Vishal Salvi on Data Breaches and Attacks on Remote Assets

Yulia De Bari: Welcome to the Knowledge Institute podcast, the Cyber Bites Edition. In the last episode, we talked about how the threat surface has expanded during the COVID-19 pandemic. We also talked about Infosys' response to this crisis.

Yulia De Bari: Today, we will focus our discussion around data breaches and attacks on remote assets. According to IT Governance Blog, in May 2020 8.8 billion records were breached. Data breaches are becoming more frequent. Vishal, what are the cyber criminals after?

Vishal Salvi: Hi, Yulia. If you look at how the breaches and the attacks have evolved, in past we used to see attacks on banks and financial institutions, and the attackers were after your money, whether through your credit cards or your online banking assets, and they were trying to steal your credentials so that they can actually steal your money.

Vishal Salvi: Of course, since then there have been multiple types of attacks and multiple types of threat actors. We have state sponsored, non state sponsored, financial crime. We also have organizations which are focused on creating disruptions, creating denial of service attack, intellectual property theft, even Bitcoin mining, and so and so forth. There are multiple attackers with multiple motivations, multiple techniques and tactics to go across different industries.

Yulia De Bari: That's what we're going to talk about just in a bit, we will discuss all the techniques and motivations and tactics. From your personal experience, do you see maybe that some industries are more affected than others, or are they all pretty much the same?

Vishal Salvi: Every industry is now having an exposure to cyber risks. Like I said, it started with banking and financial institutes many years back, but at this stage, the growth of investments and the growth and rise of cybersecurity risks related to manufacturing, related to retail, to energy and utilities, has gone so high that each industry is now equally exposed. I would not want to pick up one industry or another right now, if you're asking me this question three or four years back, the answer would have been that the banking and financial industry was much more getting impacted, but not anymore.

Vishal Salvi: Very recently we are seeing a significant unprecedented rise of malware attacks, and specifically within that ransomware attacks, which are clearly not discriminating against any industry. Each industry is perhaps a target and is getting impacted by such attacks, Yulia.

Yulia De Bari: Got it. Thanks. Now let's go back to the beginning of our conversation. You said there are multiple motivations and multiple techniques and multiple tactics to go across different industries. What are the most common cyber attacks?

Vishal Salvi: 90% of the attacks are using social engineering methods, which means that they invariably are initiated through an email to an unsuspecting user and thereafter the credentials. Once they get in, you then have a lateral movement and the attacks get migrated to the rest of the organization.

Vishal Salvi: If you look at, it in terms of any of the attacks which have happened, and you look at the anatomy of these attacks, what you'll find is that all of them have an insider playing an active or a passive role. When you look at the issue of insider and insider threat from a risk point of view, the risk is about having an insider getting compromised unknowingly about the credentials, by which the threat actor can actually enter your organization and perform harm.

Vishal Salvi: The second is about an insider who is perhaps going to a competitor and can steal intellectual property, if not protected, and carry that competitive data or competitive assets to your competition.

Vishal Salvi: Number three is they can be recruited by a threat actor, state or non-state, and they could be either actively converted or they could be a sleeper cell, or it could be anything else, and they could act against the interest of your organization to perpetrate an attack.

Yulia De Bari: If we talk about tactics, do you see any new emerging tactics due to remote work? Are there any new patterns that companies must be aware of?

Vishal Salvi: We have also now started seeing that given the fact that now 75% of the people are working from home, the home routers are becoming a point of vulnerability. We have seen attacks where the vulnerabilities of the home routers are getting exploited. When you are at home, organizations have a split tunneling implemented, which means that you are able to connect VPN to your corporate network, but you also have a channel of communication open for internet browsing through your local router and that causes this risk of split tunneling, which is getting exploited by the fraudsters to come and initiate a command and control communication through the corporate network, through that vulnerable home router.

Yulia De Bari: Thank you. There are many different cyber attacks that exist today and criminals use different tactics. For the sake of time, we did not talk about all of them today, but the next question to you is, how can companies adapt to this new environment and what practical steps can they consider when defending their systems against such attacks as ransomware or insider threats or any other cyber attack?

Vishal Salvi: I think one of the most important, fundamental thing that you should do, you need to have a zero tolerance towards your IT hygiene. And what do I mean by IT hygiene is your patching, your vulnerability management, because most of the attacks that we have seen are the ones where the vulnerabilities are known.

Vishal Salvi: There are three important aspects of enterprise patching. The first is to understand what are the idea assets and the applications and inventory that you have, and have a good visibility around that, so that when there are patches released by tools or original manufacturers, you are able to identify which of those are applicable for your ecosystem.

Vishal Salvi: Once you have been able to do that, you are then having an automated method to go ahead and implement that particular patch, so that particular vulnerability can be remediated. That's the three step process that every organization needs to have for implementing a very robust and a very end to end life cycle for patch management.

Vishal Salvi: The second important aspect that you should do is that when you look at all the organizations which have got attacked and you do a root cause analysis, then you find that the primary reasons why they were breached or attacked was because they had very poor administrative privilege access controls. They had very poor management and upgrade of all their operating systems. A lot of their systems had become end of life and end of support. They had a very poor management of patching and keeping the system up to date. Very poor control over how the vulnerabilities were getting remediated.

Vishal Salvi: I think this is a very fundamental problem that every organization is grappling with. My response is not about implementing more additional security tools and other things, because that is not going to solve your problem. It is important aspect of your cyber-defense, but more fundamental aspect of your cyber defense is the getting the basics right, which is what I talked about.

Yulia De Bari: Apart from zero tolerance to IT hygiene and patching and vulnerability management that you talked about, are there any tools that companies can consider when in particular defending themselves against malware?

Vishal Salvi: You'll also want to do multiple things related to your preventative and detective controls. For example, beyond an antivirus, which is the endpoint protection platform, you would also want to implement something like EDR, which is endpoint detection and response, which would, in real time, look at any code which is running on your endpoint and identify, based on the behavior of the code, whether it is malicious or not.

Vishal Salvi: Most of the modern organizations are ensuring that they have not just the endpoint protection platform, but also endpoint detection and response implemented on all the host and all the endpoints.

Vishal Salvi: Point number two is, you need to have a 24/7 monitoring in place, which is constantly looking at what's happening on your environment, is able to receive those signals on a realtime basis, and then there are either manual cognitive or automated mechanisms, which are put in place to help you remediate that threat as it occurs.

Vishal Salvi: Today's modern organizations are fully focused on automating it end to end, so that the moment it is identified, it gets remediated.

Vishal Salvi: The third part is that investing in threat intel and threat hunting is becoming very critical. What do I mean by that? The virus or the malware can only be effective and impactful when it comes in contact with your assets, whether it is there on prem or cloud or on an internet.

Vishal Salvi: Now, the reality of any malware is that there is always a patient zero and the first 100 patients, and the likelihood of you being in that is much lesser as compared to you eventually being there. Therefore, the threat intel and threat hunting platforms help you to remediate and make your organization systems immune to any of that emanating threat by having quickly coordinated mechanisms to identify patients zero somewhere else, and identifying the indicator of compromise, indicator of attack, indicator of behavior, so that we can apply that to your organization context that you make your organization immune to that.

Vishal Salvi: This threefold strategy of preventing and protecting on the endpoint through EPP and EDR to have a 24/7 monitoring in place through your cyber defense center monitoring to help orchestrate remediation, and number three, to be able to implement threat intel platform and threat hunting so that you are able to move quickly to immunize your organization against these threats before they come in and hit you, is a good way to protect yourself against ransomware attacks.

Yulia De Bari: Thank you so much. I think those are great recommendations. Lastly, let's talk about the worst case scenario. If a breach does occur, what should be the first steps that the company must take and what should be their priority actions and how it should respond?

Vishal Salvi: This is a very hard and a tricky problem. I think the first thing that you would want to do is to really understand what is happening, what is the extent of damage, and what should be your immediate response to contain that particular breach to the only part of the organization which has got impacted and not allow it to propagate across your organization, which requires very quick thinking and quick incident response. That's point number one.

Vishal Salvi: Point number two is, then you get into the mode of recovery where once you're contained, you start recovering in terms of how do you identify what is happened and how do you start taking decisive steps towards remediation and recovery of those assets which got impacted.

Vishal Salvi: Number three, once you've done the recovery, the third thing you need to do is to start looking at root cause analysis, find out what went wrong, so that you can do analysis and fix that at roots core.

Vishal Salvi: These are the three steps, but I think more importantly, while these are happening, you need to also have your communication plans in place, where you can look at how you can communicate with your customers, how you can communicate with your legal entities, your contractual obligations, your regulators, your leadership, your board. All of that is very, very important. Communication plan and media outreach is very, very important.

Vishal Salvi: The other important aspect is in terms of how you are able to navigate with your businesses, because when you look at business continuity and crisis management, all of this need to be well orchestrated and planned much before something like this happen. You need to do tabletop exercises, need to have cyber residency process in place, you need to have clear accountabilities established, you need to have spokesperson identified. All of that is also very important aspect of your remediation plan and response plan. If you cover up all of these things, then this is the method and approach that you need to take for a breach response, Yulia.

Yulia De Bari: Thank you, Vishal. We came to the end of our discussion. If you could pick one final message that you could leave our listeners with, what would you say to them?

Vishal Salvi: We are seeing more high frequency of number of attacks, and we are also seeing high frequency of organization getting impacted. If I am to give one message to those organizations or the listeners, I would say that please consider cyber security threat as a very important and fundamental threat for your organization. You need to start working on it now, so that you're not too late to protect your organization and your interest to these type of threats.

Yulia De Bari: Vishal, thank you for your time and the highly interesting discussion today. Everyone, you can find details on our show notes at infosys.com/iki in our podcast section. I'm Yulia De Bari, cyber security lead and podcast producer for Infosys Knowledge Institute. We were here today with Infosys Chief Information Security Officer Vishal Salvi.

Yulia De Bari: You have been listening to the Knowledge Institute, the Cyber Bites Edition, where we reviewed some of the company's key responses to cyber security threats in the COVID era. Until next time, keep learning and keep sharing.