Dirk WAHLEFELD, Head of Presales EMEA & US, CYFIRMA-PRIANTO @ CYBERWAR CONFERENCE – HOW DO WE BUILD OUR CYBER RESILIENCE organized by Digital Transformation Council, Mobile Communications Magazine and TelecomTV.ro on April 1, 2022.
We know cybersecurity leaders face an uphill battle – outsmarting hackers, averting digital risk, and protecting data and infrastructure require super-human effort. CYFIRMA was founded to address this precise challenge – identify hackers (who), understand their motive (why), interest (what), attack readiness (when), and methods (how). Only by connecting these dots, can cyber defenders mount effective strategies to counter cyber risk before they occur with CYFIRMA’s predictive Cyber Intelligence.
I’d like to explain to you the value of prediction or predictive intelligence. Cyfirma is a market leader in the area of external threat landscape management, which means we are viewing organizations from the outside as hackers would do with all the available information, but with a different objective, obviously.
So who is Cyfirma? Just some brief words ahead. Cyfirma is still considered to be a startup founded in 2017 upon a great idea, by our CEO, Kumar Ritesh, who has some reputation history in intelligence services in general and cyber intelligence in particular. Out of this experience, and business background, he has founded an idea, which was then proposed to some investors. And I would like to mention Goldman Sachs in particular, in this case, as its policy to invest in startups or into organization is usually to start in a third or second round of funding. But Goldman Sachs must have seen something valuable in us and our solutions, as they decided to be one of the initial investors. We were able to win a decent number of well known customers and we were also able to win different awards in a particular cyberspace.
LIVE VIDEO CONFERENCE
So why are we doing what we are doing? You need to understand that threat actors campaigns attacks on assets, they have a history. With the invention of networking, the capabilities were given also, to try to somehow provide harm to systems to individuals also back in the 70s. But with the rise of the Internet in the 90s, and the new capabilities of this international technological networking, the methods the services offered, and provided and also the methods how to have grown significantly. They’ve turned from simple into sophisticated and solid also the possibilities of threat actors of hackers of bad guys.
So what does that mean for today? We have a mindset today. First of all, you may be aware of the saying „you have been breached, you have been hacked. So you either know or you don’t know.” That’s the current situation. And interestingly enough, this particular situation applies to really many organizations, not all of them, but many, many more than you would expect. What does that mean? Organizations have understood that they have to put in security controls, because the overall objective of IT security is to protect valuable assets, valuable digital assets, might it be a construction plan, might it be a customers list, might it be a vendors list with all the details about discounts and certain other critical numbers. So this is something which needs to be protected, because this is the foundation of the operation of the financial success of an organization.
For them, these organizations have already taken actions to protect the access to those IT services by implementing privilege management, by securing the infrastructure, the networking segregation also then agile networks. Now with the last two years of COVID, and the implications on our work behavior, working from home office being out of a secured physical infrastructure, the endpoint security has become even more important. And we’ve also identifying that the security parameters may change now that the focus is set on identities on accounts and their access permissions. So but this is the inside view, and the outside view is still something shady. So this is not something which organizations may have understood how to achieve a security or a level of security of a high standard from that particular outside view. So you may have these SOC implementations, which is then also an interesting effect, which I would like to show.
So what it comes down to is everything is focusing on that particular point in time when a breach happens when an attack happens when the execution of malware is initiated. So what customers and organizations from our point of view are missing are the predictive element to know when and how and why by whom something bad will appear towards me, towards my organization.
So what does that mean? You might be aware of the Kill Chain. So this is a seven stage experience. From a hackers perspective, it starts with the stage number one, where information is gathered, are there any weak spots? Is there any vulnerability detected, which is not publicly announced. Are there any misconfigurations out there to IT assets which are exposed to the internet. So these are all the information which may be used in a combination to start the weaponization, which means that code is constructed code is developed to make use of that weakness, which is then delivered, you might be aware of the different methods of delivery? Is it spoofing? Is it intrusion? Is it fishing?
So these are the common methods you might have heard off from media. But once that delivery was successful, the exploitation starts. And that’s the point between station number three and station number four, the actual campaign is enrolled into execution, which means that is the point in time where the attacker is starting with the ultimate objective to either gain back the financial benefits of this activity or to exfiltrate data, which is then used in other manners, or to take over control of infrastructure parts.
So these are then the traditional approaches to react. And this is the point where we find that that is not enough, we would like to be able to enable our customers to predict that upcoming event, so that we are applying and providing to our customers, the predictive intelligence as we call it, that doesn’t mean that we’re solely focusing on stage one and stage two, it’s also that we have capabilities and features around for the other five stages still, but the most important part is not being attacked, but knowing of the upcoming attack, which allows the organization to step out of the way to remove itself as a target. And I think this is the most valuable information and the most valuable approach, because reacting to something which you might experience and the pronunciation is explicitly on might experience doesn’t mean that you experience everything. Right? So it’s a combination of multiple approaches, multiple tools to raise the level of security, we all need must be aware that there will be no 100% of security. But we are able and we support our customers to introduce our tools into the security concept, into the IT security concept of an organization to raise the level of security up to 100%.CYFIRMA-ETML-Strategies-to-Counter-Emerging-Threats-Ver1.2-15Mins
Our solutions target both the individuals and the companies. Right now our main focus is on companies and organizations but we also are sharing a tool which is called Defense from Cyfirma, which is available in the iOS App Store and Google Play Store which is for your personal objective. So what does that mean in terms of our competitive landscape?
So, stage number one and stage number two – reconnaissance and intrusions -, these are the actual domains where we are the leading organization, the leading vendor of solutions compared to others, as said, we do have also our support for the rest of the stages, but being that predictive and providing predictive intelligence is kind of unique in the market right now. I would like to give you a real world example. So when we look at the particular kill chain on the one hand, and also take our intelligence results, on the other hand, there is an organization which is called Toyota Japoauto and this one has been specifically targeted. The reason why we know this is we have infiltrated and we are able to absorb and harvest information out of various different kinds of sources. So we’re looking at the Internet of course, we’re looking at the deep web and also the dark web. And we’re looking into the dark web, we’re actually in every kind of web into communication channels, File Exchange repositories, even if they are secured and encrypted.
So we are able to track communication within and close Telegram groups on site and chat rooms. This is all something where we extract data from with the objective to use the data in correlation to build a complete picture about the cyber threat landscape, the actual situation either in a generic approach, like you would see here with the target industry as automotive or financials or energy, we also focus geographies. So, this is something where we correlate the data. We know which campaign is enrolled, which ransomware in that particular case is used to attack that particular organization. We give background information about the time to live in terms of when did it start, we give the insider threat information. So, what is the objective of the individual attacker, we also give the context about any kind of use vulnerability or exploit and also the target of that particular exploit which means in that particular case that malware is focusing on Active Directory infrastructures to exfiltrate.
It’s an overall procedure is an ongoing procedure to collect that particular information to correlate the data and to build and paint a picture every new day. Because the landscape is constantly changing. You might not be a target today, but you will be a target most probably tomorrow and you need to know and this is not a situational at a point in time. Relevant information is an ongoing stream of information. So with that particular real life example we set we know what type of malware will be used. And we also are available to understand where in that particular kill chain that campaign is right now. It’s like a project forth going. We’re also able to understand the attack methods, the technology is being used, the procedures being used. And this is also something we then condense into a report for our customers to allow them to understand what is going on. So in that particular case, there are particular sensitive files taken into hostage where the threat actors are demanding a decent amount of money from that particular organization to release and to give back that property. And they are publishing a countdown until, for instance, these files are now being published. So that’s the real live example.
So, if you receive such a report from us, it means that there is some substance behind this and with that, you will be frightened at first, but understanding that this is exactly the predictive approach gives you time to react. Yeah, but react before that particular event will happen, unlike the traditional approaches to react after that particular event has happened. With that, we are proposing our what we call six intelligence views. So, we are gathering information from our customers and they provide us about their attack surface, which means we are asking them for acid information, which means what type of hardware software services are you using, we are also then asking for what we call keywords which means are the particular areas of interest like specific domain, like specific users, like specific business outcomes, revenue outcomes, all that kind of business related information which might have some beneficial information to the dark world is something we put into consideration.
On the other side by harvesting that critical information out of these three layers of the of the web is something where we understand the current vulnerability situation. So we are creating vulnerability intelligence saying so these are the weak spots, these are the weak activities right now. And we map those we correlate those and we tell the customers according to their given asset and keyword list, this is heading towards you, which means in the third step, that we are also able to provide brand intelligence. So given the current situation in the Ukraine, let’s say, it is most important for certain organizations to understand for instance, if they are part of a supply chain which results in a product which might have impacted the Ukrainian situation either supporting Ukrainian forces or people or the Russian side, which then puts them onto a particular spot of targets of interest. So, there has been a food and beverage organization out of fear of being attacked last week by Anonymous for that exact reason and this is the reason why we provide also we create a digital risk protection profile saying okay, so, this is your situation out there, this is the reason why you are under attack with the following approaches or possible approaches by the following threat actors.
As I said before the situational awareness, so geopolitical situation, financial worldwide financial situations, also like the US elections two years ago the COVID situation. So these are all certain situation we take into consideration for the correlation which then ends up in that very centric and very focused cyber intelligence approach, which means we are able to create information for our customers which is predictive, personalized, multi layered, so for the different objectives out of the organization for executive level management level, but also the operations level, where we provide the most possible value to our customers being predictive, being proactive and take themselves out of a critical situation.
In Romania, our main targets are energy and financial sectors right now, but that is not only related to Romania, it’s overall. So given the current geopolitical situation with the in with Russia invading the Ukraine, and also with the subsequent activities, for instance, taking Russia and Russian financial systems out of the Swift, and also discussing in Central Europe, the situation about energy supply in terms of oil and gas, and therefore, that the Western or European countries are now discussing what will be the alternative instead of a Russian vendor. So, this is then the initiative for cybercriminals per state order in certain cases, to attack the one or other industry to give some implications to rethink or to make rethink their decisions, whether or not to turn away from Russia supply or remain in that particular situation. So, there’s a bunch of influencing factors from a business perspective, from a political perspective, which result into certain campaigns and certain activities in the cyber world as threat actors try to do harm to organizations, whether it’s business or also governmental. That’s also the case. So there’s a lot of things going on right now.
The cyber world is not necessarily bound to geographical territories. So what Romanian organizations (business related organization or a governmental related organization) should be aware of is a possible attack surface. And the situational awareness or so given the political situation financial situation, economical or health situation is something that has to be taken into consideration, because business decisions are a key driver to become a target.