
What type of hacker targets SMBs?

Ted Gruenloh
CEO @ Nomic Networks
July 31, 2022

This is kind of a trick question, but – they all do. However, they do so in different ways, so there are different things to be aware of; especially now that attacks are getting so advanced, widespread, and expensive. Not being knowledgeable about the different types of hackers and their attack methods could be a costly mistake in today’s threat environment, and any small business knows you can’t afford too many of those.

First off, let’s debunk some jargon. The term “hacker” refers to “an individual who uses computer, networking or other skills to overcome a technical problem.” So, if you’re trying to solve the challenge of network protection within your own business, you may be considered a hacker. That said, the sexier definition is specific to cybersecurity: Someone who uses those skills to break into networks with unauthorized access and wreak havoc (a la criminal activities). This is more closely aligned with the definitions of “cybercriminal” and “bad actor.” In the industry though, all three are used interchangeably so I’ll stick with that here.

The types of hackers (and all of them target small businesses)

Hackers operate within an economy in their own right. There are specialists, generalists, “get the job done” types, opportunists, novices and suppliers of specialty goods (like credentials only). While I’d discourage plumbing the depths of the Dark Web yourself, you can find them all there, lurking in digital back alleys. However, they group roughly into three categories, all of which you should watch out for. And, as long as your small business is making money, is important to public safety or the wider economy, or can grant them notoriety in any way – they’re coming after you.

Script kiddie

You might think these are listed in order of importance, but given the rise of Ransomware as a Service (RaaS), script kiddies might be more dangerous than you remember. This classification of hacker earned the nickname by being low-level, nuisance-type threat actors that, as the name suggests, couldn’t hold their own on the command line. And, while that still may not have changed, the evolving ransomware economy has now placed some big (easy to use) guns in their hands.

Everything is becoming commoditized, and on the Dark Web you’ll find some who specialize in reconnaissance, some who can break in, some who produce already pilfered lists of passwords, and some still who can supply you the code for your own out-of-the-box ransomware attack. Known as Ransomware as a Service, this business model produces fatal (yet affordable) results. Often, sellers will just take a share of the winnings. Because these are so effective and easy to launch, small businesses should watch out; with so little skin in the game, these guys have little to lose. RaaS-wielding script kiddies use this bot-based approach to combine the spray-and-pray method with advanced attacks, creating the worst of both worlds and catching unsuspecting small businesses in the crosshairs. And, to anyone who still remembers this batch as “not that dangerous”, keep in mind that DarkSide was the RaaS gang behind the Colonial Pipeline attack. While this one hit the news (and the economy), thousands of others of similar weight indiscriminately hit smaller victims that are quietly paying the ransom.

Hacktivist

Just because you’re not an SMB selling baby otter pelts doesn’t mean this type of hacker won’t target you. Hacktivists attack based on their moral leanings, not yours. And those have notoriously been diverse. While typically not motivated by financial gain (at least on the surface), these attackers do target data, with the intent to cripple an organization, deface a public image, or prove a point. They are politically, socially or religiously motivated, and that’s often where the differentiation stops. Attack methods are often the same – a lot of doxing, geo-bombing, DDoS attacks, website redirects and data leaks.

Hacktivist activities have targeted organizations such as the CIA, Sony PlayStation, WikiLeaks, the US Senate and Fox.com as well as controversial or rogue governments and child pornography sites. And the very fact that money is not a motivation leaves municipalities, government agencies, and smaller businesses (not a financial draw for most hackers) still on the table for these guys. It just depends on what you stand for and who may or may not like that. Keep in mind, supply chains for the big guys are still fair game.

Advanced Persistent Threats (APTs)

These are more threats than threat actors, but a certain type usually produces them. Nation-state actors. That’s because it takes a lot of manpower, time, patience, reconnaissance and sophistication to launch one of these. These are the “low and slow” attacks that infiltrate critical national infrastructure sectors and get joint advisories issued about them by the FBI, CISA and the Department of Defense. Also known as RansomOps, APTs sneak into a network then remain undetected for months, siphoning out data undetected. When they have what they need (usually a fatal amount), they’ll typically follow the path of a usual ransomware attack, which itself is far trickier than it used to be. APTs will encrypt data, threaten to publish it online if payment isn’t met (double-extortion), contact stakeholders, executives, even customers and demand payment out of them (triple extortion) and often publish data on leak sites anyway.

So why would a nation-state actor be after you? Ask Linkos Group, the small software firm that sells M.E.Doc, an accounting software package. Never heard of them? Neither had Maersk, global shipping titan, until one of their computers in Odessa regretted the day it ever installed M.E.Doc on their system. A Russian state-sponsored attack infected Linkos servers with NotPetya, a sophisticated exploit that set off one of the biggest supply chain attacks in recent history. Once the infection – carried within that small M.E.Doc software package – hit the Odessa machine, “Maersk’s entire booking system went down, as well as the complex loading systems used to systematically load container ships to avoid capsizing them… port facilities shut down, and tens of thousands of truckloads of goods were turned away.” Attacking companies worldwide (from FedEx to Merck pharmaceuticals to the Chernobyl Nuclear Plant), it caused $10 billion in global damages. Said the White House homeland security advisor at the time, Tom Bossert, “It was the equivalent of using a nuclear bomb to achieve a small tactical victory.”

What was aimed at rival state Ukraine bled into the rest of the world, thanks to the borderlessness of the internet, and started with a single, little-known software seller. APTs are nothing if not sneaky, so if they’re aiming for big game, they’re likely to use a backdoor route, which nearly always involves SMBs. As the first line of defense, you need to be more wary than ever. Because they employ super sophisticated, never-before-seen tools, the key is to monitor for anomalous behavior and retain logs, so you can go back and gain visibility into where they’ve been on your network and what they’ve been doing.
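To make the "monitor anomalous behavior and keep the logs" advice concrete, here is an added example that is not part of the original post or any Nomic product: a small Python script that builds a per-host baseline of outbound traffic from retained log lines and flags days where a host sends several times its own normal volume. The log format, the host names and the byte counts are constructed for the example; the baseline window and the 3x threshold are assumptions you would tune to your own network.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data (not from the original post): one line per host
# per day, in the form "<date> <host> <outbound_bytes>". Host pc-07 starts
# pushing several times its normal volume on day 6, a crude stand-in for the
# kind of data siphoning that only becomes visible against a baseline.
SAMPLE_LOG = """\
2022-07-01 pc-03 1200000
2022-07-01 pc-07 900000
2022-07-02 pc-03 1300000
2022-07-02 pc-07 950000
2022-07-03 pc-03 1250000
2022-07-03 pc-07 1000000
2022-07-04 pc-03 1280000
2022-07-04 pc-07 920000
2022-07-05 pc-03 1220000
2022-07-05 pc-07 980000
2022-07-06 pc-03 1350000
2022-07-06 pc-07 4500000
2022-07-07 pc-03 1300000
2022-07-07 pc-07 6000000
"""


def parse_log(text):
    """Group log lines by host: {host: [(date, outbound_bytes), ...]}, date-ordered."""
    per_host = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        date, host, raw_bytes = line.split()
        per_host[host].append((date, int(raw_bytes)))
    for series in per_host.values():
        series.sort()  # ISO dates sort correctly as strings
    return per_host


def baseline(series, window):
    """Median outbound bytes over the first `window` days of one host's history.
    The median is used so a single noisy day does not drag the baseline."""
    return median(nbytes for _, nbytes in series[:window])


def find_anomalies(text, window=5, factor=3.0):
    """Return (host, date, bytes, ratio) for every day after the baseline window
    on which a host sent more than `factor` times its own baseline median.
    Window and factor are assumed tuning values, not a published standard."""
    flagged = []
    for host, series in sorted(parse_log(text).items()):
        if len(series) <= window:
            continue  # not enough history yet to establish a baseline
        base = baseline(series, window)
        for date, nbytes in series[window:]:
            ratio = nbytes / base
            if ratio > factor:
                flagged.append((host, date, nbytes, round(ratio, 2)))
    return flagged


def host_history(text, host):
    """The retained history for one host, so an analyst can go back and see
    when the deviation started rather than only that it exists now."""
    return parse_log(text).get(host, [])


if __name__ == "__main__":
    for host, date, nbytes, ratio in find_anomalies(SAMPLE_LOG):
        print(f"{date} {host}: {nbytes} bytes out, {ratio}x its baseline")
        for past_date, past_bytes in host_history(SAMPLE_LOG, host):
            print(f"    {past_date} {past_bytes}")
```

The point of the per-host comparison is that a busy file server and a receptionist's PC have very different "normal" volumes, so a single global threshold would either miss the quiet host or drown you in alerts from the loud one. The `host_history` lookup is only possible because the raw records were kept, which is the retention half of the advice above.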

Best practices, no matter which attacker you’re up against

One great rule of thumb, and I’ve mentioned this before, is to get a basic layer of security down by following the CIS Controls. I keep beating that drum because it works. IG1 (Implementation Group 1) is one area in particular that really helps to plug some of the holes that a lot of small businesses come to us with. Because there are 18 detailed CIS controls (a lot to implement), the Implementation Groups exist to tell you how to prioritize, and they start with training, patching and knowing what’s on your network.

Great for small businesses, CIS states that “an IG1 enterprise is typically small to medium-sized with limited IT and cybersecurity expertise” and one that can’t afford a lot of downtime. It protects you against the most common forms of attack, which could actually close most doors against attackers. These are attack vectors like phishing, brute force attacks, credential stuffing and the like. While these seem like “the basics,” the Verizon 2022 DBIR cites that “82% of breaches involved the human element, including social attacks, errors and misuse”. Closing these gaps (with basic, affordable measures) is, in my opinion, the most bang for your buck for small businesses looking to firm up their security strategy right off the bat.

Sentinel IPS is a leader in small business security, and we deal with these kinds of cases every day. Hackers don’t pull punches for the little guy, and you’re going to want to put up security controls that are effective, affordable, and that you can understand – as a first step. We’ll help you through this, and then onward as you continue to mature your security posture to be able to fend off whatever kind of hacker may come your way.


Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.
