: Follina (MSDT) Vulnerability

There’s a new vulnerability abusing the ms-msdt protocol handler to execute arbitrary code in Office. Since “msdt vulnerability” is hard to track, Kevin Beaumont dubbed this vulnerability Follina (and we’ll continue to use that nomenclature in this post).

May 26, 2022

Threat Emulation: Industroyer2 Operation

Welcome to the May 2022 SCYTHE #ThreatThursday! This month we are featuring the recent Industroyer2 operation observed in Ukraine with a new campaign. Per the reporting from ESET, the Sandworm threat actor group was most likely responsible for deploying the Industroyer2 malware.

May 20, 2022

Version 3.7 of the SCYTHE Platform Released - Demo Video

Now you can easily collaborate with Blue Teams to strengthen cyber defenses. Be more effective and efficient with a centralized dashboard and enhancements to user experience.

May 17, 2022

F5 Big-IP appliances vulnerability - Follow-up

Last week, SCYTHE released emulation plans detailing post-exploitation activity by threat actors targeting F5 Big-IP appliances (CVE-2022-1388). To add to the fun, SCYTHE’s own Brandon Radosevich created a module to test for the F5 Big-IP vulnerability. SCYTHE normally focuses exclusively on post-exploitation and vulnerability scanning really isn’t our thing. This is the second time SCYTHE has built vulnerability scanning modules (the other being log4j).

May 12, 2022

Actionable Purple Teaming: Why and How You Can (and Should) Go Purple

If you are curious about the emerging and maturing concept of purple teaming in cybersecurity, look no further. Purple teaming power houses Chief Technology Officer Jorge Ochilles from SCYTHE, Purple Team Lead and Senior Security Engineer Maril Vernon from Aquia, and Founder and CEO Dan DeCloss of PlexTrac recently combined forces to discuss why and how you need to get started in purple teaming as a way to be more proactive and mature your cybersecurity program.

May 9, 2022

VULN ALERT: F5 Big-IP appliances vulnerability - CVE-2022-1388

There’s a new vulnerability out there impacting F5 Big-IP appliances, and our CTI team created not one, but two emulation plans for it

May 2, 2022

Adaptive Emulation (Part 2): Execution Methods

This is part 2 of our adversary emulation lead, Tim Schulz's series on adaptive emulation.

April 28, 2022

Operationalizing Red Canary's 2022 Threat Detection Report

April 21, 2022

A Lesson from the Okta Incident: Scaling Purple Teaming for Better Controls Validation

SCYTHE's Executive Director of Threat Intelligence, Jake Williams, examines the Okta incident postmortem, and highlights the importance of purple teaming for effective controls validation

April 12, 2022

Why is SCYTHE Building a CTI Team?

Our new Executive Director of Cyber Threat Intelligence, Jake Williams shares with us his plan for SCYTHE's new CTI team!

April 11, 2022

Building an Internal Red Team? Go Purple first

Building a Red Team? Our CTO, Jorge Orchilles makes the argument for running a Purple Team Exercise before you do.

March 31, 2022

#ThreatThursday FIN13

Welcome to our March 2022 SCYTHE #ThreatThursday! This month we will do a deep dive on the threat actor FIN13 who has been tracked by Mandiant since 2017 and is known to target Mexican organizations. We will examine the phases of their attacks, and extract TTPs from Mandiant’s report to build a SCYTHE Campaign that emulates their post-breach behavior.

March 24, 2022

Cybersecurity and Your Board

The role of a board member continues to evolve in response to shifts in the business landscape. Cybersecurity is a key component of business continuity and success, and board members’ will demand more from their companies’ leadership.

March 16, 2022

Summiting the Pyramid of Pain: The TTP Pyramid

Tactics, Techniques, and Procedures often get lumped together as the phrase TTPs. Each though is a drastically different level of Cyber Threat Intelligence. So often, the phrase TTP is thrown around but only represents getting to the technique level with no procedure data. Here we will cover the significant benefits of getting to the procedure level of TTPs.

February 24, 2022

Threat Actor APT35

Welcome to the February 2022 SCYTHE #ThreatThursday! This edition covers some recent intelligence from Check Point Research on post access tools and procedures leveraged by APT35. In addition, we recommend reviewing Check Point’s excellent write-up to complement our post if you have the time.

February 4, 2022

Breaking Down LOLBAS Attacks With The Help Of Hunter-gatherers

Read how Nathali Cano compares hunter-gatherers techniques to the LOLBAS attacks!

January 27, 2022

Adversary Emulation Diavol Ransomware #ThreatThursday

We have created our most elaborate automated threat, emulating a real Diavol ransomware attack, in a 5-stage attack

January 27, 2022

Emulación de Adversarios Diavol Ransomware

Hemos creado nuestra amenaza automatizada más elaborada, emulando un ataque real del ransomware Diavol, en un ataque de 5 etapas.

December 16, 2021

#ThreatThursday - UNC2452

Ben Finke from OnDefend will go through our typical #ThreatThursday format to introduce the threat actor, UNC2452, ingest Cyber Threat Intelligence, build an adversary emulation plan, and discuss detection and response.

December 15, 2021

Porting the Log4J CVE PoC to SCYTHE

A walkthrough of SCYTHE's Log4j module

November 30, 2021

Threat Thursday - Red Canary October Detection Opportunities

Our new Adversary Emulation Detection Engineer, Christopher Peacock, shares this #ThreatThursday where he dived into Red Canary’s new blog and reviewed the methods they used in order to develop emulation plans to validate the detection opportunities in your environment.

November 8, 2021

SCYTHE Announces Series A Funding Round

Today, the SCYTHE team and I are thrilled and proud to announce the closure of our $10 million in Series A funding which acts as an endorsement of our hard work, innovative technology, and commitment to solving customers’ cybersecurity challenges. 

November 3, 2021

Simplifying the MITRE ATT&CK Framework

The immeasurable value of ATT&CK truly lies in being an open source tool, meaning it’s data has been shared from contributors from all over the globe. All the intelligence captured in the ATT&CK framework has brought communities of blue and red teamers that are looking to understand how adversaries operate, what they do, what tools they use, etc.

October 27, 2021

The Risks of Supply Chain Corruption from IoT Devices

A recent report highlighted by the National Cyber Security Centre uncovered a 37% increase in supply chain attacks in the previous year. Unsurprisingly, this increase coincides with a growing demand to integrate Internet-of-Things (IoT) and Industrial IoT (IIoT) into company networks. Supply chain corruption via (I)IoT is an area that demands further research and attention. 

October 25, 2021

SCYTHE Partner Spotlight: CIPHER

SCYTHE CTO Jorge Orchilles, sat down with Ricardo Encinosa, VP of Managed Security Services U.S. at CIPHER, to discuss their partnership experience with SCYTHE. Jorge and Ricardo discussed the different ways that CIPHER has used SCYTHE to test their controls and answer some of their top questions.

October 21, 2021

Blue Team Training, Assumed Breach, and Shifting Security Left

The movement to “shift security left” focuses on mitigating risk as early as possible within the development cycle by engaging in open source code reviews and monitoring for reachable vulnerabilities. However, as part of this shift left movement, organizations are also changing their approach to post-implementation security monitoring. By taking an assumed breach approach to security, organizations shift security from reactive to proactive.

October 21, 2021

Threat Thursday - NetWire RAT

Christopher Peacock, the newest Unicorn to join the herd as an Adversary Emulation - Detection Engineer shares his first #ThreatThursday, covering the recent NetWire RAT report from BlackBerry’s ThreatVector Blog. It focuses on the emulation and detection opportunities of the threat in order to help organizations measure and defend against the threat’s behaviors.

September 21, 2021

SCYTHE is thrilled to announce that we have been chosen as a 2021 Timmy Awards Best Tech Startup Finalist!

SCYTHE is thrilled to announce that we have been chosen as a 2021 Timmy Awards Best Tech Startup Finalist! Thank you to everyone who voted and made this possible. SCYTHE is continuously honored and grateful for the recognition that has been granted to us.

September 10, 2021

SCYTHE was recently selected as one of SINET’s companies to watch for 2021

SCYTHE was recently selected as one of SINET’s companies to watch for 2021, along with Corsha and DEEPFACTOR. SINET recognizes companies to watch by the value they bring in the beginning stage as a startup company. SCYTHE is continuously honored and grateful for the recognition that has been granted to us.

September 9, 2021

ThreatThursday - Phobos Ransomware

As usual, we will consume Cyber Threat Intelligence and map it to MITRE ATT&CK. We will create an adversary emulation plan, share it on our Community Threats Github, and we will show how to Attack, Detect, and Respond to Phobos attacks.

September 7, 2021

T1030- Testing Data Transfer Limit Sizes

Ransomware is not the only threat. Data exfiltration can occur in many scenarios. SCYTHE can be used to test detection of data exfiltration by testing the transfer limits of data. Enjoy our latest blog by Elaine Harrison-Neukirch.

September 7, 2021

SCYTHE named one of 101 Leading Virginia Risk Management Firms and Startups – The Future of Risk Management

SCYTHE is honored to be named one of the 101 Leading Virginia Risk Management Firms and Startups by Daily Finance.

September 2, 2021

Threat Thursday - Hive Ransomware

The FBI released a Flash Alert on August 25, 2021 warning organizations about the Hive ransomware that has affected at least 28 organizations including Memorial Health. As usual for #ThreatThursday, we will consume the Cyber Threat Intelligence and map it to MITRE ATT&CK, we create and share an adversary emulation plan on the SCYTHE GitHub, and discuss ways to prevent, detect, and respond to this threat. 

August 31, 2021

SCYTHE’s Virtual File System

If you follow SCYTHE’s Threat Thursday posts and utilize SCYTHE’s Community Threats Github Repository, you are probably familiar with the VFS (Virtual File System) folders used with some of the Community Threats.

August 26, 2021

A New Paradigm for Recovery: Shifting Your Mindset

Over the last two years, it's been pretty clear that ransomware is a pervasive problem, one that fundamentally challenges an organization’s ability to recover. A technology gap still exists when looking at how to address the onslaught of ransomware.

August 20, 2021

SCYTHE Domain Fronting through Azure CDN

Domain Fronting is a MITRE ATT&CK technique (T1090.004) where the attacker takes advantage of the routing mechanism of Content Delivery Networks (CDNs) to bypass egress (outbound) controls and establish Command and Control (C2). Proxying C2 traffic through various hosts/domains is an ideal technique to not expose your SCYTHE (or any C2) server to the target organization directly.

August 16, 2021

Malware Risks in Open Source Code

Over the last year, threat actors have focused increasingly on attacking critical supply chain members. Malicious actors seeking to disrupt digital or physical supply chains manage to find organizations that sit at the epicenter of an industry.

August 10, 2021

CISO Stressed Episode 9: Aldan Berrie

On this episode of CISO STRESSED, Host Liz Wharton is joined by Aldan Berrie. Berrie is the founder and Director of Technology Solutions with years of experience in the security industry.

August 6, 2021

The Real Costs of Ransomware: Hidden Costs

As threat actors continue to target organizations, the direct costs of a ransomware attack are often easy to calculate. For the most part, news outlets will report the ransom requested and the amount paid. However, organizations that get hit with a ransomware attack know that the reported amounts are only a small portion of the total costs.

July 29, 2021

Threat Intelligence Sharing: Democratizing Risk Information

Deadlines are closing in on private and public sector entities following the Executive Order on Improving the Nation’s Cybersecurity. Prior to the release of this executive order, organizations will be able to share threat intelligence with the FBI, CISA, and other intelligence community members. The timelines and expectations of the EO are provided.

July 27, 2021

CISO Stressed Episode 8: Robert “RSnake” Hansen

On this episode of CISO STRESSED, SCYTHE Chief of Staff and Host Elizabeth Wharton is joined by Robert Hansen. Hansen is the Chief Technology Officer at Bit Discovery and a floating CISO for multiple companies.

July 26, 2021

Adaptive Adversary Emulation (Part 1): Execution Details

Back in 2019 at the inaugural SANS Purple Team Summit I gave a talk titled “Adaptive Adversary Emulation with MITRE ATT&CK®”. In the talk I go over how small changes to adversary emulation plans can provide significant results and allow a deliberate approach to generating iterative tests.

July 22, 2021

You can’t detect 0-day exploits but… you can detect what happens next

A zero day (or 0-day) is a vulnerability that is not known by the software vendor nor the end users. They are a great way to gain initial access into an organization without being detected. Zero days are rarely used in widespread attacks as they are a high cost to the attacker (identifying a vulnerability that has a high chance of successful exploitation).

July 22, 2021

Malicious Uses of Blockchains

SCYTHE’s engineering team shares their most recent article on the malicious uses of Blockchains. Here’s why this is important: Bitcoin and other cryptocurrencies are versatile tools for cybercrime since they can be used as infrastructure for botnets and as an equivalent of gold bullion in cybercrime and cyberwar.

July 21, 2021

Gravwell Integration with SCYTHE

Enterprise-grade platforms have to integrate with other enterprise solutions in order to be effective and efficient for the end user. SCYTHE focuses on providing business value through adversary emulation and showing whether security tools and controls are properly implemented and tuned to detect malicious behavior.

July 19, 2021

Beachhead Access in Industrial Control Systems

Attackers will continue to attack industrial control systems (ICS) because they can get the biggest “bang for their buck.” They want to disrupt critical infrastructure either for financial gain or to cause social chaos. Threat modeling gives organizations a way to reduce cybersecurity risk without leading to costly system outages.

July 15, 2021

SCYTHE provides new insights on Vulnerability Assessments  in TAG Cybers New Report

SCYTHE has been selected by TAG Cyber on behalf of our leadership in the cybersecurity industry and our management of information as a technology solution provider to participate in the creation of its newest report. This report contains vital information regarding vulnerability and identity management, data breaches, and more

July 15, 2021

Exfiltration Over Alternative Protocol

Blue Teamers, have you been looking for an automated method of discovery for ports that are allowed in outbound, North/ South (egress) traffic within your network? Your search is over! SCYTHE’s Marketplace offers a free module, Let Me Out (LMO), a SCYTHE port of mubix’s Let Me Out project. This module tests egress traffic for specific ports.

July 13, 2021

Attack, Detect, and Respond a UniChat with Ed Amoroso and Bryson Bort

This UniChat was something special. SCYTHE Founder and CEO, Bryson Bort sat down to discuss Attack, Detect, and Respond with ADR collaborator and friend, Ed Amoroso. Ed is the CEO of TAG Cyber, a cyber expert, and a long-time friend. Bort and Amoroso opened the UniChat by sharing the story of ADR and how it originated. Attack, Detect, and Respond was born out of a need for companies to prioritize aligning risk assessments with business.

July 13, 2021

CISO Stressed Episode 7: Matthew Dunlop CISO at Under Armour

On this episode of CISO STRESSED, Elizabeth Wharton is joined by Matthew Dunlop. Matt is an Army Veteran, and VP CISO at Under Armour responsible for global security across all corporate, retail and eCommerce functions, as well as its connected fitness application MapMyFitness.

July 8, 2021

Threat Thursday - Exfiltration Over Web Service: Exfiltration to Cloud Storage

This #ThreatThursday is all about leveraging cloud storage to exfiltrate data. We also cover a tool that leaves credentials unsecured on the file system. In particular, we are going to look at how threat actors leverage cloud services like MEGA and use open source tools like rclone to exfiltrate data.

June 28, 2021

CISO STRESSED Episode 6 with Ed Rojas, Director of Tactical Edge.

On this episode of CISO STRESSED, SCYTHE Chief of Staff Elizabeth Wharton is joined by Ed Rojas, Director of Tactical Edge. Tactical Edge is an organization focused on creating large-scale events within Latin America for Cybersecurity and AI.

June 24, 2021

Threat Thursday Top Ransomware TTPs

At SCYTHE we are constantly collaborating with industry experts and organizations. Recently, someone reached out as they are building out a ransomware readiness assessment. “We are looking for a consolidated mapping of major ransomware actors on the ATT&CK framework, like SCYTHE does for individual actors on #ThreatThursday.

June 17, 2021

Threat Thursday - Evading Defenses with ISO files like NOBELIUM

Microsoft released a blog post late on Thursday May 27, 2021 about a new sophisticated email-based attack from NOBELIUM, the SolarWinds threat actor, where they compromised Constant Contact to send malicious emails with a weaponized ISO file.For this post, we look at the recent attack from NOBELIUM and show how to emulate these techniques with SCYTHE. We also committed an atomic test to the Atomic Red Team project.

June 17, 2021

TSA Pipeline Security Guidelines and ADR

In April 2021, the Transportation Security Administration (TSA) updated its TSA Pipeline Security Guidelines. The Colonial Pipeline ransomware attack means more attention will be paid to the cybersecurity posture of the oil and natural gas (ONG) industry. Understanding the changes to the TSA Pipeline Security Guidelines shows how Attack, Detect, and Response (ADR) can enhance security.

June 9, 2021

The Real Costs of Ransomware: Direct Costs

Ransomware is a growing problem for organizations of all sizes and it is becoming a national security threat. As threat actors continue to look for new ways to hold companies and data hostage, security teams can feel like they’re always one step behind.

June 8, 2021

SCYTHE is proud to be recognized on the CyberTech100 for 2021

SCYTHE is honored and inspired to be listed among the many exceptional companies named on the CyberTech100 List for 2021. Our hats go off to each company that rose to the challenge of combating one of the most active years in cyber-attacks during 2021, and we look forward to continuing to rise to the occasion, as we face challenges in the years to come.

June 8, 2021

CISO Stressed Episode 5: Nick Andersen

On this episode of CISO STRESSED, Elizabeth Wharton SCYTHE Chief of Staff is joined by Nick Andersen, CISO for Public Sector at Lumen Technologies and Nonresident Senior Fellow with the Cyber Statecraft Initiative at the Atlantic Council.

June 7, 2021

SCYTHE & ATT&CK Navigator

How are Blue Teams utilizing SCYTHE? One way the Blue Team can use SCYTHE is by reviewing its reporting. SCYTHE’s reports can be used by the Blue Team in determining how gaps in security controls can be mitigated. In this post, we will be discussing the MITRE ATT&CK Navigator and NIST 800 Navigator Summary reports.

June 4, 2021

SCYTHE and PlexTrac Integration

Enterprise-grade platforms have to integrate with other enterprise solutions in order to be effective and efficient for the end user. SCYTHE focuses on providing business value through adversary emulation and showing whether security tools and controls are properly implemented and tuned to detect malicious behavior. This post covers how to integrate your SCYTHE attack platform with PlexTrac’s reporting platform.

June 3, 2021

An In-memory Embedding of CPython with SCYTHE

In this blog we discuss a project we are open sourcing: An In-memory Embedding of CPython. We provide a brief overview of this research and also share our results with the community. A paper [1] on this research was accepted in the USENIX Workshop on Offensive Technologies (WOOT 2021), which was co-located with IEEE Security and Privacy Workshops this year.

May 27, 2021

Threat Thursday - Conti Ransomware

For this #ThreatThursday we are looking at one of the most common ransomware threat actors, Conti. We are leveraging Cyber Threat Intelligence from a new partner, TrukNo, that provides adversary behavior all the way down to the procedure level, facilitating the creation of adversary emulation plans so that you can test against these behaviors in your production environment more efficiently.

May 24, 2021

Introducing the Purple Team Maturity Model

Today we are proposing a preliminary answer to that question, which initially started out as Advanced Purple Teaming and evolved into something even larger in scope (sidenote: Advanced Purple Teaming is coming). Our answer is what we are calling the Purple Maturity Model.

May 21, 2021

We joined 18 other companies to call for a prioritization of Critical Infrastructure security in the American Jobs Plan.

What a time to be alive. A group letter has been created and sent, asking Congress and the Biden Administration to prioritize cybersecurity in infrastructure legislation SCYTHE would like to thank each of the 19 companies that signed the letter for taking the initiative to strengthen the US infrastructure.

May 14, 2021

Why assume breach?

Are you wondering why you and your organization should assume breach? SCYTHE’s Adversary Emulation Lead Tim Schulz answers this frequently asked question, and covers scenarios in which using an assumed breach model can help focus on strengthening detection capabilities.

May 11, 2021

The Difference Between Cybersecurity Simulation vs Cybersecurity Emulation

Knowing the different between cybersecurity simulation and cybersecurity emulation helps enhance information security posture by validating teams and tools.

May 10, 2021

CISO Stressed Episode 4: SCYTHE Chief of Staff Elizabeth Wharton interviews Dr. Pablo Breuer.

On this episode of CISO STRESSED, SCYTHE Chief of Staff Elizabeth Wharton interviews Pablo Breuer, CISO of Security BSides Las Vegas.

May 10, 2021

Backdoors and Breaches Expansion Deck

You have heard us say this many times, security is about people, process, and technology. SCYTHE allows you to test, measure, and improve all three. One way that we facilitate training people about what an attack looks like is to display the adversary emulation plan, step by step, prior to execution.

May 10, 2021

#ThreatThursday - DarkSide Ransomware

In this blog we consume Cyber Threat Intelligence to understand how the DarkSide ransomware behaves, we create and share an adversary emulation plan so you can quickly test, measure, and improve your people, process, and technology for similar attacks, and we discuss how to detect and respond to DarkSide ransomware.

April 30, 2021

Loading Capabilities from Memory: Open Sourcing SCYTHE's Windows C In-memory Module Loader

There are three well-known mechanisms a program can choose to use other software [3]: static linking, dynamic linking, and dynamic loading. In Windows, dynamic linking and dynamic loading are handled by the Windows loader, and are done at load time and runtime, respectively.

April 29, 2021

Florida Water Plant Breach

TeamViewer was at the forefront of an attack on a Florida water facility in February 2021. A malicious actor logged into the water treatment facility’s computer system through the remote desktop software and tried to increase the amount of sodium hydroxide to a dangerous level.

April 19, 2021

SCYTHE Named 2021 TAG Cyber Distinguished Vendor

SCYTHE is proud to be an industry leader in breach and attack prevention, and would like to announce our designation as a Distinguished Vendor in this year’s Second Quarter 2021 TAG Cyber Security Quarterly.

April 19, 2021

Vulnerability Management is Hard! Using CVSS and other scoring to prioritize patching

Vulnerability prioritization focuses on the real, urgent vulnerabilities that need to be patched at a much faster timeline than the "business as usual". This post covers various methods to determine which of those vulnerabilities fall into this category of "patch now":

April 15, 2021

UniCon21 Recap

It was a day packed with amazing presentations as we celebrated National Unicorn Day. UniCon21 is a free virtual conference for the security researcher and defender community. Check out all the UniCon21 videos.

April 15, 2021

Using SCYTHE payload as Shellcode

Guest blog post by one of our partners, Jean-Maes from NVISO. During Unicon21, I (Jean-Maes) presented how I leverage the D/Invoke project from TheWover to load a SCYTHE campaign using the SCYTHE DLL that is automatically created for each campaign.

April 7, 2021

Adversary Emulation Metrics Time to Detect

Offensive security professionals and program coordinators have a learning curve as they mature through the different ethical hacking assessment types. In Vulnerability Assessment/Management and Penetration Testing, we use Common Vulnerabilities and Exposures (CVE IDs) and the Common Vulnerability Scoring System (CVSS) to report a finding using two criteria:

April 2, 2021

Setting up SCYTHE-VECTR integration

Many SCYTHE customers like to track their red and purple team exercises in a free reporting tool called VECTR. VECTR is maintained by Security Risk Advisors and we have been working with them on integrations for over a year. Naturally, we help our customers set up VECTR so that they can import SCYTHE campaigns more easily. This is a quick start guide that should help you set up VECTR with SCYTHE integration.

March 25, 2021

Threat Thursday - Lazarus

The Lazarus Group (aka HIDDEN COBRA/Guardians of Peace/ZINC/NICKEL ACADEMY)! Lazarus was an extremely active adversary in 2020 and has continued to build capability over the past decade. They are responsible for many high profile hacks seen over the years, such as the Sony hack in 2014. Lazarus Group has been attributed as a North Korean state sponsored hacking group by the FBI.

March 2, 2021

Defense Evasion with SCYTHE

“Do you have any tips and tricks to avoiding Anti Virus (AV) and Endpoint Detection and Response (EDR) for initial execution so we can focus on testing the post access adversary behaviors with SCYTHE?” We get this question all the time and figured we should share the answer(s) here in our library. While we will focus on doing this with SCYTHE, you can apply these practices to other tools as well.

February 25, 2021

#ThreatThursday - menuPass with special guest Shane Patterson

For this #ThreatThursday is menuPass! Tim Schulz caught up with Shane Patterson to discuss MITRE Engenuity's plan release, challenges in creating emulation plans, and what makes this threat unique!

February 25, 2021

#ThreatThursday - menuPass

For this Threat Thursday we are going to look at menuPass (aka APT10/Stone Panda/Red Apollo/CVNX/Potassium/Cloud Hopper), a cyber threat actor responsible for global intellectual property theft that is thought to be affiliated with, or working at the behest of, the Chinese Ministry of State Security.

February 18, 2021

How to Defend Against Ransomware

At the RSA Conference in 2020, I gave a joint talk with Chris Krebs, CISA Director at the time, on the formal collaboration between the agency and the non-profit, ICS Village. One of our biggest concerns for the future was ransomware. And unfortunately, we were right.

February 18, 2021

SCYTHE v3.2 is Available!

We are excited to announce the release of SCYTHE version 3.2! This release brings a number of new features, many of which were specifically created out of feedback from our amazing customers!

February 17, 2021

The continuing pain of PowerShell

Microsoft’s PowerShell has long been used by system administrators, and in 2013 when Dave Kennedy and Josh Kelley gave the infamous talk: “PowerShell...omfg”, it was brought to the attention of many security professionals.

February 10, 2021

Our Founder and CEO Bryson Bort breaks down the Florida water treatment facility attack.

The attack on the water treatment facility located in Oldsmar, Florida, disclosed last week highlights security shortages in the water utility sector and the rest of the U.S. critical infrastructure sector.

February 4, 2021

Introduction to Adversary Emulation

What is adversary emulation? Adversary emulation leverages adversary tactics, techniques, and procedures, enhanced by cyber threat intelligence, to create a security test based on real world intrusion campaigns.

January 28, 2021

Red Team Non-Attributable Infrastructure and the Executive Order

The January 19, 2021 Executive Order on Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities (mouthful) naturally started various debates and discussions around how this affects Red Team Non-Attributable Infrastructure.

January 20, 2021

Parsing an Executive Order: Streaming on Your TV Soon

The Executive Order’s proposed know your customer-style and information sharing regulations are more geared towards addressing intellectual property piracy than thwarting a SolarWinds style attack.

January 19, 2021

Why you should embrace Purple Team today

We are not introducing a new job role where you have to hire more people or have to spend more money. See, a purple team is a virtual, functional team that fosters collaboration and efficiency in testing, measuring, and improving your current cyber security people, process, and technology (security controls).

January 14, 2021

#ThreatThursday - Egregor Ransomware with Sean Gallagher

Jorge Orchilles sits down with Sean Gallagher, a Senior Threat researcher at Sophos Labs. Sean walks us through understanding how this ransomware operates, creating an adversary emulation plan, and the best defense against a similar attack.

January 14, 2021

#ThreatThursday - Egregor Ransomware

This week we will take a look at Egregor ransomware that has breached, exfiltrated data, and brought down multiple networks since September 2020. Stealing data before deploying ransomware has been a common modus operandi of the Egregor group.

January 8, 2021

Leveraging Resources When Chock Full of Challenges.

Elizabeth Wharton interviews Guest Mitch Parker, Exec. Dir./CISO at Indiana University Health. Healthcare security is present on all of our minds these days. The security and medical communities are working together towards the same goal: protecting the people. You may be wondering, what does that look like in today’s world?

January 7, 2021

10 Benefits of Red Team Engagements

We have all heard that, “practice makes perfect'', right? This may have been motivating during school, or while playing on a sports team, but what about today? By now, you’ve probably figured out that it’s impossible to be perfect, and that is perfectly fine (pun intended). In the information security field, all organizations are bound to experience a breach at some point.