Imagine a supermarket full of advanced persistent threats for your security team to throw at you. That’s what Scythe is aiming to be.
, when it was still known as Crossbow), wreaking havoc on a set of victim systems in our lab and doing the hands-on-keyboard things a red team would typically do to simulate an attack. The platform allowed for the construction of “malware” that would run only on systems within a specific network-address range tailored to the task and that could download additional modules of functionality once installed. The faux malware can be deployed as executable files or as dynamic-link libraries (DLLs), allowing the emulation of more advanced malware attacks. Because it is custom generated, its signature does not match any known malware; endpoint protection software has to catch it by its behavior. (Windows Defender on Windows 7 did not catch on, but other endpoint protection products did catch the custom campaigns I built with my limited malware-crafting skills; the packaged modules did much better at crushing my intentionally limited defenses.)
The Scythe campaign console allows security testers to build a custom malware campaign against their organization.
Those capabilities were what drew several of the security professionals who spoke to Ars to Scythe early on. They were looking for tools that went beyond “threat simulation” products, systems that in many cases essentially replay packet captures of malicious traffic or rely on agents installed on targeted systems (such as AttackIQ and Cymulate) to verify that security controls respond. But from early on, Scythe CEO Bryson Bort talked about his vision for a platform that would not only allow internal and external red teams to develop their own attacks and manage them from Scythe’s platform, but would also let them share or sell those attacks to others on the platform.
At the RSA Conference this month in San Francisco, that marketplace will be officially launched. “Consultancies use us for the services they sell,” Bort told Ars. “The marketplace will allow them to build their own modules.” Those capability modules can either be open source and shared freely across the platform, or their developers can resell them to customers or to other consultancies.
The modular approach is familiar to people in the security testing and research world, particularly those who have used the Metasploit framework for penetration testing over the years (or seen it used by the FBI to unmask visitors to child-porn sites). The big difference in Scythe’s approach is that the modules will be available in an “app store” within Scythe’s interface, ready to be adapted to an organization’s specific needs.
According to one person Ars spoke with who uses the platform as part of an internal red team at a Fortune 576 corporation (and who spoke on background because of the sensitivity of his work and employer), the marketplace will make Scythe even more valuable to red teams. It should also make the tool more accessible and useful to a broader range of companies looking to raise their vulnerability-management game.