
Tony Giandomenico, Fortinet | CUBEConversation, November 2019


 

>>From our studios in Silicon Valley, Palo Alto, California, this is a CUBE Conversation. Hi, and welcome to theCUBE studios in Palo Alto, California for another CUBE Conversation, where we go in depth with the tech leaders driving innovation across the technology industry. I'm your host, Peter Burris. Well, it's that time of quarter again. Every quarter we get together with Fortinet to discuss their Threat Landscape Report, which is one of the industry's best and most comprehensive views into how the bad guys are utilizing bad software and bad access to compromise digital business and steal digital assets. Now, this quarter's report suggests that there's not as much new stuff going on. If you look at the numbers, they're relatively flat compared to previous quarters, but that doesn't tell the real story. Underneath those numbers, we see that there is a churn. There's an incredibly dynamic world of bad actors doing bad things with old and new bad stuff to try to compromise digital business. To learn more about this dynamism and what's really happening, once again we've got a great CUBE guest. Tony Giandomenico is a senior security strategist and researcher and CTI lead at Fortinet. Tony, welcome back to theCUBE.

>>Hey Peter, it's great to be here.

>>So Tony, I started off by making this observation that the index suggests that we're in kind of a steady state, but that's not really what's happening, is it? What's really going on? What's going on inside the numbers?

>>Yeah, no, we start to see a little bit of a shift of tactics. What has happened, I think, not all the time, but sometimes, is the adversaries like to penetrate an organization where maybe us as defenders aren't necessarily as focused in on. And a great example is this: for many years we were focused on, and rightfully so, and we continue to be focused on this, being able to block a phishing email, right? We have our email security gateways to be able to not allow that email to come into the network. We also then, if for whatever reason it happens to get into the network, we focus on user awareness training to educate our users to make sure that they can identify a malicious email, that they're not clicking that link or clicking that attachment. Now, with that said, we look at the actual data in our Q3 Threat Landscape Report, and what we're seeing is the adversaries are targeting vulnerabilities that, if they were successfully exploited, would give them remote code execution, meaning that they can compromise that box further and further inside the network. Now, granted, that's been happening for many years, but we have actually seen an increase. As a matter of fact, it was number one in prevalence across all the actual regions. So with that said, I think it's worth making sure that you're looking at your edge devices or your edge services that are publicly exposed out there. Make sure that there's no vulnerabilities on them, make sure that they're not misconfigured, and also make sure that you have some type of multifactor authentication. And I think, like we've talked about many times, that threat landscape, or that threat attack surface, continues really to expand, right? You've got cloud, you have IoT. So it's becoming more and more difficult to be able to secure all those edge services. But definitely, you know, something you should take a look at.

>>And you've got more people using more mobile devices to do more things. So it sounds as though it's a combination of two things that's really driving this dynamism, right, Tony? It's one, just the raw numbers of growth in devices and opportunities, and the threat surface is getting larger and the possibility that something's misconfigured is going up, and two, that they're just trying to catch organizations by surprise. One of those is just make sure you're doing things right, but the other one is don't take your eye off the ball, isn't it? How are organizations doing as they try to expand their ability to address all of these different issues, including a bunch that are tried and true and mature that we may have stopped focusing on?

>>Yeah. You know, it's really hard, right? I always say this, and I get some mixed kind of reactions sometimes, but you can't protect and monitor everything. I mean, depending on how large your network is, it's really difficult. So really focusing on what's important, what's critical in your organization, is probably really the best approach. I mean, really kind of focusing on that. Now, with that said though, the reason why it becomes so difficult these days is the volumes of threats that we're seeing kind of come out of what I refer to as the cybercrime ecosystem, right? Where anytime, you know, anybody who wants to get into a life of cybercrime, they really don't need to know much. They just need to understand, right, where to get these particular services that they can sort of rent, right? You have malware as a service, right? You've got kind of ransomware as a service. So it's important to make sure we understand, hey, anybody can get into a life of cybercrime, and that volume is really sort of being driven by the cybercrime ecosystem.

>>Well, the threat report noted specifically that, as you said, the life of crime is getting cheaper for folks to get into, because just as we're moving from products to services in technology and in other parts of the industry, we're moving from products to services in the threat world. Talk a little bit about this, what you just said, this notion of, you know, bad guy as a service. What's happening?

>>Yeah, I actually like that, bad guy as a service. What's really kind of popular these days is ransomware as a service. As a matter of fact, in FortiGuard Labs, we were tracking for about two years or so one of the most prolific ransomware-as-a-service operations, GandCrab. Matter of fact, over the two-year period, they gleaned off about over $2 billion worth of ransoms. Now, they said that they kind of shut down, and as they started closing down operations in Q3, we saw two more variants of ransomware as a service. You know, Soden and also, I think I can pronounce it, "Nempty". I always have a hard time pronouncing all of these malware names. But anyway, these are new variants now that are coming up. And of course, anytime you get something new, the malware usually has more advanced kind of capabilities. You know, these malwares have ways to evade detection; they're looking for different services that may be on the operating system, finding ways to be able to thwart the detection of their particular malware, or if someone is analyzing that particular threat, making it longer for an analyst to be able to figure out what's going on, as well as trying to avoid different types of sandbox technologies. Now, I think that's something that actually, you know, we really worry about. But what really gets me, and I might have said this in some of the previous conversations this year, is that the tactics are also kind of changing a bit for ransomware as a service coming out of the cybercrime ecosystem. It used to be more opportunistic. There was a spray-and-pray approach, let's hope something sticks, right? Totally changed. They're becoming a lot more targeted. And one of the main reasons why is because organizations are paying large amounts of money, or the ransom, large amounts of money, to the group to have the ability to decrypt their files after they get hit with ransomware. And you've seen this right now: the adversaries are targeting organizations or industries that may not have the most robust security posture. They're focused on municipalities. You know, they're focused on cities, also state and local government. Well, we saw it earlier on this year, the city of Baltimore. We had a bunch of cities in Florida; actually, one city in Florida ended up having to pay $600,000 in a ransom to be able to have their files decrypted. And also in the state of Texas we saw a malware variant, or ransomware variant, hit about 22 municipalities throughout the state of Texas. And you know, the one other thing I think seems to be common amongst all of these victims is a lot of them have some type of insurance. So I think the bad guys are also doing some research, or doing their homework, to make sure, hey, if I'm going to spend the money to target this individual or this organization, I want to make sure that they're going to be able to, yeah, pay me the ransom.

>>They're refining their targets based on marks, which is how bad guys operate everywhere, right? You decide who your market is and what their attributes are. And because these are digital, there's also a lot more data flying around about who these marks are, how they work. As you said, the availability of insurance means that there's now a process for payment in place, because insurance demands it, and it accelerates the time from hitting them to getting paid, if I got that right.

>>Yeah, that is 100% spot on. You know, efficiency, efficiency, efficiency. I mean, we all want to get paid as fast as possible, right? Right, Peter?

>>Yeah, that's true. That's true. All right, so it's prescription time, Tony. We've talked about this for probably six or eight quarters now, and every time I ask you, what should folks do differently in the next few months? What should they do differently in the next few months?

>>Ah, you know, I like to talk a lot about how you have to have that foundational kind of infrastructure in place, having visibility and all that, and that's 100% sort of true. That doesn't change. But I think one thing that we can start doing, and this is wonderful, is sort of a project that had transpired over the last few years from the MITRE organization: the MITRE ATT&CK framework. What had happened was MITRE had gone out there and brought in, through all these open source outlets, different types of threat reports that the adversaries were documented actually doing. They took all those tactics and corresponding techniques and documented all of them in one location. So now you have a common language for you to be able to determine and be able to learn what the actors are actually doing to accomplish their cyber mission. And because now we have that, there's a trend: now organizations are starting to look at this data, understand it, and then operationalize it into their environment. And what I mean by that is they're looking at the actual tactic and the technique and, you know, understanding what it is, looking at what is the actual digital dust that it might leave behind, what's the action, and making sure that they have the right protections and detections and they're grabbing the right logs, at least, to be able to determine when that particular threat actor using that technique happens to be in their environment.

>>But it also sounds as though, you know, you noted the use of common language. It sounds as though you're suggesting that enterprises should be taking a look at these reports, studying them, reaching agreement about what they mean, the language, so that they are acculturating themselves to this more common way of doing things, because it's the ability to not have to negotiate with each other when something happens, and to practice how to respond, that really leads to a faster, more certain, more protective response, if I got that right.

>>Yeah. You know, 100%. And I'll also add, though, as you start to operationalize this MITRE ATT&CK framework and understand what the adversaries are kind of doing, you get more visibility, yeah. But then also what you're seeing is a trend of vendors starting to create what's referred to as threat actor playbooks, right? So as they discover these actual threats, they're mapping the actual tactics and techniques back to this common language. So now you have the ability to be able to say, hey, I just saw, you know, Fortinet just put this report out on this particular threat actor or this malware, and because we're leveraging a common language, they can more easily go back and see how they're actually defending against these particular TTPs. Well, and the latest one, you know, that we put out just this week was a playbook on the malware. It's a banking Trojan. Well, at least it started out as a banking Trojan. It's kind of morphed into something a little more now. You see it delivering a bunch of malware variants, you know, different malware families. It's almost like a botnet now. And we hadn't actually seen it really for a little while, but in Q3 we saw a bunch of different campaigns spawn. And like I always say, malware hibernates for a little bit, but when it comes back, it comes back bigger, faster, stronger. There's always new tactics, there's always new capabilities, and in this case that's no exception. What they did, and I thought was very unique, at being able to, again, rely on the humans to be able to make a mistake: so what they did is, from a victim, they would grab the email thread from the emails, grab those threads, put it in a spoofed email, and then email that to the next victim. And then, you know, when the victim opens up that particular email, they see that thread that looks like, hey, I've had this correspondence before, this has to be a good email, I'm going to click that attachment. And when they do, now they're compromised, and that whole process happens over and over and over again.

>>So they're scraping the addressees, and they are taking the email and creating a new email and sending it on to new addressees, hopefully before the actual real email gets there, right?

>>No, yes, but also say that they're actually taking the context of the email, right? So the email sort of thread, so it makes it, it's an actual real thread. Well, they're just kind of adding it in there. So it really looks like, hey, I've had that correspondence before. I'm just going to click that link or attachment.

>>This notion of operationalizing through the MITRE framework and these new playbooks is a way ultimately that more people, presumably, we're creating more of a sense of professionalism that will diffuse into new domains. So, for example, you mentioned early on municipalities and whatnot that may not have the same degree of sophistication. Through this playbook approach, through utilizing these new resources and tools that Fortinet and others are providing, it means that you can raise, to some degree, the level of responsiveness in shops that may not have the same degree of sophistication. Correct?

>>Yeah, I definitely would have to agree. And then also, I think as you start to understand these techniques, you will never just have one technique as a standalone, right? These techniques are usually chained together, right? Once this technique is there, you're going to know that there's a few techniques that probably have happened before, and there's some that are going to happen later. A great example of this, let's say, when an adversary is moving laterally inside the network, there's really three basic things that they have to be able to have. One is they have to have the authorization, the access, you know, to be able to move from system to system. And there's a variety of ways that they can do that. Once they're there, now they have to somehow copy that malware from system to system. And you know, you can do that through remote desktop protocol, you can do that through PsExec. There's a variety of different ways you can do that. And then once the malware's there, then you have to execute it somehow, and there's ways to do that. Now, if you have a common language for each one of those, now you start chaining these things together, you know, the digital dust, or the actual behaviors, and what's actually left behind with these actual tactics. And now, manually, you can start better understanding how to threat hunt more efficiently, and also start to actually let the technology do this kind of threat hunting for you. So I guarantee you we're going to see innovation in technology where they're going to be doing automatic threat hunting for you based on these types of understandings in the future.

>>Tony, what's growing? Once again, great CUBE conversation. Thanks again for being on theCUBE. Tony Giandomenico is, I'm going to just completely shorten your title, threat landscape expert at Fortinet. Tony, thanks again.

>>Hey, it's great to be here, Peter.

>>Thanks a lot, and thanks once again for joining us for another CUBE conversation. I'm Peter Burris. See you next time.

Published Date : Nov 15 2019
