Okay, hello everyone. Thanks for joining today. So as Kate mentioned, we are going to discuss some cybersecurity aspects, but maybe more importantly, how hackers perceive cybersecurity when they attempt to perform a successful attack. As Kate mentioned, most of my training is from Unit 8200, the Israeli intelligence unit. But beyond vulnerability research, which is something I did for plenty of years, the most interesting part of the job was actually crafting exploits. Finding a vulnerability is interesting, but developing a scalable attack that could remotely penetrate assets and gain intelligence was really the interesting part. I want to walk you through how such exploits work and why understanding them is actually an advantage from a defender's perspective.

The importance of security is something everyone is already very familiar with, but I think the most important part is this: when you add software to something, you make it hackable. This is true for pacemakers, gateways, PLCs and really anything. When you add software to a device, you make it hackable, and when you connect the device to the internet, you make it exposed. This is pretty much it, and this is what's going on with IoT and embedded devices. We took embedded devices that were previously unconnected, we connected them, and we see more and more attacks.

Why do hackers love IoT devices? Honestly, hackers love everything they can hack, so it's just one more thing. But IoT devices are everywhere; the numbers speak for themselves. Their security level, though, is usually very low, and what hackers look for is always the path of least resistance. There is no goal of targeting the most secure system. You just need one entry point, one way in.
IoT devices usually have the basics, like encryption, stack canaries, best practices, I hope, but no on-device endpoint protection, no malware detection, and no zero-day prevention. That means it might be easier to hack into them. And the stakes are high: medical, industrial, infrastructure, enterprise IoT that can be used as an entry point to the network, like the casino hack through the aquarium and so on. Lacking advanced security solutions keeps the door open. As I mentioned, unlike other assets, IoT devices, even though they now have some security in place and operating systems like Zephyr that have advanced security in the infrastructure itself, are still missing application-level security, endpoint security and so on.

So this is what we're actually seeing: 2,000 new CVEs each month. A CVE is a new vulnerability that is disclosed. It means that as we keep using static analysis and so on, we still have new vulnerabilities every month. 70% of Patch Tuesday fixes are due to memory vulnerabilities. Patch Tuesday, for those of you who don't know, is a patch that Microsoft releases every Tuesday. So every week, Microsoft has new vulnerabilities that it needs to patch. That means that even though they are using all the best practices, they still have new vulnerabilities. 58% of companies have a publicly available exploit. And the most important number, in my opinion, is 15 vulnerabilities per 1,000 lines of code. So vulnerabilities are really a matter of how big your code is, not a matter of how well you develop.

I want to say a word about static analysis. Static analysis tools are great, but the numbers say they are missing 50% of the vulnerabilities. The best example I can give is the recent vulnerabilities in large third-party libraries: Bluetooth libraries, TCP/IP libraries, Ripple20, Urgent/11.
What's interesting about them is that they are integrated in millions of devices and were scanned by multiple static analysis tools. And yet, when researchers looked at them, they were able to find new vulnerabilities. So really, the only reasonable conclusion is that a hacker knows a vulnerability exists, whatever and whichever asset they are researching. This was really our feeling in the unit. We knew we were going to be successful. We weren't starting a research project thinking, oh, maybe this system doesn't have vulnerabilities, because something like that does not exist. Every system, every piece of software has vulnerabilities; we just need to find them. That is how hackers feel confident when they come to research a new system.

There are also a few examples of what we already discussed. By the way, some of the examples are vulnerabilities that Sternum disclosed in a Wemo smart plug by Belkin, QNAP devices, XIXO devices, and really everywhere we looked. Some of these vulnerabilities were detected automatically.

So why is it so different to secure embedded systems? The obvious reasons, right? One is limited resources. You don't have the battery capacity, memory or CPU to run CrowdStrike on your system. Second, there is a different attack landscape. If we are talking about protecting endpoints or servers, we need to think about phishing emails, downloading malicious applications, all these attack surfaces that hackers penetrate through, and traditional endpoint protection handles those attack surfaces. But IoT devices are different. They are deterministic. They aim to do one specific thing or a few things, but in a deterministic way. That means the most attractive attack surface is software vulnerabilities: programming mistakes, command injections, buffer overflows, and so on and so forth.
This also means an advantage for us as defenders, because if you have something that's supposed to behave deterministically, not downloading or surfing the internet, you can actually leverage that to maintain the integrity of the software in real time. I think one of the most difficult parts of securing devices is the diversity. We're talking about more than 100 different operating systems. Most security solutions today leverage operating system capabilities to protect the system: the kernel, permissions, policies. When you have very different operating systems, it's hard to build endpoint protection that is based on kernel services. Also, the diversity in hardware and applications makes it hard to develop one solution that can really fit them all.

When an attacker wants to be successful, there are two main ways to penetrate. One is: I want to target one specific company, one specific device. In that case, you can read our research on the Belkin smart plug, how we did firmware extraction, how we started investigating, how we found the vulnerability and exploited it. But this will be applicable to one specific device, and it's somewhat easier than a more scalable attack where we want to attack millions of devices. In that case, hackers will target third parties: libraries, communication protocols, Bluetooth, encryption, because those libraries go into many different types of devices, and the way to exploit them remains the same. If there is a communication library in a medical device or a gateway, the way to exploit it is the same. So I can have a scalable attack without researching multiple devices, without even needing to acquire the device physically. I just need to research a piece of code that is within the device, and many times it's open source code. So inside the device there are many attack vectors. Many people ask me, but how do they get in?
The entry point to hack a device goes through user input, and sometimes we are not even aware of some of the penetration points we have. For example, when you build a device, you use modules, Bluetooth modules, Wi-Fi modules, and those modules have software within them, parsing packets remotely, parsing the Bluetooth protocol and so on. In many cases, we've seen attacks that penetrate directly through a module vulnerability. Third-party code, as we discussed, your own application code, of course, and mainly protocol vulnerabilities and communication with the outside world. Be it through a mobile application or through a server, whenever you connect outside, there is also some incoming data, and an attacker can use this incoming data to craft an exploit.

So really, this slide says it all. When we try to patch vulnerabilities, when we try to catch all the vulnerabilities in advance, when we try to use best practices, we are actually trying to remove 100% of the vulnerabilities, because that's the only way to be protected. A hacker, on the other hand, only needs to score once. He needs to find one way in. So even if you remove 99% of your vulnerabilities, the hacker still just needs one. I think everyone would prefer to be Messi in this situation and not the goalkeeper, even though I was a goalkeeper, but that's something else.

So if we dive into a real exploitation, this is the vulnerability Sternum recently disclosed. Belkin really uses all the best practices: static analysis, encryption, secure boot, over-the-air updates to patch devices, everything that you keep hearing, SBOM, of course, which is important. But still, what I want to show is how reactive it is, how when there is a new vulnerability, a zero-day, there is nothing those tools and techniques can do.
What Sternum disclosed, and I invite you to read the research, is a memory vulnerability that enables us to remotely get on the device and take complete control of the firmware and software. What that means is that the data is not encrypted anymore, right? WhatsApp is encrypted, but when you read messages on your phone, they are decrypted. So if someone is running code on the phone itself, they are able to read the messages, especially if it's in the kernel. That's the same for every asset out there. If you are running code on the endpoint itself, the data is not encrypted and it can be leaked. So all the tools that help patch one-days and so on cannot really help against what we disclosed.

The current approaches are reactive and imported from other industries. What I mean by that is that we're trying to take techniques from other industries and just use them on embedded systems. That is really not a great thing to do, because an embedded system is a different ecosystem, with a different attack landscape and a different architecture.

Patching. Patching is reactive, for sure, because we are patching something only after we know it exists, but it is also very costly. Patching can be a nightmare in some industries. It's not like updating your Windows or iPhone device, and in many cases devices are left unpatched for many months, making them even more vulnerable.

Encryption. I really like this quote because it's by Adi Shamir, the S in RSA, basically the inventor of one of the most used encryption algorithms. And he says there are much simpler ways of penetrating a security system than cracking the crypto. What it means is that nobody is going to crack your encryption algorithms. What they are going to do is find a simpler way to get on the device, or bypass your certificate checks, and then everything is exposed. This is really what security vulnerabilities and attacks look like.

Lastly, static analysis misses 50% of the vulnerabilities.
So if you don't have 15, you have 7 per thousand lines of code. That's still pretty high. And of course, what's not discovered by static analysis is then discovered post-production. So we can't find all the vulnerabilities. This is at least my opinion: everyone has vulnerabilities and every software has vulnerabilities.

So what can we do? While every vulnerability is different, when you exploit a vulnerability there is a specific set of techniques you can use. If you are exploiting a buffer overflow, you need to do A. If you are exploiting a command injection, you have to do something different. But the things you have to do, like overflow the memory, manipulate the execution flow, inject the command using malicious characters, those exploitation techniques do not change, even if you're exploiting 10 different vulnerabilities, as long as the vulnerabilities are from the same family, the same type. A CVE is an instance of a vulnerability, but a CWE is the type, the family these vulnerabilities are associated with. If we target not the vulnerabilities but the way of exploiting them in real time, how it looks, we will actually be able to understand the exploit chain and detect it in real time.

What you see on the screen is the Wikipedia definition of exploitation. What you can see is that every exploitation is linked to a system weakness, and an exploit is a piece of software intended to change the intended behavior of the device, of the software. So what we understand is that exploitation is deterministic: it's a piece of code. Second, it has to cause a malicious operation. And this is the attack chain. An exploit is connected to a vulnerability; it has to exploit that specific vulnerability. So what if, instead of trying to stop the vulnerability, we stop unintended behaviors from being executed? We stop overflows in the memory.
We stop malicious characters from being executed inside commands. Sternum's technology is the exploitation fingerprint. It's really about understanding the fingerprint of exploiting each type of vulnerability and identifying those fingerprints during real-time execution. In many ways, it operates like zero-day prevention on traditional endpoints. But the uniqueness of our solution is that you can do that with less than 3% overhead, and it can fit real-time operating systems as well as embedded Linux smoothly.

What it really gives defenders is a power flip. Because now, as a hacker, I not only need to find one vulnerability, I also need to find a vulnerability whose exploitation technique will bypass all the detection mechanisms on the system. The problem is, the exploitation technique is tied to the vulnerability I found. It's not something I can change without having a special vulnerability that I can exploit differently. That means I now need to find this one special combination of exploitation technique and vulnerability that will bypass the protection solutions operating in real time.

To visualize it, and because I don't have a lot of time I'll go fast: Sternum deployed our solution on all the devices that we discovered to be vulnerable, and our exploitation fingerprint technology was able to stop memory corruptions, command injections and manipulation of the execution flow. By doing that, it stopped the attack attempt in real time and sent a notification, including the line of code where the vulnerability existed. Now you can patch it, of course. But most importantly, you are not vulnerable. No malicious code is running on the system. So we really try to bring IT standards into the IoT space, including full observability, real-time monitoring of the system, anomaly detection, zero-day protection, and most importantly, operating during real-time execution.
What happens in real time cannot be found passively, statically, during development. A little bit about the company: there are three components to our platform, online protection, continuous monitoring, and operational insights from the devices and data we monitor. We are already deployed on millions of devices, mainly in the medical space, the industrial space, and consumer and enterprise IoT. And as you can see, we're already working with leading companies like Medtronic and others. So thank you very much.
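The CVE-versus-CWE argument from the talk (stop the exploitation technique, not the individual bug), as an added example that is not part of the transcript and is not Sternum's code or a description of their product's internals. It is a toy C guard: one check looks for the fingerprint of memory-corruption exploitation (an input that cannot fit its destination), the other for the fingerprint of command-injection exploitation (shell metacharacters about to be interpolated into a command). The same two checks then catch two unrelated hypothetical call sites, a Wi-Fi setup path and a diagnostics ping, without either bug being known in advance. All function names, call-site labels and inputs are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not Sternum's code: a toy version of the "exploitation
 * fingerprint" idea.  Rather than knowing each CVE, the guard looks for
 * what an exploit of a whole CWE family must do at run time: write past a
 * buffer (CWE-120/121) or smuggle shell metacharacters into a command
 * string (CWE-78).  All names and the "call sites" below are hypothetical.
 */

typedef enum { GUARD_OK = 0, GUARD_OVERFLOW = 1, GUARD_INJECTION = 2 } guard_event_t;

static guard_event_t g_last_event = GUARD_OK;
static const char *g_last_site = "";

/* Record a blocked attempt.  A real agent would raise an alert carrying
 * the call site (the talk mentions reporting the offending line of code). */
static void guard_report(guard_event_t ev, const char *site) {
    g_last_event = ev;
    g_last_site = site;
}

guard_event_t guard_last_event(void) { return g_last_event; }
const char *guard_last_site(void) { return g_last_site; }

/* Length of src, scanning at most `limit` bytes (portable strnlen). */
static size_t bounded_len(const char *src, size_t limit) {
    size_t n = 0;
    while (n < limit && src[n] != '\0') n++;
    return n;
}

/* Overflow fingerprint: the input does not fit in the destination,
 * terminating NUL included.  On detection nothing beyond dst[0] is
 * written and the caller is told the copy was refused. */
bool guarded_copy(char *dst, size_t dst_len, const char *src, const char *site) {
    if (dst_len == 0) return false;
    size_t n = bounded_len(src, dst_len);
    if (n >= dst_len) {
        guard_report(GUARD_OVERFLOW, site);
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);
    return true;
}

/* Injection fingerprint: characters that change how /bin/sh parses a
 * command line.  A hostname or SSID never legitimately contains them. */
bool has_shell_metachars(const char *arg) {
    return strpbrk(arg, ";|&`$()<>\n\r'\"\\") != NULL;
}

/* Build "ping -c 1 <host>" for a later system() call, refusing any host
 * that carries the injection fingerprint.  A truncated result is treated
 * as the overflow fingerprint, since an exploit would rely on it. */
bool guarded_ping_command(char *out, size_t out_len, const char *host, const char *site) {
    if (out_len == 0) return false;
    if (has_shell_metachars(host)) {
        guard_report(GUARD_INJECTION, site);
        out[0] = '\0';
        return false;
    }
    int n = snprintf(out, out_len, "ping -c 1 %s", host);
    if (n < 0 || (size_t)n >= out_len) {
        guard_report(GUARD_OVERFLOW, site);
        out[0] = '\0';
        return false;
    }
    return true;
}

int main(void) {
    char ssid[32];
    char cmd[64];

    /* Constructed inputs standing in for packets reaching two unrelated
     * features (Wi-Fi provisioning and a diagnostics page).  Two different
     * "vulnerabilities", the same two fingerprints. */
    const char *good_ssid = "HomeNetwork";
    const char *long_ssid = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 48 bytes */
    const char *good_host = "192.168.1.1";
    const char *evil_host = "192.168.1.1; cat /etc/passwd";

    printf("ssid ok:      %d\n", guarded_copy(ssid, sizeof ssid, good_ssid, "wifi_setup.c:42"));
    printf("ssid blocked: %d (event %d at %s)\n",
           !guarded_copy(ssid, sizeof ssid, long_ssid, "wifi_setup.c:42"),
           guard_last_event(), guard_last_site());
    printf("ping ok:      %d -> %s\n",
           guarded_ping_command(cmd, sizeof cmd, good_host, "diag.c:117"), cmd);
    printf("ping blocked: %d (event %d at %s)\n",
           !guarded_ping_command(cmd, sizeof cmd, evil_host, "diag.c:117"),
           guard_last_event(), guard_last_site());
    return 0;
}
```

The point the toy makes is the one from the talk: neither check knows anything about the specific bug in `wifi_setup.c` or `diag.c`; it knows only what an exploit of that CWE has to do, so a new zero-day of the same family is caught by the same code path. A production agent would hook the real copy and command-execution primitives rather than ask developers to call wrappers, and would raise an alert rather than print.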