For the next instalment in our series of interviews asking leading technology specialists about their achievements in their field, we’ve welcomed Israël Hallé, Co-Founder of Flare Systems.
Israël’s experience includes working with the Merchant Protection and Checkout team at Shopify. After that, he was a malware analyst and a reverse engineer at Google where he hunted down new malware threats and introduced automation operations through big data analysis. Israël has also been involved in the computer security ecosystem as a conference speaker, workshop host, bug bounty hunter and an open-source developer.
Tell us about the business you represent, what is their vision & goals?
I co-founded Flare with a vision to bring cybersecurity expertise to all organizations. Our goal is to build a platform that enables any organization to monitor their digital footprint in real-time and proactively address their cybersecurity risks. We believe organizations of all sizes can manage their cybersecurity risk with the right tools, and we’re developing this solution.
What inspires and energizes you within your work?
I have both a background in software engineering and cybersecurity. I’m inspired to use both skill sets to build a product that will empower all employees to be as efficient as cybersecurity professionals.
Building this platform comes with a lot of unique challenges and opportunities to innovate through data engineering, distributed systems, and artificial intelligence. Most importantly, we are working to develop a solution that focuses on simplicity and convenience. These continuous challenges are what energizes me the most.
Can you share a little bit about yourself and how you got into cybersecurity?
I started teaching myself programming when I was a teenager and since then, I’ve always been interested in better understanding how these digital machines work (and break)! I got into cybersecurity when I participated in my first Capture the Flag event and figured out how to run arbitrary assembly code by exploiting a buffer overflow. At that point, I developed an expertise in reverse engineering and memory corruption exploitation that eventually landed me a contract as a Malware Analyst at Google.
Can you tell us a bit more about your experience working as a reverse engineer at Google? What were some of the most interesting projects that you worked on?
While at Google, I was working with the Safebrowsing and Chrome team to investigate a campaign of Potentially Unwanted Program (PUP) targeting Chrome and worked on the Chrome Cleanup Tool.
Up to this point, my experience as a reverse engineer had always been about looking at one executable and extracting insight from it. At Google, I was able to learn how to scale reverse engineering processes by extracting insight from thousands or millions of executable data and metadata. My most interesting projects were all about how to use software engineering skills to scale reverse engineering processes that are usually manual and human-driven.
Are you able to share some of your most interesting experiences as a bug bounty hunter?
Since most bounty hunting is dedicated to web applications, this is not something I focused on. Except once, when Shopify added a ruby sandboxing project that was all about exploiting the « mruby » interpreter to get out of the restricted execution.
I started looking at the open-source project all written in C with a friend and we quickly began to find memory corruption opportunities and were able to find a few remote code executions in the Shopify application. This experience made me realize how software security is much more about systems and architecture than bug-free code.
What are best practices for today and how can businesses avoid cyber threats such as ransomware, phishing attacks, etc.?
Just like secure software is not about bug-free software, a secure business is not about perfect IT controls and behaving employees. Organizations' threat modeling should be as much about preventing and containing risks as addressing them.
I believe good security practices should not only focus on how to prevent employees from getting phished and running arbitrary software but instead, how they can build a system that will detect employees leaking passwords and running malware on their computers and how they are going to deal with the issues.
What one vital tip would you give to companies who are reviewing their cyber security?
Your threat is very unlikely to be some advanced hacker using a never seen exploit to get inside your organization's IT systems. Focus on the obvious, and focus on your top threat actor: your employees.
They are the ones who publicly share private documents because they get ad hoc requests that were required yesterday. They are the ones who re-use simple passwords because our human brain has not evolved in learning high entropy master keys. They are the ones setting up shadow IT because waiting on the IT department for access or resources just won’t allow them to get their deadline met. I believe all organizations share these risks and none can eliminate them.
Does your organization use log and metrics data to improve and secure your systems? How do you find managing logs assists your day-to-day work?
If we believe bug-free employees do not exist, then logs and metrics become one of the most important aspects of any security program. To secure systems, an organization has to think about what and how they are going to analyze metrics to detect risky patterns.
From a software engineering perspective, it is easy to think of logs as something an application spews out to help monitor and debug. But cyber security logs and metrics are anything that tracks behaviour and allows for finding anomalies. It can even come from the outside world, where metrics reflect the things you care about that can be found on the Internet.
Are there any books, blogs, or other resources that you highly recommend?
My favourite books focused on cyber security are “Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks” and “Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software”. The first one is looking at many ways to extract insight by only looking at bits on cable. This makes you think about how much you can learn just by looking at system behaviours.
The second is a great reference to the technical process of looking at malware and how to look at them. Finally, I want to add a special mention to the webzine, “POC||GTFO”, available for free online and now published as a very good-looking compilation. This webzine is to me, the very essence of Hacking and brings you back to a different time even if some of the content is very modern. Go check it out!
Would you like to share any cybersecurity forecasts or predictions of your own with our readers?
I believe the next big innovation we need in cybersecurity is not bleeding edge systems or processes that big corporations will be able to put in place to make themselves more secure.
Nowadays, every person and organization is using IT in their day-to-day tasks. I believe cybersecurity needs to be democratized such that every person and organization can be as secure as the top performer. I believe that is possible with the right technology and that is yet to come.