Emerging Middle Market Cyber-Attack Vectors: Are You at Risk? | Ankura
The concept of “security by obscurity” is officially outdated. In recent years, cyber-attacks have become increasingly sophisticated, destructive, and indiscriminate. In today’s landscape, cyber threats can come from internal employees, hacktivist groups, and even nation-states. But, more often than not, it is financially-motivated hacking crews that are behind the attacks seen most commonly today. Unfortunately, for most companies, the security budget and resources committed to defending against attacks have not increased to meet the rising threats.
This is especially true for middle market companies who are often faced with limited resources to invest in cybersecurity despite their growing IT footprint. Hackers know that small and midsize companies are less likely to have strong security controls and threat detection capabilities in place and are therefore easier to compromise. In addition, many middle market companies are less capable of enduring an interruption in business operations than larger organizations – making them more vulnerable to ransomware and other attacks aimed at disrupting “business as usual.”
The average cost of a data breach is now estimated to be $4.35 million; for companies based in the U.S., that average is nearly twice as high at $9.44 million.  To make matters worse, the impacts of cyber breaches don’t just stop at the financial costs; there is also the reputational damage that can result from the fallout. For many midsize companies, the potential impact of a serious data breach represents an existential threat.
In addition, middle-market companies are being targeted more frequently by attackers and are more likely to experience a security breach.
- Since 2019, mid-sized businesses are 490% more likely to experience a security breach than large corporations. 
- 73% of middle market companies expect to experience a cyber-attack in the near future. 
- On average, it takes 197 days to discover a breach and up to 69 days to contain it. 
Now more than ever, in this heightened threat environment, it is paramount for middle-market companies to understand the different types of cyber-attacks and the risks they pose. Remaining vigilant and reducing the time it takes to detect, contain, and suppress a threat is the first step in building a cyber defense program.
So, what should middle-market companies be on the lookout for?
In this article, we will explore some of the most common and emerging cyber-attack vectors being used against middle-market companies, as well as some emerging trends to be aware of.
What is an attack vector?
An attack vector is a means by which an attacker can exploit a vulnerability to access a system or network. Attack vectors are typically viewed as a specific path or method that an attacker can use to reach their target. In many cases, an attacker will use multiple vectors in order to gain access to a system or network and then move laterally within the environment to achieve their objectives.
In general, there are two main types of attack vectors – passive and active.
What are the differences between passive and active attack vectors?
Passive Attack Vectors
Hackers use passive attack vectors to gain access to systems and networks without the user’s knowledge or consent and without disrupting the victim system’s operations. Hackers will often use an initial spear phishing email to install malicious software on a computer that allows them to capture and monitor traffic passing through the infected machine. Hackers are typically looking to obtain user log-in credentials – usernames and passwords – they can then use to gain initial access to a network and to maintain persistent access. Oftentimes, the passive attacks used to gain initial access are difficult to detect because the attacker behavior closely resembles that of a remote user. Once the hacker has gained access, they can then use active attack vectors to further exploit the system. Some of the most common types of passive attack vectors include spying on network traffic, sniffing passwords, and tampering with data.
Active Attack Vectors
Active attack vectors are used by hackers to interact directly with systems and networks in order to gain privileged access, make system changes, or create additional backdoors enabling ongoing access to a victim’s network. Unlike passive vectors, active attack vectors require the hacker to have some level of real-time interaction with the system or network. This can be through exploiting a known software vulnerability or taking advantage of a system misconfiguration. Active attack vectors are generally more difficult to execute than passive attack vectors, but they can be more damaging because the hacker can obtain direct control over the system or network. Man-in-the-middle attacks, whereby an attacker can eavesdrop or masquerade as a company executive, vendor, or other trusted party after compromising an email account, represent a growing segment of cyber attacks seen in recent years.
Now that we’ve covered some basics on attack vectors, let’s take a look at some of the most common cyber attack vectors being used against middle-market organizations.
Seven common attack vectors for middle market companies and how to avoid them
#1 Compromised Credentials
One of the most common ways that hackers gain access to a company’s network is by compromising, stealing, or otherwise obtaining user credentials – that is, the username and password of an authorized user. Once the hacker has these credentials, they can log in to the system as if they were the legitimate user and gain access to all of the data and resources that the user has permission to. There are a few different ways that hackers can obtain user credentials, including social engineering, brute force attacks, and SQL injections. And since many people use the same username and password combination for multiple accounts, obtaining the credentials from one platform may enable access to many others.
Tips for avoiding a compromised credential cyber attack:
- Implement two-factor authentication – While it is not foolproof, requiring users to have two different forms of identification, such as a password and a code that is sent to their phone, can greatly reduce the threat of compromised credentials.
- Establish strong organization-wide password policies – Establishing and enforcing password policies that require employees to use strong, unique passwords that are regularly changed can help improve overall security.
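The two patterns behind most credential compromise at scale are credential stuffing (one source trying a stolen username/password list against many accounts) and brute force (one source hammering a single account). The following detection logic is an added example, not code from the original article or from Ankura; the log format (`<ISO timestamp> <source IP> <username> <FAIL|SUCCESS>`), the sample lines and the thresholds are constructed assumptions, and it also reports a successful login from a source already flagged, which is the signal a defender most wants to see quickly.

```python
"""Detect credential-stuffing and brute-force login patterns in an auth log.

Added example, not from the original article. The log format is a constructed,
hypothetical one: "<ISO timestamp> <source IP> <username> <FAIL|SUCCESS>".
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample log, not real traffic (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2024-03-01T08:00:01 203.0.113.7 alice FAIL
2024-03-01T08:00:02 203.0.113.7 bob FAIL
2024-03-01T08:00:03 203.0.113.7 carol FAIL
2024-03-01T08:00:04 203.0.113.7 dave FAIL
2024-03-01T08:00:05 203.0.113.7 erin FAIL
2024-03-01T08:00:06 203.0.113.7 frank SUCCESS
2024-03-01T08:05:00 198.51.100.4 alice FAIL
2024-03-01T08:05:30 198.51.100.4 alice SUCCESS
2024-03-01T09:00:00 192.0.2.9 bob FAIL
2024-03-01T09:00:01 192.0.2.9 bob FAIL
2024-03-01T09:00:02 192.0.2.9 bob FAIL
2024-03-01T09:00:03 192.0.2.9 bob FAIL
2024-03-01T09:00:04 192.0.2.9 bob FAIL
2024-03-01T09:00:05 192.0.2.9 bob FAIL
"""


class Event(NamedTuple):
    ts: datetime
    ip: str
    user: str
    result: str


def parse_log(text):
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), ip, user, result))
    return events


def detect(events, window=timedelta(minutes=5), fail_threshold=5, user_threshold=4):
    """Return sorted (ip, kind, subject) alerts.

    credential_stuffing:    one source fails against >= user_threshold distinct accounts in a window
    brute_force:            one source fails >= fail_threshold times against one account in a window
    success_after_failures: a successful login from a source already flagged (likely compromised credential)
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):          # sorted by timestamp first
        by_ip[ev.ip].append(ev)
    alerts = set()                     # a set so each pattern is reported once
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):
            # every failure within `window` of this event, from the same source
            fails = [e for e in evs[i:] if e.ts - start.ts <= window and e.result == "FAIL"]
            per_user = Counter(e.user for e in fails)
            if len(per_user) >= user_threshold:
                alerts.add((ip, "credential_stuffing", "*"))
            for user, n in per_user.items():
                if n >= fail_threshold:
                    alerts.add((ip, "brute_force", user))
        if any(a[0] == ip for a in alerts):
            for e in evs:
                if e.result == "SUCCESS":
                    alerts.add((ip, "success_after_failures", e.user))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample data the first source is reported for stuffing and for the success that followed it (the `frank` account should be treated as compromised and its sessions revoked), the third source for brute force against `bob`, and the second source, a user who simply mistyped once, is not reported at all. The thresholds are the tuning knobs; the multi-account check is the one that catches password reuse across platforms.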
#2 Phishing
Social engineering via email is one of the most common ways that cybercriminals gain initial access to a company’s network. This is often done through phishing, where the attacker sends an email that appears to be from a legitimate source, such as a bank or service provider. The email will usually contain a link or attachment that, when clicked, will install malicious software on the victim’s computer. This software can then be used to gain access to the company’s network and data.
Tips for avoiding a phishing cyber attack:
- Conduct regular user awareness training – Making sure that employees are aware of and understand the dangers of phishing scams, how to avoid them, how to recognize them, and how to report them can help defend and detect one of the most common attacks that seek to compromise credentials.
- Implement and regularly update email filters – Spam and unwanted-email filters can help block suspicious emails before they reach employee inboxes. Keep these filters updated regularly so that they remain effective against the latest cyber threats.
- Implement advanced endpoint threat detection and response tools – Standard antivirus protection may not prevent malicious code delivered through a phishing email from executing on one of your endpoints. Deploying an advanced threat detection sensor on every endpoint that can detect unusual processes or suspicious files can make the difference between a successful attack and a close call.
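A mail filter earns its keep on exactly the three indicators the paragraph above describes: a sender that looks like a trusted brand but is not, a link whose visible text differs from where it actually goes, and an attachment type that executes. The scoring below is an added example, not code from the original article or from Ankura; the trusted-domain list, the message dictionaries, the risky-extension list and the sample messages are all constructed assumptions, and the lookalike check uses plain edit distance rather than any vendor product.

```python
"""Score inbound e-mail for common phishing indicators.

Added example, not from the original article. The trusted-domain list, the
message shape ({"from", "links", "attachments"}) and the sample messages are
constructed assumptions.
"""
import os
import re
from email.utils import parseaddr

TRUSTED_DOMAINS = {"acmebank.example", "payroll.example"}   # assumed brands the company deals with
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".bat", ".iso"}


def levenshtein(a, b):
    """Edit distance; two or fewer edits is our lookalike threshold ('rn' for 'm', dropped letters)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(value):
    """Host part of an e-mail address or URL, lower-cased."""
    value = value.strip().lower()
    if "@" in value:
        return value.rsplit("@", 1)[1]
    m = re.match(r"^(?:https?://)?([^/:?#]+)", value)
    return m.group(1) if m else value


def assess(message):
    """Return a list of human-readable findings; an empty list means nothing suspicious was seen."""
    findings = []
    display_name, addr = parseaddr(message["from"])
    sender = host_of(addr)
    if sender not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if levenshtein(sender, trusted) <= 2:
                findings.append(f"lookalike sender domain: {sender} resembles {trusted}")
            brand = trusted.split(".")[0]
            if brand in display_name.lower().replace(" ", ""):
                findings.append(f"display name '{display_name}' claims {brand} but sender is {sender}")
    for text, href in message.get("links", []):
        # visible text names a domain, but the real target is somewhere else
        if re.search(r"[a-z0-9-]+\.[a-z]{2,}", text.lower()) and host_of(text) != host_of(href):
            findings.append(f"link text points to {host_of(text)} but target is {host_of(href)}")
    for name in message.get("attachments", []):
        if os.path.splitext(name.lower())[1] in RISKY_EXTENSIONS:
            findings.append(f"risky attachment type: {name}")
    return findings


# Constructed sample messages, not real mail.
SAMPLE_MESSAGES = [
    {"from": "Acme Bank <security@acmebank.example>",
     "links": [("https://acmebank.example/login", "https://acmebank.example/login")]},
    {"from": "Acme Bank <security@acrnebank.example>",          # 'rn' masquerading as 'm'
     "links": [("Sign in", "https://acrnebank.example/login")]},
    {"from": "IT Support <help@payroll.example>",
     "attachments": ["invoice.pdf.exe"]},
    {"from": "Alice <alice@partner.example>",
     "links": [("https://acmebank.example/statements", "http://203.0.113.5/login")]},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["from"], "->", assess(msg) or "clean")
```

The first message is clean; the second trips both the lookalike and the brand-impersonation checks; the third is flagged only for the double-extension attachment, which is why content checks must run even for mail from a trusted domain; the fourth is caught by the link-text mismatch alone. Any of these findings is a reason to quarantine the message for review rather than deliver it.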
#3 Misconfiguration
Hackers may also gain access to a company’s network by taking advantage of misconfigurations – systems or services that were not set up securely. For example, a hacker may find an error in how a company set up a cloud storage environment, allowing unauthorized access to the environment without being detected. Or, a rapidly expanding company may have short-term coverage gaps resulting in internet-connected devices not having basic endpoint protection software enabled.
The nimbleness of growing middle-market companies can make them more likely to develop misconfiguration vulnerabilities as they are constantly in motion, migrating data to new platforms, systems, and cloud environments. Add acquisitions to the picture and the chances that even a temporary misconfiguration issue could emerge rise even higher.
Tips for avoiding a misconfiguration cyber attack:
- Perform regular security audits – Conducting regular audits of your system’s configuration can help identify any potential vulnerabilities that could be exploited by hackers.
- Carefully monitor network traffic and user access patterns – The ability to rapidly detect unusual inbound or outbound connections or recognize unusual system access is critical to defending against misconfiguration exploits.
- Ensure that data is properly encrypted – Encrypting data can help prevent it from being accessed by unauthorized users, even if they are able to bypass other security measures.
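A "regular security audit" of configuration is most useful when it is a script that runs on every change rather than a yearly checklist. The audit below is an added example, not code from the original article or from Ankura: it walks a constructed asset inventory, evaluates each storage bucket's access policy (written in the AWS IAM policy JSON shape) to find statements that grant anonymous access, and reports missing encryption at rest and endpoints with no protection agent. The inventory, bucket names, policies, the example account id and host records are all constructed.

```python
"""Audit a small asset inventory for the three misconfigurations described above.

Added example, not from the original article. The inventory, the bucket policies
(AWS IAM policy JSON shape) and the host records are constructed assumptions.
"""
import json


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def statement_is_public(stmt):
    """True for an Allow statement granted to everyone ('*') with no Condition narrowing it."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    anyone = principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))
    )
    return anyone and not stmt.get("Condition")


def public_actions(policy_json):
    """Actions the policy grants to anonymous callers."""
    policy = json.loads(policy_json)
    actions = []
    for stmt in _as_list(policy.get("Statement")):
        if statement_is_public(stmt):
            actions.extend(_as_list(stmt.get("Action")))
    return actions


def audit(inventory):
    """Return (asset, severity, finding) tuples for everything that needs fixing."""
    findings = []
    for bucket in inventory["storage"]:
        acts = public_actions(bucket["policy"])
        if acts:
            findings.append((bucket["name"], "high", "public access: " + ", ".join(acts)))
        if not bucket["encryption_at_rest"]:
            findings.append((bucket["name"], "medium", "no encryption at rest"))
    for host in inventory["endpoints"]:
        if not host["edr_agent"]:
            severity = "high" if host["internet_facing"] else "medium"
            findings.append((host["name"], severity, "no endpoint protection agent"))
    return findings


# Constructed inventory; 123456789012 is the account id used in AWS documentation examples.
SAMPLE_INVENTORY = {
    "storage": [
        {"name": "customer-exports", "encryption_at_rest": False,
         "policy": json.dumps({"Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
              "Resource": "arn:aws:s3:::customer-exports/*"}]})},
        {"name": "internal-backups", "encryption_at_rest": True,
         "policy": json.dumps({"Version": "2012-10-17", "Statement": [
             {"Effect": "Allow",
              "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
              "Action": ["s3:PutObject", "s3:GetObject"],
              "Resource": "arn:aws:s3:::internal-backups/*"}]})},
        {"name": "cdn-assets", "encryption_at_rest": True,
         "policy": json.dumps({"Version": "2012-10-17", "Statement": [
             {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
              "Resource": "arn:aws:s3:::cdn-assets/*",
              "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0example"}}}]})},
    ],
    "endpoints": [
        {"name": "web-01", "internet_facing": True, "edr_agent": False},
        {"name": "web-02", "internet_facing": True, "edr_agent": True},
        {"name": "laptop-17", "internet_facing": False, "edr_agent": False},
    ],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding)
```

The conditioned `cdn-assets` statement is deliberately not reported as public, because the `Condition` limits who the wildcard applies to; in a real audit that statement would still be listed for human review. Running this kind of check from the pipeline that migrates data to a new platform is what closes the "temporary misconfiguration" window the paragraph warns about.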
#4 Software Vulnerabilities
Attackers often learn about a software vulnerability the same way the rest of us do: when the vendor releases a patch. Once the word is out on a critical vulnerability, the race is on. Can you apply the patch faster than an attacker can identify and exploit your vulnerability? A healthy security program will put an emphasis on applying critical patches promptly to minimize this risk.
Zero-day vulnerabilities are a somewhat different story. A zero-day vulnerability is a security flaw that is unknown to the software developer or user community but may be known to an attacker. These types of vulnerabilities can be extremely dangerous in the hands of an attacker because they provide an information advantage that can be exploited by hackers before the developer has a chance to patch the hole. Zero-day vulnerabilities are often found in widely used software, such as web browsers and office suites. Not all zero-day vulnerabilities represent a high risk to middle market firms since many would require significant time and expertise to exploit effectively. But some, such as Log4J or SolarWinds, represent real and present danger to any organization unlucky enough to be running the software.
Another famous case of a zero-day vulnerability is the Heartbleed bug that was announced in 2014 and affected the OpenSSL library – a widely used implementation of the SSL/TLS security protocol that, at the time, was used by most social media companies, including Facebook and Twitter. This vulnerability allowed hackers to access the private information of users, including passwords and credit card numbers, for over two years before it was discovered.
Tips for avoiding a software vulnerability cyber attack:
- Install updates and patches as soon as they are available – Keeping your software up-to-date with the latest security patches is one of the best ways to protect against zero-day vulnerabilities.
- Use reputable security software – Security software, such as antivirus and antimalware programs, can help protect your system against known threats, as well as new ones that have not been discovered yet.
- Monitor your system for anomalous activity – Keeping an eye out for signs of an attack, such as unusual activity on your network or strange messages from your contacts, can help you to identify a problem before it becomes serious.
#5 Browser Vulnerabilities
Browser-based attacks are a type of cyber attack that uses browser vulnerabilities to gain access to a system. These types of attacks are often carried out by planting malicious code on websites that are visited by the victim. When the victim visits the infected website, the malicious code is executed and can allow the attacker to take control of the infected system. Browser-based attacks can be extremely dangerous because they can be carried out without the target’s knowledge. In some cases, the only way to know that you have been attacked is if you notice unusual activity on your system.
Tips for avoiding a browser vulnerability cyber attack:
- Use a reputable browser – Some browsers are more secure than others. When choosing a browser, be sure to do your research to find one that offers good security features.
- Keep your browsers up-to-date – Browser developers regularly release updates that include security patches for new vulnerabilities. Therefore, it is important to keep your browser up-to-date in order to protect against these types of attacks.
- Implement advanced DNS connection monitoring – Your firewalls should block connections to sites known to be malicious. Attackers know this and will try to use new sites that are not on firewall block lists. Monitoring and scrutinizing new or unusual connections is an effective way to detect browser exploits.
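The tip above rests on one observation: a block list can only contain what is already known, so the useful signal is a name the network has never resolved before, especially one that only a single host asks for. The detection below is an added example, not code from the original article or from Ankura. The DNS log format (`<date> <client IP> <query name>`) and the sample records are constructed, and collapsing a name to its last two labels is a deliberate simplification (a production version would use the Public Suffix List).

```python
"""Flag DNS names that have never been seen on the network before.

Added example, not from the original article. The log format "<date> <client IP> <query name>"
and the sample records are constructed; the two-label 'registrable domain' rule is a
simplification (a real implementation would consult the Public Suffix List).
"""
from collections import defaultdict

# Constructed history covering the days before the one under review.
BASELINE_LOG = """\
2024-02-26 10.0.0.11 www.example.com
2024-02-26 10.0.0.12 mail.example.com
2024-02-27 10.0.0.11 updates.vendor.example
2024-02-28 10.0.0.13 www.example.com
2024-02-29 10.0.0.12 portal.office.example.net
"""

# Constructed log for the day under review.
TODAY_LOG = """\
2024-03-01 10.0.0.11 www.example.com
2024-03-01 10.0.0.14 cdn.vendor.example
2024-03-01 10.0.0.14 login-acmebank-verify.example
2024-03-01 10.0.0.14 a8f3k2q.dropzone.example
2024-03-01 10.0.0.12 a8f3k2q.dropzone.example
"""


def registrable(qname):
    """Collapse a query name to its last two labels so subdomain churn does not hide a known domain."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse(text):
    for line in text.splitlines():
        if line.strip():
            date, client, qname = line.split()
            yield date, client, qname


def build_baseline(text):
    """Set of registrable domains the network has resolved during the baseline period."""
    return {registrable(q) for _, _, q in parse(text)}


def first_seen(baseline, text):
    """Map each never-before-seen registrable domain to the sorted list of clients that queried it."""
    hits = defaultdict(set)
    for _, client, qname in parse(text):
        dom = registrable(qname)
        if dom not in baseline:
            hits[dom].add(client)
    return {d: sorted(c) for d, c in hits.items()}


def prioritize(hits):
    """Single-client domains first: a name only one host resolves is the shape a fresh phishing site or drop site takes."""
    return sorted(hits, key=lambda d: (len(hits[d]), d))


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    new = first_seen(baseline, TODAY_LOG)
    for dom in prioritize(new):
        print(dom, "queried by", ", ".join(new[dom]))
```

`www.example.com` and `cdn.vendor.example` are quiet because their domains are in the baseline, while the two unseen domains are surfaced with the list of hosts that asked for them, which is the starting point for checking whether those hosts received a phishing email or a drive-by download. The baseline should be rebuilt continuously (yesterday's alerts that were cleared become today's baseline), otherwise the alert volume never drops.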
#6 Supply Chain Attacks
Another cyber attack vector that is often overlooked is trust relationships with third-party vendors. In many cases, cyber-attacks are successful because hackers are able to exploit trust relationships between organizations. For example, if Organization A has a trust relationship with Organization B, a hacker may be able to gain access to Organization A’s systems by compromising Organization B’s systems. Therefore, it is important for organizations to carefully vet their third-party partners and make sure that they have strong security measures in place.
One of the most famous cases of a hacker exploiting a trust relationship occurred in 2014 when a cyber attack against Target resulted in the theft of over 40 million credit card numbers. The hackers gained access to Target’s systems by compromising the systems of a company that provided heating, ventilation, and air conditioning support services to Target stores. This trust relationship allowed the hackers to bypass Target’s security measures and gain access to sensitive data.
Tips for avoiding a supply chain cyber attack:
- Be aware of trust relationships – When setting up trust relationships between organizations, be sure to carefully consider the security implications of doing so. For instance, a third-party IT vendor has different security implications than a shipping vendor.
- Vet third-party partners – When working with third-party partners, be sure to thoroughly vet them to ensure that they have strong security measures in place. Establishing a seamless third-party due diligence and vetting process can help to ensure that only trusted partners are given access to your systems, and only the systems that they should have access to.
- Monitor third-party connections and access controls – Once trust relationships are established, it is important to monitor them for any unusual activity. For instance, if you notice that a third-party partner is regularly accessing data that they should not have access to, it could be a sign that their systems have been compromised.
#7 Insider Threats
Occasionally, malicious actors can also come from within your organization. People already behind the company firewall pose an elevated threat because they often possess authorized access to sensitive systems and data or even have privileged administrative rights to control critical systems, disable defenses, and exfiltrate data. Additionally, insiders may have extensive knowledge about cybersecurity architectures and how their companies respond to cyber threats. These skills are useful in gaining access to restricted places, changing security settings, or deducing the best possible time for cyber attacks. Insider threats are difficult to identify and usually require comprehensive activity monitoring; however, there are steps that can be taken to mitigate these threats.
Tips for avoiding an internal cyber attack:
- Restrict access to critical systems and data – Limit access to critical systems and data on a need-to-know basis. This will help to reduce the chances of an insider threat being able to compromise your systems.
- Develop comprehensive data protection and classification policies – Classifying data according to its sensitivity level will help to ensure that only authorized people have access to sensitive information. Additionally, implementing comprehensive data protection policies will help to reduce the chances of an insider threat actor being able to steal or delete critical data.
- Enable logging and deploy user behavior analytics and threat detection techniques – Even a sophisticated insider threat actor will eventually create unusual activity patterns that can be detected, but only if you are collecting and analyzing the right logs and using the right detection playbooks.
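The third-party monitoring tip in the supply chain section ("a partner regularly accessing data that they should not have access to") and the logging tip above ("unusual activity patterns that can be detected, but only if you are collecting and analyzing the right logs") are the same detection problem seen from two angles, so one example serves both. It is an added example, not code from the original article or from Ankura: the access-log shape, the allowed-scope table, the account names and the generated records are constructed assumptions. It runs three checks over a day of access events against a week of baseline: access outside an account's allowed resource scope, volume well above that account's daily average, and activity outside business hours.

```python
"""Detect out-of-scope, high-volume and off-hours access in a resource access log.

Added example, not from the original article. The access-log shape
(timestamp, principal, resource, action), the allowed-scope table, the account
names and all records are constructed assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta

# Assumed scope table: which resource prefixes each account may legitimately touch.
ALLOWED_SCOPE = {
    "vendor-hvac": ("bms/",),              # third-party building-management contractor
    "jsmith": ("finance/", "shared/"),     # internal finance analyst
}


def build_baseline_log(days=5):
    """Constructed 'normal' history: the vendor reads 2 BMS files a day, jsmith 3 finance files a day."""
    rows = []
    for d in range(days):
        day = datetime(2024, 2, 19) + timedelta(days=d)
        for h in (9, 14):
            rows.append((day.replace(hour=h), "vendor-hvac", "bms/chiller-telemetry.csv", "read"))
        for h in (10, 11, 15):
            rows.append((day.replace(hour=h), "jsmith", f"finance/q1-report-{h}.xlsx", "read"))
    return rows


def build_window_log():
    """Constructed day under review: the vendor account strays into finance, jsmith pulls twelve files at 2 a.m."""
    day = datetime(2024, 2, 26)
    rows = [
        (day.replace(hour=9), "vendor-hvac", "bms/chiller-telemetry.csv", "read"),
        (day.replace(hour=9, minute=5), "vendor-hvac", "finance/payroll.xlsx", "read"),
        (day.replace(hour=14), "vendor-hvac", "bms/chiller-telemetry.csv", "read"),
    ]
    for m in range(12):
        rows.append((day.replace(hour=2, minute=m), "jsmith", f"finance/customer-list-{m}.csv", "download"))
    return rows


def analyze(baseline, window, scope=ALLOWED_SCOPE, volume_factor=3, business_hours=(7, 19)):
    """Return sorted (principal, kind, detail) alerts for the window, judged against the baseline."""
    alerts = set()
    # 1. scope check: applies to third parties and insiders alike
    for ts, who, resource, action in window:
        if not any(resource.startswith(p) for p in scope.get(who, ())):
            alerts.add((who, "out_of_scope", resource))
    # 2. volume check: events per day versus that principal's baseline daily average
    base_days = len({ts.date() for ts, *_ in baseline})
    base_counts = Counter(who for _, who, _, _ in baseline)
    win_counts = Counter((who, ts.date()) for ts, who, _, _ in window)
    for (who, day), n in win_counts.items():
        avg = base_counts[who] / base_days if base_days else 0
        if n > volume_factor * max(avg, 1):
            alerts.add((who, "volume_anomaly", f"{n} events vs baseline ~{avg:.1f}/day"))
    # 3. off-hours check
    start, end = business_hours
    for ts, who, _, _ in window:
        if not (start <= ts.hour < end):
            alerts.add((who, "off_hours", ts.date().isoformat()))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in analyze(build_baseline_log(), build_window_log()):
        print(alert)
```

The vendor account is reported once, for the single read of `finance/payroll.xlsx`; its volume is normal, which is exactly why scope checks must not depend on volume. The analyst is reported twice, for volume and for the 2 a.m. timing, even though every file touched was inside the allowed scope. None of the three checks needs the attacker to do anything technically unusual, only something unusual for that account, which is the premise of user behavior analytics.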
An MDR (managed detection and response) partner can help you secure your organization with expert guidance, best-in-class technology, and around-the-clock monitoring and support.
A data breach can have devastating consequences for your business, including loss of customers, reputation damage, and hefty ransoms (and potentially fines). Being cognizant of the many ways cybercriminals exploit vulnerabilities is critical to keeping your data safe.
As mentioned in this article, engaging your users as part of your defense strategy by conducting proper training on cyber threats and best practices, vetting third-party vendors, performing regular security audits, implementing strong security protocols, and investing in robust logging and monitoring solutions will strengthen your security posture and defend you from breaches.
However, the resources required to do all of this (let alone do it well) can be scarce. This is where an MDR solution comes in, as it can provide your organization with both the advanced tools and the experience and expertise to deliver the comprehensive protection you need to defend against cyber threats – without breaking the bank. It can also give you the peace of mind of having a team of seasoned cybersecurity experts at your side at all times, and, when an attack occurs, deliver savings. For instance:
- On average, organizations with a dedicated Incident Response team who have tested their response can save $2.66 million when breaches occur, often because they can prevent costs (ransomware payments, etc.) from occurring in the first place.
- Organizations that contain a data breach in 200 days or less save $1.12 million on average. 
- Organizations that fully deploy AI and automation programs to identify and contain breaches generate $3.05 million in cost savings and realize a faster response time by more than 28 days.