A team of ethical hackers uses proprietary software to expose vulnerabilities and works with the client’s IT team to fix them.
The Fortune 500 Companies That Want To Be Hacked
No CEOs want their company’s business to be hacked. And yet, hundreds of Fortune 500 firms pay Reuven Aronashvili and his CYE to break into their presumably secure servers.
CYE, in Herzliya, Israel, is based on the “red team” expertise Aronashvili developed while in the Israel Defense Forces, where he established the army’s center for encryption and cybersecurity.
So-called red teams hack into computers to find vulnerabilities. Blue teams, in contrast, defend a company’s infrastructure once an attack is identified.
CYE, which stands for “cyber-eye” but is pronounced simply “sigh,” was established in 2012 and employs 70 “ethical hackers” using its proprietary software, Hyver. (Total company headcount is close to 100.)
It can take a CYE red team anywhere from three minutes to three weeks to take complete control of an organization.
“Our approach is to be as realistic as possible,” Aronashvili said. “We don’t ask you to white-list us. We mimic the enemy without making you feel the consequences. If you’re a bank, we’ll transfer $100 million from your account to ours to demonstrate that it’s possible, not just theoretically.”
Bank clients shouldn’t worry: CYE always returns the money.
Vulnerabilities usually occur when a software misconfiguration opens an accidental door that should be shut. “Or someone just forgot something,” Aronashvili said.
Once CYE is in, the red team works with its clients to build defenses the organization can use to ensure the same attack won’t happen with real hackers.
Hackers often play the long game. Criminals could break into a company’s network months or even years earlier.
“If information gets stolen and published on the Dark Net, this is a very bad situation. We work hard to ensure that time to respond is minimal,” Aronashvili said.
Not everything can be defended against simultaneously, so Hyver recommends how a company can prioritize its actions.
CYE doesn’t do the hacker-proofing for its clients, but it does work with their IT teams to mitigate the problems.
“Let’s say we’ve found 50 different vulnerabilities in your organization,” Aronashvili said. “We know that in your budget you can’t address more than 10. So, we determine which are the most important. We build an ‘attack graph’ and search for the bottlenecks, the places hackers have to go through, and those will be the first items we’ll disconnect.”
Even large organizations don’t have the time and staff to fix everything. Aronashvili estimates that between 20 percent and 50 percent of vulnerabilities identified will be rectified.
VIP customers identified
CYE has clients of varying sizes, although most are large multinationals. Understandably, Aronashvili is not at liberty to name them.
He did say that at one large bank, CYE’s red team was able to identify customers including prominent royal families, prime ministers and other VIPs. Then they extracted contracts, patents and intellectual property.
“We removed their names and just used their client ID number, then we showed how we could breach the privacy of those VIPs.”
Had this hack been real, it would have been a disaster — as it was for Shirbit, a prominent Israeli insurance company that was hacked in December 2020. The hackers held Shirbit’s client data ransom. Shirbit refused to pay, and the Israel National Cyber Directorate advised victims of the hack to apply for new identity cards and driver’s licenses.
The Shirbit hack was relatively simple, Aronashvili said.
Another recent and well-publicized breach at SolarWinds, a company that builds software for computers, was more sophisticated and involved tapping into a back door that allowed hackers into any organization that used SolarWinds’ IT management tools. Around 18,000 SolarWinds customers installed the tainted software update.
“The initial foothold could not have been prevented,” Aronashvili said.
“We assume that any vendor can be compromised, then we evaluate the consequences. Even if the first leg is compromised, we can make sure the impact you feel as an organization is minimized.”
Hyver uses predictive analytics to calculate risk and determine where the next attack is likely to occur. Vulnerabilities are shown on a map of a company’s servers and access points.
Other hacks-for-good that CYE has been involved with: Gaining access to a large municipality’s electricity gid; manipulating sensitive systems inside a major hospital; overriding the temperature settings of a chocolate manufacturer; and shutting off the refrigeration in a global pharmaceutical producer.
The latter is of particular concern these days as the Pfizer and Moderna COVID-19 vaccines must be stored at very cold temperatures.
$100 million investment
Cyberattacks have been on the rise during the pandemic.
“A lot of people are bored sitting at home and are starting to play with things,” Aronashvili said. “It’s very easy to go to the Dark Net, pay $20 and have a fully equipped attack capability or to hire ransomware-as-a-service.”
This ominous trend represents an excellent opportunity for CYE’s red team to embark on more extreme adventures in hacking.
CYE has annual revenue of some $100 million, and recently raised $100 million in a round led by global investment firm EQT. The financing included existing investor 83North.
For the first half-decade of the company’s existence, it was a manual operation. CYE’s Hyver launched in 2018, introducing a hybrid human-software approach.
“With all due respect to technology, it’s still not at the level of the human brain,” Aronashvili said.
Getting hacked — even if you’ve asked for it — doesn’t come cheap.
“We have a very expensive premium, almost 10 times more than other defense products,” Aronashvili said.
Prices for CYE’s subscription-based business range from tens of thousands to millions of dollars. That hasn’t stopped several hundred Fortune 500 organizations and governments —sometimes while they’re already under attack — from turning to the company.
“A company CEO should assume that at some point in an organization’s life it will be attacked, its suppliers will be attacked, and its employees will be exposed,” Aronashvili said.
More information can be found here.