In early May, Cybereason CEO Lior Div traveled back to Israel for the first time since the pandemic to visit its 300 employees based there. It’s a trip he took every few months from Boston, where his company is headquartered.
The visit was much more eventful than expected. A few days after Div’s stay, news came that the operator of the largest US pipeline had been paralyzed by a cyberattack that shut down a 5,500-mile fuel network.
Every major corporate hack piques Div’s interest because it’s his start-up business to keep the bad guys out. The attack on the Colonial Pipeline was particularly worrying given that the responsible group, an outfit called DarkSide, had attempted to infiltrate a Cybereason customer nine months earlier.
“They were pretty sophisticated, active, and looked very professional,” Div said in an interview. Cybereason was ranked 23rd on this year’s CNBC Disruptor 50 list.
More coverage of the 2021 CNBC Disruptor 50
In searching for DarkSide’s roots, Cybereason researchers were so shocked by what they learned that the company posted a blog post in early April detailing some of its findings. It described DarkSide as a team of blackmailers who steal private information and threaten to make it public unless the victim pays a large amount of money – usually $ 200,000 to $ 2 million.
They are called ransomware attacks, and Cybereason had learned that DarkSide was not only a major perpetrator of such cybercrime, but also sold a product called ransomware as a service that allowed other groups to use its self-developed tools and to wreak havoc for money in a similar way.
When the FBI discovered that DarkSide was behind the breach of the Colonial Pipeline, Div took it upon themselves to provide information about the group, how it worked, and what the companies were doing to protect themselves. He went to the press including CNBC, CNN, Reuters and Bloomberg.
During one of these interviews, the emergency alarms sounded in Tel Aviv, a signal for everyone in the area to find the nearest bomb shelter. Cybereason’s office has four on each floor.
The alarms sounded as the Israeli and Hamas-backed Palestinian militants stood at the start of a bloody eleven-day battle. Residents in and around Tel Aviv faced rockets while Israeli forces rained air strikes on the Gaza Strip.
“I continued the interview but went to the bomb shelter,” said Div, who previously served as a commander in the Israel Defense Forces 8200 unit dealing with military cybersecurity. “For someone who grew up in Israel, it’s sort of a switch to automatic response.”
Israel and Hamas agreed a temporary ceasefire last week. The death toll from air strikes in Gaza exceeded 240, while in Israel at least 12 people were killed.
Massive growth in cyber crime
Div started Cybereason in Israel in 2012 before moving the company to Boston two years later. It is now one of the fastest growing players in the burgeoning market for endpoint protection, protecting large corporate and government networks and their numerous devices from the advanced hacking tools and techniques that are spreading around the world.
Cybereason posted annual recurring revenue of around $ 120 million at the end of last year, doubling in size from last year, Div said. While Div and his management team are in Boston, Cybereason’s 800 employees are spread across Israel, Japan, Europe, and the United States. In 2019, the company raised $ 200 million from SoftBank, valued at around $ 1 billion.
We hunt proactively. We’re not just waiting for our software to block things.
Cybereason faces a wide variety of competitors ranging from technology conglomerates Microsoft, Cisco and VMware to cybersecurity providers CrowdStrike and SentinelOne (4th place on this year’s Disruptor 50 list).
According to Div, Cybereason’s special sauce and what enabled DarkSide to detect and stop DarkSide before a successful attack is a network of sensors around the world that automatically detect anything suspicious or unknown and hits a network . If a line of unrecognized code ends up on a Cybereason-protected server, the incident is flagged and the company’s technology and analysts are ready to go.
“We hunt proactively,” said Div. “We don’t just wait for our software to block things. We search information that we are constantly collecting to look for new clues.”
In August, when the software recognized DarkSide, the company reversed the code and followed the group’s virtual steps. It emerged that the relatively young organization apparently “sought destinations in English-speaking countries and seems to avoid destinations in countries affiliated with former Soviet bloc states,” the company wrote in its April blog post.
According to Div, Cybereason has found ten attempts by DarkSide to attack its customer base – eight in the US and two in Europe.
Increasing costs of hacking
In the absence of any technology to protect against DarkSide, Colonial Pipeline was forced to pay a ransom of $ 4.4 million. According to research firm Cybersecurity Ventures, ransomware damage will reach $ 20 billion this year, an increase of more than 100% from 2018 and 57 times more than 2015.
More important than the money, the pipeline incident exposed a serious vulnerability in the country’s critical infrastructure, which is increasingly connected to the Internet and protected by a loose patchwork of different technologies.
The shutdown also disrupted nearly half of the country’s east coast fuel supply. Gas prices soared to a seven-year high as consumers panicked during the outage and waited for hours to fill up.
The attack was costly and scary, but Div said the size and scope were nothing compared to what the U.S. saw last year in the SolarWinds infiltration, which affected an estimated nine government agencies and 100 private companies.
Up to 18,000 SolarWinds Orion customers downloaded a software update that included a back door that gave the hackers access to the networks. The hack came to light in December when cybersecurity software provider FireEye announced that it believed a government-sponsored actor had broken into its network to get information mainly about government customers.
The US authorities hacked Russia.
“The DarkSide sophistication wasn’t nearly what SolarWinds did,” said Div. “It’s the difference between a nation-state and a non-nation-state.”
According to Div, SolarWinds attackers scanned networks to see if Cybereason software was installed. If they saw it was there, they bypassed it and went to another network.
“This is how the malicious code worked,” said Div. “It was self-terminating when it was discovered.”
SentinelOne said its customers were also spared, based on the so-called Indicators of Compromise (IOCs) in the SolarWinds hack.
“In the SolarWinds attack, dubbed” SUNBURST “, research by SentinelLabs confirmed that devices with SentinelOne agents were specifically cleared of the malicious payload used in the reported IOCs,” the company wrote in a post on Jan. December.
Whether it’s ransomware, common hacks like phishing and malware, or complex espionage measures like SolarWinds, the frequency of attacks today forces companies to secure their networks with the latest threat detection technology.
Large customers typically pay hundreds of thousands of dollars a year for Cybereason, which Div says is cheap given what is happening with Colonial Pipeline.
“To see someone pay $ 5 million for a relatively small deal that we could have helped them with is crazy in my opinion,” he said.
CLOCK: Robinhood tops CNBC’s 2021 Disruptor 50 list