As technology continues to evolve more rapidly than ever, the demand for companies to continuously update their policies and practices is more vital than ever. No longer are hackers continuing to throw sophisticated attacks that can cripple a business (Ransomware) at the largest companies. Small and medium-sized businesses (SMBs) are no longer safe and in many cases after a cyber-attack are rarely prepared for both the attack and the cost of recovering from such an incident. According to IBM, “The average cost of a data breach involving theft of assets totaled $879,582 for these SMBs. They spent another $955,429 to restore normal business in the wake of successful attacks.”

The other aspect of this that is almost guaranteed to have the biggest effect on the business affected, is loss of reputation and clientele. If a business becomes exposed in an attack or a loss of customer data occurs, the company is legally obligated to disclose the breach to each customer effected. In an article from January, 2016, the Wall Street Journal stated, “But offering either too much or too little information to investors can be fraught with consequences. Executives could come under fire from investors and consumers if it appeared their company attempted to hide a problem or failed to disclose a data breach in a timely and accurate way.”

So what are the types of attacks facing many of these SMBs? The most popular attacks SMBs are facing according to Business News Daily, are APT (Advanced Persistent Threats), Phishing Campaigns, DDoS, Inside Attacks, Malware, Password Attacks & Ransomware. Our managed cloud solution, CyberSHARK, can detect all of these attacks, and help prevent a breach from happening.

APT: Advanced Persistent Threats are a little more difficult to determine where specifically the attack is coming from or what method will be used. These attacks use multiple phases to gather information, and then strike at a certain time. These phases include: Reconnaissance, Incursion, Discovery, Capture, & Exfiltration. Often, these attacks are sponsored and are drawn out over a long period of time. The best way to prevent an APT is to keep up with software patches, continuously monitor all network and insider activity from all points of entry, keep up with best practice guides from both government and private security agencies as well as their compliance requirements, and finally investigate and remediate any potential or concerning issues that arise on a network. With CyberSHARK, we use multiple detection methods to help you avoid such attacks. We will alert you to any and all suspicious network activity, whether it comes from our open-source & commercial threat intelligence groups, our SOC analysts, or if a rule is broken by our Advanced Security Correlation Engine. Finally, we will provide you with the remediation steps to eliminate the issue and an exact break down of how the event was correlated in our system for your better understanding.

Phishing: Phishing is a type of scam where criminals try to gain access to a network via email or other online social engineering methods to have you provide sensitive information, to gain network access. For example, a cybercriminal may have you click on a link that may download something malicious to be introduced to the network or that link may take you to a fake site where they often ask you to input specific information about yourself and the company you work for.

DDoS: DDoS (Distributed Denial of Service) is an attack in which multiple sources target a web-server, website, or other known network device, and overwhelm it with a flood of messages, packets, & connection requests, causing the target to slow down or “crash”, rendering it unavailable to its users. CyberSHARK works with multiple open-source and commercial threat intelligence groups that detect known Botnet sites and addresses where such attacks come from. If one of these known sites reaches out to a network onboarded with CyberSHARK we can pick up on this activity and alert the network administrators with specific attack details and remediation steps to prevent this incident from being successful.

Inside Attacks: Inside attacks are on the rise more than ever. Insider attacks often come from trusted users, employees, & external contractors that have specific authorized access on a network. Often times in insider attacks the following occurs: Unintentional mistake that affects one or more components on the network, trying to ascertain specific data that they do not have access to, checking the network for weaknesses, intentionally trying to cause harm or disruption to a business (often times this happens with a former or current disgruntled employee). CyberSHARK can track specific user activity and access across a network, providing you with exact logs of when they were on/off the network, the exact path/s they accessed, and if any special privileges were applied to this specific user. Secondly, via our Compliance Reporting, we can provide several reports on user activity, for different compliance reports that different industries have to adhere to. Thirdly, we have several rules in place, including for same internal user login/activity.

Malware: As defined by Norton, “Malware is an abbreviated term meaning “malicious software.”  This is software that is specifically designed to gain access or damage a computer without the knowledge of the owner. There are various types of malware including spyware, keyloggers, true viruses, worms, or any type of malicious code that infiltrates a computer.” Here at CyberSHARK, if any type of malware is downloaded the system, we can pick up on that network traffic, by monitoring the firewall, switches and anti-virus that it may detected and pass through. As well, if that malware comes from any globally known intruder groups that hit your network, our threat intelligence will pick up on that traffic and will alert you in an incident ticket with remediation steps to follow.

Password Attacks: Password Attacks (aka Brute Force attacks) often use some type of automated system to perform the attack in which different password combinations are used to try to gain entry to a network, such as a dictionary attack list or using rainbow tables. Best ways to avoid this type of attack from being successful is to implement best practices where the passwords for users, service accounts, & domain/admin credentials change on a consistent timeline, i.e. monthly, quarterly, etc. Through the CyberSHARK platform, we have implemented a number of different rules to detect successful and failed password attacks for both the internal and external malicious actor. We can tell you what username was used, the device or network path they tried to gain entry to, if they are successful we can show you how they moved laterally across a network and where other successful logins may have occurred during the incident.

Ransomware: Ransomware is the attack that keeps most security engineers, administrators, CSO’s and other IT personnel awake at night. It is a type of malware that locks down and encrypts devices on a network to prevent someone from using a that device unless a ransom is paid. Once the ransom is paid the encryption will be unlocked and removed, or in some cases the hackers will not unlock the devices, causing the company affected to incur other expenses to recover. Through CyberSHARK with our behavior correlation, IP patterning and threat intelligence groups, we can detect activity from certain known ransomware sites, as well as activity that may indicate a possible ransomware attack is imminent.

While many SMBs will only do something when its too late, too many government regulations and compliance mandates are forcing them to gain a solution such as CyberSHARK to show they are compliant when it comes to keeping up with their network and the cybersecurity threats it could be facing. For example, the one of the latest regulations passed, NY DFS 500 requires businesses in New York State to adhere to certain requirements to protect their network and the information of their customers. These regulations include penetration testing, continuous monitoring, and a thirdparty audit of the network. CyberSHARK can help keep you in line with such policies being passed.

Julie Kittka