Thursday, October 24 • 3:00pm - 3:50pm
Adversarial Emulation


Today’s Red Team isn’t enough

Why do we care? Because we want to move our defenses and understanding beyond a detection-based approach, which has repeatedly been demonstrated to fail.

Why did I build SCYTHE? What led me here?
- Fortune 50 Retailer Use Case
- Bounded Attack Space Philosophy - the atoms of an attack (different way to look at ATT&CK)
- Lessons Learned as a CNO expert coming into commercial/industry red teaming

Red Team vs Adversary Emulation - what’s done today vs what should be done

To white box or black box

Threat Intelligence
- Such a disappointment: static identifiers, but no way to machine-read them for emulation
- Analyst reports! Sigh: you have to read and analyze them to pull out capabilities and TTPs
- Neutered malware - awesome! But… risky, takes a decent amount of work to do, and very prone to signature-based detection response

MITRE ATT&CK - what it can and can’t do for you.
- Common mistakes - rigid adherence, signature-based

Open Source Options:
- CALDERA - APT3 example (although they didn't really use CALDERA for this…)
- PowerShell - great, and seen in the wild. But not hard to defend against… so it has limitations.
- Empire - based on… PowerShell.
- Living off the Land - https://lolbas-project.github.io/

Host Activities
- Destruction: ransomware, wiper
- Escalation
- Persistence
- Credential Theft

Network Activities
- Communication/Traffic
- C2 infrastructure

Lateral Movement
- Combination of host/network
- Mapping

Going Purple
- Combined visibility and reporting
- How do you technically do this - SIEM/Analytics, red team strings/tagging
- Program strategy and direction - shared gap analysis
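A worked illustration of the tagging and shared gap analysis listed above, added here as an example and not code from the talk or from SCYTHE. It assumes the red team embeds a constructed tag string (`RTX-<campaign>-<step>`) in the command lines it runs and logs each step with its ATT&CK technique ID; the SIEM alerts are likewise constructed.

```python
"""Purple-team gap analysis from red-team-tagged activity (added example)."""
import re
from dataclasses import dataclass

# Assumed tag format the red team places in every command it executes.
TAG_RE = re.compile(r"RTX-(?P<campaign>[A-Z0-9]+)-(?P<step>\d{2})")


@dataclass(frozen=True)
class RedStep:
    campaign: str
    step: str
    technique: str  # ATT&CK technique ID recorded by the red team
    description: str


# Constructed red-team activity log: what was emulated, in order.
RED_LOG = [
    RedStep("AP3", "01", "T1059.001", "PowerShell stager"),
    RedStep("AP3", "02", "T1003", "credential theft emulation"),
    RedStep("AP3", "03", "T1021", "lateral movement emulation"),
]

# Constructed SIEM alerts; 'cmdline' is the field where the tag surfaces.
BLUE_ALERTS = [
    {"rule": "Suspicious PowerShell", "cmdline": "powershell.exe -File stage.ps1 RTX-AP3-01"},
    {"rule": "Credential dumping", "cmdline": "emulator.exe cred-theft RTX-AP3-02"},
    {"rule": "Macro spawned shell", "cmdline": "cmd.exe /c whoami"},  # unrelated noise
]


def extract_tags(alerts):
    """Return {(campaign, step): [rule names]} for alerts that carry a red-team tag."""
    seen = {}
    for alert in alerts:
        m = TAG_RE.search(alert.get("cmdline", ""))
        if m:
            seen.setdefault((m["campaign"], m["step"]), []).append(alert["rule"])
    return seen


def gap_analysis(red_log, alerts):
    """Map each emulated technique to the detections that fired, or 'GAP' if none did."""
    detected = extract_tags(alerts)
    return {s.technique: detected.get((s.campaign, s.step), ["GAP"]) for s in red_log}


if __name__ == "__main__":
    for technique, rules in gap_analysis(RED_LOG, BLUE_ALERTS).items():
        print(f"{technique}: {', '.join(rules)}")
```

The resulting table is the shared artifact both teams review: every emulated step is either tied to a named detection or flagged as a gap to close.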


Bryson Bort

Bryson is the Founder of SCYTHE, a start-up building a next generation attack emulation platform, and GRIMM, a cybersecurity consultancy, and Co-Founder of the ICS Village, a non-profit advancing awareness of industrial control system security. He is a Senior Fellow for Cybersecurity...

Thursday October 24, 2019 3:00pm - 3:50pm MDT
Track 2