What Helping Secure SMBs Shows About Attack Trends
In this week’s Future of Threat Intelligence podcast, Alex Bovicelli, Senior Director, Threat Intelligence at Tokio Marine HCC, joins Will Baxter for a wide-ranging discussion. Running CTI across more than 20,000 insured companies, Bovicelli has unique insight into the overall threat environment—beyond what is making headlines.
In this week’s discussion, Bovicelli talks about how organizations should focus on threat modeling their own environments, the need to understand and secure initial access vectors, and how small and medium-sized businesses (SMBs) are getting consistently attacked with ransomware.
Why organizations should focus on securing initial access vectors
With more than 20,000 organizations covered by Tokio Marine HCC’s insurance, Bovicelli and his team need to take a prioritized and intelligence-focused approach to security. In practice, this means less focus on CVSS scores or hypothetical threats and more on understanding how threat actors are targeting specific organizations.
“Instead of caring for all of the risk, let's really focus on what truly matters, what's going to impact the customer with a catastrophic event,” says Bovicelli.
To Bovicelli, this means first focusing on the full spectrum of initial access opportunities that threat actors may target, and then adopting the threat actor’s view to understand what they are targeting and which opportunities they are currently looking for. This requires cooperation with partners to identify threat actor behavior and targeting, which allows for proactive security measures.
“We're very heavy with partners,” says Bovicelli. “We have great partners with getting as much proximity as we can in underground places with the threat actors themselves to really recognize what they're doing and try to understand what they're doing. But that's how you scale it. You're essentially just focusing on the initial access vectors that you can detect that, you know, are accurate.”
With that knowledge in place, Bovicelli’s team can then proactively reach out to their clients and alert them to potential risk. Depending on the client’s sophistication and IT setup, this can be a quick call to warn of a threat or a longer dialogue. The goal, though, is to not overwhelm the client with numerous alerts.
Instead, keep security actionable, understandable, and relevant. This can close off initial access vectors before an incident occurs.
Why modeling organizational threat environments is critical
Part and parcel of securing initial access vectors is that organizations need to understand their own environment. This may mean stepping back from the news cycle. Organizations should prioritize the development of proactive intelligence, Bovicelli says, and focus less on generic news stories about attacks or patch warnings.
In practice, this means organizations need to be focused on modeling and understanding their own threat environment, across different attack types—whether that be technical or more focused on the human element.
“It really does come down to threat modeling and understanding if social engineering attacks are going to be your weak spot,” says Bovicelli. “Because you're relying on some third party IT help desk. Well, so be it. So that is a vector that you have to address…[on the other hand], if they're attacking every Exchange server, and if you're using Exchange, you're going to be targeted.”
Relatedly, organizations need to rethink what it means for a vulnerability in their environment to be considered critical. This requires understanding how the organization structures its environment, as well as understanding the likelihood of a specific vulnerability being exploitable.
For example, organizations frequently scramble to address vulnerabilities with a CVSS score of 10. But a lower-rated vulnerability may be significantly more likely to be exploited. In these cases, organizations need to be flexible and prioritize patching the vulnerabilities that are most likely to impact them.
How attackers are targeting SMBs
With visibility into over 20,000 organizations, Bovicelli also warns of a larger shift in the threat landscape. While the news still focuses on attacks and breaches of large organizations, SMB attacks often fly under the radar. However, SMBs are being increasingly targeted.
These attacks are often conducted at scale, as large opportunistic campaigns against numerous SMBs at a time. However, SMB IT administrators may be unaware of the targeting because the news does not cover these operations, giving them a “false sense of security,” according to Bovicelli.
In particular, Bovicelli warns of a tide of ransomware attacks targeting thousands of SMBs per year. These attacks often start with threat actors using optimized brute forcing tools to compromise SSL VPN and other services as initial access vectors. This focus can yield thousands of initial access opportunities.
Threat actors also realize that many SMBs may not properly secure their devices and networks. For example, SMBs may not have in place security controls like account lockout policies, multi-factor authentication (MFA), or checks for multiple failed login attempts. Should SMBs implement security measures like MFA, securing administrative account access, and lockout policies, Bovicelli estimates that it would reduce over 90% of the risk impacting global SMBs.
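As an added illustration of the “checks for multiple failed login attempts” control mentioned above (example code written for this recap, not from the podcast or Tokio Marine HCC), the detector below runs over constructed SSL VPN authentication log lines and flags both the classic one-account brute force that a lockout policy stops and the many-accounts password spray that per-account lockout alone does not catch. The log format, field names and thresholds are assumptions; a real appliance’s syslog will need its own regex.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SSL VPN auth log lines (format is an assumption): one source
# hammering one account, one source spraying several accounts, one benign typo.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z vpn auth FAIL user=jsmith src=203.0.113.7
2024-05-01T08:00:03Z vpn auth FAIL user=jsmith src=203.0.113.7
2024-05-01T08:00:05Z vpn auth FAIL user=jsmith src=203.0.113.7
2024-05-01T08:00:07Z vpn auth FAIL user=jsmith src=203.0.113.7
2024-05-01T08:00:09Z vpn auth FAIL user=jsmith src=203.0.113.7
2024-05-01T08:10:00Z vpn auth FAIL user=admin src=198.51.100.9
2024-05-01T08:10:02Z vpn auth FAIL user=backup src=198.51.100.9
2024-05-01T08:10:04Z vpn auth FAIL user=helpdesk src=198.51.100.9
2024-05-01T09:00:00Z vpn auth FAIL user=mlee src=192.0.2.40
2024-05-01T09:00:30Z vpn auth OK user=mlee src=192.0.2.40
"""

LINE_RE = re.compile(r"^(\S+) vpn auth (FAIL|OK) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Yield (timestamp, outcome, user, src) for each line matching the format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def detect(log_text, max_failures=5, max_accounts=3, window=timedelta(minutes=5)):
    """Flag (a) >= max_failures failures on one account from one source inside
    `window` (what an account lockout policy stops) and (b) one source failing
    against >= max_accounts distinct accounts (a spray). Alerts in log order."""
    fails, sprays, alerts = defaultdict(list), defaultdict(list), []
    for ts, outcome, user, src in parse(log_text):
        if outcome != "FAIL":
            continue
        key = (src, user)
        fails[key] = [t for t in fails[key] if ts - t <= window] + [ts]
        if len(fails[key]) >= max_failures:
            alerts.append(("brute_force", src, user))
            fails[key] = []          # reset so one burst raises one alert
        sprays[src] = [(t, u) for t, u in sprays[src] if ts - t <= window] + [(ts, user)]
        users = {u for _, u in sprays[src]}
        if len(users) >= max_accounts:
            alerts.append(("password_spray", src, len(users)))
            sprays[src] = []
    return alerts
```

Call `detect(SAMPLE_LOG)` to see the two alerts; the lone failed attempt from 192.0.2.40 followed by a success stays silent.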
Listen to the full episode of the Future of Threat Intelligence Podcast with Alex Bovicelli, Senior Director, Threat Intelligence at Tokio Marine HCC HERE.