Lavy Shtokhamer is the former head of Israel’s National CERT and Executive Director at the Israel National Cyber Directorate. He previously founded the Financial Cyber & Continuity Center at the Israeli CERT.
Our friends at The Record talked with Shtokhamer about lessons learned at CERT. The conversation has been lightly edited for length and clarity.
TR: You recently stepped down as executive director of Israel’s National CERT. Which measures or initiatives did you take while at Israel’s CERT that you’re most proud of or were the most impactful?
LS: There have been a lot of things we’ve done the last couple of years. I think one of the most important ones was establishing our national information sharing platform. After a few months it became our immune platform—it would help immunize entire organizations in Israel by having a full API for indicators. That’s how we had the possibility, for example, to share indicators by the click of a button, to share it to an API and have it received by monitoring and patching systems in less than a second. In addition to that, we established some new sectorial CERTs. I was the founder of the financial CERT, we have an energy CERT, we just established a telecom CERT, we have a military CERT that we’re going to announce a few weeks from now, as well as a few others.
TR: How did you come up with the API initiative? Was that something that you saw other organizations do?
LS: Eventually we just needed this system to be established. We understood that our alerts and publications weren’t enough, because the maturity of the organizations we worked with in some cases… the chief information security officer doesn’t know how to deal with those kinds of indicators. In some cases, the CISO is changing all the time, some organizations don’t invest in cybersecurity but invest in threat intelligence. We had to build an infrastructure to be able to share indicators with entire sectors in a short amount of time. I think it came from the need to be fast—to be faster than the attacker—and just regular section alerts and publications weren’t enough. And most of it came from the WannaCry experience. We got the indicator from a relevant company and we were able to share it in a short amount of time. And then we brought in insights from our customers, who needed efficient government technology—a state of the art technology—with the right features. So, for example, the feature of anonymous sharing: there is an option for all the companies to share information anonymously with one another. And so there are no limitations, in order to keep the trust. There are a few other important features, like the automation feature within the system. Each and every feature came from customer pain, basically.
TR: I read about how Israel’s CERT could receive more than 100 calls a day from cybersecurity victims. Is that normal? And how did you make sure that all of these incidents were properly investigated?
LS: In general, I think especially nowadays, with what’s happened across the globe, we must understand that cybersecurity is very similar to the physical world. We’re dealing with COVID-19 in the cyber domain, and it’s very similar to how we’re dealing with it in the physical world—containing it, identifying it, scanning the infrastructure. Regarding the number of calls, yeah, there are more than 100 phone calls a day and requests for help. Not all of them are related to pure cybersecurity or demand any kind of action. There were many calls asking for additional information and questions for the CERT, but there are also calls regarding new incidents, and we built an algorithm that says basically what response is needed—do we provide help remotely, do we need to initiate boots on the ground and activate the incident response team. This is the mechanism that we built on a very advanced ticketing system and orchestration for all the other parts of investigation.
TR: As the director, did you ever wish that there were policies because maybe you got pushback from organizations or they didn’t want to collaborate?
LS: Across the world there must be a guideline and policy for the cybersecurity domain. This is I think crucial, and I think the policy should be similar across all the countries. We need global standards for these kinds of situations. So definitely, there is a need for bold guidelines for all organizations and governments.
TR: What do you think those guidelines should look like?
LS: I think the guidelines should relay all of the concepts that I mentioned earlier—to have the option to do everything so that other companies are not hit from the same incidents. Not only providing help to specific compromised organizations but providing help in order to keep all the others from getting compromised. You see that with the recent SolarWinds incident—thousands of big companies and government organizations are affected. So this is the concept needed—to be able to contain a compromise in order to keep all the others safe.
TR: Do you think cyber defense is easier for the Israeli government, because the country has so many cybersecurity companies and a strong talent pool of cybersecurity professionals?
LS: Yes, it definitely helped. I think Israel is a hub of cybersecurity professionals who really help one another. It’s crazy to see the distance between what happened in Israel and other countries because every second guy within this industry is coming from a special unit within the army that got hands-on experience for three or four years and had access to top edge technology. It’s crazy, and you see that most of the veterans nowadays go and build their own startups, because nothing else excites them afterwards. And they have the options—I think this quarter was the biggest quarter in history for investment in Israeli cybersecurity companies. Something like 40% of the global investment in cybersecurity was in Israel. It’s been crazy what has happened to this industry in the last couple of years.
TR: What surprised you the most during your role at Israel’s CERT?
LS: I think the amount of attacks that I was exposed to was huge. And then to see how each and every organization dealt with incidents. How they referred crucial vulnerabilities, other incidents that they suffered, how the cybersecurity guys handled it and how the C-level referred to it. I like to say it’s too expensive to not invest in incident response. It’s from a Hebrew expression. It will cost you a whole lot of money when you’re dealing with an attack—you have to bring in one company, then another, then another. You’re eventually going to lose a lot of money… A cheap incident response costs a lot.
TR: Incidents like WannaCry?
LS: Yeah, WannaCry, and a lot of other incidents that can spread across the world that come from things like supply chain attacks. The supply chains are becoming a regular question for cybersecurity teams, but there’s still not enough invested in protecting the supply chain. I don’t know if eventually we’re going to be able to identify and be able to mitigate risk from all the supply chains because it’s an endless game and you can’t be the CISO of all the other companies that you’ve worked with.
TR: Do you think that’s the most serious threat right now?
“I think the craziest incidents were the incidents that were like epidemics and spread around a lot of companies in a short amount of time. It made us understand that we must recognize the specific hub of the incident—where it’s spreading from.”
LS: The supply chain is basically an attack vector, so it could be used to deliver something also serious, like ransomware. That attack vector that comes from the supply chain I think is the most crucial, because it could bypass almost all the security technology and measurements that an organization implements. If phishing ransomware comes through email and you have the right mitigation, you can deal with it. If an attack comes through the supply chain, I think in some cases it’s bulletproof. So yeah, it’s the most crucial vector even for big, strong, and secure organizations.
TR: What government partnerships were the most critical to your success at Israel’s CERT?
LS: I think the most crucial partnership was with the private sector, actually. Building trust with the private sector I think was the most important thing to do in general within a CERT because all the other parties don’t have the whole picture. The company has the big picture eventually. And if you manage to build trust, eventually they will share insights with you and share what happened within the organization in order for you to take it, explore it, and share it with all the other companies. I think that is eventually the main role of a CERT. All the other vendors have their many agendas for this relationship—we are without an agenda, we are objective about it.
Nowadays, there’s a very open discussion with vendors across the world. Vendors are more and more open to talk with the government and with other vendors about information sharing. It’s becoming a real open community, with everyone getting faster at information sharing and actionable intelligence.
TR: What is a big threat that you don’t think companies are prepared for?
LS: Lack of talent—it’s always true, but in recent months I’ve seen on LinkedIn a lot of CISO positions for many companies that haven’t dealt with cybersecurity until now.
TR: Why do you think there’s a skills gap? Cybersecurity is a high paying job.
LS: I think there’s still a huge difference between what we thought we would need for cybersecurity and what we actually need right now. I’m seeing many companies that didn’t invest in cybersecurity until now; they have chief information officers that act as CISOs, outsource all their services, and only really focus on compliance so they can continue working with their own customers. It’s not enough to have state of the art technology. You need to know how to maintain, upgrade, and build an operation around it. I think there are a lot of people who want to learn cybersecurity, but there are still many more positions that need to be filled.
This conversation has been edited for length and clarity. The full interview is at The Record.