Cybereason CEO was in a bomb shelter in Israel to tell the world about DarkSide
In early May, Cybereason CEO Lior Div made his first trip to Israel since before the pandemic to visit its 300 employees based there. It’s a trip he used to take every few months from Boston, where his company is headquartered.
The visit was much more eventful than he had expected. Days after Div’s stay began, news broke that the operator of America’s largest pipeline had been crippled by a cyberattack that destroyed a 5,500-mile fuel line.
Any big business hack piques Div’s interest because his startup’s business is keeping bad guys out. Of particular concern was the attack on the Colonial Pipeline, as the group responsible, a team called DarkSide, had attempted to infiltrate one of Cybereason’s clients nine months earlier.
“They were quite sophisticated, active and looked very professional,” Div said in an interview. Cybereason placed 23rd on this year’s CNBC Disruptor 50 list.
Tracing DarkSide’s roots, Cybereason researchers were so shocked at what they learned that the company published a blog post in early April outlining some of its findings. Div describes DarkSide as a team of extortionists who steal private data and threaten to make it public unless the victim pays a large sum of money, typically between $200,000 and $2 million.
These are called ransomware attacks, and Cybereason had learned that DarkSide was not only a major perpetrator of these cybercrimes, but also sold a product described as Ransomware as a Service that allowed other groups to use its tools and similarly wreak havoc for money.
When the FBI determined that DarkSide was the source of the Colonial Pipeline breach, Div took it upon himself to publicize the group, how it works, and what companies should do to protect themselves. He went to the press, speaking with CNBC, CNN, Reuters, Bloomberg and other media.
During one of those talks, emergency alarms in Tel Aviv started sounding, a signal for everyone nearby to find the nearest bomb shelter. Cybereason’s office has four on each floor.
The alarms were ringing because Israel and the Hamas-backed Palestinian militants were at the start of a bloody 11-day battle. Residents of Tel Aviv and surrounding areas faced incoming rockets, while Israeli forces rained down airstrikes on the Gaza Strip.
“I continued the interview but went to the bomb shelter,” said Div, who previously served as a commander in Israel Defense Forces Unit 8200, which deals with military cybersecurity. “For someone who grew up in Israel, it’s kind of the switch to an automatic response.”
Israel and Hamas agreed to a temporary ceasefire last week. The death toll from the airstrikes in Gaza has reached 240, while at least 12 people have been killed in Israel.
Massive growth in cybercrime
Div started Cybereason in Israel in 2012, before moving the company to Boston two years later. It is now one of the fastest growing players in the burgeoning endpoint protection market, which involves securing large corporate and government networks and their many devices against the advanced hacking tools and techniques that proliferate across the world.
Cybereason hit around $120 million in annual recurring revenue at the end of last year, roughly doubling in size from the year before, Div said. While Div and his management team are in Boston, Cybereason’s 800 employees are spread across Israel, Japan, Europe and the U.S. In 2019, the company raised $200 million from SoftBank at a valuation of about $1 billion.
Cybereason faces a wide range of competitors, ranging from tech conglomerates Microsoft, Cisco and VMware to cybersecurity vendors CrowdStrike and SentinelOne (ranked #4 on this year’s Disruptor 50 list).
Div says Cybereason’s special sauce, and what allowed it to recognize and stop DarkSide before a successful attack, is a network of sensors around the world that automatically identify anything suspicious or unknown that hits a network. If an unrecognized line of code lands on a Cybereason-protected server, the incident is reported and the company’s technology and analysts get to work.
“We hunt proactively,” Div said. “We don’t just wait for our software to block things. We sift through the information we collect at all times to look for new clues.”
In August, when its software detected DarkSide, the company reverse engineered the code and followed the group’s virtual footsteps. It found that the relatively young organization apparently sought “targets in English-speaking countries, and appeared to avoid targets in countries associated with former Soviet bloc countries,” the company wrote in the April blog post.
Div said Cybereason found 10 attempts by DarkSide to attack its customer base: eight in the United States and two in Europe.
Increased cost of hacking
With no technology to protect against DarkSide, Colonial Pipeline was forced to pay a ransom of $4.4 million. According to research firm Cybersecurity Ventures, ransomware damage will reach $20 billion this year, up more than 100% from 2018 and 57 times higher than in 2015.
More important than money, the pipeline incident exposed a serious vulnerability in the country’s critical infrastructure, which is increasingly connected to the internet and protected by a loose patchwork of disparate technologies.
The shutdown also caused an interruption of nearly half of the fuel supply to the country’s east coast. Gasoline prices hit a seven-year high as consumers panicked during the outage and waited hours in line to refuel.
The attack was costly and frightening, but Div said the size and scale was nothing compared to what the United States saw last year during the SolarWinds intrusion, which hit around nine government agencies and 100 private companies.
As many as 18,000 SolarWinds Orion customers downloaded a software update containing a backdoor, which hackers used to gain access to networks. The hack was discovered in December, when cybersecurity software provider FireEye revealed that it believed a state-sponsored actor was breaking into its network primarily to gain information about government clients.
US authorities pinned the hack on Russia.
“The DarkSide sophistication was not at all close to what SolarWinds did,” Div said. “This is the difference between a nation state and a non-nation state.”
Div said the SolarWinds attackers scanned networks to determine if Cybereason software was installed. If they saw that it was present, they bypassed it and moved on to another network.
“This is how the malicious code worked,” Div said. “It would automatically end if it would be detected.”
SentinelOne said its customers were also spared, based on the so-called Indicators of Compromise (IOCs) in the SolarWinds hack.
“In the SolarWinds attack, dubbed ‘SUNBURST’, SentinelLabs research confirmed that devices with SentinelOne agents deployed are specifically exempt from the malicious payload used in reported IOCs,” the company wrote in a Dec. 13 post.
Whether it’s ransomware, common hacks like phishing and malware, or complex spy efforts like SolarWinds, Div said the frequency of attacks today is forcing companies to secure their networks with the most modern threat detection technology.
For Cybereason, large customers typically pay hundreds of thousands of dollars a year, which Div says is pretty cheap given what just happened to Colonial Pipeline.
“To see someone paid $5 million on a relatively small transaction that we could have helped is crazy from my point of view,” he said.