
Can Every Business Afford to Be a Target?

By Nick Ascoli | September 4, 2024 | Updated: November 8, 2024 | 6 Mins Read

As malicious actors increasingly create cybercriminal business models, small and medium-sized businesses (SMBs) face a changing cyber threat landscape. Today, being a cybercriminal no longer requires advanced technical skills, expanding the number of attackers and their attack capabilities. Unlike larger corporations, SMBs often lack the financial and staffing resources necessary to implement robust security programs and defend against cyberattacks. To protect themselves and their customers, SMBs need to understand how they can cost-effectively implement threat intelligence into their security programs.

Current Cybercriminal Threat Landscape

As SMBs expand their digital operations, they open themselves up to the same risks as any business operating online, including exposure to the many business models employed by cybercriminals.

Ransomware-as-a-Service (RaaS)

Ransomware-as-a-Service (RaaS) is a cybercriminal business model based on the legitimate Software-as-a-Service (SaaS) model. Ransomware groups provide payloads and set up operations for less sophisticated cybercriminals. The malicious actors who deploy the attacks receive a commission, usually a percentage of the ransom paid. This model expands the number of malicious actors and attacks.

Artificial Intelligence (AI) for Phishing Emails

Phishing kits remain a popular business in the cybercrime world, sold as a product that simplifies phishing page creation for malicious operations. Phishing remains a threat vector, especially as SMBs increasingly rely on interconnected SaaS applications. Phishing attacks often begin with spoofed emails that appear to be from legitimate sources, tricking employees into revealing sensitive information or downloading malicious software. Employees may be tricked into sharing information like their usernames and passwords, making it easier for attackers to gain unauthorized access to systems and networks.

Leaked Data

Leaked data is monetized in many ways by malicious actors and is occasionally given away for free as a demonstration of goodwill by a threat actor to their cybercrime or hacktivist community. Sensitive information that leaves the SMB’s boundaries can include:

  • Credentials leaked through a data breach
  • Hardcoded credentials stored in a code repository
  • Data stolen through infostealer malware then sold on the dark web

Common technology stacks

SMBs often use the same technologies as their enterprise counterparts, like Point of Sale systems, IoT devices, or SaaS applications. As cybercriminals seek to make the most money with the least effort possible, they often target commonly used technologies. Rather than targeting an organization, an attack may focus on a Common Vulnerabilities and Exposures (CVE) entry, a known security weakness in software, an application, or an operating system. If the SMB has not applied the security update, the technology remains vulnerable.

Common Threat Intelligence Challenges SMBs Face

Small and medium-sized businesses (SMBs) face several common challenges in implementing threat intelligence, primarily due to limited resources and a lack of expertise.

Budgetary constraints

SMBs often have limited financial resources compared to large enterprises, which has a top-down effect across the rest of their security initiatives. While an SMB may be doing well compared to peers, cybersecurity tools can be expensive. Often, these organizations need to balance the “must have” and “nice to have” security tool options. Many SMBs focus their financial resources on tools defined by compliance requirements. When faced with a limited cybersecurity budget, an SMB may choose to purchase a compliance-mandated anti-virus monitoring tool instead of a threat intelligence solution.

CTI Analyst Hiring Challenges

Budgetary constraints often impact an SMB’s ability to hire deeply experienced cybersecurity staff. Analyzing threat intelligence often requires even more specialized skills since many locations, like dark web forums where cybercriminals chat, are in foreign languages. Many SMBs cannot afford the salaries for experienced security analysts to collect and translate data from these sources manually.

Time constraints

Limited budgets combined with technical resource constraints mean that the people engaging in SMB security programs wear many hats. Collecting and analyzing threat intelligence is a time-consuming task that requires:

  • Identifying the types of threat intelligence to collect
  • Collecting threat intelligence from different locations including government websites, vendor blogs, dark web forums, illicit Telegram channels, and social media
  • Processing the data by filtering out irrelevant information, structuring data, or grouping similar items together
  • Analyzing the data to gain insights related to the business’s interests, like information about technologies in the IT stack or the organization’s industry vertical

How Can SMBs Overcome the Challenges of Threat Intelligence?

Finding cost-effective solutions for collecting, monitoring, and analyzing threat intelligence is critical for SMBs.

Automate monitoring

A threat exposure management platform can provide automation that monitors the clear and dark webs, as well as illicit Telegram channels, to identify threat intelligence about:

  • Stolen credentials
  • Infected devices
  • Third-party data exposures
  • Cybercriminal mentions of a company or its assets
  • Credentials stored in source code

Leverage AI

When validated, AI can help solve several challenges that SMBs face, including:

  • Cybersecurity skills coverage: AI can automatically translate foreign languages into the user’s native language to make reading dark web information easier.
  • Processing data: AI can also help consolidate similar information and remove duplicate entries to provide improved insights.
  • Analysis and reporting: AI can generate reports based on the collected and processed data, analyze it for relevant points, and summarize it for internal stakeholders.

Integrate with security tools

Threat intelligence provides important insights into cybercriminal thinking, activities, and resources. For example, cybercriminals often have access to databases containing information such as:

  • Devices compromised by malware
  • User credentials, cookies, files, browsing history
  • Technologies containing security vulnerabilities
  • Companies compromised by ransomware

Each of these attack vectors can be used against the SMB’s networks, systems, users, and devices. When working with threat intelligence, SMBs should incorporate this data into their overall security monitoring programs by integrating their threat intelligence solution with cybersecurity tools like their centralized log management, security information and event management (SIEM), and endpoint detection and response (EDR) technologies.
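
An added example, not from the article or from any vendor's product, of the processing step listed under "Time constraints" and the integration step described above: it filters constructed feed records down to the business's own domain and technology inventory, merges duplicate sightings, and emits one JSON event per finding for a log pipeline. The domain, product names, advisory placeholders and field names are all assumptions.

```python
import json
from collections import defaultdict

# Constructed sample values (assumptions, not from the article).
COMPANY_DOMAINS = {"example-smb.test"}
TECH_STACK = {"examplepos", "examplecrm"}
RAW_FEED = [
    {"type": "leaked_credential", "source": "breach-dump", "email": "Ana@Example-SMB.test ", "seen": "2024-08-01"},
    {"type": "leaked_credential", "source": "stealer-log", "email": "ana@example-smb.test", "seen": "2024-08-20"},
    {"type": "leaked_credential", "source": "breach-dump", "email": "bob@other.test", "seen": "2024-08-02"},
    {"type": "vulnerability", "source": "vendor-blog", "product": "ExamplePOS", "id": "ADVISORY-PLACEHOLDER-1", "seen": "2024-08-10"},
    {"type": "vulnerability", "source": "gov-site", "product": "ExamplePOS", "id": "ADVISORY-PLACEHOLDER-1", "seen": "2024-08-12"},
    {"type": "vulnerability", "source": "vendor-blog", "product": "UnusedApp", "id": "ADVISORY-PLACEHOLDER-2", "seen": "2024-08-11"},
]

def relevance_key(rec):
    """Return a (kind, subject) grouping key, or None if the record is irrelevant."""
    if rec["type"] == "leaked_credential":
        email = rec["email"].strip().lower()
        if email.rpartition("@")[2] in COMPANY_DOMAINS:
            return ("leaked_credential", email)
    elif rec["type"] == "vulnerability":
        product = rec["product"].strip().lower()
        if product in TECH_STACK:
            return ("vulnerability", f"{product}:{rec['id']}")
    return None

def process(feed):
    """Filter out irrelevant records, then merge duplicates into one finding each."""
    groups = defaultdict(list)
    for rec in feed:
        key = relevance_key(rec)
        if key is not None:
            groups[key].append(rec)
    return [{
        "event_type": f"threat_intel.{kind}",
        "subject": subject,
        "sources": sorted({r["source"] for r in recs}),
        "first_seen": min(r["seen"] for r in recs),
        "last_seen": max(r["seen"] for r in recs),
        "sightings": len(recs),
    } for (kind, subject), recs in sorted(groups.items())]

if __name__ == "__main__":
    # One JSON object per line: a shape log management and SIEM pipelines can ingest.
    for finding in process(RAW_FEED):
        print(json.dumps(finding, sort_keys=True))
```

Six raw records collapse to two findings here; the events carry the affected account or product but no secret values, so they can be stored alongside other security logs.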

Insights for Improving SMB Security

Often, SMBs find themselves victims of cybersecurity attacks because their systems are swept up in cybercriminals’ financially motivated activities. Most cybercriminals deploy low-effort attacks, hoping to make money from a ransom payment or selling data on the dark web. To protect themselves, SMBs should look for cost-effective threat intelligence tools that allow them to understand the current state of cybercrime and its potential impact on their operations.


Editor’s Note: The opinions expressed in this article belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.

Nick Ascoli

Nick Ascoli is a Senior Product Strategist at Flare and an experienced threat researcher who is recognized for his expertise in data leaks, reconnaissance, and detection engineering. Nick is an active member of the cybersecurity community, contributing to open-source projects, regularly appearing on podcasts (Cyberwire, Simply Cyber, etc.) and speaking at conferences (GrrCON, B-Sides, DEFCON Villages, SANS, etc.).
