When I talk to companies offering connected devices, I often ask them how they design their products with security in mind. I usually get a lot of information about encryption, secure elements on the chips, and bug bounty programs. Some of the companies I talk to actively hire researchers to do penetration testing on the device — and the organization — once a year or ahead of their product launches to make sure security efforts work.
Enterprise IT organizations now have another tool to add to their repertoire: Scythe. The Arlington, Va.-based company provides software and services that emulate real-world attacks and teach organizations how to respond. Its approach goes beyond penetration testing, which is like checking whether someone can get in the door, to showing how a bad actor would behave once they’ve gotten in.
The idea isn’t totally new, but it’s uncommon. I saw a company offering emulations of an attack back in 2016 at a tech conference, though I cannot recall its name. But I liked the concept back then and I still like it today. And investors are apparently on board because they just gave Scythe $10 million in first-round funding.
Scythe offers software that companies run themselves on their own hardware. The software emulates the attacks most likely to strike that particular customer. For example, a hospital that is a likely ransomware target could use the software to seed a cache of decoy data, watch the emulated malware spread from device to device, and then send emails out to the affected workstations. From there, the hospital could observe both how the ransomware propagates and how its security team and other employees handle it. Ideally, this isn’t a punitive exercise but an educational one that leads to better training.
Ransomware is top of mind for many organizations, but Scythe’s approach is also useful for battling malware that invades enterprise software and then makes the leap to control systems or other connected devices that can affect the physical world. Bryson Bort, the CEO of Scythe and a well-known expert in the security industry, noted to me that attackers can compromise enterprise computers or a human-machine interface that connects to factory equipment, such as programmable logic controllers, and then take control of those systems. He cited the attack on a Florida water plant that started with access to remote access software and ended with access to a machine that controlled how much lye was added to the water.
Because it’s designed for enterprise computers, the Scythe software runs on Linux, Windows, and macOS. It won’t run on embedded hardware or real-time operating systems, so this isn’t going to emulate malware on your SCADA system, for example. Bort said the ability to run on embedded devices is a future possibility, although everyone who reads this newsletter knows embedded systems are so diverse and fragmented that it’s a pain to build for them.
In addition to software, Scythe also provides customers with consulting services: it will help them deploy an emulation, monitor how the customer’s employees handle the emulated malware, and help the customer develop response strategies for specific types of malware. (More sophisticated clients tend to have teams that can do that on their own.) Scythe is also constantly adding new types of attacks and emulations to its software, because security threats are not static. I like the emphasis on continuous education and adaptation; that’s exactly the right approach to take with a threat landscape that keeps evolving.
Bort told me the recent funding will go to staffing up a sales team, but also to R&D, which will enable the company to rationalize its codebase so it runs faster without consuming as many resources. The goal is to build a modular set of attack emulations that companies can piece together to train their employees and tweak their computing environments so as to prevent or limit damage from attacks. It’s a compelling vision.