Aamir Lakhani, FortiGuard Labs | CUBE Conversation, July 2021


 

(upbeat music) >> Welcome to this cube conversation. I'm Lisa Martin. I'm joined by Aamir Lakhani, the Lead Researcher and Cybersecurity Expert at FortiGuard Labs at Fortinet. Aamir, welcome back to theCube. >> Hey, it's always good to be back on. >> It is, even though we're still in this work from anywhere environment, and that's one of the things that I want to talk to you about. We're in this environment now, I've lost count, 16 months, 17 months? And we now have this distribution of folks working still from home, maybe some in the office, and a good portion that probably want to remain remote. And one of the things that, that you guys have seen in this time is this huge uptick and sophistication in phishing attacks. Talk to me about what's going on. >> You know, it's a funny thing you mention that, Lisa, every attack that I've seen in the last 16 months usually has a phishing component, and over the last, even just the last couple of weeks, we've seen some really sophisticated attacks, attacks that are against industrial control systems, against critical infrastructure, against large corporations, government entities, and almost every one of those attacks, whether it's a ransomware attack, whether it's a denial of service attack, usually has a phishing component. And the sad part is usually the initial attack vector, how attackers are getting into the network, a lot of times as the first step is through phishing. And, you know, it works, it's a method that has always worked. It works just as well today as it always did, so attackers are basically going back to the well and basically making their phishing attacks more complicated, and more sophisticated, and it's much more effective than it ever used to be. 
>> Tell me how they're making it more sophisticated because I know, I've seen interesting examples through Twitter, for example, of people that are very well-versed, you might even consider them cybersecurity experts, who've just almost fallen for a phishing email that looks so legitimate. How is it getting more sophisticated? >> Well, what attackers are doing is they're definitely playing on your emotions. They understand that there's a lot of things happening in the world, and sometimes we get a little emotional about it, whether it's, "Hey, how do you get the latest vaccine?" Maybe information, you know, around getting jobs, going back to work. LinkedIn is a good example. A lot of people are looking for jobs. When the U.S. elections were happening, there were a lot of phishing attacks around political donations and affiliations. They kind of find these hot button items that they know people are really going to not think first about security, and really think like, "Hey, how do I respond back to this?" and really attack them that way. The other thing that we're seeing on how it's getting complicated is, it used to be like a phishing attack, you know, it used to be pretty simple, like click on a link. Now what they're doing is they're actually targeting organizations and what you do as a job. For example, I've seen a lot of phishing attacks against HR, the human resource departments, and I feel sad for anyone in human resources because their job all day is to basically open files and emails from strangers, and that's what attackers are doing. They're like, "Hey, I want to apply for a cybersecurity position. And by the way, my resume is encrypted. Please click on this link to see my secure version of my resume." And when they do that, you know, the HR person may be thinking, "Hey, this is a cybersecurity guy, like good. He's actually sending me an encrypted link."
In reality, when they click on that button, it's attacking their machine, and actually getting into their organization. The attacks are getting into the organization. So they're using more and more tricks to actually technically bypass some of the security tools you may have. >> So getting more sophisticated by preying on emotions, and also using technology, and things that an HR person, like you said, would think, "Great, this is the level of sophistication that this applicant has." How do they, how do organizations start reducing those attacks, that are falling victim to these attacks? >> Yeah, so I was thinking, at Fortinet we always mention, like at FortiGuard Labs, that training and security awareness are some of the best ways you can protect against this attack. At Fortinet we have our training advancement agenda, that's at Fortinet.com/training/taa. Basically what that does, well what we emphasize, what we preach, is that training is the key and education is the key, in helping protect against those attacks. And, you know, you can train anyone these days, at least to some level of, you know, awareness. My mom used to call me up, and used to tell me like, "Hey, I got the IRS calling me, should I answer these questions?" I was like, "No, absolutely not, like this is dangerous, the IRS doesn't call you up and ask you for your credit card number." I actually had my mom go through our Level 1, one of our trainings, and she actually gets it. She's like, "Okay, I get why I shouldn't, you know, answer the questions from the IRS now." So I say any type of training, to anyone you can give, and you can start it off like with people in high school, with people in elementary school, all the way up to professionals, I think it helps in all levels. >> So first of all, your mom sounds like my mom, and I need to get my mom to do this training, I really do. But one of the things that kind of highlights is the fact that there are five generations in the workforce.
So there, and in every industry, there is a huge variety of people that understand technology, and know to be suspicious. And that's one of the things I think that's challenging for organizations, because if a lot of that responsibility falls on the person, the more sophisticated, the more personalized this phishing email is, the more likely I am to think this is legitimate instead of questioning it. So that training that you're talking about, tell me a little bit more about that. You mentioned a variety of ages and generations, that folks as young as high school kids, and then folks in our parents' generation can also go on and learn how to navigate through basic emails, for example, to see what to look for. >> Yeah, it's not only emails. So attackers, like I said, they are getting sophisticated. We are seeing phishing attacks, not only through emails, but through applications, mobile applications. There's actually like some advanced phishing techniques now on smart speakers. When you ask your smart speaker a certain skill like, "Hey, tell me my balance, tell me what the weather is." There's like some phishing attacks there. So there's phishing attacks all across the board. Obviously, when we talk about phishing we're mostly talking about email attacks, but every generation kind of has their tools, kind of has their, you know, techniques or apps that they're comfortable with. So, and we're trained, like a lot of my friends are trained to basically click on any app, download any app, allow, they don't really read the pop-ups that say like, "Do you want to share information?" They'll just start sharing information. People in the workforce, like sometimes they are not paying attention, they're just clicking on emails, and attackers realize this. Most of the time when attacks happen, it's not when you're paying attention.
It's like when we're on our Zoom calls, and we're actually like looking at our phones, looking at emails, multitasking, and that's when your attention kind of diverts a little bit, and that's when attackers are really jumping in, and really trying to take advantage of that situation. And that's, I think that's a good idea about the training, because it opens up your eyes to understand, hey, it's more than just emails, it's really about every way we can use technology can be a vector on how we get attacked, and we have a couple of good examples on that as well. >> Let's talk about that, 'cause I want to see how easy it is for the bad actors to create phishing attacks. You were saying, it's not just email, it's through apps, it's through my smart speaker, which is one of the reasons I don't have one. But talk to me about how easy it is for them to actually set these up. >> Yeah, so we have, I think we have a demo we can show, an example that we can show, of what's going on. And what I'm showing here is basically how easily you can download proof of concept apps. Now, what I'm showing here is actually a defensive tool, it's for defenders, and people that want to test for security on testing, phishing, and how susceptible their organization may be to phishing. But you can see like attackers could do something very similar. This tool is called Black Eye. And what it does is it allows me to create multiple different types of phishing websites. I can create a custom one, or I can use a template that's already created. Once I use this template, for example I'm using the LinkedIn template here, it's going to create a website for me. This website, I can embed into a link; if I was potentially a bad guy, I could hide it behind a link. I could potentially change the website to make it look more like LinkedIn. But when I go to the LinkedIn fake website, this phishing website, which is hosted, you'll see, it kind of looks like LinkedIn.
It actually has that little security box, that little green box, because it generates a certificate as well. And when I go to the real LinkedIn website, yes, the real LinkedIn website does look a little different. It's using a more updated template, a more updated website, but most people aren't going to notice the difference between the real LinkedIn website, and here, where we have the fake LinkedIn website. And I'll just show you like, if I log in, and I'm going to log in with a demo account, this is actually a honeypot demo account that we have, just to showcase this tool. But I'll log in here, and you'll see from our test box, as soon as we log in, and we go back to the attacker's point of view, he's captured the username, the password, but not only that, he has the IP address, the ISP, the location of where the victim is coming from. So they have a lot of different types of information that they've captured. And this is just one simple way of doing the attack. Now, one thing to remember, I know I speak very fast, but at the same time, this is real time. I didn't like copy and paste anything, I just recorded this in real time, and replayed this. And this is how easy it is for an attacker to potentially start setting up a system where they can attack victims. >> That's remarkable, because I mean, I'm in LinkedIn every day, and I don't know, you talked about, we're all busy, multitasking, and things like that. I don't know that I would've, nothing that you showed caught my attention. So how would I know to, what would I know to look for as a user, as a potential victim? How do I look for something on that page to tell me "think twice about this"? >> Yeah, it's getting much more difficult these days. I mean, one of the things that I do is I try and make sure I type in like the addresses, especially when I get links in emails, I try not to like, just click on the link directly.
I try and look at what's behind that link, is it really going to the LinkedIn website, you know, I'll try and go ahead and type it in, type in the website in the web browser. But mostly I think the thing that we can all do to protect ourselves is like kind of slow down. One of the reasons I mentioned LinkedIn is not because LinkedIn is doing anything bad. They're actually taking a lot of precautions on being secure. But you know, people these days are very emotional, they're going back to work, they're maybe looking for new jobs, or they're trying to get back into the workforce after a pandemic. So there's a lot of people that are getting phishing attacks from attackers, and it's a really mean thing. They're taking, once again, advantage of that emotion, like someone needs a job, so let me go ahead and send them a LinkedIn link, and this time they're just stealing their username and passwords. >> That's remarkable. I think another thing you can do, can you hover over the link, and if it looks suspicious, if it doesn't go to like linkedin.com, for example, in this case, that's one way, right, is to check out what that actual URL is. >> Yeah, absolutely, and that's a great way of doing that, so we definitely recommend that. Look at the, hover over the link, look over the links, type in the links directly if you can. And you can see like, you know, attackers are getting sophisticated. We used to tell people, look for that green lock box; attackers can now generate that green lock box, so you have to do a little more due diligence. Just keep your eyes a little sharper these days. >> Do you think phishing is, and I know a lot of us understand what it is, but do you think it's as common? Ransomware was up, I think Derek told me, 7X in the second half of calendar year 2020. Is phishing becoming more of a household word like ransomware is?
Or is that something that you think actually will help more organizations, and more people and more generations be just more aware of, let me just take a step back, and check that this is legitimate. >> Yeah, so phishing, you have to remember, is like the initial attack. So the demo that I just showed you, you could say the true attack was me possibly stealing the username and password, but phishing would be the way that someone would get to that, like by essentially mimicking the LinkedIn website, as I showed in the example. So ransomware is an attack, it's the main attack, usually the attack that attackers are going for, but how they get into the system is usually through a phishing site. They'll usually try and phish your username and password to your corporate site, maybe your VPN services, or your remote desktop services. So phishing is usually in conjunction with another attack, and that's the scary part, is attackers have a lot of attacks that they can choose from, but the attack that they're normally conducting to get that initial access to your system is phishing. >> So besides training, which is obviously absolutely critical, how can organizations protect themselves against this threat landscape that I imagine is only going to continue to grow? >> Yeah, no, it's definitely going to continue to grow. And as I said, I really believe education is the best thing you can do. But on top of that, you know, I would say, you know, cyber hygiene. The basic things that we always mention every time, like, make sure your security products are up to date, make sure they're installed, make sure your patches are up to date, which is very difficult, but that does start helping things. Make sure you're using the latest version of your web browser. A lot of web browsers these days have some sort of anti-phishing type of tools in them as well, especially for websites. So they can kind of detect things.
There's, once again, a lot of just even free plugins, security plugins, that are available, that kind of detect a lot of phishing sites as well. So there's a lot of things I think people can do to protect themselves from a technology standpoint, you know, with basic cyber hygiene, as well as security awareness. >> So you think this is really preventable, essentially. >> I don't think it's 100% preventable, because I think, you know, attackers are always going to take advantage of those times when our emotions are heightened, and they're going to take advantage of just us sometimes like not paying as much attention as we can. But I think you can definitely reduce that attack surface, the more we educate ourselves. >> Absolutely, tell me that training website again. >> Sure thing, so it's basically Fortinet.com/training/taa. >> Excellent, and can you access different levels? Like if I literally point my mom to that website, can she access something that would be at her 75 year old brain level? >> Absolutely, so we have different levels out there. I would suggest that everyone should try basically Level 1, NSE Level 1. That's our Security Institute. So that's really good awareness for everyone on all sorts of different levels. But we have training geared towards specific individuals, and different age groups as well. >> Excellent, and it's one of those things that culturally is difficult I think for Americans, slow down, right? We don't do that, especially when people are still working from home, and probably now it's summertime, kids are out of school, things are a little bit more chaotic. That best practice of an organization really keeping up with their cyber hygiene and us as individuals slowing down, checking something, are really some of the best ways. Aamir, this is such an interesting topic.
Thank you for showing us how easy it is to create phishing attacks, and what some of the things are that we as individuals, and companies can do to protect ourselves against it. >> Hey, no problem, glad to be here. >> For Aamir Lakhani, I'm Lisa Martin, you're watching this Cube conversation. (soft music)

Published Date: Jul 26 2021



Derek Manky and Aamir Lakhani, FortiGuard Labs | CUBE Conversation, August 2020


 

>> From the Cube Studios in Palo Alto and Boston, connecting with thought leaders all around the world, this is a CUBE conversation. >> Everyone, welcome to this CUBE conversation. I'm John Furrier, host of theCUBE, here in theCUBE's Palo Alto studios during the COVID crisis, in quarantine with our crew, but we've got the remote interviews. Great to get great guests here from FortiGuard Labs at Fortinet: Derek Manky, Chief of Security Insights and Global Threat Alliances at Fortinet's FortiGuard Labs, and Aamir Lakhani, who's the lead researcher for FortiGuard Labs. Guys, great to see you. Derek, good to see you again. Aamir, good to meet you. >> Hey, it's been a while, and it happened so fast. >> It just seems, as I say, it was just the other day. Derek, we've done a couple of interviews in between. A lot of flow coming out of Fortinet, FortiGuard. A lot of action, certainly with COVID, everyone's pulled back home. The bad actors are taking advantage of the situation. The surface area has increased; it really is the perfect storm for security. In terms of action, bad actors are at an all-time high, new threats, here's what's going on. Take us through what you guys are doing. What's your team makeup look like? What are some of the roles you guys are seeing on your team? And how does that transcend to the market? >> Yeah, sure, absolutely. So you're right. I mean, like I was saying earlier, this always happens fast and furious. We couldn't do this without, you know, a world-class team at FortiGuard Labs, so we've grown our team now to over 235 globally. There's different roles within the team. You know, if we look 20 years ago, the roles used to be very pigeonholed into, say, antivirus analysis. Right now we have to account for, when we're looking at threats, we have to look at that growing attack surface. We have to look at where these threats are coming from. How frequently are they hitting? What verticals are they hitting?
You know what regions? What are the particular techniques, tactics, procedures? You know, we have threat... This is the world of threat intelligence, of course. Contextualizing that information, and it takes different skill sets on the back end, and a lot of people don't really realize the behind-the-scenes, you know, what's happening. There's a lot of magic happening, not only from what we talked about before in our last conversation, from artificial intelligence and machine learning that we do at FortiGuard Labs, and automation, but the people. And so today we want to focus on the people and talk about, you know, how on the back end we approach a particular threat. We're going to talk to the world about ransom and ransomware. Look at how we dissect threats, how we correlate that, how we use tools in terms of threat hunting as an example, and then how we actually take that to that last mile and make it actionable so that, you know, customers are protected, how we share that information with key threat intel sharing partners. But again, it comes down to the people. We never have enough people in the industry. There's a big shortage, we know, but it's a really key critical element, and we've been building these training programs for over a decade within FortiGuard Labs. So, you know, John, this to me is exactly why I always say, and I'm sure Aamir can share this too, that there's never a dull day in the office. I know we hear that all the time, but I think today, you know, all the viewers really get a new idea of why that is, because this is very dynamic. And on the back end, there's a lot of things we're doing together, getting our hands dirty with this. >> You know, the old expression, started playing in Silicon Valley, is if you're in the arena, that's where the action is, and it's different than sitting in the stands watching the game. You guys are certainly in that arena. And, you know, we've talked and we cover your threat report that comes out, um, frequently.
But for the folks that aren't in the weeds on all the nuances of security, can you kind of give the 101 on ransomware? What's going on? What's the state of the ransomware situation? Set the stage, because that still continues to be a threat. I don't go a week where I don't read a story about another ransomware and then it leaks out. Yeah, they paid 10 million in Bitcoin or something like that. I mean, this is real. That's a real ongoing threat. What is it? >> Quite a bit. Yeah, so I'll give sort of the 101 and then maybe pass it to Aamir, who's on the front lines dealing with this every day. You know, if we look at the world of... I mean, first of all, the concept of ransom, obviously that has gone way, way before, you know, cybersecurity, right? Um, in the world of physical crime. So, of course, you know, the world's first ransomware virus is actually called PC Cyborg. This is in 1989. The ransom payment was demanded to a P.O. box. It was Panama City at the time. Not too effective, on floppy disk, very small audience, not a big attack surface. I didn't hear much about it for years. Um, you know, in reality, it was around 2010 we started to see ransomware becoming prolific, and what cybercriminals did was shift on success from a fake antivirus software model, which was, you know, popping up a whole bunch of, you know, "Your computer is infected with 50 or 60 viruses. Chaos! We'll give you an antivirus solution," which was, of course, fake. You know, people started catching on. You know, the jig was up, people caught on to that. So they weren't making a lot of money selling this fake software. Enter ransomware. And this is where ransomware really started to take hold, because it wasn't optional to pay for the software. It was mandatory almost for a lot of people, because they were losing their data. They couldn't reverse engineer it.
Uh, the encryption, kind of decrypt it with any universal tool. Ransomware today is very rigid. We just released our threat report for the first half of 2020, and we've seen things like master boot record, MBR, ransomware. This is persistent. It sits before your operating system when you boot up your computer, so it's hard to get rid of. Um, very strong, um, you know, public key cryptography that's being used, so each victim is infected with a different key, as an example. The list goes on, and you know, I'll save that for the demo today. But that's basically it. It's very prolific, and we're seeing this not only just in ransomware attacks for data, we're now starting to see ransom for extortion, for targeted ransom cases that are going after, you know, critical business. Essentially, it's like a DoS, holding revenue streams ransom too. So the ransom demands are getting higher because of this as well. It's complicated. >> Yeah, as I was mentioning, Aamir, I want you to weigh in. I mean, 10 million is a lot. We reported earlier this month Garmin was the company that was attacked, IT completely locked down. They paid 10 million. Um, Garmin makes all those devices, and as we know this is impacting, that's real numbers. So I mean, there's other little ones, but for the most part, it's new. It's, you know, pain in the butt to full-on business disruption and extortion. Can you explain how it all works? Before we go to the demo. >> You know, you're absolutely right. It is a big number, and a lot of organizations are willing to pay that number to get their data back. Essentially their organization and their business is at a complete standstill. When they don't pay, all their files are inaccessible to them. Ransomware in general, what it does, from a very basic overview, is it basically makes your files not available to you. They're encrypted.
They have essentially a pass code on them, and you have to have the correct pass code to decode them. A lot of times that's in the form of a program, or actually a physical password you have to type in. But you don't get that access to get your files back unless you pay the ransom. A lot of corporations these days, they are not only paying the ransom, they're actually negotiating with the criminals as well. They're trying to say, "Oh, you want 10 million? How about four million?" Sometimes that goes on as well, but it's something that organizations know that if they don't have the proper backups, and the attackers are getting smart, they're trying to go after the backups as well. They're trying to go after your duplicate files, so sometimes you don't have a choice, and organizations will pay the ransom. >> And, you know, they're smart. There's a business. They know the probability of buy versus build, or pay versus rebuild, so they kind of know where to attack. They know the tactics. They know who's vulnerable. It's not like just some script kiddie thing going on. This is real sophisticated stuff, and it's highly targeted. Can you talk about some use cases there and what goes on with that kind of attack? >> Absolutely. The cybercriminals are doing reconnaissance. They're trying to find out as much as they can about their victims. And what happens is they're trying to make sure that they can motivate their victims in the fastest way possible to pay the ransom as well. So there's a lot of attacks going on. What we're finding now is ransomware is sometimes the last stage of an attack, so an attacker may go into an organization. They may already be taking data out of that organization. They may be stealing customer data, PII, which is personally identifiable information such as Social Security numbers or driver's licenses or credit card information.
Once they've done their entire attack, once they've gotten everything they can, a lot of times their end stage, their last attack, is ransomware, and they encrypt all the files on the system and try and motivate the victim to pay as fast as possible and as much as possible as well. >> You know, it's interesting. I thought of my buddy today. It's like casing the joint. They check it out. They do their reconnaissance. They go in, identify what's the move to make, how to extract the most out of the victim, in this case, the target. Um, and it really, I mean, just to go on a tangent, you know, why don't we have the right to bear our own arms? Why can't we fight back? I mean, at the end of the day, Derek, this is like, who's protecting me? I mean, >> I do >> what? To protect my own, build my own army, or does the government help us? I mean, at some point, I've got a right to bear my own arms here, right? I mean, this is the whole security paradigm. >> Yeah, so I mean, there's a couple of things, right? So first of all, this is exactly why we do a lot of that. I was mentioning the skills shortage in cybersecurity professionals, for example. This is why we do a lot of the heavy lifting on the back end. Obviously, from a defensive standpoint, you obviously have the red team, blue team aspect. How do you first, um, no, there is what is to fight back by being defensive as well, too, and also by, you know, in the world of threat intelligence. One of the ways that we're fighting back is not necessarily by going and hacking the bad guys, because that's illegal in jurisdictions, right? But how we can actually find out who these people are, hit them where it hurts. Freeze assets, go after money laundering networks. You follow the cash transactions where it's happening. This is where we actually work with key law enforcement partners such as Interpol, as an example. This is the world of threat intelligence.
That's why we're doing a lot of that intelligence work on the back end. So there's other ways to actually go on the offense without necessarily weaponizing it per se, right, like using, you know, bearing your own arms, as you said. There's different forms that people may not be aware of with that, and that actually gets into the world of, you know, if you see attacks happening on your system, how you can use security tools and collaborate with threat intelligence. >> Yeah, I think that's the key. I think the key is these new sharing technologies around collective intelligence is gonna be a great way to kind of have more of an offensive collective strike. But I think fortifying the defense is critical. I mean, there's no other way to do that. >> Absolutely. I mean, you know, we say this almost every week, but in its simplicity, our goal is always to make it more expensive for the cybercriminal to operate. And there's many ways to do that, right? You could be a pain to them by having a very rigid, hardened defense. That means that if it's too much effort on their end, I mean, they have ROIs in their sense, right? Too much effort on their end, and they're gonna go knocking somewhere else. Um, there's also, you know, as I said, things like disruption, so ripping infrastructure offline that cripples them. Yeah, it's whack-a-mole, they're going to set up somewhere else. But then also going after the people themselves, um, again, the cash networks, these sorts of things. So it's sort of a holistic approach between everything. >> Hey, it's an arms race. Better AI, better cloud scale always helps. You know, it's a ratchet game. Okay, Aamir, I want to get into this video. It's a four-minute ransomware video. I'd like you to take us through it, as the lead researcher, >> take us >> through this video and, uh, explain what we're looking at. Let's roll the video. >> All right, sure.
So what we have here is we have the victim's desktop over here. We have a couple of things on this victim's desktop. We have a batch file, which is essentially going to run the ransomware. We have the payload, which is the code behind the ransomware. And then we have files in this folder, and this is where you typically find user files and, in a real world case, this would be like Microsoft Word documents or your PowerPoint presentations. Over here, we just have a couple of text files that we've set up. We're going to go ahead and run the ransomware, and sometimes attackers, what they do is they disguise this, like they make it look like an important Word document. They make it look like something else. But once you run the ransomware, you usually get a ransom message. And in this case, the ransom message says your files are encrypted, uh, please pay this money to this Bitcoin address. That obviously is not a real Bitcoin address, usually they look a little more complicated, but this is our fake Bitcoin address. But you'll see that the files now are encrypted. You cannot access them. They've been changed. And unless you pay the ransom, you don't get the files. Now, as researchers, we see files like this all the time. We see ransomware all the time. So we use a variety of tools, internal tools, custom tools, as well as open source tools. And what you're seeing here is an open source tool called the Cuckoo Sandbox, and it shows us the behavior of the ransomware. What exactly is the ransomware doing? In this case, you can see just clicking on that file launched a couple of different things. It launched basically a command executable, a PowerShell. It launched our Windows shell, and then it did things on the file. It basically had registry keys. It had network connections. It changed the disk. So this kind of gives us a behind the scenes look at all the processes that's happening on the ransomware, and just that one file itself.
Like I said, there's multiple different things. Now what we want to do as researchers, we want to categorize this ransomware into families. We wanna try and determine the actors behind that. So we dump everything we know on the ransomware into central databases, and then we mine these databases. What we're doing here is we're actually using another tool called Maltego, and, uh, we use custom tools as well as commercial and open source tools. But this is an open source and commercial tool. But what we're doing is we're basically taking the ransomware and we're asking Maltego to look through our database and say, like, do you see any like files? Or do you see any types of incidences that have similar characteristics? Because what we want to do is we want to see the relationship between this one ransomware and anything else we may have in our system, because that helps us identify maybe where the ransomware is connecting to, where it's going to, other processes that it may be doing. In this case, we can see multiple IP addresses that are connected to it, so we can possibly see multiple infections. We can block different external websites. If we can identify a command and control system, we can categorize this to a family. And sometimes we can even categorize this to a threat actor that has claimed responsibility for it. So it's essentially visualizing all the connections and the relationship between one file and everything else we have in our database, in this example. Of course, we put this out in multiple ways. We can save these as reports, as PDF type reports or, you know, usually HTML or other searchable data that we have back in our systems. And then the cool thing about this is this is available to all our products, all our researchers, all our specialty teams.
So when we're researching botnets, when we're researching file based attacks, when we're researching, um, you know, IP reputation, we have a lot of different IOCs, or indicators of compromise, that we can correlate where attacks go through and maybe even detect new types of attacks as well. >> So the bottom line is you got the tools, using a combination of open source and commercial products, to look at the patterns of all ransomware across your observation space. Is that right? >> Exactly. I showed you, like, a very simple demo. It's not only open source and commercial, but a lot of it is our own custom developed products as well. And when we find something that works, that logic, that technique, we make sure it's built into our own products as well. So our own customers have the ability to detect the same type of threats that we're detecting as well. At FortiGuard Labs, the intelligence that we acquire, that product of intelligence, it's consumed directly by our products. >> Also take me through what, what's actually going on? What it means for the customers. So FortiGuard Labs, you're looking at all the ransomware you see and the patterns. Are you guys proactively looking? Is it that you guys are researching, you look at something, it pops on the radar? I mean, take us through what, what goes on? And then how does that translate into a customer notification or impact? >> So, yeah, if you look at a typical life cycle of these attacks, there's always proactive and reactive. That's just the way it is in the industry, right? So of course we try to be aware, some of the solutions we talked about before. And if you look at an incoming threat, first of all, you need visibility. You can't protect or analyze anything that you can't see. So you got to get your hands on visibility. We call these IOCs, indicators of compromise. So this is usually something like, um, an actual executable file, like the virus from the malware itself.
It could be other things that are related to it, like websites that could be hosting the malware, as an example. So once we have that seed, we call it a seed, we could do threat hunting from there, so we can analyze that, right? If it's a piece of malware or a botnet, we can do analysis on that and discover more malicious things that this is doing. Then we go investigate those malicious things, and we really, you know, it's similar to the world of CSI, right? You have these different dots that they're connecting. We're doing that at hyper scale, and we use that through these tools that Aamir was talking about. So it's really a life cycle of getting, you know, the malware incoming, seeing it first, um, analyzing it, and then doing action on that, right? So it's sort of a three step process, and the action comes down to what Aamir is saying, we're following that to our customers so that they're protected. But then in tandem with that, we're also going further, and I'm sharing it, if applicable, to, say, law enforcement partners, other threat intel sharing partners too. And, um, there's not just humans doing that, right? So the proactive piece, again, this is where it comes to artificial intelligence, machine learning. Um, there's a lot of cases where we're automatically doing that analysis without humans. So we have AI systems that are analyzing and actually creating protection on their own too. So it's quite interesting technology. >> A decision. At the end of the day, you want to protect your customers. And so this renders out, if I'm a Fortinet customer across the portfolio, the goal here is to protect them from ransomware, right? That's the end game. >> Yeah. And that's a very important thing when you start talking these big dollar amounts that we were talking earlier, comes to the damages that are down from estimates. >> It's not only good insurance, it's just good to have that fortification. All right, so Derek,
I gotta ask you about the term the last mile because, you know, we were, before we came on camera, you know, I'm a bandwidth junkie, always want more bandwidth. So the last mile used to be a term for the last mile to the home where there were telephone lines. Now it's fiber and Wi-Fi. But what does that mean to you guys in security? Does that mean something specific? >> Yeah, yeah, absolutely. The easiest way to describe that is actionable, right? So one of the challenges in the industry is we live in a very noisy industry when it comes to cybersecurity. What I mean by that is because of that growing attack surface, and you know, you have these different attack vectors. You have attacks not only coming in from email, but websites, from, you know, DDoS attacks. There's a lot of volume that's just going to continue to grow as the world of IoT, and so what ends up happening is, when you look at a lot of security operation centers for customers, as an example, um, it's very noisy. It's, um, you can guarantee that every day you're going to see some sort of probe, some sort of attack activity that's happening. And so what that means is you get a lot of protection events, a lot of logs, and when you have this worldwide shortage of security professionals, you don't have enough people to process those logs and actually start to say, hey, this looks like an attack, I'm gonna go investigate it and block it. So this is where the last mile comes in, because a lot of the times, you know, these logs, they light up like Christmas. And I mean, there's a lot of events that are happening. How do you prioritize that? How do you automatically add action? Because the reality is, if it's just humans doing it on that last mile, it's often, going back to your bandwidth terms, there's too much latency, right? So how do you reduce that latency? That's where the automation, the AI, machine learning comes in
to solve that last mile problem, to automatically add protection. Especially important because you have to be quicker than the attacker. It's an arms race, like you said. >> I think what you guys do with FortiGuard Labs is super important, not just for the industry, but for society at large, as you have kind of all this, you know, shadow, cloak and dagger kind of attack systems, whether it's national security, international, or just for, you know, mafias and racketeering and the bad guys. Can you guys take a minute and explain the role of FortiGuard specifically and why you guys exist? I mean, obviously there's a commercial reason, you're both on the Fortinet side, that, you know, trickles down into the products. That's all good for the customers, I get that, but there's more to FortiGuard than just that. You guys talk about this trend in the security business, because it is very clear that there's a, you know, uh, collective sharing culture developing rapidly for societal benefit. Can you take us through that? >> Yeah, sure. I'll give my thoughts. Aamir, you can add to that. So I'm going to add to that from my point of view. I mean, there's various functions, so we've just talked about that last mile problem. That's the commercial aspect. We create, through FortiGuard Labs, FortiGuard services that are dynamic and updated to security products, because you need intelligent products to be able to protect against intelligent attacks. That's just the defense. Again, going back to, how can we take that further? I mean, we're not law enforcement ourselves. We know a lot about the bad guys and the actors because of the intelligence work that we do. But we can't go in and prosecute. We can share knowledge and we can train prosecutors, right? This is a big challenge in the industry. A lot of prosecutors don't know how to take cybersecurity cases to court, and because of that, a lot of these cybercriminals reign free. That's been a big challenge in the industry.
So, you know, this has been close to my heart. Over 10 years, I've been building a lot of these key relationships between private and public sector, as an example, but also private sector things like the Cyber Threat Alliance. We're a founding member of the Cyber Threat Alliance, with over 28 members in that alliance, and it's about sharing intelligence to level that playing field, because attackers roam freely. What I mean by that is there's no jurisdictions for them. Cybercrime has no borders. Um, they could do a million things, uh, wrong and they don't care. We do a million things right, one thing wrong, and it's a challenge. So there's this big collaboration. That's a big part of FortiGuard, why it exists too, is to make the industry better, to, you know, work on protocols and automation, and really fight this together while remaining competitors. I mean, we have competitors out there, of course, and so it comes down to that last mile problem, John. It's like, we can share intelligence within the industry, but it's only intelligence. Intelligence is just intelligence. How do you make it useful and actionable? That's where it comes down to technology integration. >> Aamir, what's your take on this, uh, societal benefit? Because, you know, I've been saying since the Sony hack years ago that, you know, when you have nation states that, if they put troops on our soil, the government would respond. Um, but yet virtually they're here, and the private sector's fending for themselves, no support. So I think this private public partnership thing is very relevant. I think it's ground zero of the future build out of policy, because, you know, we pay for freedom. Why don't we have cyber freedom if we're gonna run a business? Where's our help from the government? We pay taxes. So again, if a military showed up, you're not gonna see, you know, companies fighting the foreign enemy, right? So, again, this is a whole new changeover. >> It really is.
You have to remember that cyberattacks put everyone on an even playing field, right? I mean, you know, now you don't have to have a country that has invested a lot in weapons development or nuclear weapons or anything like that, right? Anyone can basically come up to speed on cyber weapons as long as they have an Internet connection. So it evens the playing field, which makes it dangerous, I guess, for our enemies, you know. But absolutely, I think a lot of us, you know, from a personal standpoint, a lot of us have seen, researchers have seen organizations fail through cyber attacks. We've seen the frustration. We've seen, like, you know, besides organizations, we've seen people, like, just like grandmas lose pictures of their, you know, other loved ones because they've been attacked by ransomware. I think we take it very personally when innocent people get attacked, and we make it our mission to make sure we can do everything we can to protect them. But I will add that, at least here in the U.S., the federal government actually has a lot of partnerships and a lot of programs to help organizations with cyber attacks. The US-CERT is always continuously updating, you know, organizations about the latest attacks. InfraGard is another organization run by the FBI, and a lot of companies like Fortinet and even a lot of other security companies participate in these organizations, so everyone can come up to speed and everyone shares information. So we all have a fighting chance. >> It's a whole new wave, paradigm. You guys are on the cutting edge. Derek, always great to see you. Aamir, great to meet you remotely, looking forward to meeting in person when the world comes back to normal as usual. Thanks for the great insights. Appreciate it. >> All right. Thank you. Pleasure as always. >> Okay. CUBE Conversation here. I'm John Furrier, host of theCUBE. Great insightful conversation around security, ransomware, with a great demo.
Check it out from Derek and Aamir from FortiGuard Labs. I'm John Furrier. Thanks for watching.

Published Date : Sep 4 2020

Derek Manky and Aamir Lakhani, FortiGuard Labs | CUBE Conversation, August 2020

>> Announcer: From theCUBE studios in Palo Alto and Boston, connecting with thought leaders all around the world. This is a CUBE conversation. >> Hi everyone. Welcome to this CUBE Conversation. I'm John Furrier, host of theCUBE, here in theCUBE's Palo Alto studios during the COVID crisis. We're quarantined with our crew, but we got the remote interviews. Got two great guests here from Fortinet FortiGuard Labs, Derek Manky, Chief of Security Insights and Global Threat Alliances at Fortinet FortiGuard Labs, and Aamir Lakhani, who's the Lead Researcher for FortiGuard Labs. You guys, it's great to see you. Derek, good to see you again. Aamir, good to meet you too. >> It's been a while, and it happens so fast. >> It just seems like it was just the other day, Derek. We've done a couple of interviews in between, a lot of flow coming out of Fortinet FortiGuard, a lot of action, certainly with COVID, everyone's pulled back home, the bad actors taking advantage of the situation. The surface area's increased, it really is the perfect storm for security in terms of action. Bad actors are at an all time high, new threats. What's going on? Take us through what you guys are doing. What's your team makeup look like? What are some of the roles you guys are seeing on your team, and how does that transcend to the market? >> Yeah, sure, absolutely. So you're right. I mean, like I was saying earlier, this always happens fast and furious. We couldn't do this without a world class team at FortiGuard Labs. So we've grown our team now to over 235 globally. There's different roles within the team. If we look 20 years ago, the roles used to be just very pigeonholed into, say, antivirus analysis, right? Now we have to account for, when we're looking at threats, we have to look at that growing attack surface. We have to look at where are these threats coming from? How frequently are they hitting? What verticals are they hitting? What regions, what are the particular techniques, tactics, procedures?
So we have threat, this is the world of threat intelligence, of course, contextualizing that information, and it takes different skill sets on the backend. And a lot of people don't really realize the behind the scenes, what's happening. And there's a lot of magic happening, not only from what we talked about before in our last conversation, from artificial intelligence and machine learning that we do at FortiGuard Labs and automation, but the people. And so today we want to focus on the people and talk about how on the backend we approach a particular threat. We're going to talk to the word ransom and ransomware, look at how we dissect threats, how we correlate that, how we use tools in terms of threat hunting as an example, and then how we actually take that to that last mile and make it actionable so that customers are protected, how we share that information with key intel sharing partners. But again, it comes down to the people. We never have enough people in the industry, there's a big shortage as we know, but it's a really key critical element. And we've been building these training programs for over a decade within FortiGuard Labs. So, you know John, this to me is exactly why I always say, and I'm sure Aamir can share this too, that there's never a dull day in the office, and we hear that all the time. But I think today all of you really get an idea of why that is, because it's very dynamic and on the backend there's a lot of things that we're doing to get our hands dirty with this. >> You know, the old expression in startup land, Silicon Valley, is if you're in the arena, that's where the action is. And it's different than sitting in the stands, watching the game. You guys are certainly in that arena, and you got, we've talked and we cover your threat report that comes out frequently. But for the folks that aren't in the weeds on all the nuances of security, can you kind of give the 101 on ransomware, what's going on?
What's the state of the ransomware situation? Set the stage, because that still continues to be a threat. I don't go a week where I don't read a story about another ransomware. And then at least I hear they paid 10 million in Bitcoin or something like that. I mean, this is real, that's a real ongoing threat. What is it? >> The (indistinct) quite a bit. But yeah. So I'll give sort of the 101 and then maybe we can pass it to Aamir, who is on the front lines dealing with this every day. You know, if we look at the world of, I mean, first of all, the concept of ransom, obviously you have people that, that has gone, extended way, way before cybersecurity, in the world of physical crime. So of course, the world's first ransomware virus is actually called PC Cyborg. This is 1989, a ransom payment that was demanded through a P.O. Box in Panama City at the time, not too effective on floppies, a very small audience, not a big attack surface. Didn't hear much about it for years. Really, it was around 2010 when we started to see ransomware becoming prolific. And what they did was, what cyber criminals did was shift on success from a fake antivirus software model, which was popping up a whole bunch of, setting here, your computer's infected with 50 or 60 viruses, pay us, we'll give you an antivirus solution, which was of course fake. People started catching on, the jig was up, people caught on to that. So they weren't making a lot of money selling this fraudulent software, enter ransomware. And this is where ransomware really started to take hold, because it wasn't optional to pay for this software. It was mandatory, almost, for a lot of people, because they were losing their data. They couldn't reverse engineer the encryption, couldn't decrypt it with any universal tool. Ransomware today is very rigid. We just released our threat report for the first half of 2020. And we saw, we've seen things like master boot record, MBR, ransomware. This is persistent.
It sits before your operating system, when you boot up your computer. So it's hard to get rid of it. Very strong public private key cryptography. So each victim is infected with a direct key, as an example. The list goes on, and I'll save that for the demo today, but that's basically, it's just very, it's prolific. We're seeing this not only just in ransomware attacks for data, we're now starting to see ransom for extortion, for targeted ransom cases that are going after critical business. Essentially it's like a DoS, holding revenue streams to ransom too. So the ransom demands are getting higher because of this as well. So it's complicated. >> As was mentioned, Aamir, why don't you weigh in? I mean, 10 million is a lot. And we reported earlier in this month, Garmin was the company that was hacked, IT got completely locked down. They paid 10 million. Garmin makes all those devices. And as we know, this is impact, and that's real numbers. I mean, it's not the other little ones, but for the most part, it's nuance, it's a pain in the butt to full on business disruption and extortion. Can you explain how it all works before we go to the demo? >> You know, you're absolutely right. It is a big number, and a lot of organizations are willing to pay that number to get their data back. Essentially their organization and their business is at a complete standstill when they don't pay; all their files are inaccessible to them. Ransomware in general, what it does, from a very basic overview, is it basically makes your files not available to you. They're encrypted. They have essentially a passcode on them, and you have to have the correct passcode to decode them. A lot of times that's in the form of a program or actually a physical password you have to type in, but you don't get that access to get your files back unless you pay the ransom. A lot of corporations these days, they are not only paying the ransom. They're actually negotiating with the criminals as well.
They're trying to say, "Oh, you want 10 million? How about 4 million?" Sometimes that goes on as well. But it's something that organizations know that if they didn't have the proper backups, and the hackers are getting smart, they're trying to go after the backups as well. They're trying to go after your duplicated files. So sometimes you don't have a choice, and organizations will pay the ransom. >> And they're smart, there's a business. They know the probability of buy versus build, or pay versus rebuild. So they kind of know where to attack. They know the tactics and it's vulnerable. It's not like just some script kiddie thing going on. This is real sophisticated stuff, it's highly targeted. Can you talk about some use cases there and what goes on with that kind of an attack? >> Absolutely. The cyber criminals are doing reconnaissance and trying to find out as much as they can about their victims. And what happens is they're trying to make sure that they can motivate their victims in the fastest way possible to pay the ransom as well. So there's a lot of attacks going on. We usually, what we're finding now is ransomware is sometimes the last stage of an attack. So an attacker may go into an organization. They may already be taking data out of that organization. They may be stealing customer data, PII, which is personally identifiable information, such as social security numbers, or driver's licenses, or credit card information. Once they've done their entire attack, once they've gone through everything they can, a lot of times their end stage, their last attack, is ransomware. And they encrypt all the files on the system and try and motivate the victim to pay as fast as possible and as much as possible as well. >> I was talking to my buddy the other day. It's like casing the joint there, they check it out. They do their recon, reconnaissance. They go in, identify what's the best move to make, how to extract the most out of the victim, in this case, the target.
And it really is, I mean, it's just, to go on a tangent, why don't we have the right to bear our own arms? Why can't we fight back? I mean, at the end of the day, Derek, this is like, who's protecting me? I mean, what, to protect my own, build my own arms, or does the government help us? I mean, at some point I got a right to bear my own arms here. I mean, this is the whole security paradigm. >> Yeah. So, I mean, there's a couple of things. So first of all, this is exactly why we do a lot of, I was mentioning the skill shortage in cybersecurity professionals as an example. This is why we do a lot of the heavy lifting on the backend. Obviously from a defensive standpoint, you obviously have the red team, blue team aspect. How do you first, there's what is to fight back by being defensive as well, too. And also by, in the world of threat intelligence, one of the ways that we're fighting back is not necessarily by going and hacking the bad guys, because that's illegal in jurisdictions. But how we can actually find out who these people are, hit them where it hurts, freeze assets, go after money laundering networks. If you follow the cash transactions where it's happening, this is where we actually work with key law enforcement partners, such as Interpol as an example. This is the world of threat intelligence. This is why we're doing a lot of that intelligence work on the backend. So there's other ways to actually go on the offense without necessarily weaponizing it per se, right? Like using, bearing your own arms as you said, there's different forms that people may not be aware of with that. And that actually gets into the world of, if you see attacks happening on your system, how you can use the security tools and collaborate with threat intelligence. >> I think that's the key. I think the key is these new sharing technologies around collective intelligence is going to be a great way to kind of have more of an offensive collective strike.
But I think fortifying the defense is critical. I mean, there's no other way to do that. >> Absolutely. I mean, we say this almost every week, but it's in simplicity. Our goal is always to make it more expensive for the cybercriminal to operate. And there's many ways to do that, right? You can be a pain to them by having a very rigid, hardened defense. That means if it's too much effort on their end, I mean, they have ROIs in their sense, right? If it's too much effort on their end, they're going to go knocking somewhere else. There's also, as I said, things like disruption, so ripping infrastructure offline that cripples them. Whack-a-mole, they're going to set up somewhere else. But then also going after the people themselves, again, the cash networks, these sorts of things. So it's sort of a holistic approach between- >> It's an arms race, better AI, better cloud scale always helps. You know, it's a ratchet game. Aamir, I want to get into this video. It's a ransomware four minute video. I'd like you to take us through, as you're the Lead Researcher, take us through this video and explain what we're looking at. Let's roll the video. >> All right. Sure. So what we have here is we have the victim's desktop over here. We have a couple of things on this victim's desktop. We have a batch file, which is essentially going to run the ransomware. We have the payload, which is the code behind the ransomware. And then we have files in this folder. And this is where you would typically find user files in a real world case. This would be like Microsoft Word documents, or your PowerPoint presentations, or, here, we just have a couple of text files that we've set up. We're going to go ahead and run the ransomware. And sometimes attackers, what they do is they disguise this. Like they make it look like an important Word document. They make it look like something else. But once you run the ransomware, you usually get a ransom message. 
And in this case, the ransom message says, your files are encrypted. Please pay this money to this Bitcoin address. That obviously is not a real Bitcoin address. Usually they look a little more complicated, but this is our fake Bitcoin address. But you'll see that the files now are encrypted. You cannot access them. They've been changed. And unless you pay the ransom, you don't get the files. Now, as researchers, we see files like this all the time. We see ransomware all the time. So we use a variety of tools, internal tools, custom tools, as well as open source tools. And what you're seeing here is an open source tool. It's called the Cuckoo Sandbox, and it shows us the behavior of the ransomware, what exactly the ransomware is doing. In this case, you can see just clicking on that file launched a couple of different things. It launched basically a command executable, a PowerShell. It launched a Windows shell. And then it did things on the file. It basically had registry keys, it had network connections. It changed the disk. So that kind of gives us a behind the scenes look at all the processes that are happening in the ransomware. And just that one file itself, like I said, does multiple different things. Now what we want to do as researchers, we want to categorize this ransomware into families. We want to try and determine the actors behind that. So we dump everything we know about a ransomware into central databases. And then we mine these databases. What we're doing here is we're actually using another tool called Maltego, and we use custom tools as well as commercial and open source tools. But this is an open source and commercial tool. But what we're doing is we're basically taking the ransomware and we're asking Maltego to look through our database and say, like, do you see any like files? Or do you see any types of incidents that have similar characteristics? 
Because what we want to do is we want to see the relationship between this one ransomware and anything else we may have in our system, because that helps us identify maybe where the ransomware is connecting to, where it's going, other processes that it may be doing. In this case, we can see multiple IP addresses that are connected to it. So we can possibly see multiple infections. We can block different external websites. We can identify a command and control system. We can categorize this to a family, and sometimes we can even categorize this to a threat actor that's claimed responsibility for it. So it's essentially visualizing all the connections and the relationship between one file and everything else we have in our database. In this example, of course, I could output this in multiple ways. We can save these as reports, as PDF type reports, or usually HTML or other searchable data that we have back in our systems. And then the cool thing about this is this is available to all our products, all our researchers, all our specialty teams. So when we're researching botnets, when we're researching file-based attacks, when we're researching IP reputation, we have a lot of different IOCs or indicators of compromise that we can correlate where attacks go through, and maybe even detect new types of attacks as well. >> So the bottom line is you've got the tools, using a combination of open source and commercial products, to look at the patterns of all ransomware across your observation space. Is that right? >> Exactly. I showed you like a very simple demo. It's not only open source and commercial, but a lot of it is our own custom developed products as well. And when we find something that works, that logic, that technique, we make sure it's built into our own products as well. So our own customers have the ability to detect the same type of threats that we're detecting as well. 
At FortiGuard Labs, the intelligence that we acquire, that product, that product of intelligence, it's consumed directly by our prospects. >> So take me through what's actually going on, what it means for the customer. So FortiGuard Labs, you're looking at all the ransomware, you're seeing the patterns. Are you guys proactively looking? Is it, you guys are researching, you look at something, pops in the radar. I mean, take us through what goes on and then how does that translate into a customer notification or impact? >> So, yeah, John, if you look at a typical life cycle of these attacks, there's always proactive and reactive. That's just the way it is in the industry, right? So of course we try to be (indistinct) as we look for some of the solutions we talked about before. And if you look at an incoming threat, first of all, you need visibility. You can't protect or analyze anything that you can't see. So you've got to get your hands on visibility. We call these IOCs, indicators of compromise. So this is usually something like an actual executable file, like the virus or the malware itself. It could be other things that are related to it, like websites that could be hosting the malware as an example. So once we have that seed, we call it a seed, we can do threat hunting from there. So we can analyze that, right? If we have to, if it's a piece of malware or a botnet, we can do analysis on that and discover more malicious things that this is doing. Then we go investigate those malicious things. And it's really similar to the world of CSI, right? These different dots that they're connecting, we're doing that at hyper-scale. And we use that through these tools that Aamir was talking about. So it's really a lifecycle of getting the malware incoming, seeing it first, analyzing it, and then doing action on that. So it's sort of a three step process. And the action comes down to what Aamir was saying, waterfall that to our customers, so that they're protected. 
But then in tandem with that, we're also going further and sharing it, if applicable, to, say, law enforcement partners, other threat intel sharing partners too. And it's not just humans doing that. So the proactive piece, again, this is where it comes to artificial intelligence, machine learning. There's a lot of cases where we're automatically doing that analysis without humans. So we have AI systems that are analyzing and actually creating protection on their own too. So it's quite interesting that way. >> So at the end of the day, you want to protect your customers. And so this renders out, if I'm a Fortinet customer across the portfolio, the goal here is protect them from ransomware, right? That's the end game. >> Yeah. And that's a very important thing. When you start talking about these big dollar amounts that we were talking about earlier, it comes to the damages that are done from that- >> Yeah, I mean, not only is it good insurance, it's just good to have that fortification. So Derek, I'm going to ask you about the term the last mile, because, before we came on camera, I'm a bandwidth junkie, always want more bandwidth. So the last mile, it used to be a term for the last mile to the home where there were telephone lines. Now it's fiber and wifi, but what does that mean to you guys in security? Does that mean something specific? >> Yeah, absolutely. The easiest way to describe that is actionable. So one of the challenges in the industry is we live in a very noisy industry when it comes to cybersecurity. What I mean by that is that because of that growing attack surface and you have these different attack vectors, you have attacks not only coming in from email, but websites, from DoS attacks, there's a lot of volume that's just going to continue to grow in the world of 5G and OT. So what ends up happening is when you look at a lot of security operations centers for customers, as an example, it's very noisy. 
You can guarantee almost every day you're going to see some sort of probe, some sort of attack activity that's happening. And so what that means is you get a lot of protection events, a lot of logs. And when you have this worldwide shortage of security professionals, you don't have enough people to process those logs and actually start to say, "Hey, this looks like an attack. I'm going to go investigate it and block it." So this is where the last mile comes in, because a lot of the times these logs, they light up like Christmas. And I mean, there's a lot of events that are happening. How do you prioritize that? How do you automatically add action? Because the reality is, if it's just humans doing it, that last mile is often, going back to your bandwidth terms, there's too much latency. So how do you reduce that latency? That's where the automation, the AI, machine learning comes in to solve that last mile problem, to automatically add that protection. It's especially important 'cause you have to be quicker than the attacker. It's an arms race, like you said earlier. >> I think what you guys do with FortiGuard Labs is super important, not only for the industry, but for society at large, as you have kind of all this shadow, cloak and dagger kind of attack systems, whether it's national security, international, or just for mafias and racketeering, and the bad guys. Can you guys take a minute and explain the role of FortiGuard specifically and why you guys exist? I mean, obviously there's a commercial reason. You built on the Fortinet, that trickles down into the products. That's all good for the customers, I get that. But there's more at FortiGuard. And just that, could you guys talk about this trend in the security business, because it's very clear that there's a collective sharing culture developing rapidly for societal benefit. Can you take a minute to explain that? >> Yeah, sure. I'll give you my thoughts, Aamir will add some to that too. 
So, from my point of view, I mean, there's various functions. So we've just talked about that last mile problem. That's the commercial aspect. We created, through FortiGuard Labs, FortiGuard services that are dynamic and updated to security products, because you need intelligence products to be able to protect against intelligent attacks. That's just the defense again. Going back to, how can we take that further? I mean, we're not law enforcement ourselves. We know a lot about the bad guys and the actors because of the intelligence work that we do, but we can't go in and prosecute. We can share knowledge and we can train prosecutors, right? This is a big challenge in the industry. A lot of prosecutors don't know how to take cybersecurity cases to court. And because of that, a lot of these cyber criminals reign free, and that's been a big challenge in the industry. So this has been close to my heart for over 10 years. I've been building a lot of these key relationships between private and public sector, as an example, but also private sector, things like the Cyber Threat Alliance. We're a founding member of the Cyber Threat Alliance. We have over 28 members in that Alliance, and it's about sharing intelligence to level that playing field, because attackers roam freely. What I mean by that is there's no jurisdictions for them. Cyber crime has no borders. They can do a million things wrong and they don't care. We do a million things right, one thing wrong, and it's a challenge. So there's this big collaboration. That's a big part of FortiGuard. Why it exists too is to make the industry better, to work on protocols and automation and really fight this together while remaining competitors. I mean, we have competitors out there, of course. And so it comes down to that last mile problem, it's like, we can share intelligence within the industry, but intelligence is just intelligence. How do you make it useful and actionable? That's where it comes down to technology integration. 
>> Aamir, what's your take on this societal benefit? Because, I would say, for instance, the Sony hack years ago, when you have nation states, if they put troops on our soil, the government would respond, but yet virtually they're here and the private sector has to fend for themselves. There's no support. So I think this private public partnership thing is very relevant. I think it's ground zero of the future build out of policy, because we pay for freedom. Why don't we have cyber freedom? If we're going to run a business, where is our help from the government? We pay taxes. So again, if a military showed up, you're not going to see companies fighting the foreign enemy, right? So again, this is a whole new changeover. What's your thought? >> It really is. You have to remember that cyber attacks put everyone on an even playing field, right? I mean, now you don't have to have a country that has invested a lot in weapons development or nuclear weapons or anything like that. Anyone can basically come up to speed on cyber weapons as long as they have an internet connection. So it evens the playing field, which makes it dangerous, I guess, for our enemies. But absolutely, I think a lot of us, from a personal standpoint, a lot of us researchers have seen organizations fail through cyber attacks. We've seen the frustration. We've seen, besides organizations, we've seen people, like grandmas, lose their pictures of their loved ones because they've been attacked by ransomware. I think we take it very personally when innocent people get attacked, and we make it our mission to make sure we can do everything we can to protect them. But I will add that, at least here in the U.S., the federal government actually has a lot of partnerships and a lot of programs to help organizations with cyber attacks. 
US-CERT is always continuously updating organizations about the latest attacks, and InfraGard is another organization run by the FBI, and a lot of companies like Fortinet, and even a lot of other security companies, participate in these organizations. So everyone can come up to speed and everyone can share information. So we all have a fighting chance. >> It's a whole new wave of paradigm. You guys are on the cutting edge. Derek, always great to see you. Aamir, great to meet you remotely, looking forward to meeting in person when the world comes back to normal as usual. Thanks for the great insights. Appreciate it. >> Pleasure as always. >> Okay, Cube conversation here. I'm John Furrier, host of theCUBE. Great insightful conversation around security, ransomware, with a great demo. Check it out, from Derek and Aamir from FortiGuard Labs. I'm John Furrier. Thanks for watching.
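The demo walked through above (one sandbox behaviour report per sample, everything dumped into a central database, then a link-analysis query asking which other samples share characteristics, and the shared command-and-control addresses pushed out as blocks) reduced to a runnable sketch. This is an added example, not FortiGuard Labs code and not part of the transcript: the five behaviour reports, their hashes, hosts, mutexes, registry keys and file names are constructed here, the report layout is only loosely modelled on a Cuckoo JSON report, and the per-type weights, the noise cut-off and the link threshold are arbitrary choices made for the example.

```python
"""Correlating sandbox behaviour reports into malware families (added example)."""
from __future__ import annotations

from collections import defaultdict
from itertools import combinations

# Weight of a shared indicator by type: a common C2 host or mutex says far more
# about a family than a shared dropped-file name does. Values are arbitrary.
WEIGHTS = {"host": 3, "mutex": 3, "registry": 2, "process": 1, "dropped": 1}
# Indicators in more than this fraction of the corpus (cmd.exe, powershell.exe
# in a ransomware corpus) are noise and are not scored.
NOISE_FRACTION = 0.5
LINK_THRESHOLD = 4  # minimum weighted overlap to link two samples into a family

SAMPLE_A, SAMPLE_B, SAMPLE_C, SAMPLE_D, SAMPLE_E = ("a1" * 32, "b2" * 32, "c3" * 32, "d4" * 32, "e5" * 32)
RUN = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"

# Constructed corpus in a trimmed Cuckoo-like report shape; every hash, host,
# mutex and file name here is invented for the example.
REPORTS = [
    {"sha256": sha, "network": {"hosts": hosts},
     "behavior": {"processes": procs, "mutexes": mtx, "registry": reg, "dropped": drop}}
    for sha, hosts, procs, mtx, reg, drop in [
        (SAMPLE_A, ["203.0.113.10", "198.51.100.7"], ["cmd.exe", "powershell.exe"],
         ["Global\\LockerMtx"], [RUN + "upd"], ["README_TO_RESTORE.txt"]),
        (SAMPLE_B, ["203.0.113.10"], ["cmd.exe", "powershell.exe", "vssadmin.exe"],
         ["Global\\LockerMtx"], [RUN + "upd"], ["README_TO_RESTORE.txt"]),
        (SAMPLE_C, ["192.0.2.44"], ["cmd.exe", "wscript.exe"],
         ["Global\\CryptXX"], [RUN + "svc"], ["HOW_TO_DECRYPT.html"]),
        (SAMPLE_D, [], ["cmd.exe", "powershell.exe"], [], [RUN + "updater"], ["invoice.docx"]),
        (SAMPLE_E, ["192.0.2.44", "203.0.113.99"], ["cmd.exe", "wscript.exe"],
         ["Global\\CryptXX"], [], ["HOW_TO_DECRYPT.html"]),
    ]
]

def extract_iocs(report: dict) -> set[tuple[str, str]]:
    """Flatten one behaviour report into (type, value) indicators."""
    b = report["behavior"]
    fields = {"host": report["network"]["hosts"], "process": b["processes"],
              "mutex": b["mutexes"], "registry": b["registry"], "dropped": b["dropped"]}
    return {(kind, value.lower()) for kind, values in fields.items() for value in values}

def noisy_iocs(reports: list[dict]) -> set[tuple[str, str]]:
    """Indicators too widespread in the corpus to mean anything on their own."""
    index: dict[tuple[str, str], set[str]] = defaultdict(set)  # IOC -> owning hashes
    for r in reports:
        for ioc in extract_iocs(r):
            index[ioc].add(r["sha256"])
    return {ioc for ioc, owners in index.items()
            if len(owners) / len(reports) > NOISE_FRACTION}

def pair_scores(reports: list[dict]) -> dict[frozenset, tuple[int, set]]:
    """Weighted overlap for every pair of samples, noise indicators excluded."""
    by_hash = {r["sha256"]: extract_iocs(r) for r in reports}
    noise = noisy_iocs(reports)
    scores = {}
    for a, b in combinations(by_hash, 2):
        shared = (by_hash[a] & by_hash[b]) - noise
        scores[frozenset((a, b))] = (sum(WEIGHTS[kind] for kind, _ in shared), shared)
    return scores

def related(sha: str, reports: list[dict], threshold: int = LINK_THRESHOLD) -> list:
    """The link-analysis question from the demo: which samples look like this one?"""
    hits = [(next(iter(pair - {sha})), score, shared)
            for pair, (score, shared) in pair_scores(reports).items()
            if sha in pair and score >= threshold]
    return sorted(hits, key=lambda hit: -hit[1])

def cluster(reports: list[dict], threshold: int = LINK_THRESHOLD) -> list[set[str]]:
    """Union-find over every pair above the threshold: one set per family."""
    parent = {r["sha256"]: r["sha256"] for r in reports}
    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for pair, (score, _) in pair_scores(reports).items():
        if score >= threshold:
            a, b = tuple(pair)
            parent[find(a)] = find(b)
    groups: dict[str, set[str]] = defaultdict(set)
    for h in parent:
        groups[find(h)].add(h)
    return sorted(groups.values(), key=min)

def shared_hosts(family: set[str], reports: list[dict]) -> set[str]:
    """Hosts contacted by at least two family members: candidate C2 to block."""
    seen: dict[str, int] = defaultdict(int)
    for r in reports:
        if r["sha256"] in family:
            for host in set(r["network"]["hosts"]):
                seen[host] += 1
    return {host for host, n in seen.items() if n >= 2}

if __name__ == "__main__":
    for family in cluster(REPORTS):
        print(sorted(h[:8] for h in family), "shared C2:", sorted(shared_hosts(family, REPORTS)))
    for other, score, shared in related(SAMPLE_A, REPORTS):
        print(SAMPLE_A[:8], "->", other[:8], "score", score, sorted(shared))
```

Run as a script it reports three families (A with B, C with E, and D on its own) and, per family, the hosts contacted by more than one member, which is the kind of shared command-and-control indicator the transcript describes being identified and blocked. The noise filter is the part worth keeping in a real pipeline: cmd.exe and powershell.exe show up in almost every ransomware report, so without the document-frequency cut-off every sample would score points against every other one and the weights would have to be tuned around that.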

Published Date : Aug 13 2020

Aamir Lakhani, Fortinet | CUBE Conversation Jan 2018


 

(dramatic music) >> Hi, I'm Peter Burris with Wikibon, and welcome to this Cube conversation with Fortinet's Aamir Lakhani. Aamir's a world renowned cyber security expert and lead researcher at Fortinet, and is known in the black hat world as Dr. Chaos. Aamir, thanks very much for joining us today. >> Ah, thank you, glad to be here. >> So, I'm in our Palo Alto studios, Aamir's in Houston, Texas. Aamir, how did we move from a world where the issues associated with cyber security were really pertinent and relevant to a few, to an increasing emphasis across business and the concerns about cyber security? And how is that expertise becoming increasingly relevant to business today? >> Wow, that's a very interesting question. You know, the best I can say is it's a brave new world today. I mean, if you think about it, today everything is connected and interconnected to the net. From our homes, to our cars, to our TVs. It's a smart world, as everyone says. And because of that there's a lot of opportunity, not only to be connected, but also a lot of opportunity for attackers to exploit systems, use these systems as launching pads to gain access to more important information. And we're seeing that all over the place. You know, when I started off my career, it used to be that security experts were really the guys that knew how to configure the vendor boxes the best that they knew how to. They got the certifications from the vendors. They had the best practices from the vendors. And somewhere along the line, someone realized that, hey, it's going to be a good idea to actually test the security, and pretend like we're the bad guys. And that's where the evolution of, I think, penetration testing, as well as red team and offensive security, came into play. Where the good guys are now actually writing bad code, trying to be the hackers, and trying to guess what the hackers are going to do before they even do it. And I think that's where we're at today. 
And the reason we're there is, there's a lot of opportunity with a lot of devices everywhere that are interconnected. >> So, in many respects we've moved from a world where security was a feature of the products we purchased to where today, security really is an asset. And it's an asset that the external world, especially the bad guys, are constantly trying to erode for the business. We've seen some actual resources emerge in the cyber security world. Like the dark net, for example, that has many purposes. It might be used in certain countries as a way of circumnavigating limitations on privacy, or access to different sources of information. But it's clearly also being used by nefarious individuals to, at least, plan and set up nefarious acts. Take us through the role that the dark net is playing today in the changing landscape of cyber security. >> Exactly, and the first thing to explain is the dark net is almost the media term, because it means a variety of different things. First of all, in its most basic form, what it means is, it's all the information that Google doesn't have, that you can't do a Google search for. And that could include, you know, ISPs, it could include forums. But what most people talk about when they talk about the dark net is what we call the Tor network, or the onion routing network. Which is, basically, a specialized network that you need specialized software to gain access to. And you need to know where to go. It's not just, you know, Google search for something. You actually have to have places that you need to go to. That really is, today, what the dark net is. Now there are other aspects to the dark net. There's other peer to peer networks. But really it's a hidden network. And that's kind of the evolution of the dark net. >> So, if we think about the role that the dark net's playing. 
It's not so much that the business itself will operate on the dark net, but it needs, at some point in time, visibility into some of the activities that are being performed on the dark net. Because dark net activities turn into surface net problems for enterprises, if they're not smart about their cyber security practices, policies and approaches. Tell us a little bit about some of the manifestations of dark net activities that are hidden, that suddenly become hidden when you don't want them to, and manifest themselves as cyber security problems. >> Exactly, one of the things that we have on the dark net is this concept called ghost markets. And what a ghost market is, think about a black market. But a black market, you know, sells goods and services that could be illegal. A ghost market is very similar, except that it's very, I would say, transparent, or it could be a market that may not be up for a long time. It could be here one day, and it could disappear the next day. And that's why it's called a ghost market. Now, what you find on these ghost markets, one of the more popular ghost markets that was in the media was Silk Road. You essentially can find anything you want. Now most of the time they're selling illegal drugs. Anything you can think of. But there's other things that they sell on ghost markets as well, such as exploit kits, cyber zero day attacks, credit cards, a lot of credit cards, account numbers. Account passwords for anything you can think of. Like Netflix, or HBO, or anything that's out there. And on top of that, there's a lot of forums that hackers participate in. You know, sometimes a hacker may say, "Hey, I'm just interested in learning how to create ransomware, how do I create ransomware?" And someone will say, "Well, this is how you do it. This is a ransomware kit. Oh, by the way, I can create ransomware for you, and charge you some money." And other times, hackers are very specific. 
They're like, "I really don't like company ABC dot com, I want to attack them, can anyone help me?" And you will find intelligence based on that. You know, we monitor companies all the time. And we know sometimes before they're going to get attacked, because there's a lot of chatter on the dark net about that. >> So, we have this dark net in which individuals could be anonymous. And that anonymity buys them the opportunity to do some, again, bad things. But you mentioned something interesting, this notion of a ghost market. All markets feature some sort of mechanism for actually handling transactions, for remunerating exchanges. Money. But money is not anonymous, at least not with credit cards. How are some of the cryptocurrencies playing a role here in mediating these exchanges in the dark net? Let's start there, and then we'll get into some other factors associated with cryptocurrencies, and how they are important to enterprises. Let's start with that one. >> Yeah, so first, you're right, you know, everyone wants to buy and sell something off the dark net. And at first, when this was first coming into play, these ghost markets, back in the day people used to use things like gift cards, and reloaded cards, and web money. And, you know, those things really didn't last. And really what exploded on the dark net, what became the de facto currency on the dark net, was Bitcoins, and that's how people started transacting, with Bitcoins, and in my opinion, my personal opinion, I think that's one of the reasons why Bitcoins really took off. Now Bitcoins, unlike popular belief, are not really anonymous. There is a public ledger that keeps track of all the transactions taking place. So, there are other cryptocurrencies that are coming into play that are more anonymous. Monero, for example, is not a new cryptocurrency. But it's a popular cryptocurrency that's coming into play in the dark market. 
In fact, one of the largest dark markets, ghost markets, today, called the Dream Market on the dark net, announced that they're going to start accepting Monero. So, because of that, I personally believe Monero's going to start like gaining more and more popularity. Because now the bad guys, now the criminals are actually using it, it's worth value to them, and they're going to start exchanging information. And of course, with these cryptocurrencies, you can always take it to some sort of exchange, and you can also launder these currencies, and maybe even trade it in for real cash. >> So, many people talk about the need to expect the best, but plan for the worst. And a lot of enterprises today need to start being more planful about what to do in the event that they encounter a problem. So, for example, some of their data gets stolen, and they end up with some ransomware. That leads to the question, should firms actually start thinking about creating reserves of some of these currencies, should they find themselves being attacked? >> You know, so, first of all, I do think it makes sense for firms to at least understand, you know, how cryptocurrency works. Now, I would never promote a, you know, suggest that firms pay a ransom in any type of manner. Because, obviously, it just encourages and drives the cyber criminal underground. And we've seen that. In fact, in these forums, in these dark net forums, there are attackers out there that say, "Hey, I've attacked this firm, or I've targeted this industry, and they're well known to pay, so let's go after them." The healthcare industry is a good example of that. Obviously, for various reasons the healthcare industry can take very little downtime. I mean, there's medical, you know, concerns, people's lives, and concerns. So, generally they've been known to pay for ransomware. And that's documented all over the dark web. So, people actually encourage attackers, encourage those attackers to go after their healthcare. 
Just getting back to your question. You know, one of the last things that you want to be in a situation is, you don't ever want to be in the situation where you have to come up and understand how cryptocurrencies work, and try and learn it on the fly, while your, you know, while your entire systems are down, while your networks are being held hostage. So, for that reason I would absolutely recommend, at least to my customers, hey, learn about cryptocurrency. How it works, what the upside, and what the bad side is. Obviously, in today's market, there's a lot of volatility in cryptocurrency because, you know, it's not being held, or created, like currencies, it's being held more like a resource, like gold. You know, people are investing into it. It's becoming, you know, something like this dark market of futures. And, but I think customers need to, and the general public probably needs to, learn about how exactly that works. Because there's a lot of misconceptions in cryptocurrency today. >> So, you mentioned that perhaps they shouldn't have a reserve of cryptocurrency, because we don't want to encourage anybody to pay for it. Once you pay, you've put a target on your back as someone who's willing to pay. But you also mentioned that firms have to learn something about cryptocurrencies, in advance of actually having a problem. What is a good high quality, world class stance for enterprise relative to cryptocurrency? What are, say, the two or three points that you would suggest a CEO, board of directors, worry about, and what do they need to really understand now as part of their cryptocurrency stance, what do you think? >> Well, for cryptocurrency specifically, I think, you know, businesses really need to understand the volatility of it. You know, it is a fiat, fiat currency. You know, what does that exactly mean? Who's backing that up? You know, how does it, how does it, you know, drive its value? I think those are very important questions. 
You know, I do have, you know, clients that actually do hold very large reserves of cryptocurrency for various reasons. Not only for cyber security reasons, but also, potentially, for investment reasons as well. And that's getting into a whole other world. But I think they need to understand what that really means. But being on those, you know, let's take it back to the cyber aspect of things. One of the things that attackers do concentrate on is attacking cryptocurrency wallets. If you can attack a wallet, and steal the actual cryptocurrency, that's obviously worth money to them. A lot of businesses that do invest in cryptocurrency, or, you know, have any type of cryptocurrency holdings, really don't understand how to secure their wallets. Sometimes they use the online methods, which are fine. I mean, you are relying on the online provider, or the Cloud provider, that's providing that wallet. Or other customers that do understand the details of cryptocurrency keep complete offline wallets. Remember, a cryptocurrency is basically a math algorithm, it's a hash, it's a set of numbers. It doesn't matter if it's really digital online, or if it's stored on a piece of paper in your drawer. As long as you have that number, you have that cryptocurrency. And so, it's a, I think when you're getting into the dynamics of money, and how it works, it's always a little interesting. But I want to stress to you, you know, it's very common for people not to understand how to store cryptocurrency and get those wallets stolen, or hijacked, and once that's done, it's gone. It's like cash, you're not going to get that back. >> So, we've talked a little bit about how we got to this point today with cyber security, and how it's becoming, while still very specialized and highly technical, more and more people have to be, at least, aware of it. So that they can act rapidly, and properly, when they encounter a problem. Look forward to the next few years, Aamir. 
And give us some visibility into where you think the cyber security world's going to be. How is this going to play out, if we think about 2020, 2021? >> Wow, that's a loaded question. You know, to keep in the context of this talk, you know, we spoke a little bit about the dark net. And, you know, it's an evolving marketplace, and maybe the dark net was responsible for a little bit of the ignition behind cryptocurrencies. And I think cryptocurrencies, a good thing that came out of it was the blockchain, this public ledger. On basically keeping transactions public, while keeping identities anonymous. I think the blockchain is very powerful even outside of cryptocurrencies. When you're talking about sharing medical information and research, and actually talking about verifying things, or making a smart contract. A smart contract is basically a contract that will automatically execute on the Internet after certain conditions are met. I think based on those technologies, you know, we're going to see some sort of an evolution of how, you know, how security, how cyber security and technology is really being integrated into our everyday lives. And I know people say, "Well, it's already integrated into our everyday lives." But I don't think you've seen anything yet. I mean, I think that cyber security is going to be part of the ecosystem. It's not going to be a bolt-on product. It's going to have to be built in from day one. From design, and everything that we do. Whether it's from heart monitors and heart pumps, to your smart TVs, to, of course, your computers and data centers. >> So, last question, Aamir. We had, or I introduced the segment by talking about how security used to be a feature of different products, and you mentioned this as well, and increasingly it's becoming an asset, a crucial asset of the business. Now, some companies are a little bit more orientated towards that perspective than others. 
Fortinet, for example, I would argue is very strong on the orientation towards the idea that you have to, that security should be an asset. You have to invest in that appropriately. But identify some things that CIOs, CSOs, CDOs can do to try to up-level the stance within the business of security as an asset. That combines both technology, but also practice, processes, and people. >> Right, no, that's a good point. You know, you cannot think of security just as a bolt-on technology. I think that's very important. You know, one of the things that we do at Fortinet, it's a practice that we preach, and I think a lot of professionals would agree with this, is that security has to be built all around your ecosystem. That all your devices just can't be specialized add-on products. All your devices have to be participating in security. You know, that's why at Fortinet we have what we call our security fabric. Where it's not only our products, but other products as well, are continuously sharing information about blocking attacks and blocking threats, as well as providing visibility into corporations. And I think corporations kind of miss that sometimes. They're like, "Hey, I bought a product, I should be good, right?" But they don't really understand what that product does. The effectiveness of that product. How well is it actually blocking the threats? And what is it not doing? What are the questions that you should be asking about the product, or about the environment, that you don't know about? And I think once you start building security as a fabric embedded into an ecosystem, embedded into your business practices, right from everything. From, you know, from your charter, from your board of directors understanding, you know, cyber security, all the way down to the secretary that's opening up email links. Understanding that, hey, I could be actually putting my company and my business at risk. I think once you've started instilling that mindset, you become more successful. 
>> Well, it's more than just-- >> You know-- >> It's more than just the technology. It's also you. How does, how do people like you, how does your insight, your expertise, your content get distributed and adopted as a consequence of relationships at Fortinet, and obviously others as well? >> Yeah, I mean, I'm really lucky. Our team of researchers, 200-plus researchers, looking for the most common threats, the most updated techniques that the hackers, that the bad guys, that cyber criminals are using. We're examining threats across the board. From everything that you hear on the news, we're on top of it. And the nice thing is, we digest all of that information, and we look at the inner workings of that information. And then we use advanced technologies, such as artificial intelligence, neural networks, or just good old grease work, on figuring out how to stop these attacks. And that brainpower, that trust that we have, gets actually digested into all the products. And that's very important. Now on top of just being smart guys that create good technology to stop that, we definitely believe that, you know, sharing is caring. And that's why we work with not only government agencies, not only with large businesses, but we also work with, I would say, even our competitors, and tell them right away, "Hey, you know, we..." When we see a problem, "You guys, look out for this problem. This could be a big deal. This could even affect your customers." And that's one of the reasons Fortinet was one of the founding members of the Cyber Threat Alliance, which is a lot of security vendors sharing information about threats, and letting the technology speak for itself. >> And a lot of very savvy large enterprises that have a major stake to play in the security world as well, again, successfully sharing their insight. Because security, as you said, it's a team sport. It takes a village to secure a business, I guess you could say. Aamir Lakhani, lead researcher, Dr. Chaos, thanks very much for joining us in this Cube conversation about cyber security, the dark net, cryptocurrencies, and some of the things that businesses have to worry about as they move forward and increase their activity, and their dependency on digital technologies. Once again, this is Peter Burris, Wikibon. I've been speaking with Aamir Lakhani at Fortinet. Hope you enjoyed this Cube conversation. >> Aamir: Thanks. (dramatic music)

Published Date: Jan 24 2018
