Repelling A Ransomware Attack: Israel Barak of Cybereason On The 5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack

Authority Magazine
Feb 21, 2022 · 10 min read


Ransomware attacks have sadly become commonplace and increasingly more brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack?
In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack.” As a part of this series, I had the pleasure of interviewing Israel Barak.

Israel Barak, Chief Information Security Officer at Cybereason, is a cyber defense and warfare expert with a background in developing cyber warfare infrastructure and proprietary technologies, including proprietary cryptographic solutions and the research and analysis of security vulnerabilities. Israel has spent years training new personnel and providing in-depth expertise on cyber warfare and security and on threat actors’ tactics and procedures. As Cybereason’s CISO, Israel is at the forefront of the company’s security innovation and its research and analysis of advanced threats.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I was fortunate enough to begin my career in the Israeli Defense Forces, where I had the opportunity to focus on both defensive and offensive cyber initiatives. Following that, I transitioned into the commercial sector and became engrossed in threat intelligence, particularly as it relates to advanced cybercrime groups and the development of advanced cybersecurity technologies. Today, I’ve brought these cumulative experiences together to develop a solution stack at Cybereason that enables organizations to prevent, detect and respond effectively to cyberattacks.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I’d say that it was an accumulation of a number of stories. Cybersecurity has always been a passion of mine, and I’ve had the opportunity to work alongside extraordinary, inspiring people — from my first mentor in the Israeli Defense Forces to my team today — who I collaborate with on a daily basis. Their ingenuity, dedication and team spirit are what inspire me every day.

Can you share the most interesting story that happened to you since you began this fascinating career?

For as long as I can remember, I was keenly interested in technology. During my early University days, I became fascinated with finding loopholes in systems and the intricacies of security controls. This is often referred to as a form of “reverse thinking.” But, that’s essentially what you’re learning when you begin to learn about any new technology — what can be done by exploiting vulnerabilities — and that’s what drew me into a career in cybersecurity.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

First, I think that my tendency for a reverse sort of thinking, and to naturally ponder on ways to find loopholes in systems, is one aspect of my character that drives my continued passion around cybersecurity. That passion is so important for us to help drive ourselves and our people forward. Additionally, over the years I also learned that I’m passionate about sharing what I’ve learned and helping develop and empower others in my organization, specifically by bringing young and new talent into this space. Through this, I’ve gained the ability to not only execute larger and larger goals, but first and foremost, friends for the journey, which has helped me throughout my career and will continue to do so.

Are you working on any exciting new projects now? How do you think that will help people?

Absolutely. For over 6 years I’ve been working as CISO at Cybereason, and have had the good fortune to be at the forefront of the company’s innovation. The technology innovation and service orientation that we continue to build and deliver every day is enabling our customers to disrupt attacks that are targeting them. In some cases, they’re threatened by some of the most sophisticated threat actors out there, every hour of every day, and we must prevent any disruption to their business by ransomware or other threats. On a constant, daily basis I see how our technology and service are successfully disrupting attacks on medical services organizations and preventing damage from cyberattacks that target service providers. This is both exciting and inspiring to me, especially at a time like this. Helping people live their lives the way they know them is at the forefront.

Another thing that I’m truly excited about is the work that we’ve been doing at Cybereason to not only provide an open and inclusive work environment for people from all backgrounds, but first and foremost encouraging people to be themselves. We spend leadership time and attention to make sure we’re actively reinforcing this culture every day, or as we call this value at Cybereason “You-Be-You” (#UbU). It’s inspiring to see how many talented people we’re fortunate to have with us, many of whom may not have come from a traditional background in terms of access to resources or wanting to know that they can be who they are.

For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Ransomware?

As a cyber defense/warfare expert and the CISO of Cybereason, I am at the forefront of security innovation — sharing threat research and analysis into advanced threats — with ransomware at the heart of it all. Cybereason raises the bar through impactful research of ransomware attacks and the tools/processes that organizations can implement to defend against these attacks effectively in today’s climate. In the past year alone, Cybereason has dug into the increase in ransomware attacks over weekends and holidays (that CISA, FBI and the U.S. Secret Service were all briefed on) and the true cost to business of ransomware attacks. I have also helped define groups like the DarkSide and REvil ransomware threat groups, around crucial times of need such as the Colonial Pipeline breach at Cybereason. Most recently, we developed a vaccine for Log4j that offered a permanent mitigation option against the vulnerability. I can share insights from my background in developing cyber warfare infrastructure and proprietary technologies, from cryptographic solutions to research & analysis of security vulnerabilities, which makes me a strong knowledge base to discuss the evolution of ransomware. My 20+ years of experience all allow me to help cybersecurity professionals/businesses detect & address threats before a ransomware attack has a lasting effect on an organization.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of ransomware attacks?

At its core, ransomware is specialized malware that attackers use to encrypt critical information, making it inaccessible to the victim. After attackers encrypt the user’s data, they’ve effectively shut off all access to files, applications, and databases. The attacker then demands payment in the form of a ransom to give the victim access to their data. These attacks are dangerous because attackers often design ransomware to continue to spread across the victim’s systems, escalating the damage as they consider their options. These work through a variety of means. Typically, users receive a spam email and inadvertently download the malware onto their machine. Other methods may include social engineering, malicious website links, chat messages, or thumb drives. After the malware is on a device, it’s typically introduced to the network by an executable file or embedded in macros. As soon as this occurs, ransomware begins its dangerous work of encrypting data and adds extensions to files that make them inaccessible. Some newer, more sophisticated versions of ransomware can infect systems on their own via vulnerable browser plugins. Once a system is infected and critical data is encrypted, attackers have tremendous leverage over organizations and individuals to demand payment.

Who has to be most concerned about a ransomware attack? Is it primarily businesses or even private individuals?

While ransomware attacks can affect private individuals, the potential cost to businesses is incredibly high. Cybereason conducted a study on the true cost to business of ransomware attacks and found that 46% regained access to their data following payment. However, some or all of the data was corrupted and 53% reported that their brand suffered as a result. It is estimated that there is a ransomware attack on a business every 11 seconds on average, and the FBI reported an increase of more than 225% in total losses from ransomware in the U.S. in 2020 alone. Longer term impacts can include diminished business revenue, damage to the brand reputation, loss of key executives and employee layoffs, loss of customers and strategic partners, and, in some circumstances, can even impact the viability of the business altogether.

Who should be called first after one is aware that they are the victim of a ransomware attack? The local police? The FBI? A cybersecurity expert?

When business organizations are impacted, the first call should be to the cybersecurity incident response team, either one that is organic to the organization or one that is on contract with the capabilities to step in. Similar to a trauma response, the first step needs to be to contain the situation, prevent further damage and reduce risk to unimpacted, sensitive data. Parallel to this, to execute the recovery and mitigation plan, multiple internal parties must be called in, such as legal counsel and the heads of the various business functions, as well as potential external parties, like cyber insurance providers and law enforcement, among others.

If a company is made aware of a ransomware attack, what are the most important things they should do to protect themselves further, as well as protect their customers?

First, you need to have a plan. That is paramount. Secondly, you need to test that plan during times of peace. Based on a recent survey that Cybereason did, encompassing over 1,200 organizations globally, only 73% of businesses believe that they have an effective plan in place to mitigate a ransomware attack. This means that over a quarter of businesses sampled are relying on nothing but the mere hope that the next ransomware bullet won’t have their name on it. This is the ground that ransomware groups thrive on, and one that can be avoided through proactive forethought.

Should a victim pay the ransom? Please explain what you mean with an example or story.

A victim should never pay ransomware attackers. First off, paying the ransom doesn’t mean that your organization will regain access to its encrypted data. Too often that is because the decryption utilities provided by those responsible for the attack sometimes simply don’t work properly. Such was the case with the ProLock ransomware strain back in May 2020. As reported by Bleeping Computer at the time, the FBI found that ProLock’s decryptor might corrupt files larger than 64MB. Investigators went on to warn that victims could experience integrity loss of as much as 1 byte per KB for files over 100MB. Additionally, organizations could incur penalties from the U.S. government for paying ransomware actors who may reside or operate out of countries who are subject to U.S. sanctions. Finally, organizations who pay the attackers are sending the message that extortion schemes work on them, a message which malicious actors could use to justify subsequent attacks and extortion attempts.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

When organizations do not properly address the most common ways that hackers can get access to their information, attackers are able to get into their network — essentially because the front door was left open through things like phishing emails. If these are proactively mitigated and protected, an organization can dramatically reduce its attack surface. Additionally, another key mistake is that organizations assume that if they run proper security hygiene protocols, threat and ransomware actors will not be able to access their networks. The reality is that a lot of cybercrime gangs today operating ransomware campaigns have humans in the loop, not automated machines, who are driving the processes. With an intelligent opponent, they will find a way to get in. To mitigate this, plans must create a high-walled barrier for an organization, and it must also become adept at finding, detecting and responding to an attack that has made its way into the network.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

Ransomware is a lucrative business, and cybercriminals will continue to use it as long as it is profitable. Once an organization has been hit with ransomware, there are no good options, so it’s important that we work together — between the public and private sectors and as a global community — to disrupt RansomOps. While we work toward that goal, though, organizations need to be able to defend against ransomware today. You have to have an operation-centric solution to prevent ransomware from happening in the first place.

What are the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack” and why?

  1. Device Control: Device control and personal firewall capabilities prevent unfamiliar USB devices from accessing the machine and unsafe websites from being visited.
  2. Phishing Protection: A strong phishing protection mechanism will be able to detect suspicious document behavior and prevent any malicious macros from running.
  3. Fileless Protection: If a threat is able to gain initial access and start to run, a layer of fileless protection can recognize and analyze that activity, as well as the malicious use of PowerShell or .NET.
  4. Exploit Protection: Exploit protection identifies when an attack is trying to exploit a vulnerability in the OS or to execute a zero-day, and blocks it.
  5. Anti-malware: Anti-malware capabilities detect known and unknown malware and block them once executed.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

I would feel passionate about an opportunity to inspire a movement to increase diversity in cyber security, to help close the talent shortage, by investing in helping people from more diverse social and educational backgrounds grow as cyber security practitioners.

How can our readers further follow your work online?

Check out Cybereason’s blog (my posts can be found here) and Cybereason’s Nocturnus research for details into ransomware prevention and detection.

This was very inspiring. Thank you so much for joining us!
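Editor’s added example, not part of the interview and not Cybereason’s product code: the five controls listed above are described at the capability level, and a reader may reasonably ask what enforcing them looks like on an actual endpoint. On a Windows host, the first three and part of the fourth and fifth can be put in place with built-in tooling alone, and the script below does that: it disables the USB mass-storage driver (device control), turns on Attack Surface Reduction rules that break the macro-to-dropper chain (phishing protection), enables PowerShell script block and module logging so fileless activity is visible (fileless protection), enables system-wide memory-corruption mitigations (exploit protection), and then reads back what is actually in force. It assumes an elevated PowerShell 5.1+ session on Windows 10/11 or Server 2019+ with Microsoft Defender Antivirus active and its module (`Add-MpPreference`, `Get-MpPreference`) present. The ASR rule GUIDs are quoted from memory of Microsoft’s ASR rule reference and should be checked against that reference before deployment.

```powershell
#Requires -RunAsAdministrator
# Editor's added example (not from the interview, not Cybereason's product code).
# Assumptions: Windows 10/11 or Server 2019+, Microsoft Defender AV active, elevated
# PowerShell 5.1+. ASR rule GUIDs are from memory of Microsoft's reference: verify them.

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# --- 1. Device control: stop the USB mass-storage driver from loading.
# Start=3 (demand start) is the Windows default; Start=4 disables the service.
# This blocks ALL USB storage, backup drives included; scope it by GPO in production.
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$before  = (Get-ItemProperty -Path $usbstor -Name Start).Start
Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord
"USBSTOR Start: $before -> 4 (disabled; applies to newly inserted devices)"

# --- 2. Phishing protection: ASR rules that break the macro -> dropper -> payload chain.
# Deploy in 'AuditMode' first, review the audit events, then switch to 'Enabled'.
$asrRules = [ordered]@{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office apps from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office apps from creating executable content'
    '92E97FA1-5D0C-4C4B-9E79-3B04DFA3E5C2' = 'Block Win32 API calls from Office macros'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email/webmail'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Block untrusted/unsigned processes run from USB'
    # These two back item 5 (anti-malware) and post-access credential theft:
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}
$mode = 'AuditMode'   # change to 'Enabled' once the audit log is clean
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $mode
}

# --- 3. Fileless protection needs visibility. Script block logging records every
# script block as executed (event 4104 in Microsoft-Windows-PowerShell/Operational),
# after any runtime decoding, so obfuscation does not hide it. Module logging adds
# pipeline detail (event 4103).
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord
$mod = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
New-Item -Path "$mod\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path $mod -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$mod\ModuleNames" -Name '*' -Value '*'

# --- 4. Exploit protection: system-wide memory-corruption mitigations
# (HighEntropy ASLR requires BottomUp).
Set-ProcessMitigation -System -Enable DEP,SEHOP,BottomUp,HighEntropy

# --- Verify what is actually in force: the check to run after any such change.
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
for ($i = 0; $i -lt $ids.Count; $i++) {
    $state = switch ([int]$actions[$i]) { 0 {'Disabled'} 1 {'Block'} 2 {'Audit'} 6 {'Warn'} default {"code $_"} }
    $key   = $ids[$i].ToString().ToUpper()
    $name  = if ($asrRules.Contains($key)) { $asrRules[$key] } else { '(rule not in this script)' }
    '{0,-8} {1}' -f $state, $name
}
'ScriptBlockLogging = ' + (Get-ItemProperty -Path $sbl -Name EnableScriptBlockLogging).EnableScriptBlockLogging
'USBSTOR Start      = ' + (Get-ItemProperty -Path $usbstor -Name Start).Start
```

Two practical caveats. First, the ASR rules start in audit mode on purpose: the Office child-process and Win32-API rules break legitimate add-ins often enough that turning them straight to Block without reading the audit events will generate a helpdesk queue, which is how such rules get silently rolled back. Second, script block logging produces volume; the value comes from shipping event 4104 to a SIEM and alerting on the usual markers (encoded commands, `IEX` of downloaded content, AMSI bypass strings), not from the local log alone. None of this replaces an EDR or a tested, offline backup, which the interview’s point about planning and testing “during times of peace” still covers.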
