
Xavier Mertens: “Cryptojacking is one of the most brilliant attacks I've seen.”



As a rule, the goal of hackers has always been the theft, destruction or damage of information, but today, above all, they seek financial gain in exchange for information. Attacks are becoming more professional, and businesses are built around them. A few years ago it was quite difficult to buy ransomware or rent a botnet to launch attacks. Xavier Mertens, an independent information security consultant and well-known IT security blogger, insists on the importance of traditional security in dealing with these new, highly effective threats. Mertens's participation in the SANS Internet Storm Center, a global cooperative system for preventing cyber-threats, gives him a complete picture of the latest attacks.

Pedro Uria (PU): How can information security specialists adapt to these new needs?

Xavier Mertens (XM): Regular remedies are still important. If employees can follow typical security measures (implementing appropriate network segmentation, using secure passwords, properly configuring devices and not providing confidential information on the Internet), then I believe that they can be protected from any modern threat.

Most security problems arise from the fact that people need to perform daily tasks, but they are not aware of the elementary measures necessary to protect them. Recently, I tried to scan a document, and after checking the credentials and the firewall, and also making sure that the printer was working correctly, I realized that I could not do it because the outdated Server Message Block version 1 (SMBv1) protocol was configured, which is not recommended. So this is a case where you have to decide whether to turn it on or not.

Users usually keep the default settings, because they do not know how to change them, or they simply do not have time to do so, because they just want to get on with their daily work. But it is not so difficult for industry experts to solve these basic problems and secure tools as common in companies as printers.



PU: What is the Internet Storm Center? What is your role as an ISC Handler?

XM: The Internet Storm Center is an organization whose goal is to monitor the Internet and ensure its proper operation. Using automated tools, we collect information for industry professionals, generate useful content in the form of an information security magazine, and try to increase awareness of the problem. For example, using the DShield project, people can send their firewall entries to develop our database and create a detection system. We were able to detect the Mirai botnet because we had tools that showed activity peaks at certain ports. We are the firemen of the Internet.
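The per-port activity-peak check Mertens credits with exposing Mirai, as an added example that is not code from the interview, the ISC or the DShield project: it parses constructed firewall deny lines and reports a destination port whose latest-day count stands well above its earlier daily counts. The five-field line shape, the 3-sigma threshold and the minimum-hit floor are assumptions of this example.

```python
# Added example, not ISC or DShield code: per-port activity-peak detection over
# constructed firewall deny lines simplified to "date src dst dport proto" (assumed).
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: port 80 is steady background noise; port 23 (telnet) gets
# one hit a day until the last day, when six distinct sources hit it.
SAMPLE_LOG = """\
2016-09-01 198.51.100.7 203.0.113.2 80 tcp
2016-09-01 198.51.100.9 203.0.113.2 23 tcp
2016-09-02 198.51.100.11 203.0.113.2 23 tcp
2016-09-03 198.51.100.12 203.0.113.2 23 tcp
2016-09-04 198.51.100.7 203.0.113.2 80 tcp
2016-09-04 198.51.100.20 203.0.113.2 23 tcp
2016-09-04 198.51.100.21 203.0.113.2 23 tcp
2016-09-04 198.51.100.22 203.0.113.2 23 tcp
2016-09-04 198.51.100.23 203.0.113.2 23 tcp
2016-09-04 198.51.100.24 203.0.113.2 23 tcp
2016-09-04 198.51.100.25 203.0.113.2 23 tcp
"""

def daily_port_counts(log_text):
    """Return {dport: {date: hits}}; malformed lines are skipped (crowd-sourced feeds carry junk)."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[3].isdigit():
            continue
        date, _src, _dst, dport, _proto = fields
        counts[int(dport)][date] += 1
    return counts

def find_port_peaks(counts, min_baseline_days=3, sigma=3.0, min_hits=5):
    """Flag ports whose latest-day hits exceed mean + sigma*stdev of earlier days (assumed rule).
    Days without hits count as 0; min_hits keeps a lone packet on an all-zero baseline quiet."""
    all_dates = sorted({d for by_day in counts.values() for d in by_day})
    if len(all_dates) <= min_baseline_days:
        return {}  # not enough history to judge a peak
    latest, baseline = all_dates[-1], all_dates[:-1]
    peaks = {}
    for port, by_day in counts.items():
        history = [by_day.get(d, 0) for d in baseline]
        threshold = mean(history) + sigma * pstdev(history)
        today = by_day.get(latest, 0)
        if today >= min_hits and today > threshold:
            peaks[port] = (latest, today, round(threshold, 2))
    return peaks

if __name__ == "__main__":
    print(find_port_peaks(daily_port_counts(SAMPLE_LOG)))
```

On the constructed sample only port 23 is reported, with six hits on the last day against a baseline threshold of 1.0.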

PU: How can we avoid modern attacks, similar to those intended for mining cryptocurrency?

XM: Protection remains the same as against other types of malware, because cryptocurrency mining is done with the help of malicious code running on your computer. The standard tip is still this: have an information security solution that protects you completely, and do not click on unknown links or download unknown files. However, I think that cryptojacking is one of the most brilliant attacks I've ever seen. Criminals are moving from ransomware to mining because it is much less intrusive, and you don't need so many resources to avoid detection. With ransomware, you do not know whether the victim will pay the ransom, because they may have backup copies of their files. But with cryptocurrency mining, you are sure that you will be able to recoup your investment, while not acting so aggressively and defiantly. You can run mining on any type of device, unlike ransomware, which is limited to Windows, Mac, or Linux, and the victim's system will still work, despite the attack.

A colleague from the ISC analyzed his computer's power use while it was mining cryptocurrency. The computer's fans and processors were constantly under high load and running at full force. So you can imagine the consequences that a company with a large fleet of computers may face during mining: rising energy consumption, a significant impact on data center traffic, and possibly even an increase in office temperature.

PU: You have a GIAC certification in malware reverse engineering. Should companies invest in this type of analysis?

XM: I don't think you should invest in reverse engineering if you don't have a large budget and a lot of time. The goal of companies is not to understand the behavior of malware, but to ensure that normal activities can be restored as quickly as possible. When malicious files are analyzed, we want to know how they behave so that we can generate a list of Indicators of Compromise, share it with other researchers in the sector, and provide this information to clients.

PU: How to make an effective incident response plan?

XM: Incident response plans are not easy to make, especially if they are intended for companies that do not have the resources or appropriate personnel. In my opinion, you can always start small. The first step is to prepare, raise awareness and involve all employees, and this is exactly what any company can do.

PU: As the deadline approaches, how can companies prepare for the entry into force of the GDPR?

XM: The GDPR is designed to protect user privacy. Therefore, if you implement a comprehensive security strategy, if you know where the data is and how it is protected, and if you only collect information that is essential for running your business, then the GDPR should not be a problem for you. This policy takes us back to some basic, simple recommendations: encrypt your information, do not store passwords in open files, make sure that databases are not exposed to everyone on the Internet, and so forth.

Perhaps the biggest problem will be for small companies that do not keep an inventory of all the information they possess, not only internal data, but also the data they share with their suppliers and users. Companies are now in the process of reviewing all the information they have, and we hope that they will take the necessary measures to adapt to the requirements of the GDPR.

Source: https://habr.com/ru/post/358674/

