Assess Your Resiliency with SCYTHE’s Adversary Emulation Platform: A Proactive Approach to Server Protection

Assess Your Risk Posture With Scythe

TL;DR: The SCYTHE platform, built for the enterprise and cybersecurity consulting market, enables teams to develop and emulate real-world adversarial campaigns in minutes. This proactive approach helps organizations continually assess their risk posture and exposure while tuning the cybersecurity tools they already own to better protect servers. The SCYTHE team introduced several new features with the recent release of SCYTHE version 3.2, many of them inspired by customer feedback.

Professional boxers train for several hours a day in preparation for a fight. A mix of techniques — from strength training and cardio to sparring and pad work — help the athletes get in the best shape possible. Boxers also work with trainers to simulate real fights, practicing various punch combinations intended to knock out opponents.

No boxer in his or her right mind would skip training and depend solely on headgear, mouth guards, and other body protectors to deflect jabs, crosses, and uppercuts.

According to Jorge Orchilles, CTO of SCYTHE, the same is true in cybersecurity. Still, many businesses expect their IT teams to jump into the ring without any training.

Jorge Orchilles, CTO, filled us in on SCYTHE’s threat emulation platform.

“You don’t go into a fight with Mike Tyson with no training, and it’s the same with attackers,” Jorge told us. “The SCYTHE platform allows you to prepare yourself for the inevitable cyberattack while looking at your organization holistically to see how reliant and resilient it is.”

The next-generation technology allows teams to emulate adversarial campaigns to gauge where they stand with real-world threats to their servers. This proactive, rather than reactive, approach empowers IT professionals to respond quickly and effectively while tuning existing cybersecurity tools for maximum performance.

“More and more organizations are working under the assumption that they will be breached,” Jorge said. “We know that the antivirus is going to get bypassed. Or that, at some point, someone’s going to fall for a phishing email or forget to patch that one system that opens the door to attackers. The question is, once they’re in your house, will you be prepared to respond?”

Advanced, Real-World Training for People and Processes

SCYTHE Founder and CEO Bryson Bort also launched the boutique cybersecurity consultancy GRIMM.

According to the SCYTHE website, the platform is rooted in GRIMM’s core values of innovation, passion, and agility. The platform is unique in the market, disrupting the traditional approach to security and vulnerability assessments.

“SCYTHE was launched after a larger retailer was breached — they had a robust information security program, and it still happened to them,” Jorge said. “If technology alone doesn’t hold up, you need people and processes in your response.”

The need for such a solution remains evident in the market today, as breaches at large organizations, like SolarWinds and Microsoft, show us that no one is immune to the current threat environment.

SCYTHE aims to educate and engage teams to advance the state of cybersecurity.

“It’s no longer about preventing things — antivirus software is very 1990s,” Jorge said. “If even mature organizations with significant security budgets are getting breached, there’s a clear need for continual training. Our platform emulates adversary behaviors in your environment to train your people, train your process, and improve your technology.”

The company recently began using its advanced technology to help healthcare organizations detect and respond to threats before becoming victims.

“Pandemic hospitals were getting hit very hard by ransomware to a point where some had to turn people away,” Jorge said. “We’ve been working with hospitals to raise awareness as well as give them the platform for free. This allows them to test themselves against a ransomware attack without actually losing their systems or data.”

Test Your Defenses with Synthetic Malware

SCYTHE has a firm place in the market as the only provider of its kind.

“We’re very innovative in that we’re not simulating this traffic,” Jorge said. “We’re not sending things back and forth between systems that you have disposed in your organization. We’re creating a piece of synthetic malware and running it in your endpoint, just like a real piece of malware.”

In the cybersecurity world, red, blue, and purple teams perform ethical hacking exercises. The red team plays the attacker’s role, conducting vulnerability assessments, while the blue team serves as the defense. The purple team represents a blended methodology of the red and blue groups.

SCYTHE’s goal is to help blue teams succeed in protecting their server infrastructure. The platform acts like a red team force multiplier, allowing users to create campaigns across the potential attack space.

A free Purple Team Exercise Framework (PTEF) is available to help organizations build a formal purple team program. The framework structures adversary emulations, run either as discrete purple team exercises or as continuous purple-teaming operations. This iterative training cycle results in a more robust security posture for the enterprise.

“You can use our platform as a stealthy red team at a zero-knowledge engagement where the blue team defenders don’t know about it,” Jorge said. “When you’re done with your assessment, you can replay it and then walk them through it behavior by behavior.”

Businesses can also execute the training as purple team engagement that is planned out with both teams.

“The first time you run it, you’re actually both there,” he said. “The red team demonstrates the adversary emulation plan they’re going to execute with the blue team watching. And then it’s the blue team’s turn to show the red team. Offense informs defense, and defense informs offense.”

Successfully Tune Your Security Technology

In addition to refining people through training, SCYTHE allows teams to fine-tune their security systems for maximum effectiveness.

“We find that people spend a lot of money on technology, but once they put it in production, they have to turn a lot of it off,” Jorge said. “They end up using maybe 3% of the capabilities of that security product.”

By emulating adversaries, SCYTHE can help users set up their existing tools to boost security with zero dollars spent on new technology. The goal is to help people grow with their technology.

“We did a purple team engagement for six weeks with one client that had about a 98% nondetection rate at first,” Jorge said. “The adversaries that we were emulating would have been successful, but by optimizing what they already had, they were able to get up to a 70% detection rate simply by implementing a program.”

Purple team approaches like this show users how to get more out of the assets they already have, instead of attempting to weave multiple new solutions together.

“You can keep buying products and still end up in the same place,” Jorge said. “All we want to do is bring value to everyone in the organization, from training the people on the front lines to educating the C-suite on the ROI of their products.”

Version 3.2: Customer-Fueled Updates

The SCYTHE team’s recent release of version 3.2 introduced several new features — many of which were directly inspired by customer feedback.

Exciting additions to the platform include the ability to upload and sign payloads using operator-provided certificates, support for Single Sign-On (SSO) via the OpenID Connect standard, and a new MITRE ATT&CK Navigator layer output.
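The ATT&CK Navigator layer output mentioned above, together with the detection-rate figures Jorge cites earlier (a client moving from a 98% non-detection rate to 70% detection), is easy to picture with a small script. The following is an added example, not SCYTHE's own code or export format: it takes a constructed, hypothetical list of emulated procedures with a detected/not-detected flag, computes the campaign's detection rate, collapses the results to ATT&CK technique level, and emits a Navigator layer JSON (the `techniqueID`, `score`, `comment` and `gradient` fields are standard Navigator layer keys; the version numbers are placeholders).

```python
"""Summarise purple-team emulation results and emit an ATT&CK Navigator layer.

Added example, not SCYTHE's code or output format. CAMPAIGN_RESULTS is a
constructed, hypothetical export of one emulation campaign.
"""
import json
from collections import defaultdict

# Constructed sample: one row per executed procedure, keyed by ATT&CK technique ID.
# "detected" records whether the blue team's tooling alerted on that step.
CAMPAIGN_RESULTS = [
    {"technique": "T1566.001", "name": "Spearphishing Attachment", "detected": True},
    {"technique": "T1059.001", "name": "PowerShell", "detected": False},
    {"technique": "T1059.001", "name": "PowerShell", "detected": True},
    {"technique": "T1003.001", "name": "LSASS Memory", "detected": False},
    {"technique": "T1486", "name": "Data Encrypted for Impact", "detected": True},
]


def detection_rate(results):
    """Fraction of executed procedures that produced a detection (0.0 .. 1.0)."""
    if not results:
        return 0.0
    return sum(1 for r in results if r["detected"]) / len(results)


def per_technique(results):
    """Collapse procedures to technique level: {id: (detected_count, total_count)}."""
    counts = defaultdict(lambda: [0, 0])
    for r in results:
        counts[r["technique"]][1] += 1
        if r["detected"]:
            counts[r["technique"]][0] += 1
    return {tid: tuple(v) for tid, v in counts.items()}


def navigator_layer(results, layer_name="Purple team run"):
    """Build a Navigator layer dict.

    Score per technique: 0 = never detected, 1 = partially detected,
    2 = every emulated procedure for that technique was detected.
    """
    techniques = []
    for tid, (hit, total) in sorted(per_technique(results).items()):
        score = 2 if hit == total else (1 if hit else 0)
        techniques.append({
            "techniqueID": tid,
            "score": score,
            "comment": f"{hit}/{total} procedures detected",
        })
    return {
        "name": layer_name,
        # Placeholder version strings; set these to match your Navigator instance.
        "versions": {"attack": "12", "navigator": "4.8", "layer": "4.4"},
        "domain": "enterprise-attack",
        "description": f"Overall detection rate {detection_rate(results):.0%}",
        "techniques": techniques,
        # Red for undetected, yellow for partial, green for fully detected.
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"],
                     "minValue": 0, "maxValue": 2},
    }


if __name__ == "__main__":
    # Write the layer to stdout; redirect to a .json file and load it in Navigator.
    print(json.dumps(navigator_layer(CAMPAIGN_RESULTS), indent=2))
```

Loading the resulting file in the ATT&CK Navigator colours each emulated technique by how reliably it was detected, which is the view a blue team wants when deciding which existing product settings to tune first; re-running the campaign after tuning and diffing the two layers is how the detection-rate improvement described above becomes visible.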

Jorge said the company also offers a SCYTHE Software Development Kit (SDK), which lets developers create and validate custom modules in Python or native code.

“We have an SDK that you can build modules in for Windows, macOS, and Linux, and then import those into SCYTHE,” he said. “You can also share those modules through a marketplace. It’s kind of like an app store of adversarial Tactics, Techniques, and Procedures (TTPs).”

Follow Jorge and SCYTHE on Twitter to stay updated on the Adversary Emulation Platform and other security-focused topics.