
Cyber threat study highlights mid-market weak spots

BY Eldon Sprickerhoff

October 4, 2016 | 13 MINS READ





Cybercrime has become prolific. The complexity of attacks and the armies of threat actors driving those attacks have morphed so quickly that today reported breach events dominate daily news headlines. Perhaps more troubling, though, are the numerous unreported security events.

We’re three-quarters of the way through the year and already hackers have decimated cyber-heist records. From the Panama Papers hack (which publicly released more than 11 million sensitive documents from global law firm Mossack Fonseca), to the DNC email hack (which leaked 20,000 emails), to the Yahoo email hack (with 500 million user accounts compromised), breach events are yielding staggering results.

Consider the rash of ransomware attacks impacting businesses operating in every segment and the giant bank heists this summer that routed millions of dollars by compromising bank transaction systems. Whether it’s credentials, personally identifiable information (PII) or cold, hard cash, threat actors have hit pay-dirt this year.

Even in summary, this mid-year review is a sobering reality check. What’s more frightening is what’s revealed when we go deeper than the headlines. Sure, it’s alarming that major multinational corporations have fallen victim to attack, but if the big guys are struggling to defend their networks from attacks, what does that mean for small and mid-sized enterprises?

The truth is, businesses are scrambling to better understand what their unique risk profile looks like and how they can defend against cyber-attacks. Small and mid-sized organizations now represent more than half of security incidents that result in data loss. Unfortunately for businesses operating in this space, they’ve become a popular attack target.

Unlike their larger peers, mid-sized enterprise often lacks the resources and budget required to maintain the robust defenses required to defend against today’s complex attacks.

However, this year’s cases demonstrate that even if you can afford and support teams and technologies to fortify defenses, bad guys will surely find a way to get into your network.

Healthcare organizations, investment firms, credit unions, law firms, retail outfits and even the DNC itself all find themselves in the crosshairs as mid-sized organizations. While larger outfits grab the headlines, buried in the news are stories about a smaller hospital recovering a disabled system after a ransomware attack, or a hotel scrambling to reassure patrons that their cards weren’t compromised as part of a newly discovered data breach. Those kinds of stories give a glimpse into why mid-size enterprise now accounts for more than half of reported breaches.

Government and regulatory bodies, recognizing the vital role SMB plays in regional and global economies, are increasing their focus, defining new frameworks and audit processes to help ensure businesses remain compliant with governance measures, and therefore, are better prepared for cyber-attacks.

Emerging compliance requirements and sophisticated cyber-attacks further complicate the situation that SMBs already find themselves in when it comes to cybersecurity. At the center of the storm lives one fundamental reality – technology simply isn’t enough.

eSentire focuses on mid-sized enterprise, protecting clients with a highly customized, high-touch, eyes-on-glass service. Our clients aren’t unlike the organizations profiled in many of today’s breach stories: they often have limited funds and internal resources available to manage cybersecurity programs themselves. Usually they will already have various security technologies in place.

When an organization becomes an eSentire client, significant time is spent ensuring that appropriate policies are in place and that the network is ‘hygienic’. Whether large or small, a common characteristic shared by all clients is the likelihood that they’ll be targeted for attack. A notable and significant difference is that while larger organizations may find themselves defending against highly sophisticated attacks, many small and mid-sized organizations still struggle with rudimentary threats.

As part of our own industry profiling initiatives, eSentire commissioned a study analyzing its own data of all incidents actioned by its Security Operations Center (SOC) from January 2014 to January 2016. What the study reveals is that contrary to popular opinion (driven mostly by mainstream media), the greatest risk facing mid-sized enterprise isn’t coming from sophisticated, targeted threats. The most common vectors affecting organizations in the small to mid-size space are rudimentary, unsophisticated attacks.

Exploring the Data: Visible Trends

Easy Wins & Low Hanging Fruit

As we examine the data, four common types of security incident keep showing up as heavy hitters in the SOC over and over again regardless of what month we look at: Brute Force, Exploit Attempts, Security Advice (General), and Unusual Situation (General). These are overwhelmingly frequent security incidents, but they aren't particularly exciting and almost all of them could be handled by automated defenses instead of waiting for attention from a human in the SOC. Below, we discuss some ways to proactively stop these incidents at the door before they escalate to the point where we need to intervene with an analyst in the SOC.

Follow Up on Unusual Activity & Act on Advice
Incident Type(s): Security Advice (General) & Unusual Situation (General)

About a quarter of all incidents opened by the SOC either provide generic recommendations on how to implement better security hygiene or track situations that we consider unusual and can't explain without feedback from you. One of the easiest ways to improve our ability to protect you is to respond to these alerts and have your help desk conduct a quick investigation of its own when the SOC flags unusual activity. For clients who routinely respond to these alerts, we rapidly build up a much better picture of what is going on within their environment and can identify and investigate suspicious behavior. For example, if we open an incident to notify a client about SSH activity within their network, a response confirming whether that activity was expected or not helps us focus on situations that require more thorough, immediate attention. If the client doesn’t respond, our default operating policy is to filter the situation from our SOC's radar for 24 hours after sending the alert. What’s worse is that in unusual situations, without a client response we have no way to baseline the normal behavior of the network and can't identify threats unless something clearly malicious happens or a signature-based rule fires.

Brute Force
Incident Type(s): Brute Force Attack Bypassing Perimeter

Consistently, around a third of all incidents opened by our SOC describe intervention in a preventable Brute Force situation that originated as a result of poor perimeter defenses. Generally speaking, whenever a remote login service is exposed to the Internet without a perimeter configured to automatically block these sorts of attacks, this situation will occur frequently. For clients that do not expose services, or that protect them with good perimeter defenses, the number of incidents in this category is almost nil. For those who leave a service exposed, we generally intervene in dozens or more of these situations each month. While our manual intervention does provide a layer of protection, it is much slower than an automated response and should be a layer of last resort after all possible automated perimeter controls have failed to detect the Brute Force attack. If you need to run a service that allows remote logins and/or you see a bunch of these alerts from us, there are a number of things that can be done to drastically reduce exposure:
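As an added illustration of the automated layer argued for above (example code written for this page, not eSentire's tooling; the sshd log lines are constructed), here is a sliding-window counter over failed-login records that flags a source once it crosses a failure threshold within a time window, which is the decision a perimeter device or host agent can make without waiting for an analyst:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd auth-log sample (not real data): one source hammering a
# public-facing SSH service, and one legitimate user who mistypes once.
SAMPLE_LOG = """\
Oct  4 09:00:01 bastion sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 40122 ssh2
Oct  4 09:00:02 bastion sshd[2202]: Failed password for invalid user admin from 198.51.100.23 port 40123 ssh2
Oct  4 09:00:03 bastion sshd[2203]: Failed password for root from 198.51.100.23 port 40124 ssh2
Oct  4 09:00:05 bastion sshd[2204]: Failed password for invalid user test from 198.51.100.23 port 40125 ssh2
Oct  4 09:00:06 bastion sshd[2205]: Failed password for invalid user oracle from 198.51.100.23 port 40126 ssh2
Oct  4 09:01:10 bastion sshd[2210]: Failed password for alice from 203.0.113.7 port 51000 ssh2
Oct  4 09:01:40 bastion sshd[2211]: Accepted password for alice from 203.0.113.7 port 51001 ssh2
"""

# Matches only failed password attempts and captures the syslog timestamp
# and the source address; accepted logins are deliberately ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r".* from (?P<ip>\d+\.\d+\.\d+\.\d+) port"
)


def parse_ts(ts, year=2016):
    """Syslog timestamps carry no year, so the caller supplies one (assumed 2016)."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def find_brute_force(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: time at which it should have been blocked}.

    A source is flagged the first time it accumulates `threshold` failures
    inside any `window`-long span; later lines from a flagged source are
    skipped, mirroring a perimeter rule that drops it outright.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still in the window
    blocked = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        if ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked


if __name__ == "__main__":
    for ip, when in find_brute_force(SAMPLE_LOG).items():
        print(f"block {ip} (threshold crossed at {when.isoformat()})")
```

The single failure from 203.0.113.7 never reaches the threshold, so only the scanning source is flagged; tuning the threshold and window is what keeps this from locking out real users while still stopping the noise before it becomes a SOC incident.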

Exploit Attempts
Incident Type(s): Service Exploit Attempt

As can be expected, service ports exposed through the firewall (websites, remote access portals, etc.) present your 'clean' internal network to the 'dirty' public Internet, and those exposed services instantly become targets for attacks of opportunity. This type of incident remains one of the most common security situations our SOC intervenes in, and this type of exposure accounts for the vast majority (over 99%) of all SOC incidents opened for Exploit Attempts. Keeping exposed services up to date with patches is a given, but here are some easy ways to beef up your perimeter and reduce the number of these incidents getting through:

What's Next?

Compromised Assets & Potential Compromised Assets
Incident Type(s): Payload Downloaded to an Asset, Payload Executed on an Asset, Payload Attempting to Spread, Malware Payload Blacklisted, Viral Payload Blacklisted

If you've already dealt with the easy wins and/or don't expose vulnerable services to the public Internet, this bucket, on average, represents the biggest area of risk for our clients. These incidents are usually opened as the result of users visiting attack web sites and getting infected, either via an exploit kit or through some sort of phishing/social engineering attack that exploits the end-user's credulity and lack of security awareness. There are some steps you can take that stop many of these incidents from getting off the ground and help protect your users from those that do:

Adware & Spyware
Incident Type(s): Adware Detected (Risk Vector), Spyware Detected (Exfiltration)

After we've knocked out the above, the next most likely risk is users installing applications that flag as spyware or adware. These are often free applications that have some sort of legitimate business purpose, but you should be aware that the software is essentially paying for itself by exposing your users to security risks and/or exfiltrating data off the system. If a paid solution exists for the same purpose that doesn't serve ads or steal data, it's probably worth a couple of dollars to close that security hole.

External Scans
Incident Type(s): External Scan Crossing Perimeter

Scans of your perimeter happen pretty much all the time, and that's not really a problem or worth opening a security incident for if your firewall is doing what it's supposed to and dropping those inbound connections on the floor. We generally open incidents when a scan crosses through your firewall and starts to trigger alerts on your internal, 'clean' network - which often happens if you have configured port forwarding through your firewall. The easiest way to deal with this is to have a completely opaque firewall on the outside, and only allow incoming connections through to a designated DMZ if you absolutely must expose services. Never allow random IPs on the internet to establish inbound connections to your clean network.

The Stuff That's Barely a Blip

Active Intrusions
Incident Type(s): Active Intrusion

These are the rarest type of incidents we see, but they are the situations that everyone worries about - and there is no easy technology or solution that deals with them. The only way to really protect yourself is to be engaged in the security process and action all of the incidents you know about as fast as possible. If a criminal or other malicious actor gains access to your network and we can't lock them out or catch them in time, eventually, this type of incident is what happens next. When these situations occur, our general goal remains the same: contain the situation and limit the impact of the threat as much as possible. However, in these incidents, tools like Host Interceptor and Log Sentry by eSentire dramatically increase our effectiveness.

Denial of Service Attacks
Incident Type(s): Denial of Service

While a common and easy way to shut down a public service, these sorts of attacks are generally not something most of our clients need to worry about. If you have some sort of publicly facing service that needs to be protected, it may be worth considering some sort of DoS protection technology, as our ability to action an incident of this type targeting you is extremely limited. However, if we open an incident because you have a misconfigured service participating in an attacker's DoS attack against someone else, it's a good idea to fix that as fast as possible if you want to avoid being blacklisted.

Drawing Conclusions

Small and mid-sized organizations and their networks are regularly targeted with rudimentary attack vectors that are bypassing perimeter defenses. While sophisticated attack vectors are still a chief concern, if organizations fail to build defenses against basic attack vectors they won’t stand a chance in guarding themselves against highly sophisticated ones. That said, because of the continued effectiveness of rudimentary attack vectors, those same organizations may buckle before they have a chance to confront a sophisticated attack.

Cybercrime has become everyone’s problem; by extension cybersecurity is now everyone’s responsibility. Top-level leadership must lead by example, by understanding their organization’s unique risk profile and constantly working to bolster the defenses when attack vectors that bypass them are discovered (through employee awareness, appropriate security technology and continuous monitoring).

Eldon Sprickerhoff, Founder and Advisor

Eldon Sprickerhoff is the original pioneer and inventor of what is now referred to as Managed Detection and Response (MDR). In founding eSentire, he responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information security breaches. Now with over 20 years of tactical experience, Eldon is acknowledged as a subject matter expert in information security analysis. Eldon holds a Bachelor of Mathematics, Computer Science degree from the University of Waterloo.
