In early May, Cybereason’s CEO Lior Div made his first trip back to Israel since before the pandemic to visit his 300 employees based there. It’s a trip he used to make every few months from Boston, where the company is based.
The visit was much more eventful than he had anticipated. A few days after Div’s stay, news came that the operator of the largest pipeline in the US had been paralyzed by a cyberattack that destroyed a 5,500-mile fuel network.
Any big corporate hack captures Div’s interest because the business of its startup is keeping the bad guys out. The Colonial Pipeline attack was of particular concern because the group responsible, a group called DarkSide, had attempted to infiltrate one of Cybereason’s clients nine months earlier.
“They were quite sophisticated, active and seemed very professional,” Div said in an interview. Cybereason was ranked 23rd on CNBC’s Disruptor 50 list this year.
Tracing the roots of DarkSide, the Cybereason researchers were so disturbed by what they had learned that the company published a blog post in early April presenting some of its findings. He described DarkSide as a team of extortionists who steal private data and threaten to make it public unless the victim pays a large sum of money, usually between $ 200,000 and $ 2 million.
They are called ransomware attacks, and Cybereason had learned that DarkSide was not only a major perpetrator of such cybercrimes, but was also selling a product described as Ransomware as a service that allowed other groups to use their own tools and wreak havoc for money. . .
When the FBI determined that DarkSide was behind the Colonial Pipeline breach, Div took it upon himself to spread the word about the group, how it operates, and what companies should do to protect themselves. He went to the press, including CNBC, CNN, Reuters, and Bloomberg.
During one such interview, emergency alarms in Tel Aviv began to sound, a signal for everyone in the vicinity to find the nearest bomb shelter. Cybereason’s office has four on each floor.
The alarms sounded because Israel and the Hamas-backed Palestinian militants were at the start of a bloody 11-day battle. Residents in and around Tel Aviv were facing incoming rockets, while Israeli forces launched airstrikes in the Gaza Strip.
“I continued the interview but went to the bomb shelter,” said Div, who previously served as a commander in Israel Defense Force unit 8200 that deals with military cybersecurity. “For someone who grew up in Israel, it’s like switching to an automatic response.”
Israel and Hamas agreed to a ceasefire last week. The death toll from airstrikes in Gaza exceeded 240, while at least 12 people were killed in Israel.
Massive growth of cybercrime
Div founded Cybereason in Israel in 2012, before moving the company to Boston two years later. It is now one of the fastest growing players in the burgeoning endpoint protection market, which involves protecting large corporate and government networks and their many devices from the advanced hacking tools and techniques that are proliferating around the world.
Cybereason reached about $ 120 million in annual recurring revenue at the end of last year, roughly doubling in size from the previous year, Div said. While Div and its management team are in Boston, Cybereason’s 800 employees are spread across Israel, Japan, Europe, and the US In 2019, the company raised $ 200 million from SoftBank with a valuation of around $ 1 billion.
Cybereason faces a wide swath of competitors, ranging from tech conglomerates Microsoft, Cisco and VMware to cybersecurity providers CrowdStrike and SentinelOne (ranked No. 4 on this year’s Disruptor 50 list).
Div says that Cybereason’s special sauce, and what allowed it to recognize and stop DarkSide before a successful attack, is a network of sensors around the world that automatically identify anything suspicious or unknown that reaches a network. If an unrecognized line of code lands on a server that is protected by Cybereason, the incident is flagged and the company’s technology and analysts go to work.
“We’re proactively hunting,” Div said. “We’re not just waiting for our software to crash things. We are reviewing the information we collect at all times to look for new leads. “
In August, when its software detected DarkSide, the company reverse-engineered the code and followed in the group’s virtual footsteps. It found that the relatively young organization was apparently seeking “targets in English-speaking countries, and appears to avoid targets in countries associated with former Soviet bloc nations,” the company wrote in the April blog post.
Div said Cybereason found 10 attempts by DarkSide to attack its customer base: eight in the United States and two in Europe.
Rising cost of piracy
In the absence of technology to protect against DarkSide, Colonial Pipeline was forced to pay a $ 4.4 million ransom. According to research firm Cybersecurity Ventures, ransomware damage will reach $ 20 billion this year, more than 100% from 2018 and 57 times more than in 2015.
More important than money, the pipeline hack exposed a serious vulnerability in the country’s critical infrastructure, which is increasingly connected to the Internet and protected by a loose patchwork of disparate technologies.
The shutdown also caused an outage in nearly half of the country’s east coast fuel supply. Gasoline prices rose to a seven-year high when consumers panicked during the outage and waited hours in line to fill up.
The attack was costly and terrifying, but Div said the size and scale were nothing compared to what the United States saw last year in the SolarWinds intrusion, which affected approximately nine government agencies and 100 private companies.
Up to 18,000 SolarWinds Orion customers downloaded a software update that contained a backdoor, which hackers used to access networks. The hack came to light in December, when cybersecurity software provider FireEye revealed that it believed a state-sponsored actor had penetrated its network primarily to obtain information on government customers.
The US authorities blamed the attack on Russia.
“The sophistication of DarkSide was nowhere near what SolarWinds did,” Div said. “It’s the difference between a national state and a non-national state.”
Div said the SolarWinds attackers scanned networks to determine if Cybereason’s software was installed. If they saw it was present, they ignored it and moved to another network.
“This is how the malicious code worked,” Div said. “It was automatically terminated if it was going to be detected.”
SentinelOne said its customers were saved too, based on the “indicators of compromise” from the SolarWinds hack.
“In the SolarWinds attack, dubbed ‘SUNBURST,’ SentinelLabs research has confirmed that devices with SentinelOne agents deployed are specifically exempt from the malicious payload used in reported IOCs,” the company wrote in a December 13 post.
Whether it’s ransomware, common attacks like phishing and malware, or complex spying efforts like with SolarWinds, Div said the frequency of today’s attacks forces companies to protect their networks with the latest threat detection technology. .
For Cybereason, large clients typically pay hundreds of thousands of dollars per year, which Div says is cheap given what just happened with Colonial Pipeline.
“To see someone pay $ 5 million on a relatively small deal that we could have helped them with is crazy from my point of view,” he said.
LOOK: Robinhood tops CNBC’s 2021 Disruptor 50 list