Thursday, October 24 • 3:00pm - 3:50pm
Adversarial Emulation


Today’s Red Team isn’t enough

Why do we care? Because we want to move our defenses and understanding beyond a detection-based approach, which has repeatedly been demonstrated to fail.

Why did I build SCYTHE? What led me here?
- Target Corporation Use Case
- Bounded Attack Space Philosophy - the atoms of an attack (different way to look at ATT&CK)
- Lessons Learned as a CNO expert coming into commercial/industry red teaming

Red Team vs Adversary Emulation - what’s done today vs what should be done

To white box or black box

Threat Intelligence
- Such a disappointment = static identifiers, but no way to machine read for emulation
- Analyst reports! Sigh, you have to read and analyze to pull out capabilities and TTPs
- Neutered malware - awesome! But… risky and takes a decent amount of work to do, plus very prone to signature-based detection response


MITRE ATT&CK - what it can and can’t do for you.
- Common mistakes - rigid adherence, signature-based

Open Source Options:
- CALDERA - APT3 example (although, they didn’t really use CALDERA for this…)
- PowerShell - great. Seen in the wild. But, not hard to defend… so limitations.
- Empire - based on… PowerShell.
- Living off the Land - https://lolbas-project.github.io/

Host Activities
- Destruction: ransomware, wiper
- Escalation
- Persistence
- Credential Theft


Network Activities
- Communication/Traffic
- C2 infrastructure

Lateral Movement
- Combination of host/network
- Mapping

Going Purple
- Combined visibility and reporting
- How do you technically do this - SIEM/Analytics, red team strings/tagging
- Program strategy and direction - shared gap analysis

Speakers
Bryson Bort

SCYTHE
Bryson is the Founder of SCYTHE, a start-up building a next generation attack emulation platform, and GRIMM, a boutique cybersecurity consultancy, and Co-Founder of the ICS Village, a non-profit advancing awareness of industrial control system security. He is a National Security Institute...


Thursday October 24, 2019 3:00pm - 3:50pm
Track 2