Lessons the military can bring to cybersecurity [Q&A]
The ongoing struggle between good and bad actors in the cyber world has often been compared to a battle or warfare. More recently the threat of nation state attacks on critical infrastructure has led to more actual military interest in the cyber arena, as we've seen in Ukraine.
The Israel Defense Force's 8200 unit is often referred to as the SEALs or SAS of cyber military units, and its veterans are driving many of Israel's tech start-ups.
We spoke to Omer Zucker, product team lead at Pentera and former member of IDF 8200, to learn more about what cybersecurity can learn from the military.
BN: How did you first get involved in cybersecurity?
OZ: I grew up like many kids in Israel who find their way into cybersecurity -- playing soccer in the neighborhood and living a normal kid's life. I wasn't coding at a young age or deemed a technical prodigy.
I did always have an affinity for math and science. In high school, I took advanced chemistry, physics, etc. Shortly before I was set to begin my military service, I received a letter informing me to arrive at a certain location at a certain time, with no further details. I ended up taking the first exams on my way to join the IDF 8200 unit.
BN: What was the training regimen like in the 8200, and how is it different from a typical academic or private sector setting?
OZ: The training was very intense and tailored to my specific role.
When you're a university student, you sit in class, absorb the material -- be those highly abstract or practical concepts -- have homework and exams, but you never truly get to operationalize the concepts you've learned in a real-world setting. Practical does not necessarily translate into operational.
In the 8200, even as a trainee, tasks are extremely operational with a high sense of urgency. You must deliver something that provides real-world impact in a certain time period.
BN: What is your current role with Pentera and what exactly is automated security validation, how is it different from pen testing or breach and attack simulation (BAS)?
OZ: Organizations have long understood the importance of testing their defensive posture. Pen testing, BAS and additional strategies are commonplace. Despite all the security measures companies invest in, successful attacks continue making daily headlines. The reason legacy vulnerability-centric programs and simulations fail is they don't show CISOs where they're most exposed based on how adversaries actually think and act.
The cornerstone of security validation is carrying out continuous testing, focusing on the adversary point of view. Where we take it a step further is we automate these tests and remove the manual burden from security teams. This means automating the actual tactics and techniques of the attacker -- reconnaissance, discovery, sniffing, spoofing, cracking, malware injection, exploitation, lateral movement and privilege escalation -- all the way to data exfiltration. This exposes the real kill chain, providing security teams an exact attack operation view and true assessment of their resiliency against real attacks.
At Pentera, I'm the product team lead, specifically responsible for the research in the entire platform. In my role, this means researching attack vectors and flows, CVEs, vulnerabilities, and productizing our own exploits so customers can expose their environments to real-world attack scenarios in a safe way.
BN: How did time in the 8200 prepare you for this role?
OZ: The unit created the opportunity for me to engage the real cybersecurity realm from different perspectives. It exposed me to both cybersecurity methodologies and practices, which are crucial to my job today.
My role at Pentera is basically putting real cyberattacks and capabilities into the Pentera platform, so my army experience was invaluable. In my role now and in so many others across cybersecurity, the ability to learn new concepts and stay one step ahead of the adversary is crucial. My team and I are constantly researching and learning new attack vectors and exploits so we can translate them into our automated security validation platform.
BN: What are the trends driving the adoption of security validation?
OZ: The ever-evolving threat landscape is a primary driver. Attackers are constantly introducing new exploits and the only way to ensure optimal security posture is to continuously expose your environment to the latest malicious activity. Another big one is vulnerability fatigue.
There were more than 15,000 vulnerabilities found in 2020 according to Gartner, while only eight percent were exploited by attackers. The accepted train of thought among security operations teams is to be 'patch perfect'. This mindset fuels the never-ending game of patching whack-a-mole -- when one vulnerability gets found and added to the queue for patching, another pops up. This amount of patching can be overwhelming -- tiring already overworked and understaffed security teams, and making it impossible to effectively mitigate risk.
Although not labeled as security validation, in a recent Binding Operational Directive, the Cybersecurity and Infrastructure Security Agency (CISA) established specific timeframes for federal civilian agencies to remediate vulnerabilities that known adversaries actively exploit, noting that, "Attackers do not rely only on 'critical' vulnerabilities to achieve their goals; some of the most widespread and devastating attacks have included multiple vulnerabilities rated 'high', 'medium', or even 'low'."
This aligns closely with the concept of security validation. An organization with 3,000 total assets will often have 30 times that many critically ranked vulnerabilities, with 90 percent of them presenting zero legitimate danger because there's either no exploitation available, or from an environment architecture standpoint, it’s simply impossible. At its core, the directive urges organizations to adopt the attacker mindset and prioritize vulnerabilities based on real-world impact, not a CVSS score, like we do.
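The prioritization argument in the last answer, as an added example that is not part of the interview or of Pentera's platform: a small triage routine that orders a constructed vulnerability inventory by known exploitation (with a fixed remediation deadline, as the CISA directive mandates) and by whether an exploit path actually exists in the environment, using CVSS only as a tie-breaker. The ids, assets, flags and the 14-day window are all assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Finding:
    asset: str
    vuln_id: str            # placeholder ids, not real CVE numbers
    cvss: float
    known_exploited: bool   # on a known-exploited list (CISA-style); constructed flag
    reachable: bool         # an attack path to the asset exists given the architecture
    exploit_available: bool


# Constructed inventory with hypothetical ids; not data from the interview.
FINDINGS = [
    Finding("web-01", "EXAMPLE-0001", 9.8, False, False, False),
    Finding("vpn-gw", "EXAMPLE-0002", 6.5, True, True, True),
    Finding("db-02", "EXAMPLE-0003", 7.5, False, True, True),
    Finding("hr-app", "EXAMPLE-0004", 4.3, True, True, True),
    Finding("dev-vm", "EXAMPLE-0005", 9.1, False, True, False),
]
TODAY = date(2024, 1, 1)  # constructed reference date


def triage(findings, today, known_exploited_days=14):
    """Return (actionable, deferred).

    Actionable items are ordered by real-world impact: known-exploited first
    (each with a remediation due date), then findings that are reachable and
    have a public exploit; CVSS only breaks ties. A "critical" score with no
    exploit path is deferred rather than fed into the patching queue.
    """
    actionable, deferred = [], []
    for f in findings:
        if f.known_exploited:
            due = today + timedelta(days=known_exploited_days)
            actionable.append((0, -f.cvss, f, due))
        elif f.reachable and f.exploit_available:
            actionable.append((1, -f.cvss, f, None))
        else:
            deferred.append(f)
    actionable.sort(key=lambda t: (t[0], t[1]))
    return [(f, due) for _, _, f, due in actionable], deferred


def summarize(findings, today):
    """Queue order plus the share of findings deferred as presenting no real danger."""
    actionable, deferred = triage(findings, today)
    return {"order": [f.vuln_id for f, _ in actionable],
            "deferred_pct": round(100 * len(deferred) / len(findings))}
```

Running `summarize(FINDINGS, TODAY)` puts the two known-exploited findings (scored 6.5 and 4.3) ahead of the 9.8 and 9.1, which are deferred because no exploit path exists.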