Y. is a clerk at a branch of a major bank in the center of the country. One day he arrived at work to find a surprise awaiting him – a new keyboard.
Truthfully, if he were going to get a present, Y. would have preferred a raise or a restaurant voucher to a keyboard. But as the saying goes, if they give you something, take it. The old keyboard was tossed in the trash and Y. connected the new one to the computer.
“In reality, there was a chip in the keyboard that enabled us to install malware in the bank,” said Ram Levi, founder of Konfidas, a cyber-defense consulting company. “There was a kind of device inside the keyboard that tells the computer it’s a keyboard, but it isn’t just a keyboard. The goal was to find out who wasn’t alert – and in this case, we succeeded.”
Success, for Konfidas, means being able to get its software into the bank’s system.
Levi founded Konfidas in 2013 with the goal of providing solutions to businesses on cyber issues. It advises its clients on regulation in the field and carries out mock attacks to examine their preparedness for and management of cyberattacks like the one on the Shirbit insurance company in December 2020, in which a group of hackers damaged the company’s information systems and leaked personal data about insured people.
In 2015, Levi was joined by Eli Zilberman-Caspi, who is now in charge of the company’s response to cyber incidents. Konfidas employs around 20 people.
It has also started to offer an outsourcing service to small businesses in which, Levi said, the company essentially serves as the client’s information security department. “This is a growing market segment,” he said.
- Does crime pay? A conversation with a hacker targeting Israel
- This Israeli dropout is on the front lines against Iran
- ‘Ideological cyber terror’: Israeli firm refuses to pay hackers’ ransom
When companies are required to meet stringent regulatory demands, he explained, “a small business has no chance of doing this on its own. This is a huge market failure that isn’t really being talked about.”
Together with the Zim shipping company, Konfidas has also formed a subsidiary that provides cyber-defense services to global shipping companies. “We take our knowledge and Zim’s and make it available to shipping companies abroad,” Levi said. “All shipping companies are under crazy assault by cyber attackers. There’s zero regulation, because shipping companies aren’t considered critical infrastructure, unlike ports.”
‘Insurance companies exclude cyber’
One industry for which the increase in cyberattacks has created problems is the insurance industry.
“Insurance companies exclude cyber from their policies, because they have to make sure they haven’t assumed a hidden risk – a risk they aren’t aware of,” Levi said. “We did some work with one of the world’s major car companies and the insurance firm Munich Re about the effect on insurance prices for autonomous vehicles with and without cyber defense.
“Tesla abroad is an autonomous vehicle, but there of all places, cyber insurance is excluded. The moment cyber insurance is excluded and you have an accident because of cyber, effectively, you don’t have insurance.”
So do owners of autonomous vehicles need to purchase cyber insurance as well?
“No, because this option doesn’t exist,” Levi said. “Nevertheless, the insurance commissioner required insurance companies to examine their exposure to cyber risk by the end of August. For instance, if they sold a car insurance policy and didn’t exclude cyber risks, they have assumed risk without noticing it and without taking it into account in the price.”
If I don’t understand cyber, who is supposed to protect me as an insured person?
“Insurance companies have excluded cyber from their policies, but it’s now possible to purchase special insurance for extra money. And that’s what they do.”
Which vehicles are vulnerable to attacks?
“Today, every car has an ABS system, and therefore, they’re vulnerable,” Levi replied, referring to anti-lock braking systems. “There are simple attacks on an entire vehicle fleet, or more complicated attacks – like taking control of the brakes so you can’t stop. But when the entire fleet is computerized, you can hit 1,000 vehicles at one go.”
How worried should I be about this?
“As a private individual, you don’t really need to be worried about this. In contrast, a company whose business is renting or leasing cars has to take this risk into account.”
How do you manage a cyber event? Do you have to bring in a bunch of media advisers, legal experts, programmers and so forth?
“Some of these people come from within Konfidas, and the rest from companies we work with.”
When do you need to start managing a cyber event?
Zilberman-Caspi took that question. “Immediately,” he said. “When you postpone managing the event, mistakes are made, and then it’s harder to fix them. But the right question is how long it takes to exit the crisis.”
Sometimes, a company doesn’t know it has been attacked. In 2012, thousands of Israelis had their credit card information exposed due to security flaws in the websites of Israeli companies, in what became known as the Saudi hacker affair. “He wasn’t Saudi, he was in the vicinity of Saudi Arabia,” Levi corrected.
Aren’t you blaming everything on Iran a little?
“No,” Levi replied. “Israel has a tendency to spotlight state-sponsored incidents, but most attacks worldwide, including in Israel, have financial motives. An attacker comes along, and he wants money. The media doesn’t cover this, because most such attacks are too small and the companies don’t report them.”
When is an attack “too small”? 1,000 euros in bitcoin?
“Even less,” Zilberman-Caspi said. “It’s called ‘spray and pray.’ If you attack a lot of companies and you get a small payment from each of them, it gives you a lot of money in the end.”
How new is your niche as cyber consultants?
“The consulting isn’t new; it’s a consequence of regulation,” Levi replied. “It began with two global trends – protecting privacy and information security. The demand is created by the companies.
“The coronavirus crisis produced a wave of cyberattacks that stemmed from the fact that companies opened their networks to allow working from home,” he added. “Organized crime rings lost their income in the physical world, so they were looking for other worlds and arrived at cyber. When there’s zero enforcement, it’s very hard to catch them, so it becomes a paradise for criminals.”
It's difficult, but is it possible to catch cybercriminals?
Levi: “It requires work and creativity, but if they catch pedophiles, it’s certainly possible to catch cybercriminals.”
How easy is it to carry out cyberattacks on companies?
Zilberman-Caspi: “It’s not complicated. You purchase an attack tool on the darknet, which will cost you $5,000, and a month later, you can attain revenues of $100,000.” (The darknet is an area of the internet that requires specific software or other access).
Do you need know-how?
Zilberman-Caspi: “Not really.”
Levi: “In the attack on the Colonial Pipeline oil pipeline on the West Coast of the United States, an attack organization called Dark Side was involved. There’s a small group that develops the original code, and the attackers leased the code from them and split the proceeds from the attack with them. In the case of Colonial, they demanded $4.5 million and the writers of the code received 20 to 25 percent of the ransom demand. In the Colonial case, the FBI seized the code writers’ account and returned a portion of the money. But that’s a rare instance. There are a considerable number of such groups sitting in Eastern Europe and in Russia developing the attack tools and dividing up the profits.”
Why would I share an attack tool that I created with someone?
Zilberman-Caspi: “You can work alone, but you need to do work on the ground, finding the companies that are easy to attack. It’s a question of specialization. The writers specialize in the technology, and they are constantly improving it. It’s the same as any technological development. There are those who do the development and those who distribute it.”
Levi: “Those who carry it out need entirely different capabilities. The don’t need to understand the code and how the encoding works, but rather the weaknesses of the other side. The need to know where to attack from and how.”
And doesn’t that require a certain education?
Zilberman-Caspi: “Yes. There are two types of attackers. The first type involves an attacker who is inside a company’s network for months, lurking around, studying it and only attacking after that. It can take eight months before he attacks. Such attackers are very sophisticated. But there are also the less sophisticated attackers who use attack tools that they buy on the internet.”
Dealing with cyberattacks
From the standpoint of the party that is attacked, how does the attack unfold?
Zilberman-Caspi: “It usually begins when the client receives a ransom notice or an alert from the Israel National Cyber Directorate, or discovers that things are not working correctly. After he carries out his internal checks and discovers that he isn’t managing to deal with it alone, he calls an outside firm – and that’s what we do on a day-to-day basis. A doctor also can’t operate on his grandmother, because he has emotional connections to the subject and needs someone from outside who is dispassionate. Many times, we discover management that doesn’t recognize the subject, a psychological repression of sorts.”
Why is it important for management to acknowledge that it is in the middle of a cyberattack?
Zilberman-Caspi: “Because it needs to shift the organization into emergency mode. There’s significance to the fact that everyone is mobilized, that everyone’s schedules are freed up and that they’re on combat footing. ]שעון לחימה[ The entire organization shifts to deal with the crisis. Every morning there is a situation assessment of various kinds – technical, public relations, intelligence. There’s a work team that oversees the tasks – how to sever the attackers’ connection to the information, how to contain what has been hit. A cyberattack incident is a very complex event from many perspectives.”
How much time does it take?
Levy: “When the attackers go in and extract information, the information is already on the outside. Notification needs to be made to regulatory agencies, to those with an interest and so forth. Around the world, on average, a cyberattack shuts down an organization for 23 days. In Israel, it’s less – 10 to 14 days. An organization that isn’t working is an organization that is losing money, so an incident like this needs to be managed. For example, if someone takes over all of an organization’s passwords and now needs to replace everything, it can take two to three days.
Zilberman-Caspi: “Especially when the passwords move among systems. It’s very complicated to rebuild the connectivity among systems and that can take a lot of time.”
Levi: “Both the police and the regulatory agencies get into the picture, and they want individual forensic reports and there will be a question regarding every section and reporters asking questions. This incident doesn’t end on the inside and that injects a great deal of pressure. You also need to know how to manage it vis-à-vis the regulators and the police so they don’t interfere in the course of the incident.”
How many companies have not recovered from a cyberattack?
Levy: “Very few. How the company deals with it depends on the questions of the extent to which is protected and what mechanisms it has, and how it managed the incident. There are studies that show that companies that have undergone a cyberattack have even shown better results afterwards, because its entire IT [information technology] network is revamped. Everything is updated and upgraded and the company becomes more efficient.”
Meaning that a cyberattack can be good for a company?
Zilberman-Caspi: “Every incident has its positive and negative side. If an organization manages an incident well and enlists management and interim management, it creates strength, and it emerges from such an incident more unified as a company. On the other hand, the Australian logistics company Toll, for example, didn’t manage a cyberattack incident well and two months later, it was attacked again.”
How did they go wrong?
Zilberman-Caspi: “The restart was not complete. When you restart a system, there’s a chance that not everything has been cleaned as it should have been and that the attacker is still in the system.”
How much does a cyberattack cost a company?
Levi: “About $250,000 on average.”
Most of the attacks are out of financial motives. Are there situations in which you still recommend paying the attacker?
Levi: “Yes. Sure, but in most instances not.”
How do you know that if you pay, you won’t be attacked again?
Zilberman-Caspi: “Cyberattack groups have a prestige of their own. If the attack is from the Ragnar Locker group, whose model is that if you pay, we won’t release the information and reveal your weaknesses on the internet, you probably won’t be attacked again.”
Levi: “There is a business logic to protect prestige, and if someone harms the prestige of a hacker group, they act against him, because it harms their business model. There are situations in which it’s not legal to pay – for example, American money-laundering or trade sanctions and it’s therefore important to check whom you’re paying.”