SCYTHE is thrilled to welcome a new unicorn to the executive team as Jorge Orchilles comes on board as Chief Technology Officer. Jorge will bring his industry and enterprise expertise, having led the offensive security team at Citi for 10 years, to drive SCYTHE’s upcoming SCYTHE Marketplace and further innovations in adversary emulation. Jorge (along with SCYTHE’s CEO and Founder, Bryson Bort) co-created the C2 Matrix project, a comprehensive breakdown and comparison of over 45 command and control frameworks. Jorge is also a SANS Certified Instructor and the author of SANS Security 564: Red Team Exercises and Adversary Emulation course.
We caught up with Jorge and discussed his vision for leveraging adversary emulation for Red and Purple Teaming to provide the most business value. Check out his interview below.
SCYTHE is an innovative offensive security startup that believes in giving back to the community. The SCYTHE platform for performing adversary emulation is the best enterprise-grade solution for organizations doing Red or Purple Teaming. The vision to innovate while building community is very important to my values. We have all benefited so much from the community and we should give back. I find it very fulfilling to teach and share my knowledge and this is in line with SCYTHE culture. I really believe in where the SCYTHE platform is going to make a real difference.
At Citi, we spent a lot of time evaluating new products and services that bring value to the offensive security team and our core business. When I was introduced to SCYTHE I had a lot of questions; was this an attempt to replace Red Teamers with automation? As we evaluated the platform we soon learned it would help Red Team automate a number of tactics, techniques, and procedures (TTPs) we had already performed manually but had to continually emulate for the engineers, operations teams, and security operations center as they implemented controls. SCYTHE automation saved our Red Team countless hours of manual emulation allowing Red Team to focus on stealth and new TTPs. As we implemented SCYTHE, we began using it for our Purple Team Exercises allowing us to consistently emulate adversary TTPs so we could focus on the business value: improving people, process, and technology.
Over the past 5 years I built one of the best Red Teams in the financial industry from scratch using the experiences I had obtained in vulnerability assessment and penetration testing. I found that a Red Team is a program encompassing people, process, and technology. Most organizations mature enough to create a Red Team tend to focus on the people, paying high salaries and investing in training but there is little guidance around process and technology.
On the process side, I worked with peers in other financial institutions to create a process for performing adversary emulations in a repeatable and professional manner that met global regulatory requirements: A Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry.
On the technology side, Red Teams have used open source tools and spent countless hours customizing or creating their own toolset. While this is generally a fun process, it takes away from the value the Red Team can provide the business.
To create a successful Red Team program means showing the value to the business and prove the program is improving the overall security posture of the organization. This has been a big area of focus for me the past 2 years . My CISO came to me and said “Jorge, the red team does awesome work but how can I show this to the board of directors in a manner they understand and see the value of the Red Team program?” Many red teams that are starting or in the early years have these same challenges and I want to help them overcome some of these challenges with solutions we have implemented.
Purple Teaming is not a replacement for Red Teaming. Blind (or black box) Red Team engagements continue to bring significant value in providing a holistic view of the organization’s security posture, tests assumptions, and measures and improves people, process, and technology. Purple Team Exercises, where the Red Team shares the adversary TTPs before performing them in front of the Blue team, can be performed after a blind Red Team engagement, to train new people, and can be operationalized for testing new exploits or TTPs. Purple Teaming adds efficiencies for improving detective controls and alerts.
The soon-to-launch new version of SCYTHE (v3.0), python SDK, and Marketplace are all extremely exciting. The platform itself is an enterprise-grade command and control framework, something the industry really needs. Thanks to the C2 Matrix, we have been testing 40+ command and controls frameworks, all but 5 are open source, and few are enterprise grade because of limited use cases. Most organizations spend hundreds of thousands of dollars on tools but don’t give Red Teams budgets for enterprise-grade tools; that needs to change. The python SDK will allow anyone to create custom modules for SCYTHE which is where Red Teams should be spending time, not troubleshooting tools. Lastly, the marketplace will create an ecosystem where offensive security tool developers can securely share their custom modules without the risk of malicious actors obtaining the code and contributing to the problem.
I really look forward to this new journey, working with an innovative company, and making the information security community better!
About SCYTHE
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io.