To stop and deflect attacks and targeted malware, Amity University has deployed the Advance Threat Protection Sensor (ATP). In the next phase, ATP will use artificial intelligence to simulate the IT infrastructure of the entire country.
By Rashi Varshney
“The threat to the education sector is certainly getting worse. With vast stores of personal data and expensive research, universities are becoming prime targets for hackers. And mind you, these aren’t just college kids trying to change their grades but potentially ‘nation-state actors’, much like the hackers who target large corporations,” says JS Sodhi, VP & CIO, Amity Education Group and Executive Director, Cyborg Cyber Forensics & Information Security (CCFIS). The Amity Education Group has over 1,00,000 students studying across 1000 acres of hi-tech campuses spread over Delhi, Jaipur, Lucknow, Noida, Ghaziabad, Gurgaon and many national and international campuses across the globe.
To stop and deflect attacks and targeted malware aimed at its IT infrastructure, JS Sodhi and his team created a National Cyber Alert System with its flagship technology, the Advance Threat Protection Sensor (ATP). In an interview with Rashi Varshney of Express Computer, Sodhi shares the journey of how making Amity's cyber walls unbreakable across the globe led to the formation of the startup Cyborg Cyber Forensics and Information Security Pvt Ltd (CCFIS), a research organization set up by Amity Education Group at the Amity Innovation Incubator to secure the cyber walls of enterprise and government organizations.
Edited excerpts:
Please tell us about the National Cyber Alert System
The National Cyber Alert System is a project where we intend to deploy the network of our flagship product, the Advance Threat Protection Sensor (ATP), across all Internet service providers (ISPs) of India in order to safeguard the country’s IT infrastructure. The ATPs installed on different ISPs shall create a ‘Ring of Fire’ across India which shall not only capture general and targeted attacks along with malware but also deflect them before they enter the country.
The data from all ATP sensors installed across ISPs would be collected at our Central Threat Intelligence Collection Center and at our Global Security Operation Center (GSOC – Malware Analysis Lab). The malware captured would be reverse engineered by our highly skilled attack analysis team, who would generate reports and security bulletins observing trends in malware on different parameters and give recommendations on how to safeguard enterprises from such lethal malware. Also, real-time alerts of attacks would be generated to share research analysis, intelligence reports forecasting future attacks, attackers and attack patterns, and other malware trends with ISPs, government agencies, security researchers and companies, which will foster an environment of research collaboration where the Internet community can fight together. Along with a real-time online forum, a graphical real-time map will also be created.
The technology used for the National Cyber Alert System, which is our flagship product, the Advance Threat Protection Sensor (ATP), was developed out of the need to secure the internal IT network of Amity University from any dreadful compromise. And then, because of the threat landscape that the national IT infrastructure faces today, the idea of the National Cyber Alert System originated.
Though organizations have already deployed some kind of security solution, either hardware or software, to safeguard their networks from cyber threats, and even ISPs have deployed several high-end firewalls that block malware and attacks at the ISP level from reaching end users, only a few of them are doing analysis of attacks or malware to understand the key reasons behind the targeting. So the National Cyber Alert System has played a pivotal role in gathering intelligence information and passing real-time alerts of targeted attacks.
Could you please elaborate more on the technologies used for the successful setup of the National Cyber Alert System?
The technology used for setting up the National Cyber Alert System is the Advance Threat Protection Sensor (ATP-Sensor), which is an in-house developed technology of CCFIS. It is a malware and targeted attack capturing appliance. It captures malware and attacks targeted at any network infrastructure by simulating the actual network and deflecting attackers from the actual network to itself (the ATP sensor). Within this one device, it is possible to simulate 100s of servers, web applications and users, and hence it can replicate the entire network infrastructure.
Whenever an attacker tries to intrude into any network, the attacker is presented with two different networks: one being the original production environment network and the other being the virtual, monitored decoy of that network, i.e. the ATP sensor.
Our research proves that 70% of the time, the attacker chooses to attack the network with weak entry points and hence will target the ATP sensor. All the information about the attacker, like IP, attack type, tools used, methodologies used, intentions, malware, exploits, etc., is captured and saved in the ATP sensor for further analysis. The key features of the ATP sensor are that it stops and deflects attacks and targeted malware aimed at the network infrastructure. It also generates real-time alerts of attacks and identifies critical infrastructure that is being targeted.
The ATP sensor also captures targeted malware and collects attack logs for analysis and research by reverse engineering. It also exposes attackers’ information, further helping in forecasting future attacks, attackers and attack patterns.
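The decoy-and-capture idea described in this answer, reduced to a minimal local sensor as an added illustration (this is not CCFIS code, and the ATP sensor's internals are not public): a DecoySensor listens on a port no real service uses, records the source address, time and first bytes of every connection, and alerts() flags any source that touched more than one decoy. The probe() client, the service names and the payloads are constructed for the demo.

```python
import socket
import threading
import time
from collections import defaultdict
from datetime import datetime, timezone

class DecoySensor:
    """Listens on a decoy port, serves nothing real, and records who knocked and what they sent."""
    def __init__(self, service_name, host="127.0.0.1", port=0):
        self.service_name = service_name
        self.records = []  # one dict per connection: time, source, decoy name, first bytes
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind((host, port))  # port 0 lets the OS pick a free port for the demo
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, addr = self._sock.accept()
            except OSError:  # listening socket closed
                return
            with conn:
                conn.settimeout(1.0)
                try:
                    first = conn.recv(64)  # only the opening bytes are kept; nothing is executed
                except OSError:
                    first = b""
            # list.append is atomic under the GIL, so no lock is needed for this demo
            self.records.append({"time": datetime.now(timezone.utc).isoformat(),
                                 "src_ip": addr[0], "src_port": addr[1],
                                 "decoy": self.service_name, "first_bytes": first})

def alerts(records, min_decoys=2):
    """Flag sources that touched several decoys: a legitimate client has no reason to reach any."""
    touched = defaultdict(set)
    for r in records:
        touched[r["src_ip"]].add(r["decoy"])
    return {ip: sorted(d) for ip, d in touched.items() if len(d) >= min_decoys}

def probe(sensor, payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Constructed local client, used only to exercise the decoy; returns the captured record."""
    before = len(sensor.records)
    with socket.create_connection(("127.0.0.1", sensor.port), timeout=2) as c:
        c.sendall(payload)
    deadline = time.monotonic() + 5
    while len(sensor.records) <= before and time.monotonic() < deadline:
        time.sleep(0.02)  # the accept loop runs in a background thread
    return sensor.records[-1] if len(sensor.records) > before else None
```

A production sensor would add per-decoy rate limits and forward records to the collection point; here they stay in memory so the logic is visible.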
What has been the impact of the system? How far does the cyber security system keep cyber criminals away?
The first ATP Sensor was deployed at the Amity Lucknow campus, and we captured a lot of malware and information about attacks. With successful results from the first deployment, we installed the ATP sensor in the Amity University campuses of Noida, Gwalior, Jaipur, Manesar, Dubai and Singapore. While adopting different network topologies and different techniques each time to lure, attract and deflect attackers from the actual network to this ATP sensor, we captured an overwhelming number of attacks and malware samples in a very short time span of 4 months after deployment. We received around 500+ malware samples and more than 20 lakh attacks on our network.
After analyzing all the captured malware, we realized that most of it was designed to work on Windows XP and some of it was information-stealing malware. The very next month, we received a Windows XP 0-day in multiple campuses and attackers tried to compromise many systems. But our ATP sensor had given us an alert one month before the attack happened, and thus we were prepared.
Can you give us a small description of the expertise of your CCFIS technology team?
Our team of cyber forensic experts can recover data from any given storage media. They can safely extract electronic data from almost any computer system, iPads, GPS devices, CD-ROMs, USB memory sticks, digital cameras and other sources, even if the data has been previously destroyed, deleted or hidden. Sometimes they have to recover data from broken hardware, damaged hard disks, wiped-out files or data without the properties of the data files, etc. In addition, they can recover data after formatting, virus attacks, and even from password-protected files. Our forensics team also specializes in cell phone forensics.
Our incident response team gathers all available information by assessing the incident or computer-network intrusion and also identifies the impact, such as network downtime, duration of recovery from the incident, loss of revenue and loss of confidential information.
We not only analyze the non-volatile data, or data at rest, that exists on a system whether the power is on or off, e.g. documents on the hard disk, but also conduct live-box computer forensics, which gives access to the entire running system, including the volatile information contained in the memory chips (RAM) and whatever is on the live hard drive. A computer’s volatile information, the data that is contained in the memory chips, is lost when we remove power from the system or shut down the computer. The information found in memory includes user names and passwords, encryption keys, instant-messenger chat sessions, unencrypted data, open documents and e-mails, hidden code like rootkits, registry information, and other critical evidence. Since the runtime information found in memory is critical to many types of investigations, all of this data can help provide contextual information about the target subject’s activity on the computer.
Under non-volatile data collection, we copy the content of the entire target system through forensic imaging tools such as FTK. Imaging helps to preserve the original data as evidence without any malfunction or changes in the data. We use a write blocker to connect to the target system and copy the entire contents of the target drive to another storage device. The forensic image contains metadata, i.e. hashes and timestamps, and it compresses all the empty blocks while ensuring the integrity of the digital evidence.
In a reputable case dealt with by our forensic experts, they disinfected machines infected with malware, to ensure that no other machines in the premises or across the network had been infected, and under recommendations and policy formulation for the organization, our forensic experts suggested various countermeasures. For example, to protect against malware, they suggested authentication and password protection, anti-virus software, firewalls (hardware or software), DMZ (demilitarized zone), IDS (Intrusion Detection System), packet filters, routers and switches, proxy servers, VPN (Virtual Private Networks), logging and audit, access control time and proprietary software/hardware that is not available in the public domain.
While ensuring clients’ confidentiality and privacy, we take full precautions while obtaining and analyzing digital information, to maintain the authenticity and totality of the evidence and also to ensure adherence to jurisdictional requirements, especially in civil, criminal or administrative cases, as the evidence may later be presented in court.
The CCFIS is supported by the National Science and Technology Entrepreneurship Development Board (NSTEDB), Department of Science and Technology (DST), Technology Development Board (TDB), Ministry of Micro, Small and Medium Enterprises (MSME) and Ministry of Science & Technology, GoI.
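The hashes-and-timestamps step of forensic imaging that this answer mentions, as an added example that is neither CCFIS's nor FTK's code: an acquisition manifest records MD5 and SHA-256 of the image together with size, time, source and examiner, and a verify step re-hashes the image and reports the first mismatch. The image file contents, source description and examiner name are constructed sample values.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash 1 MiB at a time so a multi-GB image never has to fit in RAM
def hash_image(path):
    """Return MD5 and SHA-256 of the image; recording two digests is common in acquisition reports."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk); sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}

def write_manifest(image_path, manifest_path, source, examiner):
    """Record what was imaged, when, by whom and the digests taken at acquisition time."""
    manifest = {"source": source, "examiner": examiner,
                "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                "image": os.path.basename(image_path),
                "size_bytes": os.path.getsize(image_path),
                **hash_image(image_path)}
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest

def verify_manifest(image_path, manifest_path):
    """Re-hash the image and compare with the manifest; returns (ok, reason)."""
    with open(manifest_path) as f:
        m = json.load(f)
    if os.path.getsize(image_path) != m["size_bytes"]:
        return False, "size mismatch"
    now = hash_image(image_path)
    for alg in ("md5", "sha256"):
        if now[alg] != m[alg]:
            return False, f"{alg} mismatch"
    return True, "image matches acquisition hashes"

def demo():
    """Constructed 8 KiB 'image' (not a real drive): verify it clean, alter one byte, verify again."""
    with tempfile.TemporaryDirectory() as d:
        img, man = os.path.join(d, "disk.dd"), os.path.join(d, "disk.dd.json")
        with open(img, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed sample" + b"\xff" * 4096)
        write_manifest(img, man, source="constructed sample file", examiner="example")
        clean = verify_manifest(img, man)
        with open(img, "r+b") as f:
            f.seek(4100)
            f.write(b"X")  # one altered byte, same size: only the digests reveal it
        return clean, verify_manifest(img, man)
```

In practice the manifest is stored separately from the image and signed or kept under chain-of-custody control, since a manifest that travels with the evidence can be altered along with it.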
What is the next phase of the National Cyber Alert System?
The technology supporting the National Cyber Alert System, the ATP sensor, can as of now simulate IT infrastructure and IT appliances. It can also emulate gas stations that are connected to the Internet and various other SCADA appliances, to capture SCADA-based attacks and malware.
In the next phase of ATP Sensors, we will work on artificial intelligence, and the sensors will communicate with each other while simulating the IT infrastructure of the entire country. These ATP sensors will be synchronized on a common platform to generate automated alerts and share their captured data with each other to plan self-defense accordingly.