UnICORN Library

SCYTHE aims to educate and engage in order to inspire the art of the possible in cybersecurity. Adversarial threats, risk management, and security innovation don’t pause when working from home. We have curated a collection of presentations, research, and conversations from our team. Come enjoy our library and stay tuned for the new unicorn content that will be added regularly.

Article

New!

October 25, 2021

SCYTHE Partner Spotlight: CIPHER

SCYTHE CTO Jorge Orchilles, sat down with Ricardo Encinosa, VP of Managed Security Services U.S. at CIPHER, to discuss their partnership experience with SCYTHE. Jorge and Ricardo discussed the different ways that CIPHER has used SCYTHE to test their controls and answer some of their top questions.

VIEW

Blog Post

New!

October 21, 2021

Blue Team Training, Assumed Breach, and Shifting Security Left

The movement to “shift security left” focuses on mitigating risk as early as possible within the development cycle by engaging in open source code reviews and monitoring for reachable vulnerabilities. However, as part of this shift left movement, organizations are also changing their approach to post-implementation security monitoring. By taking an assumed breach approach to security, organizations shift security from reactive to proactive.

VIEW

#ThreatThursday

New!

October 21, 2021

Threat Thursday - NetWire RAT

Christopher Peacock, the newest Unicorn to join the herd as an Adversary Emulation - Detection Engineer shares his first #ThreatThursday, covering the recent NetWire RAT report from BlackBerry’s ThreatVector Blog. It focuses on the emulation and detection opportunities of the threat in order to help organizations measure and defend against the threat’s behaviors.

VIEW

Announcement

New!

September 21, 2021

SCYTHE is thrilled to announce that we have been chosen as a 2021 Timmy Awards Best Tech Startup Finalist!

SCYTHE is thrilled to announce that we have been chosen as a 2021 Timmy Awards Best Tech Startup Finalist! Thank you to everyone who voted and made this possible. SCYTHE is continuously honored and grateful for the recognition that has been granted to us.

VIEW

Announcement

New!

September 10, 2021

SCYTHE was recently selected as one of SINET’s companies to watch for 2021

SCYTHE was recently selected as one of SINET’s companies to watch for 2021, along with Corsha and DEEPFACTOR. SINET recognizes companies to watch by the value they bring in the beginning stage as a startup company. SCYTHE is continuously honored and grateful for the recognition that has been granted to us.

VIEW

#ThreatThursday

New!

September 9, 2021

ThreatThursday - Phobos Ransomware

As usual, we will consume Cyber Threat Intelligence and map it to MITRE ATT&CK. We will create an adversary emulation plan, share it on our Community Threats Github, and we will show how to Attack, Detect, and Respond to Phobos attacks.

VIEW

Blog Post

New!

September 7, 2021

T1030- Testing Data Transfer Limit Sizes

Ransomware is not the only threat. Data exfiltration can occur in many scenarios. SCYTHE can be used to test detection of data exfiltration by testing the transfer limits of data. Enjoy our latest blog by Elaine Harrison-Neukirch.

VIEW

Announcement

New!

September 7, 2021

SCYTHE named one of 101 Leading Virginia Risk Management Firms and Startups – The Future of Risk Management

SCYTHE is honored to be named one of the 101 Leading Virginia Risk Management Firms and Startups by Daily Finance.

VIEW

#ThreatThursday

New!

September 2, 2021

Threat Thursday - Hive Ransomware

The FBI released a Flash Alert on August 25, 2021 warning organizations about the Hive ransomware that has affected at least 28 organizations including Memorial Health. As usual for #ThreatThursday, we will consume the Cyber Threat Intelligence and map it to MITRE ATT&CK, we create and share an adversary emulation plan on the SCYTHE GitHub, and discuss ways to prevent, detect, and respond to this threat.

VIEW

Blog Post

New!

August 31, 2021

SCYTHE’s Virtual File System

If you follow SCYTHE’s Threat Thursday posts and utilize SCYTHE’s Community Threats Github Repository, you are probably familiar with the VFS (Virtual File System) folders used with some of the Community Threats.

VIEW

Blog Post

New!

August 26, 2021

A New Paradigm for Recovery: Shifting Your Mindset

Over the last two years, it's been pretty clear that ransomware is a pervasive problem, one that fundamentally challenges an organization’s ability to recover. A technology gap still exists when looking at how to address the onslaught of ransomware.

VIEW

Blog Post

New!

August 20, 2021

SCYTHE Domain Fronting through Azure CDN

Domain Fronting is a MITRE ATT&CK technique (T1090.004) where the attacker takes advantage of the routing mechanism of Content Delivery Networks (CDNs) to bypass egress (outbound) controls and establish Command and Control (C2). Proxying C2 traffic through various hosts/domains is an ideal technique to not expose your SCYTHE (or any C2) server to the target organization directly.

VIEW

Blog Post

New!

August 16, 2021

Malware Risks in Open Source Code

Over the last year, threat actors have focused increasingly on attacking critical supply chain members. Malicious actors seeking to disrupt digital or physical supply chains manage to find organizations that sit at the epicenter of an industry.

VIEW

CISO Stressed

New!

August 10, 2021

CISO Stressed Episode 9: Aldan Berrie

On this episode of CISO STRESSED, Host Liz Wharton is joined by Aldan Berrie. Berrie is the founder and Director of Technology Solutions with years of experience in the security industry.

VIEW

Blog Post

New!

August 6, 2021

The Real Costs of Ransomware: Hidden Costs

As threat actors continue to target organizations, the direct costs of a ransomware attack are often easy to calculate. For the most part, news outlets will report the ransom requested and the amount paid. However, organizations that get hit with a ransomware attack know that the reported amounts are only a small portion of the total costs.

VIEW

Blog Post

New!

July 29, 2021

Threat Intelligence Sharing: Democratizing Risk Information

Deadlines are closing in on private and public sector entities following the Executive Order on Improving the Nation’s Cybersecurity. Prior to the release of this executive order, organizations will be able to share threat intelligence with the FBI, CISA, and other intelligence community members. The timelines and expectations of the EO are provided.

VIEW

CISO Stressed

New!

July 27, 2021

CISO Stressed Episode 8: Robert “RSnake” Hansen

On this episode of CISO STRESSED, SCYTHE Chief of Staff and Host Elizabeth Wharton is joined by Robert Hansen. Hansen is the Chief Technology Officer at Bit Discovery and a floating CISO for multiple companies.

VIEW

Blog Post

New!

July 26, 2021

Adaptive Adversary Emulation (Part 1): Execution Details

Back in 2019 at the inaugural SANS Purple Team Summit I gave a talk titled “Adaptive Adversary Emulation with MITRE ATT&CK®”. In the talk I go over how small changes to adversary emulation plans can provide significant results and allow a deliberate approach to generating iterative tests.

VIEW

Blog Post

New!

July 22, 2021

You can’t detect 0-day exploits but… you can detect what happens next

A zero day (or 0-day) is a vulnerability that is not known by the software vendor nor the end users. They are a great way to gain initial access into an organization without being detected. Zero days are rarely used in widespread attacks as they are a high cost to the attacker (identifying a vulnerability that has a high chance of successful exploitation).

VIEW

Blog Post

New!

July 22, 2021

Malicious Uses of Blockchains

SCYTHE’s engineering team shares their most recent article on the malicious uses of Blockchains. Here’s why this is important: Bitcoin and other cryptocurrencies are versatile tools for cybercrime since they can be used as infrastructure for botnets and as an equivalent of gold bullion in cybercrime and cyberwar.

VIEW

Blog Post

New!

July 21, 2021

Gravwell Integration with SCYTHE

Enterprise-grade platforms have to integrate with other enterprise solutions in order to be effective and efficient for the end user. SCYTHE focuses on providing business value through adversary emulation and showing whether security tools and controls are properly implemented and tuned to detect malicious behavior.

VIEW

Blog Post

New!

July 19, 2021

Beachhead Access in Industrial Control Systems

Attackers will continue to attack industrial control systems (ICS) because they can get the biggest “bang for their buck.” They want to disrupt critical infrastructure either for financial gain or to cause social chaos. Threat modeling gives organizations a way to reduce cybersecurity risk without leading to costly system outages.

VIEW

Blog Post

New!

July 15, 2021

SCYTHE provides new insights on Vulnerability Assessments in TAG Cybers New Report

SCYTHE has been selected by TAG Cyber on behalf of our leadership in the cybersecurity industry and our management of information as a technology solution provider to participate in the creation of its newest report. This report contains vital information regarding vulnerability and identity management, data breaches, and more

VIEW

Blog Post

New!

July 15, 2021

Exfiltration Over Alternative Protocol

Blue Teamers, have you been looking for an automated method of discovery for ports that are allowed in outbound, North/ South (egress) traffic within your network? Your search is over! SCYTHE’s Marketplace offers a free module, Let Me Out (LMO), a SCYTHE port of mubix’s Let Me Out project. This module tests egress traffic for specific ports.

VIEW

Video

New!

July 13, 2021

Attack, Detect, and Respond a UniChat with Ed Amoroso and Bryson Bort

This UniChat was something special. SCYTHE Founder and CEO, Bryson Bort sat down to discuss Attack, Detect, and Respond with ADR collaborator and friend, Ed Amoroso. Ed is the CEO of TAG Cyber, a cyber expert, and a long-time friend. Bort and Amoroso opened the UniChat by sharing the story of ADR and how it originated. Attack, Detect, and Respond was born out of a need for companies to prioritize aligning risk assessments with business.

VIEW

CISO Stressed

New!

July 13, 2021

CISO Stressed Episode 7: Matthew Dunlop CISO at Under Armour

On this episode of CISO STRESSED, Elizabeth Wharton is joined by Matthew Dunlop. Matt is an Army Veteran, and VP CISO at Under Armour responsible for global security across all corporate, retail and eCommerce functions, as well as its connected fitness application MapMyFitness.

VIEW

#ThreatThursday

New!

July 8, 2021

Threat Thursday - Exfiltration Over Web Service: Exfiltration to Cloud Storage

This #ThreatThursday is all about leveraging cloud storage to exfiltrate data. We also cover a tool that leaves credentials unsecured on the file system. In particular, we are going to look at how threat actors leverage cloud services like MEGA and use open source tools like rclone to exfiltrate data.

VIEW

CISO Stressed

New!

June 28, 2021

CISO STRESSED Episode 6 with Ed Rojas, Director of Tactical Edge.

On this episode of CISO STRESSED, SCYTHE Chief of Staff Elizabeth Wharton is joined by Ed Rojas, Director of Tactical Edge. Tactical Edge is an organization focused on creating large-scale events within Latin America for Cybersecurity and AI.

VIEW

#ThreatThursday

New!

June 24, 2021

Threat Thursday Top Ransomware TTPs

At SCYTHE we are constantly collaborating with industry experts and organizations. Recently, someone reached out as they are building out a ransomware readiness assessment. “We are looking for a consolidated mapping of major ransomware actors on the ATT&CK framework, like SCYTHE does for individual actors on #ThreatThursday.

VIEW

#ThreatThursday

New!

June 17, 2021

Threat Thursday - Evading Defenses with ISO files like NOBELIUM

Microsoft released a blog post late on Thursday May 27, 2021 about a new sophisticated email-based attack from NOBELIUM, the SolarWinds threat actor, where they compromised Constant Contact to send malicious emails with a weaponized ISO file.For this post, we look at the recent attack from NOBELIUM and show how to emulate these techniques with SCYTHE. We also committed an atomic test to the Atomic Red Team project.

VIEW

Blog Post

New!

June 17, 2021

TSA Pipeline Security Guidelines and ADR

In April 2021, the Transportation Security Administration (TSA) updated its TSA Pipeline Security Guidelines. The Colonial Pipeline ransomware attack means more attention will be paid to the cybersecurity posture of the oil and natural gas (ONG) industry. Understanding the changes to the TSA Pipeline Security Guidelines shows how Attack, Detect, and Response (ADR) can enhance security.

VIEW

Blog Post

New!

June 9, 2021

The Real Costs of Ransomware: Direct Costs

Ransomware is a growing problem for organizations of all sizes and it is becoming a national security threat. As threat actors continue to look for new ways to hold companies and data hostage, security teams can feel like they’re always one step behind.

VIEW

Announcement

New!

June 8, 2021

SCYTHE is proud to be recognized on the CyberTech100 for 2021

SCYTHE is honored and inspired to be listed among the many exceptional companies named on the CyberTech100 List for 2021. Our hats go off to each company that rose to the challenge of combating one of the most active years in cyber-attacks during 2021, and we look forward to continuing to rise to the occasion, as we face challenges in the years to come.

VIEW

CISO Stressed

New!

June 8, 2021

CISO Stressed Episode 5: Nick Andersen

On this episode of CISO STRESSED, Elizabeth Wharton SCYTHE Chief of Staff is joined by Nick Andersen, CISO for Public Sector at Lumen Technologies and Nonresident Senior Fellow with the Cyber Statecraft Initiative at the Atlantic Council.

VIEW

Blog Post

New!

June 7, 2021

SCYTHE & ATT&CK Navigator

How are Blue Teams utilizing SCYTHE? One way the Blue Team can use SCYTHE is by reviewing its reporting. SCYTHE’s reports can be used by the Blue Team in determining how gaps in security controls can be mitigated. In this post, we will be discussing the MITRE ATT&CK Navigator and NIST 800 Navigator Summary reports.

VIEW

Announcement

New!

June 4, 2021

SCYTHE and PlexTrac Integration

VIEW

Blog Post

New!

June 3, 2021

An In-memory Embedding of CPython with SCYTHE

In this blog we discuss a project we are open sourcing: An In-memory Embedding of CPython. We provide a brief overview of this research and also share our results with the community. A paper [1] on this research was accepted in the USENIX Workshop on Offensive Technologies (WOOT 2021), which was co-located with IEEE Security and Privacy Workshops this year.

VIEW

#ThreatThursday

New!

May 27, 2021

Threat Thursday - Conti Ransomware

For this #ThreatThursday we are looking at one of the most common ransomware threat actors, Conti. We are leveraging Cyber Threat Intelligence from a new partner, TrukNo, that provides adversary behavior all the way down to the procedure level, facilitating the creation of adversary emulation plans so that you can test against these behaviors in your production environment more efficiently.

VIEW

Blog Post

New!

May 24, 2021

Introducing the Purple Team Maturity Model

Today we are proposing a preliminary answer to that question, which initially started out as Advanced Purple Teaming and evolved into something even larger in scope (sidenote: Advanced Purple Teaming is coming). Our answer is what we are calling the Purple Maturity Model.

VIEW

Announcement

New!

May 21, 2021

We joined 18 other companies to call for a prioritization of Critical Infrastructure security in the American Jobs Plan.

What a time to be alive. A group letter has been created and sent, asking Congress and the Biden Administration to prioritize cybersecurity in infrastructure legislation SCYTHE would like to thank each of the 19 companies that signed the letter for taking the initiative to strengthen the US infrastructure.

VIEW

Blog Post

New!

May 14, 2021

Why assume breach?

Are you wondering why you and your organization should assume breach? SCYTHE’s Adversary Emulation Lead Tim Schulz answers this frequently asked question, and covers scenarios in which using an assumed breach model can help focus on strengthening detection capabilities.

VIEW

Blog Post

New!

May 11, 2021

The Difference Between Cybersecurity Simulation vs Cybersecurity Emulation

Knowing the different between cybersecurity simulation and cybersecurity emulation helps enhance information security posture by validating teams and tools.

VIEW

CISO Stressed

New!

May 10, 2021

CISO Stressed Episode 4: SCYTHE Chief of Staff Elizabeth Wharton interviews Dr. Pablo Breuer.

On this episode of CISO STRESSED, SCYTHE Chief of Staff Elizabeth Wharton interviews Pablo Breuer, CISO of Security BSides Las Vegas.

VIEW

Blog Post

New!

May 10, 2021

Backdoors and Breaches Expansion Deck

You have heard us say this many times, security is about people, process, and technology. SCYTHE allows you to test, measure, and improve all three. One way that we facilitate training people about what an attack looks like is to display the adversary emulation plan, step by step, prior to execution.

VIEW

#ThreatThursday

New!

May 10, 2021

#ThreatThursday - DarkSide Ransomware

In this blog we consume Cyber Threat Intelligence to understand how the DarkSide ransomware behaves, we create and share an adversary emulation plan so you can quickly test, measure, and improve your people, process, and technology for similar attacks, and we discuss how to detect and respond to DarkSide ransomware.

VIEW

Blog Post

New!

April 30, 2021

Loading Capabilities from Memory: Open Sourcing SCYTHE's Windows C In-memory Module Loader

There are three well-known mechanisms a program can choose to use other software [3]: static linking, dynamic linking, and dynamic loading. In Windows, dynamic linking and dynamic loading are handled by the Windows loader, and are done at load time and runtime, respectively.

VIEW

#ThreatThursday

New!

April 29, 2021

Florida Water Plant Breach

TeamViewer was at the forefront of an attack on a Florida water facility in February 2021. A malicious actor logged into the water treatment facility’s computer system through the remote desktop software and tried to increase the amount of sodium hydroxide to a dangerous level.

VIEW

New!

April 19, 2021

SCYTHE Named 2021 TAG Cyber Distinguished Vendor

SCYTHE is proud to be an industry leader in breach and attack prevention, and would like to announce our designation as a Distinguished Vendor in this year’s Second Quarter 2021 TAG Cyber Security Quarterly.

VIEW

Blog Post

New!

April 19, 2021

Vulnerability Management is Hard! Using CVSS and other scoring to prioritize patching

Vulnerability prioritization focuses on the real, urgent vulnerabilities that need to be patched at a much faster timeline than the "business as usual". This post covers various methods to determine which of those vulnerabilities fall into this category of "patch now":

VIEW

New!

April 15, 2021

UniCon21 Recap

It was a day packed with amazing presentations as we celebrated National Unicorn Day. UniCon21 is a free virtual conference for the security researcher and defender community. Check out all the UniCon21 videos.

VIEW

Blog Post

New!

April 15, 2021

Using SCYTHE payload as Shellcode

Guest blog post by one of our partners, Jean-Maes from NVISO. During Unicon21, I (Jean-Maes) presented how I leverage the D/Invoke project from TheWover to load a SCYTHE campaign using the SCYTHE DLL that is automatically created for each campaign.

VIEW

Blog Post

New!

April 7, 2021

Adversary Emulation Metrics Time to Detect

Offensive security professionals and program coordinators have a learning curve as they mature through the different ethical hacking assessment types. In Vulnerability Assessment/Management and Penetration Testing, we use Common Vulnerabilities and Exposures (CVE IDs) and the Common Vulnerability Scoring System (CVSS) to report a finding using two criteria:

VIEW

Blog Post

New!

April 2, 2021

Setting up SCYTHE-VECTR integration

Many SCYTHE customers like to track their red and purple team exercises in a free reporting tool called VECTR. VECTR is maintained by Security Risk Advisors and we have been working with them on integrations for over a year. Naturally, we help our customers set up VECTR so that they can import SCYTHE campaigns more easily. This is a quick start guide that should help you set up VECTR with SCYTHE integration.

VIEW

#ThreatThursday

New!

March 25, 2021

Threat Thursday - Lazarus

The Lazarus Group (aka HIDDEN COBRA/Guardians of Peace/ZINC/NICKEL ACADEMY)! Lazarus was an extremely active adversary in 2020 and has continued to build capability over the past decade. They are responsible for many high profile hacks seen over the years, such as the Sony hack in 2014. Lazarus Group has been attributed as a North Korean state sponsored hacking group by the FBI.

VIEW

Blog Post

New!

March 2, 2021

Defense Evasion with SCYTHE

“Do you have any tips and tricks to avoiding Anti Virus (AV) and Endpoint Detection and Response (EDR) for initial execution so we can focus on testing the post access adversary behaviors with SCYTHE?” We get this question all the time and figured we should share the answer(s) here in our library. While we will focus on doing this with SCYTHE, you can apply these practices to other tools as well.

VIEW

#ThreatThursday

New!

February 25, 2021

#ThreatThursday - menuPass with special guest Shane Patterson

For this #ThreatThursday is menuPass! Tim Schulz caught up with Shane Patterson to discuss MITRE Engenuity's plan release, challenges in creating emulation plans, and what makes this threat unique!

VIEW

#ThreatThursday

New!

February 25, 2021

#ThreatThursday - menuPass

For this Threat Thursday we are going to look at menuPass (aka APT10/Stone Panda/Red Apollo/CVNX/Potassium/Cloud Hopper), a cyber threat actor responsible for global intellectual property theft that is thought to be affiliated with, or working at the behest of, the Chinese Ministry of State Security.

VIEW

Blog Post

New!

February 18, 2021

How to Defend Against Ransomware

At the RSA Conference in 2020, I gave a joint talk with Chris Krebs, CISA Director at the time, on the formal collaboration between the agency and the non-profit, ICS Village. One of our biggest concerns for the future was ransomware. And unfortunately, we were right.

VIEW

Announcement

New!

February 18, 2021

SCYTHE v3.2 is Available!

We are excited to announce the release of SCYTHE version 3.2! This release brings a number of new features, many of which were specifically created out of feedback from our amazing customers!

VIEW

Blog Post

New!

February 17, 2021

The continuing pain of PowerShell

Microsoft’s PowerShell has long been used by system administrators, and in 2013 when Dave Kennedy and Josh Kelley gave the infamous talk: “PowerShell...omfg”, it was brought to the attention of many security professionals.

VIEW

Blog Post

New!

February 10, 2021

Our Founder and CEO Bryson Bort breaks down the Florida water treatment facility attack.

The attack on the water treatment facility located in Oldsmar, Florida, disclosed last week highlights security shortages in the water utility sector and the rest of the U.S. critical infrastructure sector.

VIEW

Blog Post

New!

February 4, 2021

Introduction to Adversary Emulation

What is adversary emulation? Adversary emulation leverages adversary tactics, techniques, and procedures, enhanced by cyber threat intelligence, to create a security test based on real world intrusion campaigns.

VIEW

Blog Post

New!

January 28, 2021

Red Team Non-Attributable Infrastructure and the Executive Order

The January 19, 2021 Executive Order on Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities (mouthful) naturally started various debates and discussions around how this affects Red Team Non-Attributable Infrastructure.

VIEW

Blog Post

New!

January 20, 2021

Parsing an Executive Order: Streaming on Your TV Soon

The Executive Order’s proposed know your customer-style and information sharing regulations are more geared towards addressing intellectual property piracy than thwarting a SolarWinds style attack.

VIEW

Blog Post

New!

January 19, 2021

Why you should embrace Purple Team today

We are not introducing a new job role where you have to hire more people or have to spend more money. See, a purple team is a virtual, functional team that fosters collaboration and efficiency in testing, measuring, and improving your current cyber security people, process, and technology (security controls).

VIEW

#ThreatThursday

New!

January 14, 2021

#ThreatThursday - Egregor Ransomware with Sean Gallagher

Jorge Orchilles sits down with Sean Gallagher, a Senior Threat researcher at Sophos Labs. Sean walks us through understanding how this ransomware operates, creating an adversary emulation plan, and the best defense against a similar attack.

VIEW

#ThreatThursday

New!

January 14, 2021

#ThreatThursday - Egregor Ransomware

This week we will take a look at Egregor ransomware that has breached, exfiltrated data, and brought down multiple networks since September 2020. Stealing data before deploying ransomware has been a common modus operandi of the Egregor group.

VIEW

CISO Stressed

New!

January 8, 2021

Leveraging Resources When Chock Full of Challenges.

Elizabeth Wharton interviews Guest Mitch Parker, Exec. Dir./CISO at Indiana University Health. Healthcare security is present on all of our minds these days. The security and medical communities are working together towards the same goal: protecting the people. You may be wondering, what does that look like in today’s world?

VIEW

New!

January 7, 2021

10 Benefits of Red Team Engagements

We have all heard that, “practice makes perfect'', right? This may have been motivating during school, or while playing on a sports team, but what about today? By now, you’ve probably figured out that it’s impossible to be perfect, and that is perfectly fine (pun intended). In the information security field, all organizations are bound to experience a breach at some point.

VIEW

Blog Post

New!

December 30, 2020

Red Team and Threat-Led Penetration Testing Frameworks

We are presenting a curated list of all Red Team Frameworks in a central, easy to find location. Leveraging frameworks and methodologies for offensive security assessments is a best practice to show your customers and clients you have a repeatable, professional offering.

VIEW

Announcement

New!

December 22, 2020

SCYTHE Welcomes Megan Samford to Advisory Council

As SCYTHE looks boldly ahead into the new year, the Unicorns welcome the expertise of Megan Samford to the Advisory Council. Her accomplished security background, Master’s degree in Public Administration, and strong presence on numerous security boards are some of her many accomplishments in our community.

VIEW

Article

New!

December 16, 2020

No Rest for the Weary: Breaches are Inevitable

In the past week, we learned that both FireEye and SolarWinds were breached. These two breaches are significant because of the companies targeted and the service/products they sell to the industry. Both of these large companies being breached prove once again that anyone can be hacked.

VIEW

#ThreatThursday

New!

December 10, 2020

#ThreatThursday - FIN6 Phase 2

FIN6 is a cyber crime group that specializes in stealing payment card data and sells it in underground marketplaces. This group, also known as Skeleton Spider and ITG08, has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors since at least 2017.

VIEW

Article

New!

December 3, 2020

Attack Infrastructure: Red Teams vs. Malicious Actors

Setting up Attack Infrastructure is an important task performed by Red Teamers and malicious adversaries alike. This week, we chat with Joe Slowik, Senior Security Researcher at Domain Tools, about the differences between Red Team and malicious adversary set ups.

VIEW

#ThreatThursday

New!

November 20, 2020

#ThreatThursday - Berserk Bear

As usual for #ThreatThursday, we will understand Berserk Bear’s behavior, map to MITRE ATT&CK and share the ATT&CK Navigator JSON, create and share an adversary emulation plan in the largest, public adversary behavior repository, and discuss how to defend against this energy sector adversary.

VIEW

CISO Stressed

New!

November 10, 2020

Episode 3: Leveraging Resources When Chock Full of Challenges with Guest Mitch Parker

Healthcare is chock full of adventure - rising number patients, increase in malware attacks, and a shift towards remote work. On this episode of CISO STRESSED Liz sits down with Mitch Parker, Exec. Dir./CISO at Indiana University Health and talks about leveraging and maximizing resources and building trust to solve security challenges facing healthcare systems.

VIEW

#ThreatThursday

New!

November 5, 2020

#ThreatThursday - Ryuk

This week, we take a deeper dive into emulating and defending against the ransomware behind a recent spike in healthcare sector attacks - Ryuk Ransomware. Researchers estimate that Ryuk has been behind a third of the ransomware attacks detected in 2020, including the latest surge in hospital and healthcare IT system attacks.

VIEW

Blog Post

New!

October 28, 2020

Active Directory Attacks with Kerberoasting

Kerberoasting is now available in the SCYTHE Marketplace. In this post, Tim Medin explains how Kerberoasting works during Unicon and also releases a Kerberoast module in the SCYTHE Marketplace to enable SCYTHE operators to seamlessly Kerberoast from within SCYTHE.

VIEW

CISO Stressed

New!

October 27, 2020

CISO Stressed Episode 2: Digital Empathy in the Customer Experience (Guest Shawn M Bowen)

Building security in the customer experience, not “compliance helmets” - Shawn Bowen, CISO with Restaurant Brands International, joins CISO Stressed Host Liz Wharton to discuss the value of experience-based learning, digital empathy, and the customer experience.

VIEW

#ThreatThursday

New!

October 22, 2020

#ThreatThursday - FIN6

Welcome to another week of #ThreatThursday! This week’s Threat Thursday is going to be slightly different from the standard as we discuss the FIN6 Adversary Emulation plan released by MITRE Engenuity’s Center for Threat-Informed Defense. We will focus on the importance of machine-readable Cyber Threat Intelligence at the adversary behavior and TTP level, sharing adversary emulation plans, and YAML-to-JSON conversion

VIEW

Blog Post

New!

October 16, 2020

SCYTHE Updates: Purple Team Programming

Meeting today's security challenges requires the Red Team and the Blue Team working together simultaneously - creating a Purple Team. Our CTO, Jorge Orchilles, has been leading the charge developing the standard for Purple Team program materials and trainings. Read more to engage, implement, and experience purple.

VIEW

#ThreatThursday

New!

October 15, 2020

#ThreatThursday - APT41

Welcome to another week of #ThreatThursday. This week we leverage an adversary emulation plan created and shared to the community by a third party: APT41 Emulation Plan. As usual, we will cover Cyber Threat Intelligence, create a threat actor profile, create an adversary emulation plan from the work done by Huy, share the plan in our Github, explain some of the new TTPs we will leverage, and discuss how to defend against APT41.

VIEW

CISO Stressed

New!

October 13, 2020

CISO Stressed Episode 1: Wendy Nather & Tyrone Wilson

Conversations stimulate ideas, solutions, and help us feel connected. In our inaugural episode of CISO Stressed guests Wendy Nather and Tyrone Wilson join Liz to discuss how to adjust to shifting work environments while still providing team members with hands-on training experiences, keeping motivated, and favorite ways to cap off the day.

VIEW

Blog Post

New!

October 9, 2020

FAQs - Getting Started in Ethical Hacking

How do I get started in ethical hacking, penetration testing, or red team? I get this question all the time from people with all sorts of goals. Whether you are getting into vulnerability management, wanting to find 0day vulnerabilities, to red teaming, to emulating adversaries against your organization to test, measure, and improve people, process, and technology, this FAQ is for you.

VIEW

#ThreatThursday

New!

October 8, 2020

#ThreatThursday - SlothfulMedia

On October 1, 2020, US-Cert published a Malware Analysis Report (MAR) in relation to a new malware they have seen in the wild called SlothfulMedia. The report suggests this is a “sophisticated cyber actor” but as you will see, it seems like a very typical Remote Access Trojan. As usual, we will review the Cyber Threat Intelligence, create an adversary emulation plan, demonstrate the emulation, and discuss how to defend against this threat.

VIEW

Blog Post

New!

October 2, 2020

Defend Our Healthcare

Hackers are targeting hospitals with increasingly sophisticated ransomware attacks putting patients at risk. Keeping up with what occurs in information security is a daily task for most practitioners. We have seen how ransomware has gone from an opportunistic, unsophisticated attack against end users to more sophisticated, targeted attacks against organizations.

VIEW

#ThreatThursday

New!

October 1, 2020

#ThreatThursday - MAZE

Welcome to another edition of #ThreatThursday. This week we are excited to kick off Cybersecurity Awareness Month looking at MAZE, a ransomware threat which emerged around May 2019, predominantly affecting organizations in the USA. MAZE, like other ransomware, also has an extortion component, where exfiltration of the original data also occurs in addition to the encryption/ransom component.

VIEW

#ThreatThursday

New!

September 17, 2020

#ThreatThursday - HoneyBee

Welcome to another edition of #ThreatThursday. This week we look at Honeybee, a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. This post coincides with a talk I gave at EkoParty on Adversary Emulation.

VIEW

#ThreatThursday

New!

September 10, 2020

#ThreatThursday - PowerShell

This week we will look at a MITRE sub-technique that deserves a #ThreatThursday of its own, PowerShell. As an interactive command-line interface and scripting environment included in all supported versions of the Windows operating system, many threat actors have some history of leveraging PowerShell. This sub-technique is an example of a TTP you cannot prevent in your environment; Microsoft includes PowerShell as part of the underlying operating system and it is virtually impossible to remove.

VIEW

#ThreatThursday

New!

September 3, 2020

#ThreatThursday - SpeakUp

This #ThreatThursday we are releasing our first macOS threat to the SCYTHE Community Threats GitHub. As more and more customers migrate to Apple products, we want to provide adversary emulation plans that work against macOS as well. SCYTHE has the ability to create campaigns for Windows, Linux, and macOS. This post will look at emulating a macOS threat known as SpeakUp.

VIEW

#ThreatThursday

New!

August 27, 2020

#ThreatThursday - Custom Threats

At SCYTHE, we spend a lot of time focusing on adversary emulation as it is an ideal method to maturing your red team engagements and purple team exercises for providing the most business value (see our Ethical Hacking Maturity Model). For this post, we want to cover custom threats. What if a new technique is not seen in the wild?

VIEW

Blog Post

New!

August 25, 2020

UniCon CTF - Know Your Payload

On August 20, 2020 we ran our first SCYTHE User Conference, UniCon, our very own unicorn conference. It was a day packed with amazing speakers, lightning talks, briefings, the release of the Marketplace, and a brand new Capture the Flag called “Know Your Payload”. This post will focus on the CTF which was created in collaboration between SCYTHE, the C2 Matrix, SANS, and CounterHack. The scoreboard was hosted by Netwars.

VIEW

Presentation

New!

August 10, 2020

Purple Team Exercise Framework (PTEF) Workshop

SCYTHE's Purple Team Exercise Workshop, introducing the newly released Purple Team Exercise FrameworK (PTEF), is now live and available in our library. Purple Team exercises provide an efficient and effective “hands-on-keyboard” adversary emulation method for Red and Blue Team collaboration.

VIEW

#ThreatThursday

New!

August 6, 2020

#ThreatThursday - Evil Corp

This blog post will dive deeper into the Garmin attack, extract TTPs from Cyber Threat Intelligence, create a MITRE ATT&CK Navigator Layer and adversary emulation plan, emulate the attack with Cobalt Strike (like Evil Corp used) and then drop a synthetic WastedLocker built with SCYTHE, and discuss how to defend against ransomware attacks with Olaf Hartong.

VIEW

Blog Post

New!

August 6, 2020

SCYTHE version 3.1 with MITRE ATT&CK Sub-Techniques

SCYTHE 3.1 is here and will be debuted at DEF CON Red Team Village on 8 AUG! With MITRE ATT&CK sub-techniques going live shortly after our major release of v3.0, we wanted to ensure that you are aligning to the latest and greatest framework in the cybersecurity industry across all of your SCYTHE Campaigns and Reports!

VIEW

Blog Post

New!

August 5, 2020

VECTR Integration

We are proud to announce that SCYTHE campaigns can be imported into VECTR! VECTR is a free platform for planning and tracking your Red Team engagements and Purple Team Exercises by aligning to Blue Team detection and prevention capabilities across different attack scenarios. Many SCYTHE customers leverage VECTR to show the value of the overall Red and Purple Team programs and will now be able to import entire SCYTHE campaigns with just a few clicks. First, make sure to upgrade VECTR to the latest version.

VIEW

Blog Post

New!

August 4, 2020

Virtual Hacker Summer Camp 2020

It's that time of the year again, Hacker Summer Camp! The SCYTHE team has a busy week scheduled as we love to give back to the community. We are giving talks, panels, workshops, releasing tools, and even have two Choose Your Own Adventure games for Red and Blue Teams. Here’s a quick guide to where you can find us virtually over the next few days during Black Hat USA and Def Con Safe Mode.

VIEW

Blog Post

New!

July 31, 2020

Porting Tools to SCYTHE: An SDK Proof of Concept

With the release of the SCYTHE Software Development Kit (SDK), we released two new and important components to help make the development of SCYTHE modules frictionless for third party developers: the Module Buster application and the Python3 runtime. We feel that one of the best ways for us to demonstrate how easy it is to create a new SCYTHE module is to demonstrate how we ported an open source tool, written in Python, to SCYTHE.

VIEW

#ThreatThursday

New!

July 30, 2020

#ThreatThursday - Emotet

On Friday, July 17, many of us woke up to a bunch of new phishing emails. What happened over night? Well, like Sherrod DeGrippo from ProofPoint wrote, emotet returns after a 5 month hiatus. Emotet is a banking trojan that gains access to end user machines and steals their financial information such as login information and personal identifiable information (PII). This week, we met with Sherrod and discussed Emotet. As usual, we create an adversary emulation plan based on Cyber Threat Intelligence and then emulate it with SCYTHE.

VIEW

Blog Post

New!

July 29, 2020

SCYTHE’s Ethical Hacking Maturity Model

SCYTHE’s Ethical Hacking Maturity Model enables leading organizations to assess and strengthen their security posture through ethical hacking. There are a number of assessment types an ethical hacker can perform against an organization and this document goes through the process. Enterprises can use SCYTHE’s Ethical Hacking Maturity Model to evolve to the more advanced assessments and operationalize Adversary Emulations via Red Team Engagements and Purple Team Exercises.

VIEW

let our tech speak for itself

Know where you stand with SCYTHE. Talk to us to start the evaluation process today! We’d love to talk to you about how SCYTHE can fit into your cybersecurity workflow.

LEARN MORE