Cipher Partners With SCYTHE for Adversary Emulation
SCYTHE traditionally focused on enterprise organizations with dedicated blue teams and red teams. We quickly realized that by partnering with managed service providers (MSPs) we could expand our offering, help many other organizations level the playing field, and detect and respond to the kinds of attacks that are happening in the wild against everyone else. By partnering with CIPHER, SCYTHE gets to work with a great team that performs cyber threat intelligence and Red Team services and brings deep Blue Team experience in detection and response. Our ultimate goal is to enable organizations to detect and respond to an attack before they are impacted, before that Boom.
SCYTHE CTO Jorge Orchilles sat down with Ricardo Encinosa, VP of Managed Security Services U.S. at CIPHER, to discuss CIPHER's partnership experience with SCYTHE. CIPHER is a global managed security service provider (MSSP) that offers a wide range of services, including a 24/7 security operations center, Red Team services, cyber intelligence services, GRC services, and compliance teams. Jorge and Ricardo discussed the different ways CIPHER has used SCYTHE to test their controls and answer some of their customers' top questions. The question asked most often after a new attack surfaces in the news is, “can this happen to us?” Ricardo shared how CIPHER has been able to answer that question since deploying SCYTHE in their customer environments.
“As soon as a new threat comes out, we notice that a lot of these threats mimic the same techniques from the MITRE ATT&CK framework. SCYTHE allows us to run the test and show the client exactly how the environment would react to the specific threat if it were to happen.”
CIPHER has been a customer of SCYTHE for about three months now, and Ricardo and his team have been working to integrate SCYTHE into the Blue Team and Red Team service lines.
“We’ve been having a lot of fun with SCYTHE and using them with various service lines. As mentioned, one of my responsibilities is running our 24/7 security operations centers. I get asked a lot of questions, especially when we see threats in the wild, like, ‘Ricky, am I protected against this?’ SCYTHE gives us the opportunity to answer that question and take a look for ourselves.”
Much of what an attacker does, such as running whoami or creating a scheduled task, is also routine activity for legitimate users and administrators. Ricardo shared how SCYTHE has enabled CIPHER to distinguish between normal behavior and behavior that needs to be logged, alerted on, or responded to.
“More visibility is always good. As you mentioned before, some attacks are normal. Some people are doing whoami, and most people are running scheduled tasks which are allowed in the environments on occasion. In some cases, it’s not. It’s really important to understand the correlation between actual actions that are occurring and an anomalous event when understanding what a normal behavior looks like within an organization. Keep in mind that normal looks different for each of our clients, environments, and with each of the clients within the environments. Some have more leniency to do certain things and others are more locked down so it’s easier to see when something is out of the ordinary.”
CIPHER's tools and operators need to be able to distinguish the good from the bad. Ricardo shared how SCYTHE helps them get there:
“SCYTHE definitely helps us distinguish where the tool begins and where it ends. It enables us to understand its capabilities, where it has left off or if there are any gaps with the logging or monitoring, and really helps us to do a full gap assessment to see where we need more tools or if we have enough to ensure proper visibility with alerting and the prevention that we need. The SCYTHE partnership has been great. Working alongside them has allowed us to understand where we can fit their program into our various service lines. As we mentioned, we do a lot of things as a full Managed Security Service Provider (MSSP). SCYTHE has helped us not only from SOC (Security Operations Center) services to continue making sure that we’re in a good place, but it can also help to streamline some of our service lines and give them another tool to use in our portfolio.”
SCYTHE can also be used to validate detection rules and other security controls, and as a training tool for security operations analysts.
“Since we are the Blue Team, we are constantly being tested by our clients to make sure we’re doing what we’re supposed to be doing. SCYTHE has helped us not only validate correlation rules, so that when we write a rule we can test it and make sure that it is working as intended. We’re also able to trigger certain rules that may not happen all the time and see how the software reacts, to make sure that in the event that something critical happens, it reacts accordingly and on time.”
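The two points above, a per-client baseline of what is normal and a deliberately triggered rule to prove a detection fires, can be illustrated with a small correlation rule. The following is an added example written for this page; it is not SCYTHE or CIPHER code, and the pipe-delimited process-creation log format, the environment names, the five-minute window, and the sample records are all constructed for illustration. The rule fires when the same user on the same host runs whoami followed by schtasks /create, unless the environment's baseline says that parent/child pairing is normal there, so the same benign admin sequence is ignored in a permissive environment and flagged in a locked-down one.

```python
"""Validate a correlation rule against emulated and benign activity.

Added example (not SCYTHE or CIPHER code). The log format, the
window, the environment names and the baselines are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcessEvent:
    ts: datetime
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed, pipe-delimited process-creation record."""
    ts, host, user, parent, image, cmdline = line.split("|", 5)
    return ProcessEvent(datetime.fromisoformat(ts), host, user, parent, image, cmdline)


# Per-environment baseline: which parent processes may normally launch each
# binary. Normal looks different for each client, so it is keyed by client.
BASELINES = {
    # Permissive: admins run discovery and schtasks from shells all the time.
    "client-a": {"whoami.exe": {"cmd.exe", "powershell.exe"},
                 "schtasks.exe": {"cmd.exe", "powershell.exe", "mmc.exe"}},
    # Locked down: whoami is never expected; tasks are only created via the GUI.
    "client-b": {"whoami.exe": set(),
                 "schtasks.exe": {"mmc.exe"}},
}


def correlation_rule(events, env, window_seconds=300):
    """Return alerts for whoami followed by schtasks /create by the same
    (host, user) within the window, skipping pairings the baseline allows."""
    baseline = BASELINES[env]
    window = timedelta(seconds=window_seconds)
    alerts = []
    recent_whoami = {}  # (host, user) -> timestamp of last non-baseline whoami
    for ev in sorted(events, key=lambda e: e.ts):
        img = ev.image.lower()
        if img not in baseline:
            continue
        if ev.parent.lower() in baseline[img]:
            continue  # normal for this client: keep the log, do not correlate
        key = (ev.host, ev.user)
        if img == "whoami.exe":
            recent_whoami[key] = ev.ts
        elif img == "schtasks.exe" and "/create" in ev.cmdline.lower():
            t0 = recent_whoami.get(key)
            if t0 is not None and ev.ts - t0 <= window:
                alerts.append((ev.host, ev.user, t0, ev.ts))
    return alerts


# Constructed telemetry. An emulation run drops an implant (here "updater.exe",
# a made-up name) that performs discovery and then persists via a scheduled task.
EMULATED_LOG = [
    "2024-03-01T10:00:00|WS01|alice|updater.exe|whoami.exe|whoami /all",
    "2024-03-01T10:01:30|WS01|alice|updater.exe|schtasks.exe|"
    "schtasks /create /tn Sync /tr C:\\Temp\\s.exe /sc minute",
]
# Constructed benign admin activity with the same two binaries from a shell.
BENIGN_LOG = [
    "2024-03-01T11:00:00|WS02|bob|cmd.exe|whoami.exe|whoami",
    "2024-03-01T11:00:40|WS02|bob|cmd.exe|schtasks.exe|"
    "schtasks /create /tn Backup /tr C:\\Tools\\bk.exe /sc daily",
]


def validate(env):
    """Trigger the rule deliberately and report (fired_on_emulation,
    fired_on_benign) so a rule change can be checked before it ships."""
    emu = correlation_rule([parse_event(l) for l in EMULATED_LOG], env)
    ben = correlation_rule([parse_event(l) for l in BENIGN_LOG], env)
    return bool(emu), bool(ben)


if __name__ == "__main__":
    for env in BASELINES:
        print(env, validate(env))
```

For client-a the rule fires on the emulated sequence and stays quiet on the admin's, which is the outcome a rule author wants to confirm after editing a rule. For client-b, where the baseline is empty, the benign sequence fires too; that is the locked-down case from the quote above, where anything out of the ordinary is easy to see but the SOC must decide whether that is the intended level of noise for that client.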
SCYTHE values our partnerships because they allow us to join forces with consulting companies, service providers, and cyber ranges. Leveraging the SCYTHE platform ensures that a safe, custom, and controlled exercise is executed consistently and reliably in your live production environment.