When I started GRIMM, I had a vision to tackle the greatest cybersecurity challenges that face our clients, industry and the greater business and government communities. Two and a half years ago, one of those challenges was brought to the company because of our reputation. A Fortune 50 company had been breached and suffered significant damages. As a result, the IT Security team was given a significantly increased budget which they used to hire incredible talent and have their choice of any assessment/penetration testing software available. Which they did. Extensively. They found they eventually exhausted what these tools could accomplish since they were built to do what they did well, but not for scale or extensibility.
So, they called us. The initial requirement was to build another one of these tools, effectively a custom implant with C2 that would be new and thus evade signature. Recognizing they had done thorough product market research (and internal testing through use and experience) for a make-buy decision, I realized this was a product idea the market needed. Instead of building another implant that would need to be continually re-factored, we would build a platform from the ground up to infinitely spin up dynamically configured campaigns on demand. From there, we’ve worked together with them in their production environment iteratively deploying and improving the platform.
Has compliance also driven the need for automated breach simulation?
From regulatory and compliance requirements to a genuine interest in understanding, there are a variety of customer interests in this space. Currently, compliance is met with a manual consulting audit or a one-off penetration test. The value is limited to checking the box versus understanding let alone improving security. What if you could have your cake and eat it too? With an automated platform, an organization could meet its regulatory requirements and gain meaningful insights into the organization.
How does SCYTHE allow a SOC or incident response team to get better at what they do and what are the biggest challenges for a SOC?
- False positives - it’s hard enough looking for the needle in the haystack, why do our tools keep adding more hay? SCYTHE helps configure tools to dial them in to what real threats would look like in that organization’s specific environment.
- Talent Pyramid - to handle all of those false positives, SOCs are stacked with Tier 1 analysts to sift through the data to escalate potential items of interest up to a smaller group of experts. What if this could be inverted? By reducing the false positives, not as much effort needs to be put toward sifting through the haystack and those resources can be repurposed.
- Training - personnel get lots of training on the tools they need to use. They can even get training on known malware. But, what about the next campaign? With SCYTHE, an organization can create an unlimited amount of malicious behavior and traffic that is behaviorally focused instead of signatured.
Can I use SCYTHE to test the effectiveness of security products?
We are the only tool that allows an analyst to holistically test security. The largest surface area of any organization is the people. They should be in scope of all tests. From the other side, conducting simple phishing testing and training doesn’t address this either. The cost difference between sending 1 email and 1 billion emails is marginal. Just improving user training doesn’t solve the risk, it only reduces the percentage of incidence, in other words, it’s still going to happen because of the statistical probabilities. All clicks are not created equal. An organization wants to understand the specific impact and risk of a particular campaign when that specific employee clicks it. What could happen? What does it mean? How far will it get and to what? How do all of the security controls behind that employee hold up?
There are two ways to use the platform to test security products:
- Adversarial - using the Threat Catalog’s already defined campaigns or easily creating your own, you can conduct continuous and holistic security assessments. The behavioral logic for these can be easily automated which means the campaigns will run and automatically deliver reports for remediation.
- Security Instrumentation - the easiest way to use it! While we are not agent-based, it can still be deployed that way. Choose end points inside your enterprise, install the user-level application and the platform will generate activity and traffic to test products and deliver performance reports.
Where can users go to learn more?
If you are interested in seeing a demo, please contact us. We are also coming to a conference near you! We will be at most of the offensive security conferences offering hands-on opportunities with the platform and demos. Our background is offensive security and we will continue to participate and support the community. Additionally, you will begin to see the SCYTHE platform used in several large vendor training classes and live exercises ranging from red, blue, and penetration testing subjects.
Also, I co-founded a non-profit in Industrial Control System (ICS) security, the ICS Village, which will be at even more conferences. ICS is a relatively esoteric space to most people; even very technical IT professionals rarely know what a Programmable Logic Controller (PLC) is let alone what one looks like and how they work. SCYTHE does the same thing for enterprise risk assessment. We combined the two with several custom ICS versions of SCYTHE so that attendees can easily conduct malicious operations on the ICS exhibits (it is a slice of a smart city: power and water plants connected to a fully interconnected smart house).