Far away from the North Korean capital of Pyongyang, and even further away from Sony Pictures Entertainment offices in Los Angeles, Israeli cybersecurity experts – of which there are many – are scrambling to understand the hack job everyone is talking about, and figure out how – and even if - they will be able to predict and combat future such attacks.
- Obama: U.S. will respond to North Korea cyberattack
- Despite all the publicity, the Sony hack was small-time; much worse is yet to come
- Not just 'The Interview': Welcome to movie purgatory
- Obama issues new sanctions on North Korea over Sony hack
- Has Hezbollah’s cyber spy ring been exposed?
- Cyber spies hacked Israeli army networks, security researchers say
Between Sony succumbing to pressure to cancel, at least temporarily, distribution of “The Interview,” its screwball comedy about the assassination of North Korean ruler Kim Jong-un, U.S. President Barack Obama entering the fray to scold Sony and threaten Pyongyang, North Korea’s Internet service temporarily collapsing and the computer systems at South Korea’s nuclear plant also reported hacked – what is going on, says cybersecurity maven Ron Davidson, is no small deal. It is, he claims, nothing less than “the first ever, public, large-scale cyber war.”
It started, of course, with a hack – one the FBI claims can be traced to the North Korean government – of Sony Pictures’ system, which exposed tens of thousands of the corporation’s emails and other classified documents, embarrassing executives, ruining relationships, damaging reputations, bringing on the specter of lawsuits, costing big bucks and generally creating chaos and confusion.
Could the hack have been thwarted?
It seems that Israel – which has, per capita, more cybersecurity startup companies than any other country in the world, more companies dedicated to fighting hackers than in all of Europe combined, significant government investment in the field, strong collaboration between business, military and academia and even incentives for multinationals – does not have a simple answer.
“We think we are a great cyber-secure nation, but we are kidding ourselves,” says Tanya Attias, a Belarus-born, Israel-based cyber intelligence consultant working for S2T, a Singapore company that develops big data and cyber intelligence solutions for governments and large corporations. Like many of the engineers and executives in Israel’s cybersecurity sector, Attias served in the Israeli Defense Forces’ elite and secretive technology intelligence unit.
“What happened to Sony, technically speaking, could happen here, anytime,” she says. “In fact, it already does. We just don’t hear about it.” She continues: “Israeli companies, corporations and government agencies, big and small alike, are attacked on a daily basis by all sorts of hackers – by Russians, or Palestinians, or Arabs from various countries.”
“Typically, such breaches of security go unreported, at least publicly,” says Davidson, who heads the cybersecurity arm of a Tel Aviv-based security company with more than $1 billion in sales annually. Davidson is a veteran of 8200, probably the most famous of the IDF’s intelligence units, which parallels many of the functions of the U.S. National Security Agency and, like Attias’ unit, also feeds Israel’s booming private cybersecurity sector.
The reason no one hears about these hacks, continues Davidson, is that attackers are often trying to gather information for purposes of espionage – and not to publicly shame their targets, as seems to have been the case with Sony. As such, making their work public rarely furthers the hackers’ goals – and the targets themselves, if they know they have been hit, have little incentive to take the stories public either.
“There are two aspects of breaking in – the easy part is to hack in the harder part is to eliminate the log and any evidence of you being there,” says Moran Cerf, a child prodigy hacker and 8200 alum turned neuroscientist. “The best attacks are the ones where the target does not even know you were there.”
Hack work indeed
While there is clearly a lot that cybersecurity folks can learn from the attack on Sony and the fallout – the hack in and of itself, according to observers-in-the-know, was not particularity creative, innovative or sophisticated.
“The hackers in this case were not using new pieces of code,” says Nimrod Kozlovski, a professor of cyber studies at Tel Aviv University and a partner in JVP Cyber Labs, the cyber incubation and investment arm of a leading Israeli venture capital firm, Jerusalem Venture Partners. It was a “cut and mutate job,” he explains, in which the hackers reused a virus code, tweaked and relaunched “at least six components of previous malware.”
The old malware reused in the Sony case, according to media reports, included two data-erasing pieces of software called Shamoon and DarkSeoul, which can easily be found on the Internet – and which were used two years ago in attacks on South Korean banks and a Saudi Arabian oil company.
Dr. Nimrod Kozlovski in New York in 2012. Photo by Natan Dvir.
Besides tweaking the malware, what the Sony hackers almost definitely relied on, agree the experts, was simple human error they could take advantage of.
“Ninety nine percent of attacks are not pure cybersecurity attacks at all, but rather results of human error. Every attack I have seen in my life involved human error,” says Cerf, who is today an assistant professor at the Kellogg School of Management and the neuroscience program at Northwestern University. “It doesn’t even matter how much security you have if one guy at Sony gave out his password or clicked on a link they should not have, that basically could have allowed a hacker entrance through the main door.”
The ability of hackers to modify viruses and keep ahead of the security systems, as well as the inevitability of human errors, means that it is all but impossible to guarantee that the next similar such hack can or will be stopped. But this does not mean, stresses Kozlovski, who served in the IDF’s electronic warfare unit, that there is not a growing cache of weapons to fight such attacks.
Gigabyte of prevention
One promising way to stem a future such attack, says Kozlovski, has to do with mapping out all the potential variations of a virus ahead of time. He points at an Israeli company that JVC invests in, CyActive, which he says is a trailblazer when it comes to preempting, rather than waiting to detect, an attack. “They created something like a genetic lab, took the existing viruses and then created hundreds of thousands of potential mutations on them – as well as antidotes.”
Another innovative approach being developed by several companies in Israel, continues Kozlovski, involves creating a more advanced system for investigating and prioritizing security violations.
“It seems that Sony’s existing security technologies did alert them that they might be under attack. But so many such alerts come in that no organization can cope immediately or take automatic action to disable the system,” explains Kozlovski. Typically, if the system identifies a suspicious event, it is reported back to the security information management platform (SIM), and only then investigated. Companies like RSA (co-invented by an Israeli) or the smaller (Israel based) SecBI use technology developed in the Israeli army to cut through the back-up of such reports and do big-data analytics of alerts, thus speeding up the process.
In addition to beefing up security, says Attias, she would advise anyone looking to thwart an attack to do serious intelligence work. “There are very few companies that have the money and the wherewithal to protect themselves adequately – and even those who do are not totally safe. Hackers are just faster and better,” she states.
“The answer is to combine the protection with intelligence. Companies need to find ways to get into the closed forums and the deep web, where it’s possible to foresee what is being planned,” she says. “You need to know what your enemies are planning,” and, she adds, “You have to know who your enemies are.”