Ep 7 – Cyber Attack Cycle Deconstruction w/ Lavi Lazarovitz, Head of Security Research at CyberArk Labs

[00:00:00.370] – David Puner
You’re listening to the Trust Issues. I’m David Puner, a Senior Editorial Manager at CyberArk, the global leader in identity security.

[00:00:23.310] – David Puner
Threats and vulnerabilities. In cyber, the arguable fourth [inaudible 00:00:28]. The landscape is treacherous and a petri dish from [inaudible 00:00:34]. The landscape itself is cordoned off by boundaries that we know are riddled with vulnerabilities. But there are basic steps we can all take to avoid falling [inaudible 00:00:43] tried and true and still very successful threats. But when it comes to the unknown emerging threats, in many cases novel techniques are attacks that exploit hidden vulnerabilities.

[00:00:59.830] – David Puner
It’s because in large part, there are researchers at the cutting edge dedicated to the pursuit and understanding of these emerging threats. By thinking just like attackers do, they dissect threats, track, discover critical security holes, and share proactive security measures.

[00:01:18.970] – David Puner
Our guest today is Lavi Lazarovitz. He’s Head of Security Research at CyberArk Labs, and he leads an elite group of white hat hackers and cybersecurity practitioners, many of whom served in the Israeli Defense Force, himself included. Working side by side, they examine emerging attack techniques and post exploit methods. In [inaudible 00:01:43] these threats, they also pop the proverbial hood on them and try to deconstruct the attack cycle and better understand how threat actors operate, in efforts to defuse them or stop variants from evolving or spinning off from them.

[00:01:55.580] – David Puner
I caught up with Lavi. He was heading into his weekend in Israel. It was great speaking with him outside of the constraints of our typical intercontinental video meetings. I hope you enjoy our unthreatening conversation.

[00:02:12.030] – David Puner
[inaudible 00:02:12] CyberArk Labs and what do you do? What does the team do?

[00:02:16.170] – Lavi Lazarovitz
Yeah, absolutely. CyberArk Labs is actually a unit built on three smaller units, the research unit, which, as you mentioned, I lead. We are focusing on the offensive perspective. Our goal is to think like attackers, find emerging security gaps. I’ll dig into it in a moment.

[00:02:46.110] – Lavi Lazarovitz
We have another unit sitting close to us here in these early offices, the innovation team working on producing new security line of defenses. Some of those are protecting against the gaps that we found in the research side. It’s a combination between those two red and blue forces. Last team that we have under CyberArk Labs is the… And they are responsible in bringing in new technologies into CyberArk to make sure that we are using the top notch technologies.

[00:03:19.810] – Lavi Lazarovitz
This is the CyberArk Labs. Just a few words about the research unit. As I mentioned, focus on the offensive perspective. Our mission statement is to know the offensive perspective the best way we can. Our holy grail is to find emerging [inaudible 00:03:42] or vulnerabilities, attack vectors that will be used in the near future by threat actors. This is a mission statement, a few awards about CyberArk Labs.

[00:03:52.290] – David Puner
How hard is it to accomplish that mission [inaudible 00:03:55] like an attacker? I can’t imagine attackers all think one particular way. How do you cover that spectrum?

[00:04:02.080] – Lavi Lazarovitz
There are several challenges here. First challenge is, as you mentioned, the spectrum of technologies out there. There are so many new technologies and new attack surfaces. It’s really difficult to prioritize and I know that organizations and blue teams have [inaudible 00:04:24] so many technologies we need to adapt and so many tech surfaces we need to get to know.

[00:04:30.620] – Lavi Lazarovitz
Another challenge, any technology that we are looking into—and I can share with you that at the moment, for example, we are looking into decentralized identity [inaudible 00:04:40] and blockchain and ledger—based identity infrastructure—when looking at this technology, the attack surface is just huge.

[00:04:52.130] – Lavi Lazarovitz
Looking at it, there are so many threat actors who try to penetrate. There is the ledger itself, there is the wallet on mobile phones, so there’s also a mobile perspective, protocols, so much stuff. Our challenge here, is to prioritize and find the lowest point. This is how threat actors operate as well; trying to make their life as easy as possible. [inaudible 00:05:22] is prioritizing and finding where is this easiest way.

[00:05:29.670] – Lavi Lazarovitz
You ask how we manage it. First of all, talented people, I guess it’s always [inaudible 00:05:37]. We are blessed to have super talented researchers that live the offensive side. There they have experience. They came from intelligence corps, they came from other places where [inaudible 00:05:52] done offensive work and now coming into CyberArk Labs to do blue hat stuff or white hat stuff, working for the good guys. They know, they have this [inaudible 00:06:08] and this is one way we handle it.

[00:06:13.480] – Lavi Lazarovitz
Second mitigation that we have or a way that we handle is just the community. The security community in Israel and globally, we are communicating, security research groups, we are learning from each other. I guess you see it in Twitter and Reddit a lot. A lot of discussions from security experts. This is another way we learn.

[00:06:38.040] – David Puner
When it comes to the community, there isn’t a lot of holding your cards as it were, there is a lot of knowledge and best practices and things like that?

[00:06:48.420] – Lavi Lazarovitz
Yeah, absolutely. I can share with you that [inaudible 00:06:51]. From my perspective, I’m in touch with many security researchers in Israel and globally and we talk a lot about the research we do, the insights, things that happen in the news.

[00:07:07.960] – Lavi Lazarovitz
We also talk about our projects that fail from time to time. Doing research and looking for vulnerabilities is super daunting and sometimes frustrating. Because you’re digging in, looking in the code, sometimes could be thousands of lines of code and in many cases you end up with nothing. We also share our frustrations.

[00:07:31.410] – David Puner
On any given week, month, whatever it may be, I’m presuming you have a plan for where your research may take you or where you want to go. But obviously crisis situations happen fairly frequently. How do you prepare for [inaudible 00:07:49] and then everything that seems front and center the moment before the crisis happens, how do you balance continuing to do your work while attending the crisis situations?

[00:08:02.480] – Lavi Lazarovitz
I think that planning is key and planning for such scenarios we need to respond quickly. You need to analyze the malware, ransomware, you need to get to know the techniques used or the tools used to give some insights is crucial, it’s critical. This is cardinal to allow our team respond in time. Maybe I’m stating the obvious here, but we have a specific plan. The people that know that once something happened and we flag it, we know what we need to do.

[00:08:41.080] – David Puner
Taking a step back for a second, you’ve been with CyberArk for almost eight years. How did you get into the cyber [inaudible 00:08:48]?

[00:08:50.930] – Lavi Lazarovitz
I love this question. I actually had a few chances during last week to share my story because of Cyber Week here in Israel. I actually serve for these [inaudible 00:09:03] for twelve years. I’ll share with you the story. As an intelligence officer, when planning for a mission, one of the things that you have to do [inaudible 00:09:18] obstacles and of course threats for the aircraft that will be traveling or will be flying really low, close to the ground to avoid radio detection.

[00:09:31.490] – David Puner
I saw that in Top Gun.

[00:09:33.890] – Lavi Lazarovitz
Exactly. Very quickly, it’s really fun, but it’s super scary. Because it’s a matter of milliseconds to fly into [inaudible 00:09:47]. Anyways, what we do as part of preparation is, for example, take a satellite image and then analyze the strip where the route is planned. This is where you map threats and [inaudible 00:10:01]. But for routes at 3,000, 4,000 kilometers in length, you can imagine how huge this analysis task is.

[00:10:15.410] – Lavi Lazarovitz
One day our intelligence partners, the documentation and map with all the obstacles right in front of us and it saved us so much time, it was so much [inaudible 00:10:31]. The source of this—well, I don’t really know what the source of this was—but my assumptions was that it was the work of cyber warriors. Those guys [inaudible 00:10:46] information, took it from somewhere and put it on our desk.

[00:10:51.930] – Lavi Lazarovitz
A few years later when I completed my services at the Israeli Air Force, I was really curious how this whole thing work. 2012 — 2013 I think it was, there were two super interesting and critical vulnerabilities. There was one Heartbleed SSL protocol and the other one Shellshock.

[00:11:19.900] – Lavi Lazarovitz
Those even more triggered my curiosity and this is where I knew I want to find these, I want to work with people that know how to do that. Step by step I [inaudible 00:11:30] the way working with the best researchers and Israel is a good place to meet brilliant researchers. But I can admit, David, that like other researchers, I don’t have [inaudible 00:11:46] where I was eight years old and I find my way or cracked some PC game or something like that.

[00:11:54.650] – David Puner
I know most folks listening to this podcast probably know what [inaudible 00:12:00] software vulnerabilities is, but if you could quickly [inaudible 00:12:03] what responsible disclosure is and then we’ll get a little deeper into it.

[00:12:09.720] – Lavi Lazarovitz
Yeah, so responsible disclosure is a process where the researcher, for example, finds a vulnerability—which also requires a definition here I’ll touch on it—finds a vulnerability, disclose it in a responsible manner. Not exposing details or more specifically to threat actors before the software vendor had the chance to produce a fix, a patch for it, and before customers using the vulnerable software had the chance to deploy the patch.

[00:12:45.390] – Lavi Lazarovitz
This whole process, responsible disclosure process, is aimed to allow both software vendors and customers, and everyone using the software, enough time to protect [inaudible 00:12:58] before the vulnerability becomes public.

[00:13:02.860] – Lavi Lazarovitz
We need this responsible disclosure because on the other side, what used to happen is that vulnerabilities were deemed down or pushed aside. Years ago when a researcher found a vulnerability in an application, the vulnerable software vendor could have sued the researcher that found it, which we don’t want. We really do want the white [inaudible 00:13:27] improving overall security.

[00:13:33.010] – Lavi Lazarovitz
Or in other cases just ask him or the researcher not to talk about it, just to silence it down. In this case, probably imagine the vulnerability might still exist and customers might not be aware. They started saying this whole responsible disclosure process is something that developed with time and might [inaudible 00:13:58] the nonprofit organization, define what a vulnerability is and have this all CVEs organized those vulnerabilities, assigned a number so it would be easier.

[00:14:13.450] – Lavi Lazarovitz
This is the responsible disclosure process definition. The vulnerability part, as I touched before, also has few definitions and it’s pretty broad definition.

[00:14:26.170] – David Puner
Do you think [inaudible 00:14:29] definition and is it possible?

[00:14:32.290] – Lavi Lazarovitz
There is a shared definition of a vulnerability. One of the things that we are missing as a community between a vulnerability that impacts the software itself, the confidentiality, integrity, and vulnerable software itself and the functionality it provide [inaudible 00:14:56] explain.

[00:14:58.270] – Lavi Lazarovitz
Security vendors have tools and products that secures a system. Let’s say Agent X, this is the product and it could allow an attacker or threat actor to escalate privileges or even run arbitrary code on some system. It is vulnerable, I think that everyone agrees on that.

[00:15:24.670] – Lavi Lazarovitz
On the other hand, a functionality, for example, to detect certain malware or prevent execution of certain application. The threat actors successfully bypass this type of functionality [inaudible 00:15:39] it’s not that Agent X is vulnerable, it just can be bypassed. It’s not always defined as a vulnerability.

[00:15:48.900] – Lavi Lazarovitz
This is the gap that I see now when we disclose vulnerabilities to the software vendor. When it comes to the function, in some cases the priority gets lower, in some cases it’s not considered a vulnerability, it’s not a security boundary gap. This is where I think that the community [inaudible 00:16:08] pay attention to this point because now more than ever, the loss of technologies, parameters are not clear.

[00:16:19.670] – Lavi Lazarovitz
There’s not only on premise stuff, there’s data and application and we really need to differentiate between those type of vulnerabilities and prioritize with the right parameters and circumstances both. This is one [inaudible 00:16:40] working with many security vendors recently.

[00:16:43.910] – David Puner
We’ve got so much more to talk about, but I know that you’ve got your weekend coming up on you very hard and fast here and you’ve got [inaudible 00:16:52] very soon creative vulnerability there. I was hoping we could ask you one last thing to wrap up.

[00:17:00.570] – David Puner
I realized while we were talking that more often than not, when I see you on video calls, you’ve got a backdrop. You’re a man of mystery to a certain degree, at least around here. I was wondering if there’s something interesting about yourself that might surprise people. I know that might seem a little bit like an interview question, but [inaudible 00:17:23] here so let’s give it a shot.

[00:17:28.290] – Lavi Lazarovitz
My surprise, people. I have an easy one. You can’t really see me right now, or at least the lower part, but [inaudible 00:17:38] 192, so I think it’s about 6 feet. When I tell people that I play soccer and not basketball, they’re usually surprised [inaudible 00:17:50] something surprising, I play soccer, I don’t play basketball. I use my height to go for the highballs, but I’m not trying to.

[00:18:04.880] – David Puner
Do what position do you play?

[00:18:08.170] – Lavi Lazarovitz
Usually I play either a defense or back midfield, protecting the crown jewels and preparing for attack.

[00:18:21.030] – David Puner
Definitely [inaudible 00:18:21] back on again so we can talk more things, soccer and everything else. We really appreciate you coming on the podcast. Thanks so much Lavi.

[00:18:32.460] – Lavi Lazarovitz
Thank you, David. It was a pleasure.

[00:18:41.990] – David Puner
Thanks for listening to today’s episode of Trust Issues. We’d love to hear from you. If you have a question, comment constructive [inaudible 00:18:48] but it’s a question, please drop us an email at [email protected]. Make sure you’re following us wherever you listen the podcast.