Cyber Intelligence From the Deep Web - A Rare Interview with SenseCy CEO Gadi Aviran
Gadi Aviran is a man of many talents. Formerly the head of the technical intelligence analysis desk at the IDF (Israel Defense Forces), Aviran has been involved in technical terror intelligence analysis for over a decade, serving as one of Israel's leading authorities in the field of Explosive Ordnance Disposal (EOD) and in the disposal of Improvised Explosive Devices (IEDs). Since his retirement from the military, Aviran has founded a number of companies that all deal with different aspects of OSINT/WEBINT intelligence, including SenseCy, where he currently serves as CEO. In this rare interview he talks about cyber intelligence from the detective's perspective, and explains why successful cyber intelligence can never be done by machines only.
vpnMentor: Please tell us about your personal background and the companies you're involved in.
Let's not start in the Middle Ages; we'll start when I got out of the military and founded a company which ended up being Terrogence in 2004. Terrogence took it upon itself to look for intelligence in the open web, but using a different methodology than what most of the companies out there are doing. Normally, a company would set up crawlers to collect all the data they can, and then look through the data to find those pieces of information that are important for them, but like looking for a needle in a haystack, it's a long and insufficient process.
At Terrogence, we decided to answer questions instead, meaning, we ask our clients what kind of information they are interested in, and use assumed identities or 'virtual HUMINT' in order to penetrate and infiltrate closed areas within the web to find the answers.
As time went by, we developed our own technology, which supports us very much in doing what we do. We incorporated a new technological company called "Webintpro", which provides software solutions for intelligence gathering, while Terrogence remained a service provider.
About 5 years ago we started receiving requests from customers, asking about threats in the cyber domain, and that's when we started dealing with cyber security. We changed our name to SenseCy about 2 years ago due to market responses to the word 'Terrogence', bearing in mind that the market is mainly civilian.
vpnMentor: So what can you tell us about the work of SenseCy?
SenseCy is an interesting creature. It's very focused on the customers, providing them insights from dark and distant parts of the web. In order to do that we look into their DNA and see who's talking about them, who's selling their information, who's interested in their domain, their software and their personal activities, and that gives us a very unique perspective. There are only about 5-10 companies in the world that actually do what we do, so it's a very interesting and very challenging business to be in.
We have been operating in the cyber domain for the past 5 years, offering very unique capabilities which attract the attention of potential customers and partners. We represent a very narrow and interesting niche in the cyber protection arena. As you know, the industry has gone through a whole set of changes, but at the end of the day the answers are not sufficient; what people are interested in is not how dangerous the web is as a whole, but what are the dangers FOR THEM?
For example, if someone is interested in buying emails of your c-level personnel, or shows specific interest in your company in order to obtain information or funds from and about the company, it’s a dangerous situation for everyone involved. This is what we call a personalized threat, and if you were a target, you'd definitely want to know about it.
vpnMentor: One of the ways you do this is by operating virtual entities. Can you elaborate?
We employ virtual HUMINT that does not rely on anything or anyone alive, meaning we don't call ourselves by the names of real people and we don't assume the identities of real people. We create people from scratch, a legend which we use to establish presence within areas where we'd like to be present.
We started 10 years ago with counter terrorism but now, with SenseCy, we have moved on to the cyber domain and we have entities who are participating in the exchange of information in very dark and exclusive places which are not mapped by Google. In fact, they don't really exist according to Google. The only way you can be part of that is by participating and contributing to discussions. Of course, we do not contribute any information about our customers, but it allows us to see what kinds of discussions are taking place, and in some cases to buy information and malware, which we later analyze to see if and how they affect our customers.
vpnMentor: One might argue that your work is a threat to personal privacy. How do you address such claims?
Why would it be a threat to personal privacy if I never assume any living person's identity? I communicate through identities which I have created and obtain information which is vital to my customers only to better their defenses. So where is the problem? If one of your email addresses doesn't include your full name, then you're basically doing what I'm doing but on a different plane.
vpnMentor: What type of clients do you work with and what types of threats are they facing?
Our customers come from different walks of life. We have of course clients from the finance, health and insurance industries which are constantly threatened by cyber activities, but it’s a changing landscape. Finance used to be the hottest thing and get the most threats, but now we can see that the health industry is becoming a much greater target, because they have information that's worth a lot of money.
Hackers who do it for money will find whoever's willing to pay, and exploit them in every way they can. In some cases they may sell the information to many people, or ask their victim to pay a ransom for receiving their data back. As you probably know, ransomware is a huge business these days.
vpnMentor: Surely, money isn't the only motive for attackers of such scale.
That's right. Bear in mind though that the world of cyber is segmented into 3 general types of threats. I've already mentioned the money-driven hackers. There are also of course state sponsored threats, where we have very little visibility over what is going on. There are exceptions, for instance, in places like Iran, where state and private activities are often mixed up, but generally speaking, we do not investigate or report about state abilities because states normally don’t operate on the web, they do it in a much more private way.
The third type of threat is hacktivism, where each player has his own sources and in some cases his own malware or tools. In their eyes, they do it for "justice".
Take Anonymous for instance, who attacked Japanese companies and government institutions, including those of Prime Minister Shinzo Abe, the Ministry of Finance, the Financial Services Agency and Nissan Motors, because they endanger dolphins and whales. It used to be that the hacktivists were relatively low key. Their technology wasn't very advanced and relied mainly on DDoS capability, but that has completely changed now. The tools that are now being used for hacktivism campaigns are the most advanced tools that we are finding, but they are not tools that are made to make money; they are tools made to destroy.
vpnMentor: What is the difference between your work and the work of a professional hacker?
The 2 companies that came out of Terrogence only deal with open source intelligence (OSINT). A source can be a news article in the New York Times, or an Arabic newspaper, which is published online but is only available to people who understand Arabic.
The information can hide behind various doors of privacy but at the end of the day it's all in the public domain. We don’t hack into sources of information, we don’t use backdoors into them, and we are very overt about what we do.
In addition to our business clients, we've also been working for many governments, meaning that what we do is legal. We are very careful not to cross the legality lines, so whenever we're asked to do something, we look into it, and if a task's legality is uncertain, we will not follow it through. To sum things up, we are not hackers and we're not hacker wannabes: we're a business. We've been doing it for quite a long time and we do it well.
vpnMentor: Can you give us an example of a success story where the information you provided helped prevent an attack beforehand?
We get these cases on a daily basis, because we are dealing with intelligence, and intelligence is always new. It's hard to find glorious stories though in regard to what we do. I understand it is interesting but we don’t work in a glorified way. We collect data for our customers on a daily, weekly or monthly basis; in some of the cases we talk to their machines or to their people, and we provide the intelligence.
From what we've been hearing and the fact that our customers keep coming back, our intelligence is valuable to them. There are lots of companies out there that claim fame because they do cyber intelligence. At the end of the day, the cyber threat intelligence that the market is currently anxious to get is almost non-machinable, meaning that intelligence providers are very limited. You cannot put crawlers to get that information. You may put crawlers to get information about a PIN number or a credit card number that has been compromised, but in order to understand why someone is picking you as a victim or as a future victim, what procedures they will go through in order to incorporate you as a victim, how it is going to affect you as a business or an organization, and how would you even know that an attack is coming your way, and mitigate it before it's too late...
With cyber intelligence, every day it’s a new story; it's never a repeatable market. The type of malware threats we are facing is not a rerun of last week's threat. Every time it's something new and innovative, because this is the industry, it's not fixed and it's very innovative.
vpnMentor: It seems like much of your work revolves around counter terrorist activity. What is your gain from these operations?
We're a commercial company that works for profits. Counter terrorism has nothing to do with SenseCy; it has been dealt with by Terrogence from day one. Still, we have customers ranging from governments to private companies and organizations, who are interested in understanding what threatens them as a country or as a business.
For example, if you wanted to open a company in Egypt, and had to develop your counterparts in Egypt, we would provide information about the Egyptian landscape: Is it safe for you to go there? Who are the people you've been communicating with and do they belong to a company or organization that you should be aware of? If you're opening offices, what are the threats to offices? If you employ local employees, are they clean? Have there been problems with them in the past? And things like that.
vpnMentor: I suppose as an intelligence provider you'd prefer to remain under the radar.
Yes, our work is very tailored; we work for customers that have a name, and that name is something we hold very closely. We share some of it in our blog and give lectures here and there, but generally we go into the light very little. We don't participate in trade conferences and things like that, and it's not where we find our customers; the customers normally come to us. The fact that I'm talking to you is not something that we normally do.
At the end of the day, it's an industry of essence. You are not judged by how much PR you have, but by the intelligence that you provide to the customer.