Former Israeli CERT Chief: 'A Cheap Incident Response Costs A Lot'
As the executive director of Israel’s National Computer Emergency Response Center, or CERT, Lavy Shtokhamer dealt with more cyberattacks in a week than many information security professionals see in a year. The Center acted as a hub for information sharing and response in the country, with victims constantly informing Shtokhamer and his team of new incidents, which would then be anonymized and relayed to other companies and government organizations to help protect them from similar attacks.
On a typical day, the CERT would receive more than 100 calls, said Shtokhamer, who departed the organization earlier this month. “The amount of attacks that I was exposed to was huge,” he said.
Last week, I caught up with Shtokhamer via video conference—he will be taking on a new role in the coming days, and was open to talking about his experience in the Israeli government. Among other topics, we discussed the most important partnerships for CERTs and the types of cyberattacks that worry him the most. The conversation below has been lightly edited for length and clarity.
The Record: Thanks for taking the time to talk—I know it must be late for you.
Lavy Shtokhamer: It’s OK! I’m in quarantine. I just moved to Singapore three days ago and now I’m in quarantine in one of the hotels for two weeks, so I have time.
TR: So you recently stepped down as executive director of Israel’s National CERT. Which measures or initiatives did you take while at Israel’s CERT that you're most proud of or were the most impactful?
LS: There have been a lot of things we've done the last couple of years. I think one of the most important ones was establishing our national information sharing platform. After a few months it became our immune platform—it would help immunize entire organizations in Israel by having a full API for indicators. That's how we had the possibility, for example, to share indicators by the click of a button, to share it to an API and have it received by monitoring and patching systems in less than a second. In addition to that, we established some new sectorial CERTs. I was the founder of the financial CERT, we have an energy CERT, we just established a telecom CERT, we have a military CERT that we’re going to announce a few weeks from now, as well as a few others.
TR: How did you come up with the API initiative? Was that something that you saw other organizations do?
LS: Eventually we just needed this system to be established. We understood that our alerts and publications weren’t enough, because the maturity of the organizations we worked with in some cases… the chief information security officer doesn't know how to deal with those kinds of indicators. In some cases, the CISO is changing all the time, some organizations don’t invest in cybersecurity but invest in threat intelligence. So we had to build an infrastructure to be able to share indicators with entire sectors in a short amount of time. I think it came from the need to be fast—to be faster than the attacker—and just regular sector alerts and publications weren’t enough. And most of it came from the WannaCry experience. We got the indicator from a relevant company and we were able to share it in a short amount of time. And then we brought in insights from our customers, who needed efficient government technology—a state of the art technology—with the right features. So, for example, the feature of anonymous sharing, there is an option for all the companies to share information anonymously with one another. And so there are no limitations in order to keep the trust. There are a few other important features, like the automation feature within the system. So each and every feature came from customer pain, basically.
TR: I read about how Israel’s CERT could receive more than 100 calls a day from cybersecurity victims. Is that normal? And how did you make sure that all of these incidents were properly investigated?
LS: So in general, I think especially nowadays, with what’s happened across the globe, we must understand that cybersecurity is very similar to the physical world. We’re dealing with COVID-19 in the cyber domain, and it’s very similar with how we’re dealing with it in the physical world—containing it, identifying it, scanning the infrastructure. Regarding the amount of calls, yeah, there are more than 100 phone calls a day and requests for help. Not all of them are related to pure cybersecurity, or demand any kind of action. There are many calls regarding additional information and questions for the CERT, but there are also calls regarding new incidents, and we built an algorithm that says basically what response is needed—do we provide help remotely, do we need to initiate boots on the ground and activate the incident response team. This is the mechanism that we built on a very advanced ticketing system and orchestration for all the other parts of investigation.
TR: How did you use policy or legislation to defend the country from cyberattacks?
LS: There's a new law that is under construction, but it's not formal yet.
TR: Can you talk more about that?
LS: I don’t actually have the full details, but most of our action within the national CERT was through building trust and was under voluntary basis. We moved forward by providing them value, it's like a win-win situation. We on one hand kept their trust through our reporting and providing help and on the other hand they allowed us to help them and eventually—what our ultimate goal was—to help them in order to immunize all the other organizations. We would like to have only one hit, one incident and all the others would be safe. This is the concept that we tried to pursue.
TR: As the director, did you ever wish that there were policies because maybe you got pushback from organizations or they didn't want to collaborate?
LS: Across the world there must be a guideline and policy for the cybersecurity domain. This is I think crucial, and I think the policy should be similar across all the countries. We need global standards for these kinds of situations. So definitely, there is a need for bold guidelines for all organizations and governments.
TR: What do you think those guidelines should look like?
LS: I think the guidelines should relay all of the concepts that I mentioned earlier—to have the option to do everything so that other companies are not hit from the same incidents. Not only providing help to specific compromised organizations, but providing help in order to keep all the others from getting compromised. You see that with the recent SolarWinds incident—thousands of big companies and government organizations are affected. So this is the concept needed—to be able to contain a compromise in order to keep all the others safe.
TR: Do you think cyberdefense is easier for the Israeli government, because the country has so many cybersecurity companies and a strong talent pool of cybersecurity professionals?
LS: Yes it definitely helped. I think Israel is a hub of cybersecurity professionals who really help one another. It's crazy to see the distance between what happened in Israel and other countries because every second guy within this industry is coming from a special unit within the army that got hands-on experience for three or four years and had access to top edge technology. It's crazy, and you see that most of the veterans nowadays go and build their own startups, because nothing else excites them afterwards. And they have the options—I think this quarter was the biggest quarter in history for investment in Israeli cybersecurity companies. Something like 40% of the global investment in cybersecurity was in Israel. It's been crazy what has happened to this industry in the last couple of years.
TR: How did you get your start in cybersecurity? Was that part of your army training or did you get involved later?
LS: No, actually within the army I was commander in a special combat unit. It gave me a lot of tools—to be able to manage, to be able to be cool under huge pressure. It gave me a lot of tools to handle my future position in cybersecurity and I think a lot of advantages. How to look at things, how to look at operations, how to look at both sides of the fence—offense and defense. So, yeah, I was commander in a combat unit, and then I moved to the Israeli Security Agency, within the cybersecurity unit, and during that time I got my degree. Afterwards, I started a new position within one of the largest banks in Israel. Then I came back to the government and established the financial CERT. On the way I mentored cybersecurity startups and accelerators and provided advice to venture capital investors, and then I became the head of CERT—that, in a nutshell, is my history in this domain.
TR: Which of those experiences or skills that you developed along the way made you most successful at your job?
LS: As I mentioned, working under pressure, being very analytic when looking at things and assessing the risk of an incident, and understanding how to address the C-level... I think this is one of the most important skills that people lack in cybersecurity. You need to be able to address executives and explain to them the risk and what they should do. And understanding the mindset of the attacker—I think that in order to be a good defender, you must understand the other side, you must experience the other side. The most valuable employee that I had was a white hat hacker.
TR: It's no secret that Israel has a lot of enemies. Did you ever feel concerned that state sponsored hackers, political activists, or just fanatics with a weapon would target your organization or even you personally?
LS: No, I don't think so!
TR: What surprised you the most during your role at Israel’s CERT?
LS: I think the amount of attacks that I was exposed to was huge. And then to see how each and every organization dealt with incidents. How they referred crucial vulnerabilities, other incidents that they suffered, how the cybersecurity guys handled it and how the C-level referred to it. I like to say it's too expensive to not invest in incident response. It’s from a Hebrew expression. It will cost you a whole lot of money when you’re dealing with an attack—you have to bring in one company, then another, then another. You’re eventually going to lose a lot of money… A cheap incident response costs a lot.
TR: That sounds like a good saying. I'm not sure if you can talk about this but I'm curious what is the most serious incident that you had to respond to?
LS: I can't refer to specific incidents. There were a lot of crazy things, a lot of crazy incidents, but I can't refer to one specific one.
TR: What about without referring to a specific incident—what did the most serious ones have in common? Was it the type of hacker? The companies involved?
LS: I think the craziest incidents were the incidents that were like epidemics and spread around a lot of companies in a short amount of time. It made us understand that we must recognize the specific hub of the incident—where it’s spreading from. I think from a management perspective, those are the incidents that are the most concerning. If one or two companies shut down, it's still okay, but if it’s an epidemic across the region, there’s going to be havoc.
TR: So incidents like WannaCry?
LS: Yeah, WannaCry, and a lot of other incidents that can spread across the world that come from things like supply chain attacks. The supply chains are becoming a regular question for cybersecurity teams, but there’s still not enough invested in protecting the supply chain. I don't know if eventually we're going to be able to identify and be able to mitigate risk from all the supply chains because it’s an endless game and you can't be the CISO of all the other companies that you've worked with.
TR: Do you think that’s the most serious threat right now?
LS: The supply chain is basically an attack vector, so it could be used to deliver something also serious, like ransomware. That attack vector that comes from the supply chain I think is the most crucial, because it could bypass almost all the security technology and measurements that an organization implements. If phishing ransomware comes through email and you have the right mitigation, you can deal with it. If an attack comes through the supply chain, I think in some cases it's bulletproof. So yeah, it's the most crucial vector even for big, strong, and secure organizations.
TR: What government partnerships were the most critical to your success at Israel’s CERT?
LS: I think the most crucial partnership was with the private sector, actually. Building trust with the private sector I think was the most important thing to do in general within a CERT because all the other parties don't have the whole picture. The company has the big picture eventually. And if you manage to build trust, eventually they will share insights with you and share what happened within the organization in order for you to take it, explore it, and share it with all the other companies. I think that is eventually the main role of a CERT. All the other vendors have their many agendas for this relationship—we are without an agenda, we are objective about it.
Nowadays, there's a very open discussion with vendors across the world. Vendors are more and more open to talk with the government and with other vendors about information sharing. It’s becoming a real open community, with everyone getting faster at information sharing and actionable intelligence.
TR: Did you communicate a lot with other CERTs or other international organizations?
LS: We had relationships with more than 90 CERTs across the world, and with nonprofit organizations and other organizations built to share information, like the Financial Services Information Sharing and Analysis Center (FS-ISAC) in the U.S. and the World Economic Forum—we did many initiatives with them—and of course with many vendors across the world.
TR: What is a big threat that you don’t think companies are prepared for?
LS: Lack of talent—it’s always true, but in recent months I’ve seen in LinkedIn a lot of CISO positions for many companies that haven’t dealt with cybersecurity until now.
TR: Why do you think there’s a skills gap? Cybersecurity is a high paying job.
LS: I think there’s still a huge difference between what we thought we would need for cybersecurity and what we actually need right now. I’m seeing many companies that didn’t invest in cybersecurity until now, they have chief information officers that act as CISOs, and outsource all their services and only really focus on compliance so they can continue working with their own customers. It’s not enough to have state of the art technology. You need to know how to maintain, upgrade, and build an operation around it. I think there’s a lot of people who want to learn cybersecurity but there’s still many more positions that need to be filled.
Adam Janofsky is the founding editor-in-chief of The Record from Recorded Future News. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.