🔑 Key Takeaways

  1. Disappointed with not becoming a combat pilot, Lior Div found his fascination with wireless technology led him to Unit 8200. Surrounded by creative individuals, he gained valuable insights and skills that later helped him co-found Cybereason and become a successful CEO.
  2. Rigorous training and hands-on experience can help individuals become experts in their fields - as shown by Lior's journey from Unit 8200 to his own hacking company, mastering everything from cellular networks to internet functions.
  3. Hacking is not just about infiltrating a system, but a detailed and complicated process that can have serious real-world consequences if successful. It's important to understand the full scope of potential risks and take appropriate security measures.
  4. Malop is a data analytics approach that uses real-time monitoring to identify malicious behavior and anticipate attackers' next move. Cybereason has successfully deployed this method to detect and prevent attacks, highlighting the importance of endpoint detection and protection.
  5. Identifying every step of an attack, from the code used to the specific individual responsible, can prevent massive-scale cyber attacks. Installing endpoint software on all computers is essential for detecting malicious activity and ensuring network security.
  6. Cybereason's multifaceted approach to cybersecurity, including threat detection and response, threat intelligence research, and global context analysis, helps expose and disrupt malicious activity groups, contributing to a safer world.
  7. When investigating threats, it's essential to consider the political climate and context as one piece of information may reveal the entire infrastructure of the threat actor.
  8. Hackers use various backdoors to evade sandboxes and use remote communication channels to send commands to malware. They hide in plain sight using Dropbox or Google Drive without detection, while both hackers and defenders have a mutual love for technology and exploiting systems.
  9. Connecting the dots and understanding the motivation behind the attack can help narrow down the list of possible suspects and effectively detect and respond to cyber threats. Curiosity and problem-solving skills drive top-performing cybersecurity professionals.
  10. Cybereason's technology helps identify indicators of potential cyber attacks by Molerats, but it is important not to trust anyone online, whether they appear to be a friend or an enemy.
  11. Cybereason's Defense Platform provides real-time monitoring and analysis of endpoint data to identify abnormal processes and connections, and correlates multiple pieces of evidence to identify suspicious activity and stop malicious operations, helping enterprises become more future-ready and more secure.

📝 Podcast Summary

From Unit 8200 to CEO: Lior Div's Journey in Cybersecurity

Lior Div, the CEO of Cybereason and a former member of Unit 8200 in Israel, reveals how he was initially disappointed when he was not assigned to the combat pilot unit and was instead assigned to Unit 8200, often described as Israel's equivalent of the NSA. He describes how his fascination with wireless technology led him to this unit, where he found himself surrounded by highly intelligent and creative people working on signals intelligence. This experience gave him valuable insights and skills that later helped him co-found Cybereason, a cybersecurity company that investigates and uncovers malicious activity, and become a successful CEO.

From Hacking Company to Impossible Missions

Lior's experience in Unit 8200 and his own hacking company provided him with the knowledge to take on impossible missions involving hacking, cracking, and reverse engineering. His team used deception to distract targets while they infiltrated their computers, making it easier for them to work undetected in a noisy environment. He gained hands-on experience during his six-year stint in Unit 8200, where he learned everything from how cellular networks work to how the internet functions. Lior's story highlights how rigorous training and hands-on experience can help individuals become experts in their fields.

The Intricate Process of Hacking and Its Impact on the Physical World

Hacking is not limited to just entering a system; it is a lengthy process that involves mapping the environment, locating and collecting data, exfiltrating it outside the organization, and staying in the system to keep collecting information. The Stuxnet attack was the first demonstration of the ability to leverage software and code to achieve military or government goals and to create a link between the cyber world and the physical world. This attack changed the world and sparked people's imagination: it made clear that we are no longer talking only about IT security. Attackers can be determined to go after a target and, with enough creativity and ingenuity, can bend physics to their benefit.

Traditional Indicators of Compromise are Outdated - Meet Malop

Traditional indicators of compromise are not enough to detect advanced attacks. The Malicious Operation approach, or Malop, invented by the founders of Cybereason, assumes that attackers have many steps to perform in order to carry out their operation. By collecting massive amounts of data, analyzing it in real time, and looking for malicious indicators of behavior, defenders can anticipate the attacker's next move and detect and prevent the attack. Cybereason is a big-data analytics company that analyzes massive amounts of data to find malicious operations in organizations, not just malware. Endpoint detection and protection is crucial to this method, and Cybereason successfully deployed 50,000 sensors on a large network to detect an attacker.

Installing Endpoint Software to Prevent Massive Cyber Attacks

Installing endpoint software on all computers is essential for preventing massive-scale cyber attacks. Companies often face the problem of not knowing what computers are on their network, which leaves them vulnerable to malicious activity. The ability to tell a story of what hackers are doing inside an environment is crucial to preventing attacks. This was proven when a group of Chinese hackers was identified on a cellular network with 50,000 endpoints. The hackers had the admin password for every system, but the company was able to replace it after being presented with evidence of the attack. Identifying every step of the attack, from the code used to the specific individual responsible, made it clear that the company had been compromised.

Cybereason's Approach to Combatting Cyber Threats

Cybereason's success lies not only in detecting malicious activity in a network but also in having a response team to fix those issues, in addition to a threat intelligence team that researches emerging threats. They strive to reverse the adversary's advantage by finding out how hackers hack and exposing their tactics and techniques to the world, making it a safer place. The Nocturnus team at Cybereason hunts through the collected data to find threats new to the security community, and investigates them by reverse-engineering the malware. Their linguistic capabilities, combined with technical knowledge, enable them to tie the threats to a global or geopolitical context. Cybereason aims to make the world a safer place by exposing shady activity groups and releasing major research that disrupts their ability to operate for a long time.

The Importance of Understanding Geopolitical Context in Threat Research

Understanding the geopolitical context is crucial in threat research. The Spark malware discovered by Cybereason in February 2020 was used in phishing e-mails that appeared to target political figures associated with the Fatah movement. The e-mails contained fake news about secret meetings and other sensitive information. The malware gave attackers full access to the endpoint computers, allowing them to steal information and run commands. In October/November 2020, Cybereason discovered new tools being used in phishing lure documents related to the Israeli peace process and internal Palestinian affairs. When doing threat research, one piece of information can lead to many others, and researchers must pull on strings to uncover all aspects of the threat actor's infrastructure.

The Tactics of Hackers and Their Complex Ways to Avoid Detection

Hackers use various backdoors for different targets to take full control over the victim's computer. SharpStage, once installed on a victim's machine, can control the machine, run arbitrary commands, fetch information, and use a Dropbox client for exfiltration. The backdoors themselves target Arabic-speaking users, a clever way to avoid most sandboxes and blend right in without detection. The most interesting one is DropBook, which uses fake Facebook accounts as a remote command-and-control (C2) channel to send commands to the malware. The attackers use Dropbox or Google Drive to hide in plain sight, because the traffic looks normal and blends right in without detection. Hackers and defenders have a certain respect for each other's work, as they share a love for technology and for learning ways to exploit systems.

Geopolitical Awareness and Cyber Threat Analysis

Geopolitical awareness is crucial to cyber threat analysis. Cybereason's team was able to connect the dots and enrich their tools to effectively detect and respond to the Molerats threat. Understanding the threat actors in a specific geopolitical space helped narrow down the list of possible suspects and identify the motivation behind the attack. The Molerats group is a well-defined, politically motivated activity group that mostly targets government entities, political activists, and diplomats in the Middle East and North Africa region. Being curious, solving problems, and uncovering new activity is what drives top-performing cybersecurity professionals to put in extra hours and work on exciting cases.

Molerats/Gaza Cyber Gang and their targets

The group known as Molerats or Gaza Cyber Gang has been involved in cyber attacks for the past nine years, targeting various countries including Palestine, Israel, the US, and the UK. While there are reports suggesting that the group may have some alliance with Hamas, there is no concrete evidence to support this claim. The group's targets include high-level Fatah officials, and stealing information from them may give the group leverage in certain negotiations. Cybereason's machine learning algorithms and behavior-based detection help identify indicators of the group's presence in a network, making the world more secure. However, it is important to note that 100% attribution is rare, and it is crucial not to trust anyone online, whether friend or enemy.

Cybereason Defense Platform - Next-gen Protection for Enterprise Endpoint Security and Prevention

Cybereason's Defense Platform offers comprehensive protection from the endpoint to everywhere in an enterprise environment. It collects data from every endpoint and analyzes it in real time to build a network of relationships that lets it identify abnormal processes and connections and mark them as evidence. The system correlates multiple pieces of evidence to identify suspicious activity; if there is a malicious operation, it stops it and provides a detailed story of what happened. This helps an organization be more future-ready to deal with attacks. Cybereason offers full protection on endpoints with next-gen antivirus, anti-ransomware and attack protection, and collects large amounts of evidence as data flows through the system. The Defense Platform is an operation-centric approach that makes an enterprise more secure.
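As an added illustration of two ideas from this summary (backdoors that hide their command and exfiltration traffic inside ordinary Dropbox, Google Drive or Facebook connections, and a platform that only raises a malicious operation once several pieces of evidence line up on one host), here is a small Python example written for this page; it is not Cybereason's code, and the telemetry, the abused-domain list, the expected-client list and the upload threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample endpoint telemetry (made up for this example, not real data).
# Each event: (host, time, process, parent process, kind, detail)
EVENTS = [
    ("ws-01", "09:00", "winword.exe", "explorer.exe", "proc", "lure.docx"),
    ("ws-01", "09:01", "stage.exe", "winword.exe", "proc", "%TEMP%\\stage.exe"),
    ("ws-01", "09:02", "stage.exe", "winword.exe", "net", "api.dropboxapi.com:443 out=20480"),
    ("ws-01", "09:05", "stage.exe", "winword.exe", "net", "content.dropboxapi.com:443 out=5242880"),
    ("ws-02", "09:10", "dropbox.exe", "explorer.exe", "net", "api.dropboxapi.com:443 out=4096"),
    ("ws-02", "09:11", "chrome.exe", "explorer.exe", "net", "graph.facebook.com:443 out=1024"),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Legitimate services an attacker can blend into (assumption: tuned per estate).
CLOUD = {"api.dropboxapi.com", "content.dropboxapi.com", "www.googleapis.com", "graph.facebook.com"}
# Processes that are expected to talk to those services (assumption).
KNOWN_CLIENTS = {"dropbox.exe", "googledrivesync.exe", "chrome.exe", "msedge.exe"}
EXFIL_BYTES = 1_000_000  # upload size that counts as a bulk transfer (assumption)


def evidence_for(event):
    """Return the evidence labels one event earns on its own (often none)."""
    _host, _ts, proc, parent, kind, detail = event
    labels = []
    if kind == "proc" and parent in OFFICE:
        labels.append("office-spawned-child")       # document spawned a program
    if kind == "net":
        dest, _, out = detail.partition(" out=")
        domain = dest.rsplit(":", 1)[0]
        if domain in CLOUD and proc not in KNOWN_CLIENTS:
            labels.append("unexpected-cloud-client")  # wrong process for that service
        if domain in CLOUD and int(out or 0) >= EXFIL_BYTES:
            labels.append("large-cloud-upload")       # bulk upload to the service
    return labels


def build_malops(events, min_kinds=2):
    """Correlate per-host evidence Malop-style: a host is reported only when at
    least min_kinds distinct evidence types co-occur, with a timeline to tell
    the story. A lone legitimate Dropbox sync never qualifies."""
    per_host = defaultdict(list)
    for ev in events:
        for label in evidence_for(ev):
            per_host[ev[0]].append((ev[1], ev[2], label))
    malops = {}
    for host, items in per_host.items():
        kinds = {label for _, _, label in items}
        if len(kinds) >= min_kinds:
            malops[host] = {"evidence": sorted(kinds), "timeline": sorted(items)}
    return malops
```

Run with `build_malops(EVENTS)`: only ws-01 is reported, because the Office-spawned process, the non-client Dropbox connection and the bulk upload reinforce one another, while ws-02's genuine Dropbox and browser traffic produces no evidence at all.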