Lavy Shtokhamer is a busy man. As the executive director of the Israel National Computer Emergency Response Team (CERT), he monitors the operation of the ever-active cyber- hotline which was launched last year. The revamp of Cybernet, Israel’s cyber-security social network that has broadened its ambit from national security organisations to CISOs of major businesses and organisations, is on-going.
Shtokhamer’s typical work day starts with scanning the overnight security news and in-house updates at 5.30 am, sometimes as early as 3 am if his toddler decides to wake him up. He later heads to the National CERT base at Beersheba, where he meets with the executives manning the individual subdivisions of the organisation, such as financial, telecom and transportation CERTs. Daily assessments happen over internal and external threats and the defence posture, decisions are taken and alerts are issued if necessary.
Factor in the irregular press, diplomatic and stakeholder visits, and the work extends up to 8 pm. The ever-alert nature of the role was evident in his firm posture, as he sat on the couch in the Tel Aviv hotel lobby in semi-formal attire for an interview with SC Media UK, his boyish smile doing a good job at hiding the fact that this jovial person used to be the commander of a special unit in the Israeli army.
The IL-CERT, which operates under the Israel National Cyber Directorate, calls itself “an unaffiliated and professional organisation” that acts as a civilian centre to tackle cyber-security issues, though for practical purposes it is the eyes and ears of its stakeholders -- the Israeli government, players in Israel’s industry and economy, and the cyber-vigil organisations of its allies.
“I think we're in a stage where I can say that we are one of the most attacked countries in the world,” he said.“This is what brings us to have to invest in cyber-security, in the innovative part of cyber-security. It is one of our main engines that accelerates new initiatives to invest in Israel.”
Establishing individual CERTs and an apex organisation to control them was a necessity, explained Shtokhamer.
The need for subdivisions is demonstrated by the fact that the most frequent cyber-attacks happen on the financial sector, which Shtokhamer equates to nation-state attacks.
“This (sectoral CERTs) enables us to be much more focused in meeting threats and engagement. And on a wider scope, we have an additional section for international cooperation, where anything wrong is alerted by other organisations.”
Hacker groups usually start by targeting the financial sector, gain funds to structure their operations and then go for targeted attacks on a nation-state level, he explained. All these call for coordinated action between countries, a reason for establishing Cybernet.
“The ‘bad guys’ are doing amazing coordination between one another. They share threats, TTPs (tactics, techniques and procedures) and tools. Similar to that, the ‘good guys’ need, and are also doing in some way, the collaboration of their defence units,” he pointed out.
Cybernet, the social media platform to engage the private sector, the public sector, and government security operations, share threats, ideas and IoCs (indicators of compromise) on an immediate basis, Shtokhamer explained.
Yigal Unna, director general of the Israel National Cyber Directorate, under which the National CERT operates, dismisses the notion that Cybernet is a Facebook for infosecurity decision-makers.
“You're not going to be as fast or faster than the adversaries. We need a special form of infiltrating system,” he told delegates at Cybertech Global in Tel Aviv.
“It's something where we distribute IoCs and even patches directly to our members, 1400 of them.” The newly revamped project is on a pilot phase and Israel plans to launch an international Cybernet “in a couple of months”, he added.
According to Shtokhamer, Cybernet facilitates the cooperation of more than 80 security organisations across the world. However, he is careful not to mention which allies of Israel are involved in its security initiatives.
Manning such a large operation is a great challenge. Shtokhamer ranks Israeli army as “the most important resource for human capital in the cyber-security sphere”. It was evident from the rota of the CXOs of the Israeli cyber-security companies that virtually all went through mandatory military training. Even non-tech combat soldiers are selected and given cyber-security training under the auspices of the Israel National Cyber Directorate, and are later employed in the industry.
All these policies have resulted in quick implementation and execution of projects such as the 119 call-in number to the Computer Emergency Response Centre, where anyone can alert the centre about a possible cyber-situation.
The CERT made more than 3,000 calls to the companies affected by the Pulse Secure VPN flaw. A similar action was taken against the the Citrix ADC (NetScaler) CVE-2019-19781 vulnerability, mitigating its reach and effect, said Shtokhamer.
About 20 percent of the information was deemed serious and attacks were nipped in the bud, Shtokhamer explained at the CERT nerve centre in Beersheba later, taking the delegates around the facility with the pride of a school prefect showing guests around his school.
“We do get calls about an alien in the backyard or about an air conditioner trying to kill them,” he added with a smile.