I'm dyslexic, and when I was young I had problems learning how to read. The conventional, phonetic-based approach didn't work for me and I fell behind. I was teased relentlessly, but despite my classmates' taunting, I knew I wasn't stupid. If anything, it made me extremely determined to learn how to read.
While my teachers' methods didn't work for me, they did offer a reference point for my own efforts. Dyslexic people process visual information differently than most people, so instead of starting with letters or sounds, I looked at sentences or even paragraphs as a whole, and then broke them down into parts. That process – starting with the big picture and breaking things down – worked much better than the "normal" word-by-word, letter-by-letter approach taught in school. Essentially, I learned how to read by reverse-engineering my first-grade teacher's reading comprehension methods.
That was my introduction to hacking, and I've been at it ever since.
By the time I entered the Israeli army, not only had I become a prolific reader, I had learned to enjoy problem solving. The military is all about conforming to the chain of command and following orders, but there are plenty of areas within it where independent, out-of-the-box thinking is highly valued. I landed in one of them – the Israeli Defense Forces' cybersecurity intelligence group, Unit 8200. I became commander of a team that specialized in reverse-engineering intricate hacking operations.
Our job was to hack hackers. It sounded great to me since it was an undertaking that was heavy on problems and light on instructions. In a way, I was right back in grade school, but instead of looking at words, I was looking at seriously complex hacking operations, dismantling them piece-by-piece. And the stakes were high; we may not have been fighting a physical war, but we were engaged in conflict with real adversaries who were just as talented as we were. It was an incredible education.
Unsurprisingly, when I left the army, I was eager to put my unique experiences to use, but I was no longer surrounded by elite soldiers who shared my worldview and perspective on cyber defense. The mindset in the private sector was focused on compliance, expediting and prioritizing alerts, and trying to keep up as their networks grew. Organized criminal attacks may have been on the radar, but for most part, they were still on the periphery.
Now breaches are commonplace, but our approach to dealing with them has not changed. Security teams are still singularly focused on piecemeal tasks. When it comes to attacks, the conventional practice when malware is found is to remove it immediately. It's a knee-jerk reaction that's deeply ingrained into the culture. This myopic view of cyber defense leaves organizations extremely vulnerable to today's cybercriminals.
The advanced persistent attacks my team dealt with in the IDF were viewed as aggressive acts of war. Whether perpetrated by nation-states or organized crime, these kinds of attacks are now commonplace in the private sector. Enterprises are foolish if they don't start defending themselves as if hostile forces were aggressively attacking them, because they are.
It explains why so many people from Unit 8200 have started cybersecurity companies – including my co-founders and myself – are doing so well. But as amazing as our products may be, they are just one piece of the equation.
And that's why I am so excited about this blog.
Security myopia is deeply embedded in the culture of cybersecurity teams. Moving past it requires swimming against a very strong current. In my view, it requires organizations to change their fundamental mindset about cyber defense. That's a tall order – it includes re-evaluating what technology they use as well as why and how they use it.
Reaching this goal becomes a lot more achievable if we evolve our approach to the problem, even if it departs from the status quo. If a company is breached, it doesn't have to mean the defenders have lost and the adversaries have won. Rather, it becomes the starting point for the organization to turn a perceived failure into a major advantage. For example, rather than wipe malware the moment it's found, why not let it run and see how it operates? It might lead you to other code hiding out on the network that you had no idea was there.
Today's cyber-defense landscape is one in which businesses can and should be hacking the hackers. My experience has taught me that any adversary can be beaten at their own game.
In future posts, I'll be discussing the tradecraft of hacking hackers as it relates to security operations, but wanted to kick off this blog with a post about how the most powerful resource we have at our disposal is our minds. Corporate security teams need to transition out of security myopia. Once we get around the limitations of our own thinking, hacking the hackers is a lot easier than we would think.
Lior Div is the CEO and Co-Founder of Cybereason. This blog previously appeared in Network World.
