(upbeat music) >> Hello everyone, welcome to this special Cube conversation. I'm John Furrier, host of theCube. We're here in Palo Alto. We've got some remote guests. Going to break down the Fortinet vulnerability, which was confirmed last week as a critical vulnerability that exposed a zero-day flaw for some of their key products, obviously, FortiOS and FortiProxy for remote attacks. So we're going to break this down. It's a real time vulnerability that happened is discovered in the industry. Horizon3.ai is one of the companies that was key in identifying this. And they have a product that helps companies detect and remediate and a bunch of other cool things you've heard on the cube here. We've got James Horseman, an exploit developer. Love the title. Got to got to say, I'm not going to lie. I like that one. And Zach Hanley, who's the chief attack engineer at Horizon3.ai. Gentlemen, first, thank you for joining the Cube conversation. >> Thank you. It's good to be here. >> Yeah, thank you so much for having us. >> So before we get into the whole Fortinet, this vulnerability that was exposed and how you guys are playing into this I just got to say I love the titles. Exploit developer, Chief Attack Engineers, you don't see that every day. Explain the titles Zach, let's start with you. Chief Attack Engineer, what do you do? >> Yeah, sure. So the gist of it is, is that there is a lot to do and the cybersecurity world. And we made up a new engineering title called Attack Engineer because there's so many different things an attacker will actually do over the course of attack. So we just named them an engineer. And I lead that team that helps develop the offensive capabilities for our product. >> Got it. James, you're the Exploit Developer, exploiting. What are you exploiting? What's going on there? >> So what I'll do in a day to day is we'll take N-days, which are vulnerabilities that have been disclosed to a vendor, but not yet publicly patched necessarily or a pocket exists for them. And I'll try to reverse engineer and find them, so we can integrate them into our product and our customers can use them to make sure that they're actually secure. And then if there's no interesting N-days to go after, we'll sometimes search for zero-days, which are vulnerabilities in products that the vendor doesn't yet know about. >> Yeah, and those are most critical. Those things can being really exploited and cause a lot of damage. Well James, thanks for coming on. We're here to talk about the vulnerability that happened with Fortinet and their products zero-day vulnerability. But first with the folks, for context, Horizon3.ai is a new startup rapidly growing. They've been on theCube. The CEOs, Snehal and team have described their product as an autonomous pen testing. But as part of that, they also have more of a different approach to testing environment. So they're constantly putting companies under pressure. Let's get into it. Let's get into this hack. So you guys are kind of like, I call it the early warning detection system. You're seeing things early because your product's constantly testing infrastructure. Okay? Over time, all the time always on. How did this come come about? How did you guys see this? What happened? Take us through. >> Yeah, sure. I'll start off. So on Friday, we saw on Twitter, which is actually a really good source of threat intelligence these days, We saw a person released details that 40 minutes sent advanced warning email that a critical vulnerability had been discovered and that an emergency patch was released. And the details that we saw, we saw that was an authentication bypass and we saw that it affected the 40 OS, 40 proxy and the 40 switch manager. And we knew right off the bat those are some of their most heavily used products. And for us to understand how this vulnerability worked and for us to actually help our clients and other people around the world understand it, we needed to get after it. So after that, James and I got on it, and then James can tell you what we did after we first heard. >> Yeah. Take us through play by play. >> Sure. So we saw it was a 9.8 CVSS, which means it's easy to exploit and low complexity and also kind of gives you the keys that take them. So we like to see those because they're easy to find, easy to go after. They're big wins. So as soon as we saw this come out we downloaded some firmware for 40 OS. And the first few hours were really about unpacking the firmware, seeing if we could even to get it run. We got it running a a VMware VMDK file. And then we started to unpack the firmware to see what we could find inside. And that was probably at least half of the time. There seemed to be maybe a little bit of obfuscation in the firmware. We were able to analyze the VDMK files and get them mounted and we saw that they were, their operating system was compressed. And when we went to decompress them we were getting some strange decompression errors, corruption errors. And we were kind of scratching our heads a little bit, like you know, "What's going on here?" "These look like they're legitimately compressed files." And after a while we noticed they had what seemed to be a different decompression tool than what we had on our systems also in that VMDK. And so we were able to get that running and decompress the firmware. And from there we were off to the races to dive deeper into the differences between the vulnerable firmware and the patch firmware. >> So the compressed files were hidden. They basically hid the compressed files. >> Yeah, we're not so sure if they were intentionally obfuscated or maybe it was just a really old version of that compression algorithm. It was the XZ compression tool. >> Got it. So what happens next? So take us through. So you discovered, you guys tested. What do you guys do next? How did this thing... I mean, I saw the news it hit heavily. You know, they updated, everyone updated their catalog for patching. So this kind of hangs out there. There's a time lag out there. What's the state of the security at that time? Say Friday, it breaks over the weekend, potentially a lot of attacks might have happened. >> Yeah, so they chose to release this emergency pre-warning on Friday, which is a terrible day because most people are probably already swamped with work or checking out for the weekend. And by Sunday, James and I had actually figured out the vulnerability. Well, to make the timeline a little shorter. But generally what we do between when we discover or hear news of the CV and when we actually pocket is there's a lot of what we call patch diffing. And that's when we take the patched version and the unpatched version and we run it through a tool that kind of shows us the differences. And those differences are really key insight into, "Hey, what was actually going on?" "How did this vulnerability happen?" So between Friday and Sunday, we were kind of scratching our heads and had some inspiration Sunday night and we actually figured it out. So Sunday night, we released news on Twitter that we had replicated the exploit. And the next day, Monday morning, finally, Fortinet actually released their PSIRT notice, where they actually announced to the world publicly that there was a vulnerability and here are the mitigation steps that you can take to mitigate the vulnerability if you cannot patch. And they also release some indicators of compromise but their indicators of compromise were very limited. And what we saw was a lot of people on social media, hey asking like, "These indicators of compromise aren't sufficient." "We can't tell if we've been compromised." "Can you please give us more information?" So because we already had the exploit, what we did was we exploited our test Fortinet devices in our lab and we collected our own indicators of compromise and we wrote those up and then released them on Tuesday, so that people would have a better indication to judge their environments if they've been already exploited in the wild by this issue. Which they also announced in their PSIRT that it was a zero-day being exploited in the wild It wasn't a security researcher that originally found the issue. >> So unpack the difference for the folks that don't know the difference between a zero-day versus a research note. >> Yeah, so a zero-day is essentially a vulnerability that is exploited and taken advantage of before it's made public. An N-day, where a security researcher may find something and report it, that and then once they announce the CVE, that's considered an N-day. So once it's known, it's an N-day and once if it's exploited before that, it's a zero-day. >> Yeah. And the difference is zero-day people can get in there and get into it. You guys saw it Friday on Twitter you move into action Fortinet goes public on Monday. The lag between those days is critical time. What was going on? Why are you guys doing this? Is this part of the autonomous pen testing product? Is this part of what you guys do? Why Horizon3.ai? Is this part of your business model? Or was this was one of those things where you guys just jumped on it? Take us through Friday to Monday. >> James, you want to take this one? >> Sure. So we want to hop on it because we want to be able to be the first to have a tool that we can use to exploit our customer system in a safe manner to prove that they're vulnerable, so then they can go and fix it. So the earlier that we have these tools to exploit the quicker our customers can patch and verify that they are no longer vulnerable. So that's the drive for us to go after these breaking exploits. So like I said, Friday we were able to get the firmware, get it decompressed. We actually got a test system up and running, familiarized ourself with the system a little bit. And we just started going through the patch. And one of the first things we noticed was in their API server, they had a a dip where they started including some extra HTTP headers when they proxied a connection to one of their backend servers. And there were, I believe, three headers. There was a HTTP forwarded header, a Vdom header, and a Cert header. And so we took those strings and we put them into our de-compiled version of the firmware to kind of start to pinpoint an area for us to look because this firmware is gigantic. There's tons of files to look at. And so having that patch is really critical to being able to quickly reverse engineer what they did to find the original exploit. So after we put those strings into our firmware, we found some interesting parts centered around authorization and authentication for these devices. And what we found was when you set a specific forwarded header, the system, for lack of better term, thought that you were on the inside. So a lot of these systems they'll have kind of, two methods of entry. One is through the front door, where if you come in you have to provide some credentials. They don't really trust you. You have to provide a cookie or some kind of session ID in order to be allowed to make requests. And the other side is kind of through the back door, where it looks like you are part of the system itself. So if you want to ask for a particular resource, if you look like you're part of the system they're not going to scrutinize you too much. They'll just let you do whatever you want to do. So really the nature of this exploit was we were able to manipulate some of those HTP headers to trick the system into thinking that we were coming in through the back door when we really coming in through the front. >> So take me through that that impact. That means remote execution. I can come in remotely and anonymous and act like I'm on the inside system. >> Yeah. >> And that's the case of the kingdom as you said earlier, right? >> Yeah. So the crux of the vulnerability is it allows you to make any kind of request you want to this system as if you were an administrator. So it lets you control the interfaces, set them up or down, lets you create packet captures, lets you add and remove users. And what we tried to do, which surprisingly the exploit didn't let us do was to create a new admin user. So there was some kind of extra code in there to stop somebody that did get that extra access to create an admin user. And so that kind of bummed us out. And so after we discovered the exploit we were kind of poking around to see what we could do with it, couldn't create an admin user. We were like, "Oh no, what are we going to do?" And eventually we came up with the idea to modify the existing administrator user. And that the exploit did allow us to do. So our initial POC, took some SSH keys adding them to an existing administrative user and then we were able to SSH in through the system. >> Awesome. Great, description. All right, so Zach, let's get to you for a second. So how does this happen? What does this... How did we get here? What was the motivation? If you're the chief attacker and you want to make this exploit happen, take me through what the other guy's thinking and what he did or she. >> Sure. So you mean from like the attacker's perspective, why are they doing this? >> Yeah. How'd this exploit happen? >> Yeah. >> And what was it motivated by? Was it a mistake? Was it intentional? >> Yeah, ultimately, like, I don't think any vendor purposefully creates vulnerabilities, but as you create a system and it builds and builds, it gets more complex and naturally logic bugs happen. And this was a logic bug. So there's no blame Fortinet for like, having this vulnerability and like, saying it's like, a back door. It just happens. You saw throughout this last year, F5 had a very similar vulnerability, VMware had a very similar vulnerability, all introducing authentication bypasses. So from the attacker's mindset, why they're actually going after this is a lot of these devices that Fortinet has, are on the edge of corporate networks and ransomware and whatever else. If you're a an APT, you want to get into organizations. You want to get from the outside to the inside. So these edge devices are super important and they're going to get a lot of eyes from attackers trying to figure out different ways to get into the system. And as you saw, this was in the wild exploited and that's how Fortinet became aware of it. So obviously there are some attackers out there doing this right now. >> Well, this highlights your guys' business model. I love what you guys do. I think it's a unique and needed approach. You take on the role of, I guess white hacker as... white hat hacker as a service. I don't know what to call it. You guys are constantly penetrating, testing, creating value for the customers to avoid in this case a product that's popular that just had the situation and needed to be resolved. And the hard part is how do you do it, right? So again, there's all these things are going on. This is the future of security where you need to have these, I won't say simulations, but constant kind of testing at scale. >> Yeah. >> I mean, you got the edge, it takes one little entry point to get into the network. It could be anywhere. >> Yeah, it definitely security, it has to be continuous these days. Because if you're only doing a pen test once a year or twice a year you have a year to six months of risk just building and building. And there's countless vulnerabilities and countless misconfigurations that can be introduced into a your network as the time goes on. >> Well, autonomous pen testing- >> Just because you're- >> ... is great. That's awesome stuff. I think it just frees up the talent in the organization to do other things and again, get on the real important stuff. >> Just because your network was secure yesterday doesn't mean it's going to be secure today. So in addition to your defense in depth and making sure that you have all the right configurations, you want to be continuously testing the security of your network to make sure that no new vulnerabilities have been introduced. >> And with the cloud native modern application environment we have now, hardware's got to keep up. More logic potential vulnerability could emerge. You just never know when that one N-vulnerability is going to be there. And so constantly looking out for is a really big deal. >> Definitely. Yeah, the switch to cloud and moving into hybrid cloud has introduced a lot more complexity in environments. And it's definitely another hole attackers going and after. >> All right. Well I got you guys here. I really appreciate the commentary on this vulnerability and this exploit opportunity that Fortinet had to move fast and you guys helped them and the customers. In general, as you guys see the security business now and the practitioners out there, there's a lot of pain points. What are the most powerful acute pain points that the security ops guys (laughing) are dealing with right now? Is it just the constant barrage of attacks? What's the real pain right now? >> I think it really matters on the organization. I think if you're looking at it from a in the news level, where you're constantly seeing all these security products being offered. The reality is, is that the majority of companies in the US actually don't have a security staff. They maybe have an IT guy, just one and he's not a security guy. So he's having to manage helping his company have the resources he needs, but also then he's overwhelmed with all the security things that are happening in the world. So I think really time and resources are the pain points right now. >> Awesome. James, any comment? >> Yeah, just to add to what Zach said, these IT guys they're put under pressure. These Fortinet devices, they could be used in a company that just recently transitioned to a lot of work from home because of COVID and whatnot. And they put these devices online and now they're under pressure to keep them up to date, keep them configured and keep them patched. But anytime you make a change to a system, there's a risk that it goes down. And if the employees can't VPN or log in from home anymore, then they can't work. The company can't make money. So it's really a balancing act for that IT guy to make sure that his environment is up to date, while also making sure it's not taken down for any reason. So it's a challenging position to be in and prioritizing what you need to fix and when is definitely a difficult problem. >> Well, this is a great example, this news article and this. Fortinet news highlights the Horizon3.ai advantage and what you guys do. I think this is going to be the table stakes for security in the industry as people have to build their own, I call it the militia. You got to have your own testing. (laughing) You got to have your own way to help protect yourself. And one of them is to know what's going on all the time every day, today and tomorrow. So congratulations and thanks for sharing the exploit here on this zero-day flaw that was exposed. Thanks for for coming on. >> Yeah, thanks for having us. >> Thank you. >> Okay. This is theCube here in Palo Alto, California. I'm John Furrier. You're watching security update, security news, breaking down the exploit, the zero-day flaw that was exploited at least one attack that was documented. Fortinet devices now identified and patched. This is theCube. Thanks for watching. (upbeat music)

>> Hey welcome back everybody. Jeff Frick here with theCUBE, we are on the ground in downtown San Francisco at the Google Next 17 Conference. It's this crazy conference week, and arguably this is the center of all the action. Cloud is big, Google Cloud Platform is really coming out with a major enterprise shift and focus, which they've always had, but now they're really getting behind it. And I think this conference is over 14,000 people, has grown quite a bit from a few years back, and we're really excited to have one of the powerhouse partners with Google, who's driving to the enterprise, and that's Intel, and I'm really excited to be joined by Raejeanne Skillern, she's the VP and GM of the Cloud Platform Group, Raejeanne, great to see you. >> Thank you, thanks for having me. >> Yeah absolutely. So when we got this scheduled, I was thinking, wow, last time I saw you was at the Open Compute Project 2015, and we were just down there yesterday. >> Yesterday. And we missed each other yesterday, but here we are today. >> So it's interesting, there's kind of the guts of the cloud, because cloud is somebody else's computer that they're running, but there is actually a computer back there. Here, it's really kind of the front end and the business delivery to people to have the elastic capability of the cloud, the dynamic flexibility of cloud, and you guys are a big part of this. So first off, give us a quick update, I'm sure you had some good announcements here at the show, what's going on with Intel and Google Cloud Platform? >> We did, and we love it all, from the silicon ingredients up to the services and solutions, this is where we invest, so it's great to be a part of yesterday and today. I was on stage earlier today with Urs Holzle talking about the Google and Intel Strategic Alliance, we actually announced this alliance last November, between Diane Green and Diane Bryant of Intel. And we had a history, a decade plus long of collaborating on CPU level optimization and technology optimization for Google's infrastructure. We've actually expanded that collaboration to cover hybrid cloud orchestration, security, IOT edge to cloud, and of course, artificial intelligence, machine learning, and deep learning. So we still do a lot of custom work with Google, making sure our technologies run their infrastructure the best, and we're working beyond the infrastructure to the software and solutions with them to make sure that those software and solutions run best on our architecture. >> Right cause it's a very interesting play, with Google and Facebook and a lot of the big cloud providers, they custom built their solutions based on their application needs and so I would presume that the microprocessor needs are very specific versus say, a typical PC microprocessor, which has a more kind of generic across the board type of demand. So what are some of the special demands that cloud demands from the microprocessor specifically? >> So what we've seen, right now, about half the volume we ship in the public cloud segment is customized in some way. And really the driving force is always performance per dollar TCO improvement. How to get the best performance and the lowest cost to pay for that performance. And what we've found is that by working with the top, not just the Super Seven, we call them, but the Top 100, closely, understanding their infrastructure at scale, is that they benefit from more powerful servers, with performance efficiency, more capability, more richly configured platforms. So a lot of what we've done, these cloud service providers have actually in some cases pushed us off of our roadmap in terms of what we can provide in terms of performance and scalability and agility in their infrastructure. So we do a lot of tweaks around that. And then of course, as I mentioned, it's not just the CPU ingredients, we have to optimize in the software level, so we do a lot of co-engineering work to make sure that every ounce of performance and efficiency is seen in their infrastructure. And that's how they, their data center is their cost to sales, they can't afford to have anything inefficient. So we really try to partner to make sure that it is completely tailor-optimized for that environment. >> Right, and the hyperscale, like you said, the infrastructure there is so different than kind of classic enterprise infrastructure, and then you have other things like energy consumption, which, again, at scale, itty bitty little improvements >> It's expensive. >> Make a huge impact. And then application far beyond the cloud service providers, so many of the applications that we interact with now today on a day to day basis are cloud-based applications, whether it is the G Suite for documents or this or that, or whether it's Salesforce, or whether we just put in Asana for task tracking, and Slack, and so many of these things are now cloud-based applications, which is really the way we work more and more and more on our desktops. >> Absolutely. And one of the things we look at is, applications really have kind of a gravity. Some applications are going to have a high affinity to public cloud. You see Tustin Dove, you see email and office collaboration already moving into the public cloud. There are some legacy applications, complex, some of the heavier modeling and simulation type apps, or big huge super computers that might stay on premise, and then you have this middle ground of applications, that, for various reasons, performance, security, data governance, data gravity, business need or IP, could go between the public cloud or stay on premise. And that's why we think it's so important that the world recognizes that this really is about a hybrid cloud. And it's really nice to partner with Google because they see that hybrid cloud as the end state, or they call it the Multi Cloud. And their Kubernetes Orchestration Platform is really designed to help that, to seamlessly move those apps from on a customer's premise into the Google environment and have that flow. So it's a very dynamic environment, we expect to see a lot of workloads kind of continue to be invested and move into the public cloud, and people really optimizing end-to-end. >> So you've been in the data center space, we talked a little bit before we went live, you've been in the data center space for a long, long time. >> Long time. >> We won't tell you how long. (laughing) >> Both: Long time. >> So it must be really exciting for you to see this shift in computing. There's still a lot of computing power at the edge, and there's still a lot of computing power now in our mobile devices and our PCs, but so much more of the heavy lift in the application infrastructure itself is now contained in the data center, so much more than just your typical old-school corporate data centers that we used to see. Really fun evolution of the industry, for you. >> Absolutely, and the public cloud is now one of the fastest growing segments in the enterprise space, in the data center space, I should say. We still have a very strong enterprise business. But what I love is it's not just about the fact that the public cloud is growing, this hybrid really connects our two segments, so I'm really learning a lot. It's also, I've been at Intel 23 years, most of it in the data center, and last year, we reorganized our company, we completely restructured Intel to be a cloud and IoT company. And from a company that for multiple decades was a PC or consumer-based client device company, it is just amazing to have data center be so front and center and so core to the type of infrastructure and capability expansion that we're going to see across the industry. We were talking about, there isn't going to be an industry left untouched by technology. Whether it's agriculture, or industrial, or healthcare, or retail, or logistics. Technology is going to transform them, and it all comes back to a data center and a cloud-based infrastructure that can handle the data and the scale and the processing. >> So one of the new themes that's really coming on board, next week will it be a Big Data SV, which has grown out of Hadoop and the old big data conversation. But it's really now morphing into the next stage of that, which is machine learning, deep learning, artificial intelligence, augmented reality, virtual reality, so this whole 'nother round that's going to eat up a whole bunch of CPU capacity. But those are really good cloud-based applications that are now delivering a completely new level of value and application sophistication that's driven by power back at the data center. >> Right. We see, artificial intelligence has been a topic since the 50s. But the reality is, the technology is there today to both capture and create the data, and compute on the data. And that's really unlocking this capabilities. And from us as a company, we see it as really something that is going to not just transform us as a business but transform the many use cases and industries we talked about. Today, you or I generate about a gig and a half of data, through our devices and our PC and tablet. A smart factory or smart plane or smart car, autonomous car, is going to generate terabytes of data. Right, and that is going to need to be stored. Today it's estimated only about 5% of the data captured is used for business insight. The rest just sits. We need to capture the data, store the data efficiently, use the data for insights, and then drive that back into the continuous learning. And that's why these technologies are so amazing, what they're going to be able to do, because we have the technology and the opportunity in the business space, whether it's AI for play or for good or for business, AI is going to transform the industry. >> It's interesting, Moore's Law comes up all the time. People, is Moore's Law done, is Moore's Law done? And you know, Moore's Law is so much more than the physics of what he was describing when he first said that in the first place, about number of transistors on a chip. It's really about an attitude, about this unbelievable drive to continue to innovate and iterate and get these order of magnitude of increase. We talked to David Floyer at OCP yesterday, and he's talking about it's not only the microprocessors and the compute power, but it's the IO, it's the networking, it's storage, it's flash storage, it's the interconnect, it's the cabling, it's all these things. And he was really excited that we're getting to this massive tipping point, of course in five years we'll look back and think it's archaic, of these things really coming together to deliver low latency almost magical capabilities because of this combination of factors across all those different, kind of the three horseman of computing, if you will, to deliver these really magical, new applications, like autonomous vehicles. >> Absolutely. And we, you'll hear Intel talk about Jevons Paradox, which is really about, if you take something and make it cheaper and easier to consume, people will consume more of it. We saw that with virtualization. People predicted oh everything's going to slow down cause you're going to get higher utilization rates. Actually it just unlocked new capabilities and the market grew because of it. We see the same thing with data. Our CEO will talk about, data is the new oil. It is going to transform, it's going to unlock business opportunity, revenue growth, cost savings in environment, and that will cause people to create more services, build new businesses, reach more people in the industry, transform traditional brick and mortar businesses to the digital economy. So we think we're just on the cusp of this transformation, and the next five to 10 years is going to be amazing. >> So before we let you go, again, you've been doing this for 20 plus years, I wasn't going to say anything, she said it, I didn't say it, and I worked at Intel the same time, so that's good. As you look forward, what are some of your priorities for 2017, what are some of the things that you're working on, that if we get together, hopefully not in a couple years at OCP, but next year, that you'll be able to report back that this is what we worked on and these are some of the new accomplishments that are important to me? >> So I'm really, there's a number of things we're doing. You heard me mention artificial intelligence many, many times. In 2016, Intel made a number of significant acquisitions and investments to really ensure we have the right technology road map for artificial intelligence. Machine learning, deep learning, training and inference. And we've really shored up that product portfolio, and you're going to see these products come to market and you're going to see user adoption, not just in my segment, but transforming multiple segments. So I'm really excited about those capabilities. And a lot of what we'll do, too, will be very vertical-based. So you're going to see the power of the technology, solving the health care problem, solving the retail problem, solving manufacturing, logistics, industrial problems. So I like that, I like to see tangible results from our technology. The other thing is the cloud is just growing. Everybody predicted, can it continue to grow? It does. Companies like Google and our other partners, they keep growing and we grow with them, and I love to help figure out where they're going to be two or three years from now, and get our products ready for that challenge. >> Alright, well I look forward to our next visit. Raejeanne, thanks for taking a few minutes out of your time and speaking to us. >> It was nice to see you again. >> You too. Alright, she's Raejeanne Skillern and I'm Jeff Frick, you're watching theCUBE, we're at the Google Cloud Next Show 2017, thanks for watching. (electronic sounds)