Expert insights 2: Cyber threats and security in the Caribbean 2017 update
Our 2017 Expert Insights series on network intrusion and security in the Caribbean continues with Hector Diaz, a network/IT security professional based in the Dominican Republic.
In this, the second in our Expert Insights series for 2017 on cyber threats and security in the Caribbean, we are thrilled, once again, to have Hector Diaz of Cylance, a cybersecurity products and services company, who is based in the Dominican Republic. Previously, Hector was Regional Account Manager, Caribbean, at Intel Security (formerly known as McAfee). He has extensive experience in the IT security space and possesses a diverse skill set, which includes a strong technical background in infrastructure and security.
ICT Pulse: Hector, give us a quick recap of what have been the most prevalent types of incidents in the Dominican Republic and/or in the Caribbean region over the past year or so? How has the threat landscape changed?
Hector Diaz: Hi Michele, thanks for having me as part of the series once again in 2017. The threat landscape in the Caribbean region has evolved to incorporate new techniques and to cover a wider spectrum of targets. Every year more and more companies and consumers are depending on technology for pretty much each process, from CRM systems to an individual purchasing some goods on the web. Per the 2016 Verizon Data Breach Report, and I quote, “in a [whopping] 93% of the cases they analyzed, systems were compromised in minutes or less and data exfiltration happened within minutes in 28% of cases. But even where exfiltration took days, the criminals didn’t need to worry. In 83% of cases, victims didn’t find out they’d been breached for weeks or more”.
If we add to this the growing and visible threat of ransomware, I think we still have a lot of room for improvement in the region in the adoption of proper policies and user education, which should also be complemented with technologies that can coexist with the user and provide protection without interfering with business processes or the actual user computing experience.
In terms of providing real/objective data about incidents in the region, it is almost impossible to get our hands on reliable data other than the telemetry that vendors can collect to identify the origin of a threat or the number of detections that occur in a region. Other than that, the region still lacks regulations that obligate organisations to disclose IT security incidents.
ICTP: Over the past year, ransomware incidents appeared to have been quite plentiful across the region. Are they still as huge a threat?
HD: Ransomware continues to be the most prevalent and visible threat, and it has evolved since our last conversation on this topic. Criminal campaigns today are more advanced compared to what we have seen in the past, with the added problem that samples and toolkits can be easily obtained and used successfully by criminals that have little to no hacking skills, often referred to as Ransomware as a Service (RaaS). There are plenty of examples of this “business model” where cybercriminals even provide Service Level Agreements (SLA) and technical support to their “customers”, massifying this problem to exponential levels, and these ransomware-as-a-service (RaaS) offerings are being released more and more frequently. Only three years ago, we would see maybe three or four legitimate RaaS offerings appear every year. Now, we see far more, often several per month.
Some of the features that these ransomware-as-a-service “subscriptions” include:
- Full interactive technical support, with an SLA of 24 or 48 hours on complex issues
- Full C2 functionality for tracking and managing infected hosts
- The ability to generate multiple binaries (the actual ransomware). The system appears to require between 5 and 10 minutes between requests
- The ability to create multiple, unique campaigns, and assign binary generation to those campaigns
- The ability to interact and chat with infected clients (a feature rooted in PadCrypt – more on that soon)
- Ransom amounts that can be altered per binary or per campaign
In addition to that, we are seeing ransomware being used for much more than just the typical ransoms.
Our Cylance SPEAR research team has seen it used as a diversion: first harvesting credentials for later use, and then encrypting the drive to keep IT staff occupied while the attacker covers their tracks and accomplishes even more nefarious objectives. And more recently, we are seeing highly opportunistic campaigns that encrypt entire networks in an organization and delete host backups prior to encryption, leaving the entire organization held hostage and unable to operate.
Another problem with ransomware’s proliferation is how easy it is for an attacker to create a new variant of a known piece of malware, making it invisible to most antivirus solutions that rely on signatures or file hashes to provide protection. That’s why we have seen so many cases where a user or company gets infected by ransomware and reports the situation to their provider, and despite the fact that the provider generates a signature to protect from this threat, maybe a couple of weeks later the person or company is affected again by the same problem. That makes it evident that a new approach is needed to provide an appropriate level of protection, and we have seen how many innovators are now exploring and developing new and innovative ways to tackle this problem, some of them from an endpoint detection and response perspective and some others, like Cylance, from a prevention standpoint.
ICTP: What are some of the new and emerging threats of which we should be more aware? And are there any areas of concern that you have for Caribbean organisations?
HD: At Cylance, we focus on how threats evolve to adapt to security products and still evade security controls. We have seen several areas where threats have evolved in a special manner, and we have written extensive blogs and research papers on the following areas. Some of these are not new, but attackers are still using the same methods; they just adapt them to evade security solutions. Some of these are:
- Universal Unhooking: a very technical threat to explain in this interview, but in a nutshell, code hooking is a technique used for redirecting a computer’s execution flow to modify software. Essentially, a ‘hook’ is something that will allow the developer to see, view, and interact with something that is already going on in the system. Code hooks can perform a wide variety of functionality, both innocent and nefarious, including:
  - Patching a bug
  - Performance monitoring
  - Disabling digital rights management systems
  - Capturing keystrokes (AKA keylogging)
  - Hiding processes and files (rootkits)
The antivirus (AV) industry uses code hooking to monitor processes for potentially malicious behavior, protect applications by injecting anti-exploitation checks, and isolate processes by sandboxing or virtualization. The technique can also be used by bad actors, for instance to implement a rootkit to hide processes and network connections from the end user and security software. Cylance has done extensive research on how attackers are using these techniques to evade traditional endpoint security solutions and become invisible on the victim’s machine.
- POS Malware: Point-of-Sale malware is nothing new in the region, but we have seen how attackers are modifying existing pieces of POS malware to create new samples that are, again, invisible to traditional security solutions. A couple of examples we have seen in the wild are:
  - RAWPoS Malware: where attackers have even removed functionality from their programs to create new variants and obfuscated the code to make it difficult to identify by signature-based solutions or file hash lookups, having a big impact on companies that rely on POS systems to conduct business.
  - Flokibot POS Malware: this is a piece of malware that uses RAM scraping to search for and collect credit card information that is exposed briefly during a PoS transaction. After a period, this data is then exfiltrated off-site to an attacker-controlled server. Flokibot, like most PoS malware, attempts to gain access to PoS devices via phishing attempts, stolen credentials, or a rogue insider. We have seen many cases of this malware attacking not only POS systems but ATMs as well in the region.
- Social Engineering: This is still one of the biggest problems in achieving a good level of security in companies of all sizes, and at Cylance we consider this the second most dangerous problem after malware execution. When attackers are not able to execute a piece of malware, they jump into social engineering techniques to try to get information about the user’s identity so they can later utilize this in more elaborate attacks. We have written some blog entries on this problem, identifying campaigns on popular social media websites such as LinkedIn: https://www.cylance.com/en_us/blog/social-engineers-target-linkedin-how-to-protect-your-organization.html and also one effective technique that hackers commonly use, which is to drop USBs around the building and wait for someone to connect one to a company computer: https://www.cylance.com/en_us/blog/social-engineering-beware-strangers-with-candy.html We think education is the only way to strengthen security against this threat.
ICTP: At the CARICOM/regional level, there has been a growing awareness of cybercrime and cybersecurity, and calls by leaders for something to be done. In your opinion, has there been any improvement in the cybersecurity-associated resources or support structures in the Dominican Republic, and/or perhaps regionally? What might still be missing?
HD: The Caribbean region’s awareness of cybersecurity is growing; we see more and more efforts from governments across the region to take this issue seriously. We have seen an increased participation of security professionals in multiple conferences, representing their respective countries, to advance the conversations around the implementation of cybersecurity laws and best practices.
We have also seen the creation of multiple regulations and guidelines for public entities to follow and implement, which is a dramatic advancement in the way public institutions are dealing with cybersecurity.
In my personal case, I’ve been invited to meetings where the CIOs of multiple Caribbean countries have outlined their plans and policies and it’s been good to see cybersecurity as a big part of their general Information technology frameworks.
The region lacks orchestration and/or regional guidelines on how to tackle the cybersecurity problems, and the level of maturity varies from country to country.
You can see more information around the state of cybersecurity laws and regulations on this report from OAS: https://publications.iadb.org/bitstream/handle/11319/7449/Cybersecurity-Are-We-Prepared-in-Latin-America-and-the-Caribbean.pdf?sequence=1
ICTP: Does it even make sense for small companies to send their network administrators to security training courses when security is not their full-time job, and given the pace at which the security landscape is changing? Or should such companies just accept the fact that they need to outsource this function?
HD: I think the problem lately has been the focus on learning about point products (which is also important) and not necessarily an investment in cybersecurity knowledge. This is also changing; we have seen an increase in the number of certified security administrators across multiple certifications in a variety of contexts, from risk management to actual penetration testing, as well as security awareness training for general employees.
Per ISACA, 82 percent of organizations expected to experience a cyberattack. But they felt they were relying on a workforce that was not qualified to handle complex threats, and on average 59 percent of enterprises got at least five applicants for each open cybersecurity position, but most of these applicants are unqualified.
When asked how long it takes for an enterprise to fill a cybersecurity position, only six percent of respondents indicate that they cannot fill open positions, while 55 percent of respondents indicate that open positions take at least three months to fill.
This gives you an idea of how important it is to prepare a training strategy for cybersecurity responders against this reality of more and more advanced threats targeting business processes.
ICTP: Do you agree that user naiveté is the number one security threat facing organisations? If not, what do you think is the most significant threat?
HD: I think social engineering and user dependence on technology for virtually everything is one of the main threats, but we need to understand that for the regular user, cybersecurity is not their domain; it is not what they do for a living or an important part of their day-to-day task list. Over the years, the security industry has built several complex solutions, increasing what we call “control friction”, which is how much we affect the user experience for the sake of security.
At Cylance we believe that the industry should focus on providing a decent level of security while reducing that friction: making security solutions effective and easy to use for the regular user, and making the lives of cybersecurity responders more focused on prevention, control and prediction.
ICTP: Should any organisation still be using tapes for data backup purposes?
HD: In this case I will say that backup is still a big part of an incident response and disaster recovery plan. The way companies store this information is beyond the scope of my experience, and I know some folks at backup companies that can comment with much more authority on this portion of the interview, but again, backup is VERY important, and staying on top of the latest advancements in this area is something that every CISO should be paying attention to.
ICTP: And finally, what are the top three (3) things businesses should be doing this year to improve their network/IT security?
- Reassess their security strategy to reduce control friction and increase the preventative and predictive capabilities of that control strategy.
- Invest in consulting services and education
- Participate in associations, communities and professional groups to exchange information about best practices, trends and overall security awareness
- Align cybersecurity with the business. We cannot continue to be a technology division; a cybersecurity strategy must consist of having all the key areas of a company together to enhance the way we address and also understand security risk, because today everything is connected and we depend on technology for pretty much every process in a modern business.
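Hector describes two points above that lend themselves to a behaviour-based, rather than signature-based, check: ransomware variants are trivially re-hashed to slip past file-hash lookups, and recent campaigns delete host backups just before encrypting. The following Python is an added editorial example and is not code from Hector Diaz, Cylance or ICT Pulse. It runs two simple heuristics over a constructed file-event log (the log format, the thresholds, the process names, the paths and the `.locked` extension are all assumptions): a process that renames many files to one new extension inside a short window, and a process that deletes several files under a backup path in the same window. A process that trips both is reported as critical.

```python
"""Behaviour-based ransomware indicator over file-event logs (added example).

Neither heuristic looks at file hashes or signatures, so a re-packed variant
that evades hash lookups still trips them as long as it behaves the same way:
  1. MASS_RENAME   - one process renames >= RENAME_THRESHOLD files to a single
                     new extension inside WINDOW.
  2. BACKUP_DELETE - one process deletes >= BACKUP_DELETE_THRESHOLD files whose
                     path contains "backup" inside WINDOW.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Optional, Set, Tuple

WINDOW = timedelta(seconds=60)      # assumed tuning values, adjust per environment
RENAME_THRESHOLD = 5
BACKUP_DELETE_THRESHOLD = 2

# Constructed sample log, not real telemetry. Assumed line format:
#   <ISO timestamp> <pid> <image> <op> <path>[ -> <new path>]
SAMPLE_LOG = """\
2017-03-01T09:00:01 1201 winword.exe WRITE C:\\Users\\ana\\Documents\\budget.docx
2017-03-01T09:00:05 1201 winword.exe RENAME C:\\Users\\ana\\Documents\\~WRD0001.tmp -> C:\\Users\\ana\\Documents\\budget.docx
2017-03-01T09:01:10 2200 svch0st.exe DELETE D:\\Backups\\ana-2017-02-28.bak
2017-03-01T09:01:11 2200 svch0st.exe DELETE D:\\Backups\\ana-2017-02-27.bak
2017-03-01T09:01:12 2200 svch0st.exe RENAME C:\\Users\\ana\\Documents\\budget.docx -> C:\\Users\\ana\\Documents\\budget.docx.locked
2017-03-01T09:01:12 2200 svch0st.exe RENAME C:\\Users\\ana\\Documents\\plan.xlsx -> C:\\Users\\ana\\Documents\\plan.xlsx.locked
2017-03-01T09:01:13 2200 svch0st.exe RENAME C:\\Users\\ana\\Pictures\\IMG_001.jpg -> C:\\Users\\ana\\Pictures\\IMG_001.jpg.locked
2017-03-01T09:01:13 2200 svch0st.exe RENAME C:\\Users\\ana\\Pictures\\IMG_002.jpg -> C:\\Users\\ana\\Pictures\\IMG_002.jpg.locked
2017-03-01T09:01:14 2200 svch0st.exe RENAME C:\\Users\\ana\\Desktop\\notes.txt -> C:\\Users\\ana\\Desktop\\notes.txt.locked
2017-03-01T09:01:14 2200 svch0st.exe WRITE C:\\Users\\ana\\Desktop\\README_DECRYPT.txt
2017-03-01T09:05:00 3100 explorer.exe RENAME C:\\Users\\ana\\Desktop\\old.txt -> C:\\Users\\ana\\Desktop\\old.bak
"""


class Event(NamedTuple):
    ts: datetime
    pid: int
    image: str
    op: str
    src: str
    dst: Optional[str]   # only set for RENAME


class Alert(NamedTuple):
    kind: str
    pid: int
    image: str
    detail: str


def extension(path: str) -> str:
    """Lower-cased extension of the file name, '' if none; accepts \\ or / separators."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def parse_line(line: str) -> Event:
    """Parse one log line of the assumed format into an Event."""
    ts, pid, image, op, rest = line.split(maxsplit=4)
    src, dst = rest.split(" -> ", 1) if op == "RENAME" else (rest, None)
    return Event(datetime.fromisoformat(ts), int(pid), image, op, src, dst)


def _push(window: Deque[datetime], ts: datetime) -> int:
    """Record ts, evict entries older than WINDOW, return the live count."""
    window.append(ts)
    while ts - window[0] > WINDOW:
        window.popleft()
    return len(window)


def detect(log: str) -> List[Alert]:
    """Run both heuristics over the log text; each (rule, subject) fires at most once."""
    renames: Dict[Tuple[int, str], Deque[datetime]] = defaultdict(deque)  # (pid, new ext)
    deletes: Dict[int, Deque[datetime]] = defaultdict(deque)               # pid
    fired: Set[Tuple[str, object]] = set()
    alerts: List[Alert] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.op == "RENAME" and ev.dst and extension(ev.src) != extension(ev.dst):
            key = (ev.pid, extension(ev.dst))
            n = _push(renames[key], ev.ts)
            if n >= RENAME_THRESHOLD and ("MASS_RENAME", key) not in fired:
                fired.add(("MASS_RENAME", key))
                alerts.append(Alert("MASS_RENAME", ev.pid, ev.image,
                                    f"{n} files renamed to .{key[1]} within {WINDOW.seconds}s"))
        elif ev.op == "DELETE" and "backup" in ev.src.lower():
            n = _push(deletes[ev.pid], ev.ts)
            if n >= BACKUP_DELETE_THRESHOLD and ("BACKUP_DELETE", ev.pid) not in fired:
                fired.add(("BACKUP_DELETE", ev.pid))
                alerts.append(Alert("BACKUP_DELETE", ev.pid, ev.image,
                                    f"{n} backup files deleted within {WINDOW.seconds}s"))
    return alerts


def critical_pids(alerts: List[Alert]) -> Set[int]:
    """Processes that both wiped backups and mass-renamed files: treat as ransomware."""
    kinds: Dict[int, Set[str]] = defaultdict(set)
    for a in alerts:
        kinds[a.pid].add(a.kind)
    return {pid for pid, k in kinds.items() if {"MASS_RENAME", "BACKUP_DELETE"} <= k}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"[{a.kind}] pid={a.pid} image={a.image}: {a.detail}")
    print("critical:", sorted(critical_pids(found)))
```

On the sample log the editor and the Word process each rename a single file to a different extension and never trip the rename rule, while pid 2200 fires BACKUP_DELETE on its second `.bak` deletion and MASS_RENAME on its fifth `.locked` rename, so it is the only critical process. Thresholds and the window are the knobs to tune against a site's normal build, sync and archive activity.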
Do you have any questions for Hector, or views you would like to share? Please leave them in the Comments section below.
Image credits: Rihards (flickr); H Diaz