TO TRULY DEFEND, YOU MUST THINK LIKE THE ATTACKER
Shay Nachum, founder and CEO of Cyght and Israel Defense Prize laureate, explains how integrating offensive capabilities into a defensive framework enables real-time detection and disruption of cyberattacks

It was no routine cyber incident, nor did it feel like one that morning in the gas and energy company's war room. Panic was palpable as lines of code from a foreign attack group raced across the screens, and servers began locking down one after another in a predatory cascade of encryption.
"The company called us in extreme distress," recalls Shay Nachum, founder and CEO of Cyght, a company specializing in detecting, penetrating and preventing cyberattacks in real time. "They were watching 20 machines being encrypted before their eyes, and realized they were losing control of a critical piece of national infrastructure."
At that stage, time was the greatest enemy. Cyght had no prior access to the client's network. Under normal conditions, establishing secure remote access is a bureaucratic and technical process, requiring VPN connectivity and the configuration of permissions across organizational systems. It can take hours, time that the energy company did not have.
Nachum and his team acted quickly, initiating an emergency Microsoft Teams call with the company's IT staff. Using Teams' remote control of an endpoint computer, they injected a dedicated PowerShell script they had developed in advance.
The outcome reads like a scene from a thriller. Within 60 seconds of the call being placed, Cyght's code disrupted the attacker's operation inside the network and halted the encryption process. "That was the moment when the tension in the room transformed into a collective sigh of relief," says Nachum. "We proved that it's possible to stop a nation-state attack in real time, even when starting from a position of total disadvantage. For us, protecting the client is foremost. We don't stop until we achieve an unprecedented result."
Combining defense and offense as a critical force multiplier
This ability to act decisively and with precision at the heart of the storm is not something that simply happens. It is part of Cyght's extensive arsenal of capabilities, which blend into a unified operational approach that combines offensive cyber operations, advanced penetration testing and rapid incident response (IR).
Beyond being able to disrupt encryption processes and neutralize malicious files without shutting down operations (capabilities developed exclusively in-house), Cyght offers Red Team services to assess an organization's cyber resilience. In doing so, it brings nation-state cyber techniques to the workbench of civilian organizations and critical infrastructures.
"To truly defend, you must think like the attacker," explains Nachum. "Contrary to the conventional market approach, which separates the defensive and offensive teams, we integrate the two capabilities, both inherently and simultaneously. This combination is a critical force multiplier. It allows us not only to detect breaches in real time, but also to stay a step ahead of the attacker and neutralize threats at source."
The blend is not only technological, he says, but also strategic. "Ultimately, we know how to provide the client with clear, unequivocal answers. We reconstruct the attacker's moves, analyze the intrusion path and verify whether there has been data manipulation. This allows us to determine with certainty the impact of the attack: whether data were leaked and, if so, their scope and sensitivity. There's a vast difference between a 100-megabyte leak and one comprising terabytes. These figures are critical when dealing with regulators and can decide whether an organization faces hefty fines and sanctions."
Examining the intrusion path, explains Nachum, is essential for preventing future breaches of this kind. Even when an attack succeeds, his team can identify whether the attacker has embedded persistence mechanisms that would allow them to regain access later, after, say, a system reboot. Cyght can also determine whether files remain trustworthy following an invasive attack. The ultimate goal is to restore the company's confidence in its digital assets, its processes and the systems themselves.
Artificial intelligence — an entirely new attack surface
Shay Nachum is a graduate of the IDF's Center of Computing & Information Systems (Mamram), where he held roles ranging from offensive positions to head of Cyber Defense. Today he remains active in the Center's alumni association. Concurrent with his military service, he completed bachelor's and master's degrees in information systems engineering at Ben Gurion University and the Technion. Following his discharge at the rank of captain, he continued working in sensitive state projects. Their details remain classified but his efforts, together with those of his team, were recognized with the Israel Defense Prize.
In 2018, Nachum decided to leverage his extensive experience as a cyber researcher, ethical hacker and expert forensic and malware analyst to build a business. He created Cyght, a company that serves both startups and large organizations with high-risk profiles, which handle sensitive information and are subject to strict regulation. Among them are banks, financial institutions, insurance companies, industrial plants, energy firms and critical infrastructures. Cyght's solutions are essential for their risk management and serve as a foundation for informed managerial and security decision-making.
As a cyber warfare expert, how do you see the impact of AI on the digital battlefield?
"We're at the dawn of a transformation greater than the Industrial Revolution," responds Nachum. "The shift is evident in the collapse of entry barriers: operations have become easier, more accessible and, above all, exponentially faster. AI enables attackers to operate with previously unseen scale and precision. It represents an entirely new attack surface, far beyond being a tool for attackers. Compromise of an organization's AI systems can give attackers the key to full control over the entire enterprise."
A new operational concept
On the offensive side, Nachum points to emerging capabilities for penetrating systems, machines and operational technologies. He emphasizes another equally dangerous dimension. "We're witnessing a move from purely technical attacks to large-scale influence operations targeting human perception and decision-making," he says. "AI enables aggressive, highly personalized influence campaigns that are extremely difficult to identify as fabricated."
These capabilities take on even greater significance in the face of nation-state threats. "This brings us directly to Iran," notes Nachum. "Iran is no longer just targeting servers. It's using these tools to create cognitive chaos and strike critical infrastructures in ways that are increasingly autonomous."
The growing cyber threat from Iran
Iran has become a significant cyber player, combining technological expertise with psychological warfare, continues Nachum. "A key driver of this evolution is its tightening cooperation with Russia. We're seeing a steady transfer of knowledge, tools and methodologies from Russia to Iran: a dangerous combination of Russian technology and experience in targeting critical infrastructures, and the Iranian wish to destabilize Israel. They're no longer just breaching servers, they're trying to create disruption and chaos by damaging, for example, hospital systems and energy grids, then amplifying the impact on social media to generate public panic."
This shift, he argues, demands a new mindset from Israeli organizations. "The Iranians exploit the fact that many organizations still defend themselves with yesterday's methods. Our enemies use automation and AI to identify Israeli supply-chain vulnerabilities, and, once inside, their goal is to inflict maximum damage in minimal time."
Cyght is responding by unveiling a new operational concept at the upcoming Cybertech conference. "Our approach combines offensive tactics, threat intelligence and real-time defense," concludes Nachum. "At the conference, we'll demonstrate how combining offensive capabilities with early threat detection not only blocks breaches, but also disrupts the attacker's logic before any damage can occur."
In cooperation with Cyght