In early May, Cybereason CEO Lior Div took his first trip back to Israel since before the pandemic to visit his 300 employees based there. It's a trip he used to make every few months from Boston, where his company is headquartered.
The visit was far more eventful than he'd expected. A few days into Div's stay came the news that the operator of the largest U.S. pipeline had been paralyzed by a cyberattack that knocked out a 5,500-mile fuel network.
Any big corporate hack catches Div's interest because his start-up's business is to keep out the bad guys. The Colonial Pipeline attack was of particular concern because the group responsible, an outfit called DarkSide, had tried to infiltrate one of Cybereason's clients nine months earlier.
“They were pretty sophisticated, active and looked very professional,” Div said in an interview. Cybereason ranked No. 23 on this year's CNBC Disruptor 50 List.
In tracing DarkSide's roots, Cybereason researchers were so jarred by what they'd learned that the company published a blog post at the beginning of April laying out some of its findings. It described DarkSide as a group of extortionists who steal private data and threaten to make it public unless the victim pays a large sum of money — typically between $200,000 and $2 million.
They're called ransomware attacks, and Cybereason had learned that DarkSide was not only a big perpetrator of such cybercrimes, but was also selling a product described as Ransomware as a Service that allowed other groups to use its homegrown tools and similarly wreak havoc for money.
When the FBI determined that DarkSide was behind the Colonial Pipeline breach, Div took it upon himself to get word out about the group, how it operates and what companies should be doing to protect themselves. He went to the press, speaking with CNBC, CNN, Reuters, Bloomberg and other outlets.
During one of those interviews, the emergency alarms in Tel Aviv started blaring, a signal for everyone in the vicinity to find the nearest bomb shelter. Cybereason's office has four on every floor.
The alarms were sounding because Israel and Hamas-backed Palestinian militants were at the beginning of a bloody 11-day conflict. Residents in and around Tel Aviv were facing inbound rockets, while Israeli forces were raining airstrikes on the Gaza Strip.
“I continued the interview but went to the bomb shelter,” said Div, who previously served as a commander in the Israel Defense Forces' 8200 unit that deals with military cybersecurity. “For somebody who grew up in Israel, it's kind of switching to automatic response.”
Israel and Hamas agreed to a temporary cease-fire last week. The death toll from airstrikes in Gaza topped 240, while at least 12 people were killed in Israel.
Big growth in cybercrime
Div started Cybereason in Israel in 2012, before moving the company to Boston two years later. It's now one of the fastest-growing players in the burgeoning market of endpoint security, which involves securing large corporate and government networks and their many devices from the advanced hacking tools and techniques that are proliferating across the globe.
Cybereason hit about $120 million in annual recurring revenue at the end of last year, roughly doubling in size from the prior year, Div said. While Div and his management team are in Boston, Cybereason's 800 employees are spread across Israel, Japan, Europe and the U.S. In 2019, the company raised $200 million from SoftBank at a valuation of around $1 billion.
Cybereason faces a wide swath of competitors, ranging from tech conglomerates Microsoft, Cisco and VMware to cybersecurity vendors CrowdStrike and SentinelOne (ranked No. 4 on this year’s Disruptor 50 list).
Div says Cybereason’s special sauce, and what allowed it to recognize and stop DarkSide before a successful attack, is a web of sensors across the world that automatically identify anything suspicious or unfamiliar that hits a network. If a line of unrecognized code lands on a server that’s being protected by Cybereason, the incident is flagged and the company’s technology and analysts get to work.
“We’re proactively hunting,” Div said. “We’re not just waiting for our software to block things. We’re sifting through information that we’re collecting at all times to look for new clues.”
In August, when its software detected DarkSide, the company reverse engineered the code and followed the group’s virtual footsteps. It found that the relatively young organization was apparently seeking “targets in English-speaking countries, and appears to avoid targets in countries associated with former Soviet Bloc nations,” the company wrote in the April blog post.
Div said Cybereason found 10 attempts by DarkSide to attack its client base — eight in the U.S. and two in Europe.
Increasing cost of hacking
In the absence of technology to shield against DarkSide, Colonial Pipeline was forced into a ransom of $4.4 million. According to research firm Cybersecurity Ventures, ransomware damages will reach $20 billion this year, up more than 100% from 2018 and 57 times higher than in 2015.
More important than the money, the pipeline incident exposed a severe vulnerability in the country’s critical infrastructure, which is increasingly connected to the internet and protected by a loose patchwork of disparate technologies.
The shutdown also caused a disruption in nearly half of the nation’s East Coast fuel supply. Gas prices surged to a seven-year high as consumers panicked during the outage and waited hours in line to fill up.
The attack was costly and scary, but Div said the size and scale was nothing compared to what the U.S. saw last year in the SolarWinds intrusion, which hit an estimated nine government agencies and 100 private companies.
As many as 18,000 SolarWinds Orion customers downloaded a software update that contained a backdoor, which the hackers used to gain access to the networks. The hack came to light in December, when cybersecurity software vendor FireEye disclosed that it believed a state-sponsored actor penetrated its network primarily to get information on government customers.
U.S. authorities pinned the hack on Russia.
“The DarkSide sophistication was not anywhere near what SolarWinds did,” Div said. “It’s the difference between a nation-state and non-nation state.”
Div said that SolarWinds attackers scanned networks to determine if Cybereason’s software was installed. If they saw that it was present, they bypassed it and moved along to another network.
“This is how the malicious code worked,” Div said. “It was self-terminating if it was going to be detected.”
SentinelOne said its customers were also spared, based on the so-called Indicators of Compromise (IOCs) in the SolarWinds hack.
“In the SolarWinds attack, dubbed ‘SUNBURST,’ SentinelLabs research has confirmed that devices with SentinelOne agents deployed are specifically exempt from the malicious payload used in the reported IOCs,” the company wrote in a post on Dec. 13.
Whether it’s ransomware, common hacks such as phishing and malware, or complex spying efforts like with SolarWinds, Div said the frequency of today’s attacks is compelling companies to secure their networks with the most modern threat detection technology.
For Cybereason, big clients are typically paying in the hundreds of thousands of dollars per year, which Div says is quite cheap given what just happened to Colonial Pipeline.
“To see that somebody paid $5 million on a relatively tiny deal that we could’ve helped them, it’s crazy from my point of view,” he said.