Inside the Attacker’s Mind

In the eight years following my fifteen years of service in the main cyber division of the military, I set out on a mission. I dedicated my professional career to unraveling, understanding and confronting the complexities of all kinds of cyber attacks. I learned the attackers’ methods, capabilities, motivations and technological arsenal.

This rigorous investigation led to a profound understanding of the adversary's perspective and modus operandi. I constantly relayed this critical information to security teams around the world to empower them with the tools and knowledge that helped them prevent breaches.

The Turnaround of Events

But in the past few years, things have changed. Ever since the pandemic hit, I’ve seen countless breaches that could have been avoided or significantly mitigated. The relevant control that could have prevented the breach was not properly applied, either not on time or not at all.

One of the last investigations involved a major hospital in the north of Israel during the COVID-19 crisis. Attackers were able to exploit a zero-day vulnerability to infiltrate the hospital's network. Then, they progressed laterally for three months before injecting ransomware that crippled most of the hospital’s operational systems.

As a Senior Manager at Mandiant at the time, the leading cyber security services company, I led the investigation team. Despite the collective expertise of some of the best cyber security talent, we were unable to crack the ransomware's encryption or retrieve the lost data, given the governmental body's stance against paying ransoms.

Feeling Powerless

Imagine the chaos of a life-saving medical organization, in the middle of the pandemic, whose medical team is unable to access their computers and retrieve patient data like blood types, medical histories, or scan results. It was such a frustrating experience that words fall short of expressing.

What Went Wrong?

In-depth investigations revealed that the attack vector was a previously disclosed zero-day vulnerability with a publicly available patch. The vulnerability was present on a critical infrastructure appliance for supporting remote work. Yet, there were enough preventive controls that could have alerted, identified and blocked the exploit, from EDR (Endpoint Detection and Response) solutions to network tools.

Sadly, but not surprisingly, the hospital had all the right systems in place. But none of them was configured correctly to stop the attack. As a result, the intrusion remained undetected for months until a cybercrime group, likely from China, deployed the ransomware and demanded an exorbitant ransom.

This episode was among the most challenging moments of my tenure as a civil defender at Mandiant. I had accumulated vast amounts of knowledge about attackers’ behaviors, the defensive capabilities available in the civilian enterprise market and protection gaps. We knew which steps the attacker took and how they operated. Yet, despite this knowledge and the availability of technological platforms, the damage was done. The battle against attackers seemed unwinnable.

An Asymmetric Battle

During the investigation, I got to know Ben Seri and Snir Havdala, my eventual co-founders and partners at Zafran, who at the time led research departments in their previous roles. We collaborated during the investigation, and, in the trenches, throughout the intensive work that was going on, we realized we could not afford to lose again.

The battle against attackers is currently not in a state where any defense entity can claim decisive victory. Quite the contrary. The rate at which new vulnerabilities are discovered and the complexity of enterprise systems are growing exponentially. Threat actors now also benefit from technological advancements like AI, combined with an effective business model that allows them to collaborate and scale their offensive operations.

According to a recent Rapid7 report, more than half of vulnerabilities were exploited within seven days of public disclosure, an 87% increase over 2020. This rapid shrinking of the exploitation window is making it impossible to address all the vulnerabilities on time.

Our epiphany to answer this glaring gap came when we realized that the most effective strategy was to pinpoint the “exploitables” - the 1-2% of vulnerabilities likely to be exploited.

The question was - how?

Manually, this is not feasible. There’s an acute shortage of exploit mechanics talent in the market: the experts capable of reversing, investigating and mitigating attacks 24/7. Instead of a manual approach, we decided to develop a scalable and automated platform that could help any organization preemptively close the exploitation window and stay ahead of attackers.

Winning the Battle

And so, Zafran was born. We poured over 70 years of collective expertise in offensive and defensive cybersecurity, from pinpointing the exploitables to developing a Risk & Mitigation platform.

This platform reflects the profound understanding we have of how attackers see the network, how they approach it, which attack vectors they choose, their technologies, their business model and how they collaborate with other attackers.

Zafran helps defenders win the battle by:

  • Pinpointing exploitables
  • Implementing effective mitigations at the right time based on your existing security tools
  • Adding Human-in-the-Loop automation to empower mitigation capabilities

This approach has bridged the gap between knowing what needs to be done and actually doing it. Zafran not only enhances visibility into vulnerabilities but also provides a clear, quick and cost-effective path to improve security and defense postures, at the click of a button.

You are Protected

We know you've already invested countless resources in an overflowing security stack, which can be difficult to manage at times. Yet at the same time, you never know if you’re actually protected, if you’ve done enough or need more tools, or which steps to take to identify vulnerabilities and mitigate them with your existing tools. Have you been asked by leadership if your organization is protected against the latest threat, not knowing quite what to answer?

Despite the advancements in defensive systems, security leaders still face the daunting question of whether their organizations are truly protected against the next Log4j or APT29. Zafran provides clear answers, including which step to take to defuse exploitation.

Hope - When the revolutionary vision turns into reality

The past 17 months have been a dream come true for Zafran. Born on the foundations of failure, Zafran is here to help CISOs, CIOs and security teams answer the question “Are we protected?” Zafran can answer the questions “Where am I most at risk? What are my immediate exploitables? How can I mitigate them with my existing controls while keeping the business up and running?”

Fighting the asymmetric battle against the attackers requires exclusive visibility, innovation and a comprehensive approach. We invite each and every one of you to share your insights, thoughts and feelings about this issue. If you have also experienced frustration and helplessness against the rapid pace of exploitation, we would love to speak and discuss so we can learn from each other. We are committed to changing the dynamics of cybersecurity defense, ensuring that we are part of a strong defender community that is protecting our world and winning the battle.