Video: 2025 SMB Security Gaps Exposed: What the Threat Report Reveals | Duration: 1836s | Summary: 2025 SMB Security Gaps Exposed: What the Threat Report Reveals | Chapters: Welcome and Introduction (6.16s), Introducing SMB Report (63.78s), SMB Threat Analysis (116.67s), Ransomware Dominates Threats (247.38s), Targeting Vulnerable Organizations (507.35498s), RDP Security Risks (694.51s), Detection in Depth (837s), Targeted Attack Patterns (1302.8251s), Reducing Security Risks (1521.475s), Conclusion and Action (1619s)
Transcript for "2025 SMB Security Gaps Exposed: What the Threat Report Reveals":

Alrighty. We're live. Hey, everyone. I'm just gonna give everybody a couple minutes to join, then we can get things started. Alrighty. Hi, everybody. Welcome to today's session, 2025 SMB Security Gaps Exposed: What the Threat Report Reveals. Just a few items before we begin. If you have any questions throughout the broadcast, please submit them through the Q&A tab on the right-hand side of the webinar console. We'll have a look at them and answer the questions at the end of the session. Also, we'll be recording today's session, so be on the lookout for an email with the link later this week. And with that, I will hand it off to our host, Andrew, to kick things off.

Sure. Yeah. Thanks so much for the intro there. If anyone saw me chuckling, I always enjoy seeing greetings from New York City. Everyone, good to see you. Not subtle at all. I'm right here in the heart of Broadway in New York City. I'm joined today by John Shier from our field CISO team. And, John, you're in a different city. Whereabouts are you today?

I'm just outside of Toronto. Just a little bit north of you.

Perfect. Hopefully the weather is treating you good there, but, of course, British guy talks about the weather. We're not here to talk about weather, in the literal sense. We are here to talk about the new report that's just been released. And, John, will you just dig into that first of all? We're highlighting SMBs in this report. Why did we decide to do that this year?

Yeah. So in the last couple years, we've just been a little bit more prescriptive about the focus of the report, as it pertains to the data that's both analyzed and also included in the report. So, obviously, you know, we've got customers from small businesses all the way up to enterprise organizations. 
And throughout the year, you're gonna see reports come out from all sorts of vendors, and many try to cover the entirety of the threat landscape. And that's really important. It's good to have that high-level, comprehensive visibility. But we also know that we've got deep expertise in protecting SMBs, which account for the vast majority of businesses worldwide. And so that's the target of most cybercriminals as well. They're gonna go where most of the businesses are. So for our part, we wanna give those businesses a fairly accurate view of the threat landscape as it relates to them. And what we've done in this report is we've taken telemetry from that segment and analyzed it. Telemetry comes from a couple places. So the first place is what we call customer data or endpoint data. And this is very simply just detection telemetry that comes from Sophos endpoints and Sophos-managed systems. And that gives us a pretty broad view of the threats that were encountered in the last year. And then the data are analyzed within SophosLabs. The other set is what we call incident response data. So this consists of both data gathered in the course of escalations driven by detections of malicious activity on MDR, so Managed Detection and Response, customer networks, and also Sophos Incident Response data. So these are incidents from customer networks or other organizations that call us, all from 500 employees or fewer, where there was basically little or no Managed Detection and Response protection in place. So both these data sets are treated as a combined set of incident response data. And just a small caveat here that SecureWorks incident and detection data was not included in this report, as it was based on pre-acquisition telemetry. So in the end, all that data gets aggregated together to give us a picture of the threat landscape for the calendar year of 2024 as it pertains to small and mid-sized companies.

Fantastic. 
Like you said, an incredibly valuable dataset out there for what is the vast majority of organizations in the world. So let's cut to the chase, John. What are some of those headlines? What are some of the big, important findings this year?

Certainly. Yeah. I'll give you some highlights. The least surprising one is that ransomware still dominates, especially in the incident response numbers, and that kind of makes sense. Right? A lot of companies are gonna need more help recovering from something like ransomware than they are from something else. But over seventy percent of SMBs were hit by ransomware in the past year. And, you know, that's a pretty big number, and we've been used to seeing ransomware for a while now. I mean, what is it? CryptoLocker was out in 2013, and we're coming up on the twelfth anniversary. Is it September, like September 5 or something like that? I can't remember the exact date. But, you know, the modern crypto ransomware that we're seeing today is really based on that originator in that space. And over the years, we've witnessed a couple of additional pressure tactics being added by ransomware criminals beyond just simply encrypting files, right? That's what they started doing, and then around, I think it was like 2019, they started stealing data on top of encryption. So instead of just demanding a payment for the decryption key, they were demanding a payment for the decryption key and also for the suppression of that data so that they wouldn't release it to the public. So this has become pretty commonplace in a lot of the ransomware attacks that we see today. And our data saw this as well: in at least 30% of cases, we were seeing that the criminals were attempting to steal data on top of encrypting things. Another highlight is that network edge devices really contributed a lot. 
Over a third of initial access in incident response was due to edge devices getting compromised. And in 15% of those cases that involved unpatched vulnerabilities. And when I say unpatched vulnerabilities, I mean vulnerabilities for which there was a patch available, but it hadn't been applied. And some of these patches have been available for more than a year for some of these devices. We're also seeing SaaS platforms being abused. These include some supply chain compromises, but also authentication-based attacks. You know, credential stuffing attacks against these platforms made up some pretty big news last year. We saw both Atlassian and Snowflake had some issues around compromised credentials, and those were being targeted by criminals in 2024. And this largely involved criminals using old breach credentials against these platforms, and because some of these customers, the customers of those companies that were the victims of these attacks, didn't have multifactor authentication turned on for the accounts that the criminals had the compromised credentials for, they were able to basically walk right through the front door and get the data of those victims. So old breaches and password reuse are a big reason why, you know, we require MFA for all central accounts, for example, but why it's a requirement in today's day and age when it comes to protecting against most cyber attacks. We're also seeing a rise in business email compromise. So the thing about BEC, business email compromise, is not only that they'll try to directly scam you out of money, but it can also be used to deploy additional threats. So much of this activity and the previous stuff I just mentioned is driven by malware as a service. Lots of infostealers out there are grabbing credentials and even some second factors and using those to reach organizations. 
And this is again why we need to move to that phishing-resistant form of multifactor authentication wherever possible. And finally, we saw a lot of SEO scams for legitimate applications. So when people are googling or, you know, binging things, you take your pick, the top results are often ads. And so what the criminals have been doing is they've been quite successful at exploiting the system, either by forcing their results to the top or, very often, just buying these ads. So, you know, some of these criminals make a lot of money. And so what they're doing is they're buying their way to the top, poisoning the top results. And while you might actually get the software that you're looking for when you click on one of these ads, you'll also, unfortunately, get a little nasty surprise on the side.

So John, what I heard there was that there is so much talk. You go around any cybersecurity conference and you're bound to see people talking about organizations, talking about the way that they defend against day zero attacks. And you're telling me I've got day 365 to worry about as well.

Yeah. Unfortunately, that is the case. And we're seeing that in a lot of organizations where the patches that are missing aren't just zero-days. They're n-days, as we call them. Right? And, unfortunately, I've seen in some other datasets that I work with, you know, up to thirteen hundred days.

Yeah. It's a bit of a shocker, and I know that's one thing that we've been seeing a lot of organizations kinda talk about, especially when we do focus on that small and mid-market space. I've heard organizations say to me, like, you know, I'm not a target. No one's coming after my data. What do you say to someone who thinks that they're in an organization that perhaps isn't likely to be targeted by, you know, the next nation-state actor? Easy for you to say. Right?

Yeah. 
I mean, the sort of glib answer is that, yeah, I guess you're not a direct target, but you're certainly an opportunity. When it comes to most of cybercrime, specifically most of cybercrime that's impacting smaller and mid-sized organizations, the criminals aren't looking and saying, oh, I wanna attack that flower shop right there. What they're looking for is opportunities, and very often those opportunities can present themselves in a couple of different ways. One of them, we just talked about: vulnerabilities. Right? So they're gonna scan the Internet for vulnerable devices. So if you think about your external presence, everything that is exposed to the Internet, not only can your customers see it, but the criminals can as well. And so they're gonna scan the Internet looking for exposed services, and especially exposed services with potential vulnerabilities. They'll exploit vulnerabilities if they can, but exposed services also bring in the second most common thing that criminals employ, which we also just talked about, which is compromised credentials. So if they see a VPN device that's hanging out, or just any kind of portal, they're going to try to log in if they've got the credentials, because they might match that up. If, for example, they're scanning a section of the Internet and they find a bunch of businesses with some services hanging out, they might look and see, well, are there breaches associated with that? They can take the domain and go to Have I Been Pwned. Right? And say, oh, there's a dataset. Go get that dataset and then log in. Or they'll do it the other way around. Right? They'll have a dataset of known compromised accounts, and then they'll try those against those companies. So yeah. Are you on a list somewhere that says, oh, we gotta tackle these companies? No. But because you are somehow vulnerable to something, you're a target of opportunity. 
I think that's a great segue, and we've seen tons of reports in the industry kinda using that phrase, that attackers are not just breaking in. Sometimes they're just logging in. And an unfortunately really popular way of logging in, I don't mean to trigger you, John, is RDP. Tell us what we're seeing with RDP these days. And I think you guys have a different meaning for that abbreviation.

Yeah. I call it the remote disaster protocol. Unfortunately, RDP is one of those ubiquitous technologies that is very useful for a lot of organizations to manage their remote fleet of assets. Right? And whether that's, you know, logging into servers or troubleshooting endpoints through RDP, or whatever the case may be. But unfortunately, the problem with RDP is if you hang it out on the Internet, that's again one of those targets that if you go to an engine like Shodan, right, or Censys, and just type in remote desktop, you'll get a whole bunch of hits. The criminals are doing that too. Right? So they're finding these devices, these RDP devices. And unfortunately, it's fairly trivial to exploit when it comes to RDP. You know, it's not very brute-force resistant. So one of the ways that people try to do better is they put a remote desktop gateway with RD Web, so the web portal, in front of that. And again, it's one of these systems where you can just brute force this thing, full of accounts, come home, and eventually it will give up its secrets. It will give up some accounts, and then they just simply use those and log right back into the company. So we need to start thinking about how we architect this remote access stuff. And I know our listeners have probably seen this or heard this a lot, but really think about protecting these through different layers of protection. 
The idea behind the layers is not only to improve protection, but these layers also provide detection opportunities. Right? And so as criminals are having to circumvent these different layers, they create noise, and that noise is detection opportunities that we can then key on for suspicious events, so that we can hopefully get from detection to very early response, which then really improves your outcomes in the end.

So I'm gonna use an old cybersecurity saying here. We had defense in depth. But, John, it sounds like you're trying to coin detection in depth.

Well, in a sense, yeah. If you think about that. Right? All these different layers have telemetry associated with them. And we also know that there are limitations to, and I've been saying this for twenty years, right, a firewall: if you open a port, it will let that traffic through. So that's a limitation in a sense, if you think of it in terms of the attacker mindset. Right? That's an opportunity and a limitation of the technology. You're letting me in. Okay. Great. But then there are other things you can do around that, by using other technologies and other telemetry to look for, potentially, you know, somebody coming in, but at an hour you're not expecting them to. Right? On a service port that you're not expecting them to. Those kinds of things. Not expecting them at that hour. So, you know, RDP is again another great example of this. Like if you're looking for ways to use the telemetry that RDP is generating, and just logins in general, right, event ID 4625, successful login. Well, okay. If that successful login is happening at 3AM when most of your employees are sleeping and you're not a twenty-four-seven shop, that's probably a detection opportunity.

How have you seen the TTPs of attackers change as the industry has moved along to this need for more detection capabilities? What are they doing to further try and evade that detection? 
Yeah. So one of the things that we're seeing in this report as well, and I'll just bring in one more, which is the Active Adversary Report, because I think the two of them are complementary in the sense that they are talking about what threat actors are doing, is the use of what we call living-off-the-land binaries, LOLBins, right, and specifically the Microsoft tools that are installed on the system by default and are in very many cases required by the operating system to let it function. And what the criminals are doing is they're just increasingly using those tools to their advantage. So instead of bringing in their own tools, and, you know, we still see this. We still see a threat actor will get onto a network and they will go and download a zip file containing a whole bunch of different tools that they will then decompress and then use for their attack. But that again is a detection opportunity. That's potential noise. These tools, if you're not expecting them, but are looking for something like, I don't know, Advanced IP Scanner. Right? It's a network scanning tool that is very frequently abused. If you've got something like application control turned on and then they try to run that, well, that's gonna block it. Hopefully, that's how you've had it set. And so that's a detection opportunity. Right? But if, instead of using that, you go and start doing things like net commands and ipconfig and ping, right, tools that are already present on the system allow you to enumerate the network without raising any suspicions. 
This is one area where I think a lot of the criminals are gravitating to, because it offers them an opportunity to hide in plain sight. They're using the same tools you're using, and therefore, in this sense, it does make detection a lot harder, because now you've gotta determine the difference between the administrators and the users using these legitimate tools and the criminals using these legitimate tools.

That's a really difficult line to walk. To your point, John, just how do you know the difference between a net user add to the admin group when that's in the context of Andrew, who's maybe authorized to do that, versus in the context of, sorry, John, who's maybe not authorized to do that? It seems as well, like, we see huge amounts of data about the spend, you know, the amount of money that the world industry spends on security products. Do you think we need more tools? Is that the problem? Is that the fix to the problem?

I think that's an "it depends" question. Right? For some organizations, there might be some technology that they're not currently using that they might need to add to the existing set of technology that they're using to protect their organizations. And the example I'll give you is something like phishing-resistant multifactor authentication. Maybe for a certain business, the best thing they can do is use, you know, hardware security keys. I'm looking for a YubiKey. I've got them all over the place, but, you know, something like a YubiKey. Right? That might be an opportunity for them to really increase their ability to mitigate against these compromised credentials, these breaches that occur. Where, unfortunately, it might not be that you got breached, but one of your employees was part of a different dataset that got breached, and they're using the same password. 
So now with phishing-resistant multifactor authentication, you can really limit the usefulness of these compromised credentials. So that's an opportunity, or an example where you might wanna introduce more technology to solve a problem. And infostealers were rampant last year. So, you know, tons of detections for information stealers, the kinds of malware where the point of it all is to steal credentials, for most of these infostealers, as well as a whole bunch of other stuff. They'll just kinda ransack your computer for any piece of useful information. But also, you know, you wanna start thinking about the technology you already have: am I using it to its full capability? Am I using all the telemetry that's available to me? So I gave you an example of an event ID 4624 before. I hope I said 4624, because 4625 is an unsuccessful login. Right? So that's another opportunity when you're looking at detection telemetry to go, okay. Well, I just saw 10,000 of these in the last, you know, three minutes, and I have an RD Web server that's hanging out on the Internet. Then I wanna go have a look and see what's happening here. And, unfortunately, what we've seen in a lot of the incident response cases especially that we're looking at is, sometimes the victims are only capturing the successful logins and not the unsuccessful ones, or vice versa. Right? So that's an example of existing technology baked into the Windows platform that you can use in a more intelligent way. And then it doesn't have to be technological either. There can be processes involved with how you handle certain things. Right? So how you deploy applications or how you deploy assets into your network. There are opportunities there potentially, and this addresses something like, you know, business email compromise. 
That's not necessarily a technology problem that needs to be solved. It's more of a process problem. Right? So if ever you get one of these requests that says, hey, we've changed banks and you need to redirect the funds to this other bank account, have another process outside of all that that can verify that that's indeed the case.

That's really useful stuff, John. And I know I'm keeping an eye on the clock. We've had some questions come in. Thanks so much, everybody, for keeping your questions coming in there. Use that Q&A panel. I'm gonna put you on the spot a little bit here, John, because I know you love that. So, we had a question come in from Aaron. I'll rephrase this, Aaron, if you'll forgive me. I think what we've seen, and it seems that we always see this, is the headlines of industries or certain sectors that are under a higher rate of attack. Certainly, in the last few weeks, it's been largely a lot of retail. Why do you think we see those kind of waves of attacks targeting the same types of sectors? I know attribution's hard. Does it tend to be the same threat actor? Does it tend to be just super similar infrastructure and that kind of opportunistic element?

I think it's both of those. So let's take the first one you just mentioned. There's a threat actor out there called CLOP, and they're very prominent in abusing file transfer appliances and a lot of these edge devices that get used by a lot of big companies. We don't know if they do their own research or if they're buying vulnerabilities, but they do tend to find these zero-days in a lot of these appliances. And so they'll go out and just compromise the whole whack of them all at once. And in some of these cases, not only is it the same threat actor, but they also tend to hit the same profile of companies. Right? 
These larger companies that can afford some of these big enterprise devices. So that's one side of the equation. The other side is, there's certain sectors where, and it kind of relates to the first one, if you're using very similar technology, if you're using similar software or services or hardware, whatever the case may be, and somebody finds something in one of those services or whatever that presents an opportunity for cybercriminals, a whole bunch of them are gonna start hammering on that. And so now you've got an entire sector that's under attack. So when we think about the retailers that have been hit lately, I don't know that I've seen a lot of concrete "here's why it happened, here were the root causes of all these attacks," but I wouldn't be surprised if there is something in common. And sometimes it's just the sheer want of destruction with one of these cybercriminals, so we can't forget that. They wanna just be able to cripple a lot of organizations or a lot of sectors that they feel either deserve it, or, as is the case often for things like healthcare and education, where there's gonna be a higher propensity to pay the ransom in case of ransomware because of the service that they provide. So we do often see a lot of education-focused attacks in September, when everybody's going back to school and you need your services, you need your systems online. Right? And, you know, likewise the healthcare side of things, well, they're just a critical service. Right? If I can harm hospital systems, then the idea is that they're gonna be likelier to pay because they don't wanna harm their patients. Right? So there's that extra pressure, where literally life and death could potentially be on the line by attacking some of these organizations.

Fascinating stuff. Thank you, John. 
I'll answer one quick kind of product question that came in. Thank you, Brent. Brent's an MDR customer with a question there. Short answer, yes. Long answer, go talk to your Sophos team. They'll show you how to get those regular reports set up. So that was just a little bit of respite, John, because we just have a couple more minutes, and I would love to take us out on a high. Take us out on what everybody watching today live, and everybody that catches the on-demand replays, can do. What are some things they can start doing right now to really reduce their risk and really improve their posture from the data you've seen in the report?

Sure. I'll answer that question in just a second, because I also saw Brent's question as well around being able to spot, you know, the LOLBins. An interesting little thing that I spotted in the Active Adversary data, for example, is when we look at the IR versus MDR. So we actually split those two types of cases apart. IR being really just, you know, you had an issue and you called us in, versus MDR being an escalation. Right? I didn't see a lot of the tool PsExec. It was in the dataset, but it wasn't as high. And that's because the MDR agent actually blocks that by default. Right? So we know that PsExec gets used by organizations, and you can, you know, exempt it. It's one of those that's just so easy for us to go, you know, most of the time it's cybercriminals that are using that tool. We'll just block it by default and then turn it on on a case-by-case basis. So that's an example there where, hey, you know what? There's some stuff you can just get rid of, and you're probably not gonna feel too much pain. Alright. So to answer your question, the first thing you need to do is you hopefully need to go read the report, because we can't cover everything in detail in a short webcast. 
And there are a lot of different ways in which cybercriminals are attacking these small and medium-sized businesses. And I outlined many of them in that report, with the goal in mind of giving you the data you need to make better defensive decisions. So as you're reading through the report and as you're looking at what is being reported on, you can then start thinking critically, and that's the second thing. Start thinking critically about your own security posture and assess that security posture against what the cybercriminals are doing, what we know they're doing because we caught them in the act in many cases. There are certainly gonna be some areas where you're gonna be able to improve your security, increase your ability to mitigate or recover from an attack, and if you can just, you know, start moving the needle a little bit further down the security maturity spectrum, then you're gonna be able to mitigate against those attacks. So the third thing is you're gonna need to act. So read the report, look at the findings and assess whether there are areas that the criminals are actively engaging in right now, find those areas in your network, and then act on mitigating them. Right? Again, if it means implementing phishing-resistant multifactor authentication, great. If you happen to have RDP hanging out on the Internet, you know, maybe for whatever reason you needed it for the weekend, but it never got turned off, get it off the Internet. Scan your external presence, right, to see if there's anything else that is hanging out that you didn't know about that you can then move behind a VPN or something like that. So that's the last bit, really, is to act on the things that you're seeing. 
And, you know, pick some easy wins, get those wins, and then just by virtue of doing those, you'll definitely increase your security posture. But also, you might have the opportunity to get potentially budget for more when you're talking to the higher-ups who control the money. Right? And say, hey, listen. We were able to implement multifactor authentication, and it actually had a positive impact on our help desk calls. So now we're not taking as many of those. Can we have a bit more budget to do something else? Can we do something around, you know, maybe upgrading our VPNs so that we can add something else? Whatever the case may be. Right? So the whole point of this, my little ramble here, is that getting security right isn't an easy thing to do. It really is a journey without a destination. And if you get lost along the way, ask for help. Right? Because when we work together, we force the criminal to work harder, get noisier, and that, again, creates opportunities for detection. And so what we wanna do is get as many of us as far down that road of security maturity as possible. And, again, if you need help, come see us.

Love it. Quoting some Aerosmith lyrics to take us out, John. Security is a journey, not a destination. Thank you. John Shier, Sophos Field CISO. Thank you so much for joining us. Thank you, everybody, for seeing this session live and on demand. Go read that report and stay secure.