With nearly 15 years in the industry, Rohyt Belani is now firmly in “geek in suit” territory, having co-founded PhishMe in 2008. He told Mike Hine about the changing face of cybersecurity, the persistent threat of spear-phishing, and the importance of hands-on cybersecurity training.
Few things illustrate the relative youth of the cybersecurity industry better than the way in which we brand people ‘veterans’. Compared with the financial or legal trade, infosec professionals can achieve the lofty position of respected industry old-timer in a relatively short timespan.
Rohyt Belani, co-founder and CEO of NY-based PhishMe, finds himself in this position. “I feel like an old guy in the industry having been in it 14 years and having seen the evolution.” In a career that has included positions at Mandiant and Foundstone, Belani has covered a lot of ground – but he recalls his background in incident response “back when incident response wasn’t considered cool and sexy – this is 2001/02.” The main ‘threats’ back then, he remembers, were “teenage pranksters and people hacking for fun.”
Rising Through the Ranks
Considering how quickly things have advanced in terms of cybersecurity and crime, it does seem like a lifetime’s worth of development compared with some professions. This is perhaps also borne out in how quickly Belani has been elevated through the ranks.
Now he describes his role, and that of PhishMe co-founder, Aaron Higbee, as “geeks in suits.” Together they founded the company in 2008. The motivation for PhishMe – which, among other things, provides simulated spear-phishing attacks within enterprises to increase employee training and awareness – comes from the developments Belani noticed in the threat landscape during his time on the front-line in the industry.
“There was a huge shift in the landscape about ten years ago. Especially around 2005, we noticed that the nation states and cyber-criminals started becoming the real threat actors, and that spear-phishing was being used as the mechanism to break into organizations.”
The PhishMe concept was based on the idea that simulating a real-life phishing attack was the only way to actually set about mitigating the threat of these attacks, and building resilience in an organization’s workforce.
“We found that a lot of companies had posters in the hallway to educate employees about phishing. That is okay for awareness. But awareness doesn’t help if it doesn’t change behavior. We decided to simulate these phishing attacks, not at a [single] point in time, but on a continuous basis, so an employee will never know whether an email is a simulated attack, a real attack, or a legitimate email. So you’re always on your toes, which is really what we want.”
Human Sensors
Mitigating threats through hands-on education was the first part of the PhishMe project. But once employee susceptibility starts to decrease, that’s only half the job done, he says. The next step, Belani argues, is that employees must be turned into “human sensors,” able to provide continuous threat intel to IT departments as soon as they see a suspicious email. That way, even if one employee clicks, the damage can still be prevented by another employee reporting the attack.
To illustrate this point, Belani relates the story of a car-bomb plot in Times Square which was foiled by two vendors working street-side. They reported an unusual-looking parked car, the cops moved to investigate, discovered the bomb, and prevented an act of terror. All the CCTV and surveillance technology deployed in one of the world’s busiest tourist spots didn’t spot this threat. It was humans on the ground, with no security training, who spotted the anomaly.
“We’re deploying technology on the end-point on the network and hoping these technologies pick up anomalies and say ‘this doesn’t look right’. The attackers are smart. They will encrypt things so you can’t really see what’s going on.” The much-needed human intel factor augments the detection process.
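To make the “human sensor” idea concrete, here is an added example (not PhishMe’s code; the event-log format and the metric names are assumptions made here) that scores one simulated campaign on whether an employee report reached the responders before the first click, alongside the usual susceptibility and reporting rates.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log for one simulated campaign (format is an assumption,
# not PhishMe's): ISO timestamp, employee, action in {sent, clicked, reported}.
SAMPLE_LOG = """\
2015-06-02T09:00:00 alice sent
2015-06-02T09:00:00 bob sent
2015-06-02T09:00:00 carol sent
2015-06-02T09:00:00 dave sent
2015-06-02T09:00:00 erin sent
2015-06-02T09:03:40 bob reported
2015-06-02T09:07:15 carol clicked
2015-06-02T09:12:02 alice reported
"""

def parse_log(text):
    """Return (timestamp, employee, action) tuples, time-ordered; skip bad lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line: ignore rather than crash the scorer
        ts, who, action = parts
        events.append((datetime.fromisoformat(ts), who, action))
    return sorted(events)

def score_campaign(text):
    """Susceptibility vs. reporting: did a human sensor fire before the first click?"""
    events = parse_log(text)
    counts = Counter(action for _, _, action in events)
    sent = counts["sent"]
    clicks = [ts for ts, _, a in events if a == "clicked"]
    reports = [ts for ts, _, a in events if a == "reported"]
    first_click = min(clicks) if clicks else None
    first_report = min(reports) if reports else None
    # Seconds the responders had between the first report and the first click;
    # positive means the campaign was flagged before anyone was compromised.
    lead = None
    if first_click and first_report:
        lead = (first_click - first_report).total_seconds()
    return {
        "sent": sent,
        "susceptibility_rate": counts["clicked"] / sent if sent else 0.0,
        "reporting_rate": counts["reported"] / sent if sent else 0.0,
        "report_before_click": bool(first_report) and (first_click is None or first_report < first_click),
        "lead_seconds": lead,
    }
```

Run over real campaign exports, a negative `lead_seconds` is the case the article warns about: someone clicked before any report arrived, so the responders learned of the campaign only after the first compromise.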
But as Belani hinted, the trend reported by most security insiders is that, no matter how advanced the prevention mechanisms become, the bad guys always seem one step ahead. So in what way are phishing attacks becoming more sophisticated? One of the things people don’t realize, he says, is the amount of effort and money that gets spent setting phishing attacks up.
“[The bad guys] will do their reconnaissance on the organization to try to figure what systems it is using to catch malware. Then they’ll try to get bootleg copies of that software and run their malware through it and keep tweaking it until it bypasses it. Then they need to set up command-and-control infrastructure. That’s another expensive thing to do because you have to realize which ports the firewall is going to allow through, what stuff they are looking at on the outbound, data loss prevention...”
Getting to Know You
Research into individuals’ personal details in order to create ultra-targeted phishing attacks is another ongoing problem. “Conversational phishing,” Belani reports, “is something that the nation-state actors have been doing a lot of.” These attacks will masquerade as a real conversation started by a known associate of the target.
“Imagine we met at Infosecurity Europe,” Belani offers as an example. “The week after you receive an email from someone that says ‘Great to meet you at the conference, enjoyed your talk there; I’d love to share the slides with you. I’m sending this email from my iPhone but when I get back to my workstation, I’ll send it to you.’ A benign email.”
Belani continues: “Four hours later an email shows up with a PDF attached. ‘Hi, following up here are the slides I was talking about.’ Two hours later an email shows up saying, ‘That attachment I sent was 5MB, did it come through okay?’ They emulated a conversation here to the point where a normal human being out of niceness goes and clicks the attachment. That document is laden with malware and the next thing you know your system is compromised.”
The lengths that criminals go to in order to perpetrate these highly targeted attacks are not surprising given the profit to be made. Given the cost to the victim, it’s clear that phishing attacks are still as much of a threat as they were 10 years ago – if not more. “There are a few studies out there that have been saying that the average cost of data breaches is to the tune of £2-3m. But the better way to think about it is that the percentage of revenue potentially impacted is fairly significant.”
Talking Plain English
Given the increasing sophistication of adversaries, and the escalating impact of breaches, it is clearly imperative that organizations step up the resilience of their defenses. Skilled professionals, as is constantly reported, are hardly in superabundant supply, though. What does Belani suggest as a way to combat the recruitment shortfall?
“I think there’s a need for a more practical focus on cybersecurity at universities. The way cybersecurity is taught is very theoretical in nature. You get these PhD professor types who come in and say ‘We’re going to spend the next three weeks analyzing this protocol to death mathematically.’ That’s good – but I’m not going to remember any of that the moment I step out into the real workforce.”
At the same time, Belani acknowledges that cybersecurity is now “a truly board-level topic.” Given that development, communication between IT and senior executives is more crucial than ever – which raises the issue of the much sought-after ‘soft skills’ in the emerging workforce. Is it harder to teach the technical skills, or the ability to go beyond communicating in bits and bytes?
“As long as people have the right basis in an electrical engineering or computer science background, they can definitely learn the necessary skills. But you also have to be able to translate it into plain English and present it to the board, who have no idea what you’re talking about.”
Increasing board involvement in infosec issues is, to some extent, a double-edged sword though. “The media has done a great job of bringing this to people’s attention – but the downside is that if the Wall Street Journal writes a story about a data breach, the CEO of a large organization who’s reading it is going to say to the CIO, ‘Are we covered for this? Divert all funds to this kind of breach.’ There’s a kneejerk reaction.”
Belani is better placed than many to reflect on the changing face of the information security industry, having experienced “all the ramifications we’ve seen develop over the last ten years with social media, consumerization of personal ID, smartphones…” But one of the most striking changes he notes is not technical at all.
“When I see stories like the Sony breach, I think back to my time at Mandiant ten years ago. Back then it was not acceptable for companies to announce breaches or disclose clients. It was all confidential – we couldn’t disclose who we were working with because that was essentially announcing who had been breached. Now it’s being put out in press releases!”