It might sound counterintuitive, but having more targets on the field does not always mean you are protected because you are just one of many. Over the last few years there has been a noticeable pattern in how attackers, large and small, new and experienced, are testing out their tools and tactics on smaller organizations, even if the payoff is not significant or they get caught. I believe this is because smaller organizations are less likely to report an incident, or to be able to share indicators of compromise, the way larger ones can (and often must). Attackers can almost indiscriminately pick a small target, begin the campaign, and assess how things went without tipping off the rest of the herd. It almost mimics how predators work in the wild: pick off the slow and the sick quietly, without alerting the rest.
I recently had a great conversation with Jamie Levy, Director of Adversary Tactics for Huntress, about this topic. It seems there is telemetry linking attacks on organizations below the cybersecurity poverty line to some larger threat groups. These attacks appear to specifically target organizations with a small number of staff (10 or fewer). Some of the attacks are ransomware-style attacks, while others appear to involve new tools, possibly being tested out for the first time.
Talk of this pattern had me considering something that could account for it, and possibly explain the appearance of these links. Is it possible that what look like links to larger attack groups are the result of a splintering in an existing group, or of a leak of “source code” as we see from time to time? After all, there is some evidence to suggest that larger groups might deliberately abandon tools via leaks to muddy the waters and encourage new groups to join in the fray. Sadly, while some of that may be happening, it does not seem to cover all of what is being observed. Does this mean organizations should panic and disconnect from the internet? Good Lord, no. It does mean that the cover previously provided by security through obscurity might not be enough to protect you the way it used to.
Jamie and I also talked about a few other interesting areas of security (in the SMB space) that often get either forgotten or ignored, and that are part of the many issues facing the SMB space.
One of the most interesting ones is that there does not seem to be the same level of tactical and logistical rotation that has been observed previously. Attackers are reusing tools, techniques, etc. because they still work. This means defenders are still not doing even the basic things that would limit their exposure to these styles of attack. Social engineering (in all its flavors), PowerShell pivots, RMM compromise, single-factor authentication, SMS MFA, and even macros are still being used because they are still viable options for attackers… I have said it before, and I will say it again: attackers want to expend the least amount of effort for the biggest return, so why spend time and money making the new thing when they are still “cashing checks” from the old?
Now let’s throw another wrinkle into the mix: bad MSPs and MSSPs. While there are many very good MSPs and MSSPs, there are also a load of bad ones. These are the companies offering prices that are too good to be true, and all too often they are not really taking care with their clients’ environments. Old and/or outdated tools, weak passwords for agents, poorly secured access to client environments, and no proper hygiene on entry or exit can all put smaller organizations at risk. I have seen smaller organizations with multiple RMMs from multiple MSPs sitting on servers and other endpoints during a Mergers and Acquisitions (M&A) security review. I have also had to respond to an incident because a proper security review was not done before the new organization was connected to the main environment.
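One check that follows from the point about stray RMM agents turning up during an M&A review, as an added example that is not part of the original post: a PowerShell inventory of remote-management and remote-access agents on a Windows host, pulled from the installed-software registry keys, the service list, and running processes. The product keyword list is a constructed, illustrative set and the function name is my own; trim or extend the list to match the providers your organization actually contracts with.

```powershell
# Added example (not from the original post): inventory remote-management / remote-access
# agents on a Windows host so leftover RMM installs from former or unknown MSPs can be
# found and reviewed before an acquired environment is connected to the main one.
# The keyword list is a constructed, illustrative set of common product names.
$RmmKeywords = @(
    'ConnectWise', 'ScreenConnect', 'LabTech', 'Kaseya', 'Datto', 'N-able', 'N-central',
    'SolarWinds', 'NinjaOne', 'NinjaRMM', 'Atera', 'Syncro', 'TeamViewer', 'AnyDesk',
    'Splashtop', 'LogMeIn', 'GoToAssist', 'BeyondTrust', 'Bomgar', 'Pulseway', 'Action1'
)

# Registry locations where installers record themselves (64-bit, 32-bit, and per-user).
$UninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-RmmAgentInventory {
    [CmdletBinding()]
    param([string[]]$Keywords = $RmmKeywords)

    # One case-insensitive regex from the keyword list; Escape() handles the hyphens and dots.
    $pattern  = ($Keywords | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Installed software as recorded in the Uninstall keys.
    foreach ($path in $UninstallPaths) {
        Get-ItemProperty -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -and ($_.DisplayName -match $pattern) } |
            ForEach-Object {
                $findings.Add([pscustomobject]@{
                    Source = 'Registry'
                    Name   = $_.DisplayName
                    Detail = $_.Publisher
                    State  = "Installed $($_.InstallDate)"
                })
            }
    }

    # 2. Services, including stopped ones: an agent left behind is often disabled, not removed.
    Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue |
        Where-Object { ($_.DisplayName -match $pattern) -or ($_.PathName -match $pattern) } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Source = 'Service'
                Name   = $_.DisplayName
                Detail = $_.PathName
                State  = "$($_.State)/$($_.StartMode)"
            })
        }

    # 3. Running processes, to catch portable or unattended builds with no installer or service entry.
    Get-CimInstance -ClassName Win32_Process -ErrorAction SilentlyContinue |
        Where-Object { ($_.Name -match $pattern) -or ($_.ExecutablePath -match $pattern) } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Source = 'Process'
                Name   = $_.Name
                Detail = $_.ExecutablePath
                State  = "PID $($_.ProcessId)"
            })
        }

    return $findings
}

$inventory = Get-RmmAgentInventory
if ($inventory.Count -eq 0) {
    Write-Output "No remote-management agents matched the keyword list on $env:COMPUTERNAME."
} else {
    # Every remaining entry should map to a current, contracted provider; anything else is a removal ticket.
    $inventory | Sort-Object Source, Name | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the service and process views are complete, and run it on every server and endpoint in the acquired environment, not a sample. Keyword matching on names will miss a renamed or custom-branded agent, so treat the output as a starting list to reconcile against the MSP contracts you actually hold, not as proof that nothing else is present.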
In the end, no matter the size of your business, you should think about the what-ifs. You do not have to become paranoid about it or spend all your profits on every tool that comes out, but you should be looking at what you have and how exposed you might be. In most cases there are some basic and fundamental things you can do with existing tools to make yourself a more costly target for attackers. While it may well be true that larger and more experienced groups are targeting small organizations, they are still not looking to spend a lot of time or effort on getting in. This means that making the best of what you already have could be enough to make them move on to the next target. If enough people begin to make these changes, it can create a bit of a shift in the general target landscape for attackers and move the needle on cybersecurity, even if just a bit. I will repeat: all is not lost. By making some basic changes to how your systems are configured you can create some breathing room, and in a hostile environment, anything you can do to give yourself some breathing room is a good thing.