
A Firewall is a Good Start: Small Business Cyber Threats By the Numbers

June 09, 2022


Dark Cubed’s network of MSP partners has deployed our platform to myriad small business verticals:

  • Finance - small accounting firms, real estate title or settlement companies, local insurance offices, local investment/wealth management firms, real estate offices
  • Legal - small law firms
  • Retail - jewelry chains, casinos, car dealerships, animal feed/farm supply stores, commercial food supply companies, a photography chain, an oil delivery service company
  • Construction/Industrial - a roofing company, trucking companies, a nursery, a local farm, plumbing/AC companies, lawn and tractor dealerships, equipment rental businesses
  • Healthcare - orthodontics offices, general practitioners, a small pharmacy chain, x-ray/MRI diagnostic facilities
  • Manufacturing - machine shops, a specialty chemical manufacturer, printing companies
  • Municipal - small town offices, a housing authority
  • Education - school districts, private schools
  • Religious - churches
  • Misc - tourist visitor’s center, small ski resort, nature preserve

As part of a recent analysis, we looked across our entire end user customer base, comprising small businesses like the ones listed above (among many others), and discovered the following:

  • 96% of all the small businesses in the Dark Cubed customer ecosystem saw at least one threat over the course of the month in which we conducted the study. A threat was defined as a 7, 8, or 9 ranked IP address (note that Dark Cubed scores each IP connecting to the firewall on a scale of 1 to 9, where 9 is the highest threat IP)
  • On average, 757 level-9 threats were seen at the firewall for each small business customer over the course of a single month. This per-month average was taken over the course of a 6-month period
  • The “average” 9-level threat number is misleading, as a few outliers drive that number well beyond what the typical small business will see, so we calculated the median, or the number at which half the small businesses saw a greater number of 9-level threats, and half saw fewer. The median was 38, or slightly more than one 9-level threat per day at the firewalls of the small businesses being protected by Dark Cubed
  • For each of those 9-level threats, on average, there were about 6 interactions observed between the network and the high-risk device, meaning a device that was highly likely the source of malicious activity attempted to connect to the small business network, on average, 6 times
  • Of the level-9 threat connections, in the month of May 2022, 35% of the connections were initiated internally, meaning actions taken by a user on the small business network resulted in a connection to the malicious IP
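The following is an added example, not Dark Cubed's code or data: it computes the same kinds of measures from per-connection firewall records, showing how one outlier pulls the mean away from the median. The record layout, the customer names and the reading of "threat" as a distinct scored IP and "interaction" as one connection are assumptions, and all sample values are constructed.

```python
from collections import defaultdict
from statistics import mean, median

THREAT_MIN = 7   # page: a "threat" is an IP scored 7, 8 or 9
TOP_SCORE = 9

def summarize(records, customers):
    """records: (customer, remote_ip, score, direction) per observed connection.
    direction is "outbound" when a host inside the network initiated it."""
    threat_customers = set()
    l9_ips = defaultdict(set)      # customer -> distinct level-9 IPs
    l9_conns = l9_outbound = 0
    for customer, ip, score, direction in records:
        if score >= THREAT_MIN:
            threat_customers.add(customer)
        if score == TOP_SCORE:
            l9_ips[customer].add(ip)
            l9_conns += 1
            l9_outbound += direction == "outbound"
    per_customer = [len(l9_ips[c]) for c in customers]  # zeros count too
    total_l9 = sum(per_customer)
    return {
        "pct_customers_with_threat": 100 * len(threat_customers) / len(customers),
        "mean_l9": mean(per_customer),
        "median_l9": median(per_customer),
        "interactions_per_l9": l9_conns / total_l9 if total_l9 else 0.0,
        "pct_l9_internal": 100 * l9_outbound / l9_conns if l9_conns else 0.0,
    }

def constructed_sample():
    """Constructed data: four quiet customers and one outlier."""
    customers = ["acct-firm", "law-office", "clinic", "town-hall", "retail-chain"]
    records = [
        ("acct-firm", "192.0.2.10", 9, "inbound"),
        ("acct-firm", "192.0.2.10", 9, "inbound"),
        ("acct-firm", "192.0.2.11", 9, "outbound"),
        ("law-office", "198.51.100.5", 7, "inbound"),
        ("clinic", "198.51.100.9", 9, "outbound"),
        ("clinic", "198.51.100.20", 3, "outbound"),
    ]
    # Outlier: 40 distinct level-9 IPs, one inbound connection each.
    records += [("retail-chain", f"203.0.113.{i}", 9, "inbound") for i in range(1, 41)]
    return records, customers

if __name__ == "__main__":
    for name, value in summarize(*constructed_sample()).items():
        print(f"{name}: {value:.1f}")
```

Customers with no level-9 traffic are passed in explicitly so they count as zeros; leaving them out would inflate both the mean and the median.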

It’s important to note that, with few exceptions, none of these 9-level threats - none of which have any legitimate reason to connect to a small business network - was blocked by the firewall of the small business, even though many of those small businesses subscribed to the firewall manufacturers’ native threat intelligence feed.



If Dark Cubed is scoring an IP a 9, you can feel comfortable concluding that the 9-level device has no business connecting to the network of the small business. It is, however, reasonable to ask “why not?” To answer that question, we’ve provided some examples below of 9-level threats detected recently on the networks of our MSP partners’ clients.

  • An Iranian Telecom company identified for exploiting SQL server vulnerabilities attacking a K-12 school district in the Southeast US
  • A Chinese device associated with brute force attacks (automated attempts to identify weak passwords) also attacking the K-12 school district’s offices
  • A German IP launching a Telnet open port scan and potential SNMP (Simple Network Management Protocol) attack was stopped attempting to connect to an animal hospital in the US
  • A Chinese host scanning for, and then potentially attacking, a web application vulnerability in ThinkPHP, attacking the offices of a specialty pharmacy chain
  • A known phishing site in Germany connecting to the network of a State Regulatory Agency office in the southern US
  • A host - located in the US - associated with brute force SSH attacks (the objective of which is to use the SSH protocol to execute commands on a remote computer) was blocked by Dark Cubed on the network of the offices of a small municipality in the southwest US
  • Servers running Shodan scanning software that catalogs internet-facing devices and software. Shodan data is used primarily by pen testers and hackers to more efficiently identify their targets.
  • Command and control servers for the Mirai botnet, malware that hijacks target devices and uses them in DDoS attacks
  • A command and control server for Redline Stealer malware, which harvests sensitive information from infected machines

A firewall is an essential element of a security architecture for businesses of all sizes, and has been for decades. But, because the threat landscape evolves literally by the hour, firewalls require care and feeding to be effective. Very few organizations, especially small businesses or the MSPs that service them, have the resources to manage the most critical element of the firewall - the blocklist - actively and continuously. As is clear from the data we’ve assembled and presented here, that’s exactly where Dark Cubed’s automated solution comes in.