As we've been reporting, the pandemic has called CISOs to really shift their spending priorities towards securing remote workers. Almost overnight, zero trust has gone from buzzword to mandate. What's more, as we wrote in our recent cybersecurity Breaking Analysis, not only must SecOps pros secure an increasingly distributed workforce, but now they have to be wary of software updates in the digital supply chain, including the very patches designed to protect them against cyber attacks. Hello everyone and welcome to this CUBE Conversation. My name is Dave Vellante and I'm pleased to welcome Derek Manky, who's Chief of Security Insights and Global Threat Alliances for FortiGuard Labs, with fresh data from its Global Threat Landscape Report. Derek, welcome, great to see you.

Thanks so much for the invitation to speak. It's always a pleasure, a lot to cover.

Yeah, you're welcome. So first, I wonder if you could explain for the audience, what is FortiGuard Labs and what's its relationship to Fortinet?

All right, so FortiGuard Labs is our global SOC. It's our Global Threat Intelligence Operations Center. It never sleeps and never misses a beat. You know, it's been here since inception at Fortinet. So it's 21 years in the making, since Fortinet was founded. We have built this in-house, so we don't OEM technology. We've built everything from the ground up, including creating our own training programs for our analysts when we're following malware, following exploits. We even have a unique program that I created back in 2006. It's an ethical hacking program, and it's zero-day research. So we try to beat the hackers, the bad guys, at their game. And we, of course, do that responsibly, to work with vendors, to close holes and create virtual patches. And so it's everything from customer protection for us, first and foremost, to following the threat landscape and cyber criminals.
It's very important to understand who they are, what they're doing, who they're targeting, what tools they're using.

Yeah, that's great. Some serious DNA and skills in that group. And it's critical because, like you said, you can minimize the spread of that malware very, very quickly. So now you have the Global Threat Landscape Report. We're going to talk about that, but what exactly is that?

Right, so this Global Threat Landscape Report, it's a summary of all the data that we collect over a period of time. So we release this bi-annually, two times a year. Cyber crime is changing very fast, as you can imagine. So while we do release security blogs and what we call threat signals for breaking security events, we have a lot of other vehicles to release that intelligence, but this Threat Landscape Report is truly global. It looks at all of our global data. So we have over five million sensors worldwide at FortiGuard Labs. We're processing, I know it seems like a very large amount, but north of 100 billion threat events in just one day. And we have the task of taking all of that data, scaling that up to half a year, and compiling that into something that is digestible. That's a very tough task, as you can imagine. So to do that we have to work with huge technology backends, machine learning and artificial intelligence, automation and, of course, our analysts.

Yes, so this year, of course, like every year, it was a battle, but this year was an extra battle. Can you explain what you saw in terms of the hacker dynamics over the past, let's say, 12 months? I know you do this twice a year, but what trends did you see evolving throughout the year, and what have you seen with the way that attackers have exploited this expanded attack surface outside of corporate networks?

Yeah, it's quite interesting. Last year certainly was not normal, like we all say. And that was no exception for cybersecurity.
You know, if we look at cyber criminals and how they pivoted and adapted to the threat landscape, cyber criminals are always trying to take advantage of the weakest link in the chain. They're always trying to prey on fear and ride waves of global trends and themes. We've seen this before in natural disasters, as an example, trying to do charity scams and campaigns. And they're usually limited to a region where that incident happened. And they usually live about two to three weeks, maybe a month at the most. And then they'll move on to the next trend that's breaking. Of course, because COVID was so global and dominant, we saw attacks coming in in well over 40 different languages, as an example, in regions all across the world. That wasn't lasting two to three weeks. It lasted for the better part of the year. And of course, they're using this as a vehicle, right? Preying on the fear, they're doing everything from initial lockdown phishing lures, COVID-19 lures, to layoff notices, then to phase one reopenings, all the way up to, fast forward to where we are today, with vaccine rollout and development. So there's always that new flavor and new theme that they were rolling out. But because it was so successful for them, they didn't have to innovate too much, right? They didn't have to expand and shift to new trends and themes, or really develop new ransomware families, as an example, or new sophisticated malware. That was the first half of the year. In the second half of the year, of course, people started to experience COVID fatigue, right? People started to become, and we did a lot of education around this, people started to become more aware of this threat. And so cyber criminals started to, as we expected, become more sophisticated with their attacks. And so on expansion into different ransomware families, we saw more of a shift of focus on targeting the digital supply chain, as an example. And so that was really towards Q4.
So it was a long-lived year with success on the COVID themes. Targeting healthcare, as an example, a lot of the organizations that were really in a vulnerable position, I would say.

So, okay, I want to clarify something. My assumption was that they actually did really increase the sophistication, but it sounds like that was kind of a first half trend. Not only did they have to adapt, not have to, but they adapted to these new vulnerabilities. My sense was that when you talk about the digital supply chain, that that was a fairly sophisticated attack. Am I getting that right, that they did their increased sophistication in the first half, and then they deployed it? What actually happened there from your data?

Well, if we look at, so generally there's two types of attacks that we look at. We look at the premeditated sophisticated attacks that can have a lot of ramp-up work on their end, a lot of time developing the weaponization phase. So developing the exploits, the sophisticated malware that they're going to use for the campaign, reconnaissance, understanding the targets, where platforms are developed, blueprinting the DNA of the supply chain. Those take time, in fact, years. Even if we look back to 10 plus years ago with the Stuxnet attacks, as an example, that was on nuclear centrifuges, and that had four different zero-day weapons at the time. That was very sophisticated. That took over two years to develop, as an example. So some of these can take years of time to develop, but they're very specific in terms of the targets that they're going to go after, and obviously the ROI from their end. The other type of attack that we see is this ongoing, these broad, wide-sweeping attacks. And the reality for those ones is they don't, unfortunately, need to be too sophisticated. And those ones were the ones I was talking about that were really just playing on the COVID theme.
And they still do today with the vaccine rollout and development, but it's really because they're just playing on social engineering, using topical themes. And in fact, the weapons they're using, these vulnerabilities, from our research data, and this was highlighted actually in the first-half landscape report last year, on average are two to three years old. So we're not talking about fresh vulnerabilities where we've got a patch right away. I mean, these are things that should have been patched two years ago, but they're still, unfortunately, having success with that.

So you mentioned Stuxnet as the former sort of example of the types of attacks that you see. I always felt like that was a watershed moment, one of the most sophisticated, if not the most sophisticated, attack that we'd ever seen. When I talked to CISOs about the recent government hack, they suggest, I infer, maybe they don't suggest it, I infer that it was of similar sophistication. It was maybe thousands of people working on this for years and years and years. Is that accurate or not necessarily?

Yeah, there's definitely some comparisons there. One of the largest things is both attacks used digital certificate impersonation. So they're digitally signed. So of course, that whole technology, using cryptography, is by design meant to say that this piece of software installed on your system has a certificate, it's coming from the source, it's legitimate. Of course, if that's compromised, that's all out the window. And yeah, this is what we saw in both attacks. In fact, looking at Stuxnet, they also had digitally signed certificates that were compromised. So when it gets to that level of sophistication, that means definitely that there's a target, and there's been months of homework done by cyber criminals for reconnaissance to be able to weaponize that.

What did you see with respect to ransomware? What were the trends there over the past 12 months?
I've heard some data and it's pretty scary, but what did you see?

Yeah, so ransomware is always the thorn in our side, and it's gonna continue to be so. In fact, ransomware is not new itself. It was actually first created in 1989, and they demanded ransom payments through snail mail. This was to a P.O. box. Obviously that didn't take off, wasn't successful, the internet was just being born at the time. But if you look at now, of course, over the last 10 years really, the ransomware model has been lucrative, right? I mean, it's been using force, encrypting data on systems so that users had to, they were forced to pay the ransom because they wanted access to their data back. Data was the target currency for ransomware. That's shifted now. And that's actually been a big pivot over the last years. So because again, before it was this, let's cast a wide net, infect as many people as we can randomly and try to see if we can hold some of their data for ransom. For some people that data may be valuable, may not be valuable. And that model still exists, and we see that. But really the big shift that we saw last year in the threat landscape report was a shift to targeted ransom. So again, the sophistication is starting to rise because they're not just going after random data, they're going after data that they know is valuable to large organizations. And they're taking that a step further now. So there's various ransomware families we saw that have now reverted to extortion and blackmail. So they've taken that data, encrypted it, and said, unless you pay us this large sum of money, we're going to release this to the public or sell it to a buyer on the dark web. And of course you can imagine the amount of damage that can happen from that. The other thing we're seeing is ransom targeting going to revenue services. So if they can cripple networks, it's essentially a denial of service.
They know that the company is going to be bleeding X millions of dollars a day, so they can demand $5 million in ransom payments. And that's effectively what's happening. So it's again becoming more targeted and more sophisticated. And unfortunately the ransom's going up.

Yeah, they go to where the money is. And of course your job is to lower the ROI for them. This is a constant challenge. We talked about some of the attack vectors that you saw this year that cyber criminals are targeting. I wonder if, given the work from home, if things like IoT devices and cameras and thermostats, with 75% of the workforce at home, is this infrastructure more vulnerable? I guess of course it is, but what did you see there in terms of attacks on those devices?

Yeah, so unfortunately the attack surface, as we call it, so the amount of target points, is expanding. It's not shifting, it's expanding. We still see, as I mentioned earlier, vulnerabilities from two years ago that are being used. In some cases, over the holidays for e-commerce, we saw e-commerce heavily under attack, and e-commerce has spiked since last summer, right? It's been a huge amount of traffic increase. Everybody's shopping from home. And those vulnerabilities going after shopping cart plugins, as an example, are five to six years old. So we still have this theme of old vulnerabilities still being new, in a sense, being attacked. But we're also now seeing this complication of, yeah, as you said, IoT being rolled out everywhere and the really quick shift to work from home. We really have to treat this as the distributed branch model for enterprise, right? And it's really now the secure branch: how do we take any of these devices on those networks and secure them? Because, yeah, if you look at what we highlighted in the landscape report and the top 10 attacks that we're seeing, so hacking attacks, hacking attempts, this is what our IPS triggers on, we're seeing attempts to go after IoT devices.
Right now, they're mostly favoring, well, in terms of targets, consumer-grade routers. But they're also looking at DVR devices, as an example, for home entertainment systems, network attached storage as well, and IP security cameras. Some of the newer devices, the quote unquote smart devices that are now on virtual assistants and home networks, we actually released a predictions piece at the end of last year as well. So this is what we call the new intelligent edge. And that's what I think we're really going to see this year in terms of what's ahead. We always have to look ahead and prepare for that. But yeah, right now, unfortunately, the story is all of this is still happening, IoT is being targeted. Of course they're being targeted because they're easy targets. For cyber criminals, it's like shooting fish in a barrel. There's not just one, but there's multiple vulnerabilities, security holes associated with these devices, easy entry points into networks.

I mean, attackers, they're highly capable, they're organized, they're well-funded, they move fast, they're agile, and they follow the money, as we were saying. You mentioned vaccines and big pharma, healthcare. Where did you see advanced persistent threat groups really targeting? Were there any patterns that emerged in terms of either industry types or organizations being targeted?

Yeah, so just to be clear again, when we talk about APTs, advanced persistent threat groups, the groups themselves, they're targeting, these are usually the more sophisticated groups, of course. So going back to that theme, these are usually the premeditated targeted attacks, usually points to nation state. Sometimes, of course, there's overlap, they can be affiliated with cyber crime. Cyber crime groups are typically looking at some other targets for ROI. But there's a blend, right? So as an example, if we look at the APT groups last year, absolutely number one, I would say it would be healthcare.
Healthcare was one of those, and it's very unfortunate, but obviously with the shift that was happening and pop-up medical facilities, there's a big rush to change networks, for a good cause, of course. But with that came security holes and concerns and targets. And that's what we saw APT groups targeting, was going after those, and ransomware and the cyber crime trend followed as well, right? Because if you can follow those critical networks and cripple them, from a cyber criminal's point of view, you can expect them to pay the ransom because they think that they need to in order to get those systems back online. In fact, last year too, unfortunately, we saw the first death that was caused because of a denial of service attack in healthcare, right? Facilities weren't available because of a cyber attack. Patients had to be diverted and didn't make it on the way.

All right, Derek, I'm sufficiently bummed out. So maybe in the time remaining, we could talk about remediation strategies. You know, we know there's no silver bullet in security, but what approaches are you recommending for organizations? How are you consulting with folks?

Sure, yeah, so a couple of things. The good news is there's a lot that we can do about this, right? And basic measures go a long way. So a couple of things just to get out of the way, I call it housekeeping, cyber hygiene, but it's always worth reminding. So we talk about keeping security patches up to date. We always have to talk about that because that is reality. It's these vulnerabilities that are still being successful at five to six years old, in some cases the majority two years old. So being able to do that, manage that from an organization's point of view. Really treat the new work from home, I don't like to call it work from home because the reality is it's work from anywhere, a lot of the time for some people. So really treat that as a secure branch methodology.
Doing things like segmentation on networks, secure Wi-Fi access, multi-factor authentication is a huge must, right? So using multi-factor authentication, because passwords are dead, using things like XDR. So XDR is a combination of detection and response for endpoints. This is a centralized management thing, right? So endpoint detection and response, as an example. Those are all good security things. So of course having security inspection, that's what we do. So good threat intelligence baked into your security solution. That's the FortiGuard Labs angle. So that's antivirus, intrusion prevention, web filtering, sandboxing, so forth. But then it gets, that's the security stack. Beyond that it gets into the end user, right? Everybody has a responsibility. This is that supply chain we talked about. The supply chain is a target for attackers. Attackers have their own supply chain as well. And we're also part of that supply chain, right? The end users, we're constantly phished for social engineering. So using phishing campaigns against employees to better do training and awareness is always recommended too. So that's what we can do, obviously. That's what's recommended to secure the endpoints and the secure branch. There's things we're also doing in the industry to fight back against cyber crime as well.

Well, I want to actually talk about that and talk about ecosystems and collaboration, because while you have competitors, you all want the same thing. SecOps teams are like superheroes in my book. I mean, they're trying to save the world from the bad guys. And I remember I was talking to Robert Gates on theCUBE a couple of years ago, former Defense Secretary, and I said, yeah, but don't we have like the best security people? And can't we go on the offensive and weaponize it ourselves? Of course, there's examples of that. US government's pretty good at it, even though they won't admit it. But the answer to me was, yeah, we got to be careful because we have a lot more to lose
than many countries. So I thought that was pretty interesting. But how do you collaborate, whether it's the US government or other governments or other competitors even, or your ecosystem? Maybe you could talk about that a little bit.

Yeah, this is what makes me tick. I love working with industry. I've actually built programs for 15 years of collaboration in the industry. So we need, I always say we can't win this war alone. You actually hit on this point earlier. You talked about following and trying to disrupt the ROI of cyber criminals. Absolutely, that is our target, right? We're always looking at how we can disrupt their business model in order to, there's obviously a lot of different ways to do that, right? So a couple of things we do is resiliency. That's what we just talked about, increasing the security stack so that they go knocking on someone else's door. But beyond that, it comes down to private-private sector collaborations. So we co-founded the Cyber Threat Alliance in 2014, as an example. This was our fierce competitors coming in to work with us to share intelligence. Because like you said, we're competitors in the space, but we need to work together to fight the better fight. And so this is that Venn diagram: let's compare notes, let's team up when there's a breaking attack and make sure that we have the intelligence, so that we can still remain competitive on the technology stack integration, the solutions themselves. But let's level the playing field here, because cyber criminals move about, there's no borders, and they move with great agility. So that's one thing we do in the private-private sector. There's also public-private sector relationships, right? So we're working with Interpol, as an example, Interpol Project Gateway. And that's when we find attribution. So it's not just what are these people doing, like infrastructure, but who are they? Where are they operating? What advanced tools are they creating?
We've actually worked on cases that have led to warrants and arrests. In some cases, one case was a $60 million business email compromise fraud scam. The great news is, if you look at the industry as a whole, over the last three to four months there have been four takedowns. Emotet, Netwalker, there's also Egregor recently as well too. And Egregor, they're actually going in and arresting the affiliates. So not just the CEO or the kingpin of these organizations, but the people who are distributing their malware themselves. And that was an unprecedented step. Really important. So really, to paint a picture of this, again, it's a supply chain, this ecosystem of cyber criminals, and how we can hit them where it hurts on all angles. Most recently, I've been heavily involved with the World Economic Forum. So I'm co-author of a report from last year, the partnership on cyber crime. And this is really not just the private sector, but the private and public sector working together. We know a lot about cyber criminals. We can arrest them. We can take servers offline from data centers, but working together, we can have that whole, that holistic effect.

Great, thank you for that. Derek, what if people want to go deeper? I know you guys mentioned you do blogs, but are there other resources that they can tap?

Yeah, absolutely. So everything you can see is on our threat research blog, so the Fortinet blog, that's under threat research. We also put out playbooks, but we're doing, this is more for the heroes, as you call them, the security operations centers. We're doing playbooks on the adversary. So this is a playbook on the offense. What are they up to? How are they doing that? That's on FortiGuard.com. We also release threat signals there. So we typically release about 50 of those a year, and those are all our insights and views into specific attacks that are happening.
Well, Derek Manky, thanks so much for joining us today, and thanks for the work that you and your teams do, very important.

Great, thanks. Yeah, it's a pleasure. And rest assured, we will still be there 24/7, 365.

Good to know. And thank you for watching, everybody. This is Dave Vellante for theCUBE. We'll see you next time.