Standing before a crowded room of entrepreneurs and investors at a conference in
San Francisco last summer, former Vice President Al Gore described how
climate change could be contained, possibly even reversed.
Next to take the stage was Kevin Mandia, the founder of Mandiant, a security
company acquired by another security company called FireEye, who said
nothing could be done to stop hackers from conducting digital attacks.
The juxtaposition did not sit well with Oren Falkowitz, a former analyst at
the National Security Agency. “I thought, ‘Really? We can solve global
warming but we can’t stop cyberattacks?’” Mr. Falkowitz recalled. He
didn’t buy it.
For the last two years, Mr. Falkowitz’s start-up, Area 1 Security,
has been trying to persuade the owners and operators of computer
servers that have been compromised by state spies, criminals and
hacktivists to allow the company to tap into those servers to monitor
the attackers’ activities.
Those servers have given the Area 1 team a much clearer picture of who is
being targeted and what tools and websites attackers are using. And the
security company has started to block attackers, heading them off days
or even months before they hit their targets.
It’s a new tack in an industry that in recent years has appeared less
confident that it can block digital attacks. Most security start-ups
seeking funding today have resigned themselves to the inevitability of a
breach and are focused more on identifying an attack as it plays out
and praying that they can respond before the perpetrator makes off with
something important.
It’s as if everyone in the cybersecurity industry forgot that customers pay them to keep from being hacked in the first place.
Mr. Falkowitz and his co-founders, Blake Darché and Phil Syme, think they
have found a new way to turn attackers’ tools against them.
For as long as there have been cyberattacks, hackers have relied on a vast
network of compromised servers around the globe to funnel their
malicious code, search out targets and steal data. By watching what
happens on those compromised servers at dentists’ offices, farms,
welding shops and tech companies, Area 1 believes it has secured a
unique vantage point for monitoring and even blocking attacks.
Area 1’s technology addresses one of the most pernicious digital threats:
so-called spear-phishing attacks, which bait unsuspecting workers into
clicking on links in emails and unknowingly giving attackers a toehold
in their employers’ systems.
Phishing attacks have become an epidemic. To date, more than 90 percent of
breaches have begun with a phishing attack, according to Verizon.
Intelligence experts say that phishing attacks are the preferred method of Chinese
hackers who have managed to steal things as varied as nuclear propulsion
technology and Silicon Valley’s most guarded software code.
“Oren does not take it as writ law that we have to live that way, and he
wanted to do something about it,” said Ted Schlein, a venture capitalist
at Kleiner Perkins Caufield & Byers, which has invested in Area 1.
“If we could look every company in the eye and say, ‘We can stop your
phishing attacks,’” Mr. Schlein said, “then Oren could look Kevin Mandia
in the eye and say, ‘Thanks for the inspiration, but you’re wrong.’”
One of the biggest challenges in combating phishing attacks has been a lack
of information-sharing among victims, security firms and law
enforcement. Victims are reluctant to publicize security breaches,
potentially keeping competitors from heading off similar attacks.
And the role of the government in sharing threat data has been constrained
since the former intelligence contractor Edward J. Snowden leaked
documents revealing the scale of government monitoring. The Obama
administration has been pushing to collect and share more threat data
with the private sector. But few companies want to share any more data
with the government than they are compelled to by law.
Intelligence agencies say the lack of information-sharing works to attackers’ advantage.
“We are in a very complex digital world that’s only going to get more
complex as innovation presents challenges we haven’t even anticipated,”
said Daniel Ennis, former director of the Threat Operations Center at
the N.S.A. “People have incredible expectations of the government to
keep them safe” online.
“My concern is that the bad guys are going to out-innovate us,” he added.
“The only way we’re going to out-innovate them is a partnership between
the government, the private sector, the victims and academia.”
Until that happens, Area 1 may have found a way to circumnavigate the
politics by recruiting the owners of those compromised servers around
the globe.
“Cyber is perceived as this ‘Matrix’-like structure, but people forget that
it’s also physical in nature,” Mr. Falkowitz said. “The players are not
just the attackers and the victim; there’s an entire underbelly of the
web that has been subverted.”
Area 1 discovers, on average, 859 new targeted phishing sites a day. Now it
can use its unusual vantage point to help its customers stave off
attacks.
It is still early days, but Area 1 aims to eventually end phishing attacks
altogether, Mr. Falkowitz said. “We just went to Mars and found water,
and people are saying we can’t solve this?”