How Cybereason is reversing the adversary advantage

Malop provides the context to fend off ransomware attacks


Sponsored

Here's something you might not know about Lior Div, one of the most accomplished people in protecting the world's computing infrastructure from attack: he struggles to read a page of text. Yet that's one of his biggest strengths.

Div, the CEO and co-founder of Cybereason, is dyslexic. What he lacks in reading skills, he makes up for in his ability to chew through mountains of numerical and log information. "I may not be able to read that well, but I can digest massive amounts of data," he says. That's the kind of skill you need when you're busy defending clients from nation-state-level attacks.

He's typical of the seasoned security pros working at his Boston-based company. His workforce is different from many others. While some big tech companies seem to struggle with diversity, Div embraces it. Women comprise 30 percent of his workforce, and the numbers are growing.

"In fact, on the spectrum between men and women we have probably every gender identity that exists," he says. "We're super proud of it and we celebrate it because we believe it creates a diversity of thought."

That's important for a company tackling the kinds of problems that Cybereason was designed to overcome. It works with organizations that face constant online attacks from governments and criminals alike. It took the lead in finding a way to stop the infamous NotPetya ransomware, and it developed technology that, if the government had used it, would have stopped the SolarWinds attacks in their tracks.

Think different

Div, like many of his employees, began his career as an intelligence community insider working out how to infiltrate networks rather than defend them. His intelligence background began with a stint as an officer in Israel's Unit 8200, the Israel Defense Forces' equivalent of the NSA, where he was awarded the Medal of Honor for his work.

"I was focused in the field of offensive operations," he says. "I came from a deep background of understanding how to use software as a weapon to achieve military and government objectives." When given a target, he'd have to figure out a way to infiltrate it, no matter how secure it was. "You'd figure out a way to do it by thinking laterally," he continues. "You wouldn't just think outside the box – you'd get rid of the box altogether."

That's why the Cybereason offices, like those of the intelligence services he worked at, are so diverse. You need a range of perspectives and talents to outclass a smart, advanced set of adversaries. "After you remove all the hoodies and stickers, all these men and women are different," he says.

When cyber-espionage went mainstream

For years, organizations had been able to conduct espionage with fewer physical agents on the ground, he says, relying instead on cyber operations. This was well-understood in intelligence circles, but when Stuxnet was uncovered in 2010 it changed everything by bringing it out into the open.

The Stuxnet malware, tailored to attack the centrifuge plant at Iran's Natanz nuclear facility, was the first documented case of a large-scale, sophisticated cyber operation producing real kinetic outcomes, bridging the cyber and physical worlds. That sparked an immediate change in perception as people realised that offensive cyber operations could have a tangible outcome in the physical world. From there, it wouldn't be long before people realised that these kinds of complex attacks were not just the purview of governments: criminal groups could wreak similar havoc.

That realisation started a conversation with his two co-founders, chief visionary officer Yossi Naar and Yonatan Striem-Amit, who serves as CTO. They knew that they had a 100 percent success rate in infiltration operations; give them a target, and they would eventually crack it. "But we also knew that China and Russia had the same capability back then. So we asked ourselves how an organization can protect itself against this type of force. And we realised that it's almost impossible."

Jumping the fence

Once an adversary is in your network, it's not always easy to detect them, especially with complex, tailored attacks. These include fileless malware and living-off-the-land techniques, where attackers use everyday administrative tools already present on the target's systems to advance their attack, so that each individual step looks much like routine administration. These days, PowerShell is an intruder's best friend.

However, just because an attacker can get in doesn't mean that they can complete their operation, Div points out. A successful infiltration doesn't mean game over. You can still mitigate the attack if you can spot the attack sequence early enough. So, what if he and his team could develop a technology that detected a malicious operation earlier by spotting the most subtle chains of behavior?

"What would enable us to reverse the adversary's advantage by taking any network and turning it into a kill zone for hackers?" Div pondered. "They might be able to get in, but we could quickly spot the adversary, see everything that they're doing, and then expel them."

In January 2012, Cybereason was born. The team didn't immediately begin selling products. It took its time, developing an AI-based system that used a graph-based data model to analyze massive amounts of infrastructure event data and process it in the cloud. It took three years to engineer a system that could handle multiple terabytes of data a day, Div explains.

Malop: the unique sales prop

Rather than alerting on individual events that lack actionable correlation and context, the technology uses a concept called a 'Malop' – short for malicious operation – which treats all the activity of an intrusion as a single operation, surfacing each attacker action even when, taken on its own, that action resembles the benign activity one would expect to see on a network.

"Nobody else in the industry has the concept of a Malop at the core of their detection capabilities," Div says. "Everybody can tell you that there's malware on a machine or anomalous behavior on the network, but the lack of correlated context leaves the hard work of identifying the entire sequence to inefficient manual processes that can take weeks or more to uncover an attack. But organizations do not have weeks to spare, by then the damage has been done."

Cybereason spent three years developing technology that tells you the story of the attack from its root cause across every affected identity, device and platform, whether on-premises or in the cloud, he explains, putting it in context and giving SOC analysts guided remediation so they can stop the attack earlier with a single click.

"Other companies won't correlate different events for you across devices and users," he adds. "Instead, they deliver hundreds of alerts for the analyst to triage and prioritize. We will give you one Malop that shows the same adversary in 500 of your machines, and the ability to stop the attack instantly on every one of those devices."
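To make the correlation idea concrete, here is a small added illustration in Python. It is not Cybereason's code and says nothing about how its graph model is actually implemented; it only shows the general idea of linking individually benign-looking endpoint events into one operation spanning several hosts. A handful of constructed events from two hosts (the hostnames, event IDs, command lines and destination are all made up) are joined into connected components by process ancestry and by a shared network destination, and each component is scored on chained behaviours: an Office application spawning PowerShell, hidden/encoded PowerShell flags, and PowerShell making an outbound connection. The legitimate `Get-Service` run on hostA stays out of the result, while the `svchost.exe` to PowerShell chain on hostB, which looks ordinary on its own, is pulled into the same operation because it beacons to the same destination.

```python
"""Toy correlation of endpoint events into one operation (illustration only)."""
from collections import defaultdict

# Constructed sample telemetry: (host, event_id, parent_event_id, kind, detail).
# None of these hosts, IDs or domains are real.
EVENTS = [
    # hostA: Word spawns hidden, encoded PowerShell, which beacons out
    ("hostA", 1, None, "process", "WINWORD.EXE"),
    ("hostA", 2, 1, "process", "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ("hostA", 3, 2, "network", "updates.example-cdn.test:443"),
    # hostA: unrelated, legitimate admin use of PowerShell
    ("hostA", 4, None, "process", "explorer.exe"),
    ("hostA", 5, 4, "process", "powershell.exe Get-Service"),
    # hostB: same beacon destination, launched from a service host
    ("hostB", 6, None, "process", "svchost.exe"),
    ("hostB", 7, 6, "process", "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ("hostB", 8, 7, "network", "updates.example-cdn.test:443"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SUSPICIOUS_PS_FLAGS = ("-enc", "-w hidden", "-nop")


class Event:
    __slots__ = ("host", "eid", "parent", "kind", "detail")

    def __init__(self, host, eid, parent, kind, detail):
        self.host, self.eid, self.parent, self.kind, self.detail = host, eid, parent, kind, detail


def image_name(detail):
    """First token of a command line, lower-cased: the executable image."""
    return detail.split()[0].lower()


def components(events):
    """Union-find over events: link child->parent, and link events sharing a destination."""
    parent = {eid: eid for eid in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for ev in events.values():                      # process-tree edges
        if ev.parent is not None and ev.parent in events:
            union(ev.eid, ev.parent)
    by_dest = defaultdict(list)                     # shared-indicator edges (any host)
    for ev in events.values():
        if ev.kind == "network":
            by_dest[ev.detail].append(ev.eid)
    for ids in by_dest.values():
        for other in ids[1:]:
            union(ids[0], other)
    groups = defaultdict(set)
    for eid in events:
        groups[find(eid)].add(eid)
    return list(groups.values())


def score(events, comp):
    """Reasons a component looks like an attack chain rather than admin noise."""
    reasons = []
    for eid in sorted(comp):
        ev = events[eid]
        par = events.get(ev.parent)
        if ev.kind == "process" and image_name(ev.detail) == "powershell.exe":
            if par and image_name(par.detail) in OFFICE_APPS:
                reasons.append(f"{ev.host}: {image_name(par.detail)} spawned powershell")
            flags = [f for f in SUSPICIOUS_PS_FLAGS if f in ev.detail.lower()]
            if flags:
                reasons.append(f"{ev.host}: powershell with {', '.join(flags)}")
        elif ev.kind == "network" and par and image_name(par.detail) == "powershell.exe":
            reasons.append(f"{ev.host}: powershell connected to {ev.detail}")
    return reasons


def find_operations(rows, min_reasons=2):
    """Return components with at least min_reasons suspicious links, as operations."""
    events = {r[1]: Event(*r) for r in rows}
    ops = []
    for comp in components(events):
        reasons = score(events, comp)
        if len(reasons) >= min_reasons:
            ops.append({"hosts": sorted({events[e].host for e in comp}),
                        "events": sorted(comp), "reasons": reasons})
    return ops


if __name__ == "__main__":
    for op in find_operations(EVENTS):
        print("operation on", op["hosts"], "events", op["events"])
        for r in op["reasons"]:
            print("  -", r)
```

The threshold matters: a single hidden-window PowerShell launch is a weak signal on its own, which is why the component is scored as a whole rather than each event in isolation. Real telemetry would add many more edge types (file writes, logons, injected threads) and a much richer graph, but the shape of the problem is the same.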

Ransomware crooks beware

This software isn't just for governments fending off sophisticated state-sponsored attacks, Div says. It's for the kinds of ransomware attacks that lock up operations daily at large and small businesses alike. That's truer now than ever, as ransomware evolves.

Today's ransomware groups are expanding in number thanks to ransomware-as-a-service (RaaS) operations that franchise malware like Ryuk to affiliates for a modest subscription fee or a cut of the proceeds. Those franchisees are becoming more sophisticated, moving increasingly to double extortion attacks in which data isn't just encrypted; it's stolen first. The crooks then blackmail the victims, threatening publication if the ransom demand is not satisfied. This tactic blunts traditional anti-ransomware business continuity strategies such as off-site backups: a restore brings the systems back, but does nothing about the copy of the data the attackers now hold.

Cybereason has spent a lot of time tackling the ransomware threat, and Div's intelligence background has helped him identify some subterfuge along the way. The company led the world in finding a vaccine for the NotPetya ransomware that ravaged organizations globally in 2017. It was also instrumental in finding links between the malware and Russia, whose GRU officers developed it for political motives.

Cybereason continues to refine its technology and its operations, but Div always comes back to the value of its people. While his tech team hones the Cybereason AI capabilities, he instils a culture of diversity and original thought at the company based on five key values. He calls the first "UBU".

A culture of cooperation

"I judge based on merit alone," he explains. Color and creed matter not one jot. It's how well you engage and deliver results that counts. That fuels the second value: "daring to dare." You have to be able to take risks when you're thinking laterally, which also means avoiding the kind of blame culture that can stifle innovation. He also encourages tenacity and persistence, a quality he learned over years of trying to crack seemingly impossible defenses on the other side of the fence.

The fourth value, "ever-evolving", encourages employees at Cybereason to evolve quickly to keep up with a dynamic, innovative adversary. Div knows from first-hand experience that attackers never stop evolving, which means that his team can't either.

Finally, he advocates that his employees "win as one". Everything has to be a team effort, because it takes a team to defeat adversaries who increasingly draw on a dark supply chain involving potentially dozens of groups for their attack tools and techniques.

"This is one industry where you just can't do it alone," he concludes. As diverse as Cybereason's team might be, they still all understand the importance of pulling together.

Sponsored by Cybereason


Biting the hand that feeds IT © 1998–2021