>> Announcer: From theCUBE studios in Palo Alto and Boston, connecting with thought leaders all around the world, this is a CUBE Conversation. >> Hi, I'm Stu Miniman, and this is a special CUBE Conversation coming to us from our Boston area studio. We know that so much has changed in 2020 with the global pandemic on, with people working from home, staying safe is super important, and that especially is true when it comes to the threats that are facing us. So really happy to welcome to the program Hardik Modi, we're going to be talking about the NETSCOUT threat intelligence report for the first half of 2020. Hardik's the AVP of engineering for threat and mitigation products. Hardik, thanks so much for joining us. >> Thanks Stu, it's great to be here. Thanks for having me. >> Alright, so first set this up. This is NETSCOUT does these threat reports and on a pretty regular cadence, I have to think that the first half of 2020, we'll dig into this a little bit, is a little different because I know everybody when they had their plans at the beginning of 2020, by the time we got to March, we kind of shredded them and started over or made some serious adjustments. So why don't you introduce us to this? And then we'll talk specifically about the first half 2020 results. >> Right, thanks, Stu. So I'm here to speak about the fifth NETSCOUT threat intelligence report. So this is something that we do every six months in my team, in particular, the NETSCOUT threat intelligence organization, we maintain visibility across the internet and in particular threat activity across the internet, and very specifically with a strengthened DDoS activity. And so, you know, there's a lot of data that we have collected. There's a lot of analysis that we conduct on a regular basis. And then every six months, we try to roll this up into a report that gives you a view into everything that's happened across the landscape. So this is our report for the first half of the year. So through June 2020, and yes, you know, as we came into March 2020, everything changed. And in particular, when, you know, the pandemic kind of set upon us, you know, countries, entire continents went into lockdown and we intuited that this would have an impact on the threat landscape. And you know, this is even as we've been reporting through it, this is our first drill of roll up and look at really everything that happened and everything that changed in the first half of 2020. >> Yeah. It absolutely had such a huge impact. You know, my background, Hardik, is in networking. You think about how much over the last decade we've built out, you know, those corporate networks, all the Wi-Fi environments, all the security put there, and all of a sudden, well, we had some people remote, now everybody is remote. And you know, that has a ripple on corporate IT as well as, you know, those of us at home that have to do the home IT piece there. So why don't you give us a look inside the report? What are some of the main takeaways that the report had this time? >> No, so you're right, the network became everything for us and the network became how we, how our students attended school, right? And how we did our shopping, you know, how we did certainly finance and most definitely how for a lot of us how we did work, and suddenly the network, which, you know, certainly was a driver for productivity, and just business worldwide suddenly became that much more central. And so, we tend to look at the network, both sort of at the enterprise level, but then also a lot of what we get to see is at the service provider level. So what's happening on the big networks worldwide, and that's what we've rolled up into this report. So a few things that I want to kind of highlight from the report, the first thing is there were a lot of DDoS attacks. So we recorded through our visibility, 4.83 million DDoS attacks in the first six months of the year. That's almost 30,000 attacks a day. And you know, it's not like we hear about 30,000 outages every day. Certainly aren't 30,000 outages every day, but you know, this is an ongoing onslaught, for anybody who exists on the internet, and this didn't update at all through the first half of the year. If you kind of go like, just look at the numbers, it went up 15% for the same period year on year. But then as you enter into March, and in particular, the date when the WHO sort of announced the global pandemic, that's essentially the start that we marked. From that day onwards, the rise in attacks year on year for the same period, you know, a year ago was 25%. So that really, just in sheer numbers a lot changed. And then, you know, as we go a level deeper, and we look at like the nature of these attacks. You know, a lot of that actually has evolved considerably, over the past few years. And then in particular, like we're able to highlight a few stats in the first half of the year, and certainly like a lot of the drivers for this, the technical drivers are understood. And then there's just the human drivers for this, right? And we understand that a lot more people are at home. A lot more people are reliant on the internet and, you know, just sad to say, but you know, certainly also a lot more people aren't as engaged with school, with work, with society at large. And these tend to have knock on effects across large, a lot of things that we do in life, but also in like cyber crime and in particular, like in the DDoS space. >> Maybe if you could for our audience, I think they're in general familiar with DDoS, it's typically when, you know, sites get overwhelmed with traffic, different from say, everybody working at home is it'd be a little bit more cautious about phishing attacks. You're getting, you know, links and tax links in email, "Super important thing, please check this," please don't click those links. Does this impact, you know, those workers at home or is it, you know, all the corporate IT and all the traffic going through those that there's ways that they can stop, halt that, or, you know, interfere, get sensitive data? >> That's a really good point. And in large parts, I mean, and like with a lot of other kind of cyber crime activity, this is primarily felt inside the enterprise. And so the, as far as like, you know, companies are concerned and people who are using VPN and other kinds of remote access to get to critical resources, the key challenge here is the denial of availability. And so, okay. So you're right. Let's take a step back. DDoS, distributed denial of service. This is typically when like a large polarity of devices are used to direct traffic towards a device on the internet. And we typically think of this as a site. And so maybe, your favorite newspaper went down because of a DDoS attack, or you couldn't get to your bank or your retail, you know, e-commerce as a result of the DDoS attack, but this plays out in many different ways, including the inability for people to access work, just because their VPN concentrators have been DDOSed. I think, you know, just coming back to the split between people who work for a company and the company themselves, ultimately it's a shared responsibility, there's some amount of best practices that employees can follow. I mean, a lot of this enforcement and, you know, primarily ensuring that your services are running to expectation, as always, there's going to be the responsibility of the enterprise and something that enterprise security typically will want to cater for. >> All right. And how are these attacks characterized? You said it was up significantly 15% for the half year, overall, 25% overall, anything that differentiates big attacks, small attacks? Do we know how many of them actually freeze a site or pause how much activity is going on? >> Right, so what I will say is that within just those numbers, and we're simply just counting attacks, right? Even within those numbers, a key aspect that has changed is the rise in what we call multi-vector attacks. And so these are attacks in which they're, you go back maybe five years, certainly like going back further, typically a DDoS attack would involve a single technique that was being used to cause damage. And then over time, as many techniques were developed and new vulnerable services are discovered on the internet, what we find is that there's, you know, occasionally there would be a combination of these vectors, as we call them, being used against the target. And so a big thing that has changed within the last two years is what we think of as the rise in multi-vector attacks. And what we are seeing is that attacks that involve even 15 separate vectors are up considerably, over 1000% compared to the same time last year, and correspondingly attacks that involve a single vector are down in a really big way. And so we're just seeing a shift in the general, the techniques that are used within these attacks, and, you know, that has been considerable over certainly, you know, the same time 2019. But if you go back two years, even, it would seem like a complete sea change. >> What other key things, key learnings did you have from the survey this year that you can share? >> Yeah, so one thing I want to highlight that, you know, we kind of, and I think it's been implicit in some of your questions, certainly in many conversations that I have, like, what is the cost of these attacks? You know, what is ultimately the impact of these attacks on society? And one of the ways in which we tend to think of the impact is in simply like outages, like an e-commerce site that does a certain amount of business every day, you know, they can easily recognize that "All right, if I'm off for a day, for two days, for seven days, here's the impact to my business." So that tends to be understood at the individual enterprise level. Another cost that that often is well recognized as like the cost of mitigating attacks. And so now there's, whether it's the service provider, the enterprise themselves, other forms of business or other entities who will invest in mitigation techniques and capacity, those costs tend to kind of rack up. What we have done, and thanks to our kind of really unique visibility into service provider networks worldwide. What we've been able to do is extract essentially the, what we call the DDoS attack coefficient. And this is, think of it as like, here's how much DDoS attack traffic is going on worldwide or across any set of networks at any given time. So if you had zero DDoS in the world, that number will be zero, but it most definitely is not. You know, there's, we have represented numbers for different parts of the world. This can be many, many, many gigabits per second, many terabits per second. And essentially there's a, even just a transit cost for carrying this traffic from one point to another. And that is actually like the, you know, what we call the DDoS attack coefficient. And that cost is something that I want to highlight is being borne by everyone. So this ultimately is what shows up in your internet bills, whether you're a residential subscriber, whether you're using your phone and paying for internet through your phone, or you're an enterprise, and now you have network connections for your service providers, because ultimately this is a cost that we're bearing as a society. This is the first time that we've actually conducted research into this phenomenon. And I'm proud to say that we've captured this split across multiple geographies of the world. >> Yeah. It's been a big challenge these days. The internet is a big place, there's worry about fragmentation of the internet. There's worry about some of the countries out there, as well as some of the large, multinational global companies out there, really are walling our piece of the internet. Hardik, one thing I'm curious about, we talked about the impact of work from home and have a more distributed workforce. One of the other big mega trends we've been seeing even before 2020 is the growth of edge computing. You talk about the trillions of IOT devices that will be out there. Does DDoS play into this? You know, I just, the scenario runs through my mind. "Okay, great. We've got all these vehicles running that has some telemetry," all of a sudden, if they can't get their telemetry, that's a big problem. >> Yeah. So this is both the, this is the devices themselves and the, basically the impact that you could see from an attack on them. But more often what we see on the internet in the here and now is actually the use of these devices to attack other more established entities on the internet. So then, so for us now, for many years, we've been talking about the use of IOT devices in attacks, and simply the fact that so many devices are being deployed that are physically, they're vulnerable from the get-go, insecure at birth, essentially, and then deployed across the internet. You know, even if they were secure to start, they often don't have update mechanisms. And now, they, over a period of time, new vulnerabilities are discovered in those devices and they're used to attack other devices. So in this report, we have talked about a particular family of malware called Mirai, and Mirai has been around since 2016, been used in many high profile attacks. And over time there have been a number of variations to Mirai. And, you know, we absolutely keep track of the growth in these variations and the kinds of devices where they attack. Sorry, that they compromise, and then use to attack other targets. We've also kind of gone into another malware family that has been talked about a bit called Lucifer, and Lucifer was another, I think originally more Microsoft Windows, so you're going to see it more on your classic kind of client and server kind of computing device. But over time, we've seen, we have reported on Linux variants of Lucifer that not only can be installed on Linux devices, but also have DDoS capabilities. So we're tracking like the emergence of new botnets. Still, Stu, going straight back to your question. They are, this is where IOT, you know, even for all the promise that it holds for us as society, you know, if we don't get this right, there's a lot of pain in our future just coming from the use of these devices in attacks. >> Well, I thought it was bad enough that we had an order of magnitude more surface area to defend against on, I hadn't really thought about the fact that all of these devices might be turned into an attack vector back on what we're doing. Alright, Hardik. So you need to give us some, the ray of hope here. We've got all of these threats out here. How's the industry doing overall defending against this, what more can be done to stop these threats? What are some of the actions people, and especially enterprise techs should be doing? >> Yeah, so I absolutely start with just awareness. This is why we publish the report. This is why we have resources like NETSCOUT Cyber Threat Horizon that provides continuous visibility into attack activity worldwide. So it absolutely just starts with that. We're actually, this is not necessarily a subject of the report because it's happened in the second half of the year, but there have been a wave of high profile attacks associated with extortion attempts, over the past month. And, these attacks aren't necessarily complex, like the techniques being used aren't novel. I think in many ways, these are the things that we would have considered maybe run of the mill, at least for us on the research side and the people who live this kind of stuff, but, they have been successful, and a number of companies right now, a number of entities worldwide right now are kind of rethinking what they're doing in particular DDoS protection. And for us, you know, our observation is that this happens every few years, where every few years, there's essentially a reminder that DDoS is a threat domain. DDoS typically will involve an intelligent adversary on the other side, somebody who wants to cause you harm. To defend against it, there are plenty of well known kind of techniques and methodology, but that is something that enterprises, all of us, governments, service providers, those of us on the research side have to kind of stay on top of, keep reminding ourselves of those best practices and use them. And, you know, I'll say that again, for me, the ray of hope is that we haven't seen a new vector in the first six months of the year, even as we've seen a combination of other known vectors. And so for these, just from that perspective, there's these attacks we should be able to defend against. So that's essentially where I leave this, in terms of the hope for the future. >> Alright, Hardik, what final tips do you have? How do people get the report itself and how do they keep up? Where do you point everyone to? >> Yes, so the report itself is going to be, is live on the 29th of September 2020. It will be available at NETSCOUT.com/threatreport. I'll also point you to another resource, Cyber Threat Horizon, that gives you more continuous visibility into a tech activity, and that's NETSCOUT.com/horizon. And so these are the key resources that I leave you with, again, this is, there's plenty to be hopeful about. As I said, there hasn't been a new vector that we've uncovered in the first six months of the year, as opposed to seven vectors in the year 2019. So, that is something that certainly gives me hope. And, for the things that we've talked about in the report, we know how to defend against them. So, this is something that I think with action, we'll be able to live through just fine. >> Well, Hardik, thanks so much for sharing the data, sharing the insight, pleasure catching up with you. >> Okay. Likewise, Stu, thank you. >> All right, and be sure to check out theCUBE.net for all of the videos we have, including many of the upcoming events. I'm Stu Miniman and thank you for watching theCUBE. (calm music)

>> Announcer: From theCUBE studios in Palo Alto and Boston, connecting with thought leaders all around the world, this is a CUBE Conversation. >> Hi, I'm Stu Miniman, and this is a special CUBE Conversation coming to us from our Boston area studio. We know that so much has changed in 2020 with the global pandemic on, with people working from home, staying safe is super important, and that especially is true when it comes to the threats that are facing us. So really happy to welcome to the program Hardik Modi, we're going to be talking about the NETSCOUT threat intelligence report for the first half of 2020. Hardik's the AVP of engineering for threat and mitigation products. Hardik, thanks so much for joining us. >> Thanks Stu, it's great to be here. Thanks for having me. >> Alright, so first set this up. This is NETSCOUT does these threat reports and on a pretty regular cadence, I have to think that the first half of 2020, we'll dig into this a little bit, is a little different because I know everybody when they had their plans at the beginning of 2020, by the time we got to March, we kind of shredded them and started over or made some serious adjustments. So why don't you introduce us to this? And then we'll talk specifically about the first half 2020 results. >> Right, thanks, Stu. So I'm here to speak about the fifth NETSCOUT threat intelligence report. So this is something that we do every six months in my team, in particular, the NETSCOUT threat intelligence organization, we maintain visibility across the internet and in particular threat activity across the internet, and very specifically with a strengthened DDoS activity. And so, you know, there's a lot of data that we have collected. There's a lot of analysis that we conduct on a regular basis. And then every six months, we try to roll this up into a report that gives you a view into everything that's happened across the landscape. So this is our report for the first half of the year. So through June 2020, and yes, you know, as we came into March 2020, everything changed. And in particular, when, you know, the pandemic kind of set upon us, you know, countries, entire continents went into lockdown and we intuited that this would have an impact on the threat landscape. And you know, this is even as we've been reporting through it, this is our first drill of roll up and look at really everything that happened and everything that changed in the first half of 2020. >> Yeah. It absolutely had such a huge impact. You know, my background, Hardik, is in networking. You think about how much over the last decade we've built out, you know, those corporate networks, all the Wi-Fi environments, all the security put there, and all of a sudden, well, we had some people remote, now everybody is remote. And you know, that has a ripple on corporate IT as well as, you know, those of us at home that have to do the home IT piece there. So why don't you give us a look inside the report? What are some of the main takeaways that the report had this time? >> No, so you're right, the network became everything for us and the network became how we, how our students attended school, right? And how we did our shopping, you know, how we did certainly finance and most definitely how for a lot of us how we did work, and suddenly the network, which, you know, certainly was a driver for productivity, and just business worldwide suddenly became that much more central. And so, we tend to look at the network, both sort of at the enterprise level, but then also a lot of what we get to see is at the service provider level. So what's happening on the big networks worldwide, and that's what we've rolled up into this report. So a few things that I want to kind of highlight from the report, the first thing is there were a lot of DDoS attacks. So we recorded through our visibility, 4.83 million DDoS attacks in the first six months of the year. That's almost 30,000 attacks a day. And you know, it's not like we hear about 30,000 outages every day. Certainly aren't 30,000 outages every day, but you know, this is an ongoing onslaught, for anybody who exists on the internet, and this didn't update at all through the first half of the year. If you kind of go like, just look at the numbers, it went up 15% for the same period year on year. But then as you enter into March, and in particular, the date when the WHO sort of announced the global pandemic, that's essentially the start that we marked. From that day onwards, the rise in attacks year on year for the same period, you know, a year ago was 25%. So that really, just in sheer numbers a lot changed. And then, you know, as we go a level deeper, and we look at like the nature of these attacks. You know, a lot of that actually has evolved considerably, over the past few years. And then in particular, like we're able to highlight a few stats in the first half of the year, and certainly like a lot of the drivers for this, the technical drivers are understood. And then there's just the human drivers for this, right? And we understand that a lot more people are at home. A lot more people are reliant on the internet and, you know, just sad to say, but you know, certainly also a lot more people aren't as engaged with school, with work, with society at large. And these tend to have knock on effects across large, a lot of things that we do in life, but also in like cyber crime and in particular, like in the DDoS space. >> Maybe if you could for our audience, I think they're in general familiar with DDoS, it's typically when, you know, sites get overwhelmed with traffic, different from say, everybody working at home is it'd be a little bit more cautious about phishing attacks. You're getting, you know, links and tax links in email, "Super important thing, please check this," please don't click those links. Does this impact, you know, those workers at home or is it, you know, all the corporate IT and all the traffic going through those that there's ways that they can stop, halt that, or, you know, interfere, get sensitive data? >> That's a really good point. And in large parts, I mean, and like with a lot of other kind of cyber crime activity, this is primarily felt inside the enterprise. And so the, as far as like, you know, companies are concerned and people who are using VPN and other kinds of remote access to get to critical resources, the key challenge here is the denial of availability. And so, okay. So you're right. Let's take a step back. DDoS, distributed denial of service. This is typically when like a large polarity of devices are used to direct traffic towards a device on the internet. And we typically think of this as a site. And so maybe, your favorite newspaper went down because of a DDoS attack, or you couldn't get to your bank or your retail, you know, e-commerce as a result of the DDoS attack, but this plays out in many different ways, including the inability for people to access work, just because their VPN concentrators have been DDOSed. I think, you know, just coming back to the split between people who work for a company and the company themselves, ultimately it's a shared responsibility, there's some amount of best practices that employees can follow. I mean, a lot of this enforcement and, you know, primarily ensuring that your services are running to expectation, as always, there's going to be the responsibility of the enterprise and something that enterprise security typically will want to cater for. >> All right. And how are these attacks characterized? You said it was up significantly 15% for the half year, overall, 25% overall, anything that differentiates big attacks, small attacks? Do we know how many of them actually freeze a site or pause how much activity is going on? >> Right, so what I will say is that within just those numbers, and we're simply just counting attacks, right? Even within those numbers, a key aspect that has changed is the rise in what we call multi-vector attacks. And so these are attacks in which they're, you go back maybe five years, certainly like going back further, typically a DDoS attack would involve a single technique that was being used to cause damage. And then over time, as many techniques were developed and new vulnerable services are discovered on the internet, what we find is that there's, you know, occasionally there would be a combination of these vectors, as we call them, being used against the target. And so a big thing that has changed within the last two years is what we think of as the rise in multi-vector attacks. And what we are seeing is that attacks that involve even 15 separate vectors are up considerably, over 1000% compared to the same time last year, and correspondingly attacks that involve a single vector are down in a really big way. And so we're just seeing a shift in the general, the techniques that are used within these attacks, and, you know, that has been considerable over certainly, you know, the same time 2019. But if you go back two years, even, it would seem like a complete sea change. >> What other key things, key learnings did you have from the survey this year that you can share? >> Yeah, so one thing I want to highlight that, you know, we kind of, and I think it's been implicit in some of your questions, certainly in many conversations that I have, like, what is the cost of these attacks? You know, what is ultimately the impact of these attacks on society? And one of the ways in which we tend to think of the impact is in simply like outages, like an e-commerce site that does a certain amount of business every day, you know, they can easily recognize that "All right, if I'm off for a day, for two days, for seven days, here's the impact to my business." So that tends to be understood at the individual enterprise level. Another cost that that often is well recognized as like the cost of mitigating attacks. And so now there's, whether it's the service provider, the enterprise themselves, other forms of business or other entities who will invest in mitigation techniques and capacity, those costs tend to kind of rack up. What we have done, and thanks to our kind of really unique visibility into service provider networks worldwide. What we've been able to do is extract essentially the, what we call the DDoS attack coefficient. And this is, think of it as like, here's how much DDoS attack traffic is going on worldwide or across any set of networks at any given time. So if you had zero DDoS in the world, that number will be zero, but it most definitely is not. You know, there's, we have represented numbers for different parts of the world. This can be many, many, many gigabits per second, many terabits per second. And essentially there's a, even just a transit cost for carrying this traffic from one point to another. And that is actually like the, you know, what we call the DDoS attack coefficient. And that cost is something that I want to highlight is being borne by everyone. So this ultimately is what shows up in your internet bills, whether you're a residential subscriber, whether you're using your phone and paying for internet through your phone, or you're an enterprise, and now you have network connections for your service providers, because ultimately this is a cost that we're bearing as a society. This is the first time that we've actually conducted research into this phenomenon. And I'm proud to say that we've captured this split across multiple geographies of the world. >> Yeah. It's been a big challenge these days. The internet is a big place, there's worry about fragmentation of the internet. There's worry about some of the countries out there, as well as some of the large, multinational global companies out there, really are walling our piece of the internet. Hardik, one thing I'm curious about, we talked about the impact of work from home and have a more distributed workforce. One of the other big mega trends we've been seeing even before 2020 is the growth of edge computing. You talk about the trillions of IOT devices that will be out there. Does DDoS play into this? You know, I just, the scenario runs through my mind. "Okay, great. We've got all these vehicles running that has some telemetry," all of a sudden, if they can't get their telemetry, that's a big problem. >> Yeah. So this is both the, this is the devices themselves and the, basically the impact that you could see from an attack on them. But more often what we see on the internet in the here and now is actually the use of these devices to attack other more established entities on the internet. So then, so for us now, for many years, we've been talking about the use of IOT devices in attacks, and simply the fact that so many devices are being deployed that are physically, they're vulnerable from the get-go, insecure at birth, essentially, and then deployed across the internet. You know, even if they were secure to start, they often don't have update mechanisms. And now, they, over a period of time, new vulnerabilities are discovered in those devices and they're used to attack other devices. So in this report, we have talked about a particular family of malware called Mirai, and Mirai has been around since 2016, been used in many high profile attacks. And over time there have been a number of variations to Mirai. And, you know, we absolutely keep track of the growth in these variations and the kinds of devices where they attack. Sorry, that they compromise, and then use to attack other targets. We've also kind of gone into another malware family that has been talked about a bit called Lucifer, and Lucifer was another, I think originally more Microsoft Windows, so you're going to see it more on your classic kind of client and server kind of computing device. But over time, we've seen, we have reported on Linux variants of Lucifer that not only can be installed on Linux devices, but also have DDoS capabilities. So we're tracking like the emergence of new botnets. Still, Stu, going straight back to your question. They are, this is where IOT, you know, even for all the promise that it holds for us as society, you know, if we don't get this right, there's a lot of pain in our future just coming from the use of these devices in attacks. >> Well, I thought it was bad enough that we had an order of magnitude more surface area to defend against on, I hadn't really thought about the fact that all of these devices might be turned into an attack vector back on what we're doing. Alright, Hardik. So you need to give us some, the ray of hope here. We've got all of these threats out here. How's the industry doing overall defending against this, what more can be done to stop these threats? What are some of the actions people, and especially enterprise techs should be doing? >> Yeah, so I absolutely start with just awareness. This is why we publish the report. This is why we have resources like NETSCOUT Cyber Threat Horizon that provides continuous visibility into attack activity worldwide. So it absolutely just starts with that. We're actually, this is not necessarily a subject of the report because it's happened in the second half of the year, but there have been a wave of high profile attacks associated with extortion attempts, over the past month. And, these attacks aren't necessarily complex, like the techniques being used aren't novel. I think in many ways, these are the things that we would have considered maybe run of the mill, at least for us on the research side and the people who live this kind of stuff, but, they have been successful, and a number of companies right now, a number of entities worldwide right now are kind of rethinking what they're doing in particular DDoS protection. And for us, you know, our observation is that this happens every few years, where every few years, there's essentially a reminder that DDoS is a threat domain. DDoS typically will involve an intelligent adversary on the other side, somebody who wants to cause you harm. To defend against it, there are plenty of well known kind of techniques and methodology, but that is something that enterprises, all of us, governments, service providers, those of us on the research side have to kind of stay on top of, keep reminding ourselves of those best practices and use them. And, you know, I'll say that again, for me, the ray of hope is that we haven't seen a new vector in the first six months of the year, even as we've seen a combination of other known vectors. And so for these, just from that perspective, there's these attacks we should be able to defend against. So that's essentially where I leave this, in terms of the hope for the future. >> Alright, Hardik, what final tips do you have? How do people get the report itself and how do they keep up? Where do you point everyone to? >> Yes, so the report itself is going to be, is live on the 29th of September 2020. It will be available at NETSCOUT.com/threatreport. I'll also point you to another resource, Cyber Threat Horizon, that gives you more continuous visibility into a tech activity, and that's NETSCOUT.com/horizon. And so these are the key resources that I leave you with, again, this is, there's plenty to be hopeful about. As I said, there hasn't been a new vector that we've uncovered in the first six months of the year, as opposed to seven vectors in the year 2019. So, that is something that certainly gives me hope. And, for the things that we've talked about in the report, we know how to defend against them. So, this is something that I think with action, we'll be able to live through just fine. >> Well, Hardik, thanks so much for sharing the data, sharing the insight, pleasure catching up with you. >> Okay. Likewise, Stu, thank you. >> All right, and be sure to check out theCUBE.net for all of the videos we have, including many of the upcoming events. I'm Stu Miniman and thank you for watching theCUBE. (calm music)

>>buy from San Francisco. It's the queue covering our essay conference 2020. San Francisco Brought to you by Silicon Angle Media >>Hey, welcome back here. Ready? Jeff Frick here with the Cube. We're in downtown San Francisco. It is absolutely spectacular. Day outside. I'm not sure why were incited. Mosconi. That's where we are. It's the RCC conference, I think 50,000 people the biggest security conference in the world here in Mosconi this week. We've been here, wall to wall coverage. We'll be here all the way till Thursday. So thanks for joining us. We're excited to have our next guest. He's got a lot of great data to share, so let's jump into it. It's hard mode. He's a VP engineering threat and mitigation products for nets. Cowhearted. Great to meet you. >>Thank you. Good to be here, >>too. So for people who aren't familiar with Net Scout, give em kind of the basic overview. What do you guys all about? Yes, and that's what we consider >>ourselves their guardians of the connected world. And so our job is to protect, like, you know, companies, enterprises, service providers, anybody who has on the Internet and help keep their services running your applications and things returned deliver to your customers would make sure that it's up there performing to, like, you know the way you want them to, but also kind of give you visibility and protect you against DDOS attacks on other kind of security threats. That's basically in a nutshell. What we do as a company and, yeah, wear the garden of connected world. >>So So I just from a vendor point of the I always I feel so sorry for >>buyers in this environment because you walk around. I don't know how many vendors are in here. A lot of >>big boost, little boost. So how do you kind of help separate? >>You know, Netsch out from the noise? How what's your guys? Secret sauce? What's your kind of special things? >>Really, it's like 30 years >>off investment in like, network based visibility, and >>we truly >>believe in the network. Our CEO, he says, like you know the network like, you know, actually, when you monitor the network, it's like taking a blood test. It tells you the truth, right? And it's really like how you find out, like, you know, some things right or wrong. I mean, I actually, for my background to like network monitoring. There's a lot of our what we think of as like the endpoint is actually contested territory. That's where the adversary is. When you're on the network and your monitoring all activity, it really gives you a vantage point. You know, that's >>really special. So we really focus on the network. Our heritage and the network is is one of our key strengths and then, you know, as part of >>us as a company like Arbor Arbor. Networks with coming in that's got acquired some years ago were very much part of Net Scout with our brand of products. Part of that, you know, the Arbor legacy includes huge visibility into what's happening across the Internet and visibility like nobody else like in terms of the number of service providers and large enterprises who work with us, help us understand what's happening across the landscape. That's like nobody else out here. And that is what we consider a key differentiator. >>Okay, great. So one of the things you guys do >>a couple times years, I understand his publisher reporting solution, gift people. Some information as to what's going on. So we've got the We've >>got the version over four here. Right Net scout threat, intelligence report. So you said this comes out twice a year, twice a year. So what is the latest giving some scoop >>here, Hot off the presses we published last week. Okay, so it's really just a few days old and, you know, our focus here is what happened in the last six months of last year. So that and then what we do is we compare it against data that we've collected a year prior. >>So really a few things >>that we want you to remember if you're on the right, you know, the first number is 8.4 million. That's the number of D DOS attacks that >>we saw. This doesn't mean that >>we've seen every attack, you know, in the world, but that's like, you know just how many DDOS attacks we saw through the eyes of our customers. That's >>in this in six months. 8.4 number is >>actually for the entire year here in an entire year of 2019. There's a little bit of seasonality to it. So if you think of it like a 4.4, maybe something that that was the second half of the year. But that's where I want to start. That's just how many DDOS attacks we observed. And so, in the >>course of the report, what we can do a >>slice and dice that number talk about, like, different sizes, like, what are we seeing? Between zero and 100 gigabits per 2nd 102 104 100 above and >>kind of give you a sense of just what kind of this separation there is who is being targeted >>like we had a very broad level, like in some of the verticals and geographies. We kind of lay out this number and give you like, a lot of contact. So if you're if you're in finance and you're in the UK, you want to know like, Hey, what happened? What happened in Europe, for example, In the past 66 months, we have that data right, and we've got to give you that awareness of what's happening now. The second number I want you to remember is seven seven or the number of new attack vectors reflection application attack vectors that we observed being used widely in in in the second half. >>Seven new 17 new ones. So that now kind of brings our tally >>up to 31 like that. We have those listed out in here. We talk about >>just how much? Uh huh. Really? Just how many of these vectors, how they're used. Also, these each of these vectors >>leverage vulnerabilities in devices that are deployed across the Internet. So we kind of laid out like, you know, just how many of them are out there. But that's like, You know that to us seven is reflecting how the adversary is innovating. They're looking for new ways to attack us. They've found 71 last year. They're going to war, right? Right. And that's that's kind of what we focus on. >>Let's go back to the 8.4. So of those 8.4 million, how many would you declare >>successful from the attacker point of view? >>Yeah, You know something that this is always >>like, you know, you know, it's difficult to go estimate precisely or kind of get within some level of >>precision. I think that you know, the the adversaries, always trying to >>of course, they love to deliver a knockout blow and like all your services down but even like every attack inflicts a cost right and the cost is whether it's, you know, it's made its way all the way through to the end target. And now you know, they're using more network and computing resource is just to kind of keep their services going while they're under attack. The attack is low, You're still kind of you. You're still paying that cost or, you know, the cost of paid upstream by maybe the service provider. Somebody was defending your network for you. So that way, like, you know, there's like there's a cost to every one of these, right? In >>terms of like outages. I should also point out that the attacks that you might think >>that this attack is like, you know, hey, you know, there was a specific victim and that victim suffered as a result of but >>in many cases, the adversaries going after people who are providing services to others. So I mean, if a Turkish bank >>goes down right, like, you know, our cannot like services, customers for a month are maybe even a few hours, right, And you know, the number of victims in this case is fairly broad. Might be one attacks that might be one target, however, like the impact is fairly, >>is very large. What's interesting is, have begs a question. Kind of. How do you >>define success or failure from both the attacker's point of view as well as the defender? >>Yeah, I mean, I mean and again, like there's a lot of conversation in the industry about for every attack, right? Any kind of attack. What? When do I say that? You know what? I was ready for it. And, you know, I was I was fine. I mean, I don't care about, you know, ultimately, there's a cost to each of these things. I'd say that everybody kind of comes at it with their You know, if you're a bank, that you might go. Okay. You know what? If my if I'm paying a little bit extra to keep the service up and running while the Attackers coming at me, No problem. If I if my customers air aren't able to log in, some subset of my customers aren't able to log in. Maybe I can live through that. A large number of my customers can't log in. That's actually a really big problem. And if it's sustained, then you make your way into the media or you're forced to report to the government by like, outages are like, You know, maybe, you know, you have to go to your board and go like a sorry, right? Something just happened. >>But are the escalation procedures >>in the definition of consistency? Right? Getting banged all the time right? And there's something like you said, there's some disruption at some level before it fires off triggers and remediation. So so is there some level of okay, that's kind of a cost of doing business versus, you know, we caught it at this. They're kind of like escalation points that define kind of very short of a full line. >>I think when we talk to our service provider customers, we talked to the very large kind of critical enterprises. They tend to be more methodical about how they think of like, Okay, you know, degradation of the service right now, relative to the attack. I think I think for a lot of people, it's like in the eyes of the beholder. Here's Here's something. Here's an S L. A. That I missed the result of the attack at that point. Like you know, I have, I certainly have a failure, but, you know, it's it's up until there is kind of like, Okay, you're right >>in the eyes the attacker to delay service >>at the at the Turkish bank because now their teams operate twice, twice the duration per transaction. Is it? Just holding for ransom is what benefit it raises. A range >>of motivations is basically the full range of human nature. There's They're certainly like we still see attacks that are straight journalism. I just I just cause I could just I wanted I wanted to write. I wanted to show my friend like, you know, that I could do this. There's there's definitely a lot of attacks that have that are like, you know, Hey, I'm a gamer and I'm like, you know, there's I know that person I'm competing with is coming from this I p address. Let me let me bombard them with >>an attack. And you know, there's a huge kind of it could be >>a lot of collateral damage along the way because, you know, you think you're going after this one person in their house. But actually, if you're taking out the network upstream and there's a lot of other people that are on that network, like you know, there's certain competitive element to it. They're definitely from time to time. There are extortion campaigns pay up or we'll do this again right in some parts of the world, like in the way we think of it. It's like cost of doing business. You are almost like a business dispute resolution. You better be. You know, you better settle my invoice or like I'm about, Maybe maybe I'll try and uses take you out crazy. Yeah, >>it, Jeff. I mean things >>like, you know the way talked about this in previous reports, and it's still true. There's especially with d dos. There's what we think of it, like a democratization off the off the attack tools where you don't have to be technical right. You don't have to have a lot of knowledge, you know, their services available. You know, like here's who I'm going to the market by the booth, so I'd like to go after and, you know, here's my $50 or like a big point equivalent. All right, >>let's jump to >>the seven. We talked about 8.4 and the seven new attack vectors and you outline, You know, I think, uh, the top level themes I took from the summary, right? Weaponizing new attack vectors, leveraging mobile hot spots targeting compromised in point >>about the end points. I o t is >>like all the rage people have mess and five G's just rolling out, which is going to see this huge i o t expansion, especially in industrial and all these connected devices and factories in from that power people. How are people protecting those differently now, as we're getting to this kind of exponential curve of the deployment of all these devices, >>I mean, there are a lot of serious people thinking about how to protect individual devices, but infrastructure and large. So I'm not gonna go like, Hey, it's all bad, right? Is plenty back on it all to be the next number, like 17 and 17 as the number of architectures for which Amir, I mean, I was really popular, like in a bar right from a few years ago. That still exists. But over time, what's happened is people have reported Mirai to different architectures so that, you know, think of it like, you know, if you have your your refrigerator connected to the Internet, it comes. It's coming with a little board, has CPU on it like >>running a little OS >>runs and runs in the West on it. Well, there's a Mirai variant ready for that. Essentially, as new devices are getting deployed like, you know, there's, you know, that's kind of our observation that there's even as new CPUs are introduced, a new chips or even the West they're introduced. There's somebody out there. We're ready to port it to that very now, Like, you know, the next level challenges that these devices, you know, they don't often get upgraded. There's no real. In many cases, they're not like, you know, there's very little thought given to really kind of security around it. Right? There are back doors and, like default passwords used on a lot of them. And so you take this combination. I have a whole you know, we talk about, you know, large deployments of devices every year. So you have these large deployments and now, you know, bought is just waiting for ready for it Now again, I will say that it's not. It's not all bad, but there are serious people who were thinking about this and their devices that are deployed on private networks. From the get go, there was a VPN tunnel back to a particular control point that the the commercial vendor operates. I mean, there are things like that, like, hardening that people have done right, So not every device is gonna find its way into a botnet. However, like, you know, you feel like you're getting a toy like Christmas and against $20 you know, and it can connect to the Internet. The odds are nobody's >>thinking not well. The thing we've heard, too, about kind of down the i t and kind of bringing of operations technology and I t is. A lot of those devices weren't developed for upgrades and patches, and Lord knows what Os is running underneath the covers was a single kind of use device. It wasn't really ever going to be connected to the outside world. But now you're connecting with the I t. Suddenly exposing a whole host of issues that were never kind of part of the plan when whoever designed that thing in the first place for sure for sure is crazy. Alright, so that's that. Carpet bombing tactics, increased sector attack, availability. What is there's carpet bomb and carpet bombing generally? What's going on in this space? >>Well, so carpet bombing is a term that we applied a few years ago to a kind of a variation of attack which, like >>traditionally, you know, we see an attack >>against a specific I P address or a specific domain, right? That's that's where that's what I'm targeting. Carpet bombing is taking a range of API's and go like, you know, hey, almost like cycling through every single one of them. So you're so if your filters, if your defense is based on Hey, if my one server sees a spike, let me let me block traffic while now you're actually not seeing enough of a spike on an individual I p. But across a range there's a huge you know, there's a lot of traffic that you're gonna be. >>So this is kind of like trips people >>up from time to time, like are we certainly have defensive built for it. But >>now what? We're you know, it's it's really like what we're seeing is the use >>off Muehr, our other known vectors. We're not like, Okay, C l dap is a protocol feel that we see we see attacks, sealed up attacks all the time. Now what we're >>seeing is like C l >>dap with carpet bombing. Now we're seeing, like, even other other reflection application protocols, which the attack isn't like an individual system, but instead the range. And so that's that's what has changed. Way saw a lot of like, you know, TCP kind of reflection attacks, TCP reflection attacks last year. And then and then the novelty was that Now, like okay, alongside that is the technique, right? Carpet bombing technique. That's that's a pipe >>amounts never stops right? Right hard. We're out of time. I give you the final word. One. Where can people go get the information in this report? And more importantly, for people that aren't part of our is a matter that you know kind of observers or they want to be more spark. How should they be thinking about security when this thing is such a rapidly evolving space? >>So let me give you two resource is really quickly. There's this this >>report available Dub dub dub dub dot com slash threat report. That's that's that's what That's where this report is available on Google Next Threat report and you'll find your way there. We've also, you know, we made another platform available that gives you more continuous visibility into the landscape. So if you read this and like Okay, what's happening now? Then you would go to what we call Met Scout Cyber Threat Horizon. So that's >>kind of tell you >>what's happening over the horizon. It's not just like, you know, Hey, what's what am I seeing? What are people like me seeing maybe other people other elsewhere in the world scene. So that's like the next dot com slash horizon. Okay, to find >>that. And I think like between those two, resource is you get >>access to all of our visibility and then, you know, really, in terms of like, our focus is not just to drive awareness, but all of this knowledge is being built into our products. So the Net's got like arbor line of products. We're continually innovating and evolving and driving like more intelligence into them, right? That's that's really? How We help protect our customers. Right >>hearted. Thanks for taking a few minutes >>and sharing the story. Thank you. 18 Scary. But I'm glad you said it's not all bad. So that's good. >>Alright, he started. I'm Jeff. You're watching the Cube. We're at the RSA conference 2020 >>Mosconi. Thanks for watching. We'll see you next time. >>Yeah, yeah, yeah.