SaRB for SMO's blog pages contain between 3000-4500 words, as a non-subscribers you only have access to 800-1000 words.

(Reading time: 23 - 45 minutes)

SMO Attackers


SaRB for SMOs Action Info

Security Management Group

box 4951482 1280

When it comes to cyber security attacks, who are the attackers likely to attack a Small Organisation? What do they look like, how skilled are they, why do they do what they do? These are just some of the questions that hit the public imagination. But when it comes to attackers of Small Organisations there are many myths and misconceptions which hinder the preparation and response to attacks.

This is edited content from Sarb Sembhi and co-host Nick Ioannou. Also in video and podcast media.



To put the record straight, on the one hand, it may not help knowing who is or has attacked you, because you are too busy dealing with the incident, on the other hand having a little understanding of attackers and attacks enables your Organisation to prepare itself better by utilising threat modelling approaches in your risk management, and cyber threat intelligence. Knowing who wants to attack you and why can help you prepare and protect what they are after, more effectively.

Although we won’t be going into any detail on either Threat Modelling or Risk Management in depth, we will be touching on many overlapping issues.
The one very important point to understand before we get started is that, it isn’t important to understand everything all in one go.

Default sample awareness and knowledge infographic

Myths and Misconceptions about Attackers

The reason why it is important to explore some of the myths and misconceptions is that unless they are clarified, they actually help the attackers to succeed. Understanding them, what they are after, what their motivations are, their skill levels most definitely helps to prepare the controls which help make it harder to the attacker to achieve what they want.

Here are some of the misconceptions:

  • Attackers target all their victims – this is only true in a small number of cases. Most attackers will use automated tools to scan IP addresses, web sites, etc. which in some respects are just like the sort of tools that Google, Microsoft, Amazon, Facebook use to scan the internet. Once these tools find something of interest, they compile the starting point of a target list. This means that the approach to targeting isn’t who, but what. “The what”, is usually down to a vulnerability which hasn’t been patched on a router, a webserver, or a form on a web site, etc. So, the targeting is based on what the technology or tool they are using is able to identify or exploit and certainly not based on “the who owns that technology” which has been identified. Or, another example is where an email list of directors, or key staff in organisations has been purchased, which may be used to send out a phishing or spam message. The next stage for the attacker will be to identify all those who opened the email, so here the targeting is refined by those email addresses which respond. More than often when attackers are targeting very specific individuals or organisations it is often due to the attacker being a nation state, or because the target has hit the news, or because the group of targets have a particular known asset or vulnerability as well as access to resources for payment, or where they may have been paid by a competitor to attack the target.
  • Attackers have morals and ethics – most attacker treat what they do as a job or business, they put in hours and want to put the least effort in to get the maximum return. This together with the fact that they don’t particularly target victims, is why they don’t really care if the target turns out to be a charity, an essential social service, or a small business, or a bigger business. The targeting isn’t based on the victim, but what can be exploited – there are no morals involved in the decision.
  • An attacker is just some spotty kid in a basement, without any parental control – this misconception totally ignores the basics of what organised criminals see as the advantages of cyber crime over traditional crime. Which include the ability to commit crimes all over the world, whilst hiding your location and not necessarily targeting any victim in the country you live in. Some of the ransomware gangs which have become notorious over the last few years have been Russian gangs, where it seems the authorities have a relaxed attitude to them as long as the victims are not Russian and in unfavourable regimes around the world. Cyber attacks have moved on a lot from the days where a few bored kids would spend their time accidently finding and exploiting vulnerabilities for fun. Cyber criminals have been leveraging their resources to create big businesses for years, to the point where cyber crime generates more revenues for criminals than any other traditional major crime category like drugs or prostitution. This aspect of cyber crime attracts far more criminals into attacking than any number of kids in basements – not that there aren’t any, but there aren’t as many as the old movies would have you believe.
  • The attacker will understand that as a Small Organisation we don’t have any disposable income to pay them like big businesses have. Since cyber crime is a business, the rules have changed and continue to do so, and we have already clarified that there are no morals involved. The media has reported on attacks to hospitals where all the hospital victims were running a certain outdated version of Windows, and the attackers demanded a ransom. Further, more recently attackers have changed their tactic to be more aggressive and succeed in their business quest to get paid. In realising that Organisations with good backups were choosing to not pay, and instead to recover systems from the last good backup, led attackers to first understand the data on the compromised systems and then what the regulatory fines would cos, and to exfiltrate the data before demanding a ransom. Using this approach, the attackers now give an ultimatum to pay or have the exfiltrated data released to the public so the victim will end up having to pay a fine which is a much higher amount than the ransom being requested. Understanding the data and the fines has changed the game for criminals, as they are being more persistent in their extortion attempts, regardless of the victim being an individual, a charity, or a Small Organisation.
  • Attackers succeed using highly advanced skills and techniques – research has shown that many attacks rely on old vulnerabilities which have been known for many years. Victims often don’t realise that because many users don’t patch their systems, there are far too many around for attackers to ignore what to them are low hanging fruit. Also, attackers don’t want to have to pay for the latest exploits because there are more than enough old existing vulnerabilities which have been around for a long time on systems which have not applied the security patches. Their logic makes sense; “Why would anyone spend money on a new tool when the ten-year-old one is still able to provide at least the same returns”?
  • Attackers work on their own in isolation – this misconception ignores the criminal underground marketplaces where criminals can enlist the help of other, as well missing the fact that criminals may use innocent money mules to help them clean up their ill-gotten earnings.
  • Another misconception about attacker skills is an assumption that all attackers craft their own tools and exploits. This has not been the case for a long time. Cyber crime is now mainstream in that in the same way there are plenty of vendors which develop carpentry tools, the carpenter just utilises the best tool for the right job. The cyber crime tools are just like the tools we all use on a daily basis – they are point and click, drag and drop, etc. However, in the cyber crime markets, there is a high level of specialisation whereby certain suppliers will make tools available on a profit-sharing basis – rather like the affiliate programmes we are familiar with in business. These tools and business models make it so much easier to have very little expertise and expense to get started in cyber criminal activities.
  • We are only sharing information with our “accountant, lawyer, trusted advisor”, etc. surely we should be secure? There are many cases of messages coming from email addresses which look like they are from a trusted person. But this was not the case and the targeted victim has paid out to the changed account details, which were the result of a compromised email account. Trusted advisors are often a victim group which will be exploited many times over, once they have already been compromised.
  • We have fostered a great level of trust in our staff and will be able to identify any attack. What is often ignored or misconceived is that it is possible for staff to either be tempted to reduce controls intentionally (or unintentionally) or be coerced into doing something that they otherwise would not do. Also, there have been many incidents of insider, where either the member of staff took the role on with the sole purpose of causing harm, or the employee’s perspective towards their employer changed over time, examples include employees consistently overlooked for promotion, or in times of redundancies, etc.

These are just some of the myths and misconceptions which if not dealt with and understood, actually facilitate attacker in some way rather than to help protect the organisation. 

Why Learn about Attackers

We advocate that all organisations should learn about the potential attackers who are likely to attack them so that the security team can use the attackers characteristics to protect the organisation. For small organisations it is not important that they learn anything and everything about attackers, but that they learn enough to understand that their misconceptions are wrong, and what this means for protecting their organisations.

When any organisation attempts to service a particular target market they will only be able to do so successfully if they research it. Attackers will attempt to do the same about their group of victims, and it makes complete sense that Small Organisations should take some time to understand the types of attackers likely to attack them with a view to improving their defences against them.

This is nothing more or less than a risk management approach, if you want to manage the risk of attacks effectively, then you also need to understand the attackers and their motivations to do so. There is no need to understand everything all in one go, but we cover this topic in enough detail which we hope provides the key points to improve defences.
Part of understanding attackers is the threat they pose to your organisation and to try and use that to model the threat in your risk management approach.

Default sample Threat Map infographic

This section of the article is only available for our subscribers. Please click here to subscribe to a subscription plan to view this part of the article.

 Infographic images are copyright of Virtually Informed, and available to registered users for download during the publication week of the blog article together with other downloadable resources, including: all related infographics on this page, example policy templates, posters, screen savers and much more. 

Actions and Activities

Now, on SaRB for SMOs:

  • Help us to help you by completing our short poll on this topic (only available when article is published).
  • Let us know which FAQs you would like us to answer.

Later, in your Organisation:

  • Complete Board level Policy Review
  • Update Policy
  • Present to the Board for Agreement

Finally, if you know anyone who could benefit from the information you have viewed, please invite them to register for SaRB for SMOs and share our resources with them.

Follow-up Resources:

Virtually Informed Resources:

  • Glossary - at the top of this blog article (link to items).
  • Infographics (Downloadable in the week of publication).
  • Download Items - Policy Templates, etc. (Downloadable in the week of publication).
  • FAQ’s (Available soon).
  • Blog articles (link to items )
  • How To articles (links only available to Premium subscribers).
  • Other content (available soon)

External Resources:

  • Ponemon Institute Survey
  • Other Survey information


Images from