Chained Breach Simulation

The first time I saw signatures used to detect attacks more than two decades ago, I knew that intrusion detection systems (IDS) would become a new protection category. It was thrilling to see a new security control come to life, and I give credit to the Air Force Information Warfare Center for leading the way on practical implementation. I became so enthused with IDS that I spent a year writing a textbook on the topic.

More recently, the first time I saw platforms used to simulate attacks, I knew that this method would also become a new protection category. Gartner dubbed it breach and attack simulation (BAS) (I suspect the redundant A was included to avoid calling the category BS), and I give credit to several commercial vendors for bringing this important control to life. If you read my column, then you know that I endorse attack simulation.

I had the good fortune to spend time last week with Bryson Bort, founder of Arlington-based start-up SCYTHE. Bryson, who studied computer science at West Point, eventually went on to serve as a Battle Captain and Brigade Engineering Officer in support of Operation Iraqi Freedom. I was keen to learn more from Bryson about his team’s work in this area of simulating breaches in the enterprise. Here’s what I learned:

“After returning from military service, the consultancy I founded was helping to secure a major retailer,” Bort explained. “They asked us to find a way to assess the effectiveness of their security, so we created a test platform that could programmatically generate implants to prove the concept. Through a series of refinements, we arrived at a superior way to do this, and several years later, we launched the SCYTHE platform.”

Bort described how the starting point for most attack simulation platforms is a comprehensive taxonomy of individual techniques. He went on to describe the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework, with its extensive matrix of entries, as perhaps the most popular such construct today. This resonated, since I’d just completed research for a webinar with MITRE on their framework.

But Bort described a challenge that exists with any categorized list of techniques. He explained that simulation can devolve into a check-the-box approach, where individual techniques are tested in a context-free manner. “Modern offensive actors do not approach cyber threat campaigns in this manner,” Bort explained. “So, this approach does not provide a meaningful simulation of how an attack is likely to advance within an enterprise.”

To address this challenge, the SCYTHE platform instead supports chaining together techniques from frameworks such as MITRE ATT&CK. The resulting test structure is more complex than the execution of an individual technique, and it allows an enterprise to build attacks within its own business context that better resemble campaigns by capable actors. The result is an improved estimation of risk.
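To make the difference between check-the-box testing and chained simulation concrete, here is an added example (my own illustration, not SCYTHE’s code) that scores the same simulation results two ways: once as isolated per-technique detection coverage, and once by walking the chain, where the adversary only reaches a step if nothing earlier was blocked. The technique IDs are real ATT&CK identifiers; the two campaigns and their detection outcomes are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    technique: str  # ATT&CK technique ID, e.g. "T1566" (Phishing)
    tactic: str     # ATT&CK tactic this step serves
    detected: bool  # a control alerted on this step during the simulation
    blocked: bool   # a control prevented the step from completing


# Tactic progression used to check that a chain is coherent: a later
# tactic cannot precede an earlier one, since each step builds on the last.
TACTIC_ORDER = ["initial-access", "execution", "privilege-escalation",
                "credential-access", "lateral-movement", "exfiltration"]


def validate_chain(chain):
    """True if the steps follow non-decreasing intrusion (tactic) order."""
    ranks = [TACTIC_ORDER.index(s.tactic) for s in chain]
    return all(a <= b for a, b in zip(ranks, ranks[1:]))


def checkbox_coverage(chain):
    """Context-free view: share of techniques detected, each judged alone."""
    return sum(s.detected for s in chain) / len(chain)


def run_chain(chain):
    """Campaign view: advance step by step; stop at the first blocked step.
    Reports whether the final objective was reached and where the defender
    first got an alert (None if the adversary was never seen)."""
    first_alert = None
    for i, step in enumerate(chain):
        if step.detected and first_alert is None:
            first_alert = i
        if step.blocked:
            return {"objective_reached": False,
                    "stopped_at": step.technique, "first_alert": first_alert}
    return {"objective_reached": True, "stopped_at": None,
            "first_alert": first_alert}


# Constructed sample campaigns. A: most steps are seen but none is stopped,
# so data still leaves. B: almost nothing is seen, but credential dumping is
# blocked, so the chain never reaches lateral movement or exfiltration.
CAMPAIGN_A = [Step("T1566", "initial-access", True, False),
              Step("T1059", "execution", True, False),
              Step("T1003", "credential-access", True, False),
              Step("T1021", "lateral-movement", False, False),
              Step("T1041", "exfiltration", True, False)]
CAMPAIGN_B = [Step("T1566", "initial-access", False, False),
              Step("T1059", "execution", False, False),
              Step("T1003", "credential-access", True, True),
              Step("T1021", "lateral-movement", False, False),
              Step("T1041", "exfiltration", False, False)]
```

Campaign A scores 80% per-technique coverage yet reaches its objective, while Campaign B scores 20% and is stopped at the third step; ranking risk by the first number alone gets the two backwards.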

I asked Bort whether such complex simulation structures might be more difficult to contain in a live enterprise, and he was quick to respond: “We carefully manage the controls of the simulations to ensure that they properly test what is intended,” Bort said. “We learned to do this through our many years of experience in government settings where the cyber risk is more intense, and the consequence of failure is significant.”

We spent some time discussing the funding, management, and advisory teams supporting SCYTHE, and I must say that Bort has put together an all-star team. The names of expert luminaries from our industry came up, such as Ron Gula and Dmitri Alperovitch, as did the names of fine funding organizations such as Paladin and Evolution Equity. SCYTHE is thus clearly well-positioned for success in terms of its senior leadership.

The business risk I see for SCYTHE, and all other vendors supporting breach and attack simulation, is the challenge of advancing a new control category in this ridiculously competitive commercial market for cyber security platforms. As I alluded to earlier, I fully support the emergence of this new category, but with budgets for enterprise security no longer in hyper-growth mode, such introduction will be challenging.

If you’ve read this far, then I suspect you’re already sold on attack simulation. It thus becomes your responsibility and mine to extend this enthusiasm to our entire industry. One ripe target for this is the compliance and regulatory community. And please make sure to include SCYTHE in this promotion work, because their approach to chained techniques looks like a winner, and will help demonstrate the practicality of the control.

As always, please share your views and experiences.