Repelling A Ransomware Attack: Varun Talwar of Tetrate On The 5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack
Ransomware attacks have sadly become commonplace and increasingly more brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack?
In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack.” As a part of this series, I had the pleasure of interviewing Varun Talwar, Co-founder, Tetrate and Co-Creator Istio and gRPC.
Varun has co-created not one but two very widely used open source projects — the Istio service mesh and the gRPC framework for remote procedure calls. He wants Istio to do for networking what Kubernetes did for compute. The philosophy that has driven him to create these open source projects: Solve a hard problem and make it easier for people to adopt the technology. He developed a first-hand understanding of the challenges that enterprises are going through with modern applications on heterogeneous infrastructures and wanted to solve for those. Varun and JJ Jeyakirthi founded Tetrate to create a safer and more responsible path to application modernization for enterprises.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in Delhi and got my first access to computers in the mid-1990s, when Linux was starting to become widely used and the Web was just taking flight. My interest in computers was born out of my love of mathematics and I dove deep into logical experiments.
I had a high-energy teacher we called “Dash” who drove me to have a deeper interest in the PASCAL programming language, and he was instrumental in getting me interested in computer science. For a few years, I was part of a club that worked together to improve our programming skills.
My friend Virat and I won most of the programming competitions in Delhi during this time. In 1998, I “earned” my first personal computer, once my parents were convinced I could do something with it.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
It was a bit by chance that I pursued a career in cybersecurity. I was initially enamored with the cloud and large infrastructure (YouTube, Google Maps, Google Cloud). Upon joining the Google Cloud Platform (GCP) team, I began to grasp the impact that cybersecurity would have in the future.
The Snowden leaks were happening around the time I joined GCP in 2014, and this was mega-news for months and months. It gave me a new perspective and a bit of appreciation for what can happen if things go wrong.
Cyber attacks were happening frequently at Google, and some of the technologies that we are building today are inspired by the effort to defend against attacks like those. The consequence of one certificate being bad could be catastrophic, so Google built very strong security.
But people without the engineering power of Google struggle to build security that can prevent attacks. At Tetrate, we build application networking products where security is the default and not something that application developers need to add separately.
Can you share the most interesting story that happened to you since you began this fascinating career?
One of the most exciting projects of my career was at YouTube in 2012, when the skydiver Felix Baumgartner jumped to Earth from space. This was one of the biggest live events in the history of YouTube at the time.
Six months of planning went into this, with a “war room” and multiple fire drills. As Baumgartner was going up, traffic kept building. At the peak moment, when he was about to jump, nearly 10% of all internet traffic was on this live stream.
Working on the infrastructure to keep all that traffic flowing and the experience seamless was invigorating. This experience also got me more interested in infrastructure and ultimately played a key role in me moving to the infrastructure space and co-creating the Istio and gRPC open source projects.
You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?
The first is seriousness. I enjoy my work, and I have fun with my colleagues at Tetrate and beyond. But we are working on important topics that make a difference in people’s lives. That requires us to be serious in our work. And I’ve been serious about technical contributions since my boyhood in India.
The second is a collaborative spirit. In open source projects, it’s not about ego. Everything is a team effort. It’s remarkable what can get done in the open source world when no one worries about who gets the credit. At Google, we were encouraged to contribute, and they had our backs as to spending the time and effort needed, without worrying about public recognition.
The third is a desire to change the world. I’ve been able to contribute to open source projects that help developers everywhere create and deliver exciting new applications — many of which I don’t even know the details of. But they’ve helped change the world, and I want to keep doing that, now from my position at Tetrate.
Are you working on any exciting new projects now? How do you think that will help people?
Everything we’re doing at Tetrate, and in our continuing open source work, is exciting to me. Let me choose something we are doing that the world already knows about, so I don’t spill any secrets.
For three years now, we have co-sponsored an annual conference with the National Institute of Standards and Technology (NIST) on service mesh and zero trust architectures. This puts deep discussions about cutting-edge technical topics in front of hundreds of attendees, and the recordings go in the public domain. You can go view them right now! With this one effort, we accomplish a big lift — often, again, with results we may never even know about directly.
For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Ransomware?
IT security and its implications have been at the core of my working life for fifteen years now. Ransomware is not only a professional concern; it’s personally offensive to many of us who work in this space. So I understand all too well how ransomware works, and how important it is that we eliminate the ability of criminals to hold our critical computer systems hostage.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of ransomware attacks?
There are three issues with ransomware: How they get access to your system, what they do once they have access, and how criminals try to get you to pay them to make it stop. The main types of ransomware vary across these three issues.
Crypto ransomware and lockers block you from accessing your own system. Crypto ransomware takes a valuable feature — the ability to protect your information — and turns it against you, encrypting your files so you can’t access them anymore. Lockers accomplish roughly the same purpose by locking your system completely. This is actually tougher on the attacker, because they can’t use your system to complete the ransom cycle; they have to communicate with you some other way.
Doxware or leakware is similar, but you keep access to your files. Unfortunately, so does the hacker. They threaten to distribute the files widely unless you pay them off, or meet some other demand. The more sensitive your data is, the scarier the threat is.
Scareware is a way for hackers to get access to your system. It claims to have detected malignant software on your computer, and offers to fix it for you. When you click to agree, that actually gives the scareware access to your system. The hackers can then do any number of things, from flooding your screen with pop-ups to encrypting your files or locking your system.
Who has to be most concerned about a ransomware attack? Is it primarily businesses or even private individuals?
All of the above. There are businesses that have backups and can easily recover from a locker attack, for instance. And there are private individuals who would give almost anything to keep their computer files from being made public.
The threat that really concerns us is when ransomware is used on critical infrastructure, such as a railway or a public utility. Lives and economic viability can be at stake. And these are the attacks that seem to have motivated a new level of concern, from the US federal government and others.
Who should be called first after one is aware that they are the victim of a ransomware attack? The local police? The FBI? A cybersecurity expert?
First, the police. You have to start the paper trail on what’s happened to you, and no one else you alert will take you seriously until you’ve done this. And at some point down the road, if you have to file an insurance claim, you will routinely be asked for the ID number for a police report.
Then, additionally, in the United States, contact the FBI. There are a couple of ways to do this; the FBI provides details here. In other countries, you will have to do research online to find the equivalent procedure in your country.
Now if you have concerns about reaching out to law enforcement, you will need to contact an attorney first. Look for an attorney with expertise in security issues.
If you reach a knowledgeable resource at one of these sources, ask them what to do next. But yes, you may then want to contact a cybersecurity expert. Be extremely careful, however. Many of the resources you find online for these kinds of things are untrustworthy. This can range from charging you a lot for very little help to actually being cybercriminals themselves, who will get you and possibly others in much worse trouble than you’re already in. Find trustworthy support for whatever claims a given provider may be making, and verify that the support is real, before you proceed.
If a company is made aware of a ransomware attack, what are the most important things they should do to protect themselves further, as well as protect their customers?
I’m sorry to dodge a bit here, but if you have been successfully attacked, you’ll need expert guidance on your specific situation. Doing the wrong thing can easily make your plight much worse, or involve others who are trying to help.
The fact I have to be so vague actually conveys the most important lesson about ransomware: protect yourself before, not after. Consult with cybersecurity experts to find the most important steps to take, depending on the stakes for you and your level of risk. A bank will have a different level of concern than a retail , and that will be different from a private citizen.
Should a victim pay the ransom? Please explain what you mean with an example or story.
Do everything possible to resist, but in some cases, yes, you will find it necessary to pay. Only do that after taking the steps above, because law enforcement can still help you a great deal.
I’m aware of some cases the public doesn’t know about, but of course I can’t speak to them. However, a publicly known case, the Colonial Pipeline attack, is a useful example.
Attackers locked up Colonial Pipeline’s infrastructure, disrupting gasoline supplies to the US East Coast. This caused economic disruption well beyond the company itself, as gas stations, for instance, quickly ran out of gas.
The company paid a ransom of more than $4 million and service was restored. The FBI was able to recover most of the money shortly afterward, but the attackers remain at large. Experts said that an organization of Colonial Pipeline’s size and importance should have had better protections in place.
What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?
You can sum it up as people, processes, and protection. Employees need to be trained not to, for instance, click on links in suspicious emails. Processes need to be put in place to prevent as many suspicious emails as possible from reaching their intended victims. And “protection” means that hardware and software systems can be put in place to prevent many attacks, to isolate an attack that has initial success — for instance, locking up one user’s computer — from spreading further, and to efficiently recover from an attack once it has happened.
What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?
There are bottom-up and top-down approaches, and I’m reminded of the old quote from baseball manager Yogi Berra: “When you come to a fork in the road, take it.” I mean that leaders need to take bottom-up approaches first: education, improved processes, and yes, paying for protective steps. But they also need to take top-down approaches: higher standards for hardware and software companies to build in security, better capacity for law enforcement to detect and prosecute offenders, even international agreements around sharing information about attacks, so as to find and prosecute the criminals involved.
Here is the main question of our interview: What are the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack” and why? (Please share a story or example for each.)
There are many more than five things, of course. But here are five steps you can take today:
Assess your risk. Think through what you would stand to lose if a ransomware attack were successful. For instance, a teenager might only suffer the loss of further use of their computer if it were locked down. But that attack might spread through wifi to the entire family, which might include small business, large business, or even highly secret or classified information. You can think this through now, and take the right level of steps to protect whatever you have that needs protecting.
Reduce your risk. Does information X really need to be stored on every employee’s computer? This can apply to a company that’s sloppy with confidential information — or to an individual who has embarrassing photographs from a few years ago in a “secret” (not secret to hackers) folder on their computer or phone. Sometimes deleting information — and then using a utility program to really get rid of it — is the simplest way to protect it.
Keep your systems up to date. Security experts are constantly playing whack-a-mole to stop new threats by updating software. If you don’t keep up with updates, it’s your mole that might get whacked. In particular, apply system software updates as soon as they appear.
Protect your passwords. Maintaining your own passwords safely is probably not practical for most of us. Use a commercially available — and widely trusted — password locker or similar tool to keep your passwords safe and secure.
Get expert help before, not after, you’re attacked. Find the appropriate level of expert help for your situation. Then engage and take the steps they recommend to reduce your exposure and risk. The old saying was never more true: an ounce of prevention is worth a pound of cure.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)
For technically oriented people like myself, perhaps the single best thing we can do is to contribute to the open source movement. Luckily, for years now, I’ve been able to do that every day. As you say, you never know what your idea — even a relatively small contribution, like fixing a security hole or helping write a “how to” guide in software documentation — can trigger.
How can our readers further follow your work online?
Well, at Tetrate, we’ve had to hire a marketing team. They’re very good, but they don’t let me say much without cleaning it up first. But I’m still involved in the Istio and Envoy projects, so probably following those on GitHub is the easiest way to keep up with my work.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!