'Ransomware incidents aren't personal attacks against an organization's management'

Dr. Yaniv Harel, Senior Vice President Cyber Defense at Sygnia, describes his behind-the-scenes experience handling cyberattack incidents. An exclusive interview 


Yaniv Harel. Photo: Cybertech 

Is it right to keep a cyberattack a secret? As a business, how do you deal with such an unusual experience? "A cyberattack incident is a different experience from any other that an organization goes through. It is a significant crisis for an organization," explains Dr. Yaniv Harel, Senior Vice President Cyber Defense at Sygnia.

"You’re talking about a crisis that immediately involves the organization’s entire management cadre. The incident is rapidly 'escalated' to the direct control of the CEO or owner, and it has an immediate impact on relationships with investors and customers, your public image, reputation, and your relationship with regulators, if you have one. Suddenly, in a single instant, everything changes."

The incident becomes public knowledge

Harel points out that it is unrealistic to expect the event to remain behind closed doors. According to him, in a publicly owned company an incident can quickly become public knowledge. "Many levels of management oversee professional staff during such incidents. If the incident becomes public, the organization needs an organized methodology to deal with the new situation," Harel explains.

"One of our roles is to streamline communications between the professional and managerial cadres ahead of time. Real incidents occur suddenly, and unexpectedly, without advance preparation. If the CISO doesn't know how to make the technical information understandable to the CEO and the legal team, real-time handling of the incident becomes more difficult."

"When Sygnia encounters an event of this sort, anywhere in the world, we try to understand what happened, decipher the root of the attack and how it developed over time. That's our starting point. If you don't know what happened in the incident, it could lead to the wrong decisions being made. We work in collaboration with the local technical team."

"In many cases, incidents begin when the company receives a ransom email. Over the course of the investigation, we find that the incident already started three weeks earlier. We are familiar with many groups of attackers and can identify what they want. Even if this is not the case, we can tell what their intentions are." 

"In some cases, you find an attacker who has been online for a long time and who intended to access a data analysis system. He wanted access to information from there. By understanding the incident, you know what he's looking for and how he operates."

Harel explains that the client's goal is to resume operations as soon as possible. "There is a balance between the technical and the business sides. Some companies can halt operations for several days, while others can't afford to stop for even a single day; this also affects the time it takes to restore a company's systems," comments Harel. "Alongside the forensic investigation, the organization is required to respond to the attackers, to negotiate with them. We help with this as well, and we support the company in making the decisions, including communications among various company officials."

Organizational resilience

Another issue that Sygnia confronts and works with many of its clients to resolve is how to build a company's resilience. "If your organization has not built its architecture correctly - so that intruders will not have access to all its resources - you are in trouble. What's more, without systems to monitor abnormalities, you are also vulnerable. There are many other technical and methodological components involved in creating cyber resilience. If your organization has been built with cyber resilience in mind, you have a good chance of detecting an attack early and, thus, of reducing the damage," Harel explains.

"If an organization begins working with us before an incident occurs, we assist in performing a deep and comprehensive cyber posture enhancement process. In addition, we help to prepare the organization for such an event: running drills, training the technical staff and cyber officials, holding role-playing exercises, making decisions under pressure, etc. This helps in the case of an actual incident. Often, CEOs consider attacks a personal offense against them. We try to explain that the attacker wants money and there's nothing personal about it; from the attacker's perspective, it's just work. We try to take the emotion out of the decision-making process."

Automation is mostly a buzzword in this context, claims Harel. According to him, an organization's resilience derives primarily from proven technologies, policies, and procedures, and from how they all work together. "It is true that the larger the organization, the more automation you need for running defined processes more efficiently; nevertheless, automation is often sold as a band-aid solution. If you have installed an automated analyst in your SOC, it doesn't necessarily mean that you are protected; automation is part of the concept of resilience - it is only a part of it, not the entire picture," he explains.

"We also provide recommendations after an incident or during our posture enhancement engagements, but we don't recommend which equipment an organization should purchase; on the contrary, our goal is to work with the organization to make the most of the technologies they have, that is, making more effective use of what they already bought."

Coordinating expectations

During an incident, each person in the decision-making chain has different expectations of the situation, which can lead to friction. In certain cases, the CEO may start from the basic principle that he's not going to pay a ransom. Another may be willing to pay, but as little as possible. "The main idea is to be true to the company's primary goal. Some things are less dependent on this; however, their importance is so high - such as forensic investigations, restoring business processes, and more," adds Harel.

"In large companies, not all operations are affected, only some of them. If the attacker focused on the Human Resources Department, it makes no sense to halt the production floor. In large and complex organizations, the attacker won’t have taken over every single location. Using forensic investigations, we try to understand what the risk to the organization is. Based on this, we appraise the impact on business processes. What courses of action are possible."

The repercussions of the incident are also considered. Harel explains that it's necessary to understand what happened from a technical perspective and how the organization can be better rebuilt to reduce risks. "There have been quite a few cases in which we checked system files when managing an incident and found additional backdoors in the network unrelated to the specific incident we were working on. Maybe they were waiting for a future event or an additional infiltration," he adds.  

"You have to deal with customer claims, restore the company’s image, build trust with customers. These are processes that companies deal with after an attack. Some incidents can have legal consequences. In that case, the law enforcement authorities of that country come into the picture, which further complicates the management of the incident."

How do you choose an IR company?

"It's like choosing a doctor or a lawyer. An incident occurs, and you have to choose who will handle it for you. Likewise, in the cyber arena, you have to choose the company that handles an incident for you," says Harel. "Solutions are available at a variety of prices and quality levels. When it really matters, you’d rather rely on someone with previous experience handling numerous cyberattacks."

"Throughout our company's years of operation, we’ve gained a great deal of experience working with clients worldwide, and in a great many attacks, our staff successfully identified the attacker's intentions and reduced the damage caused to our clients. Additionally, Sygnia works with unique technologies; not just over-the-counter solutions, but also dedicated tools developed especially for the purposes discussed in this article." 

Another subject: Summary of operations in Beersheva

Alongside his start at Sygnia, at the end of 2020 Harel finished six years as the General Manager of the Dell Cyber Solutions Group, led from the Beersheva center. The group he led, which was founded as part of EMC, won the tender to build the national CERT and the sectorial energy CERT projects. "In 2020 we created the right structure to integrate the Cyber Solutions Group into Dell Technologies. In large companies, an integration can be just the start of a long process - even after a successful acquisition - and in many cases it fails. These cases are less often reported in the news," comments Harel.

"To succeed, we divided the Group into subgroups so that each one was integrated into a different business unit of Dell. These subgroups operate these days as part of those divisions. The R&D Department, which currently operates as part of the Global Products Division, recently launched a product. Departments that serve customers belong to the Services organization, and likewise for others. Our entire presence in Beersheva is complete, and the parts of the Group have been affiliated with existing global Dell Technologies business units."
