14 June 2016

Indian CISOs need to build a wartime mindset towards security: Bryce Boland, CTO, FireEye

07 June 2016

In an interview with ETCIO.COM, Bryce Boland, CTO, APAC, FireEye discusses the types of threats that FireEye is seeing in India, factors that elevate vulnerability levels and best practices for the enterprise security landscape in India.

India is fast evolving into one of the most attractive targets for targeted threat actors globally. According to a recent survey by security firm FireEye, India has a threat exposure rate of 24% - compared to the global average of 15%. Indian organizations across the public and private sector are ill-equipped to detect, let alone deal with, advanced cyber attacks.


What is the reason behind the high threat exposure of Indian organizations? Can you state the factors that elevate vulnerability levels in India?

Hope is not an effective security strategy. Far too many businesses in India are hoping that their cyber security strategy is working - that's not a good strategy.

We have observed that Indian organisations, in both the public and private sector, are pretty much ill-equipped to deal with advanced cyber attacks. We have seen quite a large number of consistent, sophisticated operations targeting organisations in India.

A lot of the investments that have been made in cyber security effectively pre-date the current types of small sophisticated attacks and so many organisations, despite having invested in firewalls and anti-virus, are unable to see many of the sophisticated attacks that are happening and therefore they don't even realize that they have been breached or that their business information has been stolen. In many cases, they never ever find out.

In other cases, they find out much later, after the damage is done. We have done a number of investigations in Asia recently. In one case we saw an IT service provider that was consistently being abused by multiple advanced threat groups and one of the breaches had been going on for two years. In another case, the attack group had been inside that service provider for as long as five years. They never knew that they had been breached. It was only when the customers of that service provider had issues that investigations were done and we were able to identify the source outside the IT service provider. This is a very significant risk, obviously not just for India but for the wider economy which was dependent on this IT service provider in India.

The vendor has been breached for as long as five years and did not know about it. They had invested in security but they hadn't realized that they were breached because they invested in tools that couldn't combat the modern attacks.

Frankly, most organizations have not figured out how to respond effectively to security breaches. Recently, the IRCTC website was breached, and presumably about 10 million customer identities were stolen in that breach. IRCTC didn't know how to deal with it. In fact, they even came out denying that there was a breach and at the same time said that they had formed a committee to investigate the breach. So they clearly weren't well organized on how they should respond.

This is probably because awareness is low and most of the breaches that happen don't get notified - no one finds out about them unless it becomes a public issue. It is often seen as a failure if you get breached and so the victims don't want to admit that they have become a victim. So they keep quiet about it and pay the criminals or try to hush up the matter.

So the reasons are organizational weakness, lack of awareness and regulatory gaps (such as the absence of breach disclosure notifications).

What are the types of threats that FireEye is seeing in India?

In a majority of the cases that we investigate, the initial attack vector is email spear phishing. That's not the only mechanism, but it is certainly the most common tool advanced attackers use to target the end user as the victim, rather than trying to target the infrastructure and breach that.

Either way it works, but most of the time the end user is targeted as a victim, and this benefits an attacker because he gets access to credentials inside the network. So once you compromise the user, you will be able to easily steal their credentials and the credentials of any other user that has ever used that workstation. From there it is a relatively straightforward job to gain access to other systems and gain access to the administrative credentials on the network.

Then there are specific attack vectors like APT 30. The attack group was specifically targeting Asia, South-East Asia and India. They had been operating since 2004 without being detected until 2014 - which is quite scary because they have been targeting government organizations and journalists to steal information of economic interest to China.

Another group that we have seen in the region is called SEEDOOR. We suspect this group is Pakistan-based. They conduct operations primarily using spear phishing emails with weaponized malware attachments, and they tend to be focused on lures that relate to regional military and defence issues, often targeting things around India-Pakistan relations and current events relating to that, especially change of power, military activity, etc.

Then there is WATERMAIN, which is an APT group that we believe is based out of China. They also use spear phishing emails, primarily using weaponized Microsoft Word documents - mailing those to the victims, and when they open the document, they actually have a script called WATERMAIN that creates backdoors on infected machines. We detected it in April last year, about one month ahead of Prime Minister Narendra Modi's state visit to China. The group actually targeted over 100 different victims, but 70 percent of them were in India. So we are fairly confident that this group has been targeting activists in other groups in South East Asia. They are very focused on governmental, diplomatic, scientific and educational organizations.

Another group that we saw targeting India is a group called Arachnophobia, and we reported on that back in 2014. That group is a Pakistan-based attack actor that specifically focuses on some government officials in India, and we found that that group had managed to access the computers of some of the Indian government officials through malicious emails that were referring to Sarabjit Singh and Devyani Khobragade. They also had one which was very tempting for people to click on which said: "Salary hikes for government employees" - that's very effective to get people to open documents.

So these are a few groups that are specifically targeting India, and you will notice that in all of those cases, email spear phishing was the primary mechanism that was used to get the initial foothold into an organisation.

What should CISOs do to create a culture of preparedness?

Let me give you an analogy. Imagine an army in peacetime. In peacetime, an army spends all of its time doing drills, making sure the inventories are maintained, doing testing of their processes and so on. And then you think of an army in wartime. A military in wartime spends all of its energy and time thinking about the enemy. They think about how the enemy is going to attack them, how they are going to defend against the enemy, how to detect if the enemy infiltrates them, how they are going to attack the enemy, how they are going to defeat the enemy - that is all that they think about - the enemy, and we need to adopt the same approach to cyber security.

Today most organisations have a peacetime mindset. They are locked in compliance, doing checklists and playing drills to make sure that things are looked after appropriately and that the tools are running. But that's not what you need to do to find attackers who are skilful - they are going to need to change to an adversarial mindset - a mindset that says the attackers are coming after me: how am I going to find them, how am I going to root them out, how am I going to respond if I get attacked. That is the kind of mindset we need to see a shift towards. I call it building a wartime mindset, an adversary-focused mindset - that's what we need to see more of from the CIOs and the CXOs of the businesses in India.

How serious is the problem of ransomware in India?

Ransomware has become the simplest and easiest way for criminals to make money by extorting businesses. It is interesting to note that there are changes in the attacks - the tools are getting better and we have started to see the changes in the attacker behaviour and how they deliver the ransomware. So for most of the ransomware, the attackers get the list of email accounts and use spam techniques to send ransomware to the victims.

But we have seen a number of cases now where the attack group used an APT-style email spear phish to get a foothold inside an organization, and then they escalate their privileges so that they can become a network administrator, and then they distribute the ransomware that they want to use to every machine in the network, and then they encrypt all the machines in the network all at once.

The difference is that obviously if you are a victim of ransomware and you are a large company and one or two machines get infected - a day or week or month, whatever - you can recover from that pretty easily; you might not have to pay any money. But if someone encrypts all of your files on all of your machines, you are really going to be out of business if you are dependent on that technology. So we are finding that when these sorts of breaches happen, organizations are having to pay a lot more money than they would otherwise. So that is a real shift in the behaviour in ransomware over the last few months.

We have also seen some ransomware variants that actually leak data on to the internet every hour to incentivize you to pay. So criminals are constantly evolving their techniques in India. I can only see it getting worse in the short term - the reality is most organizations or individuals can't identify this before it becomes a problem for them. When an attacker targets an organization and chooses to distribute ransomware to every single machine, they could start putting companies out of business if they don't pay. So criminals are making plenty of money doing that.
