When you hear Persistent Threat, you probably think of a team of state-sponsored hackers, working on exfiltrating a particular prize of data, like defense plans, or satellite blueprints, from a large strategic enterprise or government entity. Why would an SMB need to care about this type of attack?
It’s actually a misnomer – the description above, in cybersecurity circles, is called an Advanced Persistent Threat (APT). And you would be right in thinking an attack like that isn’t targeting SMBs too often. Only one rung down on the ladder of cybersecurity threats are Persistent Threats (without the advanced); it refers attacks that are sustained over an extended period. In this post, we explain why SMBs are falling victim to persistent threats, and how to avoid the pitfalls of further exploitation.
Let’s begin by imagining that your company has around 300 employees and about as many endpoints. Then let’s imagine that one such employee falls victim to a phishing attack; notoriously these attacks can avoid preventative technologies like Anti-Virus and Firewalls. With phished credentials, a hacker can gain access to your network, identify an asset that is mission-critical (that you need to run your business), and encrypt it using Ransomware.
Note, this is not a ‘persistent’ threat, yet.
Now let’s imagine that they demand a ransom. And, because the ransom is ‘affordable’ relative to the cost of being unable to conduct business, the company pays it. The hackers decrypt the asset, and you are back to normal business operations.
Case closed… right?
Some companies think that they can operate this way – looking at attacks like these as the cost of doing business. The issue is incidents like the one above have downstream consequences – and they don’t end when you pay the ransom. The threat becomes persistent.
Here are five reasons that hackers persist in targeting victims:
1) They know whether your company is ‘low-hanging fruit’
Like any business, hackers are trying to maximize their return, and minimize their effort. Once a company has fallen victim to an attack, the hacker likely has visibility into what defenses are in place. Or at least, how easy it was for them this time. This enables them to determine whether a given business is ‘low-hanging fruit.’
2) Their ability to move laterally through your network does not end when the ransom is paid
Sure, you changed the credentials of the compromised account - but are you aware of the fileless threat looming in the memory of systems that were not attacked? Hackers know that if they don’t decrypt the asset, people will never pay their ransom. So, once they are paid, it makes sense for them to release your data.
The part they don’t tell you is that this won’t prevent them from doing it over and over again.
3) They can target increasingly valuable assets (which means ever-increasing ransoms)
Just as a legitimate business would nurture and upsell their clients, hackers can target and gain access to increasingly sensitive data, with a greater impact upon your business. This is analogous to ‘premium pricing’ of standard products and services.
4) Your status as low-hanging fruit is shared, sold, and broadcast on the dark web
The business of hacking has evolved into an economy within the black market. Cybercriminals can not only procure malware and other tools to achieve their goals but lists of potential targets. This is similar to companies acquiring purchase-intent data or lists of leads.
5) You remain low-hanging fruit (until you improve your security prevention posture)
As long as your company remains in business, and remains an easy target, there is no reason for hackers to stop. SMBs are particularly vulnerable, given their limited cybersecurity budget and access to qualified people and technology to improve their cybersecurity posture.
The hypothetical company we considered initially has now become a revenue stream to a cybercriminal ‘business’.
We encounter companies who have fallen into the trap of “it’s the cost of doing business” all the time. SMBs can’t afford a SOC to combat persistent threats effectively, so as long as they can afford the ransoms that are demanded (at first), they pay. Hopefully, the discussion above serves as a warning that the risks and vulnerabilities that SMBs face don’t end if they pay a ransom.
How can you prevent your business becoming a victim to persistent threats? See below:
You could strive for good hygiene by remediating the vulnerabilities that enable hackers in the first place.
You could have a rigorous DR strategy, with a regular cadence of decentralized and redundant backups. Note that Ransomware is often engineered to delete your backups first, hence the redundancy described above.
You could educate your users to make phishing incidents less likely.
You could ensure that your existing prevention technology is optimized - though that won’t help with ransomware, fileless attacks, and other tactics that traditional security technology is ill-equipped to deal with.
You could hire a CISO to help formulate your prevention strategy, design an incident response plan, and implement the policies to minimize the risk and impact of such an attack.
You could build your own SOC, and staff it with a 24/7 threat-hunting team, embracing the Detection and Response strategy that accepts that there will be breaches.
Alternatively, you can invest in our MDR service for around 90% less than building a SOC. Let ActZero do the threat hunting for you, to detect when you are breached, and respond to it to minimize the impact. Let us provide you with the prioritized shortlist of vulnerabilities to remediate, reducing the most risk, with the least effort. Have us respond to incidents for you when they happen. Leverage our virtual CISO service to guide your organization on improving your prevention posture as you grow.
Our competition is not usually other MDR providers – our competition is doing nothing. So many organizations fall into the trap of paying the ransom and seeing it as a solution, without taking steps to improve their security posture. Fortunately, SMBs are starting to understand the risk and cost presented by persistent threats; and are choosing MDR as the solution.
Related Content: Check out our other Threat Intelligence posts: