CYBR Whitepaper: Executive Summary
Over $1B in financial losses occurred in the cryptocurrency space in 2018… and these were just the reported incidents. The primary cause was due to hackers who were able to circumvent the countermeasures and safeguards that exist in the crypto ecosystem. With an ever‑increasing market cap, these financial losses will continue to mount until a “standard of care” is established and proper cybersecurity policy, procedures and controls are established.
Enter CYBR.
A Stolen Horse
Growing up in Virginia, I am often reminded of an expression Southerners use: “You don’t lock up the stable after the horse has been stolen.” When weighing the need for cybersecurity in the blockchain space, this old adage could not apply more nor be more appropriate.
An Abbreviated History
The parabolic rise and volatile nature of cryptocurrencies portends the enormity of its potential impact. There is widespread speculation. Some pundits predict a cashless society in less than a decade, and the more outspoken supporters of Bitcoin predict a price that shall eventually crest seven figures. The detractors, irrespective of authority and stature, utter a single word in dismissing the viability of widespread adoption, and that word is “scam”. Not a pretty word. While it certainly speaks to the level of threat the old guard senses from the emergence of crypto and decentralized systems, it also smacks of a fundamental concern that these “monies” can be taken as easily as they can be created.
While swindlers and charlatans can be found in all businesses, if digital assets and virtual currencies cannot be secured, they can not be widely adopted. The irony of course is that crypto and blockchain technologies have garnered public support as a result of a collective distrust for our existing governments, monetary policies and fiat currencies on the whole. Certainly, there is compelling evidence that points to governing corruption across the globe. What can be said about crypto?
Consider the following:
- In June 2016, Decentralized Autonomous Organization (DAO) had 50mm stolen. Running on the Ethereum network, written in the language of Solidity, a simple flaw was responsible.
- In 2014, Mt. Gox filed for bankruptcy claiming it had lost 750,000 Bitcoin.
- In January 2018, Coincheck, a Japanese cryptocurrency exchange, was hacked for approximately 534mm USD.
- After being hacked in April 2017, South Korean Exchange Youbit stated it did its “best to improve the security, recruitment and system maintenance.”
- In December 2017, Youbit was hacked again, losing 17% of its total crypto holdings. Parent company Yapian filed for bankruptcy.
- Bancor raised 153mm in June 2017 to develop a decentralized liquidity network, i.e. a decentralized exchange of the highest order. In July, it was hacked for 23.5mm.
- On the same day as Bancor, a hack on a popular VPN compromised “My Ether Wallet (MEW),” a widely-used service to manage ethereum network cryptos.
The list could go on. Still, it would be remiss not to mention the astonishing number of individuals who have been hacked or scammed out of their crypto. The laundry list continues as high-profile ICOs have been victimized by phishing attacks, and there has been no shortage of exit scams in the space. Even simple human error can be costly as one unfortunate individual learned when he inadvertently spent 50 Bitcoin in transferring fees.
Hacking and Internet-based crimes are not unique nor confined to crypto. A 2017 Norton Report stated that $172 billion was hacked from nearly a billion consumers worldwide. More than half the adult population online can count themselves as victims of cybercrime and mainstream stories like the Equifax breach have grabbed headlines.
However, the nascent asset class that is crypto and distributed ledger technologies (“DLT”) is acutely vulnerable. Nothing can destroy a revolutionary overhauling of a monetary system faster than a plague of theft.
Stateside Measures
Security has become such a concern that congress introduced the “hack back” bill, allowing businesses to attack their attacker’s computers or networks. Active Cyber Defense Certainty Act introduced this amendment to the Computer Fraud and Abuse Act anti-hacking law. Two clichés come to mind when I see this — “sometimes the cure is worse than the disease,” and “an ounce of prevention is worth a pound of cure.”
- Identifying a hacker often takes time and analysis
- Hackers have become more savvy and readily circumvent detection
- Ordinary researchers are not capable of performing such analyses
- Hackers often leave clues in the code and spoof that evidence, e.g. leaving code from known hacking organizations in malware
- The amendment only applies within the United States
- Most attacks come from abroad, and those that don’t are often routed through servers that come from overseas.
Governing bodies have already enacted a number of stops on the “hack back” amendment:
- Before taking action against attackers, the National Cyber Investigative Joint Task Force (NCIJTF) must be alerted.
- Prying into hacking networks may be an obstruction to ongoing investigations and non-permitted retaliation is potentially criminal.
The NCIJTF is led by the FBI and the FBI defense review is worried that actions taken by private organizations could effectively trigger our government’s international legal responsibility. As DLT winds its way into the mainstream, the stakes are rapidly being raised. Quantifying prevention is not easy, but it is easy to overlook.
When Equifax hackers made off with the private information of 143 million people, who is responsible for what is an en masse modern‑day home invasion? Is it a victimless crime if insurance pays?
The reality is that the ultimately accountable Equifax is not held liable and as of now, no one is reimbursing lost crypto. If the last four digits of our social security numbers can be sold on the dark web, in what stead should we hold the security of digitized currency?
Digital assets are currently being used as mediums of exchange, as stores of value and more. They are the equivalent of money, bartering tools, precious metals as well as the lifeblood of emerging ecosystems. Make no mistake, horses have been stolen and many more thieves are coming.
We can no longer overlook the clear and present threat to the technologies that are poised to reshape our world. It is time to secure the blockchain.
Enter CYBR.
Good Cyber Threat Intelligence (TI) is continuously refined information that hones in on potential or current attacks that can threaten any system.
CYBR is an ever-expanding compendium of information combined with state-of-the-art software solutions that will be optimized for the blockchain. CYBR is a holistic security solution that will endeavor to secure wallets, smart contract transactions, and associated transactions and activities that take place in the blockchain space.
Unlike most token generating events (“TGEs”), where a theoretical idea is presented and implementation is to follow, much of the CYBR solution is already built and being utilized in enterprise environments.
To this point, it is safe to say there is a truly pressing need for top-flight cybersecurity in the realm of crypto. However, there are very few parties qualified to provide the needed level of security. With that in mind, let us momentarily stray from the traditional structure of a white paper. Thus far, the “why” has been addressed. Now, let us the broach the most critical component of such an undertaking — “the who.”
The Vision and the Visionary
CYBR’s founder, Shawn Key is a cybersecurity veteran of some notoriety. He is attributed as the person first described as an “ethical hacker,” based on an article in a governmental trade magazine. The term presaged the popular “white hat hacker” by more than a decade after Shawn successfully found his way into numerous federal networks in 1999.
Shawn’s facility and acumen in the field were widely noted and his early contributions to “information security,” aka“information assurance,” were seminal. A few years later, the industry would become known as “cybersecurity.”
Some of his early work included one of the first patch management solutions, which was acquired by a company that eventually sold to IBM for some $500M USD. He quickly garnered a reputation as someone who could “see around the corner.”
Over the last ten years, Mr. Key’s cyber services company has maintained a flawless reputation, and is currently a subcontractor to Raytheon (see CYBRtoken.io under “Partners”). Raytheon has the distinction of earning the largest cybersecurity contract awarded in US history of 1.115B USD.
In recent years, Shawn’s focus has been on the underlying solutions that make up the CYBR Ecosystem:
- CYBRSCAN — a real-time vulnerability analysis solution that can assess the security posture of ANY public facing IP address. The solution is highly scalable and its database of digital identifiers is crypto-centric, meaning it seeks out the vulnerabilities and potential exploitations that primarily are relative to the crypto and blockchain infrastructure.
- BLINDSPOT — The endpoint solution that roots out malicious code using fuzzy logic, machine learning and artificial intelligence (AI). BlindSpot incorporates proprietary algorithms that identify exact AND partial matches of malicious code, preventing advanced persistent threats (APTs) from exploiting operating system, application and other code flaws that can lead to data and / or financial loss.
The software solution has gone through its share of iterations and pivots but the concepts of detecting malicious code and associated bad actor activity were consistent themes throughout his numerous grants and awards received for his work. These include, but are not limited to:
- Mach37 Cyber Accelerator: awarded $150,000 in grants via Mach37 and the Center for Innovative Technology (CIT).
- Dell Founders 50 Club: recognized Shawn’s technology as one of the top 50 most disruptive technologies in the world.
- Tandem NSI, associated with the National Security Agency (NSA), awarded Mr. Key for one of the best technologies in the D.C. metro area.
- MALWARE INFORMATION SHARING PLATFORM (MISP) — a centralized location for emerging threat data that can be turned into actionable intelligence. With the CYBR MISP, proliferation of threats can be minimized and financial losses significantly reduced.
- THREAT INTELLIGENCE PORTAL (TIP) — If two minds are better than one, then thousands are better than two. The TIP accepts threat intelligence “tips” from the CYBR community, which in turn is rewarded in CYBR tokens for its contributions. Think of the TIP as a 365 / 24 / 7 bug bounty on steroids.
Origin of Solutions’ Concepts
Mr. Key was intrigued by cryptocurrency and with each passing hack, this interest morphed into the central preoccupation in his life. He quickly found that many of the exploitations were similar to “traditional” attacks. What he dealt with in every day enterprise systems mirrored the methodologies used in the majority of reported hacks. He determined that BlindSpot was applicable to the blockchain and it became his mission to optimize it for cryptocurrencies in securing smart contracts and associated transactions. Although it poses some unique challenges and there are inherent differences, Mr. Key realized that his experience could improve the security posture of the world of crypto. The last year has been solely focused on what has evolved into CYBR.
Welcome to the CYBR Security Ecosystem and Utility Token.
Not Your Father’s Antivirus
While antivirus (“AV”) software hasn’t sounded relevant for a long time, threat detection and eradication has remained at the fore for government and many private sector organizations. Sensitive data and the protection of these assets have grown in scope, commensurate with our advancements in technology. Unfortunately, the general public has not benefited from this growth and the displays of negligence in corporate America provide unimpeachable evidence to this point.
There have been numerous data breaches of sensitive information and despite the headlines they’ve captured, it has ceased to be a priority to those responsible for securing said data. Society pays the cost for the mishaps of Target, Equifax and similar while specialized agencies have continually evolved against growing threats.
As crypto takes hold and drives towards critical mass, the need for a gold standard of security and an attendant solution has never been greater.
Elegant, Robust
CYBR, like good TI itself, is a multi-fisted attack that provides real-time safeguards, countermeasures, threat intel and secure transactions via three distinct methods:
- CYBRscan — proprietary software solution that identifies vulnerabilities on ANY IP-based device in ANY language.
- BlindSpot — A proprietary software that powers a potentially borderless landscape of threat identification.
- Portal (MISP/TIP) — CYBR utilizes a real-time, pedigreed data feed heretofore not available to the general public.
Identifying a threat is one thing, removing it is another and it’s still another to prevent its return. Standard issue solutions can tell you something is wrong, but can’t necessarily eradicate the problem nor detect the evolution of threats. They are simply obsolesced by current malware.
Work-a-day antivirus software is nothing more than a compilation of known threats with basic search capabilities. Today’s malware has adapted and can morph into a slightly different version of known viruses. The result is that malicious code is no longer identifiable by standard AV software. The permutations of known viruses that can continually plague networks are known as advanced persistent threats (“APTs”) and standard software has no solution for it.
BlindSpot not only detects “bad actor,” associated illicit file activities and APTs; soon they will be disrupted. The three primary tenets of risk management in relation to TI and ensuring data are as follows:
- Confidentiality
- Integrity
- Availability
BlindSpot captures attack signatures by deploying a combination of fuzzy logic, machine learning in concert with artificial intelligence. Whence identified, this information is distributed to the protected community via the blockchain. As previously mentioned, to augment the supporting data that runs concurrently with BlindSpot, one of the CYBR’s token initiatives is to reward community members for identifying suspicious activities via the TIP. This influx of data will also provide CYBR with TI that will differentiate it from other competitors and allow CYBR to have the largest repository of TI digital identifiers in the world.
Being Smarter
Smart contracts are a protocol that execute the terms of a contract. The potential efficiencies they offer are myriad and game-changing. It is a revolutionary time-saver that can considerably reduce expenses, sidestep legal entanglements and associated costs. The applications for smart contracts are growing by the day and they are the lifeblood of distributed ledgers. The company believes that the primary stumbling block for mass adoption of blockchain technology is security and aims to establish a “best practices” standard. Any executor of code is aware of the inherent issues, but unfortunately, even the most outspoken and vocal leaders of the blockchain neglect to properly acknowledge this growing risk.
We can ill afford to analyze vulnerabilities after an attack. While open source is inspired and shall pave the way for innovation, there must be a standard. Auditing can go a long way but ultimately, the safe harbor that CYBR can provide shall raise the bar and be the benchmark by which security on the blockchain shall be measured.
For example, smart contract programming in Ethereum is known to be error-prone and many of these common errors are known quantities. The DAO hack, for example, was the result of a recursive calling vulnerability. Essentially, hackers with an initial minimum balance were able to repeatedly withdraw that balance. There was no fallback function and thus, repeated withdrawals were made, as balances were not updated in real time. Such gaffs are imminently avoidable. This contract would not have met any security expert’s minimum standards, yet some 50mm was heisted.
To summarize, CYBR is an advanced cybersecurity solution that deploys its proprietary software, BlindSpot and layers it with a comprehensive data feed to proactively identify hackers.
Mission Critical
There is a pressing need to dramatically reduce the average time of detection in identifying and contending threats. Without it, the adoption of DLT hangs in the balance. The implementation of a proactive defensive as well as preventive approach to cybersecurity is sorely lacking in the space.
CYBR seeks to solve that problem.
CYBR’s mission is to provide a seamless continuum of threat security and establish a gold standard of cybersecurity on the blockchain.
Governance, Risk Management and Compliance (GRC)
In traditional cybersecurity, the term GRC is abuzz. The acronym stands for Governance, Risk (Management) and Compliance. Currently, an enormous number of vendors are providing this service in integrated, point solutions or domain specific capacities.
Each of the core disciplines is comprised of four basic characteristics — processes, technology, strategy and people. Dependent upon an organization’s risk tolerance, company policies and any external regulations are what determine the level of engagement. Once identified and assessed, operational rules or parameters that the GRC “quotient” supports are integrated or merged holistically across an organization.
As nebulous as it sounds, the field is rapidly growing and its efficacy remains unquestioned. What this translates to for CYBR is the need to establish a robust community as their input creates the checks and balances for a decentralized world. GRC implemented into security is the voice of a unified whole that lacks central authority, but compensates with efficiency and consensus. Although the world of crypto is an ever-moving target, establishing best practices, attracting key opinion leaders (“KOLs”) as well as supporters is paramount. The CYBR token itself shall derive much of its utility by the provision of token to active members who can successful identify and report threats.
From a business standpoint, this “open-sourcing”of security creates an enviable dataset and encyclopedia of intelligence.
All this leads CYBR to lay claim to an overused buzzword. Although the word “ecosystem” is bandied about in tech circles, let us remember what the definition actually states:
Ecosystem: a biological community of interacting organisms and their physical environment. (In general use) a complex network or interconnected system.
And this is precisely what CYBR’s governance is.
