Welcome to this CUBE conversation. I'm Lisa Martin. I'm joined by Aamir Lakhani, the lead researcher and cybersecurity expert at FortiGuard Labs at Fortinet. Aamir, welcome back to theCUBE.

It's always good to be back on.

It is, even though we're still in this work-from-anywhere environment, and that's one of the things that I want to talk to you about. We're in this environment now. I've lost count, 16 months, 17 months, and we now have this distribution of folks still working from home, maybe some in the office, and a good portion that probably want to remain remote. And one of the things that you guys have seen in this time is this huge uptick in the sophistication of phishing attacks. Talk to me about what's going on.

You know, it's funny that you mention that, Lisa. Every attack that I've seen in the last 16 months usually has a phishing component. And over the last, even just the last couple of weeks, we've seen some really sophisticated attacks against industrial control systems, against critical infrastructure, against large corporations, government entities, and almost every one of those attacks, whether it's a ransomware attack, whether it's a denial-of-service attack, usually has a phishing component. And the sad part is, usually the initial attack vector, how attackers are getting into the network, a lot of times the first step is through phishing. And you know, it works. It's a method that has always worked. It works just as well today as it always did. So attackers are basically going back to it and making their phishing attacks more complicated, more sophisticated, and it's much more effective than it ever used to be.

Tell me how they're making it more sophisticated. Because I know I've seen interesting examples through Twitter, for example, of people that are very well versed, you might even consider them cybersecurity experts, who've just almost fallen for a phishing email that looks so legitimate. How is it getting more sophisticated?

Well, what attackers are doing is they're definitely playing on your emotions. They understand that there's a lot of things happening in the world. And sometimes we get a little emotional about it, whether it's, hey, how do you get the latest vaccine? Maybe information around getting jobs, going back to work. LinkedIn is a good example. A lot of people are looking for jobs. When the US elections were happening, there were a lot of phishing attacks around political donations and affiliations. They kind of find these hot-button items where they know people are really not gonna think first about security and really think like, hey, how do I respond back to this? And really attack them that way. The other thing that we're seeing on how it's getting complicated is, a phishing attack used to be pretty simple, like click on a link. Now what they're doing is they're actually targeting organizations and what you do as a job. For example, I've seen a lot of phishing attacks against HR, human resources departments. And I feel sad for anyone in human resources because their job all day is to basically open files and emails from strangers. And that's what attackers are doing. They're like, hey, I'm gonna apply for a cybersecurity position. And by the way, my resume is encrypted. Please click on this link to see the secure version of my resume. And when they do that, the HR person may be thinking, hey, this is a cybersecurity guy. Like, good, he's actually sending me an encrypted link. In reality, when they click on that button, it's attacking their machine and actually getting into the organization. So they're using more and more tricks to actually technically bypass the security tools you may have.

So getting more sophisticated by preying on emotions and also using technology and things that a person, like you said, would think, great, this is the level of sophistication that this applicant has. How do organizations start reducing those attacks, reducing those that are falling victim to these attacks?

Yeah, so I think, at Fortinet, we always mention, like at FortiGuard Labs, that training and security awareness are some of the best ways you can protect against this attack. At Fortinet, we have our Training Advancement Agenda. That's at fortinet.com/training/TAA. Basically what that does, we emphasize, what we preach, is that training is the key and education is the key in helping protect against those attacks. And you can train anyone these days, to at least some level of awareness. My mom used to call me up and she used to tell me, like, hey, I got the IRS calling me. Should I answer these questions? I was like, no, absolutely not. Like, this is dangerous. The IRS doesn't call you up asking you for a credit card number. I actually had my mom go through level one of our training and she actually gets it. She's like, okay, I get why I shouldn't answer the questions from the IRS now. So I think any type of training you can give to anyone, and you can start it off with people in high school, with people in elementary school, all the way up to professionals, I think it helps at all levels.

So first of all, your mom sounds like my mom and I need to get my mom to do this training. I really do. But one of the things that that kind of highlights is the fact that there are five generations in the workforce. So, in every industry, there is a huge variety of people that understand technology and know to be suspicious. And that's one of the things I think that's challenging for organizations, because if a lot of that responsibility falls on the person, the more sophisticated, the more personalized this phishing email is, the more likely I am to think this is legitimate instead of questioning it. So that training that you're talking about, tell me a little bit more about that. You mentioned a variety of ages and generations, that folks as young as high school kids and then folks in our parents' generation can also go on and learn how to navigate through basic emails, for example, to see what to look for.

Yeah, it's not only emails. So attackers, like I said, they are getting sophisticated. We are seeing phishing attacks not only through emails, but through applications, mobile applications. There are actually some advanced phishing techniques now on smart speakers. When you ask your smart speaker for a certain skill, like, hey, tell me my balance, tell me what the weather is, there are some phishing attacks there. So there are phishing attacks all across the board. Obviously, when we talk about phishing, we're mostly talking about email attacks, but every generation kind of has their tools, kind of has their techniques or apps that they're comfortable with. So, and we're trained, like a lot of my friends are trained to basically click on any app, download any app. They don't really read the pop-ups that say, do you want to share information? They'll just start sharing information. People in the workforce, sometimes they're not paying attention, they're just clicking on emails. And attackers realize this. Most of the time when attacks happen, it's not when you're paying attention. It's like when we're on our Zoom calls and we're actually looking at our phones, looking at emails, multitasking, and that's when your attention kind of diverts a little bit. And that's when attackers are really jumping in and are really trying to take advantage of that situation. And I think that's a good idea about the training, because it opens up your eyes to understand, hey, it's more than just emails. It's really that every way we use technology can be a vector for how we get attacked. And we have a couple of good examples on that as well.

Let's talk about that, because I want to see how easy it is for the bad actors to create phishing attacks. You were saying it's not just email, it's through apps, it's through my smart speaker, which is one of the reasons I don't have one. But talk to me about how easy it is for them to actually set these up.

Yeah, so I think we have a demo we can show, an example that we can show of what's going on. And what I'm showing here is basically how easily you can download proof-of-concept apps. What I'm showing here is actually a defensive tool. It's for defenders and people that want to test their security, on testing phishing and how susceptible the organization may be to phishing. But you can see attackers could do something very similar. This tool is called BlackEye. And what it does is it allows me to create multiple different types of phishing websites. I can create a custom one or I can use a template that's already created. Once I use this template, for example, I'm using the LinkedIn template here, it's going to create a website for me. This website I can embed into a link. If I was potentially a bad guy, I could hide it behind a link. I could potentially change the website to make it look more like LinkedIn. But when I go to the fake LinkedIn website, this phishing website, which is hosted, you'll see it kind of looks like LinkedIn. It actually has that little security box, the little green box, because it generates a certificate as well. And when I go to the real LinkedIn website, yes, the real LinkedIn website does look a little different. It's using a more updated template, a more updated website. But most people aren't going to notice the difference between the real LinkedIn website and here where we have the fake LinkedIn website. And I'll just show you, like, if I log in, and I'm going to log in with a demo account, this is actually a honeypot demo account that we have just to showcase this tool. But I'll log in here and you'll see from our test box, as soon as we log in and we go back to the attacker's point of view, he's captured the username, the password, but not only that, he has the IP address, the ISP, the location of where the victim is coming from. So they have a lot of different types of information that they've captured. And this is just one simple way of doing an attack. Now, one thing to remember, I know I speak very fast, but at the same time, this is real time. I didn't copy and paste anything. I just recorded this in real time and replayed this. And this is how easy it is for an attacker to potentially start setting up a system where they can attack victims.

That's remarkable, because I mean, I'm in LinkedIn every day, and you talked about it, we're all busy multitasking and things like that. I don't know that I would have noticed anything that should have caught my attention. So what would I know to look for as a user, as a potential victim? How do I look for something on that page to tell me, think twice about this?

Yeah, it's getting much more difficult these days. I mean, one of the things that I do is I try and make sure I type in the addresses, especially when I get links in emails. I try not to just click on the link directly. I try and look at what's behind that link. Is it really going to the LinkedIn website? I'll try and go ahead and type in the website in the web browser. But mostly, I think the thing that we can all do to protect ourselves is kind of slow down. One of the reasons I mentioned LinkedIn is not because LinkedIn is doing anything bad. They're actually taking a lot of precautions on being secure. But people these days are very emotional. They're going back to work, maybe looking for new jobs, or they're trying to get back into the workforce after a pandemic. So there are a lot of people that are getting phishing attacks from attackers, and it's a really mean thing. They're taking, once again, advantage of that emotion, like someone needs a job, so let me go ahead and send them a LinkedIn link, and this time they're just stealing their username and password.

That's remarkable. I think another thing you can do, can you hover over the link? And if it looks suspicious, if it doesn't go to linkedin.com, for example, in this case, that's one way, right? To check out what that actual URL is.

Yeah, absolutely. And that's a great way of doing that. So we definitely recommend that. Hover over the link, look over the links, type in the links directly if you can. And you can see, attackers are getting sophisticated. We used to tell people to look for that green lockbox. Attackers can now generate that green lockbox. So you have to do a little more due diligence, just keep your eyes a little sharper these days.

Do you think phishing is, and I know a lot of us understand what it is, but do you think it's as common? Ransomware was up, I think Derek told me, 7X in the second half of calendar year 2020. Is phishing becoming more of a household word like ransomware is? Or is that something that you think actually will help more organizations and more people and more generations be just more aware of, let me just take a step back and check that this is legitimate?

Yeah, so phishing, you have to remember, is like the initial attack. So in the demo that I just showed you, you could say the true attack was me possibly stealing the username and password, but phishing would be the way that someone would get to that, like by essentially mimicking the LinkedIn website as I showed in the example. So ransomware is an attack. It's the main attack usually, the attack that attackers are going for, but how they get into the system is usually through a phishing site. They'll usually try and phish your username and password to your corporate side, maybe your VPN services or your remote desktop services. So phishing is usually in conjunction with another attack. And that's the scary part: attackers have a lot of attacks they can choose from, but the attack that they're normally conducting to get that initial access to your system is phishing.

So besides training, which is obviously absolutely critical, how can organizations protect themselves against this threat landscape that I imagine is only going to continue to grow?

Yeah, no, it's definitely going to continue to grow. As I said, I really believe education is the best thing you can do, but on top of that, I would say cyber hygiene, the basic things that we always mention every time: make sure your security products are up to date, make sure they're installed, make sure your patches are up to date, which is very difficult, but that does start helping things. Make sure you're using the latest version of your web browsers. A lot of web browsers these days have some sort of anti-phishing type of tools in them as well, especially for websites, so they can kind of detect things. There are, once again, a lot of even free plugins, security plugins, that are available that detect a lot of phishing sites as well. So there are a lot of things I think people can do to protect themselves from a technology standpoint with basic cyber hygiene, as well as security awareness.

So you think this is really preventable, essentially?

I don't think it's 100% preventable, because I think attackers are always gonna take advantage of those times when our emotions are heightened, and they're gonna take advantage of just us sometimes not paying as much attention as we can, but I think we can definitely reduce that attack surface the more we educate ourselves.

Absolutely. Tell me that training website again.

Sure. It's basically fortinet.com/training/TAA.

Excellent, and can you access different levels? Like if I literally point my mom to that website, can she access something that would be at her 75-year-old brain level?

Absolutely, so we have different levels out there. I would suggest that everyone should try basically level one, NSE Level 1. That's from our security institute. So that's really good awareness for everyone on all sorts of different levels, but we have training geared towards specific individuals and different age groups as well.

Excellent, and it's one of those things that culturally is difficult, I think, for Americans: slow down, right? We don't do that, especially when people are still working from home, and probably now it's summertime, kids are out of school, things are a little bit more chaotic. But that best practice of an organization really keeping up with their cyber hygiene, and us as individuals slowing down, checking something, is really some of the best ways. This is such an interesting topic. Thank you for showing us how easy it is to create phishing attacks and what some of the things are that we as individuals and companies can do to protect ourselves against it.

Hey, no problem, glad to be here.

For Aamir Lakhani, I'm Lisa Martin. You're watching this CUBE conversation.