This is an excerpt from the book ‘Breach: Remarkable Stories of Espionage and Data Theft and the Fight to Keep Secrets Safe’ by Nirmal John. Nirmal John has worked in advertising and journalism. He was earlier the assistant editor of Fortune.
This book brings to light several incidents which till now were brushed under the carpet. It has instances of piracy, data theft, phishing, among many others. Even though he focuses on India, Nirmal John takes great pains to show links between underground international networks working to undermine data security. This excerpt has been taken from the chapter, ‘White Hat Is Greenback’. This excerpt throws light on the normal routine of Saket Modi, a young CEO of a data security company, Lucideus.
Fear. Urgency. Desperation. Panic. The themes that dominate that call for help are almost always the same. Pretty much everyone working in the cybersecurity business knows what it is to get that call, especially in the middle of the night. There used to be a time when break-ins were reported first to the police. But with the crime itself changing in nature, the way it is reported is changing too. The cops aren’t in control when it comes to new-age crime and theft of data. Dialling 100 may not get you far when it comes to data breaches.
Saket Modi has been receiving these calls for a few years now. Modi is a baby-faced young man in his twenties who boasts an easy charm. His company is named Lucideus. It is a mash-up of two names from the ancient scriptures: Lucifer, the Latin word which came to be used to describe the devil, and Zeus, the supreme Greek deity who, among other things, dispensed justice.
The mash-up is meant to be a reference to how the ‘bad’ and the ‘good’ come together online. Modi’s earlier office in Safdarjung Development Area market near IIT in Delhi was small and tastefully appointed in white (perhaps to accentuate the idea of the white hat hacker). He has since moved to a new, much larger space in Okhla, still tastefully appointed, still in white.
He started out when he was in his teens, helping companies investigate breaches and shore up their cybersecurity. His carefully constructed reputation as a young white hat hacker brought him many projects over the years. These days he is among those advising the Government of India on matters of cybersecurity.
Most of his projects for companies started with a call from a panic-laden voice. Modi particularly remembers one call from nearly five years back. It was the chief executive of one of India’s largest services companies at the other end of the line. The CEO introduced himself. He had met Modi on the sidelines of a conference; they’d exchanged visiting cards, and the chief executive had fished out Modi’s card to call him.
‘We think we are in major trouble. How quickly can you fly to Bengaluru?’
Modi was used to such requests from panic-stricken executives. He asked for a bit more context on what exactly had gone wrong.
‘The CEO of one of my top five clients, who is a huge name internationally, called me earlier today. He asked me to immediately stop all the operations I was doing for his company. He didn’t explain why. He just said that he will be calling me later to explain further.’
This was a client that contributed a very significant chunk to the Indian company’s top line. There were hundreds of employees from the Indian company working on the client’s projects.
‘I suspect there has been a breach, because of which all this could be happening. There are a few other things that would explain this reaction from the client. The truth is, I can’t afford to lose this client under any circumstances,’ the executive confessed.
Saket Modi took the next flight to Bengaluru.
It was when he reached the office of the chief executive that Modi realized he wasn’t the only one who had got a call from him. There, sitting in the conference room and waiting to be briefed, were cyber-forensics experts from big accounting firms and other security researchers like himself.
Even though this was par for the course when it came to how Indian companies reacted in such situations, Modi says he was taken aback. He says this has become a common practice when it comes to investigating breaches: the targeted company invites the names known to have cyber-forensics experience for a briefing post an incident and then gives the job to whoever bids the lowest. The question he asks is whether matters of security can be treated like other supplier relationships, especially in a crisis situation.
This is probably how things work in many Indian corporations but, as he points out with evident displeasure, that is not how security and breach protocol should roll, particularly in a crisis situation. ‘Security is not an L1 business.’
The chief executive briefed the gathering about the situation. There had indeed been a breach. He was looking for partners who could immediately deploy resources to find the vulnerabilities that had led to the breach and could help plug them. That was the only way he could convince the client not to terminate the contract.
Modi ended up with the project even though his quoted fee was high. He flew in his team from New Delhi and, during the investigation, found several vulnerabilities in the organization that had resulted in the breach.
The team started by poring over the access logs, which list the requests for individual files from a website. They then isolated the sectors which were compromised and sandboxed them. That meant that they used a separate machine, not connected to the company’s main network, to run programmes and test the behaviour of the malicious code.
The idea behind doing this was to deduce if there were patterns in the type of data that was being compromised. If they could unearth a pattern, it could theoretically lead them to the hacker.
Unfortunately, as in many such instances, Modi says, he couldn’t identify the source of the breach as its origins were from beyond Indian borders and hidden in a complex trail of IPs. His team couldn’t definitively pinpoint the location, but they pushed the chief executive and his company to shore up every single facet of its security protocol.
The client kept the Indian company’s handling of its operations shut down for a month, while Modi and his team worked on overhauling the Indian company’s security system. A month later, Modi had a call with the CEO of the company’s international client to detail the steps they had taken to make sure that breaches such as the one that had happened would not recur. Later, the client sent a team to audit the changes, and only when it was satisfied did the client allow the company to resume work on its projects. It cost the Indian company thousands of billable hours, not to mention damage to its standing in front of the client.
If you like this excerpt and want to read real-life thriller stories full of hackers, police, and corporates, you can read the book ‘Breach’ by Nirmal John.