31: Industry Plague with Aviv Grafi

This episode has been automatically transcribed by AI, please excuse any typos or grammatical errors.

Chris Glanden  0:00

Aviv Grafi is the CEO and founder of Votiro, an award-winning cybersecurity company specializing in neutralizing weaponized files of all kinds through Secure File Gateway solutions. Aviv is the principal software architect for Votiro’s enterprise technologies, which protect against 100% of file-born cyberthreats within an organization. Beyond Votiro, Aviv’s areas of expertise span the cyber product lifecycle from strategy and development, through go-to market along with network security IDS/IPS/firewalls, defensive programming, enterprise security penetration testing, vulnerability research, and virtualization. Aviv, thanks for stopping by BarCode!

Aviv Grafi  0:41

Hey, Chris, and thank you for inviting me.

Chris Glanden  0:44

Yeah, absolutely. Well, first, tell me about your background. How did you get into the cybersecurity realm?

Aviv Grafi  0:51

So first, I’m based in Tel Aviv, Israel. I think, in the last 20 plus years, I’m in the sub security arena. I was studied at about probably the age of 13 with Linux boxes and hacking some stuff. And after graduating, I actually joined the intelligence forces here in Israel and was dealing mostly offensive and defense operations for several years before I actually moved to the private market, where we’re doing penetration testing and some other cool stuff before establishing Votiro. So basically, I think my knowledge was starting from high school went through the intelligence forces and through several companies, startups that I was working for.

Chris Glanden  1:43

Very cool. So I’d like to talk to you about the topic of ransomware. It’s a major threat across all industries today, although I’d quickly wnt to talk about the evolution and rise of ransomware. The first recorded attack, I believe was the AIDS Trojan in 1989, where the ransom was only 189 bucks and had to be sent to a PO Box. So it’s come a long way and I think the development of cryptocurrency has really taken it to a new level. Would you mind talking to that a bit and from your perspective, how have you seen ransomware development occur and how frequent are organizations getting hit?

Aviv Grafi  2:25

So as you mentioned, I think ransomware has been around for several years, and that the roots actually, started probably 10 years ago, and before ransomware, we’re all talking about malware, adware, or viruses in the early days of the malicious piece of code. But the reason as you mentioned, why ransomware is so popular, I think that’s mainly two reasons. One is that it gets very easy to produce your own malware and I’ll describe more about that. You can actually find online kits of generating unique malware samples, unique weaponized documents, and it’s gotten very easy for hackers. You can generate your own campaign on a budget of probably less than $100 you can build your own ransomware campaign.

But this is a thing, not what actually brought that to the front page. It’s mostly, as you mentioned, the cryptocurrency rise. As we all know, before, we had anonymous cryptocurrencies. It was pretty hard to get someone to wire something to you because everything can be trackable but I think thanks to that, cryptocurrency rise, it’s now that easy to move from malware that was usually destroying stuff, or maybe if you remember, we had Adware back then about 15 years ago, that were presenting ads and some other stuff on the endpoints, and then stealing data and maybe selling it but now it’s pretty easy to lock everything up and just ask for money, which is virtually untraceable, just got that industry booming.

Chris Glanden  4:10

Yeah, I agree. It was Adware and then you had Scareware. And then it sorts of morphed into this lucrative business for underworld cybercriminals. Although, ransomware operation centers have become quite sophisticated. They have these customer service centers. They have helpdesk support, some really intricate infrastructure.

Aviv Grafi  4:34

Yeah, I would add that those organizations are well organized in a way that they have their IT department. They have their recruiting department. They provide customer service, as you mentioned, you can buy kits for attacking or producing those phishing campaigns. And if you need support you would get that. They’re also providing you if you buy a weaponize document, some of them provide you a warranty. So if you get caught by one of the traditional solutions, they will give you the replacement instead of that document, and all those organizations. And we see, for example, from last week, that it was reported by “Recorded Future” that two Carbanak hackers were responsible for the crime. They were sentenced to about eight years in prison. So they according to that publication, they were stealing more than four and a half million dollars from an organization over two years, using payment cards, using those phishing campaigns that we’re talking about, and this is a big deal. This is actually a business, a sector that is growing in some places in the world, as we all know.

Chris Glanden  5:56

They even have a payment department that can help you understand how to pay in Bitcoin.

Aviv Grafi  6:01

Of course, they would help you to get the money and get their cut out of it. And for them, that is huge.

Chris Glanden  6:10

So there’s a wide array of new variants emerging with criminals getting creative and different ways to gain entry into organizations or even with tactics in order to get organizations to pay. What are some of the more clever ways that you have seen over the past, let’s say one year, that are evading detections and really getting businesses to consider paying the ransom?

Aviv Grafi  6:34

Actually, what I’ve seen in the last few years, especially after establishing Votiro and working specifically on that area is that organizations where they start to receive ransomware, most of them were not very sophisticated. It was mainly generic text, not very targeted from a fake email address. So it was really easy also for some of the technologies out there to block it. It was pretty actually easy for the user to spot it and ignore it but when we saw more and more threat actors actually doing their homework, so they were sending emails with the right text, the right format, so it looks like a genuine email. And okay, so that would be harder for the user to ignore.

But then we see actually on the last, I think that was six months ago, or four months ago, we saw with one of our customers that one of the partners was hacked, a law firm was hacked. And that mailbox after it was hacked. The hacker was just replying to an existing thread. And just saying, okay, the following is our discussion and see the attached file and for the recipient in the company, that financial institution for them, I know that guy. So probably he needs to send me what we talked about in the recent email. So the social engineering gets much more clever. So that’s for sure, that’s one aspect.

The second aspect is actually, that they found ways to evade a lot of the technologies, for example, storing the actual malware of a malicious document on a shared collaboration platform. We see documents shared on OneDrive, SharePoint, Dropbox, and Box. So it’s pretty hard to block those and the fact that users say, okay, that makes sense, because I’m usually working with Dropbox with that partner, makes it even difficult for the user to spot it. So this is some of the techniques and probably the more techniques actually to learn that those user to open those malicious document and as they share, these are legitimate emails and legitimate transactions that lead to that infection ransom inflation.

Chris Glanden  8:50

That’s a great point, rather than training users on one attack vector, say, email. Now, you’re looking at potential infections within the network where a user may feel comfortable with or feel like it is a trusted source. Not always safe!

Aviv Grafi  9:06

Exactly. I mean, as you mentioned, email is definitely accountable for probably most of the malware and ransomware deliveries out there. More than 94%, but we know the hackers trying to find that hole that no one actually is protecting well enough. And for us as the defenders, we need to protect all sources of documents out there. For them, they just need to find one source or document that is not protected enough. So that’s why they move into those attack vectors we did not see years ago, but now we see more and more file-sharing collaboration platforms, and some others as part of their attack chain.

Chris Glanden  9:51

So because the development of ransomware has just been so aggressive over the past few years, the development of cybersecurity toolsets that aim to mitigate this risk has sort of been running in parallel. Although, ransomware still continues to plague the industry, why are organizations still susceptible to attack if there is an investment into end-user training..if there’s an investment into EDR? There doesn’t seem to be a silver bullet.

Aviv Grafi  10:25

Yeah, that’s correct. I think you mentioned training, and phishing awareness, and security awareness. This is definitely something that needs to be in place but it’s just not enough. I mean, we cannot rely on the user. We cannot move the responsibility to users to spot those malicious emails. And if you think about that, even a day after those phishing campaigns, where you might get in some organization, and near-perfect score, just send an email to the entire team and say, “Hi, there was a problem wiring your paycheck, please fill in the attached form”, all of them are going to open that. They just want to do the job; they want to get their paycheck. So I think this is the tension between productivity and security, that we tried to apply security by harming productivity. And this is why this cannot be solved in the traditional ways.

So for the awareness, it should be there but it’s not enough. And for the technology, I would mention that EDR and sandboxing technologies. They all rely on the same thing. They’re trying to find signs or spots for something suspicious going on, but this is a cat and mouse game. We all know that. So that’s why the hackers are faster than us. And as I mentioned, they need only one vulnerability to get to the user and into the network. So I think the problem is that we not addressing that, as you should be. One is, as I mentioned, the productivity and the security tension, that we should find some techniques that allow us to keep productivity, but not compromising security and vice versa. The idea of trying to find the bad stuff just works to some capacity, we all know that EDR is and definitely AVs, and Sandboxes, they cannot catch 90%, not even 80% because of that.

Chris Glanden  12:26

Yeah, you made a great point in that cyber attackers are always ahead of us. And unfortunately, I don’t think it’s a race that will ever win because you not only have the ease of use and accessibility to malware these days, but you also have end users focused on business productivity or complete the compliance checkbox and just not always be cognizant of what threats exist.

Aviv Grafi  12:54

And I’m not blaming them, to be honest.

Chris Glanden  12:57

Right, I think that you have end users complete security awareness training which is a very comprehensive security program too. Although, attackers will take advantage of the human psyche, and in many cases that overrides what those end users have been taught.

Aviv Grafi  13:15

Yeah, I definitely agree with you, I think they want to do the job. As you mentioned, when they are under compliance or phishing awareness training, they are aware that maybe they failed the previous training. So now they will just want to pass that test. And it’s like, getting that driver’s license, but then, not having the seatbelt on. We do know from staff that phishing emails with attachments, the failure rate in that testing and training is much higher than links because attachment seems to be okay, I have it in my hand. This is here, this is in my email client, this is on my phone; I would just open it. I’m not sure what I’m clicking on whether it takes me to a different browser, or something else. And apparently, what we’ve seen is that phishing emails with attachments actually are much more likely to be open than links.

Chris Glanden  14:12

Very true. So most of us are familiar with the Cyber Kill Chain, although, for those that aren’t aware: It’s essentially a series of steps that trace the anatomy of a cyber attack from phase one, which is Recon all the way to Data exfiltration. Where does ransomware fall into the Cyber Kill Chain, and would you be able to explain how it gets to that state?

Aviv Grafi  14:39

Sure, the Cyber Kill Chain, that’s a term that was coined by Lockheed Martin years ago, but they find it actually pretty good and pretty relevant for these days, as well. As for those who are not familiar with it, we’re talking about having those steps of research of the target. And maybe just an example, let’s say that hacker 1 executes an attack on the financial institution. Let’s say one of the banks, and they say, okay, I want to understand who is the bank and now I want to choose that department that I want to target. So let’s say I want to target the department that gets a lot of documents, like HR or recruiting department. So once we have that target, and we move into the organization phase, which means I need to get that malware tied to a deliverable payload. It means I need to get either a Microsoft Office file a weaponized one, or a PDF, or maybe a zip file with something in it. I have to get that into something that I can actually deliver.

And the next thing is actually doing that delivery. And as I mentioned, email is the easiest one, that’s the cheapest one for hackers but it can be also delivered using a file-sharing platform, or even thumb drives. Those old thumb drives that we used to carry. And once this has been delivered, and exploitation has been done means the attachment is being opened. That’s it, the next day is just the malware can be just installed on the target. This is practically game over. And maybe if you have any EDR- you just need to cope with something that is already practically installed. And for that ransomware, the only thing I need to be done is to communicate with the command and control and just encrypt everything, and that’s it. So these are basically those steps for the Kill Chain. And from what we’ve seen the ransomware is actually implementing all those steps, including weaponization and delivery as well.

Chris Glanden  16:37

So Votiro has a unique approach to help prevent ransomware attacks. How does your solution address this issue?

Aviv Grafi  16:46

Yeah, just to give background to the audience, when I started to do my research, it was years ago before establishing Votiro. I found that one technique, as I mentioned, maybe to hack a kind of bank. There is something that’s always working, just sending that weaponized document, and that weaponized document is part of that weaponization and delivery. It’s a mandatory step towards the installation of ransomware. If that step would fail, the ransomware won’t install. Most of the solutions these days are trying to find or stop that malware installation or even encryption, post-installation. I found that’s just too late. If we would focus on weaponization and delivery, that means once every document that goes into the organization, needs to actually be disarmed.

So anything that might be malicious won’t be post-processing, that malware won’t be installed. This is the idea behind Votiro. Not trying to find the bad stuff in a document that goes in. What we know to do is to deconstruct the document and reconstruct it in a safe way. Which means generating a replica, which feels exactly the same as the original but without anything that might be malicious. And by delivering 100%, say files, without the user just to open a new document without the need to think twice.

Chris Glanden  18:21

Got it and this is using what you call Positive Selection Technology.

Aviv Grafi  18:26

That’s correct. So under the hood what we’re doing, let’s say, for example, there is an evil coming with attachment and that’s a word document. And that word document might contain something malicious, let’s say a malicious macro, or something else. By applying positive selection means instead of selecting the negative part of the document, and then trying to exclude it. Most of the solutions out there trying to select the negative parts in documents. This is impossible, because then as we mentioned, hackers are just faster than us. We are actually turning the problem on its head. We’re not looking for the bad stuff. We positively selecting the good parts, selecting only the positive parts. And then by taking all those parts, let’s say we have the word documents, so the text, the links, bookmarks, structure, paragraphs, images, all of it and then reconstructing that to a safe word document, delivering that.. we allow the users to get that one sense of document by doing the selection only for the positive parts.

Chris Glanden  19:34

I love that approach because that’s the point. You aren’t relying on the end-user to be conscious of the threat at that time. They can click away and perform their standard workflows without executing one malicious file.

Aviv Grafi  19:49

Exactly, and it’s not just that. It’s being done in milliseconds because that’s a deterministic approach. It’s not relying on detonating the file. It’s not relying on executing, not relying even on signatures because we know what the positive parts are– we know that text is safe, we know that those paragraphs and images post our reconstruction are safe. So by doing that process, which is done in milliseconds, we allow every file to go in blazing fast, 100% safe and this is for documents. But also, as I mentioned, not just for email, as we’re introducing the solution across the sources of documents, as I mentioned. So let’s say, for example, I shared with you about the OneDrive and SharePoint, all those platforms actually being protected by but you as well, because you get documents traveling into the organization from those and we see more and more usages of web downloads, email, and file sharing.

Chris Glanden  20:51

You mentioned speed, and that’s a crucial component when organizations are performing a product evaluation. Would you be able to highlight the Votiro architecture, and then help us understand how you’re able to keep speed a factor without causing performance impact?

Aviv Grafi  21:09

So Votiro security gateway, a SasS that provides Votiro’s cloud and agentless security for every document that comes into the organization means we can attach the image traffic through Votiro cloud before it hits the corporate email network, either Office 365, or on prem exchange. We can also connect the Votiro cloud service to web downloads, or file-sharing services, without installing a thing on the premise or without installing a thing on the endpoints.

Chris Glanden  21:49

Okay, got it.

Aviv Grafi  21:50

If you think about a document: there is a specification for that document format. So by understanding the document format, reading it, and of course, we’re doing that the customer doesn’t need to know anything about documents. We’re experts here. So by reading the format and extracting the content, pasting it on a clean template, we’re allowing that to be done in milliseconds. There is no need for detonation. That’s how we implemented the basic process.

Now, we implemented that for a variety of file types, and formats, like Office documents, like Word, Excel, PowerPoints, PDFs, but also images and also archives, like zip files, etc. So we know how to do that, and our main solution is offered in SasS So we are hosting that on our cloud, doing that using our resources and the customer, actually, the end-user doesn’t need to know anything. So when the document gets to Votiro, it can be either by email, integration with Office 365, or any other provider, or integrating with the browser or the file-sharing platform. It goes through Votiro first and then in less than a second you land in the user-designated destination without even knowing that you were there.

Chris Glanden  23:10

Yeah, that’s incredible. How about addressing the remote workforce? And also, have you seen an increase in attempted ransomware attacks to those who may be home and more comfortable and possibly more distracted than if they were in the office?

Aviv Grafi  23:26

Yes, the fact that we are deployed before the corporate email traffic, the servers, or the mailbox. We actually protecting from all those emails and file download based attacks. We don’t need to be deployed on the end-user machine, or even we saw an organization that went with bring your own device, and the first month of the COVID, the pandemic. So they were protected as well but one thing I’ve learned also from my personal experience with, you know, running a company, where we all were in it had to work from home for several months, is that there were a lot of distractions. I had the kids running around, and now someone needs to get a file from me. So yeah, hold on a second, and it just opened the laptop send that or maybe replying to someone. And to be honest, it was easier to do mistakes in that way.

So what we’ve seen is that employees were working from home and not always understanding the impact of what they’re doing. So basically, they were used to working in an office so I can just go to your office and say, Chris, regarding the email you just sent me do you really need that? But now I’m working from home. I’m not asking that question and if I have a presentation that I need to watch in two hours, It’s highly reasonable that I will get an email with the presentation for today’s meeting, and I would just open up the presentation because I really have a presentation in two hours. So I think the pandemic actually raised a lot of social engineering opportunities for hackers that did not exist earlier or not as easy as today.

Chris Glanden  25:17

Yeah, I appreciate that approach where you’re safe anywhere. You’re always on the go. Does Votiro offer support for mobile devices?

Aviv Grafi  25:27

So as we work on the corporate infrastructure, we email the web download which is proxied, or anyway, protected by Votiro, if we think about your corporate email which you consume through your phone, all the emails that you read off your phone are already protected.

Chris Glanden  25:45

Awesome. So we spoke about the work from home use case and have really been focused on ransomware throughout this conversation, although I’m curious to know, what other use cases can Votiro help organizations solve?

Aviv Grafi  25:59

One of the things that we see more and more in the last years, and thanks to the digital transformation is we see organization moving their applications to the cloud. Now, if you’re thinking about an application that needs to get content from end-users or phone clients, or for any cloud or any client-facing portal out there, you need to get documents. They used to store those documents for processing on their backend and they used to be file servers in the organization. Back then, we had the AVs/EDRs that we’re running on the file servers and were compliant.

But now when we moved everything to the cloud, now, I might be storing those loan documents that I’m receiving from clients on my AWS S3 buckets or maybe I will be storing those on Azure file storage, Blob storage, and there is nothing protecting those documents at rest. And if the banker or the loan processing department needs to open those documents, those driver license copies, stuff like that, they would open those documents without any protection. And that’s something a lot of organizations are realizing recently. And that’s why we’re seeing more and more demand for mature solutions for Cloud Storage. That’s what we see, and all of those cloud storage services can benefit from Votiro, by providing this on and save documents, and allowing the business, which is the most important thing in those cases, allowing the business just to open any file without the need to think twice. And actually a lot of peace of mind both for ourselves and for the employees.

Chris Glanden  27:49

Yeah, great point. I’m interested to know about your technology partner integration. Are there any key integration points that we should be aware of?

Aviv Grafi  27:59

Yeah, sure. So we have tight integration with other security vendors, like if you are familiar with the, for example, Office 365, which is the email provider. This is one, but also we have tight integration with web-isolation vendors, like Menlo Security, Broadcom Fireglass, and those solutions play well together. So essentially, by integrating with Broadcom Symantec, or with some others, every download can be intercepted and disarmed. When we integrate with a vendor, we provide safe documents right to the desktops and as I mentioned, we have integrations with some email providers, and also file-sharing platforms like Box and SharePoint.

Chris Glanden  28:45

You mentioned Office 365, you know, a lot of organizations are making the push to go strictly Office 365 so having that integration is crucial.

Aviv Grafi  28:55

Yeah and I think our customers understand that also. We’ve seen that trend where enterprises, I mean, it’s unbelievable, but it was less than two years ago that huge enterprises, the top banks in the country, they were asking for having some of the solutions on their premises back then. Now, as part of the pandemic, they are struggling to spin up new servers. Everyone is moving to the cloud. They don’t want to maintain any exchange servers. They want within any security solution on the premise. So we saw a huge spike in our cloud service.

Chris Glanden  29:30

One aspect I’d like to bring up are industries such as healthcare, where not only are there are critical legacy applications in place but the elevated impact if one of those systems were to be compromised, it may not be data at risk, it may be someone’s lifeline at risk. Will the Votiro platform address those organizations with critical infrastructure that may hold assets that extend way beyond data and if so what is the approach?

Aviv Grafi  30:02

I think that the critical infrastructure piece is relevant for more and more sectors these days, but mostly healthcare, as you mentioned, where they’re relying on a lot of document traffic coming in. If you think about healthcare organizations, they get tons of doctor reports, and sending the documents from even insurance companies, getting those documents from their clients, from their partners, from hospitals from clinics. They cannot afford ransomware because that effectively is affecting the business, but also the reputation. And as you mentioned, it’s not like having a company that is not dealing with documents coming in. This is something we see more and more and, as those third-party risk based organizations, like as I mentioned, healthcare, those are organizations that most would benefit from solutions like Votiro.

Now, what we’ve seen, so we have a cloud solution, some of them actually asking us to deploy new or their cloud or, even on premise. Sometimes the use cases are very unique. If you have a legacy File Transfer Protocol, this is something that sometimes we provide the solution for that as well. A lot of those organizations, they’re relying on those 20 or 30 year old data transfer protocols. Some of them are FTP, FTPS but some of them relying on Managed File Transfers. And for them, they cannot change that mechanism, because changing that will affect all their partners, but they have to put something on it. That’s what we see a lot of healthcare companies protecting their legacy source of documents, by applying Votiro, and to be honest, some of it using our SaaS, and we understand that, and we are deploying that on their cloud.

Chris Glanden  32:07

I see. How about an environment with an air gapped network, or maybe a hybrid environment where a lab is air gapped, although files can still enter and get run locally, on an off-network device?

Aviv Grafi  32:22

We usually see that kind of deployments in governments or in manufacturing infrastructures. The solution that we recommend to our customers is to deploy Votiro’s Secure File Gateway. So every document, every file that comes into the internal segregated network has to go through Votiro secure file gateway, which has one [leg] on the outside interface saying, if you want to get a document in, it has to be processed by Votiro. And of course, once it’s cleansed and approved. It is routed to the internal network. So that’s an automatic system. So every file, for example, lands in a specific folder, or being consumed from a specific source is being processed and then being shared into the internal server. This is usually the architecture. We have seen less USB, thumb drive-based deployments. To be honest, we’re seeing less usage of that. I don’t think that in five or ten years from now, we still carry these.

Chris Glanden  33:29

Yeah, it’s protection from all angles. So you are based in Israel, where hopefully the pandemic is in its final phase as it is here in the US. After a long day of combating the threat of cybercrime. Are there any cool bars you go to or would recommend us to go to?

Aviv Grafi  33:51

Yeah, I think two places that I would say, in Tel Aviv if someone coming to visit here I would recommend. One is a cool wine place called Tasting room, which allows you with the automatic kind of dispense of wine with plenty of great Israelian and also foreign wines, like red and white wines. I would definitely recommend it, and this is in the Sarona markets area in Tel Aviv. The second place probably I would recommend that cool bar restaurants with plenty of draught beers called PORTER & SONS, also in Tel Aviv. I would think that those two places, one for the wine lovers and the second one for the beer addicts are great choices.

Chris Glanden  34:46

Nice! Well, I’m making a hit list of bars mentioned on the show that I’d like to go to and this one’s definitely on that list. So I just heard “Last Call” here. Do you have time for one more?

Aviv Grafi  34:54

Sure.

Chris Glanden  34:56

If you open a cybersecurity-themed bar, what would the name be and what would your signature drink be called?

Aviv Grafi  35:01

Hopefully, I would do that before retirement. The name of the bar will be “Localhost”. I think I would choose that name. And as this is our home so I would call it “Localhost” and probably the signature drink, I will call it the “Root” drink. If all of us want to get that root access, want to protect that, then this is the best thing that we can have. So come to the Localhost and ask for the Root drink, I think that’d be the best.

Chris Glanden  35:40

Nice. So I like that angle. Number one, for those that need to find it. What will be the address of Localhost?

Aviv Grafi  35:47

Oh, so I mean, that will be pretty easy. It’s 127.0.0.1…. but street?

Chris Glanden  35:57

Oh, undisclosed street, is not really needed in order to find it!

Aviv Grafi  36:01

Exactly.

Chris Glanden  36:02

And then secondly, root access. It’s what the attackers or the bar patrons are after.

Aviv Grafi  36:08

Exactly, you got to the Localhost and now you want root access, that’s exactly.

Chris Glanden  36:13

Perfect, man. Hey, I want to mention to our audience that BarCode will be hosting an interactive webinar with Votiro, July 13, at 1 pm eastern. I’ll get the registration link up on the BarCode website. And you can register to ask questions, we can get into a more of a technical deep dive if you want. So I’m really looking forward to that. Hey, thanks, Aviv. I really appreciate you joining me today and sharing your knowledge. Stay safe. We’ll see you soon.

Aviv Grafi  36:39

Great. Thank you very much, Chris, for hosting me. It was a pleasure speaking with you today and I look forward to our next call.