Cyber Defense: Bryson Bort of SCYTHE On The 5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack
In our uncertain and turbulent world, cyberattacks on private businesses are sadly a common tactic of hostile foreign regimes as well as criminal gangs. Cyberattacks and ransomware have crippled large multinational organizations and even governments. What does every company need to do to protect itself from a cyberattack?
In this series called “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” we are talking to cybersecurity experts and chief information security officers who can share insights from their experience, with all of us.
As a part of this series, I had the pleasure of interviewing Bryson Bort.
Bryson is the Founder of SCYTHE, a start-up building a next generation attack emulation platform, and GRIMM, a cybersecurity consultancy, and Co-Founder of the ICS Village, a non-profit advancing awareness of industrial control system security. He is a Senior Fellow for Cybersecurity and National Security at R Street and the National Security Institute and an Advisor to the Army Cyber Institute. As a U.S. Army Officer, he served as a Battle Captain and Brigade Engineering Officer in support of Operation Iraqi Freedom before leaving the Army as a Captain. He was recognized as one of the Top 50 in Cyber in 2020 by Business Insider.
Bryson received his Bachelor of Science in Computer Science with honors from the United States Military Academy at West Point. He holds a Master’s Degree in Telecommunications Management from the University of Maryland, a Master’s in Business Administration from the University of Florida, and completed graduate studies in Electrical Engineering and Computer Science at the University of Texas.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
My dad was an Army Officer, so I grew up in Germany and the Soviet Union. We left Berlin right before the Wall fell and Moscow in 1990 then moved to the United States. Growing up in Europe and behind the Iron Curtain during the height of the Cold War gave me a really strong perspective on the world.
As a kid, I used to tear electronics apart and put them back together. In high school, back when we had graphing calculators for math, in every class that I could get away with it, I would spend the time programming games like my own version of Street Fighter or elaborate Role Playing Games (I got really good at pixel art).
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I’ve spent almost my entire life working with technology and computers so there’s no single experience that inspired me. After high school, I went to West Point where I majored in computer science and became the first Brigade Information Systems Officer there. I was a Signal Corps officer in the Army which is telecommunications, like satellites, mobile networks, cellular, all of it.
Before I got recruited back into technology, I worked in manufacturing where I built a global team and a fully fleshed-out Configuration Management Database (CMDB) which saved them millions of dollars a year. After that, I was recruited to oversee a technology refresh in support of organizations like the State Department for all of the embassies and consulates in the world before moving to support the Chief Technology Officer at ManTech. That’s where I was recruited into offensive cybersecurity.
Cybersecurity really was an innate interest even before it was a known career path.
Can you share the most interesting story that happened to you since you began this fascinating career?
My whole career has been interesting, but the top ones always come back to my experiences with the non-profit I co-founded with Tom Van Norman, ICS Village. It’s a non-profit focused on education and awareness for critical infrastructure security. At the end of 2019, Tom and I were flown out to Kuwait to support KIACS, a key security conference for regional energy, at the request of Dr. Reem Al-Shammari who’s the CISO at the Kuwait Oil Company. We had the opportunity to engage, educate, and learn for ourselves from folks who are on the frontlines of what’s happening in critical infrastructure.
You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?
Nobody creates a business alone, and I believe collaboration is key. I went out and sought advice from successful entrepreneurs because you may know some things, but you won’t know everything. You need to find people who can help you succeed, who understand your vision, and who want to work with you to achieve the shared goals.
You need to be humble to be able to accept that other people’s advice and experience can inform you. If you think you know everything, you won’t be able to collaborate. You also won’t be able to succeed.
Normally when we talk about grit, we think about it in terms of failing and pivoting, but there’s more to it when you’re an entrepreneur. Creating new ideas and vision means going into the unknown and finding a way to get someone to buy into a new, innovative idea. When Henry Ford tried to explain cars to people who only had horses, he said that they were just faster horses. People wouldn’t understand that because then they’d wonder, “why would a horse have rubber hooves?” I particularly remember spending 2016 to 2018 trying to explain to people what we were building at SCYTHE and training them on it because there was no comparison. The first attempt may not always work, and you have to keep trying until you find the right approach.
Are you working on any exciting new projects now? How do you think that will help people?
We are working on a way for everyone in the world to share the latest cyber attack techniques being used by criminals and nation states. This is a similar approach to what has been done with “bug bounties”: a way for developers to find issues or “bugs” in software, usually ones that lead to security problems. Companies would offer money, a “bounty,” for finding them. Effectively, anyone could be a security researcher or ethical hacker. In our case, we host the ability where anyone can contribute to a shared library containing one of the largest collections of techniques used in cyber attacks so companies can test their defenses with the latest threats.
For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Cybersecurity?
No one can really be an authority on cybersecurity. Most of us are authorities on thinking like cybercriminals, understanding the steps they take and technologies they use to get into systems and networks.
When I started my first company, GRIMM, I spent a lot of time doing penetration testing. That’s basically trying to break into companies’ systems and networks, like a cybercriminal would. In the end, it’s how I ended up creating SCYTHE. Companies needed to emulate these attacks to validate people, processes, and technologies, but the costs of running penetration tests meant they couldn’t do it regularly. I decided to take the pieces of the attacks apart — the tactics, techniques, and procedures, or TTPs — and give companies a way to automate testing for continuous validation.
By taking apart attacks, reviewing how they work, and looking for new ways to build them, I get a deeper understanding of how these cybercriminals think and deploy their attacks.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of cyber attacks that we need to be cognizant of?
It’s important to understand that there are multiple steps in any given attack. The way it’s reported in the news may not make that clear.
The three basic steps to any cyber attack are:
- Reconnaissance: This is the time when the threat actors are doing their research, looking for people or technologies that may be vulnerable.
- Initial Access: This is when the threat actors first gain access to a company’s networks or systems, trying to figure out where to go next and what next steps to take.
- Post Access: This is when they’ve gotten what we call a “foothold,” gaining more access, elevating their privileges, or doing all the “bad stuff” like stealing the data.
When you read about a phishing attack, that’s the initial access step. After receiving the malicious email, users clicked on a malicious link or downloaded a malicious document. This is that first step in the attack because the phishing email usually gives the cybercriminals that first access by stealing a credential or executing malware that creates a “backdoor” entrance.
When you read about a ransomware attack, you’re seeing the post access step. The malicious actors usually start a ransomware attack with a phishing attack or another way to gain initial access. Once inside the systems and networks, they can deploy and execute the malicious code — the ransomware program — that locks up data and allows them to steal it.
Who has to be most concerned about a cyber attack? Is it primarily businesses or even private individuals?
Everyone should be concerned. Cybercriminals don’t need to focus on a specific target. Anyone is at risk, no matter the business’s size. They can throw out a campaign, and hundreds of companies end up in the same boat. It’s not just one person coding at a computer. Cyberattackers use technologies and tools. They work together and share their methods.
The interconnectivity of companies makes everything more complicated. Just like cybercriminals have the dark web, companies have created this concept of the shadow internet. Legitimate businesses have created all these links amongst themselves which function as their own connected internet through each other. That makes companies vulnerable because if one company in the supply chain is compromised, everyone in the supply chain can be compromised.
Private individuals are more often victims of things like account takeovers or identity theft. They need to worry about things like email phishing attacks, especially around holidays or even tax season. We’re also seeing more cybercriminals using smishing attacks, which is sending fake texts with links that then deliver malware. Consumers need to stay aware of these attacks since they use connected devices more than ever. I wouldn’t be surprised if over the next few years we see something like ransomware attacks on connected cars. You go to turn on your car and the infotainment system displays a ransomware message.
Who should be called first after one is aware that they are the victim of a cyber attack? The local police? The FBI? A cybersecurity expert?
Before they do anything else, they need to get their incident response teams working to contain the attack. If they don’t have an internal team, they need a cybersecurity expert to help them contain the attack and recover their systems back to their original state. Cybercriminals work to evade security detection tools so they can remain hidden in systems and networks. This is how they get access to the data that they steal.
Companies need to bring in a cybersecurity expert who can collect the forensic data that the authorities need but who can also trace the attack, contain it, and put the systems back to their original state.
Most regulatory compliance requirements include contacting law enforcement, as well. Meeting the local FBI Special Agent and building a relationship with them before an attack might change how the company responds to one.
What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?
The problem is that the business understanding of cybersecurity doesn’t always include context. I think this is an area where cybersecurity professionals don’t always explain risk correctly to the business. A ransomware attack may be happening in one industry or using one type of software as the entry point. If your business doesn’t know the context of the attack, you can’t understand the risk to your business.
Security professionals often treat cybersecurity as only a technology problem and try to solve it by adding more technology. Cybersecurity also includes having the right people with the right training who have the right processes to follow.
What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?
The government needs to take a harder stance on ransomware attacks. It needs to start treating these activities like a crime and treating threat actors as criminals. This means preventing cybercriminals and nation state actors from finding a safe harbor. We need to change the math. We need to be able to locate threat actors and make them think twice before they act.
Technology leaders need to share what they know and make that information more widely available. Too often, the information isn’t shared widely. Larger organizations might have more information than smaller ones. That creates an inequality that puts everyone at risk. Collaborating, sharing information, and democratizing the process is one way to reduce the success and impact of these attacks.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” and why?
Know your assets. Configuration management, like system hardening and installing security updates quickly, is key. To do this, you need to know what you have. This means having a catalog of all devices, users, data storage locations, software, and systems. If you don’t know you have something, you can’t protect it or update it.
Continuously test and validate controls. Controls, like antivirus tools, only protect you when they work. You need to make sure that they’re doing what you want them to do. Test your controls. See if they detect threats fast enough. See if the alerts are working as intended. Cybercriminals are continuously looking for new ways to attack your business. You need to do more than an annual or quarterly test. You want to do this before a cyber attack because if you wait, the attackers can get — and stay — in your systems and networks.
Train your people. No matter how big or small your security team is, everyone needs the training that helps them — and you — successfully mitigate threats. Sit the team down and create a fictional attack scenario. Make sure everyone knows their role and the process to follow.
Assume breach. Assuming breach means treating everything like it’s already been compromised, like cybercriminals are already hiding in your systems. You’re assuming that there’s a device connected to your networks that’s already running malware or cybercriminals are already in a database. You’re assuming that a user password has already been stolen and used. If you assume breach, you’re taking the proactive steps to protect your business.
Back up. Back up. Back up. If you back up your business-critical data, then it’s easier to recover to a pre-attack state. Make sure to have three copies of all your data stored on two different media, with one of those being off-site, like in the cloud.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)
If I could inspire anything, it would be teaching people to understand that critical infrastructure security is a human problem that affects everyone. Critical infrastructure is literally the very basis of modern society, defining our quality of life. Without it, you have no power or water. Without protecting it, the problem isn’t “oh no, we lost some data,” but potentially physical harm.
Cybersecurity is really a human problem. That’s why I co-founded the non-profit, ICS Village. We need to support the human side of security, both to help those who protect critical infrastructure and those impacted by critical infrastructure.
How can our readers further follow your work online?
SCYTHE blog, Threat Thursday.
@brysonbort