In early May, Cybereason CEO Lior Div made his first trip to Israel since before the pandemic to visit the company's 300 employees there. It is a trip he used to take every few months from Boston, where his company is headquartered.
The visit turned out to be far more eventful than expected. A few days into Div's stay, news broke that the operator of the largest US pipeline had been paralyzed by a cyberattack that shut down a 5,500-mile fuel network.
Every major corporate hack piques Div's interest, because keeping the bad guys out is his start-up's business. The attack on Colonial Pipeline was of particular concern because the group responsible, an outfit called DarkSide, had attempted to infiltrate a Cybereason customer nine months earlier.
In tracking down DarkSide's roots, Cybereason researchers were so struck by what they learned that the company published a blog post presenting some of its findings in early April. It described DarkSide as a team of extortionists who steal private information and threaten to make it public unless the victim pays a large sum, usually between $200,000 and $2 million.
These are known as ransomware attacks, and Cybereason had learned that DarkSide was not only a major perpetrator of such cybercrime but also sold an offering known as ransomware as a service, which let other groups use its custom-built tools to wreak similar havoc for money.
When the FBI determined that DarkSide was behind the Colonial Pipeline breach, Div took it upon himself to provide information about the group, how it operated, and what companies could do to protect themselves. He went to the press and spoke with CNBC, CNN, Reuters, Bloomberg and other outlets.
During one of these interviews, emergency sirens sounded in Tel Aviv, a signal for everyone in the area to find the nearest bomb shelter. Cybereason's office has four on each floor.
The sirens marked the start of eleven days of bloody fighting between Israel and Hamas-backed Palestinian militants. Rockets rained down on residents in and around Tel Aviv while Israeli forces launched air strikes on the Gaza Strip.
“I continued the interview but went to the bomb shelter,” said Div, who previously served as a commander in Unit 8200 of the Israel Defense Forces, which deals with military cybersecurity. “For someone who grew up in Israel, it's sort of a switch to automatic response.”
Israel and Hamas reached a temporary ceasefire last week. The death toll from air strikes in Gaza exceeded 240, while at least 12 people were killed in Israel.
Div founded Cybereason in Israel in 2012 before moving the company to Boston two years later. It is now one of the fastest-growing players in the burgeoning endpoint protection market, guarding large corporate and government networks and their many devices against the advanced hacking tools and techniques spreading around the world.
Cybereason posted annual recurring revenue of around $120 million at the end of last year, doubling from the year before, Div said. While Div and his management team are in Boston, Cybereason's 800 employees are spread across Israel, Japan, Europe and the United States. In 2019 the company raised $200 million from SoftBank at a valuation of approximately $1 billion.
Cybereason faces a wide range of competitors, from technology conglomerates Microsoft, Cisco and VMware to cybersecurity vendors CrowdStrike and SentinelOne (No. 4 on this year's Disruptor 50 list).
According to Div, Cybereason's secret sauce, and what enabled it to detect and stop DarkSide before a successful attack, is a network of sensors around the world that automatically flags anything suspicious or unknown that hits a network. If a line of unrecognized code lands on a Cybereason-protected server, the incident is flagged and the company's technology and analysts are ready to go.
“We hunt proactively,” said Div. “We don’t just wait for our software to block things. We search information that we are constantly collecting to look for new clues.”
In August, when the software flagged DarkSide, the company reverse-engineered the code and followed the group's virtual footsteps. It emerged that the relatively young organization apparently “sought targets in English-speaking countries and seems to avoid targets in countries affiliated with former Soviet bloc states,” the company wrote in its April blog post.
According to Div, Cybereason has found ten attempts by DarkSide to attack its customer base, eight in the US and two in Europe.
Without technology to protect against DarkSide, Colonial Pipeline was forced to pay a $4.4 million ransom. According to the research firm Cybersecurity Ventures, ransomware damage will hit $20 billion this year, more than double the 2018 figure and 57 times that of 2015.
More important than the money, the pipeline incident exposed a serious vulnerability in the country’s critical infrastructure, which is increasingly connected to the Internet and protected by a loose patchwork of different technologies.
The attack was costly and frightening, but Div said its size and scale were nothing compared to the SolarWinds intrusion the US saw last year, which hit an estimated nine government agencies and 100 private companies.
Up to 18,000 SolarWinds Orion customers downloaded a software update that included a backdoor giving the hackers access to their networks. The hack came to light in December when cybersecurity vendor FireEye disclosed that it believed a government-sponsored actor had broken into its network to obtain information on its government customers.
US authorities pinned the hack on Russia.
“The DarkSide sophistication wasn’t nearly what SolarWinds did,” said Div. “It’s the difference between a nation-state and a non-nation-state.”
According to Div, the SolarWinds attackers scanned networks to see whether Cybereason software was installed. If they saw it was there, they bypassed that network and moved on to another.
“This is how the malicious code worked,” said Div. “It was self-terminating when it was discovered.”
SentinelOne said its customers were also spared, based on the indicators of compromise (IOCs) from the SolarWinds hack.
“In the SolarWinds attack known as ‘SUNBURST’, research by SentinelLabs confirmed that devices with SentinelOne agents were specifically exempted from the malicious payload used in the reported IOCs,” the company wrote in a December 13 post.
Whether it is ransomware, common hacks like phishing and malware, or complex espionage operations like SolarWinds, the frequency of attacks today forces companies to secure their networks with the latest threat-detection technology.
Large customers typically pay hundreds of thousands of dollars a year for Cybereason, which Div says is quite cheap given what happened with Colonial Pipeline.
“To see someone pay $ 5 million for a relatively small deal that we could have helped them with is crazy in my opinion,” he said.