Hey, welcome to this CUBE Conversation with NetScout. I'm Lisa Martin, excited to talk to you, Richard Hummel, the manager of threat research for Arbor Networks, the security division of NetScout. Richard, welcome to theCUBE.

Thanks for having me, Lisa, it's a pleasure to be here.

We're going to unpack the sixth NetScout Threat Intelligence Report, which is going to be very interesting, but something I wanted to start with is we know that, and yes, you're going to tell us, COVID and the pandemic has had a massive impact on DDoS attacks, ransomware. But before we dig into the report, I'd like to just kind of get some stories from you. As we saw last year about this time, rapid pivot to work from home, rapid pivot to distance learning. Talk to us about some of the attacks that you saw in particular that literally hit close to home.

Sure, and there's one really good prime example that comes to mind because it impacted a lot of people. There's a lot of media sensation around this, but if you go and look, just Google it, Miami-Dade County and DDoS, you'll see the first articles that pop up are about the entire district school network going down because a student did not want to go to school and launched a DDoS attack. There was something upwards of 190,000 individuals that could no longer connect to the school's platform, whether that's a teacher, a student or parents. And so it had a very significant impact. And when you think about this in terms of the digital world, that impacted very severely a large number of people, and you can't really translate that to what would happen in a physical environment because it just doesn't compute. There are two totally different scenarios to talk about here.

Amazing that a child can decide, I don't want to go to school today, and as a result of a pandemic, take that out for nearly 200,000 folks. So let's dig into, as I said, this is the sixth NetScout Threat Intelligence Report.
One of the global trends and themes that is seen as evidence in what happened last year is up and to the right. Oftentimes when we're talking about technology, with analyst reports, up and to the right is a good thing. Not so in this case. We saw huge increases in threat vectors, more vectors weaponized per attack, sophistication, expansion of threats and IoT devices. Walk us through the overall key findings from 2020 that this report discovered.

Absolutely. And if you glance at your screen, you'll see the key findings here where we talk about record-breaking numbers. Just in 2020, we saw over 10 million attacks, which, I mean, this is a 20% increase over 2019. And what's significant about that number is COVID had a huge impact. In fact, if we go all the way back to the beginning, right around mid-March, that's when the pandemic was announced, attacks skyrocketed and they didn't stop. They just kept going up and to the right. And that is true through 2021. So far in the first quarter, typically January, February is the down month that we observe in DDoS attacks. Whether this is, you know, it's going back to school from Christmas break, you have the Christmas routines and e-commerce is slowing down. January, February is typically a slow month. That was not true in 2021. In fact, we hit record numbers month by month in both January and February. And so not only do we see 2.9 million attacks in the first quarter of 2021, which, I mean, let's do the math here, right? We've got four quarters. You know, we're on track to hit 12 million attacks potentially, if not more. And then you have this normal where we said 800,000 approximately month over month since the pandemic started. We started 2021 at 950,000 plus. That's up and to the right. And it's not slowing down.

It's not slowing down. It's a trend that shows, you know, significant impact across every industry.
And we're going to talk about that, but what are some of the new threat vectors that you saw weaponized in the last year? I mean, you talked about the example of the Miami-Dade School District, but what were some of those new vectors that were really weaponized and used to help this up and to the right trend?

So there's four in particular that we were tracking in 2020. And these aren't necessarily new vectors. Typically what happens when an adversary starts using this is there's a proof of concept out there. In fact, a good example of this would be the RDP over UDP. So, I mean, we're all remotely connected, right? We're doing this over a Zoom call. If I wanna connect to my organization, I'm gonna use some sort of remote capability, whether that's a VPN or tunneling in, whatever it might be, right? And so remote desktop is something that everybody's using. And we saw actors start to kind of play around with this in mid-2020, and right around the September, November timeframe, we saw a sudden spike. And typically when we see spikes in this kind of activity, it's because adversaries are taking proof of concept code that maybe has been around for a period of time and they're incorporating those into DDoS-for-hire services. And so any person that wants to launch a DDoS attack can go into underground forums and marketplaces and they can purchase, maybe it's $10 in Bitcoin, and they can purchase an attack that leverages a bunch of different DDoS vectors. And so adversaries have no reason to remove a vector as new ones get discovered. They only have the motivation to add more, right? Because somebody comes into their platform and says, I wanna launch an attack that's gonna take out my opponent. It's probably gonna look a lot better if there's a lot of attack options in there where I can just go through and start clicking buttons left and right.
So all of a sudden, now I've got this complex multi-vector attack that I don't have to pay anything extra for; adversaries already did all the work for me. And now I can launch an attack. And so we saw four different vectors that were weaponized in 2020. One of those is notably the Jenkins vector that you see listed on the screen in the key findings. That one isn't necessarily a DDoS vector. It started out as one, it does amplify, but what happens is Jenkins servers are very vulnerable and when you actually initiate this attack, it tips over the Jenkins server. So it kind of operates like a DoS event versus DDoS, but it still had the same effect on availability. It takes a server offline. And then now just in the first part of 2021, we're tracking multiple other vectors that are starting to be weaponized. And when we see this, we go from a few incidents or alerts to thousands, month over month. And so we're seeing even more vectors added and that's only going to continue to go up and to the right, you know, that theme that we talked about at the beginning here, as more vectors get added.

And what did you see last year in terms of industries that may have been more vulnerable? As we talked about the work from home, everyone was dependent, really. Here we are on Zoom, dependent on Zoom, dependent on Netflix; streaming media was kind of a lifeline for a lot of us, but also was healthcare and education. Did you see any verticals in particular that really started to see an increase in the exploitation and in the risk?

Yeah, so let's separate this into two parts. The last part of the key findings that we had was talking about a group we track, a campaign we call Lazarus Bear Armada. So this is a global DDoS extortion campaign. We're going to cover that a little bit more when we talk about kind of extortion events and how that operates, but these guys, they started where the money is.
And so when they first started targeting industries, and this kind of coincides with COVID, though it started several months after the pandemic was announced, they started targeting financial organizations, commercial banking, they went after stock exchanges. Many of you would have heard about the New Zealand stock exchange that went offline. That's this LBA campaign, these guys taking it offline. So they started where the money is. They moved to financial agitation, targeting insurance companies. They started on currency exchange places. And then slowly from there, they started to expand. And in so much as our Arbor Cloud folks actually saw them targeting organizations that are part of vaccine development. And so these guys, they don't care who they hurt. They don't care who they're going after. They're going out there for a payday. And so that's one aspect of the industry targeting that we've seen. The other aspect is you'll see on the next slide here, we actually saw a bunch of different verticals that we really haven't seen in the top 10 before. In fact, if you actually look at this, you'll see that number one, two and three are pretty common for us. We almost always are going to see these kinds: telecommunications, wireless, satellite, broadband, these are always going to be in the top. And the reason for that is because gamers and DDoS attacks associated with gaming is kind of the predominant thing that we see in this landscape. And let's face it, gamers are on broadband. If you're in Asian communities, often they'll use mobile hotspots. So now you start to have wireless come in there. And so that makes sense seeing that. But what doesn't make sense is this internet publishing and broadcasting. And you might say, well, what is that? Well, that's things like Zoom and WebEx and Netflix and these other streaming services.
And so we're seeing adversaries going after that because those have become critical to people's way of life, their entertainment, what they're using to communicate for work and school. So they realize, if we can go after this, it's going to disrupt something. And hopefully we can get some recognition, maybe we can show this as a demonstration to get more customers on our platform, or maybe we can get a payday. In a lot of the DDoS attacks that we see, in fact, most of them are all monetary focused. And so they're looking for a payday. They're going to go after something that's going to likely send out that payment. And then just walk down the line. You can see COVID through this whole thing: electronic shopping is number five, right? Everybody turned to e-commerce because we're not going to in-person stores anymore. Electronic computer manufacturing: how many more people have to get computers at home now because they're no longer in a corporate environment. And so you can see how the pandemic has really influenced this industry targeting.

Significant influence there. And I also wonder too, Zoom became a household name for every generation. We're talking five generations, and maybe the generations that aren't as familiar with computer technology might be even more exploitable because it's easy to click on a phishing email when they don't understand how to look for the link. Let's now unpack the different types of DDoS attacks and what is on the rise. You talked about in the report, the triple threat. We often think of that in entertainment. That's a good thing, but again, not here. Explain that triple threat.

Yeah, so what we're seeing here is we have adversaries out there that are looking to take advantage of every possible angle to be able to get that payment. And everybody knows ransomware is a household name at this point, right?
And so ransomware and DDoS have a lot in common because they both attack the availability of network resources or computers or devices or whatever they might be. And so there's a lot of parallels to draw between the two of these. Now ransomware is a denial of service event, right? You're not going to have tens of thousands of computers hitting a single computer to take it down. You're going to have one exploitation event. Somebody clicked on a link. There was a brute force attempt that managed to compromise access, credentials, whatever it might be. Ransomware gets deployed on a system and encrypts all your files. Well, all of a sudden you've got this ransom note that says, if you want your files decrypted, you're going to send us this amount of payment in Bitcoin. Well, what adversaries are doing now is they're capitalizing on the access that they already gained. So they already have access to the computer. Well, why not steal all the data first, then let's encrypt whatever is there. And so now I can ask for a ransom payment to decrypt the files and I can ask for an extortion payment to prevent me from posting your data publicly. Maybe there's sensitive corporate information there. Maybe you're a local school system and you have all of your students' data on there. You're a hospital that has sensitive PII, whatever it might be, right? So now they're going to extort you to prevent them from posting that publicly. Well, why not add DDoS to this entire picture? And now you're already encrypted. We've already got your files and I'm going to DDoS your system so you can't even access them if you wanted to. And I'm going to tell you, you have to pay me in order to stop this DDoS attack. And so this is that triple threat. And we're seeing multiple different ransomware families. In fact, if you look at one of the slides here, you'll see that there's SunCrypt, there's RagnarCryptor, and then Maze did this initially back in September.
And then more recently, even the DarkSide stuff. I mean, who hasn't heard about DarkSide now with the Colonial Pipeline event, right? So they came out and said, hey, we didn't intend for this collateral damage, but it happened. Well, April 24th, they actually started offering DDoS as part of their toolkits. And so you can see how this has evolved over time and adversaries are learning from each other and they're incorporating this kind of methodology, and here we have a triple extortion event.

Really seems like triple extortion event as a service, with the opportunities, the number of vectors there. And you're right, everyone has heard of the Colonial Pipeline, and that's where things like ransomware become a household term just as much as Zoom and video conferencing and streaming media. Let's talk now about the effects that the threat report saw and uncovered region by region. Were there any regions in particular that really stood out as most impacted?

So not particularly. So one of the phenomena that we actually saw in the threat report, which we probably could have talked about before now, but it makes sense to talk about it regionally, is we didn't see any one particular region, one particular vertical, a specific organization, a specific country; none was more heavily targeted than another. In fact, what we saw is organizations that we've never seen targeted before. We've seen industries that have never been targeted before all of a sudden are now getting DDoS attacks because we went from a local on-prem, I don't need to be connected to the internet, I don't need to have my employees remote access. And now all of a sudden you're dependent on the internet, which really, let's face it, that's critical infrastructure these days. And so now you have all of these additional people with a footprint connected to the internet that an adversary can figure out and they can poke at.
And so what we saw here is just overall, all industries, all regions saw these upticks. The exception would be in China, or the Asia-Pacific region specifically, but predominantly in China, but that often has to do with visibility rather than a decrease in attacks because they have their own infrastructure in China. Brazil's the same way. They have their own kind of ecosystems. And so often you don't see what happens a lot outside the borders. And so from our perspective, we might see a decrease in attacks, but for all we know, they actually saw an increase in attacks that is internal to their country, against their country. And so across the board, just increases everywhere you look.

Wow. So let's talk about what organizations can do in light of this. As we are here, we are still doing this program by video conferencing, and things are opening up a little bit more, at least in the States anyway. And we're talking about more businesses going back to some degree, but there's going to still be some mix, some hybrid of working from home and maybe even distance learning. So what can enterprises do to prepare for this when it happens? Because it sounds to me like with the sophistication, the up and to the right, it's not if we get attacked, it's when.

It's when, exactly. And that's just it. And it's no longer something that you can put off. You can't just assume that I've never been DDoS attacked and I'm never going to be DDoS attacked. You really need to consider this as part of your core security platform. I like to talk about defense in depth or a layered defense approach, where you want to have a layered approach. So maybe they target your first layer and they don't get through, or they do get through and now your second layer has to stop it. Well, if you have no layers or if you have one layer, it's not that hard for an adversary to figure out a way around that. And so preparation is key, making sure that you have something in place.
And I'm going to give you an operational example here. One of the things we saw with the LBA campaigns is they actually started doing network reconnaissance for their targets. And what they would do is they would take the IP addresses belonging to your organization. They would look up the domains associated with that and they would figure out like, hey, this is vpn.organization.com or vpn2. And all of a sudden they found your VPN concentrator. And so that's where they're going to focus their attack. So something as simple as changing the way that you name your VPN concentrators might be sufficient to prevent them from hitting that link, or right-sizing the DDoS protection services for your company. Do you need something as big as on-prem solutions? We need hardware. Do you instead want to do a managed service, or do you want to go and talk to your provider? Because there's right solutions and right sizes for all types of organizations. And the key here is preparation. In fact, all of the customers that we've worked with for the LBA extortion campaigns, if they were properly prepared, they experienced almost no downtime or impact to their business. It's the people like the New Zealand Stock Exchange, or their service provider that wasn't prepared to handle the attacks that were sent at them, that were crippled. And so preparation is key. The other part is awareness. And that's part of what we do with this threat report. We want to make sure you're aware what adversaries are doing, when new attack vectors are coming out, how they're leveraging these, what industries they're targeting, because that's really going to help you to figure out what your posture is, what your risk acceptance is for your organization. And in fact, there's a couple of resources that we have here on the next slide. And you can go to both of these. One of them is the threat report. You can view all of the details, and we only scratched the surface here in this interview.
So definitely recommend going there. But the other one is called Horizon. And netscout.com/horizon is a free resource you can register for, but you can actually see near real-time attacks based on industry and based on region. So if your organization is out there and you're figuring, well, I'm never attacked, well, go look up your industry. Go look up the country where you belong and see, is there actually attacks against this? And I think you'll be quite surprised that there's quite a few attacks against you. And so definitely recommend checking these out.

Great resources, netscout.com/horizon, netscout.com/threatreport. I do want to ask you one final question. That's in terms of timing. We saw the massive acceleration in digital transformation last year. We've already talked about this a number of times on this program, the dependence that businesses and consumers, like globally, in every industry, in every country, have on streaming, on communications right now. In terms of timing though, for an organization to go from being aware, to understanding what adversaries are doing, to being prepared, how quickly can an organization get up to speed and help themselves start reducing their risk?

So I think that with DDoS, as opposed to things like ransomware, the ramp-up time for that is much, much faster. There is a finite period of time with DDoS attacks that is actually going to impact you. And so maybe you're a small organization and you get DDoS attacked. There's a pretty high chance that DDoS attack isn't going to last for multiple days. So maybe it's like an hour, maybe it's two hours, and then you recover. Your network resources are available again. That's not the same for something like ransomware. You get hit with ransomware, unless you pay or you have backups, you have to do the rigorous process of getting all your stuff back online. DDoS is more about, as soon as the attack stops, that saturation goes away and you can start to get back online again.
So it might not be as immediately critical that you have to have something, but there's also solutions like a cloud solution where it's as simple as signing up for the service and having your traffic redirected to their scrubbing center, their detection center. And then you may not have to do anything on-prem yourself. It's a matter of going out to an organization, finding a good contract and then signing up, signing on the dotted line. And so I think that the ramp-up time for mitigation services and DDoS protection can be a lot faster than many other security platforms and solutions.

That's good to know, because with the up and to the right trend that you said, the first quarter is usually slow. It's obviously not in that way, as what you've seen in 2021, and we can only expect, when we talk to you next year, that the up and to the right trend may continue. So hopefully organizations take advantage of these resources, Richard, that you talked about, to be prepared to mitigate and protect their customers, their employees, et cetera. Richard, we thank you for stopping by theCUBE and talking to us about the sixth NetScout Threat Intelligence Report, really interesting information.

Absolutely, it's definitely a pleasure to be here. Lisa, anytime you guys want to do it again, you know where I live.

Yes, it's one of my favorite topics. So you got it, and I got to point out the last thing, your Guardians of the Galaxy background, one of my favorite movies. And it should be noted that on the NetScout website, they are considered the guardians of the connected world. I just thought that connection was, as Richard told me before we went live, not planned, but I thought that was a great coincidence. Again, Richard, it's been a pleasure talking to you. Thank you for your time.

Thank you so much.

For Richard Hummel, I'm Lisa Martin. You're watching this CUBE Conversation.