>> from our studios in the heart of Silicon Valley, Palo Alto, California It is a cute conversation. >> Well, the Special Cube conversation. We are here in Palo Alto, California, Cube studios here. Tony, Gino, Domenico, Who's the senior security strategist and research at for Net and four to guard labs live from Las Vegas. Where Black Hat and then Def Con security activities happening, Tony, also known as Tony G. Tony G. Welcome to this cube conversation. >> Hey, Thanks, John. Thanks for having me. >> So a lot of action happening in Vegas. We just live there all the time with events. You're there on the ground. You guys have seen all the action there. You guys are just published. Your quarterly threat report got a copy of it right here with the threat index on it. Talk about the quarterly global threats report. Because the backdrop that we're living in today, also a year at the conference and the cutting edge is security is impacting businesses that at such a level, we must have shell shock from all the breaches and threats they're going on. Every day you hear another story, another story, another hack, more breaches. It said all time high. >> Yeah, you know, I think a lot of people start to get numb to the whole thing. You know, it's almost like they're kind of throwing your hands up and say, Oh, well, I just kind of give up. I don't know what else to do, but I mean, obviously, there are a lot of different things that you can do to be able to make sure that you secure your cybersecurity program so at least you minimize the risk of these particular routes is happening. But with that said with the Threat Landscape report, what we typically dio is we start out with his overall threat index, and we started this last year. If we fast forward to where we are in this actual cue to report, it's been one year now, and the bad news is that the threats are continuing to increase their getting more sophisticated. The evasion techniques are getting more advanced, and we've seen an uptick of about 4% and threat volume over the year before. Now the silver lining is I think we expected the threat volume to be much higher. So I think you know, though it is continuing to increase. I think the good news is it's probably not increasing as fast as we thought it was going to. >> Well, you know, it's always You have to know what you have to look for. Blood. People talk about what you can't see, and there's a lot of a blind spot that's become a data problem. I just want to let people know that. Confined the report, go to Ford Nets, ah website. There's a block there for the details, all the threat index. But the notable point is is only up 4% from the position year of a year that the attempts are more sophisticated. Guys gotta ask you, Is there stuff that we're not seeing in there? Is there blind spots? What's the net net of the current situation? Because observe ability is a hot topic and cloud computing, which essentially monitoring two point. Oh, but you gotta be able to see everything. Are we seeing everything? What's what's out there? >> Well, I mean, I think us as Ford, a guard on Darcy, have cyber threat in challenges. I think we're seeing a good amount, but when you talk about visibility, if you go back down into the organizations. I think that's where there's There's definitely a gap there because a lot of the conversations that I have with organizations is they don't necessarily have all the visibility they need from cloud all the way down to the end point. So there are some times that you're not gonna be able to catch certain things now. With that said, if we go back to the report at the end of the day, the adversaries have some challenges to be able to break into an organization. And, of course, the obvious one is they have to be able to circumvent our security controls. And I think as a security community, we've gotten a lot better of being able to identify when the threat is coming into an organization. Now, on the flip side, Oh, if you refer back to the minor Attack knowledge base, you'll see a specific tactic category called defense evasions. There's about 60 plus techniques, evasion techniques the adversary has at their disposal, at least that we know may there may be others, but so they do have a lot of opportunity, a lot of different techniques to be able to leverage with that, said There's one technique. It's, ah, disabling security tools that we started seeing a bit of an increase in this last cue to threat landscape report. So a lot of different types of threats and mile where have the capability to be ableto one look at the different processes that may be running on a work station, identifying which one of those processes happen to be security tools and then disabling them whether they're no, maybe they might just be able to turn the no, the actual service off. Or maybe there's something in the registry that they can tweak. That'll disable the actual security control. Um, maybe they'll actually suppress the alerts whatever. They conduce you to make sure that that security control doesn't prevent them from doing that malicious activity. Now, with that said, on the flip side, you know, from an organization for perspective, you want to make sure that you're able to identify when someone's turning on and turning off those security control to any type of alert that might be coming out of that control also. And this is a big one because a lot of organizations and this certainly do this minimize who has the ability to turn those particular security controls on and off. In the worst cases, you don't wanna have all of your employees uh, the you don't want to give them the ability to be able to turn those controls on and off. You're never gonna be ableto baseline. You're never gonna be able to identify a, you know, anomalous activity in the environment, and you're basically gonna lose your visibility. >> I mean, this increase in male wearing exploit activity you guys were pointing out clearly challenge the other thing that the report kind of She's out. I want to get your opinion on this. Is that the The upping? The ante on the evasion tactics has been very big trend. The adversaries are out there. They're upping the ante. You guys, we're upping the guarantees. This game you continue this flight will continues. Talk about this. This feature of upping the ante on evasion tactics. >> Yes. So that's what I was that I was kind of ah, referring to before with all the different types of evasion techniques. But what I will say is most of the all the threats these days all have some type of evasion capabilities. A great example of this is every quarter. If you didn't know. We look at different types of actors and different types of threats, and we find one that's interesting for us to dig into and where create was called an actual playbook, where we want to be able to dissect that particular threat or those threat actor methodologies and be able to determine what other tactics and corresponding techniques, which sometimes of course, includes evasion techniques. Now, the one that we focused on for this quarter was called His Ego's Was Ego, says a specific threat that is an information stealer. So it's gathering information, really based on the mission goals off, whatever that particular campaign is, and it's been around for a while. I'm going all the way back to 2011. Now you might be asking yourself, Why did we actually choose this? Well, there's a couple different reasons. One happens to be the fact that we've seen an uptick in this activity. Usually when we see that it's something we want to dive into a little bit more. Number two. Though this is a tactic of the of the adversary, what they'll do is they'll have their threat there for a little while, and then local doorman. They'll stop using that particular malware. That's no specific sort of threat. They'll let the dust settle that things die down. Organizations will let their guard down a little bit on that specific threat. Security organizations Ah, vendors might actually do the same. Let that digital dust kind of settle, and then they'll come back. Bigger, faster, stronger. And that's exactly what Z ghosted is. Ah, we looked at a specific campaign in this new mall where the new and improved Mauer, where is they're adding in other capabilities for not just being able to siphon information from your machine, but they're also now can capture video from your webcam. Also, the evasion techniques since Iran that particular subject, what they're also able to do is they're looking at their application logs. Your system logs your security logs, the leading them making a lot more difficult from a forensic perspective. Bill, go back and figure out what happened, what that actual malware was doing on the machine. Another interesting one is Ah, there. We're looking at a specific J peg file, so they're looking for that hash. And if the hash was there the axle? Um, our wouldn't run. We didn't know what that was. So we researched a little bit more on What we found out was that J Peg file happened to be a desktop sort of picture for one of the sandboxes. So it knew if that particular J pick was present, it wasn't going to run because it knew it was being analyzed in a sandbox. So that was a second interesting thing. The 3rd 1 that really leaned us towards digging into this is a lot of the actual security community attribute this particular threat back to cyber criminals that are located in China. The specific campaign we were focused on was on a government agency, also in China, So that was kind of interesting. So you're continuing to see these. These mile wears of maybe sort of go dormant for a little bit, but they always seem to come back bigger, faster, stronger. >> And that's by design. This is that long, whole long view that these adversaries we're taking in there as he organized this economy's behind what they're doing. They're targeting this, not just hit and run. It's get in, have a campaign. This long game is very much active. Howto enterprises. Get on, get on top of this. I mean, is it Ah, is it Ah, people process Issue is it's, um, tech from four to guard labs or what? What's what's for the Nets view on this? Because, I mean, I can see that happening all the time. It has >> happened. Yeah, it's It's really it's a combination of everything on this combination. You kind of hit like some of it, its people, its processes and technology. Of course, we have a people shortage of skilled resource is, but that's a key part of it. You always need to have those skills. Resource is also making sure you have the right process. Is how you actually monitoring things. I know. Ah, you know, a lot of folks may not actually be monitoring all the things that they need to be monitoring from, Ah, what is really happening out there on the internet today? So making sure you have clear visibility into your environment and you can understand and maybe getting point in time what your situational awareness is. You you, for my technology perspective, you start to see and this is kind of a trend. We're starting the leverage artificial intelligence, automation. The threats are coming, and it's such a high volume. Once they hit the the environment, instead of taking hours for your incident response to be about, at least you know not necessarily mitigate, but isolate or contain the breach. It takes a while. So if you start to leverage some artificial intelligence and automatic response with the security controls are working together. That's a big that's a big part of it. >> Awesome. Thanks for coming. This is a huge problem. Think no one can let their guard down these days? Certainly with service, they're expanding. We're gonna get to that talk track in the second. I want to get quickly. Get your thoughts on ransom, where this continues to be, a drum that keeps on beating. From a tax standpoint, it's almost as if when when the attackers need money, they just get the same ransomware target again. You know, they get, they pay in. Bitcoin. This is This has been kind of a really lucrative but persistent problem with Ransomware. This what? Where what's going on with Ransomware? What's this state of the report and what's the state of the industry right now in solving that? >> Yeah. You know, we looked into this a little bit in last quarter and actually a few quarters, and this is a continuous sort of trend ransom, where typically is where you know, it's on the cyber crime ecosystem, and a lot of times the actual threat itself is being delivered through some type of ah, phishing email where you need a user to be able to click a langur clicking attachment is usually kind of a pray and spray thing. But what we're seeing is more of ah, no sort of ah, you know, more of a targeted approach. What they'll do is to look for do some reconnaissance on organizations that may not have the security posture that they really need. Tohave, it's not as mature, and they know that they might be able to get that particular ransomware payload in there undetected. So they do a little reconnaissance there, And some of the trend here that we're actually seeing is there looking at externally RTP sessions. There's a lot of RTP sessions, the remote desktop protocol sessions that organizations have externally so they can enter into their environment. But these RTP sessions are basically not a secure as they need to be either week username and passwords or they are vulnerable and haven't actually been passed. They're taking advantage of those they're entering and there and then once they have that initial access into the network, they spread their payload all throughout the environment and hold all those the those devices hostage for a specific ransom. Now, if you don't have the, you know, particular backup strategy to be able to get that ransom we're out of there and get your your information back on those machines again. Sometimes you actually may be forced to pay that ransom. Not that I'm recommending that you sort of do so, but you see, or organizations are decided to go ahead and pay that ransom. And the more they do that, the more the adversary is gonna say, Hey, I'm coming back, and I know I'm gonna be able to get more and more. >> Yeah, because they don't usually fix the problem or they come back in and it's like a bank. Open bank blank check for them. They come in and keep on hitting >> Yeah >> same target over and over again. We've seen that at hospitals. We've seen it kind of the the more anemic I t department where they don't have the full guard capabilities there. >> Yeah, and I would have gone was really becoming a big issue, you know? And I'll, uh, ask you a question here, John. I mean, what what does Microsoft s A N D. H s have in common for this last quarter? >> Um, Robin Hood? >> Yeah. That attacks a good guess. Way have in common is the fact that each one of them urged the public to patch a new vulnerability that was just released on the RTP sessions called Blue Keep. And the reason why they was so hyped about this, making sure that people get out there and patch because it was were mobile. You didn't really need tohave a user click a link or click and attachment. You know, basically, when you would actually exploit that vulnerability, it could spread like wildfire. And that's what were mobile is a great example of that is with wannacry. A couple years ago, it spread so quickly, so everybody was really focused on making sure that vulnerability actually gets patched. Adding onto that we did a little bit of research on our own and ransom Internet scans, and there's about 800,000 different devices that are vulnerable to that particular ah, new vulnerability that was announced. And, you know, I still think a lot of people haven't actually patched all of that, and that's a real big concern, especially because of the trend that we just talked about Ransomware payload. The threat actors are looking at are Rdp as the initial access into the environment. >> So on blue Keep. That's the one you were talking about, right? So what is the status of that? You said There's a lot of vulnerable is out. There are people patching it, is it Is it being moving down, the down the path in terms of our people on it? What's your take on that? What's the assessment? >> Yeah, so I think some people are starting to patch, but shoot, you know, the scans that we do, there's still a lot of unpacked systems out there, and I would also say we're not seeing what's inside the network. There may be other RTP sessions in the environment inside of an organization's environment, which really means Now, if Ransomware happens to get in there that has that capability than to be able to spread like the of some RTP vulnerability that's gonna be even a lot more difficult to be able to stop that once it's inside a network. I mean, some of the recommendations, obviously, for this one is you want to be able to patch your RTP sessions, you know, for one. Also, if you want to be able to enable network authentication, that's really gonna help us. Well, now I would also say, You know, maybe you want a hard in your user name and passwords, but if you can't do some of this stuff, at least put some mitigating controls in place. Maybe you can isolate some of those particular systems, limit the amount of AH access organizations have or their employees have to that, or maybe even just totally isolated. If it's possible, internal network segmentation is a big part of making sure you can. You're able to mitigate some of these put potential risks, or at least minimize the damage that they may cause. >> Tony G. I want to get your thoughts on your opinion and analysis expert opinion on um, the attack surface area with digital and then ultimately, what companies can do for Let's let's start with the surface area. What's your analysis there? Ah, lot of companies are recognizing. I'll see with Coyote and other digital devices. The surface area is just everywhere, right? So I got on the perimeter days. That's kind of well known. It's out there. What's the current digital surface area threats look like? What's your opinion? >> Sure, Yeah, it's Ah, now it's funny. These days, I say no, Jenna tell you everything that seems to be made as an I P address on it, which means it's actually able to access the Internet. And if they can access the Internet, the bad guys can probably reach out and touch it. And that's really the crux of the problem of these days. So anything that is being created is out on the Internet. And, yeah, like, we all know there's really not a really rigid security process to make sure that that particular device as secure is that secure as it actually needs to be Now. We talked earlier on about You know, I ot as relates to maybe home routers and how you need to be ableto hard in that because you were seeing a lot of io teapot nets that air taking over those home routers and creating these super large I ot botnets on the other side of it. You know, we've seen ah lot of skate of systems now that traditionally were in air gapped environments. Now they're being brought into the traditional network. They're being connected there. So there's an issue there, but one of the ones we haven't actually talked a lot about and we see you're starting to see the adversaries focus on these little bit more as devices in smart homes and smart buildings in this queue to threat landscape report. There was a vulnerability in one of these you motion business management systems. And, you know, we looked at all the different exploits out there, and the adversaries were actually looking at targeting that specific exploit on that. That's smart management building service device. We had about 1% of all of our exploit, uh, hits on that device. Now that might not seem like a lot, but in the grand scheme of things, when we're collecting billions and billions of events, it's a fairly substantial amount. What, now that we're Lee starts a kind of bring a whole another thought process into as a security professional as someone responds double for securing my cyber assets? What if I include in my cyber assets now widen include all the business management systems that my employees, Aaron, for my overall business. Now that that actually might be connected to my internal network, where all of my other cyber assets are. Maybe it actually should be. Maybe should be part of your vulnerability mentioned audibly patch management process. But what about all the devices in your smart home? Now? You know, all these different things are available, and you know what the trend is, John, right? I mean, the actual trend is to work from home. So you have a lot of your remote workers have, ah, great access into the environment. Now there's a great conduit for the obvious areas to be ableto break into some of those smart home devices and maybe that figure out from there there on the employees machine. And that kind of gets him into, you know, the other environment. So I would say, Start looking at maybe you don't wanna have those home devices as part of, ah, what you're responsible for protecting, but you definitely want to make sure your remote users have a hardened access into the environment. They're separated from all of those other smart, smart home devices and educate your employees on that and the user awareness training programs. Talk to them about what's happening out there, how the adversaries air starting to compromise, or at least focus on some of them smart devices in their home environment. >> These entry points are you point out, are just so pervasive. You have work at home totally right. That's a great trend that a lot of companies going to. And this is virtual first common, a world. We build this new new generation of workers. They wanna work anywhere. So no, you gotta think about all that. Those devices that your son or your daughter brought home your husband. Your wife installed a new light bulb with an I peed connection to it fully threaded processor. >> I know it. Gosh, this kind of concern me, it's safer. And what's hot these days is the webcam, right? Let's say you have an animal and you happen to go away. You always want to know what your animals doing, right? So you have these Webcams here. I bet you someone might be placing a webcam that might be near where they actually sit down and work on their computer. Someone compromises that webcam you may be. They can see some of the year's name and password that you're using a log in. Maybe they can see some information that might be sensitive on your computer. You know, it's the The options are endless here. >> Tony G. I want to get your thoughts on how companies protect themselves, because this is the real threat. A ni O t. Doesn't help either. Industrial I ot to just Internet of things, whether it's humans working at home, too, you know, sensors and light bulbs inside other factory floors or whatever means everywhere. Now the surface area is anything with a knife he address in power and connectivity. How do companies protect themselves? What's the playbook? What's coming out of Red hat? What's coming out of Fort Annette? What are you advising? What's the playbook? >> Yeah, you know I am. You know, when I get asked this question a lot, I really I sound like a broken record. Sometimes I try to find so many different ways to spin it. You know, maybe I could actually kind of say it like this, and it's always means the same thing. Work on the fundamentals and John you mentioned earlier from the very beginning. Visibility, visibility, visibility. If you can't understand all the assets that you're protecting within your environment, it's game over. From the beginning, I don't care what other whiz bang product you bring into the environment. If you're not aware of what you're actually protecting, there's just no way that you're gonna be able to understand what threats are happening out your network at a higher level. It's all about situational awareness. I want to make sure if I'm if I'm a C so I want my security operations team to have situational awareness at any given moment, all over the environment, right? So that's one thing. No grabbing that overall sort of visibility. And then once you can understand where all your assets are, what type of information's on those assets, you get a good idea of what your vulnerabilities are. You start monitoring that stuff. You can also start understanding some of different types of jabs. I know it's challenging because you've got everything in the cloud all the way down to the other end point. All these mobile devices. It's not easy, but I think if you focus on that a little bit more, it's gonna go a longer way. And I also mentioned we as humans. When something happens into the environment, we can only act so fast. And I kind of alluded to this earlier on in this interview where we need to make sure that we're leveraging automation, artificial in intelligence to help us be able to determine when threats happened. You know, it's actually be in the environment being able to determine some anomalous activity and taking action. It may not be able to re mediate, but at least it can take some initial action. The security controls can talk to each other, isolate the particular threat and let you fight to the attack, give you more time to figure out what's going on. If you can reduce the amount of time it takes you to identify the threat and isolate it, the better chances that you're gonna have to be able to minimize the overall impact of that particular Reno. >> Tony, just you jogging up a lot of memories from interviews I've had in the past. I've interviewed the four star generals, had an essay, had a cyber command. You get >> a lot of >> military kind of thinkers behind the security practice because there is a keeping eyes on the enemy on the target on the adversary kind of dialogue going on. They all talk about automation and augmenting the human piece of it, which is making sure that you have as much realty. I'm information as possible so you can keep your eyes on the targets and understand, to your point contextual awareness. This seems to be the biggest problem that Caesar's heir focused on. How to eliminate the tasks that take the eyes off the targets and keep the situational winners on on point. Your thoughts on that? >> Yeah, I have to. You know what, son I used to be? Oh, and I still do. And now I do a lot of presentations about situational awareness and being ableto build your you know, your security operations center to get that visibility. And, you know, I always start off with the question of you know, when your C so walks in and says, Hey, I saw something in the news about a specific threat. How are we able to deal with that? 95% of the responses are Well, I have to kind of go back and kind of like, you don't have to actually come dig in and, you know, see, and it takes them a while for the audio. >> So there's a classic. So let me get back to your boss. What? Patch patch? That, um Tony. Chief, Thank you so much for the insight. Great Congressional. The Holy Report. Keep up the good work. Um, quick, Quick story on black hat. What's the vibe in Vegas? Def con is right around the corner after it. Um, you seeing the security industry become much more broader? See, as the industry service area becomes from technical to business impact, you starting to see that the industry change Amazon Web service has had an event cloud security called reinforce. You starting to see a much broader scope to the industry? What's the big news coming out of black at? >> Yeah, you know, it's it's a lot of the same thing that actually kind of changes. There's just so many different vendors that are coming in with different types of security solutions, and that's awesome. That is really good with that, said, though, you know, we talked about the security shortage that we don't have a lot of security professionals with the right skill sets. What ends up happening is you know, these folks that may not have that particular skill, you know, needed. They're being placed in these higher level of security positions, and they're coming to these events and they're overwhelmed because they're all they'll have a saw slight. It's all over a similar message, but slightly different. So how did they determine which one is actually better than the others? So it's, um, I would say from that side, it gets to be a little bit kind of challenging, but at the same time, No, I mean, we continued to advance. I mean, from the, uh, no, from the actual technical controls, solutions perspective, you know, You know, we talked about it. They're going, we're getting better with automation, doing the things that the humans used to do, automating that a little bit more, letting technology do some of that mundane, everyday kind of grind activities that we would as humans would do it, take us a little bit longer. Push that off. Let the actual technology controls deal with that so that you can focus like you had mentioned before on those higher level you know, issues and also the overall sort of strategy on either howto actually not allow the officer to come in or haven't determined once they're in and how quickly will be able to get them out. >> You know, we talked. We have a panel of seashells that we talk to, and we were running a you know, surveys through them through the Cube insights Most see says, we talk Thio after they won't want to talk off the record. I don't want anyone know they work for. They all talked him. They say, Look, I'm bombarded with more and more security solutions. I'm actually trying to reduce the number of suppliers and increase the number of partners, and this is nuanced point. But to your what you're getting at is a tsunami of new things, new threats, new solutions that could be either features or platforms or tools, whatever. But most si SOS wanna build an engineering team. They wanna have full stack developers on site. They wanna have compliance team's investigative teams, situational awareness teams. And they want a partner with with suppliers where they went partners, not just suppliers. So reduce the number suppliers, increase the partners. What's your take on that year? A big partner. A lot of the biggest companies you >> get in that state spring. Yeah. I mean, that's that's actually really our whole strategy. Overall strategy for Ford. Annette is, and that's why we came up with this security fabric. We know that skills are really not as not as prevalent as that they actually need to be. And of course, you know there's not endless amounts of money as well, right? And you want to be able to get these particular security controls to talk to each other, and this is why we built this security fabric. We want to make sure that the controls that we're actually gonna build him, and we have quite a few different types of, you know, security controls that work together to give you the visibility that you're really looking for, and then years Ah, you know, trusted partner that you can actually kind of come to And we can work with you on one identifying the different types of ways the adversaries air moving into the environment and ensuring that we have security controls in place to be able to thwart the threat. Actor playbook. Making sure that we have a defensive playbook that aligns with those actual ttp is in the offensive playbook, and we can actually either detect or ultimately protect against that malicious activity. >> Tony G. Thanks for sharing your insights here on the cube conversation. We'll have to come back to you on some of these follow on conversations. Love to get your thoughts on Observe ability. Visibility on. Get into this. What kind of platforms are needed to go this next generation with cloud security and surface area being so massive? So thanks for spending the time. Appreciate it. >> Thanks a lot, Right. We only have >> a great time in Vegas. This is Cube conversation. I'm John for here in Palo Alto. Tony G with Fortinet in Las Vegas. Thanks for watching

from our studios in the heart of Silicon Valley Palo Alto California this is a cute conversation welcome to the cube studios for another cube conversation where we go in-depth with thought leaders driving business outcomes with technology I'm your host Peter Burris every Enterprise that is trying to do digital transformation finds themselves facing two challenges one their digital assets themselves are a source of value and to other assets that are sources of value are becoming increasingly digitized and that creates a lot of challenges a lot of security concerns that bad agents out in the internet are exploiting and requires a programmatic fundamental response to try to ensure that the digital assets or digitized assets aren't mucked with by bad guys so to have that conversation we're here with Tony Jian Domenico Tony's a senior security strategist and a researcher and the CTI lead at Ford NIT Tony welcome back to the cube hey Pete it's great to be here man so as you get to see you yeah well we've been doing this for a couple of years now Tony and so let's get just kick it off what's new so what's new should we start talking about a little bit about the index here what we saw with the overall threat landscape sure well cool so you know y'all like you know like we always do we always like to start off with an overall threat landscape at least they give an overview of what that index looks like and it really consists of malware botnets application exploits and what we looked at over the quarter there was a lot of volatility throughout the quarter but at the end of the day it ended up only 1% higher than the quarter before now some of that volatility really is being driven by what we've talked about a lot of times Peter and a lot of these other episodes is that swarm like activity whenever an actual vulnerability is successfully exploited by an adversary everybody swarms in on that vulnerability and our fertig are labs you see that really like super spike up a great example of that would be in the last year in December think PHP which is an application that's a framework to rapidly develop web apps they had a vulnerability that if you successfully exploited it it would give you remote the remote access or I'm sorry remote code execution and they were exploiting that and we definitely seen a huge uptick now that wasn't the only one for the quarter but that and along with some of the other ones it's really what's kind of driving on volume so the index has been around for a few quarters now and it's a phenomenal way for folks out there to observe how overall trends are evolving but as you said one of the key things that's being discovered is that or you're discovering as you do this research is this notion of swarming it seems as though there ought to be a couple of reasons why that's the case Tony it's it's we've talked about this in the past there's folks who want to get a little bit more creative in creating bad stuff and there's other folks who just want to keep the cost low and just leverage what's out there which approach are the bad guys tend to using more and or is there an approach one of the other approach is more targeted to one or another kind of attack well it's funny you usually see the folks in the cyber crime ecosystem that are really focusing on you know identifying them not so much where they're doing more sort of targeted attacks it's more of a you know pray and spray you know type of thing and you see a lot of that you know anytime they can hire you can get a life of cybercrime right in the leverage some of these common you know you know services you have code reuse you know which is out there so you have that sort of like group there right and then you have more of the you know more of the you know hands-on sort of keyboard the more you know targeted attacks that are really focused on specific you know victims so you have those you know those two groups I say now with that though there kind of is a commonality there where there's this concept and it's nothing new we've been talking about this for years in the cybersecurity industry it's living off the land right where once a victim is on the actual machine itself they start leveraging some of the tools that are already available there and usually these tools their administration tools to be able to minister the actual network but these tools can also be used in the farías ways from example here would be you know PowerShell they you know a lot of admins use PowerShell for efficiencies on the network but that also can be used in the forest ways and the bad guys are using that and then this past quarter you know we did see a lot of PowerShell activity now you know Peter having said that though I think as a whole with the security community we're getting better at being able to identify these types of PowerShell attacks one we got better technology on the endpoint and I think to Microsoft is in a better job of being able to provide us more hardening capabilities for PowerShell like being able to restrict access to PowerShell as well as giving us better logging capability to be able to identify that malicious activity so we are getting better and the bad guys know this so I think what we can probably look for in the future is them leveraging either a different interface or different language because all they really need to do is interface with that dotnet framework which is part of a Windows system and they can start doing the same exact things they were doing with PowerShell and we're seeing that it in the open-source community now things like Silent Trinity open source tool that allows you to do those same things so for C an open source pretty much guarantee we're gonna see it out there in the wild here soon so we've got a group of bad actors that are using this living off the land approach to leverage technology that's out there and we've still got kind of the big guys having to worry about being targeted because you know that's how you make a lot of money if you're successful but it certainly does sound is that a general business practice for a lot of these guys is to leverage common infrastructure and that this common infrastructure is increasingly becoming you know better understood have I got that right no I you know Peter you're spot-on here what we did we did some exploratory research in this last quarter and what we found out is with the exploits within that quarter or or or the axe will come threats sixty percent of those threats are using the same infrastructure what I mean by infrastructure you know I I mean things like you know infrastructure to download malware maybe to redirect you to some other site and then downloads malware and that makes a lot of sense Peter you know why because in this cybercrime ecosystem if you didn't realize this it's a vicious competitive market everybody is trying to sell their wares and they want to make sure that their service is the best it's better than someone else's and they want to make sure that it's stable so they find these you know community you know infrastructures that are tried-and-true you know some of them are from you know bulletproof hosting so you know services you know things of that nature so you see a lot of the folks in a cybercrime ecosystem using them now on the flip side though you definitely see some of the thread actors that are more sort of you know more the advanced threat actors maybe what they want to do is hide a little bit so they'll hide in that larger community to be able to possibly be able to bypass that that attribution back to them because they don't want to be sort of labeled with oh hey this particular thread actor always uses this infrastructure so if they can blend in a lot harder to find them so they can use what is available but at the same time differentiate themselves in this bad actor ecosystem to take on even more challenging the potentially lucrative exploits now tell me if we know something about this common infrastructure as you said sixty percent of these attacks are using this common infrastructure that suggests we can bring a common set of analysis frameworks to bear as we consider who these actors are and what their practices are have I got that right yeah yeah absolutely if you can align your PlayBook defenses with the offensive actual playbook that the threat actors are using they're better off you're gonna be right because then you can be able to combat them a lot better and as a matter of fact I mean we've kind of introduced this sort of concept in conjunction with our our partnership with the cyber threat Alliance we're actually producing these thread actor play books you know and what we're doing is the idea behind this is if we can identify the malicious activity the threat actors are actually doing to complete their cyber mission expose some of them tactics those techniques those procedures we could possibly disrupt some of that malicious activity and you know this past this past quarter here we focused on a group you know Peter called the the silence group and they're really focused on identifying and stealing financial data they're looking at banks banking infrastructure and ATM machines and you'll get a kick out of this with the ATM machines they're doing something called jackpot II where they if they can find the axle software behind the ATM machine find that ATM process they can inject a malicious DLL into that process giving them total control over the ATM machine and now they can dispense money at will and they can have these money mules on the other side receive that actual money so you know we have a lot of different campaigns in play books that we've identified on our website and that once we understand that we align that with our security fabric and ensure that our customers are protected against that particular playbook Tony I'm not happy to hear that so this is this is my distressed face that I use during these types of interviews but it's if if we're able to look at how bad guy play books are operating then we ought to be able to say and what are those fundamentals that a shop should be using the security professionals should be using that are just you know so basic and so consistent and it seems that are you guys have identified three to do a better job of taking a fabric approach that starts to weave together all assets into a more common security framework to to do a better job of micro and macro segmentation so that you can identify where problems are and then finally increase your overall use of automation with AI and m/l how is this translating into your working with customers as they try to look at these playbooks and apply their own playbooks for how they set up their response regimes yeah so I mean I think overall I mean I think you can hit it on the head computer you kind of nailed down really those some it was kind of fundamental sort of concepts here now you can identify and you can document as many playbooks as you want but if you're not able to quickly respond when you identify those actual playbooks you know that's really half the battle I mean if you need to be able to identify you know one not only when the threat actors in your environment but then also you need to be able to quickly you know take action and like you were saying with that fabric if we can have that actual fabric being able to talk to the other controls within that fabric and take some action they're better off you're gonna be because you can align your defenses there and that's a great would you gotta make sure that all the controls within that fabric are all communicating together they're working together they're sharing information and they're responding together sure enough yeah are you starting to advise customers I'm curious you advising customers that even as they increase the capabilities of their fabric and how they handle their architectures from a micro macro segmentation and increase their use of automation or are there things that they can do from a practice standpoint just to ensure that their responses are appropriate fast and accurate yeah sure sure I mean I think a lot of the actual fabric once you actually build that fabric there's certain you know playbook responses that you can program into that fabric and I'll also even go I know we talked about you know fundamentals but I'll even dive a little bit lower here and you know you have that fabric but you also have to make sure you understand all the assets you have in your in you know your environment because that that information and that knowledge helps you with that macro and micro segmentation because when you can isolate you know different areas if there is a certain area that gets infected you can quickly turn the knobs to isolate that particular threat and that specific you know area or that's a specific segmented area and that is really gonna allow you to fight through the attack give you more time and ultimately reduce the impact of that particular breach so Tony we got the summer months coming up that means more vacations which is you jest less activity but then we got summer interns coming in which you know may involve additional clicking on things that shouldn't be clicked on any ideas what what should security pros be thinking about in the summer months what's the trend show well I think we're gonna continue to see that you know I I think the same type of threats that we've seen in the first quarter but I would say you know there may be a slight sort of drop-off right we got kind of kids that are gonna be out on vacation so you know schools may not see as much activity you got you know folks gonna be taking vacations and at the end of the day most of these exploits are client-side exploits which means you know a lot of times you need somebody to do something on the actual computer either you know clicking that link or clicking the attachment and if they're not there to do that they'll just sit there and you'll see less activity over time so we might see a little reduction in volume but I still think we'll see very similar types of you know threats in the coming months so good time good time are a good opportunity for security pros to double down on putting in place new architecture practices and response regime so that when stuff kicks up in the fall they're that much more prepared da Tony G on Domenico fort Ned great once again thanks very much for being on the cube hey you know Peter it's always a pleasure being here man hope to see you again soon you will and once again I'm Peter Burroughs until next time [Music]