Busting the Citadel Trojan developers

Brian Krebs recently reported on the Citadel developers being busted by the FBI. What is most interesting is the bait the FBI used to trap them.

Citadel boasted an online tech support system for customers designed to let them file bug reports, suggest and vote on new features in upcoming malware versions, and track trouble tickets that could be worked on by the malware developers and fellow Citadel users alike. Citadel customers also could use the system to chat and compare notes with fellow users of the malware.

It was this very interactive nature of Citadel’s support infrastructure that FBI agents ultimately used to locate and identify Vartanyan, the developer of Citadel.


WannaCry ransomware – My thoughts

This weekend started on a very rough note for most of us in the cyber security domain, thanks to the WannaCry / Wcry / WannaCrypt ransomware.

At the time of writing, this malware has infected more than a million machines across the world, impacting organisations in more than a dozen countries, with the UK, Russia, Spain and India the hardest hit.

Enough has already been written about WannaCry / Wcry / WannaCrypt, so in this post I want to focus on the technical aspects of how this malware is constructed and how it propagates.

I found Talos's analysis of this malware to be the most comprehensive; it is an excellent read for anyone keen to understand this malware under the hood.

Let's approach our analysis using the cyber kill chain framework.
There is enough evidence that email was the "Delivery" mechanism for the payload of this attack. Once delivered onto a machine, the malware spreads via SMB, the Server Message Block protocol that Windows computers typically use to share files over a network. An infected computer then propagates the infection to other vulnerable machines on the same network. The same vector is also used to spread to externally facing hosts that allow inbound connections on TCP ports 139 and 445.
It also appears that, for "Lateral movement", the malware uses the notorious DoublePulsar backdoor, as Talos notes:

Talos has observed WannaCry samples making use of DOUBLEPULSAR which is a persistent backdoor that is generally used to access and execute code on previously compromised systems. This allows for the installation and activation of additional software, such as malware. This backdoor is typically installed following successful exploitation of SMB vulnerabilities addressed as part of Microsoft Security Bulletin MS17-010. This backdoor is associated with an offensive exploitation framework that was released as part of the Shadow Brokers cache that was recently released to the public. Since its release it has been widely analyzed and studied by the security industry as well as on various underground hacking forums.

And if no machines are found that have been previously compromised and implanted with DOUBLEPULSAR, the malware uses ETERNALBLUE for the initial exploitation of this SMB vulnerability. This is exactly why the activity looks like a worm propagating across the Internet.

The kill switch

The security researcher tweeting as @MalwareTechBlog has become the #AccidentalHero of the last two days, for saving mankind (or "machinekind") from this whole fiasco.

Researchers from the Cisco Umbrella team first observed DNS requests for one of WCry's kill switch domains (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com) early on May 12th, with the hit count going as high as 6000-7000 requests per second by late evening.
If you look closely, the domain looks almost human-typed, with most of its characters coming from the top rows of a typical keyboard.
This domain is called a kill switch because of the role it plays in the overall execution of the malware, as shown in the code below:


As Talos notes, 

The above subroutine attempts an HTTP GET to this domain, and if it fails, continues to carry out the infection. However if it succeeds, the subroutine exits. The domain is registered to a well known sinkhole, effectively causing this sample to terminate its malicious activity.

Delving deeper into the dropper and the payload itself, two files are essential for the exploit to run: mssecsvc.exe, which in turn executes tasksche.exe. Once the kill switch domain has been checked and the logic explained above has run, mssecsvc.exe is executed. A second execution determines the IP address of the infected system and then attempts to connect on TCP port 445 to every IP address in the same subnet. When a successful response is received, proving that the IP address belongs to a live node on the network, the SMB vulnerability is used to connect and transfer the data. This is the vulnerability that Microsoft addressed in bulletin MS17-010.

Talos goes further and explains how the malware scans local and network disk drives and identifies files with certain extensions before encrypting them all. Once the encryption is complete, @wanadecryptor@.exe is run, which produces the pop-up note shown on the victim's screen. Then an outbound connection to the Tor network is established so that the malware can proxy its communication through Tor.

All this sounds too exciting and sophisticated to be detected by any intrusion detection system, doesn't it? But the key to detecting this kind of attack is not signatures or fingerprints (hashes of the malware file, or the IOCs discovered so far); it is a good anomaly and behaviour detection system.
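As an added example (not code from the original post or from Talos), the two behaviours described above can be turned into simple detection logic over resolver and firewall logs: a DNS query for the kill switch domain is a high-fidelity sign that the sample ran on that client, and a single source opening TCP 445 to dozens of distinct hosts is the subnet sweep, whatever hash the binary has. The log line formats, IP addresses, timestamps and the fan-out threshold are constructed for illustration; the regexes will need adapting to your own log formats.

```python
"""Detection logic for the WannaCry propagation behaviour described above.

Added example, not code from the original post or from Talos. Log line
formats, addresses and thresholds are constructed; adapt the regexes to
your own resolver and firewall/flow logs.
"""
import re
from collections import defaultdict

# Kill switch domain quoted in the post (defanged with [.] as is customary).
KILL_SWITCH_DOMAINS = {"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com"}

SMB_PORTS = {139, 445}
# Distinct hosts one source may touch on SMB ports before we call it a
# sweep; a constructed threshold, tune it to your network.
FANOUT_THRESHOLD = 20

# Constructed formats: "<time> <client_ip> query <qname>" and
# "<time> <src_ip> -> <dst_ip>:<dst_port>"
DNS_LINE = re.compile(r"^(\S+) (\S+) query (\S+)$")
FLOW_LINE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")


def refang(domain: str) -> str:
    """Turn a defanged indicator (example[.]com) back into a real hostname."""
    return domain.replace("[.]", ".").lower().rstrip(".")


def find_kill_switch_queries(dns_log: str):
    """Return (timestamp, client_ip) for every query to a kill switch domain.

    The query itself shows the sample executed on that client, whether or
    not the HTTP GET then succeeded against the sinkhole.
    """
    wanted = {refang(d) for d in KILL_SWITCH_DOMAINS}
    hits = []
    for line in dns_log.splitlines():
        m = DNS_LINE.match(line)
        if m and refang(m.group(3)) in wanted:
            hits.append((m.group(1), m.group(2)))
    return hits


def find_smb_fanout(flow_log: str, threshold: int = FANOUT_THRESHOLD):
    """Return {src_ip: distinct_dst_count} for sources that contact at least
    `threshold` distinct hosts on TCP 139/445. Legitimate clients talk to a
    handful of file servers, not to every address in their subnet."""
    targets = defaultdict(set)
    for line in flow_log.splitlines():
        m = FLOW_LINE.match(line)
        if m and int(m.group(4)) in SMB_PORTS:
            targets[m.group(2)].add(m.group(3))
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


# Constructed sample logs ---------------------------------------------------
DNS_LOG = """\
2017-05-12T07:44:01Z 10.0.5.23 query update.microsoft.com
2017-05-12T07:44:02Z 10.0.5.23 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T07:44:05Z 10.0.5.40 query mail.example.org
"""


def _constructed_flow_log() -> str:
    # A normal client hitting the file server a few times ...
    lines = [f"2017-05-12T07:45:0{i}Z 10.0.5.40 -> 10.0.5.200:445" for i in range(3)]
    # ... and the infected host sweeping every address in its /24 on 445.
    lines += [f"2017-05-12T07:46:00Z 10.0.5.23 -> 10.0.5.{i}:445" for i in range(1, 255)]
    return "\n".join(lines) + "\n"


FLOW_LOG = _constructed_flow_log()

if __name__ == "__main__":
    print("kill switch queries:", find_kill_switch_queries(DNS_LOG))
    print("SMB fan-out sources:", find_smb_fanout(FLOW_LOG))
```

In production the fan-out count should be taken over a sliding time window (for example distinct destinations per source per five minutes) rather than over the whole log, and the kill switch check should be fed the full list of sinkholed domains rather than the single one quoted here.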

I will write more on this once more information about the propagation of this malware comes to light. But in this particular case it is very evident that prevention is, and has to be, the key focus area for all organisations and individual computer users alike.
Before I get into that, I would also like to highlight the political angle to this entire story.
Political angle

Edward Snowden has been quite vocal about NSA’s involvement in this, on his twitter account. 


I am not that interested in getting into the political angle here, as it only causes anger and frustration, but I would just like to recall the drama played out last year when a whole bunch of people wanted Apple to create a special version of iOS for the U.S. government, under the promise that it would never escape their safe hands and get into the wild. What happened this time, folks? How did this vulnerability get loose and into the hands of these adversaries, impacting businesses, important government departments (the German Autobahn) and people's lives (the UK's NHS)?

So what now?

Well, we're pretty much in clean-up mode. All the major anti-virus vendors have released signatures for WannaCry / Wcry / WannaCrypt. And while everyone is busy investigating what happened and how, and some are resting easy thanking the #AccidentalHero for the kill switch, I am sure the adversaries are already working on newer variants of this malware.
But the most important lesson to reiterate here is something the security community has been preaching for a long, long time: keep all your software up to date, and apply all security patches on a regular basis. The processes and governance around patching matter more than waiting for a machine learning and artificial intelligence based intrusion detection system to pick all this up and block it for you. As our old doctor used to say, prevention is better than cure!
To call out some of these preventive steps again, many of which are obvious to most people:

  1. Keep your operating system and the applications running on it up to date
  2. Test and apply patches, especially security patches, early on
  3. Have a fool-proof backup strategy, and test the backups at least once every year
  4. Do not open emails or attachments from unknown or suspicious senders
  5. Lock down computers by providing minimal access, on a need-to-know basis
  6. Limit access to network resources; in this case the ransomware can only lock down files on systems that it can access
  7. Only open ports that are essential for your business to operate. In this particular case, it was found that inbound TCP 139 and 445 were allowed through many perimeter firewalls.
  8. Block all unnecessary outbound connections, especially those that use anonymity networks like Tor. Only thieves want to conceal themselves.
  9. If you are still having difficulty implementing all of the above measures, then you must depend on a strong threat "detection" system beyond conventional anti-virus applications, and use intrusion detection systems that apply machine and deep learning to detect and block the "unknowns".

I have blogged about the last point in various blog posts. More on using those techniques for WannaCry in another blog post.
Happy patching!

Hunting through Log Data with Excel

SANS just published an interesting paper on using Excel for incident investigations. 

A good read for incident responders to learn how to use Microsoft Excel and some of its more advanced features during an intrusion if a SIEM or similar product is not available (who doesn’t have them these days!?)

This guide will contain up to three methods for each example presented. First, the paper will show some of the things you can do with Excel by just using the toolbar commands. Second, if available, an Excel Function will be created to show how it can be slightly automated. Third, to enhance the Excel Function process even further, Visual Basic for Applications (VBA) code will be provided. Knowing alternate ways of manipulating different types of data will allow you to incorporate the results into the standard output described below.

AI powered Cyber Security startups

Artificial Intelligence (AI) and Machine Learning have become mainstream these days, but at the same time they are some of the most used (and abused) terms and jargon of the last 2-3 years.

Last year’s Gartner hype cycle report (2016 Hype Cycle for Emerging Technologies – shown below) shows this trend clearly.

[Figure: Gartner 2016 Hype Cycle for Emerging Technologies]

Why do we need AI in Cyber security?

The biggest challenge in the Cybersecurity Threat Management space today is the ability (or lack of it) to "detect" cyber attacks effectively. One of the key levers in making "detection" work is reducing the dependency on the "human" element across the entire threat management lifecycle:

  • Let it be the detection techniques (signatures, patterns, and for that matter ML models and their hyper-parameters), or,
  • The incident “response” techniques:
    • involving human security analysts for analysing the detections, or,
    • human security administrators to remediate/block the attacks at the network or system level

Introducing automation and bringing cognitive methods into each of these areas is the only way forward to take the adversaries head-on. Numerous articles, presentations and whitepapers have been published on why Machine Learning (ML) and AI will play a key role in addressing the cyber threat management challenge.

In my pursuit of understanding how AI can be used effectively in the cybersecurity space, I have come across products developed by some of the leading startups in this domain. And in this blog post, I attempt to share my thoughts on 10 of these products, chosen primarily on their market cap/revenue, IP (intellectual property) potential, and any reference materials available about their successful detections so far.

Note:

  • I have tried to cover as much breadth as I can, in terms of products falling under various domains of Cybersecurity (network detection, UEBA, application security and data security), so there is a good chance I have missed some contenders in this area. AI in Cyber is a rapidly growing field, and I hope to cover more ground in the coming months.
  • These Products are listed below in no particular order.

Let's get started.

1. PatternEx

Founded 2013, San Jose, California
https://www.patternex.com/
@patternex

PatternEx’s Threat Prediction Platform is designed to create “virtual security analysts” that mimic the intuition of human security analysts in real time and at scale. The platform reportedly detects ten times more threats with five times fewer false positives compared with approaches based on Machine Learning-Anomaly Detection technology. Using a new technology called “Active Contextual Modeling” or ACM, the product synthesizes analyst intuition into predictive models. These models, when deployed across global customers, can reportedly learn from each other and achieve a network effect in detecting attack patterns.

The process of Active Contextual Modeling (ACM) facilitates communication between the artificial intelligence platform and the human analyst. Raw data is ingested, transformed into behaviors, and run through algorithms to find rare events for an analyst to review. After investigation, the analyst attaches an appropriate label to each event. The system learns from these labels and automatically improves detection efficacy. Data models created through this process are flexible and adaptive, event accuracy is continuously improved, and historic data is retrospectively analyzed as new knowledge is added to the system.

Training the AI happens when the AI presents a set of alerts to human analysts, who review the alerts and define them as attacks or not. The analyst applies a label to the alert, which trains a supervised learning model that automatically adapts and improves. This is a trained AI, an interesting concept that attempts to simulate a security analyst, helping the AI system improve its detection over a period of time.

PatternEx was founded by Kalyan Veeramachaneni, Uday Veeramachaneni, Vamsi Korrapati, and Costas Bassias.

PatternEx has received funding of about $7.8M so far.

2. Vectra Networks

Founded 2011, USA
http://www.vectranetworks.com/
@Vectra_Networks

Vectra Networks' platform is designed to instantly identify cyber attacks while they are happening, as well as what the attacker is doing. Vectra automatically prioritizes attacks that pose the greatest business risk, enabling organizations to quickly decide where to focus their time and resources. The company says that the platform uses a next-generation compute architecture and combines data analytics and machine learning to detect attacks on every device, application and operating system. To do this, the system uses the most reliable source of information: network traffic. Logs only provide low-fidelity summaries of events that have already been seen, not what has been missed. Likewise, endpoint security is easy to compromise during an active intrusion.

The Vectra Networks approach to threat detection blends human expertise with a broad set of data science and machine learning techniques. This model, known as Automated Threat Management, delivers a continuous cycle of threat intelligence and learning based on cutting-edge research, global learning models, and local learning models. With Vectra, all of these different perspectives combine to provide an ongoing, complete and integrated view that reveals complex multistage attacks as they unfold inside your network.

They have an interesting approach that combines supervised and unsupervised ML models to detect cyber attacks. The "Global Learning" element uses supervised ML algorithms to build models that detect "generic" and "known new" attack patterns. The "Local Learning" element uses unsupervised ML algorithms to learn the local norms of an enterprise and then detect deviations from those norms.

Vectra Networks has received funding of about $87M so far, and has seen very good traction in the Enterprise Threat Detection space, where ML models are a lot more effective than conventional signature/pattern based detections.
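The two learning mechanisms described in this post, a per-entity baseline of local norms with deviation scoring (Vectra's "Local Learning", and the behavioural baselining that Darktrace and Fortscale describe below) and an analyst label loop that feeds verdicts back into the detector (PatternEx's Active Contextual Modeling above), can be sketched in a few dozen lines. The following is an added example, not code from Vectra, PatternEx or any product in this post: the entities, seven-day feature histories, today's observations, the z-score threshold and the weight step are all constructed, and a real product would use far richer features and models.

```python
"""Local baselining with an analyst feedback loop.

Added example, not code from Vectra, PatternEx or any product named in this
post. It sketches, in plain Python, an unsupervised per-entity baseline that
flags deviations from that entity's own norm (local learning), and an analyst
label loop in which a "benign" verdict folds the behaviour into the norm and
an "attack" verdict raises the weight of the features that fired for every
entity (global, label-driven learning). All data and thresholds are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev


class BehaviourBaseline:
    def __init__(self, z_threshold: float = 3.0, min_history: int = 5):
        # entity -> feature -> list of past daily values
        self.history = defaultdict(lambda: defaultdict(list))
        # feature -> global weight, raised when analysts confirm attacks
        self.feature_weight = defaultdict(lambda: 1.0)
        self.z_threshold = z_threshold
        self.min_history = min_history

    def observe(self, entity, features):
        """Add one day's measurements to the entity's local history."""
        for name, value in features.items():
            self.history[entity][name].append(value)

    def score(self, entity, features):
        """Return {feature: weighted z-score} for features that deviate from
        this entity's own norm by at least z_threshold."""
        fired = {}
        for name, value in features.items():
            hist = self.history[entity][name]
            if len(hist) < self.min_history:
                continue  # too little local data to judge this entity yet
            spread = pstdev(hist) or 1.0  # constant history: fall back to unit spread
            z = (value - mean(hist)) / spread * self.feature_weight[name]
            if z >= self.z_threshold:
                fired[name] = round(z, 2)
        return fired

    def label(self, entity, features, verdict):
        """Analyst feedback on an alert for (entity, features).

        'benign': fold the observation into the local norm so the same
                  behaviour stops alerting for this entity.
        'attack': raise the global weight of every feature that fired so the
                  same deviation scores higher on every other entity too.
        Returns the features that fired at the time of labelling.
        """
        fired = self.score(entity, features)
        if verdict == "benign":
            self.observe(entity, features)
        elif verdict == "attack":
            for name in fired:
                self.feature_weight[name] *= 1.5
        else:
            raise ValueError(f"unknown verdict {verdict!r}")
        return fired


# Constructed seven-day histories: MB sent out per day, and distinct internal
# hosts contacted per day.
HISTORY = {
    "alice": {"bytes_out_mb": [40, 55, 48, 60, 52, 45, 50], "distinct_hosts": [3, 4, 3, 5, 4, 3, 4]},
    "bob":   {"bytes_out_mb": [40, 55, 48, 60, 52, 45, 50], "distinct_hosts": [3, 4, 3, 5, 4, 3, 4]},
    "carol": {"bytes_out_mb": [40, 55, 48, 60, 52, 45, 50], "distinct_hosts": [10, 12, 11, 13, 12, 10, 11]},
}


def build_baseline() -> BehaviourBaseline:
    base = BehaviourBaseline()
    for entity, feats in HISTORY.items():
        for day in range(7):
            base.observe(entity, {name: vals[day] for name, vals in feats.items()})
    return base


def run_demo() -> dict:
    """Walk through one detection/feedback cycle; return what fired at each step."""
    base = build_baseline()
    out = {}
    alice_today = {"bytes_out_mb": 900, "distinct_hosts": 4}   # large upload
    bob_today = {"bytes_out_mb": 50, "distinct_hosts": 40}     # internal sweep
    carol_today = {"bytes_out_mb": 50, "distinct_hosts": 14}   # mild fan-out

    out["alice_first"] = base.score("alice", alice_today)       # fires on bytes_out_mb
    out["carol_before"] = base.score("carol", carol_today)      # just under threshold
    # Analyst: alice's upload was a sanctioned backup job.
    base.label("alice", alice_today, "benign")
    out["alice_after_benign"] = base.score("alice", alice_today)  # no longer fires
    # Analyst: bob's sweep was lateral movement.
    out["bob_fired"] = base.label("bob", bob_today, "attack")
    out["carol_after_attack"] = base.score("carol", carol_today)  # now fires
    return out


if __name__ == "__main__":
    for step, fired in run_demo().items():
        print(f"{step:20s} {fired}")
```

The point of the walk-through is the asymmetry of the two verdicts: a benign label only changes the one entity's norm, while an attack label changes how the same feature is weighted for everyone, which is the "network effect" the vendors above describe.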

3. Darktrace

Founded 2013, UK
https://www.darktrace.com/
@Darktrace

Darktrace is inspired by the self-learning intelligence of the human immune system; its Enterprise Immune System technology iteratively learns a pattern of life for every network, device and individual user, correlating this information in order to spot subtle deviations that indicate in-progress threats. The system is powered by machine learning and mathematics developed at the University of Cambridge. Some of the world's largest corporations rely on Darktrace's self-learning appliance in sectors including energy and utilities, financial services, telecommunications, healthcare, manufacturing, retail and transportation.

Darktrace has a set of products which use ML and AI to detect and block cyber attacks:

DarkTrace (Core) is the Enterprise Immune System’s flagship threat detection and defense capability, based on unsupervised machine learning and probabilistic mathematics. It works by analyzing raw network data, creating unique behavioral models for every user and device, and for the relationships between them.

The Threat Visualizer is Darktrace’s real-time, 3D threat notification interface. As well as displaying threat alerts, the Threat Visualizer provides a graphical overview of the day-to-day activity of your network(s), which is easy to use, and accessible for both security specialists and business executives.

Darktrace ICS retains all of the capabilities of Darktrace in the corporate environment, creating a unique behavioral understanding of the 'self' for each user and device within an Industrial Control System's network, and detecting threats that cannot be defined in advance by identifying even subtle shifts in expected behavior in the OT space.

Darktrace Antigena is capable of taking a range of measured, automated actions in the face of confirmed cyber-threats detected in real time by Darktrace. Because Darktrace understands the 'pattern of life' of users, devices, and networks, Darktrace Antigena is able to take action in a highly targeted manner, mitigating threats while avoiding over-reactions. It basically performs three steps once a cyber attack is detected by Darktrace Core:

  • Stop or slow down activity related to a specific threat
  • Quarantine or semi-quarantine people, systems, or devices
  • Mark specific pieces of content, such as email, for further investigation or tracking

Darktrace has received funding of about $105M so far.

4. StatusToday

Founded 2015, UK
http://www.statustoday.com/
@statustodayhq

StatusToday was founded by Ankur Modi and Mircea Danila-Dumitrescu. It is a SaaS based AI-powered Insights Platform that understands human behavior in the workplace, helping organizations ensure security, productivity and communication.
Through patent-pending AI that understands human behavior, StatusToday maps out human threats and key behavior patterns internal to the company.

In a nutshell, this product collects all the user activity log data from various IT systems, applications, servers and even everyday cloud services like Google Apps or Dropbox. After collecting this metadata, the tool extracts as many functional parameters as possible and presents them in easily understood reports and graphs. I think they use one of the link analysis ML models to plot the relationships between all these user attributes.

The core solution provides direct integrations with Office 365, Exchange, CRMs, Company Servers and G-Suite (upcoming) to enable a seamless no-effort Technology Intelligence Center.

StatusToday has been identified as one of UK’s top 10 AI startups by Business Insider, TechWorld, VentureRadar and other forums, in the EU region.

StatusToday has received funding of about $1.2M so far.

5. Jask

Founded 2015, USA
http://jask.io/
@jasklabs

Jask aims to use AI to solve the age-old problem of the tsunami of logs fed into SIEM tools, which then generate the events, alerts and other indicators that security analysts face every day: a never-ending flood of unknowns that forces analysts to spend their valuable time sorting through indicators in an endless hunt for real threats.

At the heart is their product Trident, which is a big data platform for real time and historical analysis over an unlimited amount of stored security telemetry data. Trident collects all this data directly from the network and complements that with the ability to fuse other data sources such as threat intelligence (through STIX and TAXII), providing context into real threats. Once Trident identifies a sequence that indicates an attack, it generates SmartAlerts, which analysts can use to have the full picture of an attack, also allowing them to spend their time on real analysis instead of an endless hunt for the attack story.

They have really interesting blog posts on their site, which are worth a read.

Jask has received funding of about $2M so far.

6. Fortscale

Founded 2012, Israel
https://fortscale.com/
@fortscale

Fortscale uses a machine learning system to detect abnormal account behavior indicative of credential compromise or abuse. The company was founded by security engineers from the Israeli Defense Forces' elite security unit. The product's key ability is to rapidly detect and eliminate insider threats. From rogue employees to hackers with stolen credentials, Fortscale is designed to automatically and dynamically identify anomalous behaviors and prioritize the highest-risk activities within any application, anywhere in the enterprise network.

Behavioral data is automatically ingested from SIEM tools and enriched with contextual data; multi-dimensional baselines are created autonomously, and statistical analysis reveals any deviations, which are then captured in SMART Alerts. All of this can be viewed and analysed in the Fortscale Console.

Fortscale was named a Gartner Cool Vendor (2016) in the UEBA, Fraud Detection and User Authentication category.

More info about the product can be found here.

Fortscale has received funding of about $40 million so far.

7. Neokami

Founded 2014, Germany & USA
https://www.neokami.com/
@neokami_tech

Neokami attempts to tackle a very important problem we all face today: keeping track of where all of our own, and an enterprise's, sensitive information resides. Neokami's CyberVault uses AI to discover, secure and govern sensitive data in the cloud, on premise, or across physical assets. It can also scan images to detect sensitive information, as it uses highly optimized NLP for text analytics and Convolutional Neural Networks for image analytics.
In a nutshell, Neokami uses a multi-layer decision pipeline: it takes in a data stream or files and performs pattern matching, text analytics, image recognition, N-gram modelling and topic detection, using ML methods like Random Forest to learn user-specific sensitivity over time. After this analysis, a percentage sensitivity score is generated and assigned to the data, which can then be picked up for further analysis and investigation.

Some key use cases Neokami tackles are isolating PII to meet regulations such as GDPR and HIPAA, discovering a company's confidential information and intellectual property, scanning images for sensitive information, and protecting information in Hadoop clusters, the cloud, endpoints or mainframes.

Neokami was acquired by Relayr in Feb this year, and has received $1.1million funding so far, from three investors.

8. Cyberlytic

Founded 2013, UK
https://www.cyberlytic.com/
@CyberlyticUK

Cyberlytic calls itself the 'Intelligent Web application security' product. Its elevator pitch is that it provides advanced web-application security using AI to classify attack data, identify threat characteristics and prioritize high-risk attacks.

The founders have had a stint with the UK Ministry of Defence, where this product was first used and has been in use supporting critical cybersecurity research projects in the department.

Cyberlytic analyzes web server traffic in real time and determines the sophistication, capability and effectiveness of each attack. This information is translated into a risk score to prioritize incident response and prevent dangerous web attacks. The underlying ML models adapt to new and evolving threats without requiring the creation or management of firewall rules. The key to their detection is their patented ML classification approach, which appears to be more effective at detecting web application attacks than conventional signature/pattern based detection.

Cyberlytic is a combination of two products – the Profiler, and the Defender. The Profiler provides real-time risk assessment of web-based attacks, by connecting to the web server and analyzing web traffic, to determine the capability, sophistication and effectiveness of each attack. And Defender, is deployed on web servers, and acts on the assessment performed by Profiler, by blocking and preventing web-based cyber-attacks from reaching critical web applications or the underlying data layer.

Cyberlytic has also been gaining a lot of attention in the UK and EU region; Real Business, an established publication in the UK, has named Cyberlytic as one of the UK’s 50 most disruptive tech companies in 2017.

Cyberlytic has received funding of about $1.24 million.

9. harvest.ai

Founded 2014, USA
http://www.harvest.ai/
@harvest_ai

Harvest.ai aims at detecting and stopping data breaches, by using AI-based algorithms to learn the business value of critical documents across an organization, and offer what it describes as an industry-first ability to detect and stop data breaches. In a nutshell, Harvest.ai is an AI powered advanced DLP system having the ability to perform UEBA.

Key features of their product MACIE include:

  • Use AI to track intellectual property across an organization’s network, including emails and other content derived from IP.
  • MACIE understands the business value of all data across a network and whether it makes sense for a user to be accessing certain documents, a key indicator of a targeted attack.
  • MACIE can automatically identify risk to the business of data that is being exposed or shared outside the organization and remediate based on policies in near real-time. It not only classifies documents but can identify true IP matches to protect sensitive documents that exist for an organization, whether it be technology, brand marketing campaigns or the latest pharmaceutical drug.
  • MACIE not only detects changes in a single user's behavior, but has the unique ability to detect minor shifts in groups of users, which can indicate an attack.

Their blog has some interesting analysis of recent APT attacks and how MACIE detected them. Definitely worth a read.

Harvest.ai has received funding of about $2.71 million so far, and interestingly, they have been acquired by Amazon in Jan this year, for reportedly $20 million.

10. Deep Instinct

Founded 2014, Israel
http://www.deepinstinct.com/
@DeepInstinctSec

Deep Instinct focuses on the endpoint as the pivot point for detecting and blocking cyber attacks, and thus falls under the category of EDR. There is something going on in Israel: for the last few years many cybersecurity startups (Cybereason, Demisto, Intsights, etc.) have been founded by ex-IDF engineers, and a good portion of these startups are to do with Endpoint Detection and Response (EDR).

Deep Instinct uses deep learning to detect unknown malware in real time, just by analysing the raw details of the binary picked up by the system. The software runs efficiently on a combination of central processing units (CPUs) and graphics processing units (GPUs), using Nvidia's CUDA software for running non-graphics software on graphics chips. The GPUs enable the company to do in a day what would take three months on a CPU.

I couldn’t find enough documentation on their website to understand how this deep learning system actually works, but their website has a link to register for an online demo. So it must be definitely worth a try.

They are also gaining a lot of attention in the EDR space, and NVIDIA has selected Deep Instinct as one of the 5 most disruptive AI startups this year.

Deep Instinct has raised $50 million so far, from Blumberg Capital, UST Global, CNTP, and Cerracap.

Thoughts on Union Bank hack

It was recently reported in the media that Union Bank, one of the leading public sector banks in India, was hacked last year (July 2016). Funds to the tune of about $171 million were siphoned off, and a seven-country hunt had to be spearheaded at the top levels of government to reverse the theft.

Though the events involved in the breach itself are interesting and need a detailed analysis, what caught my attention is how the Bank managed to track the trail of the fund transfer to the last mile, and how quickly it recovered every single penny that was stolen, within a week's time.

Gopika Gopakumar and Leslie D’Monte of Live Mint have the best analysis report of this incident, I’ve seen so far. 

I highly recommend their report. 

I have taken some excerpts from their report and shared my thoughts on them. Let’s get straight to how the hackers got into the Bank’s systems:

Phishing e-mails were sent to 15 email IDs. "Three people reported that the email was suspicious to the IT security. The other Union Bank employees were "technically-savvy" persons. They noticed that although the email address said @rbi.org.in, it had an attachment that was a zip file. Within the zip file, there was a dot (xer) file and not a dot pdf file, which is why they reported it as suspicious"

I am curious to know how legitimate the RBI email ID used here was. If it was a real RBI domain and a valid RBI email address, then this is a matter of larger concern, as it raises questions about RBI's email system having been hacked before this incident. This requires a lot more serious investigation.

If you look at this sequence of events from a Cyber Kill Chain perspective, this is a successful demonstration of "Delivery" followed by "Exploit & Installation".
Then the malware, once downloaded on one system, started spreading across the Bank's network and eventually onto the Bank's servers, demonstrating a successful "Internal Recon" followed by "Lateral Movement".

To me, this looks like a classic case of an externally originating exploit attempt, followed by internal recon and lateral movement. Though it is easier said than done, I feel that a good security anomaly detection system would have been able to flag this, considering the sequence of events revealed by this report, pre and post exploit. I am also curious to know which intrusion and anomaly detection tools and techniques the bank had deployed that failed to detect these events occurring within the bank's internal systems and network.

So, if the Bank didn’t detect these patterns while they were occurring, how did the Bank discover this anomaly? Thanks to SWIFT’s (Society for Worldwide Interbank Financial Telecommunication) daily reconciliation report, as Live Mint goes on to report:

“When a bank does a SWIFT transaction during the day, they typically get a reconciliation report the next day and all the corresponding banks send them the “end-of-the-day balance” report the following morning.

When Union Bank got it from the originating bank, they saw a difference of $170 million and that alerted them because of one mistake—the hackers deleted the six entries they had made.”

This is an interesting revelation of how the SWIFT system tracks transaction anomalies, and I am sure the real system is a lot more sophisticated. But what the hackers did appears utterly dumb to me: deleting their transaction entries whilst leaving the funds debit logs unchanged!
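The reconciliation that caught the theft can be expressed as a simple three-way match. The following is an added example, not code from Union Bank, SWIFT or Live Mint, and the transfers, references, amounts and beneficiary codes are all constructed: the bank's own message log (from which the six attacker entries have been deleted) is compared with the counterparty's end-of-day statement and with the account ledger's debits. Any statement entry or debit with no message behind it is exactly the discrepancy the report describes.

```python
"""Three-way reconciliation of outgoing payments.

Added example, not code from Union Bank, SWIFT or Live Mint. Models the
check described above: our message log (attacker entries deleted) versus
the counterparty's end-of-day statement and our own ledger debits. All
transactions below are constructed.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Transfer:
    ref: str            # message/transaction reference
    amount: Decimal     # use Decimal, never float, for money
    beneficiary: str    # constructed counterparty code


def reconcile(message_log, counterparty_statement, ledger_debits) -> dict:
    """Match the three records by reference and report every discrepancy.

    unmatched_statement: the counterparty executed these, but we have no message
    unmatched_debits:    our account was debited, but we have no message
    amount_mismatch:     same reference, different amount on our side vs theirs
    difference:          value executed by the counterparty beyond what our log shows
    """
    log = {t.ref: t for t in message_log}
    stmt = {t.ref: t for t in counterparty_statement}
    debits = {t.ref: t for t in ledger_debits}

    unmatched_statement = sorted(r for r in stmt if r not in log)
    unmatched_debits = sorted(r for r in debits if r not in log)
    amount_mismatch = sorted(r for r in stmt if r in log and stmt[r].amount != log[r].amount)
    difference = sum((stmt[r].amount for r in unmatched_statement), Decimal("0"))
    return {
        "unmatched_statement": unmatched_statement,
        "unmatched_debits": unmatched_debits,
        "amount_mismatch": amount_mismatch,
        "difference": difference,
    }


def is_clean(result: dict) -> bool:
    """True when every record agrees with every other."""
    return not (result["unmatched_statement"] or result["unmatched_debits"]
                or result["amount_mismatch"])


# Constructed data ------------------------------------------------------------
LEGIT = [
    Transfer("T001", Decimal("1250000.00"), "BANK-A"),
    Transfer("T002", Decimal("480000.00"), "BANK-B"),
    Transfer("T003", Decimal("2100000.00"), "BANK-A"),
    Transfer("T004", Decimal("75000.00"), "BANK-C"),
]
# Six fraudulent transfers totalling 170,000,000 (constructed to mirror the
# figure quoted above); present in the statement and the debits only.
ATTACK = [
    Transfer("X001", Decimal("30000000.00"), "BANK-X"),
    Transfer("X002", Decimal("28500000.00"), "BANK-Y"),
    Transfer("X003", Decimal("25000000.00"), "BANK-X"),
    Transfer("X004", Decimal("32000000.00"), "BANK-Z"),
    Transfer("X005", Decimal("27500000.00"), "BANK-Y"),
    Transfer("X006", Decimal("27000000.00"), "BANK-Z"),
]
MESSAGE_LOG = list(LEGIT)                    # attackers deleted their six entries
COUNTERPARTY_STATEMENT = LEGIT + ATTACK      # the correspondent executed all ten
LEDGER_DEBITS = LEGIT + ATTACK               # the debits were left untouched


if __name__ == "__main__":
    result = reconcile(MESSAGE_LOG, COUNTERPARTY_STATEMENT, LEDGER_DEBITS)
    for key, value in result.items():
        print(f"{key:20s} {value}")
    print("clean:", is_clean(result))
```

Deleting the message entries made the gap larger, not smaller: with the messages gone, both the counterparty's statement and the ledger's debits point at references the bank never (according to its own log) sent, which is what the end-of-day report surfaced.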

Coming to the recovery of the funds itself, and where it took the Bank a few extra days:

“One tricky negotiation was with the Taiwanese government with which India doesn’t have diplomatic ties, particularly as a court order was needed to secure the banking reversal instruction. However, with some pushing from U.S. officials, the entire $171 million was traced.”

It is commendable to see how the bank worked with Indian government agencies, including CERT-IN and RBI, and with other international banks to get the money back in a few days. This entire episode is worth a case study on how other national and international banks should mobilise the right tools, people, government and inter-country legal processes to execute an effective cybersecurity incident response procedure.

The CEO of SWIFT India, acknowledged the impact of cyber threats to the banking industry, and thanks to the various guidelines laid out by RBI (Reserve Bank of India), there appears to be good momentum amongst the public and private sector banks in India, in implementing cyber security controls in thwarting such security threats. 

“Cyber threat is real and is growing”. According to him, the pace of digitization that we have seen in the last decade and at a more accelerated pace, requires the same level of investment on the cyber side as well. The regulator (RBI), he added, has introduced regulations around a CISO (chief information and security officer) directly reporting to the board. There is also a customer security programme where “we are now mandating 27 controls, of which 16 are mandates and 11 are advisory. If you don’t have 16, we will start reporting to the regulator.”

Closing thoughts:

Though the incident report of this breach will never be made public, and it shouldn't be, the most important learning from this incident, for other banks and the cyber security community, would be to know what controls worked and what didn't:

  • technical controls, in terms of the intrusion detection tools/techniques that worked, didn't work, or could have worked if the bank had had them (for example, Machine Learning based threat detection tools, which can detect new/unknown patterns of threats a lot more efficiently than traditional systems), and
  • non-technical controls (security awareness initiatives amongst the bank's employees, the processes and SLAs established between the Bank and CERT-IN, RBI and legal departments (Cyber Vigilance committee), and the cross-border relations with other nations).

Finally, the fact that caught my attention and made me read more about the Union Bank hack is the recovery of the stolen funds. Kudos to the collaborative effort between the officials from Union Bank, CERT-IN and RBI in not only investigating and tracking the trail of the money flow, but also recovering every cent of the theft, in 6 days. Great work!

One of my friends in the cyber security industry posed a very logical question to me: if Google can keep track of where I am going, what and where I am eating, what I am watching and what I am reading, in spite of my being in the general public domain and Google merely using the open internet to track all this, why is an enterprise or organisation still unable to track the use of its own resources and assets by its own entities (users, machines, devices), within a network that the organisation has provisioned and controls?