At SCYTHE, we spend a lot of time focusing on adversary emulation, as it is an ideal method for maturing your red team engagements and purple team exercises and for providing the most business value (see our Ethical Hacking Maturity Model). For this post, we want to cover custom threats. What if a new technique has not been seen in the wild? It will not be in MITRE ATT&CK, because being observed in the wild is a requirement the MITRE team imposes for inclusion in ATT&CK. Does this mean we should not test the new technique? Of course not! We should be able to deviate from adversary emulation plans to test new techniques, and in the event that techniques in the plan are prevented or detected, the red team has the flexibility to try other procedures, just as an Advanced Persistent Threat (APT) would. For this, we give operators the ability to create custom modules (and share them in the Marketplace), as well as the ability to create and share custom threats in our Community Threats Github.
To enable the creation and sharing of custom modules, we have released the SCYTHE SDK so that developers, researchers, and operators can create custom modules and share them in the SCYTHE Marketplace. The SCYTHE Marketplace is like an app store where SCYTHE users can share (for free) and download custom modules created by the community. These modules do not need to map to MITRE ATT&CK, but they have the option to be tagged as such. We launched the technical backend of the Marketplace on August 20 during UniCon. Check out the launch and an introduction to the SDK by Adam Mashinchi:
Adam Mashinchi posted a step-by-step guide for porting a Python tool to SCYTHE. However, that guide assumes you know a little bit about Python. At UniCon, Marcello presented a great primer on Python to share knowledge and spare some headaches:
The Marketplace and SDK allow you to create custom modules that emulate adversary behaviors for inclusion in the SCYTHE platform. You can also leverage the SCYTHE Community Threats Github to share custom threats, or to download custom threats to emulate in your own environment.
The release of the SCYTHE SDK for custom module development, together with the Marketplace for sharing those custom modules, allows SCYTHE users to operate at the bleeding edge. The Community Threats Github allows SCYTHE users to run full emulations of custom adversary emulation plans created and shared by the community.
This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io.