Breach

Breach Page 16

by Nirmal John


  The Indian business ecosystem, security professionals say, is broadly divided into companies that know they are in danger and take precautions or are forced to take precautions, thanks to strong regulatory bodies governing them—like banks, major outsourcing firms, pharma companies and the large conglomerates, companies that are guided by and adhere to some security protocols; and then the vast majority of the companies, which believe breaches happen to others.

  Make no mistake. Breaches are a major global economic risk. Market analysts Juniper Research1 said the cost of data breaches would cross $2.1 trillion globally by 2019, ‘increasing to almost four times the estimated cost of breaches in 2015’. To put that in context, India’s GDP in year 2015 was $2.07 trillion.

  When that is the scale of the challenge at hand, it is but natural that the business of keeping data safe becomes lucrative. Globally, the cybersecurity business is expected to cross $200 billion by 2020, on the back of the constant stream of news of breaches.

  India is no different. Security budgets are increasing, and according to Gartner, enterprise security spending2 (hardware, software and services) in India will cross $1.24 billion, up from $1.12 billion in 2016 and $1.01 billion in 2015. The report adds: ‘. . . security services (including consulting, implementation, support and managed security services) revenue accounted for 61 per cent of this total revenue in 2015, and this proportion will increase to 66 per cent by 2020.’

  There are many players up and down the chain eyeing this pie that will only grow as breaches continue to become front page news. The opportunity is large enough for a diverse group of companies with a diverse set of products—from the big audit firms setting up specialized cybersecurity and cyber-forensics practice to young hackers like Modi, who have morphed into security researchers and entrepreneurs.

  Saket Modi’s Lucideus is now not just a company that investigates breaches or helps companies define and execute their cybersecurity. It is now also a software products company, with a vision of creating and selling software and services that will help chief executives manage cyber-risk.

  The launch of their first product—Security Assessment Framework for Enterprise—predictably shortened to the more marketing-friendly SAFE, started with a demonstration of a live hack at the Taj Palace hotel in New Delhi. Two of Modi’s engineers stood at either end of the stage, their screens projected on the big digital display. The first sent an email to the second. It was a typical phishing mail, with a few sentences and a link. The second engineer clicked on the link, and voila! The first gained access to his system and files.

  The enactment may have looked a little silly, but such a gimmick was needed to create awareness, considering the lack of nous among most journalists about cybercrime. That the media’s knowledge on cybersecurity is still patchy was evident from the lack of questions at the press conference. Most journalists seemed a tad unsure of what to ask. Stories in the media on cybersecurity are still few and far between.

  The problem SAFE is meant to solve is an extremely relevant one. One of the issues most chief executives grapple with when it comes to cybersecurity is the fuzziness of the idea itself. It is much easier to understand theft of physical goods and the paraphernalia that seeks to protect them—locks and keys, cameras and access cards, alarms and guards. With most CEOs not well versed in the art of digital security, it has become difficult for them to answer the singular question—how safe is my company?

  Modi says his product, SAFE, is a real-time quantitative indicator of a company’s cyber-risk. The basic premise of SAFE is to plug into the different facets of known threats that a company faces and gauge the preparedness of the company on a scale of one to five, five being the most secure a company can be. The software works by connecting to the various security tools that the client already runs. Data from all these tools is then compared against the risks that are present at any given moment. This is what churns out the number.

  The media-savvy Modi is pitching this index as something that chief information security officers in companies can point to when executing their security plan, in particular to review the investments that their company would make in security. One of the issues that most corporates struggle with is the lack of indicators to show how much needs to be invested in shoring up their data and their perimeter. Simply put, how much should a company invest in security for visible improvement? Can there be a way to track whether the money that has been invested is making the company more secure?

  Theoretically, the idea behind SAFE should help answer some of these questions and help the decision-making process along. But it remains to be seen how well the index serves in real-life scenarios. There are some who don’t believe the security readiness of a company can really be distilled through mathematical formulas into a singular number, considering the left-field nature of security threats.

  Nonetheless, Modi is optimistic, and has raised money to take this product far and wide. SAFE would, Modi claims, ‘Make cyber risk an informed business decision.’ That is a rather unique selling proposition, and is a pitch that could help his product stand out in the highly competitive global cybersecurity business.

  * * *

  Sahir Hidayatullah and Raviraj Doshi, the security researchers who saved the journalist from the false accusation of espionage, have meanwhile embarked on their own unique entrepreneurial journey.

  Their company, Smokescreen, has developed a product called Illusion Black, which uses the idea of deception as an active defence to prevent corporate espionage and cyber snooping. Illusion Black deploys a decoy server, which looks and feels like the real thing, with folders and files similar to the real data, but contains irrelevant information. Hidayatullah elaborates on it: ‘We deploy honeypots on our customer networks with juicy-looking information: financials, salary details, research. These are perfect replicas of the real thing [the real servers]. If there are intruders, they would want to peek in.’

  The moment they get the bite, the team starts working on identifying the source and learning more about it, all the while lying low so as to not arouse the suspicion of the intruder. To lower the incidence of false positives, the decoys are triggered only if a user starts behaving in ways that are consistent with hacker behaviour.

  ‘Cybersecurity is like guerrilla warfare. A guy sitting in the basement of his house can break down companies that spend hundreds of millions on cybersecurity. Companies need to take a more active approach to fighting it and investigating it,’ says Hidayatullah.

  Rather than merely barricading the network, it’s preferable to ‘seek out anyone who might have broken through and find the human behind it, if possible’. Hidayatullah also recommends conducting periodic ‘intrusion response simulations’, a fire-drill for networks, to get administrators responsive to handling breaches.

  Hidayatullah and Doshi have been working with banks and defence contractors, who have deployed Smokescreen. The two also claim to have attracted investor interest in the technology in their push to go global.

  Hidayatullah and Doshi are betting on the power of deception because it has worked for them in the past. A few years back, the two helped the MD of a Fortune India 500 company, in their earlier avatar as white hat hackers, ramp up their security. They were at the time working for Securus First, a company that was founded by D. Sivanandhan, who retired as director general of police, Maharashtra, in March 2011 before embarking on an entrepreneurial journey with a private investigation set-up.

  Doshi recalls that it was 8 a.m. that day, and he was contemplating breakfast before heading out to work when he got a call from the MD’s executive assistant, asking (what else, but?) to ‘come at once!’ Doshi called Hidayatullah, and the two raced from Doshi’s home in Santacruz (in north Mumbai) to the business district where the MD’s office was situated.

  They found the MD sitting with a fourteen-page email, which contained allegations of financial impropriety on his part, with detailed references to confidential documents and a warning that unless he ‘came clean’ within twenty-four hours the contents of the email would be sent to the media, to the prime minister’s office and to the CBI.

  Doshi and Hidayatullah’s task: to find out who had sent the mail—in less than twenty-four hours. They set up a war room next to the MD’s, manned by seven of the sharpest minds in Securus First, brought in from their office in Lower Parel. Ideas were tossed about, software programmes were suggested and, finally, a course of action was laid out.

  The sheer amount of sensitive dope in the email suggested this was an inside job. With the MD’s help, the team drew up a long list of fifty persons who could have possibly accessed the confidential documents and the MD’s email.

  The email from the person who was threatening the MD was also run through an authorship attribution programme, a great tool in the arsenal of cybercrime fighters to narrow down the pool of suspects. The software essentially matches writing styles with authors by scanning all their emails, looking at patterns such as length of sentences, style, words used, number of syllables per word, and so on. It’s handwriting recognition in the era of pixels.

  The Securus First team decided to use the popular JGAAP (Java Graphical Authorship Attribution Program). After filtering and re-filtering, JGAAP narrowed down the list to a dozen names, but that was still eleven too many. That’s when they had a brainwave.
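The stylometric matching described above, as an added illustration that is not from the book and not JGAAP’s own code: it extracts the kinds of features the text names (sentence length, word length, syllables per word, vocabulary used) from a constructed sample corpus and ranks placeholder candidate authors by how close their writing profile is to an anonymous email.

```python
import re
from math import sqrt

# Constructed sample corpus, not from the book: short "emails" from each
# candidate author; the names are placeholders.
KNOWN_EMAILS = {
    "author_a": [
        "Please find the figures attached. Let me know if anything is unclear.",
        "I reviewed the numbers. The variance is small and within expectations.",
    ],
    "author_b": [
        "Notwithstanding the aforementioned considerations, the reconciliation remains fundamentally incomplete.",
        "The documentation, regrettably, demonstrates considerable inconsistencies warranting investigation.",
    ],
}
# Constructed stand-in for the anonymous threatening email.
ANONYMOUS_EMAIL = "Regrettably, the aforementioned irregularities demonstrate considerable impropriety and necessitate immediate explanation."

def count_syllables(word):
    """Rough English syllable estimate: count vowel groups, drop a trailing silent e."""
    word = word.lower()
    groups = len(re.findall(r"[aeiouy]+", word))
    if word.endswith("e") and groups > 1:
        groups -= 1
    return max(groups, 1)

def features(text):
    """Feature vector: mean sentence length (words), mean word length, mean syllables per word, type-token ratio."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z']+", text)
    if not words:
        return (0.0, 0.0, 0.0, 0.0)
    return (
        len(words) / max(len(sentences), 1),
        sum(len(w) for w in words) / len(words),
        sum(count_syllables(w) for w in words) / len(words),
        len({w.lower() for w in words}) / len(words),
    )

def profile(emails):
    """Average feature vector over all of one author's known emails."""
    vecs = [features(e) for e in emails]
    return tuple(sum(v[i] for v in vecs) / len(vecs) for i in range(4))

def rank_authors(anonymous_text, known=KNOWN_EMAILS):
    """Rank candidates by distance from the anonymous text's features to each
    author's profile, closest first. Each feature is scaled by its largest
    value so that sentence length does not swamp the other three."""
    target = features(anonymous_text)
    profiles = {name: profile(emails) for name, emails in known.items()}
    scale = [max([p[i] for p in profiles.values()] + [target[i], 1e-9]) for i in range(4)]
    def dist(p):
        return sqrt(sum(((target[i] - p[i]) / scale[i]) ** 2 for i in range(4)))
    return sorted(profiles, key=lambda name: dist(profiles[name]))
```

With only a handful of crude features and a few sentences per author the ranking is a shortlist, not proof; real tools add many more features and far larger writing samples.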

  An ardent fan of military history, Hidayatullah says tactical use of deception is something the greatest commanders share with great criminals. He can talk passionately for hours about how Genghis Khan used to win against huge armies by sending out a small force of his best warriors in distinctive uniforms. The strike force would gallop up to the army, start a skirmish and then retreat. The army, believing it had won, would almost always give chase, only to find Genghis Khan’s massed army drawn up behind the nearest hill. Genghis Khan would strike at the moment of confusion, inevitably winning. In the Iliad, the Greeks used the same strategy to defeat the Trojans; the army, in this case, was hidden inside the Trojan horse. Hackers too have been using the idea for a while now, best exemplified by the use of malware of the Trojan horse type.

  So, deception it was. The Securus First team sent an email to the MD, supposedly from the MD’s financial planner, with details of his investments. They gambled on the fact that someone accusing the MD of financial impropriety would definitely want to see his investments.

  There was a lot of thought put into the honeypot they created. It wasn’t just a random email that screamed ‘scam’; this one came from a seemingly reputed financial services company (fictional) with employees with LinkedIn pages (all fictional).

  Creating and maintaining fake profiles on social media is something most private investigative agencies and cybercrime fighters do as a matter of course. It always helps to have one at hand to make a play at cracking cases. Back-stories for the characters are important to create credibility, and there are few better ways to make that work than to have social media profiles for them. They are, in essence, easy-to-access autobiographies of individuals. The bonus trivia about this sort of tactic is that most of these fake profiles tend to be of females, the theory being that it is mostly men who are perpetrators of crime and they can be manipulated easily by a woman.

  Hidayatullah, Doshi and the rest of the team in the war room were sure the email they had created would be enough to fool almost anyone. It happened exactly as they had anticipated. The criminal clicked the link in the email, hoping to find more juicy details about the MD.

  That action, in turn, activated tracers put in place by the Securus First team. As soon as the perpetrator clicked the email that evening, Hidayatullah got a call. ‘There has been an incident,’ the cold computerized voice informed him. This was the automated call that the tracer software makes when activated. A ridiculous stream of details started pouring in—everything from the IP address to the screen resolution of the thief’s computer.

  The team had guessed right about it being an inside job. It turned out that a person in the IT department had blackmailed the MD. But the MD was convinced that the techie, by himself, stood to gain little by doing all this. He had to have assistance, and the MD was certain that the techie was only a cog in the wheel operated by someone who had a bigger motive.

  The Securus First team continued their wait, all the while tracking the IT guy’s computer. Sure enough, the employee wasted no time in forwarding the email with the fake details of the MD’s investments to the perpetrator. It was no small fry. It was someone in the MD’s core team, a senior vice-president.

  The MD then confronted the criminal. The rest of the story is subsumed in silence because Securus First left; the company wanted to take its own action without making much of a noise, making sure the bare minimum number of people knew about the breach. What was remarkable was that the entire investigative process had taken less than twenty-four hours.

  * * *

  What connects Modi and Hidayatullah is that both of them started out investigating cybercrime and theft of data, and then broadened their horizons, moving to software and services. They are both targeting the trend in cybersecurity where, rather than encouraging a reactive approach to breaches, they are creating products to encourage companies to actively manage their cybersecurity. It is certainly a more lucrative market, one where security is offered as a service rather than as an intervention.

  Investigating breaches may not be as lucrative as providing a cybersecurity service, but is still something that has to be done. Police aren’t always the best option for most companies, but the police are certainly trying to ramp up their efforts. A couple of years back, Twitter was abuzz with a new trending topic, #EthicalHackersWithPolice, a hashtag started by Bengaluru deputy commissioner of police (crime), Abhishek Goyal. He asked ‘Bengaluru Hackers who were interested in working against Cyber Crimes’ to email their CVs to him.

  #EthicalHackersWithPolice garnered much attention on the Internet. Why did Goyal do this? Mainly, he says, because much of ‘what we learnt in the academy has become obsolete now’. (Goyal was quick to clarify that it was not the police department looking for hackers, saying that ‘it is me who was looking for hackers.’) Goyal was following the time-honoured advice of ‘set a thief to catch a thief’.3

  The lethargy of the government mechanism, with the exception of individuals like Goyal, is the foundation on which private cyber-investigation entities have become popular. These private detectives (from boutique firms, some small with a handful of employees and others 800-employee behemoths) come armed with programming skills and high-tech gadgets that criminals boast of.

  Cracking cases isn’t all that it is cracked up to be. It’s a lot of drudgery and involves coding and ploughing through reams of data. Even with the rapid strides in analytics, cracking a case can be time consuming. But the results are something companies are prepared to pay huge amounts for, which is why financial consulting firms have set up digital forensics units.

  It is a natural progression. Forensic accounting has been in the DNA of these companies, but the capabilities needed for that have changed over the last few years. Ernst & Young’s partner and national leader, fraud investigation and dispute services, Arpinder Singh, said a few years back that he understood the potential of technology in forensics during his involvement in investigations into one of the major corporate accounting scams of the 2000s. ‘Prior to the scam, our investigations were primarily about books and records. Post the scam, we started imaging computers and cell phones, recovering deleted information and using software like Clearwell so that the information collected could be produced for litigation purposes outside India. Around the same time, a lot of police officers started joining us and brought in skills like asset-tracing and background checking.’4

  KPMG, E&Y, Deloitte, PwC—all these names have large and growing teams involved in forensics and fraud investigation in India. Investigating cybercrime requires specialized skills and is almost always done under the highest secrecy because of the reputational risk involved. Their existing relationships with companies meant that firms like EY and KPMG are the first port of call when companies need to investigate cybercrime situations.

  Singh says that between 2010 and 2015, the forensics practice grew 50 per cent every year.5 ‘We have hackers, big data analytics guys, coders. This is in addition to the eighty-odd people who are on the intelligence side, going out and gathering information and doing surveillance. We have MBAs, CAs and lawyers.’

  * * *

  In India, private investigators have always functioned in a shadowy area that’s not quite sanctioned by law. There’s been little legislation, and as long as the bulk of them dealt with small-time, low-key domestic cases (snooping on a spouse, pre-marriage screening of the couple in arranged marriages, etc.) there was no real call for supervision.

  With cybercrime, you’re looking at a different class of investigator altogether, far removed from the slightly shady guy sitting alone in a one-room office with paan-stained walls. It is a class of investigator who has the power of technology on his side, with little regulatory oversight of his investigation practices. That might result in problems as issues of snooping and data theft become increasingly mainstream.

  This lack of accountability, coupled with the easy availability of a host of gadgets and software, such as spy cams, bugs and listening devices, makes these investigators sometimes cross the line between surveillance and invasion of privacy.
