Get to know Intezer’s community manager, Shaul Holtzman. Shaul is a former cybersecurity analyst helping organizations detect and classify advanced cyber threats.
1. When did you start working at Intezer?
I joined Intezer in April 2018. I had heard about the company when it was founded in 2015. I knew of the founders, specifically Itai Tevet [CEO] from the Israel Defense Force (IDF). I was familiar with the initial team and learned about the technology, identifying code reuse among software to detect malicious threats and reduce false positives. The ability to automate malware analysis and classification, when security teams are flooded with a high volume of daily alerts, sounded truly revolutionary to me and I wanted to be a part of it.
2. How did you get started in cybersecurity?
My initial training began in the army with the Israel Defense Force. I was enrolled in an IT course and I enjoyed learning about the subject matter. Several months later a cyber defenders course was founded in the army and my commander assigned me to be one of the instructors. I became an officer about one year later and I was responsible for developing the curriculum and training for the next two years.
The training I received in the army gave me a comprehensive knowledge of the cyber threat landscape, methodologies and defense strategies. Having the IT background was also important for me to understand security. Learning how a network is built and how different endpoints communicate helped me understand the vulnerable points where attackers can infiltrate and what they can exploit.
After my time at the army I became a cyber analyst at Verint, providing endpoint and incident response training for customers in Israel and abroad. I also supported the SOC team for their higher level investigations.
3. How do you apply your previous experience to the work you perform at Intezer?
Most importantly I am able to talk to present and potential customers to understand their current security infrastructures. We discuss the gaps they have in their malware investigations – whether it is dealing with a high volume of alerts, generating too many false positives or dealing with in-memory or fileless threats. I try to understand where our solution can address these challenges. You can have the best technology in the world but if the solution is not implemented properly or if it is not being used correctly it will not provide value. Having a diverse knowledge of security systems and methodologies is an important part of my job.
4. In your opinion, what is the most valuable feature Intezer Analyze offers?
In speaking with Intezer Analyze community users they have mentioned the advantages of identifying code reuse particularly when they have a file that does not have a signature or when sandboxes do not detect the malicious file. In my opinion, Intezer Analyze is the best tool for detecting and classifying unknown cyber threats.
When other methods fail it is so important to check the binary code. Our product gives users the capabilities of a full fledged reverse engineer. Identifying code that was used in previous attacks can tell you a lot about the threat – is it a potentially unwanted program (PUP), ransomware, trojan or adware? Many tools do not provide classification of malware. SOC and incident response teams need to understand what type of threats they are dealing with because it will affect how they prioritize alerts and tailor their response.
5. What are your near and long term goals for the community?
In the short term I want users to have more visibility into what is happening in the community. We recently started a newsletter and I have been publishing monthly blog posts where I highlight interesting samples uploaded to the community. In March users detected threats from cyber espionage groups Leviathan and OceanLotus (APT32). Another user detected a malware from Group 123 (APT37), an APT believed to work on behalf of the North Korean government.
In the long term I would like to see the community become more personalized. For users to be able to create their own profiles, collaborate with one another and to be able to vote and comment on shared analyses. I would like to highlight top users based on engagement criteria such as the quantity of uploads. It is all about fostering collaboration and encouraging users to share more information about the analyses they receive. I see today users sharing their analyses on social media but I think it can reach a much larger scale.
6. Are there any interesting features that people may not know about the community?
The API! Many people are unaware that they can create their own automated tools using the community API. For example, users can create cluster graphs to demonstrate code reuse connections between malware samples: https://github.com/intezer/analyze-sdk
A few weeks ago we released our new Endpoint Analysis solution. In addition to file analysis, community users can scan the code running in their machine’s memory to detect advanced in-memory threats.
7. You recently spoke on a panel at Fintech Week. Can you tell us more about it?
The title of the panel was “The Evolution of the Financial Cyber Threat.” Cyber threats to the financial services sector are advanced, fast paced and evolving. This industry is a lucrative target because of the money involved. It is easier to create a banking malware as opposed to robbing a bank because cybercriminals do not need access to the bank’s funds. Instead they can steal the identity of a user and then transfer the money to their own account.
Identifying code reuse is so important. Once you have detected and indexed an attacker’s code, even if he or she employs small portions of the code again defenders will be able to detect any future variant of the malware.
We have many financial services clients who deal with a variety of malware. A good example of that is Emotet, one of the most common banking trojans being used by attackers. Emotet is considered a polymorphic threat, which means it has the ability to change its composition in order to avoid signature-based detection. Surprisingly, what you find out when you analyze Emotet with Intezer Analyze is that its underlying code has barely changed since its inception. What typically changes is the packing mechanism that is used to hide the code from static engines. Intezer Analyze has the capabilities to statically or dynamically unpack a file, to detect advanced threats like Emotet.
With Genetic Malware Analysis technology we force the attacker to spend time rewriting the malware, which deeply hurts his or her ROI and makes the attack less likely. We want adversaries to make the difficult, inconvenient choices.
8. What do you enjoy most about being at Intezer?
The people are by far the best part about working at Intezer. Every new employee is talented and professional, but also very humble. It is fun to speak with them, work with them, eat lunch together. We have a lot of fun team outings as well. It really does feel like I am part of a family here.
The technology also plays a big part. It is rare to be able to work in cybersecurity and not feel like you are selling nonsense. It is a congested industry and many products and solutions are similar. Intezer is the only company applying the concept of code reuse at scale. As a former cyber analyst what really excites me about the technology is the threat intelligence component. Not only do we classify malicious files to their relevant malware families but we can tell you information about the threat actor behind the attack and the level of sophistication. I believe Genetic Malware Analysis technology has the potential to change the future of malware detection and analysis.
9. What activities do you enjoy outside of work?
I watch a lot of TV. I enjoy spending time with friends and watching Netflix. Rick and Morty, The Office, Brooklyn 99. I try a lot of new shows. I am also very excited that Game of Thrones is back!
Shaul on a recent trip to Mexico.
For more information about the Intezer Analyze community, please visit http://intezer.com/intezer-analyze/.
Intezer is hiring! To view the current job openings, please visit http://intezer.com/careers/.