How to protect Middle East companies from a Careem-style attack

Opinion: Enterprises in the Middle East must substantially reduce attacker dwell time to prevent a successful breach, writes Rajesh Gopinath, cyber security professional, Paladion
By Rajesh Gopinath
Thu 07 Jun 2018 01:11 PM

You are an enterprise in the Middle East. You feel confident your security systems are thoughtfully set up and provide you with comprehensive protection.

So, instead of thinking about incoming threats, you go about your day-to-day operations, focusing primarily on your business’s key value driving functions. Everything seems to be progressing smoothly…until you get the news.

Another enterprise in the Middle East has been breached. Millions of files have been compromised. The public outcry deafens. Suddenly, you can’t focus on your business operations. Suddenly, a whole set of other questions enter your head: “How did they get breached?”, “What can we learn?”, “Are our defences strong enough?”, “Are we next?” And so on.

Unfortunately, this is not a hypothetical situation for enterprises in the Middle East. Recently, Dubai-based ride-sharing platform Careem announced a breach. Cybercriminals had infiltrated their systems and walked away with over 14 million records on the company’s customers in the Middle East. For many enterprises in the region, this became the week they had to ask how their colleagues at Careem got breached, whether their own defences are strong enough, and whether they will be the next enterprise in the Middle East to make headlines.

Many enterprises appear to be simply less careful with  their customer, vendor and third-party data than their own in-house data”

What happened to Careem?

On April 23, 2018, Careem announced via a blog post that its data was breached on January 14 of this year, and that 14-plus million records had been stolen. Careem is a major enterprise in the Middle East, based in Dubai and operating in 80 cities spread throughout 13 countries.

The cybercriminals who committed this successful attack stole the records of both Careem’s drivers and their customers – or “riders” as they call them. The information they stole included names, email addresses, phone numbers and trip data. It still remains unclear how much geo-data related to drivers’ and customers’ trips was stolen.

While no credit card data was stolen, and while Careem’s representative stated they have seen no evidence of “fraud or misuse related to this incident”, it is naive to believe the individuals whose information was stolen are safe. The criminals behind the attack can still cause plenty of havoc utilising the data accessed. For instance, the records give criminals enough personal information to perform additional phishing, or even social engineering, attacks against the affected parties.

What can we learn?

At first glance, Careem’s breach appears to be a repeat of Uber’s breach, announced last November. The similarities go beyond the fact that both are ride sharing companies: both companies lost massive amounts of records (Uber’s loss was put at around 56 million records); both companies took a substantial amount of time to announce the breach (Uber took nearly a year); and both companies lost driver and customer data but not corporate data.

This last point deserves further elaboration. Uber explicitly stated it only lost customer and driver data, and that its corporate network was not breached. Careem implied this fact, by only mentioning that customer and driver records were stolen, and without mentioning any loss of corporate data.

This fact is not as heartening as it might initially seem, however. Instead of speaking to the strength of corporate defences within both companies, it leads to the uncomfortable realisation that many enterprises appear to be simply less careful with, and to apply fewer defences to, their customer, vendor and third party data than they offer their own in-house data.

Given the increased interdependence between customers, companies and vendors, it is distressing to see many prominent enterprises in the Middle East accept even one “weak link” in their security. After all, today it can only take one breach in one corner of a company to create system-wide failure, substantial internal damage and lost reputation.


Careem attack

On January 14, a cyberattack on Careem resulted in the theft of personal data of up to 14 million people in the Middle East, North Africa, Pakistan and Turkey. In its statement, Careem said it “understands the importance of privacy.

We regularly review and update our security systems – this time it wasn’t enough to prevent an attack… we are committed to meeting these threats and protecting the privacy and data of those that have placed their trust in us”.

The company urged customers to implement good password management by updating their Careem password, and remain cautious of any unsolicited communications that ask for personal information.


Are you next?

Careem’s representative noted that it takes the company an average of 106 days to identify a breach. So while it is wise to ask if your current defences have already been breached, or whether you will be the next enterprise in the Middle East to suffer a breach, another question may be even more important to ask: “Is our security programme proactively hunting for attackers or waiting for an alert or breach to respond?”

At Paladion, several of our customers have reduced their dwell time from an average of 90 days to under two days. This is possible only using proactive threat hunting. And since manual threat hunting is slow, and speed is the primary success driver in cyber defence, we use a combination of AI-driven and manual threat hunting to achieve these results.

This means using a four-pronged approach. Firstly, using an experienced team to detect and anticipate current threats, usually from an external specialist. Secondly, they should be using a leading analytics platform. Paladion, for instance, uses a proprietary platform to generate actionable outcomes based on network threat analytics (NTA), user behaviour analytics (UBA), endpoint detection and response (EDR), and application threat analytics (ATA).

Thirdly, it’s important that any outsourced supplier engages your managed security service provider (MSSP) to understand specific concerns to create a custom threat profile.

Finally, every company should seek insider threat detection training. Taken together, this series of steps is the right – and perhaps only – approach to cyber security today.

Rajesh Gopinath, cyber security professional, Paladion

For all the latest tech news from the UAE and Gulf countries, follow us on Twitter and Linkedin, like us on Facebook and subscribe to our YouTube page, which is updated daily.

Last Updated: Mon 18 Jun 2018 11:22 AM GST

Subscribe to our Newsletter

Subscribe to Arabian Business' newsletter to receive the latest breaking news and business stories in Dubai,the UAE and the GCC straight to your inbox.