Analysis

Lessons Learned: Three Israeli cyber experts offer their hot takes on the Shirbit hack

After the crushing hack of Israel-based insurance firm Shirbit, executives from Guardicore, BDO Global, and MonsterCloud share some industry insights

James Spiro 19:28 10.12.20

Last week, an Israeli insurance firm was hacked by a group calling itself the Black Shadow. A message posted by the hackers on Telegram demanded a ransom of 50 Bitcoins, worth roughly a million dollars, or the group would leak sensitive information to the public. However, that was just the start of the story.

 

The cyberattack on the Israeli insurance company has left the organization’s ego battered and bruised as it admits its data was stolen and its poorly judged negotiation efforts were all in vain. The cybersecurity community has been following the week’s case almost as a textbook example of what not to do. CTech spoke with executives from three cybersecurity firms - Guardicore, BDO Global, and MonsterCloud - to find out what the heck happened to Shirbit.

 

The cyberattack on the Israeli insurance company has left the organization’s ego battered and bruised. Photo: Shutterstock

 

Communication and Response

 

One of the main criticisms that the companies mentioned was the fact that Shirbit attempted to fix the problem of the hack internally, without turning to a third-party professional.

 

“It was quite obvious that the management of the situation in the early stages was ad hoc and not well prepared,” said Ophir Zilbiger, who heads BDO Global’s Cyber Security Center. “There are ways to reduce the chance of a cyber breach happening, but once it happens, the company’s management needs to be better prepared.”

 

According to those close to the matter, management at Shirbit sent out an SMS message to their clients saying that they had experienced a cyber breach and some data had leaked out. However, they claimed it wouldn’t harm anyone. “It was obvious a few hours later that the text message was inaccurate,” Zilbiger said.

 

Meanwhile, Shirbit was acting behind the scenes, without assistance, trying to mitigate the damage they knew had already been done. “They tried to solve it internally, but that proved to be a complete disaster,” explained MonsterCloud CEO Zohar Pinhasi. “Those criminals (the hackers, a group calling itself the Black Shadow) posted the transcripts online, which I’ve never seen happen. It’s extremely rare that the criminal will post transcripts of conversations between him and the victim.”

If the attempt to communicate with the criminal was to try to avoid the ransom, it would prove to be disastrous for their reputation. “It is a recommendation of law enforcement agencies and security organizations that victims not negotiate with their attacker and not pay a ransom,” said Guardicore’s VP of Business Development Sharon Besser.

 

“If you don’t know what you’re doing, you should have negotiators,” said Pinhasi, who compared it to the kidnapping of a child. “You’re invested in that problem.”

 

Regulation… or lack thereof

 

One of the biggest flaws in Shirbit’s system was leaving themselves open to being hacked in the first place. “Shirbit is a regulated entity, and therefore there are a couple of regulatory issues they should adhere to,” explained Besser, highlighting conventional requirements such as compliance, software and hardware updates, and more. “It looks like some of the things they should have done were not performed properly.”

 

Shirbit’s regulations fall in the same category as Israel’s banking industry. “The banking industry is extremely obedient in terms of compliance,” explains Zilbiger. “Any regulation the Bank of Israel throws at them, they take it seriously and it’s done without a lot of arguments… The insurance industry, as part of the financial sector in Israel, is less compliant and obedient.”

 

When any entity, regardless of scale or sector, fails to keep up with the regulations issued to it, its vulnerabilities become a ticking time bomb. Criminals are looking for a quick and easy way to make a buck, and the regulations are designed to make it harder for hackers to penetrate networks and steal classified information.

 

“It’s like a lion chasing you. You don’t need to run faster than the lion, just faster than the other animal that will get caught before you,” Besser says.

 

What next?

 

No one knows the extent of the damage caused by the criminals and the impact it will have on Shirbit. While some say that this is the end of Shirbit as a reputable insurance company, they don’t seem too concerned about it. “Believe it or not, the public has a very short memory, and those insurance companies recover dramatically and very quickly,” said Pinhasi.

 

“We have seen examples in the past of companies that once impacted have gone out of business,” Zilbiger recalls. “It’s rare but it happens. I cannot speak to Shirbit’s stability or to the overall impact of this incident. I think it is going to have a serious impact on their financials, but I don’t know to what extent.”

 

The biggest lesson that all of the experts shared with CTech related to education, on both the industry and managerial sides, as a way to prevent future attacks while recovering from a terrible breach that left wallets and egos bruised. “It’s great to have it all with files and software, but at the end of the day, to protect a network it all comes to knowledge. Investing in knowledge is better than investing in fancy hardware,” Pinhasi said.

 

One main way to ensure companies like Shirbit can recover is to admit their errors and continue forward with humility and transparency. That may mean paying off the ransom, or the legal bills of the breach, or even paying for a third party to intervene and take the reins going forward.

 

“Shirbit could actually emerge from this incident, like the Phoenix from the ashes, and rise again to become more powerful. I don’t know, it doesn’t sound too common in Israel to take responsibility and provide full disclosure,” Besser admits.