EP 5 – Preparing for the Cyber Unknown w/ Shay Nahari, CyberArk VP of Red Team Services

[00:00:00.370] – David Puner
You’re listening to the Trust Issues podcast. I’m David Puner, a senior editorial manager at CyberArk, the global leader in identity security.

[00:00:23.970] – David Puner
There’s an old Mike Tyson quote you may have heard, “Everybody has a plan until they get punched in the face.” In the context of cybersecurity, the message is, when things get real, what will you do? How will you react? You can attempt to prepare for seemingly every scenario under the sun, but you never know when or how or where you’ll actually get punched. And you can’t know what the sun might illuminate next that’s never yet seen the light of day.

[00:00:50.780] – David Puner
In cyber, when you’ve been punched, you may not even know what’s happened. In cyber, adversaries don’t play by rules. They can punch below the waist when your eyes are closed and in the kidneys when your back is turned. It’s a battle. Things can get messy. So how do you prepare for the unknown, for that Iron-Mike punch to the face? What do you do if it happens? That’s what today’s guest and I try to tackle in the following conversation.

[00:01:20.590] – David Puner
Today I talk with Shay Nahari, who’s the VP of Red Team Services here at CyberArk. He’s a super interesting guy, and I’m not just saying that. We’re going to talk all about the Red Team and what Shay’s up to here. But before we get into that, we started talking about some of his favorite places around the world. I hope you enjoy the conversation.

[00:01:47.450] – David Puner
One of the things I wanted to ask you from the top, before we really get into the nuts and bolts of this, is you had mentioned in our company lunch-and-learn last week that you lived in New Zealand for a year. What were you up to in New Zealand?

[00:02:03.510] – Shay Nahari
I followed the same path most Israeli after the army did. I went and backpacked in Australia and New Zealand. I spent overall, I think, a little bit more than a year in both. In New Zealand, it was mainly just tracking, backtracking, and just enjoying the scenery of that amazing country. I did the same in Australia, but I also stayed for a while in Australia, lived there for a few months, soaked in the life there. The short answer to that question is travel, but the longer answer is just enjoyed being 23.

[00:02:40.320] – David Puner
If there’s one place that you could live in and stay in permanently, would it be one of those places?

[00:02:46.790] – Shay Nahari
It’s a good question. I’ve lived in three or four continents, depending on how you classify some countries. I think Australia would be my number one priority. I think Australia is an amazing country, have a mixture of both ability to travel but also easy, comfortable life. So I think the answer would be Australia for me.

[00:03:07.900] – David Puner
Sounds good. I’ve never been there. Want to go. Been to New Zealand, though, and it’s fantastic. Red Team Services or Red Team, what is that? For the folks out there who might not know.

[00:03:18.580] – Shay Nahari
I run a group of adversary simulation. It’s the group called Adversary Simulation or Red Teaming. The group really has three different goals. The first one is to provide adversary simulation to our customers and prospects, allow them to face against someone acting as a real adversary, and show them how well they would be doing in a real incident, testing their entire security posture from the technical controls to the human controls.

[00:03:51.140] – Shay Nahari
The second goal is to do the same thing for CyberArk itself, eating our own dog food, if you will, and simulate the necessary, going after CyberArk with specific threat actors in mind. The third thing we do is—and something that came organically throughout the years is—we provide incident response or provide help to our incident response team and provide a “think like an attacker” mindset in scenarios of breached organization when they reach out to CyberArk and trying to provide what an attacker would do during those incidents.

[00:04:29.940] – David Puner
How does somebody get into Red Team Services and how did you get to where you are today?

[00:04:36.310] – Shay Nahari
Obviously, different people take different paths to it. Today you can actually take university classes in offensive security, start as pen testing, testing application testing networks. When I started this, this wasn’t something you can just pick up at university. I initially started in the Israeli Defense Force, as you can hear by my… This is not a Boston native accent, right?

[00:05:02.310] – David Puner
It isn’t? I thought it was.

[00:05:04.010] – Shay Nahari
Close. I started my introduction to this in the Israeli Defense Force. But even before that, when I was a child getting access to computers, I was more interested in trying to understand how to hack computer games than to play them. So I spent most of my time learning this and that led me into an interest in breaking things. Obviously, wanted to do good there. The Israeli Defense Force obviously exposed me to things that I wasn’t aware of. Then later on in my career, I picked it up on my own, continued that research.

[00:05:38.880] – Shay Nahari
At some point in time, I moved to the States about 15 years ago. At the time, I worked for a telecommunication company. Then after that, I started my own company doing exactly that, adversary simulation and red teaming, offering our services to different organizations. At that time, CyberArk was actually one of my customers, so I spent a few years doing some work for CyberArk. At a certain point in time, I was offered to join CyberArk and build the adversary simulation team within CyberArk.

[00:06:12.150] – David Puner
Tell us a little bit about the team itself. You mentioned a little bit about adversary simulation, but how does that actually take place? When do you get involved?

[00:06:22.260] – Shay Nahari
We really offer full-blown adversary simulation. Imagine a bank coming to you and saying, “We want to test ourselves against an adversary trying to get access to our ATM network.” Think of everything that lies in between, from the technical controls of getting access to the human element, social engineering, to the internal security controls of detection and prevention of cyber attack, to move into sensitive networks, and all the way even to procedures.

[00:06:53.920] – Shay Nahari
What happens when there is a detection of the incident? Who do you notify? How do you notify? How do you react? It’s the famous words of the great philosopher Mike Tyson, “Everyone has a plan until they get punched in the face.” This is an opportunity to actually test yourself under real battle conditions.

[00:07:15.380] – David Puner
That’s great. I like that you’re taking some inspiration from Mike Tyson. When it comes to banks and the security, I assume this is going a little deeper than PIN numbers.

[00:07:26.750] – Shay Nahari
Correct. Every organization obviously have different crown jewels that they want to protect. So It really depends on what the organization does and what you want to test against. Banks, obviously, it could be ATMs. It doesn’t have to be ATM. It could be SWIFT System. It could be mainframes. It could be PAI. Critical infrastructure obviously have SCADA networks, infrastructure network that they want to protect, manufacturing sites.

[00:07:52.300] – Shay Nahari
Every organization is different, and every organization has a different secret sauce that they’re trying to protect. We try to look at it holistically, which means we try to look at the organization as a whole, ask the organization what is it you’re trying to protect, learn about the business, and then ask them to define the KPIs, the targets as the actual business targets.

[00:08:14.520] – Shay Nahari
We don’t want to come back and do, “Okay, we got certain privileges,” and that’s the end game, right? Because in reality, no attacker would say, “Oh, I got certain privileges, domain admin, and then this is it.” You want to measure yourself against what adversary would actually do. So we ask, “What are the targets? Tell us a little bit about the targets.” Obviously, there are legal framework around that to make sure that everyone is protected. But outside of that, almost everything else is a fair game if it would be something that a real attacker may try.

[00:08:48.380] – David Puner
Are customers and prospects sometimes hesitant to tap into your services for fear of what they might find?

[00:08:55.900] – Shay Nahari
This is interesting. When I started this business, my original company, that would have been the case, right? A lot of the time in the past, we used to get pushback from senior management. Because if you think about it, the one who are authorized to approve this needs to be senior, usually VP, C-level, board members, and so on. So there used to be some pushback there. Today we get called by board member directly, going above the C-level and saying, “We want to understand this security risk for our business.”

[00:09:31.240] – Shay Nahari
I’m happy to say that today this is a little bit different view than it used to be. Organizations are not concerned anymore. Most organizations out there above certain size already went through some sort of security testing in the past, whether it’s vulnerability assessment, penetration testing. They have internal teams. So the discussion is not about “we don’t want you to do it”, but mostly “how and when”. So it’s a very different world that we live in.

[00:09:59.390] – David Puner
As far as staying atop whatever the latest, greatest attack techniques may be and/or coming up with them yourselves, how do you do that?

[00:10:10.500] – Shay Nahari
I think what’s unique to us is that we do spend a lot of time doing exactly what you just described: research and development. So we develop our own set of TTPs, our own set of tools and techniques, try to emulate what other actors are doing. Obviously, you don’t always have insight to the nature of other attack groups, especially when you talk about nation-states.

[00:10:34.890] – Shay Nahari
You may know what they’re going after, you may have some insight into their techniques based on public information. But a lot of the internal stuff that is not detected yet, you don’t know. So we try to emulate and do internal research and develop our own equivalent tools to allow our customers to test again. The idea for them is to face an adversary with unknown set of capabilities.

[00:10:57.950] – Shay Nahari
As we go through this engagement with the customer, we would oftentimes switch to a more commoditized tool to allow them also to test themselves against what’s already public knowledge. That gives them a good idea of how would we face against unknown adversary with unknown capabilities, as well as how well are we facing public commoditized TTPs and techniques that are currently out there to give them a good range of testing against known and unknown at the same time.

[00:11:30.960] – David Puner
How much more complicated has the landscape gotten in the last two years?

[00:11:36.330] – Shay Nahari
This is interesting. When the whole COVID started and companies moved to work from home, there was a rush. We saw a rush going into building infrastructure that wasn’t there almost overnight. Even organizations that traditionally did not allow work from home—we’ve seen certain banks that had some compliance reason to not allow that—basically got an approval to do that and build the entire infrastructure overnight.

[00:12:02.330] – Shay Nahari
The second phase was this reaction of that. Obviously, a lot of security holes happened. I think today we’re basically left with the infrastructure that was built there is still there, whether the organization is using it or not, and it became part of their attack surface. If you built an infrastructure to allow external contractors to access your organization, that infrastructure is not going anywhere, whether you use it or not.

[00:12:27.090] – Shay Nahari
We’ve also seen a big shift, obviously, in ransomware. If you look at 2018, 2019, there was also a moment there when we saw a crypto miner running the same in ransomware. Nowadays you mainly see ransomware groups, and there’s almost not a day that you don’t hear about an attack. We did see a shift there as well.

[00:12:47.840] – Shay Nahari
Today we see more shift towards operator-driven attack. A human being actually drives the attack. It’s no longer just “go drop a ransomware and run it”. It’s an operator that knows what he’s doing. It’s going after privileges, escalating privileges, and as a final step, drop the ransomware, which is much harder for organizations to prepare because at that point in time, the attacker is already in the network.

[00:13:11.990] – Shay Nahari
We’ve also seen a shift in that from recent months where we’ve seen ransomware operator skipping the encryption part. They almost don’t even encrypt the data, just steal the data and get the same ransom just from not sharing the data. I’ve seen it with Lexus a lot, where they stole data and just ask for ransom to not release it. That’s obviously most healthy for them because if you don’t need to encrypt, it’s one less set of IOCs that give you less chance to get detected there.

[00:13:44.190] – David Puner
How does your team get involved when there’s an actual crisis?

[00:13:48.580] – Shay Nahari
This is something that came organically to the team. When we built the team, this wasn’t something we immediately thought about. But over time, we’ve noticed there’s organizations out there, when they get breached, the phone number zero always goes to attorney. You find out there’s someone in your network, the first thing you do is you call your attorney, no question asked.

[00:14:09.130] – Shay Nahari
The actual first call you make is to the incident response company. The company that will help you investigate what’s going on in the actual breach. Oftentimes, either at the same time or as the result of the finding of that incident response, they may call a company like CyberArk to help remediate and maybe block the attacker, rotate all the credentials in the organization, and help build a secondary infrastructure.

[00:14:36.120] – Shay Nahari
We get, oftentimes, called to scenarios where organizations are having an active breach on their hands. When that happens, this is led by our consulting group, not the red team group. But oftentimes, because there is an adversary and there’s an active adversary in the network, oftentimes they will call us to help come in and give the attacker perspective on this. “The attacker is here, he’s going after that system. How would you do that? Why do you think he’s doing that right now? How do you think he got to that point in time?”

[00:15:09.490] – Shay Nahari
We sit together with the incident response team and maybe law enforcement or whoever is part of the game, if you will, and help bring our own perspective of “if we were the attacker, what we would have done in that specific scenario.”

[00:15:26.940] – David Puner
How do you account for working with law enforcement in potentially any country in the world?

[00:15:31.920] – Shay Nahari
There is always legal already in place. Usually, there is an active responder, like an incident response company that is leading that incident or they’re handling the investigation. They were the one, oftentimes, telling the organization, “Hey, we need a company like CyberArk to come in, and we need their advice on how did the attacker move here or how did he use the identity.”

[00:15:55.370] – Shay Nahari
At that point in time, to answer your question, oftentimes there’s no law enforcement at that point in the game. If there is, then there is a certain framework that is already set by the legal teams to handle that communication. Obviously, our legal team is involved in every step of the way.

[00:16:15.660] – David Puner
What’s it take to get a job on your team?

[00:16:18.000] – Shay Nahari
I’m glad you asked. We do actively hire. We always actively hire red teamers. For my specific team, like I said, because we’re maybe a little bit different than other organizations that do that. We do spend a lot of time on research and development, coming up with our own techniques and tools. So probably looking for someone who has some offensive security development experience, someone who actually wrote offensive security tools, maybe did a exploitation research, or just weaponize existing vulnerabilities.

[00:16:50.970] – Shay Nahari
But definitely, we’re always looking for someone who can actually come up, develop tools, develop new techniques rather than traditional operators, people who just do the operation. We tend to prefer people who have that more offensive security development experience that can also do operation, rather than the operation who can also do some development.

[00:17:16.240] – David Puner
I’m taking it that you probably don’t get too many people transfer from the content team over to your team.

[00:17:22.850] – Shay Nahari
I wish. As most organizations in our field, we do have challenges in finding the right talent for us.

[00:17:33.840] – David Puner
So it’s a shortage of talent in the industry because of the lack of experience at this point? Or is it because there’s just not enough talent out there?

[00:17:42.520] – Shay Nahari
I think the cybersecurity field overall, it’s a big war in cybersecurity, right? But I think because of the huge expansion in the last couple of years, there’s just not enough talent overall.

[00:17:54.030] – David Puner
Does the industry invest in the training? Or is it relying on possible candidates to get this training elsewhere and then bring it to the industry?

[00:18:03.690] – Shay Nahari
This is a really, really good question. I will obviously can only comment on my own opinion. I feel that in some cases you’re right. I think that some organization, because of that expansion that cybersecurity had, don’t invest enough in talent or at least not enough in junior level to bring it up to senior level. But it’s also a matter of enough time. If the organization is expanding and they need to fill 200 positions right now, then it might not have enough time or capacity to invest in talent.

[00:18:36.920] – Shay Nahari
I think, and again, this is my own personal opinion, I do feel that we, as an industry, relying today on universities, government, the sector to provide us with talent, which, again, is not working well for us, from sheer capacity. We need to do things differently.

[00:18:56.120] – David Puner
Because when I think about what you do, it seems to me, and probably to other people who don’t know all that much about much, that what you do is very similar to the kind of stuff that we see in TV and the movies and stuff like that all the time. I’m probably dating myself here, but a Jack Bauer-type of character, maybe that’s a little bit extreme. But there’s a crisis and you call in the pit boss or the Viper or whomever it may be, and off you go, and things are solved relatively quickly. Is that how this goes in real life? Are there any movies or TV shows that this is actually similar to and get it right?

[00:19:38.730] – Shay Nahari
Are there any shows out there that show a real representation of this? I would personally think the one that I thought was the most accurate representation was Mr. Robot, at least the first season that I watched. I think they’ve definitely got a very good someone consulting them and making sure it’s close to real life. Everything there would be something that is feasible, and they use the real tool, the real techniques, even the real hardware.

[00:20:10.750] – Shay Nahari
The only thing that would have been different in that show, I would say, is the time. You would see operation that would take months to actually execute, done in five minutes. That’s TV, you have to make it interesting. But outside of that, I would say that’s a good representation of hacking or penetration testing or the best one I have seen today.

[00:20:36.210] – David Puner
So in real life, everything is much slower than the way that we might be accustomed to seeing it on TV or in the movies?

[00:20:42.570] – Shay Nahari
I would say there’s much more failure in real life. Like, you would try a million things before one successful thing happen. It’s rarely that you go, the first thing you try succeed. Think about it as someone who’s trying to poke holes in a door, in a wall. You need to spend time in trying to understand what’s working, what’s not working in order to succeed.

[00:21:05.820] – David Puner
I’m glad you mentioned success because I wanted to ask you what success looks like for your team.

[00:21:10.780] – Shay Nahari
I think if we actually look at what we’re giving to our customers, success should always be measured against what value did you bring the organization. It’s not always, “Yes, I succeeded. I got to your mainframe. Look how cool I am.” It’s really about, “Okay, we’ve tried different techniques. We want to give you a perspective of different level of attackers and we want to make you better.”

[00:21:35.720] – Shay Nahari
If the customer has an understanding they did not have when we started engagement and he has an actionable keys, actionable plan to improve his security posture, then I would call that a success. It’s not about solving all the problem you found. It’s about making steady progress. Because again, in real life, you don’t just finish an engagement and, “Oh, we’re now secure.” It’s just about making steady progress in security over time as a result of an insight you gain from that engagement, from that adversary simulation engagement.

[00:22:12.180] – David Puner
What’s the biggest misconception or gap you see when it comes to enterprise or organizational understanding of cybersecurity?

[00:22:19.530] – Shay Nahari
By far, from my experience, I would say focusing on the perimeter, focusing on getting in. A lot of organizations spend a lot of time in trying to make sure attackers are not in or not able to gain that initial foothold, which is, again, if you think of organizations out there today, especially when you look at Fortune 200 companies, they have hundreds of thousands of employees, tens of thousands of assets exposed to the Internet. The assumptions that nothing in your network is never compromised, I think it’s always going to be false.

[00:22:55.300] – Shay Nahari
So I think a lot of the time we would recommend organizations to assume that someone is already in their network or someone already gained access to cloud assets, and try to take that assumption. Start from there.

[00:23:08.660] – Shay Nahari
When you’re planning and building your security posture and your security controls, make the assumption that something is already compromised. Obviously, spend the effort and time trying to protect the perimeter. I’m not saying you shouldn’t do that, but like I said, hope for the best, prepare for the worst. Assume that something is already compromised and make all the security control with that assumption in mind.

[00:23:31.520] – Shay Nahari
So trust but verify. Always think, “What if attacker already has access to an employee’s laptop or has access to that cloud asset, is that a game over for me? Does that mean it took over my entire infrastructure?” If the answer is yes, you need to go back to your drawing table and redesign the entire security posture for that asset.

[00:23:52.320] – David Puner
So assume breach?

[00:23:53.950] – Shay Nahari
Assume breach.

[00:23:55.020] – David Puner
What’s the most challenging crisis you’ve ever been involved in and what did you learn from it?

[00:24:00.970] – Shay Nahari
I have an interesting story. I’m going to try to stay vague to make sure that I don’t give too much. But we’ve had an engagement with an organization and we’ve had a repeated one. So we’ve done a repeating engagement with them for two years straight. For the third year when they hired us, they’ve prepared for a full year for us, meaning they’ve had different security controls in place and had entire teams preparing the organization for our arrival.

[00:24:32.820] – Shay Nahari
We started engagement. We do the initial call, talking about what the client chose for the target. We’re given the green light to start, and we start engagement. So we go, we get in, we moved from one target to another. Then two days in, we got an email from the organization saying, “We caught you.” We say, “Really? Wow, that’s impressive. We didn’t think you will. Can you send us the evidence for that?” And they’re sending us the evidence of what they found and we look at that and say, “That’s not us.” They say, “What do you mean that’s not you?” We say, “That’s not us.”

[00:25:07.750] – Shay Nahari
We go back and forth and they keep sending us to say, “We found this and we found this.” And they keep sending us those list of IOCs and we looked at them and we say, “None of this is us.” Obviously, this is a very tense moment. At that point in time, as I mentioned, they involved an incident response company. Sure enough, they found out it’s a different nation-state actor that’s in their network, funny enough, for two years.

[00:25:35.250] – David Puner
Wow.

[00:25:36.130] – Shay Nahari
Yes. Obviously, we helped in the investigation. We looked at the data that was found. I won’t share more detail, obviously, but this was a very interesting scenario, to say the least.

[00:25:50.310] – David Puner
You can tell me the rest later.

[00:25:53.010] – Shay Nahari
I don’t think I can do that even offline.

[00:25:55.800] – David Puner
But when I join your team you can tell me.

[00:25:58.030] – Shay Nahari
Yes, I can tell you.

[00:25:59.400] – David Puner
I recently heard you referred to as the most interesting man at CyberArk. Is that something that you would agree with? And if so, why? And if not, why?

[00:26:11.460] – Shay Nahari
Wow, that’s a bold statement. I don’t even know what to say to that. No, absolutely not. I can think of a lot of people—some of them are in my team—that have interesting stories. But again, if you meet me in person, buy me a beer and I’ll tell you more.

[00:26:28.740] – David Puner
Sounds good, will do. When? Tonight?

[00:26:31.240] – Shay Nahari
Sounds like a plan. Thank you for having me, David. I had a blast.

[00:26:41.470] – David Puner
Thanks for listening to today’s episode of Trust Issues. We’d love to hear from you. If you have a question, comment—constructive comment preferably, but it’s up to you—or an episode suggestion, please drop us an email at [email protected]. Make sure you’re following us wherever you listen to podcasts.