Cyber-attacks and negotiations: A deep dive into the world of cybersecurity with Ram Elboim, CEO of Sygnia
The digitalization of enterprises is a process that has required a lot of effort from entrepreneurs, especially small and medium-sized enterprises, but is starting to show benefits. It’s become clear in fact that an undigitalized company is cut off from the market, as if it did not exist.
In today’s connected world, there are numerous online threats. Cyber-attacking can mean accessing, transforming and/or destroying sensitive information, but also extorting money, disrupting business processes, and stealing others’ identities.
Cybersecurity protects the online world, defending computers, servers, mobile devices, electronic systems, networks, data, IT infrastructure – essentially anything with a digital footprint – against attacks.
Cybersecurity has become increasingly essential given the number of connected devices in use today and the skills and tools available to those who carry out cyber-attacks. But what happens when one becomes a victim? What should be done? Is there a guide on the subject?
To help us better understand and prepare ourselves for what’s out there, let’s see what Ram Elboim, CEO of Sygnia, has to say on the topic.
Starting with yours and the company’s profile, tell me about your professional history and what Sygnia is.
“My interest in technology and cyber began 35 years ago, when I was 19 and joined the military. I worked my way up to become a senior member of Unit 8200, the Israeli Defense Force’s (IDF) elite cyber and intelligence unit and from there held several positions, leading technology, and business in various companies in Israel’s hi-tech ecosystem. I have a background in Mathematics and a Master of Science degree in Physics from the Hebrew University which proved invaluable when I entered new and innovative domains. After completing my MBA, I founded several startups and, as it turns out, the ones that did not end in a major exit gave me more insights into business, technology, and the relations between the two, than the ones that did.
I joined Sygnia more than seven years ago and have been the CEO for three years – having been involved in every aspect of the company’s work. Sygnia is the foremost global cyber readiness and response team, working with organizations all over the world, including Fortune 100 and Global 2000 companies. Our teams apply creative approaches and battle-tested solutions to help organizations beat attackers and stay secure. We bring ingenuity to each phase of a company’s security journey, from assessment and preparedness to detection and response. At every step we meet our clients where they are and deliver the tailored insight and decisive action needed to be unstoppable in the face of cyber threats.
We created Sygnia in response to an unsupported market need of holistically managing and containing cyber risks and defeating the full spectrum of attacks against businesses. Tackling cybercrime requires a multitude of skills, including a predictive and adaptive mindset to uncover the threats that no one else would suspect. That’s why our talent is carefully selected from the ranks of elite cyber and technology units as well as trained experts from the cyber industry including intelligence officers, digital combatants, hostage-turned-ransomware negotiators, and more with honed skills in technological supremacy and data analytics.
We augment and optimize our incident responders and cybersecurity consultants’ skills with the best proprietary technology. That’s how we’re building the world’s most cyber-ready organizations.”
We often imagine cyber-attacks as scenes from science fiction or situations that cannot affect us directly. This is why we need an overview of today’s cyber threat landscape. How do you describe this situation, its threats and the major risks for the victims involved?
“In older movies, we saw threat actors as these stereotyped ‘basement-dwelling’ teenagers – but that’s simply not the case anymore. Threat actors are not operating alone – they are large organizations that have business goals and standardized operations – some of them have HR and payroll functions that extend through to training and ‘sales’ teams. Cybercriminal gangs are so widely dispersed and disguised that some of their affiliates are not even aware they are working for cybercriminals because of their pure business ‘look and feel.’
For these cybercriminals, organizations that hold astronomical amounts of private and sensitive data serve as large books of business that they can extort on a regular basis to pay their monthly ‘salaries.’ Companies that fail to recognize this reality are ultimately the ones who suffer the greatest losses.
When we look at the evolving cyber threat landscape, technological innovations like AI, IoT and Cloud are moving faster than we can control, and while they have huge benefits, they also now present an additional attack surface that can be exploited. Whenever a new technology is introduced, it’s often layered over legacy infrastructure that then becomes ‘ignored’ or forgotten. Unfortunately, in doing so, businesses are inadvertently creating the holes that threat actors use to access information because they simply cannot keep up in securing this changing landscape.
AI is specifically making it easier for threat actors to source vulnerabilities and scale the size of their attack without necessarily being all that sophisticated. In the same way in which industry leaders are using AI technology for good to source vulnerabilities and fix, threat actors are using AI to find and exploit vulnerabilities.
We are also seeing a rise in supply-chain attacks as we adopt more technologies that share data between organizations too. As we digitize services and move to the Cloud to improve customer services or create more personalized experiences, we are seeing threat actors target the ‘connectors’ of that data – cloud and service providers and their third-party companies.
The Cloud requires different layers of protection that in many cases are not being fully utilized. It leaves the entire ecosystem or supply-chain of companies using that service provider open to a cyber-attack. We only need to look at the way the SolarWinds and Log4Shell attacks spread like wildfire to see how.
We are seeing threat actors become more vicious. From wanting to gain notoriety and monetary rewards, we are now seeing more fractured motives. Vertical industries, like healthcare and education – which have typically been protected by ‘thieves honor’ in the past – have now become part of the game, and under continuous attack. The victims of these attacks are not only the organization itself – each piece of data might be a person’s livelihood.
The motives of cybercriminal gangs can be politically charged too. There are a few nation states that have taken cyber-attacks to the next level. In many cases the line between nation-state attackers and cybercriminals is blurred – sometimes they cooperate, sometimes criminals use nation-state tools, and in many cases, the states just turn a blind eye. While some countries are more aware and act, there are many that have not yet recognized the threat and rely on basic protection for their critical infrastructure. Same for large enterprises – they believe they are safe, but they might be an actual target of a nation state, or criminals that use the same tools.
Unfortunately, at this stage, attackers are way ahead of security teams, because they do not have the same security protocols, regulations, or company policies to adhere to and obviously, there isn’t a technological silver bullet to protect businesses. That’s why organizations that wish to protect themselves and their clients, must take a holistic approach to cybersecurity that does not rely on being compliant with regulators’ demands, but rather on top-notch security thinking, advanced planning, constant vigilance in detection, and an ability to immediately respond to threats as soon as they materialize.”
When and how are the victims of these cyber-attacks selected?
“Financial gain or notoriety are the most common reasons why some businesses are attacked more than others. In many cases, attackers are not looking for a specific business or a company. They look at a set of companies and industries that are likely to pay and use a plethora of methods to find vulnerable victims.
While social media, information brokers and the dark web are being used to glean information, the most common way is still a phishing email that an employee responds to unwittingly as they see ‘a request from the boss,’ ‘a question from a customer,’ or an ‘update from a vendor.’ If you add new publicly available AI tools like Chat GPT to the mix, it’s actually becoming easier for attacks to mimic genuine approach. Lulled into a false sense of security, the victim opens an attachment or answers the email, and malware is deployed and/or data is taken to facilitate the next step of the attack, which might cripple the entire organization.
Targeted attacks towards a specific organization are, in many cases, at a time when the company is particularly vulnerable or for political purposes to gain intelligence. For example, we have seen attacks on organizations that are about to be acquired, IPO’d, or changed an element of their critical infrastructure.
There are some empiric trends that may also be recognized. Some attackers are less active in August for example. More importantly, as an IR company, we see evidence of many attacks taking place during the evenings and night on weekends – when victims are less observant, and their ability to respond is reduced.”
Are there specific industries that are catching the eye of cyber-attackers? What should they do to be more prepared?
“Over the past year, and likely moving into 2024, industries that traditionally invested less in security while having highly sensitive data and societal impact are being targeted more and more. These include healthcare and educational organizations that are catching the eye of threat actors. Nothing is off limits – the vulnerability of exposing potential victims – ill or young – adds urgency to extortion. In parallel, attackers find easy targets in the industrial and critical infrastructure sectors that are traditionally using legacy systems that are hard to fully patch and modernize and are digitally transforming to the cloud with basic approach to security.
There is an ongoing trade-off between security and operations and businesses should err on the side of caution as the risk is becoming more severe. We need to keep pace with threat actors and that means investing and enlisting the help of security experts who can review your security stack from the ground up and see what you may not be seeing. No business is exempt from a cyber-attack and having robust security solutions in place that focus on cyber readiness and response, which is often the overlooked element of security services, is imperative. This will help lessen the toll of a cyber-attack and ensure businesses are cyber-ready.”
Where are the majority of attackers coming from – which markets?
“It is generally known that many attacks are coming from specific countries such as China, Russia, North Korea, and Iran. In some cases, like with Iran, the main motivation is political. For others, like North Korea, cyber-attacks are also a means to gain funding. In many cases, the governments that turn a blind eye to cyber operations often facilitate the attack. An attacker that operates from the US, using US infrastructure is much more likely to be caught and punished than a peer in countries such as Russia. That said, as I mentioned previously, threat actors are international players that run as a business and the threat is truly global.”
Let’s focus our attention to the negotiation. When should one negotiate and when should one not? How can one understand what is the right amount to pay? When does paying become the wrong choice?
“Ransomware negotiation serves as a way to limit the amount of damage to a company, create time for incident responders to uncover the threat, allows the organization to contain the attack, recover, and ultimately minimize the ransom payment. It’s also a means to better understand the level of the threat and the extent of the damage that the attacker may inflict, especially through leaking precious information.
We would never recommend negotiating with a threat actor unless you have the necessary experience and right skills for the job. Most in-house security teams are vital for their knowledge but have probably no specialized expertise in digital combat, negotiations, understanding the mindset of the threat actor, or even the legal implications. Enlisting and being confident you have the right support is vital as you usually have one shot when negotiating.
It’s also important to have set expectations in mind. Success means paying little or no money while securing the stolen data, but you also need to know what you are willing to negotiate and where your limits may lie. Ultimately the decision whether to pay is on the business owners who need to consider the actual risk to the company, the legal impact, and their ability to securely recover operations. Naturally, if during the negotiations you gained more control over your network and operations, and if the actual data that has been taken is found to be less sensitive, you are better equipped not to pay, or pay a relatively lower sum.
While we recommend negotiating for multiple reasons, there are cases where it doesn’t add value and might even harm the organization. The most notorious example is when nation state threat actors hide behind a criminal front and have no intention of releasing keys or stopping leaked information from being published. While attribution is usually hard to achieve, utilizing investigation teams that are experienced with these threat actors, will allow the victim to have better chance of doing the right thing.”
How can businesses mitigate and recover from an attack and avoid being a victim of repeated attacks or double extortion attempts?
“There is no guarantee that a business can avoid repeat attacks. However, finding the source of vulnerability, true containment and diligent remediation are key success factors. In addition, continuous monitoring and periodic hunting in peacetime can significantly increase the chances that a threat is identified before damage is inflicted on the organization, and thus are a way to break the cycle of threats.
Business leaders must take into account that cyber threats are becoming one of the most important risks for their organizations, and in many cases, the main one. Furthermore, executives might face personal liability if the business is significantly affected. It is just not enough to be complaint – it is critical to be secure. While there is never a one hundred percent solution, the C-Suite and the Board can significantly reduce the exposure of the organization and their personal risk by introducing an enforcing message of security into the organization, carefully considering the inherent trade-off between security and operations, and planning for a potential crisis. Some organizations are equipped to follow these steps on their own, but as most organizations are focusing on their own business, external assistance is necessary to help in prioritization, planning, preparing, and responding when an attack takes place.”
What is the evolution of the threat landscape, particularly for 2024?
“We are expecting ransomware extortion to continue being a huge threat in 2024. While many governments are working to avoid ransomware payments, it’s expected that ransomware extortion will continue to be one of the major aspects of cyber-attacks.
Another trend that will continue is the combined involvement of nation states with cyber-attacks. It can be either direct nation state attacks or nation states that work in coordination with the criminal activities or criminal organizations for geopolitical reasons and there are various nations that take this position. This happens either because there are specific tools from nation states being used by criminals, or because there is an underlying collaboration of some kind where that nation state is turning a blind eye to their activity.
Another aspect is the growing risk that involves the more vulnerable organizations, especially the ones that have a lot of what we call operational technology (OT). OT is the underlying infrastructure in manufacturing plants, hospitals, utilities etc. These systems are usually older, legacy systems that are now being converged with modern technology, and as I had mentioned previously, an entire area that has been neglected to be updated with the appropriate levels of security protection. Organizations will typically protect their corporation, financial systems, ERP systems etc., but not their factories and yet even aspects like air conditioning and inventory are now all connected to wider management systems that cannot be neglected. The outcome is that these kinds of systems will be attacked more and more because they are more vulnerable and easier to attack.
Another area that is interesting is AI, that will have a huge impact on humanity. Like all technology, it is a tool and how we use it – for good or bad – will be down to the motive of the person who is coding the algorithms and using it.”
How may AI evolve the threat landscape? Can AI be an ally in this fight against cyber-attacks?
“AI will affect us and cybersecurity in two ways: it has the potential to be used by defenders as tool to help identify the most important IP to prioritize and protect in the case of a cyber-attack, but on the flipside, it can also be used by attackers for malicious intent. Like any technology, AI can be used in a good or bad way, depending on the intentions of the person using it.
In general, I would say the following. Usually, attackers have an advantage over defenders. The reason is that defenders have to go through regulations that they must abide by, for example, corporate policies, while attackers do not have these same ‘limitations’. Therefore, usually when new technology and new trends come up, attackers are ahead in comparison to the defenders.
AI is largely unregulated and as a result, there are not enough stringent controls in place to protect people’s privacy nor business intelligence. As mentioned previously, AI makes it easier to source vulnerabilities quickly and at scale while also reducing the time attackers spend in preparing and implementing an attack. While the first known examples are in phishing and impersonation campaigns, we are aware of threat actors that are using AI tools to further develop their capabilities.
However, in the same vein, AI will help security teams reduce effort and time spent on more manual tasks like scanning data for strange anomalies, unpatched software, and systems, and most importantly – make it easier to detect threats, allowing the organization to focus on more strategic security objectives. The field is just starting to evolve and no doubt, these capabilities will be increasingly available in additional areas such as enhancing attack prevention mechanisms and allowing focused response capabilities. Nevertheless, even with that, the cyber threats are not going to disappear – the constant war between attackers and defenders is not expected to end soon. To be cyber-ready, businesses can’t rest. So, neither does Sygnia.”
While you were explaining the role of AI, you said that technology is a tool in the hands of humans and how it is used is up to them. Is it possible to profile these cybercriminals?
“Cyber-attackers are users of technology like anyone else, and when they look at technology, they analyze what vulnerability they can find using that technology or through that technology. Attackers invest a lot of energy and money to identify vulnerabilities – it’s their day job – and therefore spend time to plan how to penetrate the organization and how to leverage access to the organization’s technology to get their way.
They also try to understand their victim’s perspective, for example, why a person responds to an e-mail that is sent to them. This is something that they will later use to frame an email in such a way that the user is more likely to click on and open it, allowing them to install malware on their computer, and so on. With the use of AI, these emails are becoming more appealing and personalized.”
What message would you give to the CEOs and managers of the various companies?
“I would like to give them the following message: a cyber-attack is not only a technological attack that should be handled by the Chief Information Security Officer of the organization. A cyber-attack should be considered as a business risk, and you should prepare for it accordingly.”
Have you read?
The world’s top 50 most popular luxury brands for 2023.
Richest Tennis Players In The World.
Richest Actors In The World.
The World’s Richest People (Top Billionaires, 2023).
Revealed: Countries With The Best Health Care Systems, 2023.
Top Most Valuable Coins For Collectors Across The Globe.
Add CEOWORLD magazine to your Google News feed.
Follow CEOWORLD magazine headlines on: Google News, LinkedIn, Twitter, and Facebook.
This report/news/ranking/statistics has been prepared only for general guidance on matters of interest and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, CEOWORLD magazine does not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
Copyright 2024 The CEOWORLD magazine. All rights reserved. This material (and any extract from it) must not be copied, redistributed or placed on any website, without CEOWORLD magazine' prior written consent. For media queries, please contact: info@ceoworld.biz
SUBSCRIBE NEWSLETTER
