The ongoing fight between good and bad actors in the cyber world has often been compared to a battle or a war. More recently, the threat of nation-state attacks on critical infrastructure has led to a more real military interest in the cyber realm, as we have seen in Ukraine.
The Israel Defense Forces unit 8200 is often referred to as the SEALs or SAS of military cyber units and its veterans are powering many of Israel’s tech startups.
We speak with Omer Zucker, Product Team Leader at pentera and former member of IDF 8200, to learn more about what cybersecurity can learn from the military.
BN: How did you first get involved in cybersecurity?
OZ: I grew up like many children in Israel who find their way to cyber security, playing soccer in the neighborhood and living a normal child’s life. I wasn’t programming at a young age nor was I considered a technical prodigy.
I always had an affinity for math and science. In high school, I took advanced chemistry, physics, etc. Shortly before I started my military service, I received a letter informing me that I had to arrive at a certain place at a certain time, without further details. I ended up taking the first exams on my way to join the IDF 8200 unit.
BN: What was the training regimen like at the 8200, how is it different from a typical academic or private sector setting?
OZ: The training was very intense and tailored to my specific role.
When you’re a college student, you sit in class, you absorb the material, whether it’s very abstract or practical concepts, you have homework and tests, but you never really get to put the concepts you’ve learned into practice in the real world. around. Practical does not necessarily translate to operational.
On the 8200, even as a trainee, tasks are extremely operational with a high sense of urgency. You need to deliver something that provides real-world impact in a given period of time.
BN: What is your current role at Pentera and what exactly is automated security validation? How is it different from Penetration Testing or Breach and Attack Simulation (BAS)?
OZ: Organizations have long understood the importance of testing their defensive posture. Penetration tests, BAS and additional strategies are common. Despite all the security measures companies invest in, successful attacks continue to make daily headlines. The reason legacy vulnerability-focused programs and simulations fail is that they don’t show CISOs where they are most exposed based on how adversaries actually think and act.
The cornerstone of security validation is continuous testing, focusing on the adversary’s point of view. Where we go one step further is that we automate these tests and eliminate the manual burden on security teams. This means automating the actual attacker tactics and techniques (reconnaissance, discovery, sniffing, phishing, cracking, malware injection, exploitation, lateral movement, and privilege escalation) all the way to data exfiltration. This exposes the actual kill chain, giving security teams an accurate view of the attack operation and a true assessment of their resistance against real attacks.
At Pentera, I am the lead of the product team, specifically responsible for research across the platform. In my role, this means researching attack vectors and flows, CVEs, vulnerabilities, and producing our own exploits so customers can safely expose their environments to real-world attack scenarios.
BN: How did your time at 8200 prepare you for this role?
OZ: The unit gave me the opportunity to get involved in the real world of cybersecurity from different perspectives. It exposed me to both cybersecurity methodologies and practices, which are crucial to my current job.
My role at Pentera is basically putting real cyber attacks and capabilities on the Pentera platform, so my experience in the military was invaluable. In my current role and in so many others related to cybersecurity, the ability to learn new concepts and stay one step ahead of the adversary is crucial. My team and I are constantly researching and learning new attack vectors and exploits so we can translate them into our automated security validation platform.
BN: What are the trends driving the adoption of security validation?
OZ: The ever-evolving threat landscape is a major factor. Attackers are constantly introducing new exploits, and the only way to ensure an optimal security posture is to continually expose your environment to the latest malicious activity. Another big one is vulnerability fatigue.
More than 15,000 vulnerabilities were found in 2020 according to Gartner, while only eight percent were exploited by attackers. The accepted train of thought among security operations teams is to be ‘perfect patch’. This mindset fuels the never-ending game of patching whack-a-mole: when one vulnerability is found and added to the queue to patch, another pops up. This number of patches can be overwhelming – exhausting already overworked and understaffed security teams, and making it impossible to effectively mitigate risk.
Although not labeled as security validation, in a recent Binding Operating DirectiveThe Cybersecurity and Infrastructure Security Agency (CISA) set specific timelines for federal civilian agencies to fix vulnerabilities that are actively exploited by known adversaries, noting that “attackers don’t just rely on ‘critical’ vulnerabilities ‘ to achieve their goals; some of the most widespread vulnerabilities and devastating attacks have included multiple vulnerabilities rated ‘high’, ‘medium’ or even ‘low’.”
This aligns closely with the concept of security validation. An organization with 3,000 total assets will often have 30 times as many critically rated vulnerabilities, and 90 percent of them present zero legitimate danger because there is no exploit available or, from an environment architecture point of view, simply impossible. In essence, the directive urges organizations to adopt the attacker mindset and prioritize vulnerabilities based on real-world impact, not a CVSS score, as we do.