Focus Must Shift to Attacks ‘Detection’

The Economic Times - Economy

“What has happened is something of a very sophisticated nature and we have not seen this in our other investigations. I will not be able to provide further specifics of Hitachi breach as SISA respects client confidentiality in forensic investigations… We have received a direction from National Security Coordinator, Government of India, to share this report only with Hitachi…” Dharshan Shanthamurthy, founder-CEO of SISA, the company which was hired by Hitachi for the forensic audit, told ET. SISA has shared some of its learnings with various government agencies. After repeated requests from NPCI, Hitachi is learnt to have shared the report with the national payments company.


There are four stages in the ‘kill-chain’ of a cyber breach: (1) how the malware gets in; (2) how it escalates within the system; (3) how data is taken out; (4) how effectively the hacker cleans the system it penetrates. Besides the scale and extent of the compromise, what distinguishes the Hitachi breach from past attacks is the pace at which the malware travelled within the Hitachi network once it was inside. “The code was written in a way that it made sure the malware worked on the Hitachi system... it was virtually sitting on the administrator’s laptop,” said another person familiar with the investigation.

According to KK Mookhey, founder of Network Intelligence, which investigated the matter on behalf of one of the banks, the Hitachi breach, with its advanced and targeted nature, was a “watershed moment in the Indian cybersecurity space”. “Incident response is an area in which most Indian organisations have very nascent capabilities. This breach brought those gaps to light. It also served notice that attackers see Indian financial institutions as lucrative targets,” he said.

While banks have focussed on protecting against malicious code (or malware), attackers are using spear-phishing to get valid usernames and passwords, and then using built-in capabilities of operating systems like Windows to complete the hack. “Trying to catch malware is a strategy doomed to failure. Banks have a lot of focus on guarding the perimeter (city walls). However, once somebody sneaks through, they cannot detect the ‘privilege escalation’ and ‘lateral movement’ phase of the attack (behind the city walls). I feel the Hitachi attack was highly targeted, with a specific goal in mind and also succeeded without any prior detection,” said Sahir Hidayatullah, CEO of Smokescreen, which specialises in deception tactics to battle cyber crime.


Besides the sinister power of smartly coded malware, other lessons from the Hitachi breach are:

** It’s a mistake to believe that such an attack is isolated to the ATM processor environment and will not impact other verticals and establishments in the payments industry. “This attack vector can happen to any payment environment — banks, wallet companies, UPI (Unified Payments Interface), IMPS (Immediate Payment Service), retailers (ecommerce/brick-and-mortar), national switches and processors. These attacks are not restricted to cardholder environment and can apply to any payment form factor,” said SISA’s Shanthamurthy.

** For businesses, the focus has to shift to ‘detection’ rather than ‘prevention’ as preventing the attacker getting an initial foothold is almost impossible. Malware has to be detected before the attacker succeeds at ‘lateral movement’ and ‘privilege escalation’, said Hidayatullah.

** If an attack has been successful in one environment, it will most likely be used again and it is not necessary that it will happen in the same industry vertical. “The bad guys have a better information-sharing mechanism than what we have. They in all probability will go behind the next most vulnerable organisation where they can compromise larger payment data,” said Shanthamurthy.
