Yuval Wollman has a rare holistic view of the complex -- and often-siloed -- cybersecurity ecosystem. With time spent in the Israeli legal, financial, and intelligence sectors, most recently as director general of the Ministry of Intelligence Affairs, he is intimately familiar with the impact of cyberattacks across all aspects of government and enterprise. Now, he deploys his decades of knowledge as managing director (Israel) of IT giant UST and president of its security subsidiary, CyberProof.
Here, he talks to InformationWeek’s Richard Pallardy about how cyberattackers are changing their strategies, who they are targeting, and what to do about it.
Tell me about your background.
I am a product of the Israeli intelligence community. In Israel, we have compulsory military service for most of the population. I started my career as a very young person in Unit 8200, a unit of the Israeli Defense Force. Until recently, I still paid my duty as a reserve officer. Since I moved from Israel, I've been based out of California where I work for UST and CyberProof.
My affiliations with Israeli public sector were wider than the cybersecurity of defense. I was also part of the legal and judiciary branch and also of the executive branch in different capacities -- notably the Ministry of Finance. I'm less engaged with Israeli espionage affairs now.
There are overlaps between terror and ransomware, which is a key part of our discussion. Understanding the financial side of defense is super important. I dealt with technology from different angles -- policy, how to enhance the Israeli tech industry. The public-private sector connections are very strong. Israel is a small place, but it’s a superpower when it comes to technology and cybersecurity specifically -- not only in the public sector, but also in the private tech industry. I developed my career in this space between the public and private sector.
My last position in the public sector was as director general of the Intelligence Ministry -- equivalent to the American director of national intelligence. In that capacity, I was working closely with Western allies -- agencies, senior diplomats, joint researchers. I visited London and Paris and Washington, D.C., many times because collaboration, when it comes to intelligence, is key. Now we are seeing a unique approach -- more collaborations between the public and private sectors. We're facing a geopolitical threat, namely the invasion of Ukraine by Russia.
How are cyber attackers changing their strategies these days? Are they using any notable new tactics?
There are several trends that we’ve been seeing in recent years that have accelerated over the past few months. I'm having discussions with CISOs of large enterprises and national security experts. Ransomware is probably the No. 1 challenge that companies and government agencies are facing.
The new term that has emerged over the past two years is ransomware as a service. They are looking at it almost as a business. You have an ecosystem of actors working together in different roles.
If it's a state-oriented group, they're already organized. But if they're not directly state-backed, they need to create their own group. They collaborate. There is a market. There is the attacker, but he wants to work with affiliates. So he recruits affiliates.
You see publications on the dark web for recruitment of those affiliates, each one with a different role -- some offer tools, some offer access. What we're also seeing is a shift from a wide approach -- what we call spray and pray -- to something deeper and more verticalized to get a higher ROI. They need the right tools, patience, and knowledge.
And we cannot ignore the state level. In the past few months, we've seen more and more enhanced support coming from the state level, mainly from the Russians or Russian proxies. There are tensions taking place on other fronts all the time -- between Israel and Iran, for example.
We're seeing more geopolitical trends. One of them is the collaboration between the private and public sector. We saw that in March, right after the outbreak of the war in Ukraine. Microsoft and Google and other tech giants were collaborating openly with the government.
And even more importantly, there have been a few public statements made by the US administration about deterrence. Usually, Western agencies or authorities do not make those types of statements publicly.
Which older tactics remain useful to cyber criminals? Which have become stale?
I would say that you have a fusion. Let me give you an example. In the past, you saw two-step extortion. The first step is to encrypt and extract the information. The second is to negotiate the ransom. Now you have a third step. They’re adding on to an old process -- while negotiating they’re making a DDoS attack.
It's all over. We're seeing that against enterprises and government agencies. We've seen that in Ukraine. Old tools are super relevant. You have new generations of experts coming to the dark side all the time. The old knowledge is still there, and it’s being used when it fits the new challenges.
Sometimes patterns are new, but the tools are old. Take the 2020 Solar Winds supply chain attack, for example. It was probably one of the biggest moves ever made in the cyberwar space. But they used tools that have been there for many years. They were developed and adjusted to a new pattern. These actors plan quietly in advance -- sometimes years in advance. You sit and wait. Then you strike and you blow it.
Are different types of businesses being targeted? Has there been a shift in who is hit?
They want to go after those who are most likely to pay. We're seeing more and more attacks on the financial sector and on critical infrastructure. When you go deeper, you can allow yourself to invest more and more as an attacker -- breaching the perimeters, extracting information, and waiting for the right moment to start negotiating. But at the same time, they need to constantly invest [in new tools and techniques]. You can’t just go in and assume that everything will be okay. You will be found.
We’re going to see more involvement from the government. This is a long-term trend that is being accelerated by recent geopolitical developments. We're seeing more governments assuming responsibility over the private sector in terms of support, load-sharing.
We're seeing a new generation of agencies being put in place in Western governments to guide and regulate and support the private sector. Interestingly enough, there was new legislation introduced in the US forbidding enterprises from negotiating. So this is a game theory play here. If you are forbidden by law from negotiating, you're less vulnerable in a way. The attacker would know that regulators might take action.
We don't know what the effect of this is going to be. In game theory, there are unexpected factors at play. It's not a closed system. But this is a very interesting development in terms of how the government perceives its place when it comes to the private sector.
How do these bad actors choose their targets?
They look at the expectation of the gain that they want to achieve against the investments they're making. They don’t just identify someone who is vulnerable. They have to identify someone who will pay enough to make the effort worthwhile. The combination of those factors are the main criteria used when an attacker is planning an attack.
We're seeing more attacks on critical infrastructure because of the magnitude of the effects --when it comes to energy supply, for example. They’re more willing to pay because of the potential damage to essential utilities. The willingness to pay is even higher when it comes to financial institutions today. Data privacy and reputation are everything to them, so they're willing to pay as well.
How do they go about scoring their potential victims? What makes them appealing?
We have not identified a formal scoring system, but we can assume that they have something very close to it. There is a mirrored score on the defensive side that has been developed over the past five years. It is updated all the time, based on the attack. Many companies are now working on a methodology of scoring and ranking and understanding exactly what the vulnerabilities are in a given enterprise that might be attacked. These methodologies provide a great projection of the presumable scoring system that the attackers are using.
Are attackers asking for different types of ransoms?
They just want to make money. They need a system through which they can be paid. This requires a segment in the market for laundering these funds -- you do have professionals that do that.
In the case of proxies of state agencies, I wouldn't say that they are solely incentivized by making financial profit. There are also political or national perspectives when it comes to some Eastern players. But I still think that most of their motivation is financial. Profit is key.
How are they going about improving the persistence of the attacks?
They need to develop new tools all the time as they encounter new defensive products.
The defensive side needs to protect huge volumes of data -- terabytes and terabytes a day in a large enterprise. And it is spread around many entities within the enterprise. So you don't have consistency. CIOs and CISOs need to consolidate the perimeter. That consolidation takes years. And large budgets.
The attackers need to take this type of activity into account, especially when it comes to large enterprises. They will need to update their tools and their presence and lateral movement all the time. They trade and pay for those tools. We're seeing a constant development of these kinds of capabilities on the offensive side.
Explain how they move laterally through the system, targeting increasingly privileged users.
We're seeing more investment in lateral movement. Once you're in, it's easier to move because the defense is mostly on the outer echelons of the network. But first, you need to make sure that you have a path to extract the data, the assets that you attack. Otherwise, the attack is very easy to contain.
It's not only about how to move inside. It's also about keeping a close watch on the outside so you can extract the information and make sure that it is encrypted. Then you can secure a ransom in a more effective way. This is the ransomware as a service that I mentioned earlier.
You can add another step to the extortion and attack other organizations to distract them, make them lose their balance. We're seeing that more and more, especially in the attacks against financial and critical infrastructure, a trend that is probably being enhanced the past few months because of the current tensions.
We're now looking at a more disruptive war because of the weight of government-backed defense capabilities. General Paul M. Nakasone [head of the US Cyber Command] publicly said the US was simultaneously taking extensive defensive and offensive action at the same time.
Initially, the Russians were very focused on Ukrainian assets. It was leaked by various agencies that the Foreign Intelligence Service of Russia was making vast attacks in the West -- something not seen at the beginning of the war. That is probably what made US officials acknowledge it publicly. We were asking ourselves when they would start to take actions against the Western Allies of Ukraine, because they were indirectly involved in the conflict through economic sanctions.
The ransomware market is being disrupted by huge investments that are materializing in front of our eyes. Over the past few years, we've seen more investment across the globe, whether it's Eastern actors such as China, Iran, North Korea and Russia or Western actors such as the UK, US, and the EU. We can use 2016 as a landmark because of the intervention in the US presidential election that year. In a few months, when the dust has settled a bit, it may be easier to evaluate the meaning of how these investments have materialized in terms of the motivation and the effectiveness of the attackers.
How do companies prevent attackers from deleting their backups?
It's about containment, first and foremost. When I say containment it is not only digital -- circling the attacker -- but also understanding what exactly they took, what exactly you lost, making sure that there are no other attackers already within the perimeter. Distract the attacker while you're deciding whether to take some of the risk or pay the price of the attacker releasing the information.
These are steps that will take a few days -- crucial days. You need this information if and when you decide to negotiate, depending on the criticality of the information and the reputation risk. If you’re a publicly traded company, there’s another layer of risk.
But of course, these are the short-term answers. The longer-term management theory is the ringing of the bell and acknowledging that something is not working. Even a very well protected enterprise can be hit. Nothing is 100% sealed. The question is how you manage the risks.
We are seeing a new generation of visionary CISOs. They understand where the market goes, where the threats are going to manifest. And they're building three-year plans, five-year plans, and they're looking for the right partners to build them.
Are there ways of preventing attackers from disabling security systems once they’re in?
Absolutely. Again, you need to plan and design. Did you choose the right products? It's not easy. You don’t always have all the information about the market. You don’t always know what to ask the different vendors. You don’t even always know the correct preliminary actions that you need to take to find the right team members that would ask those questions on your behalf. As a security leader in an organization, it's hard. There is a shortage of talent. You need the right partners. This is where you need more vendors actually to help you.
If you pick the right vendor, everything else will be easy. Then you can start asking yourself, “Okay, do I have the second wave tools in order to continue to mitigate?” There is no silver bullet. The question is what organization? What industry?
How often are attackers leaving backdoors once a ransom is paid?
We don't see that as much as we expected. The likelihood of an enterprise paying on the next round of attacks is lower. They want to go where it makes sense in terms of ROI. When you calculate the likelihood of them paying in the next round, it is much lower. They’re probably just going to go on to the next target instead.
Are there any areas where you see businesses are really failing to adapt?
We're seeing more vulnerabilities when it comes to manufacturing and some retail businesses. I want to be very general in my answer because we have customers from various industries. Because of the nature of the business, we’re seeing vulnerabilities that we don’t see in more regulated and digitized industries.
Do these changes impact risk strategy? How are businesses adapting?
A good CISO will ask himself or herself what the business risk is. If the cyber risk is significant, but it does not have business implications, or the implications are rather small, you don't need to invest millions of dollars to protect it.
You need to rethink where the business goes from a digital perspective. The major trend that we're seeing is cloud migration. Assets are being shifted to the cloud. You need to protect the shift itself, which is a long-term process, and the cloud backed assets as well. The more the security leaders understand that the more effective their policies will be.
With the advent of big game hunting, how are small- and medium-sized enterprises affected? Has their risk increased or diminished?
SMEs are a significant part of every economy. When attackers want to increase ROI, it is less likely that they will invest time in attacking smaller businesses. But smaller businesses are also less protected because they have less to invest in those tools. Over the past five years, we’ve seen a new layer of vendors that are focused on SMEs. The biggest companies in the world, Microsoft and Google and others, are already embedded in those small businesses. Who doesn't have Windows?
They’re using their presence in those organizations to generate security offerings. I definitely don't want you to take away that this is not a high-risk area. It is. Look at the investment that Microsoft, for example, is making to support the SME market. The SME market may be less vulnerable to the enterprise market, but it is still a lucrative target. We're seeing that through the huge investments made to protect them by large vendors to create the right cost-effective offerings to secure them.
How has the hybrid work environment affected cybercrime? What new risks have arisen and how should companies go about mitigating them?
From the outset of the pandemic, the bulk of the digital workforce has been at home. It’s less hybrid and more remote in many organizations. The attackers are well aware of it. It requires a new layer of protection. It's more about policy. How do you enforce and train and educate your workforce to be more careful with the assets that are being managed? So the risk is larger, but it's being mitigated properly? Still, I wouldn’t say we're seeing higher ROI from attacks because of remote work.