Presented at
Wild West Hackin' Fest 2019,
Oct. 24, 2019, 3 p.m.
(50 minutes).
Today’s Red Team isn’t enough
Why do we care? Because we want to move our defenses and understanding beyond a detection-based approach which has repeatedly been demonstrated to fail.
Why did I build SCYTHE? What led me here?
- Target Corporation Use Case
- Bounded Attack Space Philosophy - the atoms of an attack (different way to look at ATT&CK)
- Lessons Learned as a CNO expert coming into commercial/industry red teaming
Red Team vs Adversary Emulation - what’s done today vs what should be done
To white box or black box
Threat Intelligence
- Such a disappointment = static identifiers, but no way to machine read for emulation
- Analyst reports! Sigh, you have to read and analyze to pull out capabilities and TTPs
- Neutered malware - awesome! But… risky and takes a decent amount of work to do, plus very prone to signature-based detection response
MITRE ATT&CK - what it can and can’t do for you.
- Common mistakes - rigid adherence, signature-based
Open Source Options:
- CALDERA - APT3 example (although, they didn’t really use CALDERA for this…)
- Powershell - great. Seen in the wild. But, not hard to defend… so limitations.
- Empire - based on… Powershell.
- Living off the Land - https://lolbas-project.github.io/
Host Activities
- Destruction: ransomware, wiper
- Escalation
- Persistence
- Credential Theft
Network Activities
- Communication/Traffic
- C2 infrastructure
Lateral Movement
- Combination of host/network
- Mapping
Going Purple
- Combined visibility and reporting
- How do you technically do this - SIEM/Analytics, red team strings/tagging
- Program strategy and direction - shared gap analysis
Presenters:
-
Bryson Bort
- SCYTHE
Bryson is the Founder of SCYTHE, a start-up building a next generation attack emulation platform, and GRIMM, a boutique cybersecurity consultancy, and Co-Founder of the ICS Village, a non-profit advancing awareness of industrial control system security. He is a National Security Institute Fellow and an Advisor to the Army Cyber Institute. Prior, Bryson led an elite offensive capabilities development group. As a U.S. Army Officer, he served as a Battle Captain and Brigade Engineering Officer in support of Operation Iraqi Freedom before leaving the Army as a Captain.
Bryson received his Bachelor of Science in Computer Science with honors from the United States Military Academy at West Point. He holds a Master’s Degree in Telecommunications Management from the University of Maryland, a Master’s in Business Administration from the University of Florida, and completed graduate studies in Electrical Engineering and Computer Science at the University of Texas.
[@brysonbort](https://twitter.com/brysonbort)
[@scythe\_io](https://twitter.com/scythe_io)
Links:
Similar Presentations: