Adopting Zero Trust
Adopting Zero Trust
Breaking Down the SMB Threat Landscape and The Value of MSPs
0:00
-46:22

Breaking Down the SMB Threat Landscape and The Value of MSPs

Season 3, Episode 9: We chat with SonicWall’s Doug McKee about the top 5 threats targeting SMBs based on recent research.

Catch this episode on YouTubeAppleSpotifyAmazon, or GoogleYou can read the show notes here.

Cybersecurity challenges come in many different flavors regardless of how old your company is or how many employees it houses. Larger companies have to deal with layers upon layers of technology, processes, and the people who support it. Smaller organizations are resource-constrained, often lack the experience or expertise to build a proper program, and typically rely on external support systems.

While larger companies may not be nimble, typically, they employ and understand the value of threat intelligence to hone in on risks that could impact the business. They also have larger targets on their back because they are seen as more valuable targets for data, financial drain, and other nefarious purposes. In the same, smaller organizations may not be as valuable as a direct target, but they can be seen as a doorway into these larger companies. It’s for these reasons that supply chain attacks, even older ones, are among the top threats targeting small businesses and startups.

This week on AZT, we examine the top five threats targeting startups and small businesses and chat with SonicWall’s Executive Director of Threat Research about the WHY behind them. As a researcher and educator through SANS, Doug McKee shares his perspective on why smaller shops need to consider threat intelligence as part of their cybersecurity program and how MSPs can help fulfill that capability.

Top 5 threats to SMBs (According to SonicWall)

  • Log4j (2021) more than 43% of organizations were under attack

  • Fortinet SSL VPN CVE-2018-13379 - 35% of orgs were under attack

  • Heartbleed (2012) - 35% of organizations

  • Atlassian CVE-2021- 26085 - 32 %

  • Vmware CVE-2021 - 21975 - 28% of orgs

The Guest: Douglas McKee

Doug is an experienced information security professional who possesses extensive technical expertise acquired through involvement in application and system security testing, hardware and software vulnerability research, malware analysis, forensics, penetration testing, red team exercises, protocol analysis, application development, and risk mitigation activities. These technical proficiencies are complemented by adept leadership and communication skills, honed through the leadership of teams and projects, collaboration within both large and small teams, and the composition of technical reports for clients.

Doug is recognized for discovering numerous CVEs and regularly speaks at prominent security conferences such as Blackhat, DEFCON, RSA, Hardware.io, and Ekoparty. Additionally, Douglas's research is frequently featured in publications with a wide readership, including Wired, Politico, Bleeping Computer, Security Boulevard, Venture Beat, CSO, Politico Morning eHealth, Tech Republic, and Axios.

Key Takeaways

  • None of these vulnerabilities in SonicWall’s research were found or disclosed between 2022-2024, and yet we’re still dealing with them

  • Old vulnerabilities remain a significant threat

  • The most widespread attacks for SMBs include Heartbleed and Log4j vulnerabilities

  • Many widespread vulnerabilities are supply chain vulnerabilities

  • These vulnerabilities are embedded in multiple products and systems

  • Patching vulnerabilities can be complex and costly

  • Compliance and regulatory standards can complicate the process

  • Attackers are becoming increasingly nuanced in their approaches

The Persistent Threat of Old Vulnerabilities

Despite advancements in cybersecurity, old vulnerabilities continue to pose significant threats, especially to small businesses. McKee explains that some of the most widespread attacks include those utilizing decade-old vulnerabilities such as Heartbleed and Log4j.

McKee emphasized that many widespread vulnerabilities are essentially supply chain vulnerabilities embedded in multiple products and systems, making them difficult to locate and rectify.

"You can group log4j and Heartbleed," said McKee. “I think under the underlying root cause here is they're essentially supply chain vulnerabilities, right? These are underlying libraries. They don't exist in one singular product.”

On top of these being supply chain attacks, McKee highlighted the resource constraints that small businesses typically face increase risk. With fewer resources it’s easier to go longer stretches of time without identifying threats.

“Where is this vulnerability within my infrastructure? What products are using it? You can still come out and hear of someone that found out, Oh, log4j was using this application or this piece of hardware that we didn't know it was used in, six months ago,” said Mckee.

And to put a bow on the situation, what is old often becomes new again. In just our past episode, we chatted with OWASP and MITRE regarding emerging threats, and they reinforced that the most common attack vectors are rehashes from the past. As threat actors and even researchers perfect attacks and find new elements to take advantage of, they often find new life and new victims.

Outrunning Your Peers, a Small Biz Strategy

We’ve heard the concept of making your company so expensive to attack that it’s not worth the effort, and that is certainly one way to reduce risk. In other words, you can just run a bit faster than the next small shop. However, there is more to this story, as small businesses are seen as a trojan horse that allows threat actors to abuse the supply chain and get in with larger targets.

Small businesses can unintentionally serve as gateways for cyber attackers to access larger organizations. Due to their typically lower security measures and defenses, attackers see small businesses as easy targets. Once they successfully infiltrate these smaller businesses, they can misuse the established trust and business relationships to gain entry into larger, more secure companies.

For instance, a small business might have a trusted relationship with a larger company, which gives them certain privileges, such as access to certain parts of the larger company's network. Cyber attackers can exploit these privileges to bypass the larger company's security measures. This strategy is often referred to as a supply chain attack, as the attacker is targeting the larger company through its supply chain.

One prevention strategy for small businesses is to ensure they have robust cybersecurity measures in place. This not only protects their own data and systems but also makes them less attractive as a gateway for attacking larger businesses.

Another strategy for small businesses is to focus on outrunning their peers in terms of cybersecurity. This doesn't necessarily mean they need to have the most advanced security measures in place. Instead, it means implementing adequate defenses that make attacking their business more trouble than it's worth, causing cyber attackers to look elsewhere for easier targets. By maintaining a strong cybersecurity posture, small businesses can protect themselves while simultaneously safeguarding their business partners.

Show Transcript

This transcript was automatically created and is undoubtedly filled with typos. As usual, we blame the machines for any errors.

Elliot: Hello and welcome back to Adopting Zero Trust or AZT. I am your producer, Elliot Volkman, alongside your host, Mr. Neil Dennis. And today we are going to be looking at some fresh or some more recent research that will absolutely be impactful to any organization who either supports SMBs is an SMB or startup and maybe a little bit in between as well.

So before we really get into the meat of it and the information in that research, Douglas, maybe, or sorry, let's go with Doug a little more casual as is the nature of our, our series. Doug McKee is over at SonicWall and he is an executive director of threat research. Doug which, you know, if you're familiar with our show, Mr.

Neil Dennis has a little bit of background there which as you also know, he likes to pull us down a few different rabbit holes. So I suspect we will talk about research, but hopefully we'll get some other interesting conversations in the mix as well. With all that said, Doug, maybe you can give us a little bit of background about yourself, how you got into threat intel and threat research and then we'll dig into the actual research that you have for us today.

Doug Mckee: Yeah, absolutely. Thanks Elliot for inviting to be on the show. And it's great to be able to talk about research with you all here today. So I've, I've been in a cybersecurity space somewhere in the neighborhood of, of 15 years. I've been doing a little bit of everything. I've got a pretty broad background, Jack of all trades mostly in the offensive security space.

Did a lot of red teaming, pen testing, vulnerability research. I've done malware analysis, breach analysis, all that type of fun stuff and kind of settled in the the VR and exploitation space over the last several years. I'm also a lead author and instructor for SANS. I authored their security 568 class, which is combating supply chain attacks using product security testing.

So that's obviously a passion of mine as well. But yeah, that's, that's a little bit about me right now.

Elliot: Very cool. So I, I don't want to like ruin this and just list off here are these top five threats that are really impacting us and bees, but I do want to plant this seed before we can run into it, which I found was really interesting is today in 2024. There are these top five or so threats that y'all and your research has identified.

What really stood out is that these aren't things that have just appeared in the last year or two years. Some of them stretched back to 2021 or actually one of these stretched back to 2012. So it's a little concerning that threats from that far back are still some of the biggest risks and challenges that an organization has to consider.

As far as, you know, Securing your cyber security posture and whatnot. So maybe we can kind of jump into that. Can you give us a little bit of a high level of your findings and, you know, what we're about to discuss and some of the top threats currently targeting startups?

Doug Mckee: Yeah, absolutely. So the, the data comes from our, our IPS or internet for you. Wow. Prevention system, intrusion prevention systems. Can't talk today. Great for a podcast. So we get we get telemetry back from these devices, right? And they, they tell us a little bit about what attackers are attempting against SMBs and, and.

All types of businesses are, obviously all data has biases, right? So our, our customer base is where we're getting this data. And our customer base is very high percentage, somewhere in the 90th percentile, small businesses, right? That's why we've labeled it against small businesses for these threats. And what we're finding is that a large amount of the attacks that we're preventing through, through our signature database are, are really old attacks well, and so this data is from 2022 tilted.

Till the end of March today would be a slightly overstretched, right? And we're still seeing things like log for J being the majority of attempts attackers are using against against our organizations. We're still seeing things like heart bleed as well, which is the one that you mentioned all the way back from I think it's 2012 if I'm, if I'm not mistaken, right?

That. It's lingering around also attacks with Fortinet SSL VPN vulnerabilities from 2018 Atlassian makes the list with a 2021 vulnerability. And then VMware also makes the list in the top five also from 2021. So we can talk a lot and speculate about why this is being the case. If, if you want to move in that direction, but I think for the, for the most part there's something to do with, Time, and what these vulnerabilities are actually, actually in.

Elliot: Yeah, we are absolutely going to jump into that. And I would just want to throw in a couple additional numbers that y'all had sent our way, which is just to show the impact necessarily, but log 4j, you all see about 43 percent of organizations were under attack associated with that. For Fortinet SSL VPN issue.

And I will not read off the CVE 35 percent Heartbleed, 35 percent Elastian's CVE that you already discussed was 32 percent and VMware CVEs was 28%. So those are. Pretty big numbers. You know, obviously long for days. It's almost like half of your customers. I mean, not half, but you know, that, that is a large portion of people impact by that.

And Neil, I know has definitely had conversations about that. It basically hit everybody overnight, but if it happened years ago at this point, Maybe that is our jumping off point. Why are we still seeing that our organization's not prioritized solving it. They not feel like they have the solutions to solve against these issues.

Yeah. Let's let's pivot over towards that direction.

Doug Mckee: I think there's, you can actually group two of these. You can group log4j and Heartbleed and talk about them together to answer that question. I think under the underlying root cause here is they're essentially supply chain vulnerabilities, right? These are underlying libraries. They don't exist in one singular product.

And that means that vulnerability is literally all over the place. And one of the challenges with that, then for our organizations, especially small businesses who may be under resources, simply identification. Where is this vulnerability within my infrastructure? What products are using it? You can still come out and hear of someone that found out, Oh, log4j was using this application or this piece of hardware that we didn't know it was used in, six months ago.

And so that makes it a very valuable vulnerabilities for attackers to continue to leverage. On top of the fact that, and this kind of applies to all five of them, the more time that a vulnerability or a threat exists, the more research that can go into it, right? And so what happens is attackers and actually even the good guys, like researchers put more time into understanding how that attack can be perfected.

And when you combine that again with the supply chain space, It only takes one more application. They're more widespread. And attackers can get a real big bang for their buck there. So I think, at least talking about those two to kick it off with, that's a large portion of why you're seeing organizations being sprayed with those attacks.

Elliot: Interesting. So Neil, before I give you your host hat, maybe we pull that off and being the threat Intel guy. Do you feel like that perspective jazz with you? Does that make sense? Like these attacks are still evolving. We're finding out more information. What's your perspective on that? Silence.

Neal Dennis: the scope and scale of those. And since we're talking SMB to Doug's point, I guarantee I could go to town right now and look at, pretty much every small business here that has anything beyond just a payment system. And I'm going to find something.

I don't care who their MSSP is. I don't care who, how they've set up. One of these is going to show up if they have a tech debt reprise for it. But I think the other part of the problem is. When we first have these issues like log forage and the rest, we may not necessarily have the actual fix directly for that the day it comes out or the day we're made aware of it.

Most of the time we are, I think log forage before they published size that I think they had the initial fix and heartbly just came out of nowhere, disclosed, open before we had a fix. But that being said, the fix is sometimes AWS going, now we put something on the, on the Endpoint devices or, or further out maybe in the actual DMZ to say, Nope, we'll modify it and notify you if someone makes an effort, but you don't actually fix it.

You just put a stop gap and then you forget about it. And I think that's the other part of the issue is those stop gaps eventually disappear when you change service providers and you still have those exploits open in your solutions somewhere. So yeah obviously they're using them. They wouldn't keep putting them in their payloads if they weren't effective.

And then to the last point on Doug's side, The longer it's out, the more nuanced we can get with avoiding whatever those limitations are, even the patches to some extent, because once again, back to log forger, at least maybe not log forge, but some of the VM stuff. Some of those patches sometimes are, Hey, put this signature in our solution and you're good.

All right. We're going to evade that signature in a couple of weeks. Once we figure out what it actually is. Cause you're not fixing once again, the actual issue. You're just trying to put something in between it and the real issue. So a lot of vendors have lovely ways of doing that instead of fixing, right?

Yeah. I think it's a hundred percent.

Elliot: Okay, so

Doug Mckee: I think, as we continue to think about if you talk about MSSPs, changing and just companies switching out with their protections and not fixing the root cause. I think another thing we can talk about in that realm is just, patching struggles when it comes to compliance and regulatory organization.

I think that's another reason why these things are such a big win. So yeah, they're older vulnerabilities, but go to a healthcare provider and tell them that the only way to fix that vulnerability is to spend millions of dollars switching out device X. And all of a sudden the, their desire to do that drops incredibly.

And then of course you have things like HIPAA and all other kinds of regulations that have to re go through their process just to fix this vulnerability. So I also think it's important to give. To highlight the struggle of some, some in some sectors, like it's a really hard thing to accomplish and it's not always the end organization's fault, right?

They're at the mercy of some of these other vendors. And that also means again, that attackers are going to find success in using these things. I have a I used to do a lot of penetration testing for healthcare systems, which is why you end up, you end up hearing a lot of my side stories end up being in healthcare.

But it wasn't that many years ago that I was doing a test and I ran into a windows XP machine. This is long after windows XP was end of life, and when asking the question to the organization, why am I able to. Compromise this XP machine and own half your network. It was like we can't switch out that, hugely expensive piece of equipment because it affects our medical care and we, we don't, where does, where does it meet, medical care in that space?

So I just think that's like an initial layer on why do we still have these age old vulnerabilities? That are effective

Neal Dennis: Yeah. I think that's the other fun part. So back on the. IT, OT chain of things, and healthcare, ID, all the other fun stuff that goes in all that stuff. Availability versus uptime, IT wants to take stuff down so it stays up when it comes back, and OT world needs to stay up so they make money and nobody yells at them.

That's two counterintuitive process flows for people trying to secure a network. And you're right, stuff like this lives down in the weeds. And I'll say this, I guarantee everyone listening, No matter what tool you're using, whether it's what we're using to record today, or whether it's your Gmail or something, even smaller tool stack, I guarantee you there are vulnerabilities in it that that company is aware of, or they put mitigations in front of them to monitor for those because they don't have the right way to patch it, to make it go forward.

And I, whether it's enterprise tech stack or open source tech stack, those exist. It's what happens when they start pushing additional updates around that to maintain the monitoring when those doors start to open back again. And that, that's the fun part of the story, both as a product producer and provider, as well as a consumer.

They're there. They may tell you they're fixed, but what they really mean most of the time is now, we're just making sure nobody can take advantage of it while we figure out how to fix it. And then they forget about it a year later

Elliot: And we'll

Neal Dennis: floodgates are open again.

Elliot: we'll

Doug Mckee: because sometimes it comes down to a cost thing too, especially if we start talking about hardware devices, to remove a vulnerability could be a slight rearchitecture. Then how do you handle that rearchitecture if you're the vendor and then pushing an update for that? As you, as you said, they put some type of mitigating factor in place of it.

I saw one vulnerability not that long ago where the solution was it was unauthenticated. Now it's authenticated. And that was their solution, which yes, adds a layer of protection, but. Doesn't fix, doesn't fix the issue.

Neal Dennis: Yeah, that's always the fun one. We were Slight tangent, but the one that we just, the gentleman we just interviewed, he's a vulnerability risk management guy and patch Tuesdays, this and all that fun stuff. And same thing. Yeah, I think it's hilarious. Cause he said basically the same deal. Like it's still a vulnerability.

You just changed how we access it just a little bit to provide maybe a small monitoring aspect, but I can still get around it and take advantage of it. So thank you for not actually fixing the problem. So I'm, I am curious if Ellie wants me to be curious at the moment

Elliot: I'm not going to hold you back. Come on now.

Neal Dennis: no,

Elliot: the research. Now it's free range.

Neal Dennis: I, some of the questions and asks that you had in here, some of the things in the list that you're happy to speak to him. I am, I got some curiosity questions around, but when we think about y'all as a tech sack and what y'all are doing, what you do to look at this data what's some of the key things, like what's some of the.

The ways that you've approached this data stack to come up with your findings would be a good question. I'm an Intel guy, so I like to understand people's actual methodologies. And it's politely spelled out in here that you would do that with us, so I'm very curious about your methodology. No, what's your approach and what's your intent, from your overall methodology for that type, for this research?

Doug Mckee: So we obviously we get tons of data back from all of our, all of our products and all of our sensors. And, and oftentimes it's, I run the I run the IPS content team. We, we produce signatures on a daily basis for, for all these threats that, that we're talking about. And we're constantly rinsing, repeating and saying like, how do we make our signatures better?

Like what, what, or what should we be focusing on for, for small businesses specifically. And so when I'm reviewing the telemetry data oftentimes we look at what are the signatures with the highest hits, like what is, what is people getting slammed with today? How can we make those signatures more generic?

And I, I simply just took a step back and was like, all right let's look at how, what widespread these attacks are instead. Because if I want to focus on something to improve, improve signature base, I want to help as many people as possible. I don't want to just help one organization, whether it's one small customer or one big customer, I want to try to help all of them.

So the methodology was here to just start tweaking the way we, we approach it and say, what's affecting most of our organizations. It's. And so that's how we got to, Oh, these are the top five most widespread attacks. And what's interesting too, is there's like a huge cliff. So the reason I published the top five is I think after we get off of here, we go from 28 percent down to like single digits, as far as not, not, not again, not quantity of attacks, but widespread attacks. And in fact, there's some, there's some vulnerabilities out there that have a much higher quantity attack today, but they're only hitting a few organizations. They're more targeted. And so it's what is, what is affecting most of our customers?

And that's where this, this came from. That was the backend methodology is how can we improve what we're looking at from widespread? And what's it's, it's really interesting to look at that. These are the, the older ones. And so I think some of the methodologies going forward is anything like supply chain related is going to get a lot more attention to, because it's being hit a wider group of, of people, things we can speculate on.

Why is Fortinet, Elastian and VMware on the top of the list? Looking at this data and it goes completely speculatory, but some things to think about is Fortnite's an edge edge device, right? Attackers get a hold of one of the largest vendors. Cisco is obviously in that ballpark as well.

But if you get a hold of edge devices, that's game over for a lot of attackers because internal defenses versus external offenses. They don't have to fish, right? You've got that. Got that as a possibility. VMware infrastructure, kind of like Fortinet cloud computing, a lot of VMware infrastructure there.

So again, the overall theme being biggest bang for your buck type thing from attackers. And then I think Atlassian is the most interest one, interesting one personally. And that, and that has to do with, in my opinion, stealing data. Probably one of the largest providers for things like, wiki and project management and task in those, those areas.

What can we either ransom back to you or what can we sell on the black market? Or what can we use to pivot a lot of that stuff's posted in those technologies. So it's a long winded answer, but I think ultimately trying to protect as many people as possible.

Neal Dennis: Oh, I think that's cool. It makes sense. So I've got a slight stub question on Atlassian stuff. Or at least an anecdote from my side that might turn into a question. The

Elliot: the reason I'm

Neal Dennis: one of the supply chain risks that I saw play out a while back, someone just like with GitHub, they were trying to get access to someone's JIRA setup so they could change

Elliot: a right

Neal Dennis: code base and sprints as it was being shared directly in Atlassian and Confluence pages.

Wow. So they were trying to get in so they could corrupt like with solar wind style, corrupt the source code or some part of the code as the engineering team was doing their thing. But my curiosity question is, so you mentioned, ransomware and extortion, stuff like that. So as y'all are doing this research, are you, are you able to, or are you intending to look at who the threat actors are that are going forward with this to see what those exploit packages might lead to as well?

Is that part of that, that overall effort?

Doug Mckee: So there's, We gathered David differently for, for different products. So in this specific effort, the reason, I'm, I'm specific about network attacks, and widespread is I'm specifically looking at like IPS network traffic data. As far as attribution and, and who Where are these attacks are coming from?

A lot of that comes from actually some of our sandboxing technology where we can actually deeply analyze a lot of the malware that we get that come through that come through the firewall boxes. So that's a different area and they don't always necessarily match up 1 to 1 as I'm sure. I'm sure you understand.

I guess the short answer is yes, we're doing that. But. we have yet to be able to dive into it with this specific information as far as where the log for J attacks currently coming from. I don't have that information

Neal Dennis: it's all good. No, no, it's just a curiosity question. Like I said, as an Intel analyst, act as a government trade Intel analyst, I should say, because there's a difference in the scheme of things. You've got two sides of the fence. The one where attribution is king and one where who gives a pants. Let's just continue to block stuff.

And so that's why I asked the question, maybe over a different colon of beer, I'll ask you where you sit on that fence. So I can either agree or, or tell you you're very, very wrong. So that, no, that, that's still, that's good insights. I think from an iteration though, knowing that y'all as a company, one, you're looking at the threats, be y'all have a larger teaming capability that will, attempt to look at to some layer of attribution or some layer of intent.

Thinking down a little bit more on this want to get back on the MSP side of the house a little bit, because from a supply chain perspective as a whole, obviously SMBs, I don't remember what the latest numbers are, because it always goes back and forth every couple of years.

One year, we're looking at three quarters of the SMBs are all using an MSP of some sort, and then you flip it around and suddenly they all want to go spend a million dollars to start their own thing. And now we're down to 60 percent or something. I don't know. But from an MSP engagement perspective, what, what's some of the insights or ideas to maybe push your MSP to help you do these things or maintain this or better yet secondary question, if you decide to change a service provider.

What are some of the things you might suggest to carry forward with that around these types of supply chain risks and concerns that they might need to take with them?

Doug Mckee: So I think there's, there's multiple ways in which MSPs can, can help with the, with, with this issue. I think that boils down to two main things. I think we can talk about resource constraints and we can talk about complexity, right?

So we've talked about startups briefly earlier in the conversation, and you can have these startups that are like. One day there's three to 10 people. And all of a sudden, like two to three weeks later, they're, they're a hundred or even more, a larger startup because they're all of a sudden they're being successful, their product selling, et cetera, et cetera.

And they move from this, this category of trying to work out of their, their Ma's garage and to, to something where they, Oh, we actually need like security, like we need to think about these things and it's really easy to all of a sudden get this like concept of shadow it. I'm sure that's a term you guys have heard before and you don't know, What you don't know.

And so MSPs coming back to the question here, MSPs can come in and really help provide the resources required to understand the complexity of your network, where you may have deficiencies, and then make suggestions without the need for hiring a dedicated security team. Training them up, spinning them up on a regular basis.

So I think that's definitely one where they can help automated patching. A lot of MSPs have that down to the science because they do that for a large customer base and they can probably implement something or they can implement something for you a lot quicker than if you were able to, again, try to try to do this yourself.

Yeah. I think there's a couple of things we can talk about. If I was interviewing an MSP, for example, or trying to figure out if I want to switch or not. And, and one thing I would consider is. What is that MSP doing specifically for your organization? That's not necessarily cookie cutter for every organization, right?

Are they taking the time to realize that, if, if let's say you're in a different industry let's say that you're in finance, are they applying the same rules that they're applying to the medical industry? Are they applying the same rules that they're applying to the tech industry and their methodologies and the way they approach things?

Cause at the end of the day, what production comes down to often is prioritization. And you have to have a intake of threat intelligence for where you're sitting at in the organization, like the list that we're talking about here, the top five, most widespread attacks, not to everybody in the world, but to small businesses, that's going to exist differently when you're trying to protect, not that you would do this, but if.

For Microsoft, right? If you were, if Microsoft was interviewing MSPs and I, as I said, not that they would do that, but that's going to be very different than if it's, some small company that only has 200 people and is in a completely different industry. So I think how, how you go about prioritization and customization when it comes to threat intelligence, which is driving how you act.

Do you have threat intelligence or what, what is your threat intelligence intake? And how is it related to, to, again, my organization, are you an MSP that specializes in preventing windows attacks? And I'm an Apple shop, right? What experience do you have in Apple? So it seems simple, but those are the things that are really going to matter further down the road.

And I'll give, I'll give you one more, and this is, this is. This can fall in or outside the MSP space. You could sometimes consider more consulting if you will, do you have the expertise on your staff to do things, to leverage skills like product security testing? Because when we talk about threats like log4j and heart bleed, and we, we already mentioned the hardest, Problem is identification, right?

How do I know if I have it? The best way to know that you have it is someone that can break down the products in your company and tell you what is being used from a library perspective. And that comes from techniques like product security testing. So if those are, that's an advanced question to ask MSP, do you offer those types of services or can you help me with that?

So I don't have to be trying to do it on my own.

No, of course

it's a very rude world. Yeah.

I also think in that line of thinking, it's also important to realize that Attackers don't only go after the Microsoft's right. They go after the cog makers because often using your terminology, oftentimes, because they know that they don't have the resources necessarily. And if they get the cog makers, then they can maybe get into Hyundai or the next level up because you might be doing business with them.

And they're, Yeah. Sometimes that means that you're actually more of a target because you can be used as a Trojan horse other places. If we look at like breaches, like the Home Depot breach back in the day, or the casino that was hacked in 2017 by the internet connected fish tank, right?

Just because you're not the, the one, the big fish in the market, no pun intended, like you may, you may actually be the vehicle that's being used. So absolutely you need to leverage as many resources as you can. I like to joke all the time. Attackers are lazy. They're no different than me and you, right?

They don't want to do the hard, hard way. And I think that's ultimately what with these widespread attacks. They don't want to, find a custom zero day or, or leverage something like ridiculously windows vulnerability that requires, ROP chains and exploit mitigations and the pipe bypass CFG and all that fun stuff.

They want to run a script. that runs log4j that gets you into their network, or they want to send a fish. So they're going to find the avenues that, that, that works for them. Especially if, we see these numbers, if again, there's 43 percent of organizations are being hit by log4j.

You have to argue that attackers must be having success with it at a pretty large rate.

Also sometimes depending on who you are, if it doesn't work, they'll move on to a different target. Like sometimes you just have to be able to run faster than the guy behind you. Think it's worth highlighting that too, that there's such a huge value in making sure that you're protected against, like it's worth time and investment because the ones that these are working with are going to be the victims.

Yeah.

I think something that's actually not written here that is also interesting on the same vein is after back in October. The predictions are a big thing in cybersecurity, right? They're like, Hey, what, what's, what's going to happen in 2024. And I just started to look at some of this data. I didn't have it all pulled together yet.

And I noticed that there was a trend with log for J specifically. And the trend was that it was upward facing. Like we were seeing, starting to see more and more attacks on log4j. And so I had made the prediction that, in 2024, it's going to continue to go up now. Obviously we haven't seen all of 2024 yet, but so far, when I looked at this in March to, to start putting together, okay, last two years, what, what are we seeing?

It was higher than it was in October. So I think. To your point, we need to change the direction a little bit, right? And how do we do that is we have to bring awareness to what the issues are. So that way we can force them to take a step back and, and come up with a new tactic.

Yeah, I think it's a really hard problem, right? Like at the end of the day, like, how do you know what to ignore and how do you know what to listen to? The concept of prioritization is key, especially for CISOs, right? Like it's, it's their job to basically say, this is the risk that's most important for us to tackle.

This is the risk we're going to accept. That's a whole nother conversation we can talk about later about risk acceptance. So how, how do we approach this as. As businesses. And I think, or at least as small businesses, one of the first thing I would say is my, my prioritization for small businesses is you can't know what to protect against if you don't know what you have.

Period. End of discussion. So if you don't have a good understanding of what's on your network, like in, in where it's being used and all that fun stuff, then it doesn't matter what the headlines are because you don't know how to properly implement the protections because you don't know what to ignore and you don't know what to listen to.

So to me, that's the first big piece of the puzzle where I think a lot of. S and B's get caught up in the what was the headline I saw the other day? Quantum computing is going to make RSA obsolete or something to that effect. Yeah, let that be tomorrow's problem, right? Today's problem is, and what we're showing here with this little bit of research is you need to sure up the old stuff first, which means I have to know if the old stuff exists on my network.

A silly answer to your question is where do I get my prioritization from, from my, from myself in internally, right? I need to get my prioritization from my if you will, my internal S S bomb. What, what are, what am I using? And then on, on top of that, then you want to take into, there's tons of factors that can go into prioritization once you have that.

But I would argue you want to stick with first, what is your mission critical functions? Those need to be prioritized as far as protection goes, not suggesting that. Yes, I know we can sit here and say that it doesn't have to be mission critical and attackers can get into your network using it, and then they can compromise other things, again, different discussion.

But if I'm talking about prioritization, I want to make sure that I'm sharing up my mission, critical stuff first, because they affect my bottom line. And also having the mentality of not, if I'm going to get compromised. When I get compromised. And thinking that I'm already compromised. Like if, if, if we can shift the mindset to that and not have a organization saying, Oh, I've got production X, Y, Z.

So they're not going to get me. That's a very old or antiquated methodology. So when you're talking about prioritization, prioritize what you have. Prioritize how you're thinking about your security. In other words, saying, think, consider yourself already compromised. Did I protect my mission critical assets or make it extremely difficult for those to be the ones that have given access to and then leverage threat intelligence and different tools that are able to provide you stuff specific for your industry.

Absolutely. And, and in my, in the SANS class that, that I teach, we, we use this phrase called think red, act blue, and it talks about this methodology of, we have to always be thinking about from an attacker's mindset. And then what separates us apart is, what we do with that action.

So to your point, whether it's an intern, or whether you can hire an MSP or an MSSP to, to help you with bringing in that mindset, like that's, that's what you need to, Prioritize when we're talking about of a protection standpoint, because if you don't know, you don't know.

Absolutely. I'm always, always happy to pitch pitch the SANS class. I obviously I'm biased. I think it's a fantastic class. It's security five 68. So that's combating supply, combating supply chain attacks using product security, testing, and security. Two things we talked about today on the podcast, right?

Product security testing and supply chain attacks. And it's very fundamental in the concept of knowing what you have, but not just knowing what you have and trusting what the vendor provides you. But we, we do two things in that class. One, we provide you a repeatable methodology, step by step process on how to do that product security testing.

I challenge you to go Google product security testing and find something like that, that didn't come from my class. Right there. Before we wrote this class last year, there's no one could tell you how to do product security testing. We actually have a free poster. You can go download if you, if you Google San security five 68 and you do Google poster, it'll come right up and you can grab the methodology poster that we provide in that class.

And again, it's going to show you the repeatable methodology on, on how to do product security testing. Of course, It's a, it's a five day class. So we dive into that pretty extensively during the class more than you're going to get on the poster. But I think that really is key is in understanding what you what you have on your network.

One of my favorite things we do is we even talk about how to break down proprietary protocols. When you were mentioning, medical industry, financial industry, OT earlier. Again, you don't know what you don't know when you've got these network packets going across your network and you have no idea how to parse them.

How do you protect yourself? You figure out what they're doing. And so that's one of the things that we talk about on a deeper technical level in that class.

Yeah, absolutely.

Yeah, absolutely. Our, our everyday focus is, is SMBs and and we have an MSP service that we offer to a recent acquisition solution, granite, and if, if you, if you're looking for an MSP to help you with this highly, we are specializing in small businesses and so we're looking at the threats on, on a regular basis to, to that industry and providing that intelligence and then leveraging that through through our MSP.

Highly definitely. Specialized for that area.

Absolutely. I, so someone's got to pick up the phone, right?

I thank you so much for having us. It was great to have a chat with y'all for a little while and happy to do it again. Anytime.

Elliot: That

was weird. Yeah, we are. It's all right. Magic editing and whatnot.

Yeah, sorry.

Welcome, welcome, welcome.

So we're going to take a look at the the the the the the You

And then I have a copy of the document.

I'd like to introduce the president of the United States, and our great friend, the President of the United States.

Okay.

We're going to go ahead and get started.

I'm going to go through the code for this one, and then I'm going to give you the code

Here, on the left is the The same thing that you would see on the web page.

And and I would say that we we have we're we're You

I don't know if I've ever asked for it. I'll just say,

What are you talking about? No. I got nothing.

I do so little work talking is the worst. So I much rather do what I do. I, I do have a question though. It might tee off a conversation that I've got going on at RSA with OWASP and MITRE. So this will be a good jumping off point, or it might be follow up, whichever order we publishes. This research focuses on SMBs and startups.

I'm curious since these are like the top five. How would an organization, a startup or an SMB be able to identify if these are things that they should prioritize. If you look at, whatever articles that you read, the headlines, This ransomware is hitting us. These phishing attacks are hitting us.

How do you differentiate between all of the things that you see spread everywhere, a little bit of excess media hype versus what an organization of a certain size in a certain industry should do. And this also blends right back over to threat intelligence. Figured I'd throw that one out there.

Okay. very much.

Okay. very much.

Yeah. Depending on the time of day, a tornado will be possible. In the worst cases, it's possible for a tornado to pass by you. The tornadoes can't pass by you. The tornadoes can pass by you. And there's a high chance you'll be hit by a tornado. If you have a tornado, you're going to be hit by a tornado. And if you're hit by a tornado, you're going to be hit by a tornado.

So you should be careful. And your safety is guaranteed. I'll see you next time.

Okay. Okay. Okay. Okay.

Yeah. Okay.

Okay.

Let's take it out for clarification. This was not a paid advertisement. Neil is just very nice. So just, just putting that out there. Otherwise we're generally vendor neutral and how that all works. But Doug, thank you so much for being here, sharing your expertise and your insight and that research with us.

I think anywhere that we can help elevate information and identify areas of prioritization, even though as you, Clearly stated that information needs to come from within. I think it's super important for us to be able to do that. So Neil and I are always very happy to identify that kind of research, build a platform, and that is essentially what we've done outside of just rambling and terrorizing other marketing people.

That that's what we're here for. So Doug, thank you so much for coming on and sharing that expertise. We really appreciate it.

Neal Dennis: Can you hear me? I can't. Elliot needs to refresh.

Oh, there he goes. That's funny. Talking about mom and pops. Then there goes Riverside. They heard us talking about them. They didn't like it. That's all good. Yeah. Oh yeah. We got you. And I think we're still recording.

Yeah. Lost you somewhere around mom and pop.

So I think as we, as we dive down into the MSP bucket here, a few I, I've definitely lived the startup life going from five person to more a couple of times now, and you go from having nothing on your box managed wise to all of a sudden you wake up the next day and there's automatic reboots and updates on what would we do here?

But patch management. So back on that. So if we think about MSPs as the variations of service, some of them have after hours, 24, seven, whatever, sock rolls, whatever. But I think that's a really good niche thought that people don't take into account is you can hire an MSP to be your IT administrator.

They don't have to necessarily be your security from the SOC perspective, if that's not what you're looking for. But you can hire someone to bring that wealth of experience to help you with the patch management exclusively or in the vulnerability management aspects. And, there's definitely some companies out there that that's what they specialize in is, Hey, let us come in once a month and break everybody's stuff for you and they'll be mad at us and not you.

Or every two days when Chrome decides to update and you have to refresh all your fricking tabs. Thinking on that, what, do you have any thoughts on, on like maybe transitioning? Let's say if you're questioning your service providers on what they've done, are there any things related to these vulnerabilities or, or constructs around vulnerability management that someone should ask their current provider.

So when they go to a new provider, or if they're appealing back away from the provider, other than just, I know my obligatory question is how the heck did you do that? And thank you. But, but do you think there's any additional insights around transition period and all that other fun stuff to.

Maybe have a list like this to go, Hey, what did you do? And is this still relevant today? Or do I need to take some other mitigations moving forward?

And I want to be clear. The reason why I keep harassing you about various weird things like this is because as someone who focuses on SMBs, obviously like you're doing, a lot of people have questions like this around these type things. So it's good to get perspective on what they should be thinking to ask and how they should be managing.

On that same vein, back on SMB slash supply chain a little bit more, you hinted at, bill of materials a little bit and having someone that may help you discover that. So I want to iterate on the bill of materials piece a little bit and the S bombs and all the other stuff that we have to put up with the fan who we're servicing, but.

As, as good as it is to obviously have self discovery and you need that, that is a exceedingly needed skillset to be able to have, whether you pay for it extra, or you have it intrinsic to your, your security team. And then the other part of that is back on the S bomb side of the house, depending on how big of a company you are and what you're doing to support what your company is doing back on healthcare versus finance, versus someone who's just.

Cogs for a car that nobody cares about. If you're an SMB supporting a very large provider somewhere, or if you're a cog in a much larger supply chain for a big, big entity, and one or two echelons down, I think the other thing people could think of is soliciting who it is that they're providing resources for.

So if I'm making a cog for Honda, Honda or Hyundai, Hyundai, one of the H whatever's. Or Ford versus making a cog for someone who's just trying to make a new EV in their garage. And that's it. I might be able to go to Honda and be like, Hey, I'm one of your primary suppliers. Help me figure out what's going on in my system or help me figure out, what's critical for me to keep you going and then use that from a priorities perspective.

So I think SMBs, we focus a lot on them because they have their own buckets of problems. And I think an SMB as well should also think of trying to solicit who it is up chain from them that has the billions of dollars to maybe help them maintain some kind of awareness and what they should focus on. And then maybe take that back to someone like you and whoever else as well and say, Hey, from a supply chain perspective or from a product perspective, here are the things that we actually care about.

It's a weird world. It's a different set of rules. Back to your point, Microsoft versus the cog maker. Microsoft is going to get whatever the heck they ask for. And they're going to be able to,

yeah, yeah, yeah, that's exactly it. We're not going to spend time burning cycles against stuff when we have a finite, as a threat actor, finite span to be able to take advantage of something before whatever it is we're soliciting with, reconning, reckon ordering with, gets popped and turned away. So yeah, you're going to throw everything that you've seen work currently and then come back a few days later if none of that worked and try something new until you do find something.

But yeah, if log forge is still in the in the exploit paths, it's definitely getting someone somewhere. Otherwise it'd be a waste of time.

Yeah.

And this kind of comes back to a little bit of a nuance on SMBs and supply chain for me and stand up slightly on a soapbox for a few seconds. But if you're in an SMB world, once again, you have a community and this, this is things I think people also need to realize you talk about, outrun the guy behind you a hundred percent.

Please, but at the same vein, if you're seeing these things as a consumer, and so this is where your research to me is valuable because you're doing some of this because they obviously can't in that sense. So as a SMB, as a Intel provider, or at least an Intel consumer, someone who has the ability to understand what my footprint looks like from a threat perspective, or what's hitting me at least a little bit, I should be able to take that info back to my peer groups and harden my peer groups.

Even more. So then once again, as a group, we're less likely to get targeted in the future by those, those, whatever they may be, and then bring that data forward. And so when you create something like this research wise, it's to your point, it's what's the biggest impact across the most people that you can think of and, and, and look for.

And that's what this is. This is taking your data set, your understanding and letting SMBs as a whole know, Hey, look guys, SMB in general. Here's the things you've got to worry about because they know that y'all are softer targets. So take care of these big things, make sure they're good to go. And then let's move on to what the next, flavor of the day is.

And we'll keep the ball ball rolling for and I, I think that's a very important aspect that some people miss in the threat space, when we talk about public disclose, disclosures and things like that, and there's pros and cons on either side of the fence. So you putting out a product like this, that says, here's the top five threats.

It's probably going to make some threat actor stop using it. But that's a good thing in the grand scheme of stuff, because that means, they're, they know that they're being caught with this stuff. They know they need to shift away from it, especially if they want to come after a particular customer base.

The downside is they're going to shift and come after new things, but it takes some time to retool and it takes some time to come back for it. And that's why Intel is a repetitive cycle and we rinse, lather, repeat. And then, nine months, you're going to write the next top five threats for SMBs.

And hopefully it'll be a little different and that that's a good win ROI wise. So yeah.

Oh, yeah, I know you wanted to say something at the you know a few times here before we wrap up giving time permissions But I want to be mindful that all so he sits here and he goes you hear his intro, right? He's hey, i'm i'm the whatever producer black back in person, whatever elliot And then here's your host neil and I have to remind him that he does all the work He's not just a producer he does yeah, I think it's very well said I know who you are and know what you are and know what the heck screwed up as best as you can. And just one last piece you, you said it earlier, you need a resource to, to drive into what's, what's actually there. What's actually going on. You need to have someone somewhere on a team somehow that understands how to be, red team to some extent.

And. You yourself obviously haven't come from that back end, know that better than most, I hope. And then red team, your stuff, even if it's some intern from a university that has, pays and works for coffee, let them come in and try to break your crap better than than someone else.

And so I know we're coming up on time, but I got two last questions. One, I would like, since you're doing sand stuff I'm all for you personally pitching your sands course, if you're up for it and what the number is, and then for our listeners. Throw it back over to Doug to let you know where to go get some fun stuff here from the sand side of the house.

Yeah, just don't try to push a packet back out until you know what it's doing first. I, yeah, I used to work OT side of the house and proprietary, pick a flavor of the day, bus this, mod bus, propy bus, all the other fun buses. I may or may not have learned that one. And then last but not least before I let Elliot closes out real fast, SonicWall, I just want to iterate on that where, where you're coming from the research that y'all produce in effect, like right off the bat, you talked about how, as a, as a company that a large percentage of your client base is SMB focused.

And I just want to iterate on that for everybody listening that if you're looking for SMB support and stuff, there are companies like SonicWall out there that do have a focus of the day that does help y'all more than someone like Microsoft.

Reach out to Doug. Doug likes to play sales rep. I'm kidding. Yeah.

Oh, Ellie, I'm good, bud. I'm done. I just wanted to get a good point for Sans.

0 Comments
Adopting Zero Trust
Adopting Zero Trust
Today, Zero Trust is a fuzzy term with more than a dozen different definitions. Any initial search for Zero Trust leads people to stumble upon technology associated with the concept, but this gives people the wrong impression and sets them off on the wrong foot in their adoption journey. Zero Trust is a concept and framework, not technology.
We are on a mission to give a stronger voice to practitioners and others who have been in these shoes, have begun adopting or implementing a Zero Trust strategy, and to share their experience and insight with peers while not influenced by vendor hype.