Saturday, December 12, 2015

What about the little guy?

We hired a new Business Development Manager yesterday. I'm happy to say that Chuck Nettleship will be starting on Monday morning. Chuck's an old Norwich guy who's been around the block as many times as I have, and has worked not in the same places, but in similar places. So the conversation was fun as hell. And as he asked more questions, wanting to come up to speed before Monday morning, some of the questions made me go back a bit. I've been hearing some of these questions for years, but haven't really seen a good answer. For example, he asked "How is it that in today's information security environment, only the most sophisticated companies have the ability to detect and efficiently react to badness in their environments?" What about the little guy?

The other night, I was at our monthly NH ISC2 meeting. And while some of these meetings (usually not this one) can be dry, ISC2 is normally pretty good. It's a smart group and I enjoy the intellectual tennis. So the other night, one comment caught my attention. According to the guy, Angler was responsible for the delivery of over 90% of the malware being dropped into their systems. And since it's a good group and the comment came from a smart guy at a great company, I'm going to take this at face value and believe it. We wrote in August about it being used for Neutrino, and we know that at the time, Angler made up about 80% of the delivery... but this is the tip of the iceberg.

This week's blog was actually going to be about the evolution of the Angler Exploit Kit. But this morning, I woke up thinking about Chuck's question --the supply chain problem. If this big company is having a problem with Angler, what about the little guy?

We (Wapack Labs) work in APT. We also work in financial crime, fraud when it intersects (which is becoming more and more), intelligence (know the bad guy), counterintelligence (identify and stop the bad guy), counter branding, incident response and more...

Who cares, right? You knew that already. The idea is, this is a COMPLEX new threat landscape. There are about 150 things in the SANS Top 20 that every defender needs to do right, every minute of every day. And if you miss one? WHAM! Hacking today means money to bad guys - big money. It means espionage --stealing your stuff for a country's (or another company's) gain. It means making a handsome living stealing from others and selling it elsewhere.

So, when I talked with Chuck yesterday afternoon, we spoke at length about the idea that big companies can, for the most part, protect themselves --or at least have processes in place that allow efficient response when they do get breached. But what about the supply chain? The picture above shows the supply chain of an airplane. There's a ton of information on the airplane supply chain, but only one level deep... but to take this further... according to, the Boeing 787 has approximately 2.3 million parts, with roughly 30% purchased from overseas suppliers. Again, who cares, right?

At one point, a partnering person at a large manufacturing company told me that in a survey of their 10,000 critical suppliers, ~60% had fewer than 100 employees and half of those had fewer than 25. So let's do some simple math... 6,000 companies had fewer than 100 employees, and 3,000 had fewer than 25. I'd bet a dollar that most of those are small engineering or manufacturing firms, and that none of them have a formal Information Security program strong enough to defend against even basic threats.

So how many of those suppliers --in the airplanes that we line up to board, in the laptop I'm using to write this blog (a depiction of the laptop supply chain is shown above), the chip manufacturers for medical devices, or the computer in the car you drive... how do the little guys who supply the basic components of those products protect themselves from having their lunch eaten or, worse, from having code written into those devices that can be accessed later? And when that happens, who's there to help protect the little guy with a cable box for an internet connection and little more?

We are. This isn't new for us, and our focus is intelligence, but we've partnered with some great companies to do consulting, monitoring, alerting, incident response, and remediation. Our partners --Morphick Security, Kyrus, Alert Logic, D4C Global, Delta Risk, Ezentria and others --offer a range of capabilities that can rival any other. Some focus on the espionage and advanced threats. Others focus on monitoring and alerting and do really well in smaller environments. One focuses exclusively on the under-25 market. They handle the 24x7 monitoring, incident response, or consultations. We handle intel and analysis.

Is this the panacea? No. More like the band-aid... but it's something. We've got one partner who just set up a Passive Vulnerability system in an MSSP configuration for companies under 25 employees. When something bad happens, they respond. When something really bad happens, we get a call.

Need help? Interested in partnering? Drop me (or Chuck) a note.

In the meantime, let's keep moving forward!

For me? Time to put up the Christmas Tree. I'm late.
Have a great weekend!