
Adversarial Emulation - Bryson Bort

Join us at Way West Wild West Hackin' Fest in San Diego in March 2020.

Today’s Red Team isn’t enough

Why do we care? Because we want to move our defenses, and our understanding of them, beyond a purely detection-based approach, which has repeatedly been demonstrated to fail.

Why did I build SCYTHE? What led me here?
- Fortune 50 Retailer Use Case
- Bounded Attack Space Philosophy - the atoms of an attack (different way to look at ATT&CK)
- Lessons learned as a CNO (computer network operations) expert coming into commercial/industry red teaming

Red Team vs Adversary Emulation - what’s done today vs what should be done

To white box or black box

Threat Intelligence
- Such a disappointment: feeds give you static identifiers, but nothing machine-readable that you could drive an emulation from
- Analyst reports! Sigh. You have to read and analyze them by hand to pull out capabilities and TTPs
- Neutered malware - awesome! But it is risky, takes a decent amount of work to do, and, since it still carries the original sample's signatures, is very prone to being caught by signature-based detection instead of exercising behavioral detection


MITRE ATT&CK - what it can and can’t do for you.
- Common mistakes: rigid adherence to the matrix, and treating technique IDs as signatures rather than as behaviors

Open Source Options:
- CALDERA - APT3 example (although they didn't really use CALDERA for this…)
- PowerShell - great. Seen in the wild. But not hard to defend against… so, limitations.
- Empire - based on… PowerShell.
- Living off the Land -

Host Activities
- Destruction: ransomware, wiper
- Escalation
- Persistence
- Credential Theft


Network Activities
- Communication/Traffic
- C2 infrastructure

Lateral Movement
- Combination of host/network
- Mapping

Going Purple
- Combined visibility and reporting
- How do you technically do this: SIEM/analytics on the blue side, marker strings/tagging of red team actions so that red activity can be matched to blue telemetry
- Program strategy and direction - shared gap analysis
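The combined visibility and shared gap analysis described above, as an added example; this is not code from the talk, from SCYTHE, or from any tool the talk names. It assumes a hypothetical marker-string format (campaign tag plus sequence number appended to each red team command), hypothetical hosts, ATT&CK technique IDs chosen for illustration, and a SIEM that exports alerts as JSON lines with host, timestamp, rule name and (where one exists) the observed command line. All log data below is constructed.

```python
"""Purple-team gap analysis: join tagged red-team actions with SIEM alerts.

Added example, not code from the talk, SCYTHE or any project. Assumptions:
the red team appends a unique marker string to every command it runs and
records each action with its ATT&CK technique ID; the SIEM exports alerts as
JSON lines with host, timestamp, rule name and (where available) the command
line. Hosts, IDs and log data below are constructed for illustration.
"""
import json
from datetime import datetime, timedelta, timezone

CAMPAIGN_TAG = "PURPLE-2020-03"   # hypothetical campaign marker
WINDOW = timedelta(minutes=5)     # fallback correlation window for untagged alerts

# Constructed red-team activity log. "id" is the per-action marker string the
# operator embeds in the command line (here as a trailing comment).
RED_LOG = [
    {"id": f"{CAMPAIGN_TAG}-001", "ts": "2020-03-10T14:02:11Z", "host": "ws-17",
     "technique": "T1059.001", "name": "PowerShell execution"},
    {"id": f"{CAMPAIGN_TAG}-002", "ts": "2020-03-10T14:05:40Z", "host": "ws-17",
     "technique": "T1053.005", "name": "Scheduled task persistence"},
    {"id": f"{CAMPAIGN_TAG}-003", "ts": "2020-03-10T14:09:02Z", "host": "ws-17",
     "technique": "T1003.001", "name": "Credential dump from LSASS (emulated)"},
    {"id": f"{CAMPAIGN_TAG}-004", "ts": "2020-03-10T14:15:30Z", "host": "ws-17",
     "technique": "T1071.001", "name": "HTTPS C2 beacon"},
    {"id": f"{CAMPAIGN_TAG}-005", "ts": "2020-03-10T14:21:18Z", "host": "fs-01",
     "technique": "T1021.002", "name": "SMB admin share lateral movement"},
]

# Constructed SIEM export (JSON lines). The beacon alert is a network detection
# and carries no command line; the last line is unrelated noise on another host.
SIEM_ALERTS = """\
{"ts": "2020-03-10T14:02:13Z", "host": "ws-17", "rule": "Suspicious PowerShell flags", "cmdline": "powershell.exe -NoProfile -w hidden -c Get-Process # PURPLE-2020-03-001"}
{"ts": "2020-03-10T14:05:41Z", "host": "ws-17", "rule": "Scheduled task created", "cmdline": "schtasks.exe /create /tn Updater /tr notepad.exe /sc minute # PURPLE-2020-03-002"}
{"ts": "2020-03-10T14:16:04Z", "host": "ws-17", "rule": "Beacon-like periodic HTTPS", "cmdline": ""}
{"ts": "2020-03-10T15:40:00Z", "host": "ws-04", "rule": "Suspicious PowerShell flags", "cmdline": "powershell.exe -ExecutionPolicy Bypass -File backup.ps1"}
"""


def parse_ts(s):
    """Parse the ISO-8601 'Z' timestamps used by both logs into aware datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_alerts(jsonl):
    """Read a JSON-lines SIEM export into a list of alert dicts."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def correlate(red_log, alerts, window=WINDOW):
    """Map each red-team action id to the SIEM rules that fired for it.

    A tagged alert (marker string present in its command line) links to one
    action unambiguously. An untagged alert (network detections, for example,
    have no command line to tag) falls back to same-host matching within the
    time window, which is weaker: it can attribute unrelated noise to an action.
    """
    hits = {action["id"]: [] for action in red_log}
    for alert in alerts:
        tagged = [aid for aid in hits if aid in alert.get("cmdline", "")]
        if tagged:
            for aid in tagged:
                hits[aid].append(alert["rule"])
            continue
        t_alert = parse_ts(alert["ts"])
        for action in red_log:
            same_host = action["host"] == alert["host"]
            if same_host and abs(parse_ts(action["ts"]) - t_alert) <= window:
                hits[action["id"]].append(alert["rule"] + " (time-correlated)")
    return hits


def gap_report(red_log, hits):
    """Shared red/blue view: which emulated ATT&CK techniques produced an alert."""
    detected = [a for a in red_log if hits[a["id"]]]
    missed = [a for a in red_log if not hits[a["id"]]]
    return {
        "coverage": len(detected) / len(red_log),
        "detected": {a["technique"]: hits[a["id"]] for a in detected},
        "missed": [a["technique"] for a in missed],
    }


def run_example():
    """Run the constructed campaign through correlation and return the report."""
    return gap_report(RED_LOG, correlate(RED_LOG, load_alerts(SIEM_ALERTS)))


if __name__ == "__main__":
    report = run_example()
    print(f"coverage: {report['coverage']:.0%}")
    for technique, rules in report["detected"].items():
        print(f"  detected {technique}: {', '.join(rules)}")
    for technique in report["missed"]:
        print(f"  MISSED   {technique}")
```

On the constructed data three of five emulated techniques are detected (the beacon only by the weaker time-window match) and T1003.001 and T1021.002 show up as gaps, which is the list the two teams then work from. The marker string exists so the SIEM can prove it saw the action; it must never be what a detection fires on, so before trusting the numbers check that no rule references the tag, otherwise you are measuring the tag rather than the behavior.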

Bryson is the Founder of SCYTHE, a start-up building a next generation attack emulation platform, and GRIMM, a boutique cybersecurity consultancy, and Co-Founder of the ICS Village, a non-profit advancing awareness of industrial control system security. He is a National Security Institute Fellow and an Advisor to the Army Cyber Institute. Previously, Bryson led an elite offensive capabilities development group. As a U.S. Army Officer, he served as a Battle Captain and Brigade Engineering Officer in support of Operation Iraqi Freedom before leaving the Army as a Captain.

Bryson received his Bachelor of Science in Computer Science with honors from the United States Military Academy at West Point. He holds a Master’s Degree in Telecommunications Management from the University of Maryland, a Master’s in Business Administration from the University of Florida, and completed graduate studies in Electrical Engineering and Computer Science at the University of Texas.

