No one wants their company’s business to be hacked. And yet, hundreds of Fortune 500 firms pay Reuven Aronashvili and his Herzliya-based CYE to break into their presumably secure servers.

CYE is based on the “red team” expertise Aronashvili developed in the Israel Defense Forces, where he established the army’s center for encryption and cybersecurity.

So-called red teams hack into computers to find vulnerabilities. Blue teams, by contrast, defend a company’s infrastructure once an attack is identified.

CYE – it stands for “cyber-eye” but is pronounced simply “sigh” –was established in 2012 and employs 70 “ethical hackers” using its proprietary software, Hyver. (Total company headcount is close to 100.)

CYE’s offices in Herzliya. Photo courtesy of CYE

 It can take a CYE red team anywhere between three minutes and three weeks to take complete control of an organization.

“Our approach is to be as realistic as possible,” Aronashvili tells ISRAEL21c. “We don’t ask you to white-list us. We mimic the enemy without making you feel the consequences. If you’re a bank, we’ll transfer $100 million from your account to ours to demonstrate that it’s possible not just theoretically.”

Bank clients shouldn’t worry: CYE always returns the money.

Vulnerabilities usually occur when a software misconfiguration opens an accidental door that should be shut. “Or someone just forgot something,” Aronashvili says.

Once CYE is in, the red team works with its clients to build defenses the organization can use to ensure the same attack won’t happen with real hackers.

Multiple vulnerabilities

Hackers often play the long game. Criminals could break into a company’s network months or even years earlier.

“If information gets stolen and published on the Dark Net, this is a very bad situation. We work hard to ensure that time to respond is minimal,” Aronashvili notes.

Not everything can be defended against simultaneously, so Hyver recommends how a company can prioritize its actions.

CYE doesn’t do the hacker-proofing for its clients but does work with their IT teams to mitigate the problems.

“Let’s say we’ve found 50 different vulnerabilities in your organization,” Aronashvili says. “We know that in your budget you can’t address more than 10. So, we determine which are the most important. We build an ‘attack graph’ and search for the bottlenecks, the places hackers have to go through, and those will be the first items we’ll disconnect.”

Even large organizations don’t have the time and staff to fix everything. Aronashvili estimates that about between 20% to 50% of vulnerabilities identified will be rectified.

VIP customers identified

CYE has clients of varying sizes, although most are large multinationals. Understandably, Aronashviliis not at liberty to name them.

He did share that at one large bank, CYE’s red team was able to identify customers including prominent royal families, prime ministers and other VIPs. Then they extracted contracts, patents and intellectual property.

“We removed their names and just used their client ID number, then we showed how we could breach the privacy of those VIPs.”

Had this hack been real, it would have been a disaster – as it was for Shirbit, a prominent Israeli insurance company that was hacked in December 2020. The hackers held Shirbit’s client data ransom. Shirbit refused to pay and the Israel National Cyber Directorate advised victims of the hack to apply for new identity cards and driver’s licenses.

The Shirbit hack was relatively simple, Aronashvili says. Another recent and well-publicized breach –SolarWinds, a company that builds software for computers – was more sophisticated and involved tapping into a backdoor that allowed hackers into any organization that used SolarWinds’ IT management tools. Around 18,000 SolarWinds customers installed the tainted software update.

“The initial foothold could not have been prevented,” Aronashvili admits.

“We assume that any vendor can be compromised, then we evaluate the consequences. Even if the first leg is compromised, we can make sure the impact you feel as an organization is minimized.”

Hyver uses predictive analytics to calculate risk and determine where the next attack is likely to occur. Vulnerabilities are shown on a map of a company’s servers and access points.

Other hacks-for-good that CYE has been involved with: Gaining access to a large municipality’s electricity gid; manipulating sensitive systems inside a major hospital; overriding the temperature settings of a chocolate manufacturer; and shutting off the refrigeration in a global pharmaceutical producer.

The latter is of particular concern these days as the Pfizer and Moderna Covid-19 vaccines must be stored at very cold temperatures.

$100m investment

Cyberattacks have been on the rise during the Covid-19 crisis.

“A lot of people are bored sitting at home and are starting to play with things,” Aronashvili says. “It’s very easy to go to the Dark Net, pay $20 and have a fully equipped attack capability or to hire ransomware-as-a-service.”

This ominous trend represents an excellent opportunity for CYE’s red team to embark on more extreme adventures in hacking.

CYE’s management team, with founder and CEO Reuven Aronashvili second from left. Photo courtesy of CYE

CYE has annual revenue of some $100 million, and recently raised $100 million in a round led by global investment firm EQT. The financing included existing investor 83North.

For the first half-decade of the company’s existence, it was a manual operation; CYE’s Hyver launched in 2018, introducing a hybrid human-software approach.

“With all due respect to technology, it’s still not at the level of the human brain,” Aronashvili points out.

Getting hacked – even if you’ve asked for it – doesn’t come cheap.

“We have a very expensive premium, almost 10 times more than other defense products,” Aronashvili says.

Prices for CYE’s subscription-based business range from tens of thousands to millions of dollars. That hasn’t stopped several hundred Fortune 500 organizations and governments – sometimes while they’re already under attack – from turning to the company.

“A company CEO should assume that at some point in an organization’s life it will be attacked, its suppliers will be attacked, and its employees will be exposed,” Aronashviliconcludes.

For more information, click here