Hugo Sanchez, rThreat: “all the money in the world won’t rectify faulty practices or make up for a missed breach”
As many companies struggle with choosing the right approach to identifying and patching vulnerabilities, experts develop new ways for organizations to test their preparedness for cyberattacks.
Risk simulation is currently the most popular method for securing an organization’s systems against cyberattacks – along with employing countless threat detection and elimination tools. Threat actors are constantly developing and improving their attack tactics, and while they may be drawing inspiration from previous incidents, it’s still nearly impossible for organizations to stay on top of their security game. Clearly, there’s a need for a new approach.
With this in mind, Cybernews reached out to Hugo Sanchez, Co-Founder and CEO of rThreat, a breach and attack emulation platform. Experts at rThreat help customers improve their cybersecurity stance by creating an opportunity to deal with real attacks in a safe environment.
How did the idea of rThreat come about?
I met Jesus Garcia, who is the brains behind rThreat, about eight years ago. Prior to the creation of rThreat, he was the Senior System Engineer of a major cybersecurity vendor. He has a deep understanding of networks and the skillset for coding - and he is the most incredible ethical hacker I’ve ever met.
My background is not in cybersecurity, but he reached out with this idea of emulation to prevent cyberattacks and wanted me to see if it was something we could bring to the US. I did a 6-month study in the US on competitors and market research, and I quickly recognized the need for our platform. Since then, we’ve developed two versions of our program, and I have surrounded myself with true experts in this field, including one of our advisors, John Kindervag, who is the creator of the Zero Trust framework and one of the world’s leading experts on cybersecurity. We’ve been successful in raising funds to grow the business and are currently full steam ahead on bringing this important technology to organizations of every size.
Can you tell us about what you do?
rThreat is a cutting-edge Zero Trust Validation platform that proactively allows users to test their cybersecurity tools and teams against real-world cybersecurity threats. Even the best cybersecurity and IT professionals out there - which few organizations can afford - don’t think in the same way as hackers do, and therein lies the danger of relying on legacy tools and services. The best analogy for what we do is that manufacturers don’t test bulletproof vests with blanks, so why would you test the capabilities of your cybersecurity system through simulated attacks? The benefit of this approach is that it’s entirely proactive instead of reactive, so you know where your weaknesses are and can address them immediately instead of being left to deal with consequences only once you’ve been breached.
What technology do you use to determine one’s state of security?
rThreat’s team of researchers utilizes real ransomware, trojans, crypto miners, and other types of malware to test cybersecurity tools and teams in a secure environment. This enables organizations to address gaps and build effective incident response plans. These plans encompass even the most recent threats in real time through an automated SaaS platform using the Zero Trust security model.
Did you notice any new threats arise during the pandemic? Were there any new features added to rThreat as a result?
Yes, we experienced the two largest cyberattacks on supply chains during the pandemic, which was crippling in addition to the existing issues the country was facing. We didn’t add any new features as a result of these attacks because the reality is that they served as validation of the market need for rThreat. The only changes we’ve made in our second version of the platform have been to alter the look and feel for users, and add in some training wheels, so to speak.
The belief that only large and well-known companies are prone to cyberattacks is only one of many misconceptions still prevalent today. What cybersecurity myths do you come across most often?
The most pervasive and problematic myth I’ve come across is the belief that the more you spend, the safer you are. That couldn’t be further from the truth. All the money in the world won’t rectify faulty practices or make up for a missed breach, and most security platforms out there - and there are thousands - are more reactive than proactive. A product doesn’t have to be expensive to be effective, and at rThreat, one of our main goals is to make top-tier cybersecurity tools accessible to everyone, regardless of whether an organization is made up of 5 people or 5,000.
In the event of a breach, what are the first steps that should be taken?
It truly depends on the industry and level of data security at risk. Every attack is different, and the techniques are different.
The U.S. Congress has passed a new cybersecurity law that will require critical infrastructure entities to report material cybersecurity incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 and 24 hours, respectively. But for organizations that don't fall into that category, the answer isn't so cut and dry.
The technology to fight them, as well as the attacks themselves, is constantly evolving. It may seem simplistic, but the safest way to stop an attack, no matter the size of the breach, is to unplug the computer or close down the network. But the actual strategy is heavily dependent on each company’s policy and protocols.
The number of organizations affected by cyberattacks grows exponentially. And yet, many organizations take action only after an incident occurs. Why do you think people are reluctant to keep up with cybersecurity?
A big part of the problem is that there are thousands of products out there that claim to protect your company - at every price point - and most people think having any old product is sufficient. The monetary aspect of it, combined with the myth that you mentioned that only large organizations are prone to cyberattacks, are common barriers standing in the way of organizations putting sufficient effort into their cybersecurity strategy. On a broader level, regulations surrounding cybersecurity are also part of the problem, as they don’t go far enough in terms of required compliance in each industry. The recent White House requirements for federal agencies to adhere to Zero Trust standards are a step in the right direction, but we need better regulations throughout the public and private sectors to really bring the proper awareness to this issue and acquaint people with their options for protection.
In your opinion, which cybersecurity practices are a must these days, both for businesses and individuals?
The bottom line for both businesses and individuals is that you need to follow the basic premise of the Zero Trust framework: always assume that a connection is insecure and continuously validate the security of your network. Don’t click on anything suspicious in your email or from someone you don’t know. Make cyber hygiene an everyday priority, and if you have doubts about an attachment, file, or program, it’s always safest to assume that it is a threat.
Would you like to share what’s next for rThreat?
Even as more and more people become aware of the reality of cybersecurity threats, our technology is still ahead of the curve, and I believe we can keep that edge in the cybersecurity validation space by monitoring any changes as they arise and accounting for them within our platform. At its core, what we’re doing is more of a methodology than technology, and it’s the best way to make sure your assets are safe. We’re going to keep grinding and spreading awareness of this gap in the industry, and hopefully, within the next few years, our methodology will become part of the standard cybersecurity strategy for every company.