Death Rides a Unicorn – Bryson Bort on Attack Emulation, the Human Element, and Why More Tech Isn’t the Answer

SINC interview Nate Arnold GE

SINC’s Director of Content Annie Liljegren spoke with Bryson Bort in October 2021 for this interview, which has been edited for length and clarity.

Bryson Bort is founder and CEO of the adversary emulation platform SCYTHE, and co-founder of ICS Village, a nonprofit advancing awareness of industrial control system security. A former U.S. Army captain, Bryson currently serves as Advisor to the Army Cyber Institute at West Point and DHS/CISA, and is a Senior Fellow for Cybersecurity and National Security at R Street Institute.

Bryson_Bort

Bryson is a featured speaker at our 2021 West IT & Security Leaders Forum, Dec. 5-7 in Scottsdale, AZ, where he'll be presenting "Attack. Detect. Respond: Know Where You Stand to Prevent the Next Attack," and leading an audience-interactive incident response exercise, "Blue Team: Choose Your Own Adventure."

Thanks for being here, Bryson. First, I’d like to ask about your definitional difference between “attack simulation” versus “attack emulation.” You're pretty firm about the need to demonstrate exactly how a specific org would be affected rather than relying on a linear checklist. What’s informing that distinction?

Bryson Bort: When we had the idea from a Fortune 50 consulting engagement to do this, we had no idea there was even the space or anybody else doing anything like this, which is why we went ahead and built it. We’re a cross between a red team and the traditional breach-and-attack simulation vendors, which is where the simulation part comes in.

And then all of a sudden, Gartner and Forrester come out saying, this is the breach-and-attack simulation space, and we’re thinking Well, who are these other folks?

And as we went through the marketing language repeatedly over time to figure out what exactly they did, what we realized is they were technical solutions to technical problems. You mentioned the checklist approach—that’s what they do: they look at the complexity of an attack and think, we can boil it down into this checklist, and think that with this checklist you’re going to be able to measure technical controls, and since it’s repeatable you’ll be able to identify configuration drift.

Well, that’s not security. Security is understanding the largest risk surface area that’s a part of every enterprise, which is the employees, your own staff—how did they actually respond? It’s not just looking at the tool side: what was stopped or what did we see, because it’s more complex than that. Attacks are more complex than a simple checklist.

One of the easiest things I always like to point out: my ability to do something on a computer changes based on where I am or what privileges I have. That’s a state basis of an attack and those are the kinds of things an attacker is doing as part of their attack chain, and affects what they might do, what happens next, and how it would happen.

So that’s simulation versus emulation: actually doing the thing to see what would happen, versus a simple view of it.

Your session abstract for your presentation at our West Forum declares “the solution is not more technology.” I’m curious to what degree your military background informs that emphasis on people and process: you're a West Point graduate and a former U.S. Army Captain. I might venture to say, it seems clear even from a civilian perspective, that although there’s countless cutting-edge technologies developed for and by the military, the mentality is people-first, and almost the opposite of a product-first, bigger, better, faster product type of solution—that in the military, personnel training is absolutely foundational to everything else.

Bryson Bort:  Yes. The talk I’m giving is specific to a purple team, which is the collaborative approach of bringing people and process into those assessments. So, Red and Blue work together for immediate goals and improvement, and then there’s all these additional benefits that come out of that process.

The reason I went into the Army was that focus on people. In the Navy, it’s ships; in the Air Force, it’s planes; in the Army, it’s people. Without a person holding something, nothing happens—it’s why we call it boots on the ground.

So throughout my life and career I’ve always had that people focus, which is what I bring to the cybersecurity realm. I understand the technical side, and I can dial it in and speak to it easily, but I think that understanding, tying into the people element and the people aspect, is one of my personal differentiators. Being in the Army was a reflection of who I am.

Tying it back on the assessment side, one of the things we talked about in the military: the more you sweat in peace, the less you bleed in war.

And while that’s a stark aphorism, what it really means for us is the more you prepare your defenses correctly, with realistic training, the better you’re going to be when something does happen, because the reality is everybody is hackable. You’re going to get breached. it’s just a question of how quickly you can minimize the impact.

"The more you prepare with realistic training, the better you're going to be when something happens. (E)verybody is hackable...it's a question of how quickly you can minimize the impact."

Right, when the technology fails—how good are your people, and how well-rehearsed is your process. I've watched your interview from the RSA conference discussing the Florida water plant breach. I’m currently in Kansas, where they recently sentenced a young man who in 2019 shut down the entire rural water district in Ellsworth, Kansas. He was a former employee who had not worked there for almost three months but was able to access and shut down the system from a cell phone using a shared password, and states he was intoxicated at the time. Clearly a failure of people, processes, and tech. We've been speaking about security as far as risks to companies and consumers, and a breach of public utilities are another matter altogether. You've actually started a nonprofit focused on industrial control system security.

Bryson Bort: Yes, I co-founded a nonprofit 501(c)(3), the ICS Village. We go around the country, and sometimes the world, with critical infrastructure exhibits to teach industrial control system security. The starting point for everyone is education.

Going back to the people aspect, I made a comment to the Washington Post recently, about how in a time where the phone and my ability to download apps is the limit of the average citizen’s knowledge, a knowledgeable citizenry is an armed citizenry in this case.

And in this case you mention, it’s not that I expect the government to go in and defend water utilities, but it’s all about priorities, and the state budgets, and at the community level, which is where most of this stuff happens. And if our citizens are more aware of these problems, they’re going to be more likely to have governments at the local level fund and do these things.

One of the things I’m doing is raising awareness at the national level so there’s more federal resources deployed appropriately down to those communities. But these are neighborhood problems; the water utility is not something the federal government is part of at all. That’s a local problem, and so far, the cavalry ain’t coming.

To that point, I’d love to get your response to something Ken McGee, Research Fellow at Info-Tech, said when I interviewed him about the digital economy. I’ll give you the full quote: “It is time to call out the cybersecurity world as a profound, abject and complete failure and to arrive at a better solution than having individual companies, individual agencies, and individuals use their limited resources to combat what is very obviously state-sponsored cyberterrorism...Let's not ask companies to be the sole source of funding for security, let's take a look at what it is: it is war.”

Bryson Bort: He sounds like me—I’ve given that talk. The answer is yes. First of all, the industry is an abject failure on the tech side because there is no formal definition of security and there is no approach to that answer. The entire attack path—going back to that emulation versus simulation—is infinite, because it’s not just technical. There are all sorts of physical parts to this, and social parts of this, and people parts. It’s not as if we’ll just come up with a better mousetrap; no, the system is inherently flawed that way.

Now, to Ken’s comment, I just gave a talk at the Department of Defense last week, and I’ll quote Dmitri Alperovitch on this: we don’t have a cyber problem, we have a Russian, Iranian, Chinese, and North Korean problem.

What’s happening is happening because, geopolitically speaking, it’s the best move on the chessboard, and the US government made a strategic decision years ago that private industry was on its own. It has only recently, in about the last three years, started to change on that, but this is a generational gap we’re trying to overcome now.

"The entire attack path—going back to that emulation versus simulation—is infinite, because it's not just technical. There are all sorts of physical parts to this, and social parts of this, and people parts."

The point you made a moment ago, that the federal government is not going to come rescue rural water districts, is well-taken. But on the other extreme, and I’m being a bit facetious here, it's almost as if this won't be solved by teaching people not to click malicious links.

Bryson Bort: Oh yeah, that doesn’t do a damn thing. It’s one of those things everybody thinks is intuitive—if we just train the users—nope, that’s not going to do it. I’m an anti-hygiene person; there’s no point, build a better system and stop depending on your users to be better at it.

Going back to the water plant example and Kenneth’s quote from earlier… The thing I’ve been advocating for the last three years has been that each water plant (so to speak) is solving the same problem, so why are we depending on them to solve the same problems?

For one, that’s inefficient, and two, with the talent they have available it’s going to be a mixed bag. So that’s an example where the federal government shouldn’t come in and regulate you, they should come in and say Here’s a shared catalog of things we’ve already figured out for the 115,000 of you that there are, which is how many different water plants there are in the United States. They should say, come pick of our bounty that we’ve centrally curated.

What's top-of-mind for you as far as something that either you wish got more play and more attention, or gets plenty of buzz but you feel the conversation needs to be different, to be deeper, or take a different approach. If you could get everybody to focus in on something, what would it be?

Bryson Bort: I’ll give you an apocryphal one… Because of asymmetric cyber capabilities, I think the United States in the next 10 to 15 years is going to be humbled on the world stage in such a way that we are no longer seen as the superpower. I think it’s going to be the Chinese that do it, and I think how they do it is they’re going to take Taiwan, and how they take Taiwan will be by causing just enough disruption to fix US forces in a response in place.


The loss of Taiwan in that manner is going to be a smack across the face heard around the world, and American hegemony will be on a permanent slide.


And I think cyber is going to be how it happens, because nobody wants to fight an M1 Abrams on the battlefield, but it’s fine when it stays in the US.

Is that dark enough?

"Cyber is going to be how it happens because nobody wants to fight an M1 on the battlefield, but it's fine when it stays in the U.S."

I'm so glad my last question is about unicorns: What's with the unicorns?

Bryson Bort: (laughs) At the consultancy that I founded, GRIMM, we would do an annual t-shirt contest for DEF CON, and I came up with the idea of the Grim riding a unicorn. I thought the juxtaposition was really funny, and our brand style is more like Disney villain: it’s not too dark, it’s not too fluffy.

It’s a nice mix that matched the juxtaposition and the design just blew up—everybody wanted it. Shortly after that, when we spun out SCYTHE, we needed something and didn’t want brand confusion with the GRIMM, and people seemed to be really into this unicorn thing, and the design was born.

Now, we have unicorn hoodies in the five colors representing black and white hats, and red, blue, and purple teams. I’ll bring the blue one with me out to Arizona to wear when I lead the Choose Your Own Adventure incident response interactive.

Excellent—we’re looking forward to having you out at West, and certainly these sessions. Appreciate your time, Bryson.

Bryson Bort: Certainly; thank you.