Cyber Attacks In Business: Case Studies And Prevention Tips | Real Case Study Lessons | Simplilearn

Simplilearn | 01:18:26 | Mar 26, 2026
Chapters: 10
Participants introduce themselves and learn to use the Q&A box for questions, plus tips on attendance certificates and staying on topic.

Hard-hitting real-world cyber lessons show attacks are business crises—and preparation, not tech alone, saves the day.

Summary

Ana hosts a live Simplilearn session featuring cyber veteran Nithan Krishna (head of the Cyber Defense Center at Jefferson) who reframes cyberattacks as business crises. The talk kicks off with a provocative quote that anchors the discussion: attackers don’t need to follow your patching cadence, so defenses must be resilient and fast. We then dive into three real-world case studies: the Microsoft SharePoint ToolShell vulnerability highlights patch validation and patch management gaps; the CrowdStrike outage shows the risk of over-reliance on a single vendor and the need for robust DR plans; and a landmark AI-powered attack demonstrates how AI-enabled threats can operate at scale with minimal human involvement. Throughout, the speakers stress zero trust, network segmentation, and threat modeling as practical controls, not buzzwords, and emphasize that AI must be used defensively (AI augmenting SOCs rather than replacing human oversight). The session also previews IIT Praart’s AI-powered cybersecurity program with hands-on labs, capstone projects, and career services, tying in threat intelligence, blue-team defenses, and real-world drills. The overarching takeaway: cyber resilience requires people, processes, and intelligent tooling working in concert, and practice and tabletop exercises are non-negotiable.

Key Takeaways

  • Patching alone isn’t enough; patching must be complemented by strong change management, validation, and rapid containment strategies (SharePoint ToolShell case).
  • A single vendor failure (CrowdStrike outage) can cripple operations; organizations need DR plans, backups that are immutable, and multi-vendor contingency options.
  • AI-enabled threats can scale beyond human reach; threat modeling and behavior-based anomaly detection are essential for AI-era defenses.
  • Threat intelligence and third-party risk management are critical; map the entire ecosystem (payments, maps, APIs) to prevent cascading outages.
  • Zero trust and network segmentation are practical, observable protections that reduce blast radius in real incidents.
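The ecosystem mapping and vendor-dependency takeaways can be checked mechanically. The sketch below is an added example, not material from the session: it walks a dependency map to find what a single provider outage takes down and flags services whose tolerable downtime is shorter than the vendor's contractual recovery SLA. All service names, vendor names and hour values are constructed for illustration.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample data: every service, vendor and number below is hypothetical.
# Each service lists its requirements; a requirement is a list of interchangeable
# providers, so more than one entry means a fallback exists for that requirement.
DEPENDS_ON: Dict[str, List[List[str]]] = {
    "food_app_checkout": [["payment_gateway"], ["maps_api"]],
    "payment_gateway": [["bank_api"], ["wallet_a", "wallet_b"]],
    "hospital_workstations": [["endpoint_agent"]],
    "airline_checkin": [["endpoint_agent"]],
}

# Contractual recovery time each external vendor commits to, in hours.
VENDOR_SLA_HOURS: Dict[str, float] = {
    "endpoint_agent": 2.0,
    "maps_api": 1.0,
    "bank_api": 4.0,
    "wallet_a": 8.0,
    "wallet_b": 8.0,
}

# Longest outage the business can absorb for each service, in hours.
TOLERABLE_HOURS: Dict[str, float] = {
    "food_app_checkout": 2.0,
    "payment_gateway": 2.0,
    "hospital_workstations": 0.25,
    "airline_checkin": 1.0,
}


def impacted_by(failed: str,
                depends_on: Dict[str, List[List[str]]] = DEPENDS_ON) -> Set[str]:
    """Return every service that goes down when `failed` is unavailable.

    A service is down when at least one of its requirements has no provider
    left standing. The loop repeats until no new service falls over, so
    cascading (transitive) failures are included.
    """
    down = {failed}
    changed = True
    while changed:
        changed = False
        for service, requirements in depends_on.items():
            if service in down:
                continue
            if any(all(p in down for p in alternatives)
                   for alternatives in requirements):
                down.add(service)
                changed = True
    return down - {failed}


def blast_radius(vendors=VENDOR_SLA_HOURS,
                 depends_on=DEPENDS_ON) -> List[Tuple[str, int]]:
    """Rank vendors by how many services a single outage takes down."""
    ranked = [(v, len(impacted_by(v, depends_on))) for v in vendors]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


def sla_gaps(vendor_sla=VENDOR_SLA_HOURS, tolerable=TOLERABLE_HOURS,
             depends_on=DEPENDS_ON) -> List[Tuple[str, str, float, float]]:
    """List (vendor, service, sla_hours, tolerable_hours) where the vendor can
    stay within its contract while the service exceeds its tolerable downtime."""
    gaps = []
    for vendor, sla in vendor_sla.items():
        for service in impacted_by(vendor, depends_on):
            limit = tolerable.get(service)
            if limit is not None and sla > limit:
                gaps.append((vendor, service, sla, limit))
    return sorted(gaps)


if __name__ == "__main__":
    for vendor, count in blast_radius():
        print(f"{vendor}: {count} service(s) down on outage")
    for vendor, service, sla, limit in sla_gaps():
        print(f"GAP {service}: tolerates {limit}h, {vendor} SLA is {sla}h")
```

Each reported gap is a candidate scenario for a DR test or tabletop exercise: the vendor meets its contract and the service is still down longer than the business can accept.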

Who Is This For?

IT leaders, security professionals, and aspiring SOC analysts who want concrete, case-driven lessons on turning cyber incidents into controllable business outcomes, plus hands-on training paths to elevate their skills.

Notable Quotes

"There are only two types of companies, those that have been attacked and those that will be."
Opening framing that cyber risk is inevitable and preparedness matters.
"Attackers doesn't care about our patching. They don't care about our change management."
Highlighting that defensively minded processes alone can’t stop fast-moving exploits.
"Patching is absolutely necessary but that's not only sufficient."
Emphasizing a multi-layered defense beyond patches.
"Zero trust is not a buzzword. It's a practical control wherein you are limiting your blast radius."
Explaining zero-trust as a core defensive strategy.
"This is not a cyber incident in isolation; it is a business crisis."
Reinforcing the session’s thesis across case studies.

Questions This Video Answers

  • How does the Microsoft SharePoint ToolShell vulnerability demonstrate the limits of patch-based defense?
  • What lessons can we learn from the CrowdStrike outage about DR planning and vendor risk?
  • Why are AI-powered cyberattacks a fundamental shift, and how can defenders respond effectively?
  • What should be included in a robust threat modeling exercise for AI-era threats?
  • How can organizations implement immutable backups to ensure rapid recovery after a breach?
Cybersecurity, Zero Trust, Microsoft SharePoint Shell vulnerability, Patch management, Change management, AI in cybersecurity, CrowdStrike outage, Third-party risk management, Threat modeling, Immutable backups/DR planning
Full Transcript
Hi Aai, I can see some messages coming in. Nice to uh have you here. Yes, all of you please do drop your introductions. Please let us know your name and where you're joining us from. Hi Balashandra, you're joining us from Mumbai. Great. Hi, I think Mutu. Um okay we are also live on LinkedIn and YouTube um and we have participants uh viewing us from all over the world. Once again a very warm welcome to everyone. Uh hi say if you're joining us from Chhattisgarh. Hi Ashish from U M Uttar Pradesh. Um we have Muhammad from Pakistan. Hi Manu from Delhi. Hi Ana, you're joining us from Chennai and Yanra from Bangalore. Okay, someone from Uttar Pradesh. She I think great. Okay, it's amazing to have such a lively bunch of audience here. Let me quickly introduce myself. My name is Ana and I will be hosting the session on behalf of Simplilearn. Um I think this is going to be one of the most eye-opening sessions that we have ever hosted. So please uh do stay tuned. Um I'll hand it over to our speaker in just a moment. But a few quick points before that. Uh number one, please drop any questions you have in the Q&A box and not in the chat box. As you can see, we keep getting a lot of messages in the chat box. So we might end up missing your uh question. Please ensure that you're using the Q&A box effectively. Um secondly, avoid sharing any external links or personal details on the chat box and keep conversations only relevant to the topic. And finally, for those of you who participate in the session till the end and give us your full name in the poll that we'll be launching at the end of the webinar, we will provide an attendance certificate that you can share on your social media, add to your resume and even update on LinkedIn. But please note that only if you participate in the poll, we would be able to generate the certificate. We cannot unfortunately take any manual entries, right? Um yes.
So at Simplilearn everything we do revolves around one idea which is helping professionals build skills that actually move their careers forward and today's session is also very very much part of that mission. Uh over the years we have worked with millions of learners from around the world across roles across industries and career stages. Uh we have more than 50 partnerships globally and speaking of partners we are proud to partner with um many global universities, educational institutions, organizations and companies that you can see here. Um this means the learning that you get here is grounded in both academic rigor and industry application. Um so today's session is structured around four big areas. Uh firstly, how cyber attacks become business crises. Um secondly, we're going to deep dive into three real world case studies. Um and thirdly, we're going to um uh understand the key concepts, cyber concepts that you know we can learn from uh these case studies. And fourthly, uh the role of AI in modern defense. And finally, we'll quickly preview ITM Praert's AI powered cyber security program as well, its curriculum features and how it would impact your learning and career. Okay, I'm going to get um this webinar started with this with this quote uh because it frames uh pretty much everything we're going to talk about um talk about today. There are only two types of companies, those that have been attacked and those that will be. So, it's not you know a question of whether your organization will face a cyber threat. It's a question of when and more importantly how prepared you are. And who better to walk us through uh that than someone who spent their career building exactly that kind of preparedness. Um so it's my pleasure to introduce our speaker today, Nithan Krishna.
Uh Nithan is the head of cyber defense center at Jefferson for recognized as Sweden's top cyber security professional and ranked among the world's top cyber security influencers by cyber security champions in the US. Um he's known for creating resilient intelligence-driven security programs that have made a true difference in this world. Um he's also a speaker, a mentor, an active community member. Uh Nathan, it's an absolute pleasure to host you again. Um I want to ask you um you know uh in addition to your uh introduction um you know what drives you to keep working in the cyber space and like you know keep sharing your uh knowledge with communities and learners like um this in this webinar?
Yeah, thank you so much Alan. It's been a pleasure last time and you know be part of this discussion again. So see most of my work is not just around preventing attacks. It's like dealing with what happens when things go wrong right because that's what you have to be prepared on. And that's exactly why I like this topic today because that's that's something which we have to talk because many companies will be attacked or will be hacked but they have to come out of situation that's what we have to bring them up and know how they respond under pressure during real incidents and that's why I spend a lot of time mentoring people sharing this kind of experience with them like I normally do the similar case study experience with them make sure they understand what they have to do first when they have a live crisis.
So um I really love the topic Ana thank you so much again but I don't want to take more time on this because people know me I I'm sure almost everyone knows me by now so I don't want to take much time on introducing myself on that but let's dig deep into this and this is a very interesting topic.
Perfect, right. So um Nathan adding on to that I absolutely love this framing you know like the best classroom is the crisis that already happened uh so before we get into the case studies can you tell us in your experience leading a Cyber Defense Center. Um, have you found that like real incidents teach you things that like you know a textbook or like a certification program like cannot like what is learning from actual crisis look like in practice?
I can give you a simple example of that. You know do you think attackers do based on ISO or they follow this framework or they think about oh this company is having a 3 weeks patching cycle I will not attack them during then right they don't look at those. So we when you put security frameworks what we say is we are clean structured and predictable but real world attacks doesn't follow any of this they attack based on a vulnerability which they can find if they find a vulnerability in you even if you have ISO and SOC 2 you are following every framework in the world if you still have a uh one vulnerability which is exploitable they will exploit it. And I always tell this in my uh you know when whenever I talk to people also. We have hundreds of tools to protect ourself but hackers or the the adversaries are always a step above us because they they the technical skills what they are looking at is only to attack us or break into our systems. They're not looking at anything else. And that's where you know we have to come up with such case studies instead of if I ask you or if I ask someone in ISO we have like 93 controls in ISO. Do I remember all of the controls by myself? I don't know. I may have to look into that.
But when an attacker is looking at one vulnerability they have everything they need to do on that and they would have developed an exploit which can actually exploit the vulnerability also. So now now I I will ask you this back to you or you know to the team actually when when you see situation like this right especially when you are under attack or when when something like this happens we know like this is what I have to do like all the NIST frameworks tells us that once you have an attack you should probably do this you should probably do this but if we do not do a tabletop exercise or if you are not prepared for that particular event to happen then there is nothing and I think we called it out last year last time when we had discussion also right if you have a backup and if you have not tested the backup there is absolutely no use of it so that's the same thing you know that's what we can actually learn from case studies like this real world scenarios not just memorizing myself on the controls I have on SOC or on NIST or ISO to answer in in a very simple way.
And yes, yes, yes, absolutely I agree with you we learn best from our you know experiences or like you know other people's experiences which is what we're going to look to um so let's get into the main topic this is um you know this statement is really the thesis of today's session that cyber attacks are not just technical events they are business crises um many and most attacks cross the threshold of being an IT problem or this cyber security team's problem you know it becomes something that the top leadership or even the entire organization has to own, has to face, has to deal the impact of. So we will look at some data points that sort of prove this statement. Um these numbers are honestly quite staggering, right? 10.5 trillion is projected as the cost of cyber crime annually. Um it could take up to nearly 9 months on average to identify and contain a breach.
Uh $4.88 million again is the average cost per cyber breach incident. and 74% of breaches involve human element which means more than 25% of the attacks are AI net. Um again like you know quite staggering statistics but with that context let's get into our first case study which is Microsoft SharePoint and the ToolShell exploit. Um this is quite a recent incident um and one that hit organizations at a very very serious scale. So Nan over to you please um set the scene for us. What was the environment like before this happened and why were so many organizations caught off guard?
Yeah, and it's good that we are moving from theory into something very real now, right? So, this vulnerability was something to do with Microsoft and uh I think it was with the Microsoft SharePoint ToolShell and to be very honest with everyone this is one of the best best example of how modern attacks are really happening. Now what really happened was at first glance when we looked at this vulnerability researchers find an issue as normal it gets disclosed a patch was released and we thought okay the life cycle was ending there but what really made this particular incident different from that was the moment when a working proof of concept like normally what happens is when a when a researcher finds it or a attacker create a public uh proof of concept they we will we will have our own ways to actually mitigate the problem and we thought our patch could actually do that but when the proof of concept here became public the complete analogy what we had in our mind was changed overnight it was just complete different what we controlled uh through all the patches what we could do was really good but the actual problem was not there. It was in the defensive process what we had. It was in the patching process what we had. It was the validation of the patching what we had the change management process. It was affecting everywhere. And nobody really had this much of time to actually do this.
And one thing which we want to remember here attackers doesn't care about our patching. They don't care about our change management. they just attack us from the day one the PoC becomes available and that's what really happened here. So the moment the PoC became public, they had a very good automation in place and they just automated it. They scaled it and started exploiting from the next second I would say. And here the gap what we are not talking about is not just technical we didn't have people to do to do this patching right now. It was also an operational damage and the difference is how fast we can respond to because attackers were attacking us every every second I would say because now we have all these AI agents and AI bots. So the attack was coming every now and then and we didn't have any ways to actually prepare for that and one thing which reminds me also is that in in in today's very sophisticated environment the gap is too wide and when we think oh we will wait for an attack to happen we would have already been attacked and we would have already influenced it a lot and that again comes back to the same topic where you said cyber incidents are not an IT specific specific incidents now it is more of a business case right that's where I like the slide when you presented it so again you know the impact was huge in in terms of that but I would say the difference what it made with the real impact of that was Ana uh you know uh if you could actually move okay so if if you could actually see there are thou thousands of exploitation or hundreds of organizations has been targeted at at a single entity.
Previously the attackers used to time you know they will take some couple of days to actually move from public sector to private sector or from to the federal organization but here they just had a scale of like everything was happening it at the same time and the SharePoint versions which was exposed was like we didn't have time to actually patch it because you have your documents available there you have people were like oh no that's not a business critical thing but is it Okay, if it is get exploited because that could be also a path for some other entry points into the system. So do you want to expose that to public? So people were really in a very difficult situations like on how to actually mitigate it and also I would say I I wouldn't go with the percentage of here but at least as per Akamai and as per some other CrowdStrike informations what we could actually gain on this was it was at least 20% of environments were still exposed after patches were available at least. I'm not saying it is 20 percentage because was it called as a zero day? If you ask me, I wouldn't really call it as a zero day because it was not a new release or something. But still when a patch was released, it came into like a zero day sort of thing and you have to patch it immediately. And here we always talk about this. Oh, if if you have MFA, if you have single sign on, if you have multifactor authentication, that's all good. You know, you are all you know, you you can act like a god. But that was not enough here because when you have everything at one segment uh without having any network segmentations, you all your production systems, all your crown jewel systems, crown jewels are your most critical systems are at a single network layer. Then if I can actually infiltrate into one of that that that means every other system can be compromised. It is only a matter of time. Maybe the attacker would take additional couple of minutes because these days the signature also changes a lot.
You know it's not the same signature what the attacker would already use before. That's the biggest challenge what we see these days because previously we know okay this is an attack actor and this attack this actor will only use such signatures. But now absolutely not he keeps changing. So those are the things which we have to see and you know and I would also say you know the takeaway from here was very simple. It's a very simple takeaway to everyone. Patching is absolutely necessary but that's not only sufficient. We you need to look at a lot of other things other than patching. It could just protect you at that point. But that's not everything. So you have to plan yourself. You have to look into things. You have to come up with better ways on how to actually prepare and you know close the complete uh loop of the attack. So that's something you know something which I would really take away from this. And I would also say uh one thing if you if you if you could you know uh the key concepts from this what made me think was uh we always talk about zero trust. Does anyone know about what is zero trust? If someone could actually pass in the message we can actually look into that. And also let me ask this to Ana. So what what do you think Ana is zero trust? Why do you think zero trust is very important here?
I am uh you know yeah I can I I can I can also give an answer for this. Yeah. So um you know take a guess uh maybe like you know it's it's like a framework or like you know in an environment where um you know uh you sort of do not um um you have your controls very high and you do not have like you know any you don't exhibit any trust on any um external uh sources or vendors or anything like that. Maybe that's just like a very random non-technical guess.
Yeah very good. You know you made a very good example of zero trust when you started the session.
What you did was you said when people join you asked them to actually push their names and also from where they are coming from and from what they do that is absolutely zero trust. So you are making you are you don't trust anyone. It could be bots joining in we don't know right but can a bot enter all this information? Maybe yes with this AI but not to the level of information what we have already seen people typing in. So with zero trust you don't trust anything. So that's where the zero trust becomes very important. It's not a buzzword. It's actually a practical control wherein you are limiting your blast radius. You are saying okay I can I only trust you if you confirm me couple of things about yourself. these are things which I want to know from you and once that trust is made yes then I trust you. So that's where this zero trust is very important you know for everyone to understand in cyber security and here also we spoke about if it is at a single layer of security it's not contained at all. So whenever you do any network segmentation you can try it in your personal home lab itself you can see when you set up your home network at one domain and if you have every workstations designed into that you can probably see it becomes so easy to actually ping those IPs at least I can know how many IPs are there in that particular range very easily but if it is a different range then it becomes so different so the question becomes are we designing ourself for only preventing attacks or are we designing our systems also for a containment perspective.
So that's the question we should ask ourself you know to the organizations also when you when you are attending uh different different seminars or different webinars or when you're talking to your leaders you should ask them you should really ask these questions to them are we designing the system for prevention then I don't think we are doing a proper security here we should also work towards containing what happens after an incident happens right so that's something which which is a real uh real thing which I like about this ToolShell and it's a wonderful case to work with, right?
And and that contain containment that you spoke about is how you know you prevent it from being becoming a huge business crisis. So I think that like you know perfectly rounds up um and connects with the topic at hand here. Great. Okay. So we will um move on to our second case study. Um I think this is um fascinating uh Nathan for a completely different reason because this wasn't exactly you know a cyber attack as such nobody um you know technically hacked CrowdStrike. So um yet you know it caused the largest IT outage I think um you know one of the largest IT outages in history. So I think this you know this particular case study challenges how we define cyber attack or cyber risk right. So um can you you set up the story for us?
Yeah. So this one actually like you said it's a complete different thing. People talk about everything when when a system is halted or system h happens to have a crash. We all think it is a it's a it's a cyber incident but this one was a complete different one where there was no uh attack groups or an attack actor be part of it. Right. So and that is the same reason why it stands out because there is no attacker involved in this. But still if you look at this caused the largest global IT outage I can remember of and no I think there was another one but this was one of that at least because we had recently Cloudflare which also had the same problem.
So this this also relates to the same thing. And what really happened here was when you trust something like in reality what happens is we trust something like I said that the zero trust what we had we think the trust would only come from a trusted ecosystem but in many case that's where the real impact comes from and that's huge than we would actually think of and this is not about hacking what we are talking about Yeah, it's more of a a system failure or a or actually a vendor third party risk management. If the vendor is not properly m properly having controls in in their place, that could also be a problem for us because we at this micro service world what we are living right now, we depend a lot on some other organizations. It's not just about us. we are depending a lot on various other organizations to make sure our business runs smoothly and that's where it becomes an ecosystem right so if you if you do the payment itself you know you buy something from your food app and the map what it actually shows there is from Google the payment gateway what you might use maybe from some other uh you know Stripe or some other payment gateways and then it talks your bank through a different API and then it talks to maybe your Apple Pay or Google Pay through a different API. So it's all connected. It's a different ecosystem what we have and that's where the impact. So if you think if you're opening your app uh your food delivery app today and you cannot see a the map there, do you think it's a problem with the food delivery or is it a problem with Google? Whom do you blame first? You blame the food delivery app first. You don't blame Google for that. You you don't know whether Google is providing it because we know because we are talking technical here. But does a normal user know whether the map which is actually shown that has been delivered by Google? No.
So that's the same thing you know the CrowdStrike incident also makes it a little different from the normal cyber incidents is that the risk what we always look at we would have planned well for the services what we have but what people actually forgot was what would happen if CrowdStrike goes off. Oh should we plan for that risk? We never plan for it. This was something which we considered as a shared risk between the vendor and the organization and that's where the biggest problem was. If it goes wrong they would have clearly called out in their SLA that they will take maybe one or two hours to come back the service. But imagine it was a critical service and you cannot risk even one hour of SLA but you never thought CrowdStrike will go off. So you signed the contract with them and you now in contractual terms you are within that SLA itself but you your services are down because of that. So now if you ask me who is wrong here, I will say the organization who is actually doing the cyber security for themselves that's what it really unfolded for them. This really started as a routine update. You know, we you know, there was no alerts. I would say when this thing happened really I I I did not actually see any alerts. There was no warnings. Nothing unusual. But within like couple of minutes or couple of hours, I would say there was like Sev 1 incidents coming from all over the world. People were like this is down, this is down, this is down. And the news became so cute. You know this was like if it became global I would say within like 30 minutes to 1 hour time it became a global incident that was a penetration what it had and it didn't just focus on business critical it happened to be hospitals so hospitals are considered the business critical one imagine the uh you know the oxygen cylinders was not operating because the CrowdStrike was not working.
We never thought you know this could really happen or a surgery was going on and there was a computer in need there and the computer didn't start to do what it was supposed to do and airlines every airlines had problems with because of this not just the airlines has the the planes I would say but the airline operations because everyone needs computer and I remember I still remember people posting the images of blue screens what we had on that day you know there was no information about which flight was going, which flight was delayed, no information at all. And it was like completely unusable, right? It was all blue screens everywhere. Every machines was becoming completely unusable. And this was I'm not just talking about it happened only in Asia. It happened across. So at least I think it was it in in a in a in a scale of millions if you would talk about I I I really resonated with something around you know 8.5 million Windows devices and this was a this was actually published in the Microsoft blog also you know they really published the numbers it was the impact of it and also the the biggest standout for this again is this was not an attack. So do you really think always attack group or a hacker is required to create a global panic? No, this was just an update or you know it was just a system change which they had to do which really didn't happen in the way they wanted. So the more we go digital you know you have to have proper risk mitigation plan proper risk management and that is where again like to the same point which Ana made at the beginning cyber security is not just an IT problem it is a business crisis and this really resonated around this is not a cyber incident people talk people ask me Nan, do you still say this is a cyber incident I would say it's not a cyber incident in a Okay.
But still when you say cyber that is something which we always say it is it's related to computers it's related to technology then yes this was something into that same thing. So and also uh you know the key things what you can actually learn are the one which we already spoke about which is third parties management. So which you have to have proper understanding of how your third parties are connected, how your third parties are managing their risk. If I don't know what the third parties have and very good point from Ragav availability was lost from the CIA triad absolutely CIA triad plays a vital role in this everything in CIA triad availability everything you know. So availability is very vital in that. So if I want to have a system at this particular time this particular day if I have if I don't have that then it is completely fall back. So TPRM is something which if if you are from organizations and if your organizations are not doing uh TPRM I would definitely ask you to go back and tell them you know we should do this TPRMs and also DPIA which is data protection uh you know data privacy impact assessment that is also something which you have to do in every organization where you work for. So that is when you know uh you you really understand what could actually do better and what is that we should really think of doing. And one other thing is what I would also relate to this Ana is that this is a classic example of how we can actually trust combined with I would say high privilege because this one was like people wanted to have this particular system at this particular time and there was no containment anything on that and it was we were heavily considering on one vendor. We didn't have an alternative vendor to go to. That's a clear example of DR, disaster recovery. We thought, oh, CrowdStrike, right? They are a million-dollar company. We can vouch on them. What could do if CrowdStrike goes wrong or what could happen?
We didn't even have that in a tabletop exercises. We never thought about it. We thought, okay, that's easily good. We didn't have any roll back mechanism. If CrowdStrike goes down, can we roll back to some other vendor? No, we didn't have that. So now now at least you know when when when we consider this uh the CrowdStrike example itself, we look at different ways to be live always. So how does the recovery becomes more of a proactive way not become reactive to it and not more become manual to a situation? How are we automating it? Because if you just be reactive in such scenarios then it's biggest challenge for us. So I would say again on this it is more about preparing yourself. I know you would have documented maybe you know the every organization would have a full fallback mechanism documented. Oh this is what my DR plan will look like. But if you do not actually test your DR then that's just a document like lying in some ground uh document of no use. So go back to you know to your organization and also see what are the things which you can bring to the table like if you have a DR tell them why don't we test it we should test this DR just not document it let's prepare for this and you know I have a question also to the team here you know if someone wants to answer this I'm sure when you go through the scenarios right Uh you would you would think do I have real time to actually test this DR because we have lot of things which is on us. Uh cyber security is like everyday job. We have like lot of playbooks to work on lot lot of operations to go through. Do you really think Nan I have time to do this test to the app? I get this question a lot and my answer to them is during a real incident you will not have any clue to whom to go to or what you have to do if you do not test it.
So if you have tested it at least once then you know oh this is this is a step one this is step two I can fall back because imagine you are you are having five steps in your DR and the step one it didn't work at all it's complete fall back step two is not working for you and it's a real incident you're talking about and step three no absolutely not I'm sure as a human being we would be panicked absolutely absolutely panic because your first three steps of your incident manage incident response plan and didn't work at all. Are you prepared for this? We are not to be honest. No human beings would be prepared for that and we will panic and that panic would cause more delays. But what happens if you do this in a real tabletop exercise is you know okay if the first step doesn't work second also doesn't work third also doesn't work fourth one yes I know it is going to work because I have already tested it and you are prepared for that because you have to go in the process because you cannot directly escalate it to level four so you have to follow the process you are following the process and you know you are in a very calm situation to actually take it through. So it's not about documenting it, it is about how you prepare yourself and how you take it to the process. That's a key learnings and key concepts of CrowdStrike incident which I want to bring to the table. Perfect. But if you have any specific to ask Ana please, you know, we can discuss on that as well.

Yes. Uh I mean it was uh hearing you um uh it was uh sounding almost like a fire drill uh for me like you know how how uh effective uh uh uh drill would be to ensure that you are uh prepared and you're you're you're calm uh you know during when when the attack happens. 
Um so um maybe like you know if you can um shed some light on what questions like you know uh should people should security professionals be um asking their vendors like um you know before getting them on board to ensure that like you know they are compliant um what what are like some checklist what should we check?

So we normally have uh every organization these days have a at least uh 60 to 80 questions what we normally ask third parties it's not like a simple question and what we have so in our organization also we have something which would probably talk about their governance practices their compliance the data protection their identity management their infrastructure their application security how do they manage vulnerability management what do they do if situation something like this comes up what is their incident response plan what is the supply chain management so all this is something which we should know from a third party and I cannot just give one question here but you have to know your risk appetite you should know your applications you should know your infrastructure and then you can play it well and I'm so happy to see one of my favorite person in this so Nitan Sony is there so I know him in and out. He's from H&M. So he he had a very good thing there. You know he he said a very good point. Backup should be immutable. Yes. So imagine there's a very good example of that. Ana uh I have a backup. Say I have a backup in place and attacker can actually come and delete the backup. What do you think? Is it worth to have a backup? No. Right. So that's where immutable comes in place. Nobody can delete a backup. So if you do not have an immutable backup in place, then you are not prepared for an attack because the first thing what an attacker would look for are the backup files because you don't have a restore point to go back cuz you would have kept the backup in a situation where I know I can reach back to the backup. Oh, I have a backup in place. 
I can go back to the backup. Right? That's why you take a backup. But if you if it is not immutable, attacker can actually come in. It's wiped off. There is nothing to restore. So you have a big big problem there. And that's a very good point by Nitan, you know. So very good to think of that way. You should really think what you would do as an attacker. What are the things which you consider to be safe? Think of your house. Where do you keep your more secure items? Where do you keep your you have a locker in place, right? You don't keep your locker open. You always keep your locker closed. Or if you keep your valuables in bank, why do you do that? Because you want to secure the most valuable things. And that's the same thing what we say in IT also. If we have crown jewels and if your crown jewels are in the same network segment, is it enough? Absolutely not. We have a bigger problem there. So that's what you have to you know I always think in this way Ana you know you have to first secure yourself as a human being bring the hygiene in yourself then you can protect any systems you know it's about bringing that into the table set an example to others how we can actually do this and what we can actually do with that then it's the the perfect world for you but again attackers will evolve that's when you have to start learning learning and that's what I like about Simplilearn again you know you you have something like this coming up with the case studies which I've never done so far with any other platforms so such things are really good because I talk a lot about other normal best practice and everything but a case study like this is really making difference in what people should understand and people like Nitan can actually come in and say because he's he's also a veteran in IT world in cyber security so he can also talk about things and that's that's something which case studies and brainstorming make a difference in this world and it's all about collaboration if if 
it is like we have lot of uh information sharing communities available where we talk about threat intel where we talk about vulnerability management and all these forums are really helpful because sometimes like CrowdStrike is it something which I can only manage absolutely not it's not something which I can manage myself because of the global event so it has to be collaboration between each other and how do we properly totally plan it out. So those are things which which is the key concept to learn from this and absolutely you know really good to go through this CrowdStrike incident.

Perfect. Okay. Uh thanks Nithan. So we will move on. Um and I think like you know now we come to the case study that is going to stay with people uh the longest. It represents something like you know very new very fresh. So um a Chinese state-sponsored group used an AI system as the primary attack engine. So um Nithan I think like you know this was the first documented AI orchestrated cyber attack uh at scale at this scale. So um help us understand why this is such like you know a landmark moment in the industry.

Yeah this this was indeed a landmark moment you know we never thought this was this was so cute. We were expecting this this could really happen but we never thought this was going to happen so fast. So how this really came out was we we were every one of us was vouching for AI. We wanted AI to be like you know everywhere any tool you buy any EDR any MDR any NDR or any SIEM applications you wanted AI to be there but we were not sure of how attackers are going to use it we didn't plan for that so in this case what happened was attackers didn't try to directly misuse the AI system they really used it in a way how a developer will actually use it. They broke down their key objectives into very small I would say very small harmless task and each request looked absolutely legitimate and there was no suspicions. 
You know when a DDoS attack or when a uh you know phishing attack or any such attacks or a ransomware attack happens into our systems it always raised some suspicions with either one of the platform what do you have but here there was nothing absolutely nothing it was all clear there was no information there was you know there was I would say there was to be honest there was nothing you know it was completely easygoing. We didn't even think about anything. But what really caught us off guard was you had to actually connect everything together, all the single pointers together to understand what really happened. And that was late. That was really late when we actually looked at the step seven and we thought oh oh my god we we are really gone here because the attack is already inside they are doing a lot of things how come this was not captured by any of your events. So they broke every security architecture what we have actually built. They analyzed the code and it always improved themselves and that's where it didn't trigger any red flag to any of the systems what we had and behind the scenes all the steps were actually chained in a perfect way which we were not at all prepared on and that's what I said when you connected it together it is it's an attack but if you see individual steps No, this was all. Oh wow. No, absolutely not. This is a real situation. What is happening here? You connect the complete attack vector and the threat actor workflow. Oh my god, this is a big thing. The full attack flow if you see it's an attack what we had to actually go through. So this became one of the key thing in our in in our in the way we think about how AI can also evolve and when you look at the small isolated task you don't get the full picture but attackers can actually get it because they know all the small things what they're actually doing is really going to impact the organization which they are targeting but for us it didn't make any sense at all. 
So that's what we need to understand here. The risk what we are talking about using AI or having a misconfiguration in your system is not just about an obvious misuse. It's all it's also about how normal-looking actions can be combined into something highly malicious. If you see one activity like someone is trying to infiltrate your servers, you saw an IP address which is coming and hitting your servers that's okay. It's one IP but is that IP address connected to a threat actor? Is that IP address being attacked in your region before? Is they targeting your in your kind of infrastructure anywhere else? You need to connect the dots because attackers are doing it. If you do not do it, then you are behind. And it is very difficult. It's not an easy task. I know it's not very easy to detect it with our traditional controls what we have in place. We need to evolve how attackers are moving forward. We also need to evolve in a way that you know what would an attacker do. Moving away from your legacy thoughts like okay I will wait for an attack to happen or I will wait for someone to infiltrate my system I'm prepared for it does that even make sense absolutely not so the problem with here is once they are able to actually get past your initial controls it's just a mass exploitation what is going to happen there. And the other thing which also noted through this was the signature of the malware was changing on the go. It was not like you had a signature before and that signature was blocked by. Normally what happens in the regular situations in a you know normal way of blocking IPs that IP gets blocked or that signature or the hashes gets blocked but imagine I attacked you the organization the hash got blocked and that's the only signature what I have from this particular attacker the next hash I I'm going to change my hash the next time when I attack and that hash is nowhere there. It's not even related to this one. 
So I am already in there was no blocking for me there and we are not talking this like one instance or one at a time. The scale what we are talking is like very difficult for human to actually match. It's like millions of requests coming at seconds or milliseconds and no systems are actually ready to do it. What would actually take at least days or week to actually have a complete compromise situation and what we are talking about here is maybe max to max an hour. A week to an hour is what we changed with this particular AI incident. And was there a human involved in this? We don't know. We don't think so. It was purely bot driven. Maybe they would have created the bot to do this kind of attack. But during the attack phase, the complete exploitation phase, there was no human involved. So the scale of operation was so huge and that's where the the biggest thing you know how the attackers are also executed in this right that's where the biggest the fundamental shift what I can also think is how the attack was executed in the in the way that was just the start now imagine those kind of situation happens again and that's where you know we need to probably learn from this what are the things which we can actually improve on what are things which we should learn from this incident right so that's something which we would talk now the I would say the main issue Ana was the the visibility like I said we always looked at did they become a circle oh no it was just an attack we will ignore it but from a security standpoint from a SOC standpoint you have to look at individual actions Don't just look at whether that that particular IP address became an incident for you. Even if you think that's a small one IP address hitting you or maybe 10 IP address hitting you or 20 IP address hitting you, you should probably know what is the sequence of the behavior. What would that potentially be? 
Try to understand from that and always you know look at things where you know what could go wrong and what kind of systems are they targeting for. Is it something a crown jewel for you? Is it something which is really important? Is it a will that become a business crisis for you if that particular service goes down? So all that is something which you should really consider and the I would say the biggest gap what I actually found in this was we don't actually monitor access and like you said u I think in one of the slide which we also spoke about the the incidents which we happen to triage It takes a lot of time actually when you have a incident created. You don't triage the incident then and there and you don't know exactly what was the root cause of it. We may secure an access like okay I will not allow an to access this particular page but what I didn't do was I didn't monitor how that access was being used by someone over time I don't have any visibility on that then that means I have a very vague answer on do I have a strong access control in place if I don't know what that particular access was doing then I have a big problem in my access management and that's again again the same point which we'll talk the threat modeling that's a biggest topic in AI or any other uh you know incident management things you know everyone will agree you know threat modeling is something which we need to evolve based on what AI is bringing onto the table these days we cannot I can say we we we cannot think or we cannot assume attackers are limited by time or effort. Previously we used to say this. It used to be my go-to phrase you know na we say attackers don't like to spend more time with one resource. If it is an easy target they will target you if they but with bot there is no time limit for them. If they think that you are a critical resource, even if you have thousand controls to protect you, still they will try to attack you. 
Reason being there is no time limit and there is no effort behind it. They just run a bot. It keeps attacking you until the bot finds a vulnerability in you which can be exploited. There is no effort. It's just a cloud instance which I need. And you know there are platforms like DigitalOcean or AWS itself or IBM which can actually give you one month free servers to run. I can just run it on them. Keep it running for one month. Find all the vulnerabilities across the globe and give me a result and attack them or even submit uh research because that that's a good thing. You know, I'm not always targeting the adversaries here, but there are good vulnerability disclosure programs available where people are also making use of this AI platforms because using AI you can really if in my organization also we have a very good vulnerability disclosure programs. So if you have vulnerability which you want to disclose it to us you can always do it through our vulnerability disclosure management programs and every organization has that which means you can use AI for good and bad it's your conscious mind which have to choose what is that which you have to do about it and with with the defense center which we currently run you have to have the detection strategies thinking from a normal behavior behavioral based, pattern based or anomaly based to something previously which we used to have only signature based like if this hashes are coming in then we block it but we have to change it now. If someone is accessing this particular server at this particular time or at this particular pattern then that's not something really good to have. We need to contain the situation. 
So you need to put it more of a behavioral pattern based anomaly detection rather than a predefined rule or a predefined signatures what we have and that's where this is changing with the attack uh modeling aspect or threat modeling aspects and SOC is evolving here whenever I'm talking to SOC team these days they are saying uh Nithan we don't know how to prepare for a cyber incident with AI I'm like nobody's actually prepared for it but make sure that you change from your signature based or predefined rule based threat detection to more of a behavioral or pattern based anomalies. So it means for the SOC team you are actually adapting to a world in a way that activity happens faster and it may not be malicious when you see the first instance. So the legacy old SOC is like you have to bring the complete circle only if you think that they are actually trying to attack you, you stop the attack. But now if you see a pattern or if you see a behavior of it, you start to block it because you don't know because there is no such behavior or pattern which you can actually define for an AI. Humans, yes, we know. I I'm not gonna if I'm actually typing my keyboard, I know the the the the fast how fast I can actually type a message. But imagine you are getting a message from me. Before even you will send a message, you are receiving a message back from me with full instruction like 10 pages or 10 lines of messages. Do you really think I can type that fast? Absolutely not. That means something is wrong somewhere. So that's the kind of anomaly detection, behavioral pattern detection. 
what you need to have in your SOC and this is where we are going to upskill and learn more about AI use AI we every organization is pushing towards AI so use it in a way that you can use it against attackers also that's what we are trying to do in defenses as well so if someone is trying to attack you using AI bot block it AI bot you have an AI bot which can actually prevent it because AI can actually understand it in a in a much better than a human can actually do it. So human can be a level two level one defender would be attacker the the AI itself. So that is something which is constantly moving towards the threat modeling is moving towards that and it's a long-going topic like you said it's a more interesting topic also to talk to these days and this is just a start you know this attack is just a start in the AI world it's happening every day every now and then so I don't know where we are headed to but this is a fun world.

Yes and to add on to your point I think the real irony here is that the same technology that uh GTG the AI system you know used uh to weaponize is also what Anthropic used to detect um the attack. Um absolutely. So yeah uh so you know if if AI is on the right side of this equation um then uh what is the scenario like like would it actually be able to catch uh you know what human analysts might miss? So how can AI be used um more strongly in a in defense?

Uh yes, see you already answered this. Anthropic you, if you recall, I think it it was a month ago, Anthropic actually put down a bot which could actually do vulnerability scanning and fixing and that disrupted the cyber security market. All the companies who was depending on vulnerability management like uh you know all the companies I would say there were there was a lot of companies which even I had investment on they all collapsed overnight and the the percentage of collapse was almost 20 to 30%. 
and the DTG group what we're talking about here like you said itself they use the same concept and that's the same thing which we are talking about here right it's not always AI like I don't know how much it changed over the last couple of weeks or couple of months it changes enormously changes in a very drastic scale because you are you are feeding them with a lot of information. It's not like you know if you look at Claude itself there is an option where you can add skills in Claude. It can work from the skills what Anthropic is giving you. But if you want to make Claude to learn a new programming language say example Rust or Go which Anthropic is not having the skill you can upload a skill to them like you learn the skill next time when you develop a piece of code for me you develop in Rust framework or in Go framework and and the Claude will actually do it for you. You think how much of time that will take for a human to actually do that to learn a new programming language. It will take at least a month in normal time or if you are if you are young or if you are doing colleges yes maybe overnight but in in our age if you want to develop something some playbook or something we take at least some time. 
So this is what the the real problem here right because it can scale at at a very high level and it becomes so different to see how the the the platforms actually detect it and also how how we can actually say this is an anomaly which we're actually seeing by the time you think it is an it's it's an anomaly it should have already been attack so That's the the ratio what we're actually talking talking about and that's where this is becoming more of a AI the the last point if you see you can see that is a AI augmented SOC and that's what we are looking or going towards I don't think every organization has reached the place where we can say we have an AI agent who's actually triaging every incident or every uh cases what we have at SOC right now but that's something which we are looking Like I said, an attacker would be triaged by a defender. Both are AI talking to each other. It's like the olden IR robot movies where a robot is talking to a robot and they really understand each other than and a human talking to them. They don't have any consciousness. They just know we have given a task to attacker has given a task to attack and we have given a task to defend. They that's the only thing what they do. There's nothing else. But we when it's a human being looking into it, we look at all angles, multiple places. Does it really connect all the dots? No, they are just focused on one activity. And that's where all this identity detection also comes in. That's what I told about the behavioral patterns. What we look at how this could actually be something which you have to see. So it's all in a in a nutshell like and here the other thing also which I like to call out Ana is that the importance of threat intelligence in an organization. 
Uh how would threat intelligence could relate to it is something which we also need to understand on because we should really know who are the state actors who are the national bad actors who are espaniers who are this who are that all that information a threat intelligence would have and they bring a lot of lot of things to the table so if you have at least know this attack group is targeting saying this type of organizations in this particular group or this particular region then you are more prepared for it. If you do not have that then you are like completely blind when it happens. So that's where it becomes more important for you and there are a lot of lot of other AI threat modeling also available in the market these days. You can actually just give a link like a imagine you have you know about DTG group now just give them the MITRE framework link and ask them to actually prepare a ask the AI threat model to prepare a complete threat model for you. It will prepare it for you the complete end to end model for you. So just do a tabletop with that and you're good. You are prepared for an AI attack. So but are you future ready still? Maybe not because it it keeps evolving and that's where this threat intelligence will come in. That is where this AI-augmented SOC will come in. Your ITDR will come in. Your SOAR will come in. So everyone in the organization would actually play a vital role. When I say organization, I'm talking about cyber security organization. So everyone in the team will actually play a vital role in AI based or AI based attacks or AI based defending going forward.

Yes, Nithan. Very interesting that you mentioned uh uh threat intelligence because uh um I'm skipping a few slides here because one of our upcoming webinars is about uh threat intelligence. Allow me just a minute to talk about it. 
Um it's an exciting master class on cyber threat intelligence and how you can build a career in this specialty uh which is um it's going to be led by President Kumar GK cyber security leader currently a chief uh uh in um security officer and also a LinkedIn top voice in information security. It's happening on the 8th of April which is a Wednesday um at 8:00 p.m. IST. So you will receive our email updates about it. If you would like to quickly register right away, you can scan on the QR code right here or click on the link um that I have just uh shared on the chat. Um sorry to hijack from you Nithan. Just um because you mentioned it, I thought it was relevant to um uh you know, talk about our upcoming session. I'm just you know sort of indicating that we are in alignment with what's in trend you know what's uh uh um you know um widely spoken about concepts. That's what like you know we want to bring into our webinar. So just wanted to come uh with that uh perspective and yes uh I know we are about an hour uh into the webinar so I will try to keep this last portion very very quick. Um we want to quickly introduce the AI powered cyber security mastery from IIT Pravartak and Simplilearn in collaboration with Microsoft. Um this program is designed to equip you with the cutting edge skills in threat detection, automation, modern cyber defense and a lot more. There's a emphasis on um hands-on learning through over 70 exercises and routine case studies uh much like what um you know we previewed in this webinar. So you're not learning just theory but also applying knowledge uh to practical security challenges. Um the capstone projects here are particularly interesting. They simulate real real cyber attacks and incident response scenarios. Uh so this gives you like you know very valuable experience in both offensive and defensive security operations. 
And definitely one of the standout aspects is the industry recognized program completion certificate from IIT Pravartak uh which is a technology innovation hub at IIT Madras. Uh you will also be receiving a course completion certificate from Microsoft. Right. So here is quickly the program curriculum um for interested learners. Uh this um learning module cover provides a comprehensive exploration of AI threat analysis, ethical hacking, vulnerability management, um red team tactics, blue team strategies and a lot more. Um so here are quickly the skills and the tools that you will be learning that you will be exposed to. Um but adding on to this I also want to say that an interesting part of the program something that like you know usually attracts and is very valuable to a lot of learners is a two-day campus immersion um um you know program uh at IIT Madras research park and yes so this is you know not just about a program completion certificate you also get career services uh through Simplilearn's job assist feature um which includes AI powered profile optimization for your LinkedIn and resume, interview prep, mock assessments, handpicked job opportunities curated by Simplilearn along with group mentoring and networking with peers, industry mentors. Uh so this is sort of like a full ecosystem um you need in order to hand um land uh your next role. Um for those of you who are interested, here are the fee details for Indian learners. The fee is 1 lakh 55,45 and a 15% discount currently with no cost options also available from 6,958 per month. Right? So uh for those of you who are interested to know more about the program um uh you can explore um in the link here you can also download the curriculum from the program page that I've just uh shared um or you can like you know scan the QR as well and get to know more about the program. So uh with that I will quickly launch a poll to take um interest in um enrolling the program. 
So um all you have to do is uh click on a yes or a no. Um even if you have any queries, you need more details, you are a little unsure, you would like to talk more with an expert, just please click on yes. Our um advisor will be getting in touch with you within 24 hours um and guide you forward. Right. Um so while we wait for everyone to show their interest, then let's look at a couple of questions that have come our way. Um just read that out. Okay. Uh so we have uh Raghav um asking about um AI powered red teaming. Um is that kind of like has this has it become a basic necessity these days with all the attacks that are happening?

I wouldn't say uh it's a it's a necessity but it's more of a it's it's important you to have it you know it's not I wouldn't say every is everyone going towards that but if you look at if you look at the way how it was in past we need to have a pen testing done we need to have a security research done then we do a patching then we do the vulnerability management and and then we do the next release for the application. Right? But here if you have a AI powered red teaming, it is more of a I would say it can do everything together for you. The speed the traditional speed what we used to have was at least two weeks of pen testing which we used to at least contact for a specific product. But with AI powered the same kind of pen testing what we're talking about here is been done in a day of two compared two weeks to one day that's the difference and it could also improve your go to market right if you want to if you have a critical product which you have to go live immediately and you can really use some of the AI powered red teaming but is that enough that's something which we should really ask do you have enough controls, do you have enough validations in place, do you have enough controls documented for this particular AI uh agents to actually do this kind of pen testing? What kind of access you are giving them? 
So I would say it's more of human-led strategy plus AI-driven execution at scale is something which we should look for. Don't give complete control for AI. Human should be there to lead the strategy and then AI take it over at execution that's something which we should really consider but a very good question thank you so much.

Yes thank you Nithan and thank you Raghav as well for that question um okay so with that I'm going to end the poll to take uh your interest in enrolling in the program and we know that most of you would be eager to know about the attendance certificate uh I would be launching another poll now to um take your name um please uh one second right please share your full name in this poll we don't need um your email ID or anything else just your full name as to how you want um um you know it to display in uh the certificate um and we will be able to generate the certificate and share it with you within the next 48 working hours. Uh meanwhile um one more question to you. Um okay so we have question from Skanda. He is a final year BCA cyber security student. Um he wants to build a career in cyber security and eventually reach a level like yours. Uh so he wants to know in today's industry what are some key skills or experiences uh that a student should focus on to like you know enter the cyber security field and like you know handle um high impact cyber incidents.

Okay a very interesting question. Thank you so much Skanda. But let me be very direct here. Cyber security today I would not call it just knowing about tools or knowing about certifications will not let you become something which we thought we could be 20 years ago. So it's about how you think under pressure and how you solve problems when you don't have a clear indication of how to handle it. So I would say you must build your skills in maybe it all depends upon where do you want to be right. 
So it depends upon if you want to go deep into cyber security then you should know about at least have a very high level understanding about networking, your operating systems, your basic cyber security hygiene, uh how to detect, your detection thinking. I'm not talking about how do you detect an attack but you should know from a normal perspective what would an attack really be. So don't just stop at theories, you know, come into come into seminars like this or webinars like this where people are talking about lot of case studies where you get more knowledge on, and also go to platforms like TryHackMe, Hack The Box, uh create a home lab, simulate attacks, detect them, log analysis, what more. You know I can I can talk an a full seminar on this question actually because that's a big thing. And always be curious to learn. Ask questions. Don't hesitate yourself from asking questions. You should always ask what did I miss? So what did I miss? Ask questions at at times. If something breaks in production, how bad is the impact? Or if something breaks, you should really ask what impact did this make? Does it make like again going back to the same topic of business crisis? So that's what every cyber security person to think. Be curious, be learning, you know, completely. Don't just chase tools, understand the concepts. There will be like 100 tools, you cannot be master of all the 100 tools, but if if you know the concept of one tool, how it is made and what the tool is actually doing, then you can do anything with the other 99 tools as well. So that's how you have to you know you have to understand about it. So in a nutshell yes that's how it is, but like I said be curious, ask questions and learn. Continuous learning is something which we should have.
Perfect. Yes. Thank you so much uh Nithan and thank you so much Scanda also for that uh uh question. Uh we have one more question from Raghav.
Um so Raghav I think in the interest of time we will not be able to take up within the session but let me take your question to the team. Maybe it's something that we can help you with um uh post uh the webinar. We'll see if we can uh compile some materials uh for you. Okay great. Uh so with that uh I am also ending the poll for the certificates and yes we are almost like you know uh 20 minutes uh past um our 1 hour time limit. So I would have to close uh the webinar. Uh apologies for uh you know a couple of you um whose questions we are unable to answer but we will try to get back to you on email with uh the answers. Great. So we are wrapping up this session. Um if you have any more questions please do feel free to write to us at webinars.net. uh or if you have any feedback to share uh we'd love to like you know hear from you and improve based on uh your uh suggestions. And Nithan, thank you so so much for your guidance and sharing your knowledge. It's been um this this was a very different session for me as well uh to you know learn from all these uh real incidents. Um so uh thank you so much uh for being here. Uh any final remarks to share, any advice for our learners?
Uh yes I have a very small thing to talk, just maybe I'll just take one on one liner. Uh always we used to talk about bringing awareness, and with all this what we spoke is not just about awareness, it's about how you execute it. So don't just learn, try to practice what you learn. Don't just read, try to do it in real time, how we can actually do it. So that's something which I want to you know make sure you take it forward from this learnings. So the capability what you want to learn comes from practice, exposure and learning from real scenarios. So Alenia I would like to see more sessions like this from Simplilearn which could really bring a difference to the people who are looking forward to coming into cyber security. So I must thank you for bringing up this session. Thank you so much Ana and the team.
Of course, and I think that's very very well put. Uh so with those wise words uh we are wrapping up the session. Thank you everyone for spending your last one hour with us. Uh we hope that you'll be able to apply the learnings from this session as well as what you get from our cyber security program, get ahead in your career, and I hope hope to see all of you in our next webinar as well on threat intelligence. Great. Uh, have a great day everyone. Thank you so much.
