Meet the expert: Igor Gutierrez to speak at PrivSec Global

Streaming live November 29 and 30, PrivSec Global unites experts from both Privacy and Security, providing a forum where professionals across both fields can listen, learn and debate the central role that Privacy, Security and GRC play in business today. 

Leveraging over 23 years’ Cybersecurity, Data Privacy and GRC experience, Igor Gutierrez combines deep technical knowledge with a wealth of practical industry skill. He is the winner of two national awards as a Security Leader and is well-known on national and international speaking circuits.

Igor appears exclusively at PrivSec Global to discuss Ransomware as a Service (RaaS), the evolving tactics of cybercriminals who exploit RaaS, and what businesses can do to optimise digital defences.

Below, Igor answers questions on his professional journey and the themes of his PrivSec Global session.

Could you briefly outline your career so far?

I’m an Information Security Officer and Data Protection Officer with over 23 years dedicated to Cyber Security and GRC and the last six years to Data Privacy. I am also winner of two national awards as a Security Leader 

I started out in an IT BitTech, then moved on to the financial sector to help define cyber security strategies. For the last 12 years I have been working in the automation and electromobility industry. 

Working in different business areas has helped me to have a very broad view of how to apply cybersecurity strategically in complex scenarios, helping me to develop the ability to create cybersecurity departments from scratch.

What factors have enabled RaaS to become such a tactic of choice for cybercriminals?

RaaS has become increasingly lucrative for criminal organisations because it allows its services to be contracted by anyone and a fee is charged on the value of all ransoms. 

The service is usually contracted via the Darkweb through a monthly subscription; a one-off fee; an affiliate program, and even profit sharing. Ransomware has become a major industry in the criminal underworld, worth billions of dollars a year. For this reason, attacks will probably continue to proliferate over the next few years. Ransomware might cost companies nearly $265 billion annually by the end of 2031.

The number of victim organisations surged in the first half of 2023 at 2.001, a 45.27% increase compared to the second half of 2022. Small and large enterprises were most targeted in the first half of 2023.

Many imagine that the people behind cyberattacks such as ransomware are highly skilled programmers. However, many attackers don’t write their own code and may not even know how to do it. Cybercriminals with coding skills often sell or rent the exploits they develop rather than use them.

RaaS providers generally offer 24/7 customer support and also offer step-by-step guides on how to carry out a ransomware attack with their tools, as well as closed discussion forums.

An example of RaaS is LockBit, which is one of the most widespread RaaS variants today, accounting for 17% of the ransomware incidents, more than any other variant. LockBit usually spreads via phishing emails. BlackCat also made waves in 2022 as it targeted several high-profile victims that include German oil companies and a European government.

A recent growing concern is the use of generative AI to develop malicious code that manages to evade a considerable number of protection tools, as well as the adoption of DarkGPT and WormGPT, which exponentializes criminal intelligence.

What action can companies take to avoid falling victim to such attacks?

The focus is on reducing the attack surface and making attacks on your environment increasingly expensive to the point of discouraging criminals from targeting your company.

Using Digital Risk Protection tools that monitor your company’s information on the DarkWeb and OSINT is an important step in understanding how exposed your company is.

Having complete visibility of your infrastructure is essential. I can give you some indication of what we can use to reduce our exposure:

Firstly, use the main frameworks and best practices on the market to improve your strategic plan. I suggest using frameworks and best practices such as CIS Controls, NIST, ISO27k series, SOC2, HIPAA, FISMA, COBIT, GDPR. Use your country’s regulations and frameworks, but don’t disregard what other nations also have.

• A robust and dynamic security awareness program: training employees, contractors, and other users to recognise phishing attacks and social engineering attacks decreases the likelihood of a RaaS attack being successful.

• Demand the same level of security from third-party companies connected to your infrastructure, and carry out due diligence and audits.

• Have an efficient vulnerability management program, not only for endpoints and their software but also for all types of equipment connected to your infrastructure, including firmware.

• Carrying out periodic pentests with a commitment to fixing all critical threats and not underestimating less critical ones.

• Use two-factor authentication (2FA).

• Implement endpoint security with EDR/XDR with behavioral analysis and integrations with other security layers.

• Segment networks to prevent widespread network proliferation.

• Email security: many ransomware attacks start with an infected email attachment. Scanning emails for malware and blocking email attachments from untrusted sources can help eliminate this attack vector. Using digital signatures through certificates helps employees to avoid phishing attacks carried out through spoofing.

• Frequent data backups and periodic recovery testing: ransomware makes organizations unable to access or use their data. But in many cases, an organization can restore its data from a backup rather than pay the ransom to decrypt it or rebuild the entire IT infrastructure from scratch. By the way, backups should be thoroughly analyzed, because imagine the chaos when you recover your environment and there are still traces of Ransomware in the backup.

• A good Incident Response plan.

• Use a Zero Trust model.

More mature companies still have controlled attack simulations using their RED/BLUE teams, but we know that this is not the case for most unregulated, privately held companies.

Finally, I have always maintained that companies in the same industry should share in closed discussion groups the types of attacks they have faced and how they are defending themselves. Based on this, industries in the same sector can speed up their defense strategies.