(uplifting music) >> Hi I'm Peter Burris, and welcome to another great CUBE conversation. We're here in our Palo Alto studios with Fortinet's Anthony Giandomenico, Anthony welcome. >> Welcome, it's great to be here. >> So or otherwise known as Tony G. So in theCUBE conversations Tony, we want to talk about interesting and relevant things. Well here's an interesting and relevant thing that just happened: Fortinet has put forward their quarterly Threats report. What is it? What's in it? >> Really, it's something we do on a quarterly basis, and it's really geared towards the IP security profession, so we go to from the CSO all the way down to the security operator. And what we're looking at is billions of events that are being observed in real time, you know production environments around the world and what we're hoping to do is look at different types of trends that are specific to application exploits, malware, and botnets and hopefully then provide some recommendations back to those IP security professionals. >> Now Tony, malware's been around for a while, some of the bots are a little bit new, but certainly there's some real new things that are on the horizon like IoT and we've heard recently that there's been some challenge with some of these IoT devices. Is it the threat getting more or less intense according to the report? >> Yeah, definitely it's getting more sophisticated, specifically with these IoT devices. What we're seeing as an example with the Reaper and Hajime, always had a hard time actually pronouncing that so I think it's "Hajime". They're actually starting to attack multiple vulnerabilities so instead of just going after one vulnerability, they have multiple vulnerabilities that is inside their malicious code, and then they have the ability to automate the exploitation of those vulnerabilities depending on what the IoT devices are. Now, they're also becoming a lot more resilient. And what I mean by that is some of the actual botnets like Hajime is able to communicate via P2P to each other. What they kind of creates is a decentralized command and control infrastructure. And then lastly, they're becoming much more agile as well, they have this Lua engine, which enables them to quickly update their code so, giving an example, let's say there's a new vulnerability out there. They can quickly swap out or add the additional exploit before that vulnerability, propagate that out to all of the IoT devices that are part of the botnet, and then they can swarm in on that new vulnerability. >> So Fortinet's Fortiguard Labs is one of the leading researchers in this area, especially internet, enterprise security. What is your recommendations that people do about the increasing intensity of the IoT threats? >> But I think we need to start, at least thinking about fighting these automation attacks or worm attacks with our own swarm-like defenses. And what I mean by that is having a seamless integration and automation across your entire security fabric. Now, there's a lot that actually kind of goes into that, but your technology controls need to start talking to each other, and then you can start automating and taking some action really based on whatever threat happens to be in your environment. Now, it's easier said than done, but if you can do that, you can start automating the continual resistance or resiliency of you being able to actually defend against those automated attack. >> So let's change gears a little bit. Willie Sutton, I think it was Willie Sutton, the famous bank robber was famous for saying, when someone asked him "Why do you rob banks?" he said "That's where the money is." >> All of the money (laughing) >> Crypto-jacking. What's going on with as BitCoin becomes a bigger feature of the whole landscape, what's happening with crypto-jackers, what is it, how does it work, why should we be concerned about it? >> Well definitely cryptocurrency is becoming more and more popular these days and the bad guys are definitely taking advantage of that. So when we talk about what is crypto-jacking, so it's really it's sharing, or secretly using, the CPU resources to be able to mine for cryptocurrencies. Now, traditionally you used to have to put some type of application on your machine to be able to mine for cryptocurrencies. Nowadays, all the bad guys really have to do is install a little java script in your browser and away they go. And the only way that you're going to know that your machine may be part of this mining, is it may become super slow and you may be savvy enough to say "Well, maybe look at the CPU." And you look at it and it's pegged at 100%. So that's one of the ways that you can determine that your computer is part of crypto mining. Now in the Q4 report what we've seen is a huge update in crypto mining malware, and it's interesting because it's very intertwined with the rise and fall of the BitCoin price. So as we saw the BitCoin price go up, the crypto mining malware went up, and as it actually dropped off so did the activity. The other thing that we actually ended up seeing is actually in the Darknet. There's a bit of a shift where the bad guys used to only accept payment in BitCoin. Now they're looking at accepting other forms of actual cryptocurrency and that also holds true for ransomware. So if you have an infected with ransomware, it's quite possible that they're going to demand that ransom in something other than BitCoin. >> Interesting, so, in fact we had a great previous group conversation with another really esteemed Fortinet guest, and we talked a little bit about this. So one of the prescriptions is businesses have to be careful about the degree to which they think about doing a lot of transactions in cryptocurrencies. But they probably want to have a little bit of reserves just in case. But what should a business do? What should someone do to mediate some of the challenges associated with crypto-jacking? >> Yeah, I think one of the first things, it's probably self-explanatory to most us that are actually in the cyber field, but having good user awareness training program that actually includes keeping up with the latest and greatest tactics, techniques, and the actual threats that the bad guys are doing out there. Now the other obvious thing would probably be just make sure that your security solutions are able to detect the crypto mining URLs and malware. And I would also say>> now I'm not condoning that you actually pay the ransom>> however, it's happened many times where they've paid, I think there were some companies that actually paid over a million dollars in BitCoin, it may actually be an option and if you have that in your incident response plan, and what you want to do sometimes>> and we've seen organizations actively go ahead and do this>> is they'll buy some BitCoin, kind of keep it on hand so if they do have to pay, it streamlines an entire process. Because ransomware, the actual ransom now, you may not be able to pay in BitCoin. You probably have to keep abreast of what are the actually trends in paying up for your ransom because you may have to have other cryptocurrencies on hand as well. >> So, make sure your security's up to date, then you can track these particular and specific resources that tend to do this, have a little bit on reserve, but make sure that you are also tracking which of the currencies are most being used. So, there are other exploits, as you said earlier. Now we see people when someone's not working by doing peer to peer type stuff. The bad guys are constantly innovative, some would argue that they're more inventive than the good guys because they got less risk to worry about. What other threats is the report starting to highlight, that people need to start thinking about? >> So in this Q4 report what we did is we added in the top exploit kit. And I think we'll probably continue to do that over the-- >> What's an exploit kit? >> Exploit kit is something, it's a very nice little kind of GUI that allows you to really just kind of point and click, has multiple exploits in there, and it's usually browser based so it's going to be able to compromise usually a vulnerability within the browser, or some of the actual browser plugins, things of that nature, and the one that we had in the Q4 report was the Sundown exploit kit. Now, it was interesting because we didn't necessarily see that one on the top, it might've been top of its game maybe 2014, 2015, but it actually rose in early December to actually kind of be number one for Q4. And it's unique because it does leverage steganography, meaning it's able to hide its malicious code or its harvested information inside image files. So we'll continue to track that, we don't know sure why it actually kind of rose up in the beginning of December but we'll just actually continue to track it on time. >> So you've already mentioned ransomware but let's return to it because that's at the top of people's minds, we pay lawyers when they come after us with sometimes what looks like ransom. But what is happening, what's the point in ransomware, what's the report on they like? >> Well, what you see is the actual growth and volume and sophistication has really been common amongst all the reports that we have actually put out to date, but not a lot has really changed. In Q4, what we did have Locky was the number one malware, or ransomware variant along with Global Imposter. Now, it's still the same delivery mechanisms, so you still got the social engineering, it's being delivered through fishing email, but then it's expanding out to let's say compromised websites, malvertising, as well as earlier on last year, we saw where it was being able to propagate from vulnerability to vulnerability so it had this worm-like spreading capability. That's all really been the same and not a lot has really sort of changed. The thing that has changed actually is the fact that they're up in the ante a little bit to be able to hopefully increase their chances of you actually falling for that actual scam, is they're making the subject of that scam a little bit more top-of-mind. As an example, the subject may be cryptocurrency because you're more likely to figure out what's going on there, you'll be more likely to download that file or click that link if the subject is something around cryptocurrency because it is top-of-mind today. >> Interestingly enough, I, this morning received an email saying, "You could win some free cryptocurrency." And I said "And you can go into the trash can." (Tony laughing) So what should people do about it? I just threw something away, but what should people generally do to protect their organization from things like ransomware? >> I do get that a lot, I get that question a lot. The first thing I say, if you're trying to protect against ransomware, you follow the same things that you were doing with some of the other threats because I don't think ransomware is that unique when it comes to the protection. The uniqueness is really an impact, because certain threats they'll actually go and steal data and whatnot but when's the last time you heard of a business going out of business or losing money because some data was stolen? Not very often, it seems to be continued as business as usual, but ransomware, locking your files, it could actually bring the business down. So what you want to do is be able to minimize the impact of that actual ransomware so having a good offline backup strategy, so good backup and recovery strategy, making sure you go through those table top exercises really to make sure that when you do have to recover, you know exactly how long it's going to take and it's very efficient and very streamlined. >> Practice, practice, practice. >> Yup, and don't rely on online backups, shadow copy backups because those things are probably going to be encrypted as well. >> Yup, alright so that's all we have time for today Tony. So, Anthony Giandomenico from-- >> Tony G! (laughing) >> Tony G, who's a senior security strategist researcher at the Fortinet Fortiguard Labs. Thanks very much for this CUBE conversation. >> It was great to be here. >> Peter Burris, once again, we'll see you at the next CUBE Conversation. (uplifting music)

(uplifting music) >> Hi I'm Peter Burris, and welcome to another great CUBE conversation. We're here in our Palo Alto studios with Fortinet's Anthony Giandomenico, Anthony welcome. >> Welcome, it's great to be here. >> So or otherwise known as Tony G. So in theCUBE conversations Tony, we want to talk about interesting and relevant things. Well here's an interesting and relevant thing that just happened: Fortinet has put forward their quarterly Threats report. What is it? What's in it? >> Really, it's something we do on a quarterly basis, and it's really geared towards the IP security profession, so we go to from the CSO all the way down to the security operator. And what we're looking at is billions of events that are being observed in real time, you know production environments around the world and what we're hoping to do is look at different types of trends that are specific to application exploits, malware, and botnets and hopefully then provide some recommendations back to those IP security professionals. >> Now Tony, malware's been around for a while, some of the bots are a little bit new, but certainly there's some real new things that are on the horizon like IoT and we've heard recently that there's been some challenge with some of these IoT devices. Is it the threat getting more or less intense according to the report? >> Yeah, definitely it's getting more sophisticated, specifically with these IoT devices. What we're seeing as an example with the Reaper and Hajime, always had a hard time actually pronouncing that so I think it's "Hajime". They're actually starting to attack multiple vulnerabilities so instead of just going after one vulnerability, they have multiple vulnerabilities that is inside their malicious code, and then they have the ability to automate the exploitation of those vulnerabilities depending on what the IoT devices are. Now, they're also becoming a lot more resilient. And what I mean by that is some of the actual botnets like Hajime is able to communicate via P2P to each other. What they kind of creates is a decentralized command and control infrastructure. And then lastly, they're becoming much more agile as well, they have this Lua engine, which enables them to quickly update their code so, giving an example, let's say there's a new vulnerability out there. They can quickly swap out or add the additional exploit before that vulnerability, propagate that out to all of the IoT devices that are part of the botnet, and then they can swarm in on that new vulnerability. >> So Fortinet's Fortiguard Labs is one of the leading researchers in this area, especially internet, enterprise security. What is your recommendations that people do about the increasing intensity of the IoT threats? >> But I think we need to start, at least thinking about fighting these automation attacks or worm attacks with our own swarm-like defenses. And what I mean by that is having a seamless integration and automation across your entire security fabric. Now, there's a lot that actually kind of goes into that, but your technology controls need to start talking to each other, and then you can start automating and taking some action really based on whatever threat happens to be in your environment. Now, it's easier said than done, but if you can do that, you can start automating the continual resistance or resiliency of you being able to actually defend against those automated attack. >> So let's change gears a little bit. Willie Sutton, I think it was Willie Sutton, the famous bank robber was famous for saying, when someone asked him "Why do you rob banks?" he said "That's where the money is." >> All of the money (laughing) >> Crypto-jacking. What's going on with as BitCoin becomes a bigger feature of the whole landscape, what's happening with crypto-jackers, what is it, how does it work, why should we be concerned about it? >> Well definitely cryptocurrency is becoming more and more popular these days and the bad guys are definitely taking advantage of that. So when we talk about what is crypto-jacking, so it's really it's sharing, or secretly using, the CPU resources to be able to mine for cryptocurrencies. Now, traditionally you used to have to put some type of application on your machine to be able to mine for cryptocurrencies. Nowadays, all the bad guys really have to do is install a little java script in your browser and away they go. And the only way that you're going to know that your machine may be part of this mining, is it may become super slow and you may be savvy enough to say "Well, maybe look at the CPU." And you look at it and it's pegged at 100%. So that's one of the ways that you can determine that your computer is part of crypto mining. Now in the Q4 report what we've seen is a huge update in crypto mining malware, and it's interesting because it's very intertwined with the rise and fall of the BitCoin price. So as we saw the BitCoin price go up, the crypto mining malware went up, and as it actually dropped off so did the activity. The other thing that we actually ended up seeing is actually in the Darknet. There's a bit of a shift where the bad guys used to only accept payment in BitCoin. Now they're looking at accepting other forms of actual cryptocurrency and that also holds true for ransomware. So if you have an infected with ransomware, it's quite possible that they're going to demand that ransom in something other than BitCoin. >> Interesting, so, in fact we had a great previous group conversation with another really esteemed Fortinet guest, and we talked a little bit about this. So one of the prescriptions is businesses have to be careful about the degree to which they think about doing a lot of transactions in cryptocurrencies. But they probably want to have a little bit of reserves just in case. But what should a business do? What should someone do to mediate some of the challenges associated with crypto-jacking? >> Yeah, I think one of the first things, it's probably self-explanatory to most us that are actually in the cyber field, but having good user awareness training program that actually includes keeping up with the latest and greatest tactics, techniques, and the actual threats that the bad guys are doing out there. Now the other obvious thing would probably be just make sure that your security solutions are able to detect the crypto mining URLs and malware. And I would also say- now I'm not condoning that you actually pay the ransom- however, it's happened many times where they've paid, I think there were some companies that actually paid over a million dollars in BitCoin, it may actually be an option and if you have that in your incident response plan, and what you want to do sometimes- and we've seen organizations actively go ahead and do this- is they'll buy some BitCoin, kind of keep it on hand so if they do have to pay, it streamlines an entire process. Because ransomware, the actual ransom now, you may not be able to pay in BitCoin. You probably have to keep abreast of what are the actually trends in paying up for your ransom because you may have to have other cryptocurrencies on hand as well. >> So, make sure your security's up to date, then you can track these particular and specific resources that tend to do this, have a little bit on reserve, but make sure that you are also tracking which of the currencies are most being used. So, there are other exploits, as you said earlier. Now we see people when someone's not working by doing peer to peer type stuff. The bad guys are constantly innovative, some would argue that they're more inventive than the good guys because they got less risk to worry about. What other threats is the report starting to highlight, that people need to start thinking about? >> So in this Q4 report what we did is we added in the top exploit kit. And I think we'll probably continue to do that over the-- >> What's an exploit kit? >> Exploit kit is something, it's a very nice little kind of GUI that allows you to really just kind of point and click, has multiple exploits in there, and it's usually browser based so it's going to be able to compromise usually a vulnerability within the browser, or some of the actual browser plugins, things of that nature, and the one that we had in the Q4 report was the Sundown exploit kit. Now, it was interesting because we didn't necessarily see that one on the top, it might've been top of its game maybe 2014, 2015, but it actually rose in early December to actually kind of be number one for Q4. And it's unique because it does leverage steganography, meaning it's able to hide its malicious code or its harvested information inside image files. So we'll continue to track that, we don't know sure why it actually kind of rose up in the beginning of December but we'll just actually continue to track it on time. >> So you've already mentioned ransomware but let's return to it because that's at the top of people's minds, we pay lawyers when they come after us with sometimes what looks like ransom. But what is happening, what's the point in ransomware, what's the report on they like? >> Well, what you see is the actual growth and volume and sophistication has really been common amongst all the reports that we have actually put out to date, but not a lot has really changed. In Q4, what we did have Locky was the number one malware, or ransomware variant along with Global Imposter. Now, it's still the same delivery mechanisms, so you still got the social engineering, it's being delivered through fishing email, but then it's expanding out to let's say compromised websites, malvertising, as well as earlier on last year, we saw where it was being able to propagate from vulnerability to vulnerability so it had this worm-like spreading capability. That's all really been the same and not a lot has really sort of changed. The thing that has changed actually is the fact that they're up in the ante a little bit to be able to hopefully increase their chances of you actually falling for that actual scam, is they're making the subject of that scam a little bit more top-of-mind. As an example, the subject may be cryptocurrency because you're more likely to figure out what's going on there, you'll be more likely to download that file or click that link if the subject is something around cryptocurrency because it is top-of-mind today. >> Interestingly enough, I, this morning received an email saying, "You could win some free cryptocurrency." And I said "And you can go into the trash can." (Tony laughing) So what should people do about it? I just threw something away, but what should people generally do to protect their organization from things like ransomware? >> I do get that a lot, I get that question a lot. The first thing I say, if you're trying to protect against ransomware, you follow the same things that you were doing with some of the other threats because I don't think ransomware is that unique when it comes to the protection. The uniqueness is really an impact, because certain threats they'll actually go and steal data and whatnot but when's the last time you heard of a business going out of business or losing money because some data was stolen? Not very often, it seems to be continued as business as usual, but ransomware, locking your files, it could actually bring the business down. So what you want to do is be able to minimize the impact of that actual ransomware so having a good offline backup strategy, so good backup and recovery strategy, making sure you go through those table top exercises really to make sure that when you do have to recover, you know exactly how long it's going to take and it's very efficient and very streamlined. >> Practice, practice, practice. >> Yup, and don't rely on online backups, shadow copy backups because those things are probably going to be encrypted as well. >> Yup, alright so that's all we have time for today Tony. So, Anthony Giandomenico from-- >> Tony G! (laughing) >> Tony G, who's a senior security strategist researcher at the Fortinet Fortiguard Labs. Thanks very much for this Cube conversation. >> It was great to be here. >> Peter Burris, once again, we'll see you at the next Cube Conversation. (uplifting music)