Targeted Attacks and SMBs
Targeted attacks are sophisticated bespoke pieces of malware written with a specific purpose in mind. They are sent by email to recipients that have been researched by attackers and have been identified as having access to data or systems to which the attacker wishes to gain access. Such attacks are very much in the news at the moment. Rare is the month that passes without another multi-national organisation having been forced to admit to losing large amounts of data to a successful attack. But how exposed are small and medium sized business to such threats? Are SMBs too small to attract the attention of advanced attackers?
Symantec.cloud through their heuristic based malware detection system, Skeptic, is able to identify and block these low copy number, sophisticated targeted attacks against their clients and distinguish them from the large number of non-targeted attacks. To give some context, during 2011 Skeptic detected approximately 500 000 non-targeted malware-containing emails per day, and approximately 85 targeted malware attacks per day.
The rare nature and high sophistication of the targeted attack means that unless security systems are primed to detect these attacks, they are likely to penetrate companies and breach confidential systems without anyone being aware of the breach until it is too late. The attackers are aware that they do not need to send thousands of malicious emails to many recipients. For their purposes, a single malicious email sent to a single identified individual is usually sufficient to gain a toehold within an organisation from which they can gain access to the systems and data that they desire.
According to the logs of targeted attacks kept by Symantec.cloud, from the beginning of 2010 to date, 40.0% of all targeted attacks have been sent to SMB companies of less than 500 employees. 8.0% of attacks have been sent to companies of 501 – 1000 employees, 24.0% to companies of 1001 – 5000 employees and 28.0% of attacks to large companies of greater than 5000 employees.
Figure 1. Proportion of targeted attacks sent to Symantec.cloud customer base according to number of employees in recipient organisation.
If we consider the number of distinct companies and organisations that have received at least one targeted attack since the beginning of 2010, 50.5% of these are companies of less than 500 employees.
The average number of employees within a single organisation sent a targeted Trojan during 2010 was 7.8; for companies of more than 1000 employees this was higher at 11.8; for companies of 500 or less employees the figure was 5.187. However, the average size of companies of less than 500 employees that are sent targeted Trojans is only 178.9 employees; that for large companies of more than 1000 employees is 27 738.4. Therefore the proportion of employees targeted for the SMB sector is far higher than that for large businesses, since although fewer employees receive attacks the size of these organisations is much smaller.
One particular small business had, as far as we can tell, targeted Trojans sent to all 488 of their employees during 2010. One must wonder how the attackers came to learn the email addresses of the entire company.
Some SMB industry sectors receive more attacks than others. SMB companies operating in the Mineral and Fuel, Non-Profit, Engineering, Marketing and Recreation industries are particularly at risk compared with other industries. These sectors are over represented in number of small businesses that receive targeted attacks compared with the overall number of small businesses in these sectors.
Indeed, 3 companies within our top 20 most attacked SMB clients are Engineering companies at the forefront of innovation within their sector. Any innovative company large or small needs to consider the lengths that unscrupulous competitors or foreign governments may go to in order to gain access to the intellectual property that underpins the success of the company.
The Education sector is often overlooked as a source of intellectual property creation. Attackers are well aware of the value of original research and 2 research institutes are among our most attacked customers. Additionally, a further member of our most targeted SMBs is a commercial organisation conducting market research. As with high-tech industries, intellectual property generating organisations which may not be for profit in nature, attract targeted attacks. It can be surmised that novel market leading research is of great interest to the gangs behind these attacks.
A further 3 organisations within the top 20 are non-profit organisations predominately working in overseas development. The motivations of attackers may be financial, being attracted by the potential reward of development contracts, or political, in wishing to use organisations in place in developing countries as a source of information regarding the political situation.
It’s also important for SMBs to consider the nature of their customers. While business owners might not consider their business as a high priority target, an attacker may wish to target a particular organisation and consider the companies that provide services to the main target as ‘weak links’ in the security of the main target. Hence SMB companies that provide services to other companies may come under attack by attackers who wish to compromise the SMB as a means of attack against another organisation. Two of our top 20 most attacked SMBs provide IT services as their main business. As service organisations these companies are likely to have access to the IT systems of many companies. If an attacker compromises the service provider this may mean the attacker is able to gain access to the systems that the SMB maintains on behalf of other clients. In this case a successful attack is likely to have serious consequences for the target organisation as well as for the service provide who unwittingly facilitated the attack. SMBs who provide services to companies and organisations in the public sector, financial and high tech industries especially need to consider their own security in respect to that of their clients.
Small- and medium-sized businesses are not too small to escape the notice of sophisticated attackers. Either by being at the forefront of innovation in their industry, by supplying goods and services to companies and organisations that are highly prized by attackers, or by possessing high value assets that may be intangible in nature, the SMB sector is under constant attack by the most sophisticated of attackers . Although SMBs may not be able to afford a dedicated security department of their own, they can partner with suppliers like Symantec.cloud who specialise in providing security to organisations large and small and who can provide the best possible security offerings to their customers regardless of their size.