The Cybersecurity System of the Future

How Cybereason is using a groundbreaking approach to help keep companies safe.

The biggest cyberattack in history started with a murmur.

In December, the cybersecurity firm FireEye noticed a seemingly small breach of its system and alerted its IT management company, SolarWinds. One of the most trusted software firms in the world, with clients representing both Fortune 500 companies and the United States government, SolarWinds began a routine check and soon made a horrifying discovery: Thousands of its clients had been breached. Attackers had used a supply-chain attack to embed malicious code in the companies’ networks and gain backdoor access. SolarWinds soon admitted that 18,000 of its customers—including Cisco, Intel, and the U.S. Treasury and Defense Departments—had been compromised.

The cyberattack was shocking in its scope, but also notable for its sophistication. The attackers, who were soon traced back to Russian state actors, had used malware that could assess the security systems running on the networks they targeted before launching malicious operations. The Russian operatives took months to test the security systems of each network in order to avoid detection—and then fully infiltrated them, with devastating results.

The historic breach underscored the principal weakness of most security systems: they require manual investigation of thousands of individual alerts, a time-intensive process that makes it difficult to identify the larger pattern of an attack. This alert-centric approach allows attackers to remain hidden in a network’s seams because it’s too difficult to spot them. 

Yet one company has developed a new approach to thwart these types of security breaches, one that quickly identifies and responds to an attack so it doesn’t become a full-scale event. That company is Cybereason.

Unlike most security systems, Cybereason uses what it calls an operation-centric approach. A unique blend of prevention, detection, and response, Cybereason leverages machine learning and behavioral analysis to monitor an entire network in real time for malicious operations (what the company calls Malops). The system is revolutionary because it constantly assesses an entire network for the slightest anomalies; if a malicious program slips through while masquerading as a legitimate one, it’s quickly discovered—and expelled.

“During their attack, the Russian operatives specifically checked if Cybereason was running on each company’s computer system before deciding to proceed with the Malops,” says Lior Div, the cofounder and CEO of the cybersecurity firm. “If we were on the network, then the attackers decided not to run their code, because they knew we would catch them.”

In the aftermath of the SolarWinds attack (the full scale of which is still not fully understood, as new revelations come to light), one fact has become clear: Corporations and governments need a new type of security system, one that understands the mindset and techniques of the world’s top attackers, crafted with inside knowledge of how advanced operations unfold.

“The Russian attackers avoided us for a simple reason,” Div says, smiling. “We’re using an unpredictable new method to beat them at their own game.”

The Pressing Need for Better Cybersecurity

Cybercrime is at an all-time high. 

According to a December 2020 report by the Center for Strategic and International Studies, global losses from cybercrime totaled over $1 trillion in 2020, double the amount from only two years before. According to an estimate by Cybersecurity Ventures, cybercrime will cost the global economy $10.5 trillion annually by 2025, an amount greater than the GDP of every country on the planet except China and the United States.

A major reason for the surge is that most security is simply outdated when trying to identify highly sophisticated attack methods. Traditionally, companies use approaches that require manual analysis, investigation, and triage to keep bad actors out of endpoints like desktop computers, mobile devices, and network servers. Yet as the SolarWinds attack—along with dozens of others in recent years—demonstrates, this approach is no longer effective. Give a criminal attacker enough time and they will almost certainly find a way into a system, and remain undetected for long periods. They can do this because companies and governments are unable to manage the sheer quantity of alerts generated by most security tools.

Traditional security methods focus only on the assets they are designed to protect. This means there is often just one solution for endpoint protection, another for cloud computing, another for mobile, for identity, and so on. While working in these silos, security teams are often forced to look at each alert as an isolated event with no correlation across devices, platforms, and users—the exact opposite of how Malops actually unfold. As a result, advanced attackers have numerous opportunities to stymie these security measures and remain undetected.

Even more troubling, everyone is at risk today. According to a 2020 report by Interpol, cybercriminals are shifting their attacks from individuals and small companies to corporations, governments, and even critical infrastructure. And online attackers can cause major damage: extended downtime costs businesses, on average, over $700,000 per incident.

“Criminal attackers are super motivated,” Div says. “They’re generating tons of money by breaking into companies’ networks, so the problem of security is becoming harder and more sophisticated. The only solution? Evolve faster than your adversary.”


A New Security Approach

Cybereason is more effective against sophisticated online attacks for a simple reason—its founder is a former special forces attacker himself.

Growing up in Tel Aviv, Div entered the Israeli Defense Forces (IDF) at 18 and specialized in cyber operations—putting him on the front lines of today’s cold wars between Russia, China, and the West. In addition to guarding against state-sponsored attackers attempting to break into Israeli networks, he conducted cyber operations against various adversaries around the world. Eventually, he came to understand the winning strategies of both attackers and defenders, and even earned a Medal of Honor for his work in the IDF.     

And what Div saw during these years troubled him. 

“In Russia and China, government entities are responsible for malicious operations,” he says. “In addition, there are independent criminal groups attacking for profit. Half the time these groups are contracted by the government, and half the time they’re working for themselves, using the same sophisticated methods.”

After leaving the IDF, Div had an idea. If cybercriminals were more advanced than the systems designed to thwart them, then the world needed a new cybersecurity approach—one as sophisticated as the attackers themselves. 

“We knew the days of just creating a big wall and preventing people from coming in were over,” he says. “To offer real protection, we needed to create something that would consistently have the upper hand.” 

Whereas most security systems simply check once to determine whether a file process or other network activity is good or bad, Cybereason monitors system activity on an ongoing basis in real time. In the SolarWinds case, for example, the criminal attackers used the guise of a known product update to spread malicious code. The update was allowed entry by other security solutions for a variety of reasons—including that it originated with a trusted source and was signed with a valid digital certificate. Once in the system, however, it was not revalidated by other security systems, and began its malicious behavior. Cybereason, by contrast, continually monitors activities to detect when a supposedly “good” update begins behaving maliciously and then shuts it down.   

To understand this approach to cybersecurity, compare the following two buildings. 

One has a team of security guards that checks everyone at the front door. If someone presents a threat, an alert sounds and they’re denied access. If the person is not a threat, the guards let them in and they can do whatever they want, including behave maliciously. This is how most cybersecurity systems work, offering only a single security check upon entry.

Cybereason’s approach, by contrast, is comprehensive and ongoing. Its building has guards at the entrance that block known threats. In addition, every room is outfitted with cameras and sensors that assess what is happening every second. If someone is granted access and then begins acting suspiciously, Cybereason can lock them down before a full-scale attack unfolds.
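The two building models above, as an added illustration that is not Cybereason’s code and does not describe its product: an entry gate that admits a validly signed process once, beside a monitor that attributes later child-process activity back to the admitted process and flags the chain the SolarWinds passage describes (trusted update, then a spawned shell, a dropped file and unexpected outbound traffic). The event stream, the allowlist and the chain rule are constructed for the example.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Event:
    host: str
    pid: int
    ppid: int             # parent pid; an untracked parent makes this process the root of its own chain
    image: str
    signed: bool          # code signature was valid when the process started
    action: str           # start | spawn | write | connect
    detail: str = ""      # child image, file path or destination host

ALLOWED_DESTS = {"vendor-cdn.example"}            # constructed egress allowlist for the updater
SUSPICIOUS_CHAIN = ("spawn", "write", "connect")  # shell spawn -> dropped file -> unexpected egress

def entry_gate(ev: Event) -> bool:
    """'Guards at the front door': a signed process is admitted at start and never looked at again."""
    return ev.action == "start" and ev.signed

def in_order(pattern, seq) -> bool:
    """True if every element of pattern appears in seq in that order (gaps allowed)."""
    it = iter(seq)
    return all(any(a == p for a in it) for p in pattern)

def lineage_chains(events: list[Event]) -> dict[tuple[str, int], list[Event]]:
    """Attribute every event, child-process activity included, back to the admitted root process."""
    root_of, chains = {}, {}   # (host, pid) -> root (host, pid); root -> its ordered events
    for ev in events:
        key = (ev.host, ev.pid)
        root = root_of.get((ev.host, ev.ppid), key)        # inherit the parent's root if we track it
        root_of.setdefault(key, root)
        chains.setdefault(root_of[key], []).append(ev)
    return chains

def find_malops(events: list[Event]) -> list[tuple[str, int]]:
    """Continuous model: flag a root whose lineage performs SUSPICIOUS_CHAIN in order, however it got in."""
    flagged = []
    for root, evs in lineage_chains(events).items():
        seq = [e.action for e in evs if not (e.action == "connect" and e.detail in ALLOWED_DESTS)]
        if in_order(SUSPICIOUS_CHAIN, seq):
            flagged.append(root)
    return flagged
# Constructed event stream: a validly signed updater is admitted, then its child drops a file and beacons out.
EVENTS = [
    Event("ws-01", 100, 4, "updater.exe", True, "start"),
    Event("ws-01", 100, 4, "updater.exe", True, "connect", "vendor-cdn.example"),
    Event("ws-01", 100, 4, "updater.exe", True, "spawn", "powershell.exe"),
    Event("ws-01", 101, 100, "powershell.exe", True, "write", "C:\\Users\\Public\\stage2.dll"),
    Event("ws-01", 101, 100, "powershell.exe", True, "connect", "203.0.113.7"),  # TEST-NET-3 placeholder
    Event("ws-02", 200, 4, "unsigned-tool.exe", False, "start"),
]
```

The gate alone admits `updater.exe` and then sees nothing further; only the lineage-based chain check raises the root process once its descendants complete the pattern.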

“We basically built a brain to look for malicious operations based on subtle behavior chains,” Div says. “We have the ability to constantly assess what’s happening to determine if it’s good or not. And even if the system says it’s good, it’s only good for now. We’ll continue to observe every operation, and if something starts acting maliciously, we’ll stop it.”

The technology required to analyze a network in real time—to monitor all the activities of, say, a corporate network of 500,000 individual computers—is revolutionary, and it took the team three years to develop it. Most cybersecurity firms store and analyze data from companies in the cloud, but only after a significant portion of the data has been eliminated. This is done to mitigate the difficulty of processing huge volumes of information. The result is an incomplete picture. By contrast, Cybereason uses a pioneering approach that harnesses machine learning to analyze all the intelligence that’s available about activity on a network in real time, as the data is generated and sent to the cloud—making the analysis more comprehensive, more effective, and faster. 

The Cybereason Defense Platform is able to crunch this immense amount of data—an average of 80 million events per second—because, rather than looking at it en masse, it simply analyzes any changes that have occurred. Even vast computer networks tend to act in predictable ways. Cybereason’s method works because it analyzes chains of behavior and assesses them as malicious or benign. By approaching security in this way—identifying suspicious behavior in real time—Cybereason is able to stop threats earlier in the kill chain, as it’s called.

“Criminal attackers typically know what security systems are looking for and what intelligence they omit, and are then able to bypass them,” Div says. “But when they encounter Cybereason, they don’t know exactly what we’re looking at to determine malicious intent, because we’re collecting and evaluating everything. This way, we’re always able to stay ahead of the attack.”

Today, Cybereason works with banks, governments, pharmaceutical companies, and other clients who are constantly under attack—protecting their information against the most sophisticated criminals on the planet. Two years ago, for instance, Cybereason uncovered attacks targeting a number of telecom companies in what was dubbed Operation Soft Cell. During the investigation, Cybereason determined that Chinese actors had compromised ten of the companies, gaining complete access to their networks. The breach was massive, and obtaining clues about what was unfolding was like searching for a needle in an entire hayloft. Other cybersecurity firms failed to detect it. But Cybereason was able to come in and see the operation, retrace what had happened to let the attackers in, and then fend them off. It was a remarkable feat of digital security, made possible because Cybereason was able to look at the entire picture, isolate malicious behaviors, and correlate them across all users and devices on the network. In essence, it not only saw each tree in the entire forest, but was able to identify—and remove—every bug-infested branch. 

Securing Companies for the Future of Cyberwarfare

Cybercriminals are skilled attackers. But they’re also opportunists. If there’s an easy target, they’ll go after it, which is part of the reason cybercrime exploded in 2020. COVID-19 created a significant increase in digital activity, which in turn created a host of vulnerable new targets. 

And this trend isn’t going to change anytime soon.

Moving forward, criminal attackers will continue to hone their methods and identify new targets. Hospitals, health care companies, and schools and universities are already frequent victims. Hospitals experienced a spike in ransomware attacks in 2020, prompting the FBI and other government agencies to issue warnings. “The threat from ransomware is ongoing and entities should develop effective deterrent procedures while maintaining effective care delivery,” stated a November update. 

In this new era, no one is immune. So far, the most common attack techniques are malware and VPN exploits, according to Microsoft’s recent Digital Defense Report. But the first half of 2020 also saw an approximately 35 percent increase, compared with 2019, in Internet of Things (IoT) attacks—criminals exploiting systems through network-connected devices like refrigerators, smart speakers, and even baby monitors.

In response, Cybereason is working around the clock to stay ahead of attackers. In addition to monitoring networks, Cybereason has a predictive analytics research arm that assesses how criminals are developing attacks for the future—and it uses those insights to tweak its systems and anticipate attack trends. A primary aspect of Cybereason’s operation-centric approach is understanding where attackers are focusing their efforts, based on prior successes, then intercepting attacks at their earliest stages. This is especially important in combating ransomware attacks, which have evolved beyond simply encrypting and holding data hostage to exporting that data and threatening to sell or release it if the demands aren’t met. 

“Today, we’re seeing ransomware attacks that start with a single extortion and then move toward a double extortion,” Div says. “Soon it will be a triple extortion—as long as they can make money. Then the criminals will take that money and reinvest it to engineer even bigger attacks.”

Looking ahead, Malops will only increase in complexity, and become more and more difficult to detect. But with Cybereason advancing its technologies ahead of the attackers, new security options will continue to be available to companies, ensuring a safer way of working for the future.

“It’s an evolving problem, so companies need an evolving solution,” Div says. “Cybereason is built to keep outsmarting attackers.”

*This story was produced by WIRED Brand Lab for Cybereason.*