Chris Novak, Verizon | CyberConnect 2017
>> Announcer: Live from New York City. It's theCUBE. Covering CyberConnect 2017. Brought to you by Centrify, and the Institute for Critical Infrastructure Technology.
>> Hey, welcome back everyone. Live here with Cube coverage in New York City, our favorite place to be when we've got all the action going on. CyberConnect 2017 is an inaugural event where industry, government comes together to solve the crisis of our generation. That's cybersecurity. I'm John Furrier, co-host of theCube. My partner Dave Vellante here. Our next guest is Chris Novak, VTRAC Global Director, Threat Research Advisory Center at Verizon. Welcome to theCube, great to have you.
>> Thanks, pleasure to be here.
>> So you do all the homework. You've got the forensic data. You're the one who looks at the threats. You're the burning bush of cyber intelligence. What's happening? Tell us what's the threats?
>> Everything. So, it's interesting because I always find what I do to be wildly exciting just because it's always changing, right? Everything we see. It's kind of like being a cop. Ultimately you're investigating unknowns all the time, trying to figure out how they happen, why they happen, who they happen to, but more importantly than that, how do you get ahead of it to prevent being the next one, or prevent it happening to others? And that's really the thrust of what we're out to do.
>> Talk about the challenges 'cause General Keith Alexander was on stage talking about how he compared it to an airline crashing, where they come in looking for the black box, and it's worse because you don't even know what happened, who was involved.
>> Chris: That's right.
>> The notion of anonymous, public domain software is causing all kinds of democratization, good and bad, bad being actors that we don't even know attacking us. What is the landscape of how you identify what's going on?
>> Yeah, and it gets even more challenging than that because I like that analogy, and I'd say I'd almost take it one step further and say the analogy of the airline and looking for the black box. In many cases when we go in to do an investigation, we're just hoping that there was a black box to look at to begin with. In many cases, we get there and there was no information, and we're trying to take all the pieces and put it together of what's left. And ultimately what we see is, it keeps evolving, right? It keeps getting harder, and the threat actors keep getting better. What I always tell folks is, while many of us all have to play by a set of rules, or regulations, or compliance obligations, the threat actors don't have to do any of that. They're free to do whatever works for them, and repeat it over and over again, and, for them, it's a business.
>> So Dave and I were talking earlier. I want to get your reaction to this. About the importance of Stuxnet. Ars Technica has a report coming out that certificate authorities were compromised well before Stuxnet. But Stuxnet is the Pearl Harbor, cyber Pearl Harbor, as a point in time. So much has happened since then. So from that kind of Pearl Harbor moment of the wakening of, oh my God, to today, what's the landscape look like? How important was the Stuxnet to that point in time now, and how has it evolved? What's changed?
>> Sure, and I think a couple of key things that come out of that. One is, you start to see more and more attribution to government-related attacks. Some are actively sponsored and known. Some are, we're just diggin' through the details and the weeds to try and figure out who's actually behind it and attribution may never actually take place.
>> Or it could not be real 'cause they want to blame their enemy so that they get attacked.
>> Well, and that's the either beauty or downside of cyber is that you can conduct it in a vacuum, in an anonymous fashion.
So, in many respects, you can conduct an attack remotely and try to give it all the hallmarks of someone else, making it further difficult to attribute it.
>> And the tools are now available too, so like, I hear reports that states are sponsoring, or releasing in the public domain, awesome hacks, like Stuxnet of the future, which some say was released and then got out of control by accident.
>> And that's always something you have to be concerned about is the fact that once this stuff gets out there, even if you only intended to use this malware or attack vector once. Once you use it on that victim, there is a potential that that spreads.
>> But you guys have been doing this study for the last decade.
>> Correct.
>> So you've seen the shift from sort of hacktivist to nation-sponsored malware. What has the research shown you over the last decade as that shift has occurred?
>> Yeah, it's interesting because you look at it and a lot of what we still see today are financially-motivated and interestingly enough, opportunistic, low-hanging fruit kind of attacks. About 70 to 80% fall in that category, and about 20 to 25, depending on the year, are nation state, but that keeps growing each year. And, I think a lot of it is.
>> John: What, the nation state piece?
>> The nation state piece. But it's still the smaller piece of the pie or the graph, whatever you're looking at, because, at the end of the day
>> It's cash.
>> It's cash.
>> They want the cash.
>> And so much of what we find when you look back at the old days of breaches where the majority of them were, they weren't even really breaches of theft of data, it was someone.
>> Confetti, graffiti.
>> I should have actually asked that question differently because it really went from hacktivist to criminals.
>> Chris: Correct.
>> To nation states and you're saying the dominant now is criminal activity.
>> That's correct. Yeah, we find the large piece of it about more than half is organized crime.
It comes down to, look, you can steal money in a variety of different ways. This is a way to do it safely from a thousand miles away
>> And no one knows who you are.
>> on the other end of a keyboard.
>> So it's annoyance.
>> And by the way, no consequence. Who's going to?
>> Virtually, yeah.
>> What court do you go to?
>> So its annoyance is the hacktivist. Okay, we can kind of live with that. It's cash and it's threats to critical infrastructure.
>> And we see kind of a graduation there where you see the activists realize, I can do this and make a point, but a point doesn't necessarily make me money, or I can do this for an organized crime group and make millions of dollars. Hmmmm.
>> And, by the way, to your point which we were just teasing out, Dave. There is zero downside, because if you get caught, what happens?
>> Yeah.
>> If you get caught.
>> If you get caught, yeah. And then what happens if you get caught?
>> There's no jurisdiction.
>> You don't make money.
>> No, no, there's no courts.
>> It's very hard to prosecute.
>> There's actually no process for that.
>> So, we heard this morning that WannaCry and other examples of malware really weren't about malware. I mean, sorry, they really weren't about ransomware, they were about sending a message, or politics. So, you're obviously seeing more of that in your research.
>> Chris: Exactly right.
>> Fake news, and I wonder if you could comment.
>> Absolutely, yeah. So, in fact, it was interesting because some of those had continued to come out. Everyone kept thinking that it was all ransomware, and then as we studied it further we found some of these, they never had the intention of collecting a ransom, or giving the data back. It was all about making a political point, and you now have this kind of injection of politics into something that was really, traditionally, just organized crime, smash and grab, make cash.
Now politics is feeding into that, going, wait, we can affect and influence and all sorts of things in ways people have never imagined and people don't even know it's going on.
>> So you must be seeing a dramatic improvement in the quality, hate to say this, but the quality of malware, over the last decade. Less bugs, less errors,
>> More sophisticated.
>> More insidious, sophisticated.
>> That's exactly right.
>> Vectors.
>> We do see that continuing to improve and for them, like I always tell folks, they operate it like a business. You'll have some of these groups where they'll have different divisions or departments. People will have clearly-defined roles and responsibilities of what they're supposed to be doing in generating that malware, troubleshooting it, and they'll even reward people for how well it works.
>> Chris, I'd like to get your personal opinion. If you could put your Verizon hat on too, I will take any opinions that you have. How do we solve this? 'Cause this event here. We like this inaugural event because it's the first industry event that talks about the big picture, the holistic view, the 20-mile stare, if you want to say it that way. Not the Black Hat, which has its own conference, and there should be more of that. This is industry coming together. Governments now intersecting here. What's your opinion on how this gets solved? We heard community, shared data, that's been going around. What do you think?
>> So, that's probably the hardest question I get asked, and, honestly, I think it's because there's not really a simple answer to it, right? It's like saying, how do we stop crime? We don't. It's not going to be possible. It's a matter of, how do we put up better defenses? And also, important, how do we put up better detection, so that we can see things and, potentially, stop them sooner before they blow up into these big, multi-hundred-million record, or billion record breaches? So, one of the biggest things that I advocate is awareness.
We also have to do things like pro-active threat hunting, right? If you're not out there. It's kind of like having security guards, right? You go through any office and you've got security guards walking the halls, sitting in the lobby, looking for things that are unusual. If we're not out there in the cyber realm looking for unusual things, you can't expect that you're going to see them until they've reached a certain blow-up point.
>> Or are they cloaked? Completely cloaked. You can't see 'em.
>> That's also true.
>> Security guards are looking for someone they can't see.
>> That's true.
>> Chris, thanks so much for coming here and sharing the opinion. Follow the research. And your report's public, or?
>> Yes, the reports are all available on the VerizonEnterprise.com website.
>> Okay, VerizonEnterprise.com. Check it out. These reports are a treasure trove of information. Always getting it out. Thanks for your perspective. Lookin' for more trends. Chris Novak here inside theCube here in New York City's live coverage of CyberConnect 2017. I'm John with Dave Vellante. We're back with more coverage after this short break. (techno music)