(Intense orchestral music) >> Hi, I'm Peter Burris and once again welcome to a CUBEComnversation from our beautiful studios here in Palo Alto, California. For the last few quarters I've been lucky enough to speak with Tony Giandomenico, who's the Senior Security Strategist and Researcher at Fortinet, specifically in the FortiGuard labs, about some of the recent trends that they've been encountering and some of the significant, groundbreaking, industry-wide research we do on security threats, and trends in vulnerabilities. And once again, Tony's here on theCUBE to talk about the second quarter report, Tony, welcome back to theCUBE. >> Hey, Peter, it's great to be here man, you know, sorry I actually couldn't be right there with you though, I'm actually in Las Vegas for the Black Hat DEF CON Conference this time so, I'm havin' a lot of fun here, but definitely missin' you back in the studio. >> Well, we'll getcha next time, but, it's good to have you down there because, (chuckles) we need your help. So, Tony, let's start with the obvious, second quarter report, this is the Fortinet threat landscape report. What were some of the key findings? >> Yeah, so there's a lot of them, but I think some of the key ones were, one, you know, cryptojacking is actually moving into the IOT and media device space. Also, we did an interesting report, that we'll talk about a little bit later within the actual threat report itself, was really around the amount of vulnerabilities that are actually actively being exploited over that actual Q2 period. And then lastly, we did start to see the bad guys using agile development methodologies to quickly get updates into their malware code. >> So let's take each of those in tern, because they're all three crucially important topics, starting with crypto, starting with cryptojacking, and the relationship between IOT. The world is awash in IOT, it's an especially important domain, it's going to have an enormous number of opportunities for businesses, and it's going to have an enormous impact in people's lives. So as these devices roll out, they get more connected through TCP/IP and related types of protocols, they become a threat, what's happening? >> Yeah, what we're seeing now is, I think the bad guys continue to experiment with this whole cryptojacking thing, and if you're not really, for the audience who may not be familiar with cryptojacking, it's really the ability, it's malware, that helps the bad guys mine for cryptocurrencies, and we're seeing that cryptojacking malware move into those IOT devices now, as well as those media devices, and, you know, you might be saying well, are you really getting a lot of resources out of those IOT devices? Well, not necessarily, but, like you mentioned Peter, there's a lot of them out there, right, so the strength is in the number, so I think if they can get a lot of IOTs compromised into an actual botnet, really the strength's in the numbers, and I think you can start to see a lot more of those CPU resources being leverages across an entire botnet. Now adding onto that, we did see some cryptojacking affecting some of those media devices as well, we have a lot of honeypots out there. Examples would be say, different types of smart TVs, a lot of these software frameworks they have kind of plugins that you can download, and at the end of the day these media devices are basically browsers. And what some folks will do is they'll kind of jailbreak the stuff, and they'll go out there and maybe, for example, they want to be able to download the latest movie, they want to be able to stream that live, it may be a bootleg movie; however, when they go out there an download that stuff, often malware actually comes along for the ride, and we're seeing cryptojacking being downloaded onto those media devices as well. >> So, the act of trying to skirt some of the limits that are placed on some of these devices, gives often one of the bad guys an opportunity to piggyback on top of that file that's coming down, so, don't break the law, period, and copyright does have a law, because when you do, you're likely going to be encountering other people who are going to break the law, and that could be a problem. >> Absolutely, absolutely. And then I think also, for folks who are actually starting to do that, it really starts to-- we talk a lot about how segmentation, segmenting your network and your corporate environment, things in that nature but, those same methodologies now have to apply at your home, right? Because at your home office, your home network, you're actually starting to build a fairly significant network, so, kind of separating lot of that stuff from your work environment, because everybody these days seems to be working remotely from time to time, so, the last thing you want is to create a conduit for you to actually get malware on your machine, that maybe you go and use for work resources, you don't want that malware then to end up in your environment. >> So, cryptojacking, exploiting IOT devices to dramatically expand the amount of processing power that could be applied to doing bad things. That leads to the second question: there's this kind of notion, it's true about data, but I presume it's also true about bad guys and the things that they're doing, that there's these millions and billions of files out there, that are all bad, but your research has discovered that yeah, there are a lot, but there are a few that are especially responsible for the bad things that are being done, what did you find out about the actual scope of vulnerabilities from a lot of these different options? >> Yeah, so what's interesting is, I mean we always play this, and I think all the vendors talk about this cyber hygiene, you got to patch, got to patch, got to patch, well that's easier said than done, and what organizations end up doing is actually trying to prioritize what vulnerabilities they really should be patching first, 'cause they can't patch everything. So we did some natural research where we took about 108 thousand plus vulnerabilities that are actually publicly known, and we wanted to see which ones are actually actively being exploited over an actual quarter, in this case it was Q2 of this year, and we found out, only 5.7% of those vulnerabilities were actively being exploited, so this is great information, I think for the IT security professional, leverage these types of reports to see which particular vulnerabilities are actively being exploited. Because the bad guys are going to look at the ones that are most effective, and they're going to continue to use those, so, prioritize your patching really based on these types of reports. >> Yeah, but let's be clear about this Tony, right, that 108 thousand, looking at 108 thousand potential vulnerabilities, 5.7% is still six thousand possible sources of vulnerability. (Tony laughs) >> So, prioritize those, but that's not something that people are going to do in a manual way, on their own, is it? >> No, no, no, not at all, so there's a lot of, I mean there's a lot of stuff that goes into the automation of those vulnerabilities and things of that nature, and there's different types of methodologies that they can use, but at the end of the day, if you look at these type of reports, and you can read some of the top 10 or top 20 exploits out there, you can determine, hey, I should probably start patching those first, and even, what we see, we see also this trend now of once the malware's in there, it starts to spread laterally, often times in worm like spreading capabilities, will look for other vulnerabilities to exploit, and move their malware into those systems laterally in the environment, so, just even taking that information and saying oh, okay so once the malware's in there it's going to start leveraging X, Y, Z, vulnerability, let me make sure that those are actually patched first. >> You know Tony the idea of cryptojacking IOT devices and utilizing some new approaches, new methods, new processes to take advantage of that capacity, the idea of a lateral movement of 5.7% of the potential vulnerabilities suggests that even the bag guys are starting to accrete a lot of new experience, new devices, new ways of doing things, finding what they've already learned about some of these vulnerabilities and extending them to different domains. Sounds like the bad guys themselves are starting to develop a fairly high degree of sophistication in the use of advanced application development methodologies, 'cause at the end of the day, they're building apps too aren't they? >> Yeah, absolutely, it's funny, I always use this analogy of from a good guy side, for us to have a good strong security program, of course we need technology controls, but we need the expertise, right, so we need the people, and we also need the processes, right, so very good, streamline sort of processes. Same thing on the bad guy side, and this is what we're starting to see is a lot more agile development methodologies that the bad guys--(clears throat) are actually using. Prior to, well I think it still happens, but, earlier on, for the bad guys to be able to circumvent a lot of these security defenses, they were leveraging polymorphous, modifying those kind of malwares fairly quickly to evade our defenses. Now, that still happens, and it's very effective still, but I think the industry as a whole is getting better. So the bad guys, I think are starting to use better, more streamlined processes to update their malicious software, their malicious code, to then, always try to stay one step ahead of the actual good guys. >> You know it's interesting, we did a, what we call a crowd chat yesterday, which is an opportunity to bring our communities together and have a conversation about a crucial issue, and this particular one was about AI and the adoption of AI, and we asked the community: What domains are likely to see significant investment and attention? And a domain that was identified as number one was crypto, and a lot of us kind of stepped back and said well why is that and we kind of concluded that one of the primary reasons is is that the bad guys are as advanced, and have an economic incentive to continue to drive the state of the art in bad application development, and that includes the use of AI, and other types of technologies. So, as you think about prices for getting access to these highly powerful systems, including cryptojacking going down, the availability of services that allow us to exploit these technologies, the expansive use of data, the availability of data everywhere, suggests that we're in a pretty significant arms race, for how we utilize these new technologies. What's on the horizon, do you think, over the course of the next few quarters? And what kinds of things do you anticipate that we're going to be talking about, what headlines will we be reading about over the course of the next few quarters as this war game continues? >> Well I think a lot of it is, and I think you touched upon it, AI, right, so using machine learning in the industry, in cyber we are really excited about this type of technology it's still immature, we still have a long way to go, but it's definitely helping at being able to quickly identify these types of malicious threats. But, on the flip side, the bad guys are doing the same thing, they're leveraging that same artificial intelligence, the machine learning, to be able to modify their malware. So I think we'll continue to see more and more malware that might be AI sort of focused, or AI sort of driven. But at the same time, we've been taking about this a little bit, this swarm type of technology where you have these larger, botnet infrastructures, and instead of the actual mission of a malware being very binary, and if it's in the system, it's either yes or no, it does or it doesn't, and that's it. But I think we'll start to see a little bit more on what's the mission? And whatever that mission is, using artificial intelligence then to be able to determine, well what do I need to do to be able to complete that place, or complete that mission, I think we'll see more of that type of stuff. So with that though, on the good guy side, for the defenses, we need to continue to make sure that our technology controls are talking with each other, and that they're making some automated decisions for us. 'Cause I'd rather get a security professional working in a saw, I want an alert saying: hey, we've detected a breach, and I've actually quarantined this particular threat at these particular endpoints, or we've contained it in this area. Rather than: hey, you got an alert, you got to figure out what to do. Minimize the actual impact of the breach, let me fight the attack a little longer, give me some more time. >> False positives are not necessarily a bad thing when the risk is very high. Alright-- >> Yeah, absolutely. >> Tony Giandomenico, Senior Security Strategist and Researcher at Fortinet, the FortiGuard labs, enjoy Black Hat, talk to you again. >> Thanks Peter, it's always good seein' ya! >> And once again this is Peter Burris, CUBEConversation from our Palo Alto studios, 'til next time. (intense orchestral music)

(vibrant music) >> Hi, I'm Peter Burris, welcome once again to another CUBE Conversation from our Palo Alto studios. Recently, we had FortiGaurd Labs here on theCUBE talking about a regular report that they do on the state of the security industry. And once again, we've got Anthony Giandomenico. >> Yeah, good. >> Here to talk about the most recent, the Q1 update. First of all, tell us a little bit about FortiGaurd labs, where's this come from? >> So FortiGaurd Labs actually is the threat intelligence organization of Fortinet, so what we do, is we keep track of the tactics, techniques, and procedures of the adversary. And make sure that we have detection methodologies to be able to stop all those tactics, techniques, and procedures. >> Peter: So you're the ones that are collecting the data that's right from the ground to help everybody keep up to date on where the threat's are likely to be, set priorities. So that's what this report does, right? >> Absolutely, it's something we do on a quarterly basis, and it's really, you know, we're looking at billions of events that we're observing in real time, you know, production environments, and what we're trying to do is identify the top application exploits, malware, and botnets, and what we want to be able to do is find different types of trends that then can be able to translate into helping organizations fortify their environments. >> Peter: Alright, so here, this is the Q1, 2018, people can get access to it. >> Anthony: Yeah. >> What's the top line change? >> Anthony: Yeah, well at a high level, I think, you know, one the actual cyber criminals, they're evolving, their attack methodologies to be able to increase their, you know, success rate as well as being able to increase their infection rate. So that's one thing, you know, the other thing, obviously we always have to talk about ransomware. That, you know, seems to be a very hot threat these days for cyber criminals to make money. Now, that threat isn't going away. We did see a slight decrease though, where the adversaries were more interested in hijacking, you know, systems to be able to mine for crypto currencies as opposed to taking that machine hostage and demanding a ransome. >> Peter: Really? >> Anthony: Yeah, believe it or not. >> I'm a little bit, I mean ransomware just seems like it would have so much potential, and crypto currencies are, well they're interesting. Tell us a little bit about why that's happening. >> What seems to be the indicators? >> Yeah, well, you know, like I said, ransomware isn't going away, I think they're going to continue to use that to make money. But from a crypto jacking, you know, perspective, we did see the uptake last year in our Q4 report. It was about 13 percent of the organizations actually reported some type of crypto jacking attack. Fast forward to this report, and it nearly doubled. Actually, over doubled to, you know 28 percent, so that's about one in four organizations that are actually impacted with this particular threat. Now, what I think is interesting about this particular threat, is the way it evolves, right. 'Cause it's so new, it's always looking back at, its other successful, you know, predecessors to be able to determine how can I be more stealthy, and how can I get my, you know, malware, or my, you know, payload out to all the different sort of systems. So, you know, an example of that is phallus malware. Phallus malware is very stealthy. It's starting to use phallus malware techniques, it'll use scripts to inject their actual payload into memory, nothing on disc, so it makes it a lot more difficult to be able to detect. Now, how do I get my payload out to all the other, you know, workstations? Well, it takes a one two punch combination that, you know, Petya used last year. It's leveraging, um, there's this open source technology called, you know, minicats, steals different types of credentials and does something called pass the hash. Passes the hash credential out to those other systems, and then it gains access. That way it can actually pass the actual malware from system to system. If that fails, and then goes back to identifying different vulnerabilities that it could then exploit. One vulnerability it does looks for is eternal blue, which was a vulnerability that was so graciously given to us from shadow brokers. So those are the ways they're starting to be more effective and be more stealthy, and also being able to propagate a lot faster. >> Peter: And crypto currency obviously is one of the more extreme things because you take over the computer resources without necessarily stealing any data. You're just grabbing computer resources. >> Anthony: Yeah, what's interesting, I don't want to actually kind of go off topic here, but that' another conversation. Is crypto jacking actually a threat or not? Right, 'cause all it's really doing is stealing, you know, CPU resources, so, you know, so people say. So that's a whole 'nother discussion to actually get into is, is it actually really a threat or not? >> Well, you're able to get access to a computer, presumably you're able to get access not just for that purpose, but many others. >> Exactly. >> So that's probably an indication, you may have a problem. >> Yes, yes. >> Let's talk about ransomware. You said ransomware's not going away. Ransomware, most folks are familiar with it. What is it, what's the report suggest? >> You know Peter, did you realize that this month is the one year anniversary of WannaCry? Don't know if you remember that or not, but, you know, WannaCry was very infamous for, not necessarily the payload, but by the way that it actually was able to spread so fast and affect so many different machines. Now, that spreading, that worm-like spreading, kind of capability still exists here, you know. Today, you see a lot of different sort of threats using that, but what seems to be a bit different now is the combination of that ransomware payload along with more targeted attacks. >> Mm-hmm >> So, usually in a ransomware type of attack, you do some type of spammy campaign. You spam out that email, you know, and see what sticks. Well, these are more, a lot more targeted, so they're going to spend a lot more time doing, you know, reconnaissance on an organization and being able to find different vulnerabilities on the outside of the network. Once they actually come in, very methodical at how they're able to laterally move and put their actual malware on systems that they actually think, you know, well you know, however many systems they think they should actually have that particular malware on. Now, at this point, they hadn't actually executed you know, the actual payloads. So they have it on as many systems as possible, and once their ready (fingers snap). They flip the switch, and all those systems now are held hostage. That impact is much greater to the business. >> Peter: Now, when we think about the attacks, we think in terms of computing devices, whether it's a mobile device or PC device, or servers or what not, but are we seeing any changes in how people are attacking other computing resources within a network, hitting routers and other to try to drive more control over somebody's network resources? >> Well, I mean, we definitely see exploits that are actually hitting, you know, mobile devices, their hitting routers, um, a lot of IOT as well, but also web technology because, you know, web technology, there's so much external facing websites these days, you know, they're much easier targets. So we are seeing that. I would mention also that, it's up seven percent to 21 percent of organizations have actually reported mobile malware as well. >> And that is a especially difficult thing because your mobile applications are not just associated with a particular business, but other businesses as well. So you are both an employee and a consumer, and if your mobile applications get hit, that can have enormous ramifications on a number of different levels. >> Anthony: Yeah, absolutely, and I think sometimes, you know, in an organization where an actual consumer will have a phone, and they won't necessarily think it's the same as their workstation. So, it's like, oh, well not that much can happen on my mobile phone, right, not the same as on my workstation, but actually, it could be even worse. >> Peter: Yes, so if you think about some of the things that are on the horizon, you mention that we're seeing a greater utilization of different techniques to make money in some of the new domains, like jacking, uh, crypto jacking. >> Mm-hmm. >> Uh, there's still ransomware, still an issue, as folks go back and identify these different malware, these different security breaches, what are they doing to actually clean things up? Are we seeing folks actually cleaning up, or is there still just like, whack-a-mole, whacking things out, andt worrying about whether they go back and clean things up later? >> Anthony: Well, to basically answer your question, they are starting to actually kind of clean up, but, you know wait 'til you hear this, so what we try to do here, in this quarterly report, is we wanted to measure how quickly they were able to clean up that, you know, that particular threat. And what we found out, you know, we used botnet alerts. And we wanted to see how fast those botnet alerts actually got cleaned up. So what we were able to determine is 58 percent of all organizations, within 24 hours, were able to clean up that particular botnet infection. Which is actually pretty good. But, that 42 percent, it took them either two days or longer, you know, to be able to get that actual threat out. Actually, sometimes the threat really never even, you know, actually went away. Great example of that, is actually the Andromeda botnet. It's a threat that was brought down last year, but even though it's not there anymore, the infections on the workstations are still there, so we're still kind of getting those actual hits on that Andromeda botnet, and that actual threat >> for Q1, was one of the highest in prevalence and volume. >> Even if it wasn't necessarily doing damage, because we'd figured out how to deal with it, >> Right. >> but if it's there, somebody might find a way to use it again in the future. >> Absolutely, absolutely. >> So as we think about the next quarter, you doing this on every quarter, are there any particular areas that you think folks have to, they need to anticipate some of these changes, more of the same, different trends, or what about OT for example, as operational technology becomes increasingly part of that common technology fabric, how is that likely to be affected by some of these different attach types? >> In answer of your first question, I think we'll probably see a lot more of the same. And I think what we'll continue to see, you know there's this whole zero day market, I think it's getting more and more mature, meaning that we're going to see more and more vulnerabilities that are actually kind of zero day that have just been discovered or just been announced, and I think we're going to continue to see the adversaries take advantage of those newly discovered zero day vulnerabilities. You know, they'll take those actual, those exploits, you know, put 'em into their attack methodologies, to propagate faster and faster, so I think, organizations are going to have to make sure they can address some of those newly discovered vulnerabilities fairly quickly. Now, as we switch the, you know, the OT side, you know, we didn't see a lot of attacks if you look at the percentage of the overall attacks, however, you know, OT, if there is an actual successful attack, I think it's, you know, worth saying that it's >> a much larger impact, right. >> You have a major problem. >> You know, my concern is, these different types of trends that are coming together. One, OT is starting to connect to other networks, which means they're going to eventually be accessible from the internet, which makes it a lot more difficult to be able to protect. At the same time, we're seeing nation states continue to focus on compromising OT systems as well. So, I don't know what's going to happen in the coming months and years, but the trends aren't actually looking so good right now. >> So if you were to, if we had a CIO sitting here right now, and you were talking about this report, what are the, first off, how should they regard the information, what should they be doing differently as a result of the information that the reports are viewing? >> Yeah, I mean, I would say, one, we always talk about this, it's easier said than done, but you know, going back to the basics, and making sure that you have good cyber hygiene and being able to identify vulnerabilities that exist in your environment, and that, you know, me just saying that sounds kind of simple, but that really means identifying all the assets that you have in your environment that you're responsible for protecting, number one, and then being able to, you know, identify the vulnerabilities that may exist on those things. That's uh, it's not the easiest thing to do, but I think it's something that really should be focused on. At the same time though, threats are going to get into your network. That's just a, you know, that's a given. So being able to make sure that you can identify, you know, threats within your environment is extremely important, and then, once you identify them, what's the processes for you to go ahead and actually respond and clean up those particular threats? That really is going to be the key. I know it's at a high level, it's much deeper than that. But that's where you start. >> Alright, Anthony Giandomenico, Tony G, >> Tony G. >> thanks very much once again for being on theCUBE and talking to us about FortiGuard's Q1, 2018 report from Fortinet. >> Awesome, well thanks for having me. >> You betcha, so, Anthony Giandomenico (laughs) a senior strategist researcher at FortiGuard labs, Fortinet, talking to us about the 1Q 2018 report. Once again, this has been a CUBE Conversation thanks for listening. (vibrant music)

(uplifting music) >> Hi I'm Peter Burris, and welcome to another great CUBE conversation. We're here in our Palo Alto studios with Fortinet's Anthony Giandomenico, Anthony welcome. >> Welcome, it's great to be here. >> So or otherwise known as Tony G. So in theCUBE conversations Tony, we want to talk about interesting and relevant things. Well here's an interesting and relevant thing that just happened: Fortinet has put forward their quarterly Threats report. What is it? What's in it? >> Really, it's something we do on a quarterly basis, and it's really geared towards the IP security profession, so we go to from the CSO all the way down to the security operator. And what we're looking at is billions of events that are being observed in real time, you know production environments around the world and what we're hoping to do is look at different types of trends that are specific to application exploits, malware, and botnets and hopefully then provide some recommendations back to those IP security professionals. >> Now Tony, malware's been around for a while, some of the bots are a little bit new, but certainly there's some real new things that are on the horizon like IoT and we've heard recently that there's been some challenge with some of these IoT devices. Is it the threat getting more or less intense according to the report? >> Yeah, definitely it's getting more sophisticated, specifically with these IoT devices. What we're seeing as an example with the Reaper and Hajime, always had a hard time actually pronouncing that so I think it's "Hajime". They're actually starting to attack multiple vulnerabilities so instead of just going after one vulnerability, they have multiple vulnerabilities that is inside their malicious code, and then they have the ability to automate the exploitation of those vulnerabilities depending on what the IoT devices are. Now, they're also becoming a lot more resilient. And what I mean by that is some of the actual botnets like Hajime is able to communicate via P2P to each other. What they kind of creates is a decentralized command and control infrastructure. And then lastly, they're becoming much more agile as well, they have this Lua engine, which enables them to quickly update their code so, giving an example, let's say there's a new vulnerability out there. They can quickly swap out or add the additional exploit before that vulnerability, propagate that out to all of the IoT devices that are part of the botnet, and then they can swarm in on that new vulnerability. >> So Fortinet's Fortiguard Labs is one of the leading researchers in this area, especially internet, enterprise security. What is your recommendations that people do about the increasing intensity of the IoT threats? >> But I think we need to start, at least thinking about fighting these automation attacks or worm attacks with our own swarm-like defenses. And what I mean by that is having a seamless integration and automation across your entire security fabric. Now, there's a lot that actually kind of goes into that, but your technology controls need to start talking to each other, and then you can start automating and taking some action really based on whatever threat happens to be in your environment. Now, it's easier said than done, but if you can do that, you can start automating the continual resistance or resiliency of you being able to actually defend against those automated attack. >> So let's change gears a little bit. Willie Sutton, I think it was Willie Sutton, the famous bank robber was famous for saying, when someone asked him "Why do you rob banks?" he said "That's where the money is." >> All of the money (laughing) >> Crypto-jacking. What's going on with as BitCoin becomes a bigger feature of the whole landscape, what's happening with crypto-jackers, what is it, how does it work, why should we be concerned about it? >> Well definitely cryptocurrency is becoming more and more popular these days and the bad guys are definitely taking advantage of that. So when we talk about what is crypto-jacking, so it's really it's sharing, or secretly using, the CPU resources to be able to mine for cryptocurrencies. Now, traditionally you used to have to put some type of application on your machine to be able to mine for cryptocurrencies. Nowadays, all the bad guys really have to do is install a little java script in your browser and away they go. And the only way that you're going to know that your machine may be part of this mining, is it may become super slow and you may be savvy enough to say "Well, maybe look at the CPU." And you look at it and it's pegged at 100%. So that's one of the ways that you can determine that your computer is part of crypto mining. Now in the Q4 report what we've seen is a huge update in crypto mining malware, and it's interesting because it's very intertwined with the rise and fall of the BitCoin price. So as we saw the BitCoin price go up, the crypto mining malware went up, and as it actually dropped off so did the activity. The other thing that we actually ended up seeing is actually in the Darknet. There's a bit of a shift where the bad guys used to only accept payment in BitCoin. Now they're looking at accepting other forms of actual cryptocurrency and that also holds true for ransomware. So if you have an infected with ransomware, it's quite possible that they're going to demand that ransom in something other than BitCoin. >> Interesting, so, in fact we had a great previous group conversation with another really esteemed Fortinet guest, and we talked a little bit about this. So one of the prescriptions is businesses have to be careful about the degree to which they think about doing a lot of transactions in cryptocurrencies. But they probably want to have a little bit of reserves just in case. But what should a business do? What should someone do to mediate some of the challenges associated with crypto-jacking? >> Yeah, I think one of the first things, it's probably self-explanatory to most us that are actually in the cyber field, but having good user awareness training program that actually includes keeping up with the latest and greatest tactics, techniques, and the actual threats that the bad guys are doing out there. Now the other obvious thing would probably be just make sure that your security solutions are able to detect the crypto mining URLs and malware. And I would also say>> now I'm not condoning that you actually pay the ransom>> however, it's happened many times where they've paid, I think there were some companies that actually paid over a million dollars in BitCoin, it may actually be an option and if you have that in your incident response plan, and what you want to do sometimes>> and we've seen organizations actively go ahead and do this>> is they'll buy some BitCoin, kind of keep it on hand so if they do have to pay, it streamlines an entire process. Because ransomware, the actual ransom now, you may not be able to pay in BitCoin. You probably have to keep abreast of what are the actually trends in paying up for your ransom because you may have to have other cryptocurrencies on hand as well. >> So, make sure your security's up to date, then you can track these particular and specific resources that tend to do this, have a little bit on reserve, but make sure that you are also tracking which of the currencies are most being used. So, there are other exploits, as you said earlier. Now we see people when someone's not working by doing peer to peer type stuff. The bad guys are constantly innovative, some would argue that they're more inventive than the good guys because they got less risk to worry about. What other threats is the report starting to highlight, that people need to start thinking about? >> So in this Q4 report what we did is we added in the top exploit kit. And I think we'll probably continue to do that over the-- >> What's an exploit kit? >> Exploit kit is something, it's a very nice little kind of GUI that allows you to really just kind of point and click, has multiple exploits in there, and it's usually browser based so it's going to be able to compromise usually a vulnerability within the browser, or some of the actual browser plugins, things of that nature, and the one that we had in the Q4 report was the Sundown exploit kit. Now, it was interesting because we didn't necessarily see that one on the top, it might've been top of its game maybe 2014, 2015, but it actually rose in early December to actually kind of be number one for Q4. And it's unique because it does leverage steganography, meaning it's able to hide its malicious code or its harvested information inside image files. So we'll continue to track that, we don't know sure why it actually kind of rose up in the beginning of December but we'll just actually continue to track it on time. >> So you've already mentioned ransomware but let's return to it because that's at the top of people's minds, we pay lawyers when they come after us with sometimes what looks like ransom. But what is happening, what's the point in ransomware, what's the report on they like? >> Well, what you see is the actual growth and volume and sophistication has really been common amongst all the reports that we have actually put out to date, but not a lot has really changed. In Q4, what we did have Locky was the number one malware, or ransomware variant along with Global Imposter. Now, it's still the same delivery mechanisms, so you still got the social engineering, it's being delivered through fishing email, but then it's expanding out to let's say compromised websites, malvertising, as well as earlier on last year, we saw where it was being able to propagate from vulnerability to vulnerability so it had this worm-like spreading capability. That's all really been the same and not a lot has really sort of changed. The thing that has changed actually is the fact that they're up in the ante a little bit to be able to hopefully increase their chances of you actually falling for that actual scam, is they're making the subject of that scam a little bit more top-of-mind. As an example, the subject may be cryptocurrency because you're more likely to figure out what's going on there, you'll be more likely to download that file or click that link if the subject is something around cryptocurrency because it is top-of-mind today. >> Interestingly enough, I, this morning received an email saying, "You could win some free cryptocurrency." And I said "And you can go into the trash can." (Tony laughing) So what should people do about it? I just threw something away, but what should people generally do to protect their organization from things like ransomware? >> I do get that a lot, I get that question a lot. The first thing I say, if you're trying to protect against ransomware, you follow the same things that you were doing with some of the other threats because I don't think ransomware is that unique when it comes to the protection. The uniqueness is really an impact, because certain threats they'll actually go and steal data and whatnot but when's the last time you heard of a business going out of business or losing money because some data was stolen? Not very often, it seems to be continued as business as usual, but ransomware, locking your files, it could actually bring the business down. So what you want to do is be able to minimize the impact of that actual ransomware so having a good offline backup strategy, so good backup and recovery strategy, making sure you go through those table top exercises really to make sure that when you do have to recover, you know exactly how long it's going to take and it's very efficient and very streamlined. >> Practice, practice, practice. >> Yup, and don't rely on online backups, shadow copy backups because those things are probably going to be encrypted as well. >> Yup, alright so that's all we have time for today Tony. So, Anthony Giandomenico from-- >> Tony G! (laughing) >> Tony G, who's a senior security strategist researcher at the Fortinet Fortiguard Labs. Thanks very much for this CUBE conversation. >> It was great to be here. >> Peter Burris, once again, we'll see you at the next CUBE Conversation. (uplifting music)

(Upbeat orchestra music) >> Hi, it's Peter Burris with Cube Conversation. We're here with Anthony Giandomenico who's a senior security strategist and researcher at FortiGuard Labs. Tony G! >> Thanks for having me today, Peter! >> Good to see you again! So, Tony G, you spend a lot of time talking to a lot of users, a lot of other professionals, you're doing a lot of research on issues. Give us a quick snapshot. What's the state of security today? >> Well I think there's a lot of things happening right now, I think in the cyberworld. One, a lot of us already know is we have a huge skill shortage. We just don't have enough folks to be able to defend our cyber assets. And, I think the other thing is, you look at some of the mid-tier organizations, maybe a thousand users or so, they don't have those skilled resources, and what happens is they end up relying on different types of technology to help fill that skills gap, and that's good, but what they need to also make sure is that they have an over-arching good solid security program that takes into consideration, technology controls, so you're buying these specific products, but also, what are the processes and what are the actual kind of people that are involved. And are you actually combining all of those to encompass a solid, good, cyber security program? >> Yeah, a bad guy who watches a ransomware attack on a mid-size company, may be a little disappointed that they are not able to get 10 million dollars, but they'll be pretty happy with a million or 500 thousand dollars. That's a good day's work for these guys. >> It's low-hanging fruit, Peter, right? It's much easier, and I think that's the sweet spot for the bad guys, right, because if you go too high, sometimes it's too much effort. You go too low, you're not really getting much. But in the middle, you're getting a decent amount, and a lot of times, they don't have that strong, cyber security program. Now, I always tell a lot of my customers in that sweet spot, forget about protecting and monitoring everything. It's not going to happen. You will fail 100% of the time. However, if you focus on what are the key assets, what are those five, six business critical processes, understand the assets that those processes ride over, focus on protecting those. Everything else is ancillary because this is all that really matters to the business. The other thing I would say, Peter, and I think that this is a mindset change. If I'm a security professional and I'm responsible for protecting my cyber assets, and if I'm being measured on whether there's a breech in my network or not, so if there is a breech I fail, that has to go away. Because you will fail every single time. That's not the way you should be measured. You should be measured on, hey, we quickly identified, something in the network, isolated it, we mitigated it, we got everything back up and running, and we're back up and running as normal, minimized the actual damage. That's how I should be graded on. >> So, it's an important point, Tony G, so what we're saying is, that the real metrics associated with this should be the degree to which you can mitigate problems, not whether or not you're 100% clear of everything, because the bad guys are going to find their way at some point in time. >> They got enough time to do it and you don't. So, like if you can quickly identify when they are in the network, isolate it, minimize the damage, and get your business processes back up and running, that's a win! >> One of the things you mentioned, you mentioned for your cyber security, or your cyber assets, which by itself is not an easy thing necessarily to measure. It's hard to say that this cyber asset's worth that, and that cyber asset's worth that, but we do have to make some effort to understand the risks associated with cyber where it's an opportunity cost or whether it's replacement cost or whatever else it might be. But it also suggests historically we invest in assets we appreciate the value of those assets. Should security be regarded as an asset, should cyber security be regarded as part of the asset base of the business? What do you think? >> Absolutely, you definitely as a consumer or as someone who is interested in looking at an actual business, I think that's a key asset to make sure that your information is being protected. And, honestly, I don't think it always is. We have these regulations that are tied to making sure for example, if you're storing customer credit cards, there's PCI, and there's all these other now HIPPA regulations, and all that type of stuff, but those regulations still don't seem to be enough, and I think the minute you can turn >> You mean it's not enough and it appears that enterprise has generally continued to under invest in their cyber security assets. Is that kind of what you mean? >> Yeah, I still think it's a check-box. >> Okay, I am compliant, okay, that's enough. I betcha, there are companies out there, they'll put a certain money aside knowing that they're going to get breached, and use that money to be able to pay for their breach or whatever else they have to do to meet those regulations, instead of investing into the actual technology to fortify their environment a lot better. >> Well, at wikibon->> we are doing research on related type things all the time, we're just fascinated by the idea that if a business is going after greater flexibility and agility, a crucial element of that has to be, do you have a cyber security profile that allows you to take advantage of those opportunities, that allows you to connect with those partners, that allows you to set up more intimated relations with a big customer. And it just seems as though that something has to become an explicit feature of the conversation about what are strategic assets. >> Yeah, I totally agree. That kind of stirs up something in my head about cyber insurance. I think a lot of companies are also moving towards, well, let me just buy some kind of cyber insurance. And, in the beginning they would go ahead and buy those things, but what they would quickly find out, is that they wouldn't be able to reap the money on an actual breach, because they were out of compliance because they didn't have the good cyber security program they were supposed to have. >> Yeah, the insurance company always finds a way to not pay. Let's talk now about this notion of great agility. We talked about the role that cyber security could play in businesses as they transform the digital world. We've seen a lot of developers starting to enter into cloud-native, cloud-development, new ways of integrating, that requires a mindset shift in the development world about what constitutes security. Now everybody knows, we're not just talking about perimeter, we're talking about something different. What is it that we are talking about? Are we talking about how security is going to move with the data? Are the securities going to be embedded in the API? What do developers have to do differently or how do they have to think differently to make sure that they are building stuff that makes the business more secure? >> Well, before you even start talking about the cloud, or anything else, we still have an issue when we're building our applications, developers still, I don't think are up to speed enough on tracking good, secure coding. I think we're still playing catch-up to that. Now, what you just said, think about where we're at now, we're not even sort of there, now you're going to expand that out into the cloud, it's only going to amplify the actual problem, so there's going to be a lot of challenges that we're going to have to face. We talked about this off-line before, is where's your data going to be? It's going to be everywhere. How are you going to be able to secure that particular data? I think that's going to be a lot of challenges that face ahead of us. We have to figure out how to deal with it. >> The last thing I want to talk about, Tony G, is a lot of the applications that folks are going to be building, a lot of things the developers are going to be building, are things that increasingly provide or bring a degree 6of automation to bear. hink about it, if you've got bad cyber security, you may not know when you've been breached or when you've been hacked or when you've been compromised. You definitely don't want to find out because you've got some automation thing going on that's spinning out of control and doing everything wrong because of a security breach. What's the relationship between increasing automation and the need for more focus and attention on cyber security? >> Usually when I talk about automation, I'm talking about how the bad guys are leveraging automation. Now, I'll give you a little bit of an example here, in our FortiGuard Labs, I think last quarter, I think it was over a million exploits or at least exploit attempts that we were thwarting in one minute. The volume of the attacks are so large these days, and it's really coming from the cyber crime ecosystem. The human cannot actually deal with handling dealing with all those different threats out there, so they need to figure out a way to fight automation with automation. And that's really the key. I had mentioned this earlier on before, is you have to make sure that your technology controls are talking to each other so that they can actually take some automated action. As far as you're concerned as a security operator working in a sock, no matter how good you are, the process for you to identify something, analyze it and take action on it, it's going to be a couple hours sometimes. Sometimes it's a little bit faster, but usually it's a couple hours. It's way too late by then because that threat could spread all over the place. You need those machines to make some of those actual decisions for you, and that's where you start to hear a lot about, and all these buzz-words about artificial intelligence, machine learning, big data analytics. We're really diving into now and trying to figure out how can the machines help us make these automated decisions for us. >> But as you increase the amount of automation, you dramatically expand the threat surface for the number of things that could suddenly be compromised and be taken over as a bad actor. They themselves are more connected. It just amplifies the whole problem. >> Yeah, it gets more complicated, so a system that's more complex, is less secure. >> More vulnerable, sir. >> Yeah, more vulnerable. Absolutely. >> Alright, so once again, Tony G, thanks for being here. We've been speaking on Cube Conversation with Anthony Giandomenico who's with the FortiGuard Labs. He's a security analyst and researcher. Thank you very much for being here. >> Thanks! Thanks for having me. (Techno music)

(Upbeat orchestra music) >> Hi, it's Peter Burris with Cube Conversation. We're here with Anthony Giandomenico who's a senior security strategist and researcher at FortiGuard Labs. Tony G! >> Thanks for having me today, Peter! >> Good to see you again! So, Tony G, you spend a lot of time talking to a lot of users, a lot of other professionals, you're doing a lot of research on issues. Give us a quick snapshot. What's the state of security today? >> Well I think there's a lot of things happening right now, I think in the cyberworld. One, a lot of us already know is we have a huge skill shortage. We just don't have enough folks to be able to defend our cyber assets. And, I think the other thing is, you look at some of the mid-tier organizations, maybe a thousand users or so, they don't have those skilled resources, and what happens is they end up relying on different types of technology to help fill that skills gap, and that's good, but what they need to also make sure is that they have an over-arching good solid security program that takes into consideration, technology controls, so you're buying these specific products, but also, what are the processes and what are the actual kind of people that are involved. And are you actually combining all of those to encompass a solid, good, cyber security program? >> Yeah, a bad guy who watches a ransomware attack on a mid-size company, may be a little disappointed that they are not able to get 10 million dollars, but they'll be pretty happy with a million or 500 thousand dollars. That's a good day's work for these guys. >> It's low-hanging fruit, Peter, right? It's much easier, and I think that's the sweet spot for the bad guys, right, because if you go too high, sometimes it's too much effort. You go too low, you're not really getting much. But in the middle, you're getting a decent amount, and a lot of times, they don't have that strong, cyber security program. Now, I always tell a lot of my customers in that sweet spot, forget about protecting and monitoring everything. It's not going to happen. You will fail 100% of the time. However, if you focus on what are the key assets, what are those five, six business critical processes, understand the assets that those processes ride over, focus on protecting those. Everything else is ancillary because this is all that really matters to the business. The other thing I would say, Peter, and I think that this is a mindset change. If I'm a security professional and I'm responsible for protecting my cyber assets, and if I'm being measured on whether there's a breech in my network or not, so if there is a breech I fail, that has to go away. Because you will fail every single time. That's not the way you should be measured. You should be measured on, hey, we quickly identified, something in the network, isolated it, we mitigated it, we got everything back up and running, and we're back up and running as normal, minimized the actual damage. That's how I should be graded on. >> So, it's an important point, Tony G, so what we're saying is, that the real metrics associated with this should be the degree to which you can mitigate problems, not whether or not you're 100% clear of everything, because the bad guys are going to find their way at some point in time. >> They got enough time to do it and you don't. So, like if you can quickly identify when they are in the network, isolate it, minimize the damage, and get your business processes back up and running, that's a win! >> One of the things you mentioned, you mentioned for your cyber security, or your cyber assets, which by itself is not an easy thing necessarily to measure. It's hard to say that this cyber asset's worth that, and that cyber asset's worth that, but we do have to make some effort to understand the risks associated with cyber where it's an opportunity cost or whether it's replacement cost or whatever else it might be. But it also suggests historically we invest in assets we appreciate the value of those assets. Should security be regarded as an asset, should cyber security be regarded as part of the asset base of the business? What do you think? >> Absolutely, you definitely as a consumer or as someone who is interested in looking at an actual business, I think that's a key asset to make sure that your information is being protected. And, honestly, I don't think it always is. We have these regulations that are tied to making sure for example, if you're storing customer credit cards, there's PCI, and there's all these other now HIPPA regulations, and all that type of stuff, but those regulations still don't seem to be enough, and I think the minute you can turn >> You mean it's not enough and it appears that enterprise has generally continued to under invest in their cyber security assets. Is that kind of what you mean? >> Yeah, I still think it's a check-box. >> Okay, I am compliant, okay, that's enough. I betcha, there are companies out there, they'll put a certain money aside knowing that they're going to get breached, and use that money to be able to pay for their breach or whatever else they have to do to meet those regulations, instead of investing into the actual technology to fortify their environment a lot better. >> Well, at wikibon-- we are doing research on related type things all the time, we're just fascinated by the idea that if a business is going after greater flexibility and agility, a crucial element of that has to be, do you have a cyber security profile that allows you to take advantage of those opportunities, that allows you to connect with those partners, that allows you to set up more intimated relations with a big customer. And it just seems as though that something has to become an explicit feature of the conversation about what are strategic assets. >> Yeah, I totally agree. That kind of stirs up something in my head about cyber insurance. I think a lot of companies are also moving towards, well, let me just buy some kind of cyber insurance. And, in the beginning they would go ahead and buy those things, but what they would quickly find out, is that they wouldn't be able to reap the money on an actual breach, because they were out of compliance because they didn't have the good cyber security program they were supposed to have. >> Yeah, the insurance company always finds a way to not pay. Let's talk now about this notion of great agility. We talked about the role that cyber security could play in businesses as they transform the digital world. We've seen a lot of developers starting to enter into cloud-native, cloud-development, new ways of integrating, that requires a mindset shift in the development world about what constitutes security. Now everybody knows, we're not just talking about perimeter, we're talking about something different. What is it that we are talking about? Are we talking about how security is going to move with the data? Are the securities going to be embedded in the API? What do developers have to do differently or how do they have to think differently to make sure that they are building stuff that makes the business more secure? >> Well, before you even start talking about the cloud, or anything else, we still have an issue when we're building our applications, developers still, I don't think are up to speed enough on tracking good, secure coding. I think we're still playing catch-up to that. Now, what you just said, think about where we're at now, we're not even sort of there, now you're going to expand that out into the cloud, it's only going to amplify the actual problem, so there's going to be a lot of challenges that we're going to have to face. We talked about this off-line before, is where's your data going to be? It's going to be everywhere. How are you going to be able to secure that particular data? I think that's going to be a lot of challenges that face ahead of us. We have to figure out how to deal with it. >> The last thing I want to talk about, Tony G, is a lot of the applications that folks are going to be building, a lot of things the developers are going to be building, are things that increasingly provide or bring a degree 6of automation to bear. hink about it, if you've got bad cyber security, you may not know when you've been breached or when you've been hacked or when you've been compromised. You definitely don't want to find out because you've got some automation thing going on that's spinning out of control and doing everything wrong because of a security breach. What's the relationship between increasing automation and the need for more focus and attention on cyber security? >> Usually when I talk about automation, I'm talking about how the bad guys are leveraging automation. Now, I'll give you a little bit of an example here, in our FortiGuard Labs, I think last quarter, I think it was over a million exploits or at least exploit attempts that we were thwarting in one minute. The volume of the attacks are so large these days, and it's really coming from the cyber crime ecosystem. The human cannot actually deal with handling dealing with all those different threats out there, so they need to figure out a way to fight automation with automation. And that's really the key. I had mentioned this earlier on before, is you have to make sure that your technology controls are talking to each other so that they can actually take some automated action. As far as you're concerned as a security operator working in a sock, no matter how good you are, the process for you to identify something, analyze it and take action on it, it's going to be a couple hours sometimes. Sometimes it's a little bit faster, but usually it's a couple hours. It's way too late by then because that threat could spread all over the place. You need those machines to make some of those actual decisions for you, and that's where you start to hear a lot about, and all these buzz-words about artificial intelligence, machine learning, big data analytics. We're really diving into now and trying to figure out how can the machines help us make these automated decisions for us. >> But as you increase the amount of automation, you dramatically expand the threat surface for the number of things that could suddenly be compromised and be taken over as a bad actor. They themselves are more connected. It just amplifies the whole problem. >> Yeah, it gets more complicated, so a system that's more complex, is less secure. >> More vulnerable, sir. >> Yeah, more vulnerable. Absolutely. >> Alright, so once again, Tony G, thanks for being here. We've been speaking on Cube Conversation with Anthony Giandomenico who's with the FortiGuard Labs. He's a security analyst and researcher. Thank you very much for being here. >> Thanks! Thanks for having me. (Techno music)

(uplifting music) >> Hi I'm Peter Burris, and welcome to another great CUBE conversation. We're here in our Palo Alto studios with Fortinet's Anthony Giandomenico, Anthony welcome. >> Welcome, it's great to be here. >> So or otherwise known as Tony G. So in theCUBE conversations Tony, we want to talk about interesting and relevant things. Well here's an interesting and relevant thing that just happened: Fortinet has put forward their quarterly Threats report. What is it? What's in it? >> Really, it's something we do on a quarterly basis, and it's really geared towards the IP security profession, so we go to from the CSO all the way down to the security operator. And what we're looking at is billions of events that are being observed in real time, you know production environments around the world and what we're hoping to do is look at different types of trends that are specific to application exploits, malware, and botnets and hopefully then provide some recommendations back to those IP security professionals. >> Now Tony, malware's been around for a while, some of the bots are a little bit new, but certainly there's some real new things that are on the horizon like IoT and we've heard recently that there's been some challenge with some of these IoT devices. Is it the threat getting more or less intense according to the report? >> Yeah, definitely it's getting more sophisticated, specifically with these IoT devices. What we're seeing as an example with the Reaper and Hajime, always had a hard time actually pronouncing that so I think it's "Hajime". They're actually starting to attack multiple vulnerabilities so instead of just going after one vulnerability, they have multiple vulnerabilities that is inside their malicious code, and then they have the ability to automate the exploitation of those vulnerabilities depending on what the IoT devices are. Now, they're also becoming a lot more resilient. And what I mean by that is some of the actual botnets like Hajime is able to communicate via P2P to each other. What they kind of creates is a decentralized command and control infrastructure. And then lastly, they're becoming much more agile as well, they have this Lua engine, which enables them to quickly update their code so, giving an example, let's say there's a new vulnerability out there. They can quickly swap out or add the additional exploit before that vulnerability, propagate that out to all of the IoT devices that are part of the botnet, and then they can swarm in on that new vulnerability. >> So Fortinet's Fortiguard Labs is one of the leading researchers in this area, especially internet, enterprise security. What is your recommendations that people do about the increasing intensity of the IoT threats? >> But I think we need to start, at least thinking about fighting these automation attacks or worm attacks with our own swarm-like defenses. And what I mean by that is having a seamless integration and automation across your entire security fabric. Now, there's a lot that actually kind of goes into that, but your technology controls need to start talking to each other, and then you can start automating and taking some action really based on whatever threat happens to be in your environment. Now, it's easier said than done, but if you can do that, you can start automating the continual resistance or resiliency of you being able to actually defend against those automated attack. >> So let's change gears a little bit. Willie Sutton, I think it was Willie Sutton, the famous bank robber was famous for saying, when someone asked him "Why do you rob banks?" he said "That's where the money is." >> All of the money (laughing) >> Crypto-jacking. What's going on with as BitCoin becomes a bigger feature of the whole landscape, what's happening with crypto-jackers, what is it, how does it work, why should we be concerned about it? >> Well definitely cryptocurrency is becoming more and more popular these days and the bad guys are definitely taking advantage of that. So when we talk about what is crypto-jacking, so it's really it's sharing, or secretly using, the CPU resources to be able to mine for cryptocurrencies. Now, traditionally you used to have to put some type of application on your machine to be able to mine for cryptocurrencies. Nowadays, all the bad guys really have to do is install a little java script in your browser and away they go. And the only way that you're going to know that your machine may be part of this mining, is it may become super slow and you may be savvy enough to say "Well, maybe look at the CPU." And you look at it and it's pegged at 100%. So that's one of the ways that you can determine that your computer is part of crypto mining. Now in the Q4 report what we've seen is a huge update in crypto mining malware, and it's interesting because it's very intertwined with the rise and fall of the BitCoin price. So as we saw the BitCoin price go up, the crypto mining malware went up, and as it actually dropped off so did the activity. The other thing that we actually ended up seeing is actually in the Darknet. There's a bit of a shift where the bad guys used to only accept payment in BitCoin. Now they're looking at accepting other forms of actual cryptocurrency and that also holds true for ransomware. So if you have an infected with ransomware, it's quite possible that they're going to demand that ransom in something other than BitCoin. >> Interesting, so, in fact we had a great previous group conversation with another really esteemed Fortinet guest, and we talked a little bit about this. So one of the prescriptions is businesses have to be careful about the degree to which they think about doing a lot of transactions in cryptocurrencies. But they probably want to have a little bit of reserves just in case. But what should a business do? What should someone do to mediate some of the challenges associated with crypto-jacking? >> Yeah, I think one of the first things, it's probably self-explanatory to most us that are actually in the cyber field, but having good user awareness training program that actually includes keeping up with the latest and greatest tactics, techniques, and the actual threats that the bad guys are doing out there. Now the other obvious thing would probably be just make sure that your security solutions are able to detect the crypto mining URLs and malware. And I would also say- now I'm not condoning that you actually pay the ransom- however, it's happened many times where they've paid, I think there were some companies that actually paid over a million dollars in BitCoin, it may actually be an option and if you have that in your incident response plan, and what you want to do sometimes- and we've seen organizations actively go ahead and do this- is they'll buy some BitCoin, kind of keep it on hand so if they do have to pay, it streamlines an entire process. Because ransomware, the actual ransom now, you may not be able to pay in BitCoin. You probably have to keep abreast of what are the actually trends in paying up for your ransom because you may have to have other cryptocurrencies on hand as well. >> So, make sure your security's up to date, then you can track these particular and specific resources that tend to do this, have a little bit on reserve, but make sure that you are also tracking which of the currencies are most being used. So, there are other exploits, as you said earlier. Now we see people when someone's not working by doing peer to peer type stuff. The bad guys are constantly innovative, some would argue that they're more inventive than the good guys because they got less risk to worry about. What other threats is the report starting to highlight, that people need to start thinking about? >> So in this Q4 report what we did is we added in the top exploit kit. And I think we'll probably continue to do that over the-- >> What's an exploit kit? >> Exploit kit is something, it's a very nice little kind of GUI that allows you to really just kind of point and click, has multiple exploits in there, and it's usually browser based so it's going to be able to compromise usually a vulnerability within the browser, or some of the actual browser plugins, things of that nature, and the one that we had in the Q4 report was the Sundown exploit kit. Now, it was interesting because we didn't necessarily see that one on the top, it might've been top of its game maybe 2014, 2015, but it actually rose in early December to actually kind of be number one for Q4. And it's unique because it does leverage steganography, meaning it's able to hide its malicious code or its harvested information inside image files. So we'll continue to track that, we don't know sure why it actually kind of rose up in the beginning of December but we'll just actually continue to track it on time. >> So you've already mentioned ransomware but let's return to it because that's at the top of people's minds, we pay lawyers when they come after us with sometimes what looks like ransom. But what is happening, what's the point in ransomware, what's the report on they like? >> Well, what you see is the actual growth and volume and sophistication has really been common amongst all the reports that we have actually put out to date, but not a lot has really changed. In Q4, what we did have Locky was the number one malware, or ransomware variant along with Global Imposter. Now, it's still the same delivery mechanisms, so you still got the social engineering, it's being delivered through fishing email, but then it's expanding out to let's say compromised websites, malvertising, as well as earlier on last year, we saw where it was being able to propagate from vulnerability to vulnerability so it had this worm-like spreading capability. That's all really been the same and not a lot has really sort of changed. The thing that has changed actually is the fact that they're up in the ante a little bit to be able to hopefully increase their chances of you actually falling for that actual scam, is they're making the subject of that scam a little bit more top-of-mind. As an example, the subject may be cryptocurrency because you're more likely to figure out what's going on there, you'll be more likely to download that file or click that link if the subject is something around cryptocurrency because it is top-of-mind today. >> Interestingly enough, I, this morning received an email saying, "You could win some free cryptocurrency." And I said "And you can go into the trash can." (Tony laughing) So what should people do about it? I just threw something away, but what should people generally do to protect their organization from things like ransomware? >> I do get that a lot, I get that question a lot. The first thing I say, if you're trying to protect against ransomware, you follow the same things that you were doing with some of the other threats because I don't think ransomware is that unique when it comes to the protection. The uniqueness is really an impact, because certain threats they'll actually go and steal data and whatnot but when's the last time you heard of a business going out of business or losing money because some data was stolen? Not very often, it seems to be continued as business as usual, but ransomware, locking your files, it could actually bring the business down. So what you want to do is be able to minimize the impact of that actual ransomware so having a good offline backup strategy, so good backup and recovery strategy, making sure you go through those table top exercises really to make sure that when you do have to recover, you know exactly how long it's going to take and it's very efficient and very streamlined. >> Practice, practice, practice. >> Yup, and don't rely on online backups, shadow copy backups because those things are probably going to be encrypted as well. >> Yup, alright so that's all we have time for today Tony. So, Anthony Giandomenico from-- >> Tony G! (laughing) >> Tony G, who's a senior security strategist researcher at the Fortinet Fortiguard Labs. Thanks very much for this Cube conversation. >> It was great to be here. >> Peter Burris, once again, we'll see you at the next Cube Conversation. (uplifting music)