Welcome back everyone to theCUBE's live coverage of mWISE here in Washington, DC, the leading cybersecurity conference. I'm your host, Rebecca Knight, along with my co-host and analyst, Rob Strechay. We have with us, direct from the Netherlands, John Fokker, the head of threat intelligence at Trellix. Thank you so much for coming on the show tonight.

Thank you for inviting me.

Well, welcome to the Disco Tech.

Yes, it is. Yes, it's a party. People can't hear it, but it's like it's getting down.

So we want to talk about ransomware attacks, which are still the most prevalent kind of cyber threat and persistent cyber threat to organizations today. Can you describe for our viewers what the landscape looks like and how it's changed even from just a few years ago?

Oh, it's fascinating. I've been covering this space for many years, and when we look at some of the pivotal changes, we had ransomware as a service, where the people developing it were not the people spreading it. It started off as this almost nuisance. There was still encrypting, but corporations or larger organizations were like, oh, it's not a big deal, it's just one machine. And then it turned into, wait a second, we actually have access to one machine in the network. Can we work on exploitation of the complete network and get full access to that network and then have a stronger extortion position? And that went on and on. And what we saw is that the individuals that were affiliates, as we call them, who in the beginning were not as skilled, developed their skill; they got more skilled at doing things. And now it's basically: he who holds the access to the valuable network is in control.
And then there's a couple of things that really happened in recent years, like the war in Ukraine, with the response of, for instance, Conti, which was by then the largest ransomware-as-a-service group, that splintered off into different groups, where you had groups that are now only focusing on data extortion, groups focusing on full encryption, but it's become more scattered. And it's interesting to see. And it's still to be questioned at what level the foreign administration in Russia plays a role in targeting or in influence, but from the Conti leaks, what we researched, we could also establish that there is a certain type of relationship. To what extent, we don't know, but still it's interesting to see. And we see a clear shift towards more data extortion right now. MOVEit is a big example that we've seen recently, where organizations get hit in their managed file transfer systems and they get extorted for the sensitive data that they have, instead of locking up all the machines.

So again, you see hundreds and hundreds of these a year.

Yes.

Where are the main actors? Who are the groups that are coming after people right now? I know because I just, in my own little world, I had 16,000, I checked yesterday, I had 16,000 attempts to get into my home network.

Oh wow.

So I was blown away by just the volume that I see on a daily basis. And I can tell you where most of them are coming from, but I have a funny feeling they're the same places in the world and...

There's a difference between what system they use to attack you versus what the actual attribution is, where they're based out of. We do think that a majority of the financially motivated cyber criminals are operating from a former Soviet Union country. Can be Ukraine, Kazakhstan, Russia. So we do see that the majority of the larger groups are operating from that space.
However, in the last couple of weeks, we saw the attacks against the hotel industry, and it's believed to be Scattered Spider. And the opinions, not everybody's on the same page yet. I had some very interesting and lively discussions recently about, like, is it really that sophisticated? But the common belief is that within Scattered Spider, there's actually Western individuals, either from the US or the UK, that are doing this. Which is interesting, because then you have a collaboration between a historic Russian threat actor group versus somebody who speaks or is based out of the UK, in the Western world, or the US. But the majority of the larger groups that we see are predominantly from Russian-speaking countries.

So your team, as Rob said, you investigate hundreds of these a year. Have you noticed patterns? What are some of the identifiable stages and steps that you're seeing, and that organizations should be on the lookout for?

That's a great question. I think if we look across the board, historically ransomware was the final payload. It was the encryption that was the problem. So I think the industry, a lot of people, approached it from a, okay, I need to have my endpoint protection and I'm good. It's like, but it's the coup de grâce. When you look at a large organization, it takes work for that threat actor to go from that initial foothold all the way up to the full encryption. So your detection, and actually your protection opportunity, lies before that stage. It goes from having proper email security to having an EDR that can actually spot behavior. Because what these threat actors often do is they live off the land, they use common attack tools, but they often use stuff that's available to them on the systems in the network. So guess what? If that sysadmin is really comfortable with using PowerShell just to do their tasks, that threat actor will leverage PowerShell, but just for their own nefarious purpose.
And what we see is that a lot of organizations that are targeted are struggling with detecting what we call malicious behavior by non-malicious tooling. So the things that would not normally trigger a traditional AV, but do stand out because it's an anomaly: somebody would not perform that action with those tools at that given time. And that's where the new challenge lies for a lot of organizations, detecting that behavior. And it's not even taking into play, like, okay, they have multiple connectors to cloud, they have multiple platforms, they have multiple vendors. So tying all that together, it's like you need to have proper EDR, XDR and all these things together to have a really, really good chance to spot that behavior before you get that final payload.

Yeah, I was going to say, what should the people watching today be looking for in their environment? And what should they be paying attention to?

Well, great question. It's that anomalous behavior, things that will spot lateral movement, privilege escalation attempts, but it even goes to knowing your external attack surface and to the things that I heard in the keynote today, which was spot on. It's like, when we look at MOVEit, a lot of companies trust other SaaS applications to do their sensitive data transfers. Well, have you ever taken a good look at that application? Have you tested it? Just like we test our own network with red teams, do we test the products that we leverage? Do we know that they're secure? Isn't there a vulnerability in there? Cause, yeah, if there's a SQL injection vulnerability, it doesn't look too great. And we should, as every organization is, take a priority in trying to poke holes at all the systems that we rely on, that we trust, to make sure that we have a secure environment.

One of the things we've been remarking on is the sense of urgency of getting the private sector and the public sector to work together.
You and your team have been involved in several major takedowns this year. Can you tell our viewers a little bit about what it was like to work with law enforcement agencies and what that process entailed?

No, totally. My background lies in law enforcement and computer science. So it helps, you know, to speak the language. And if we want to make the world a safer place, we are dependent on each other. That's clear as day. A lot of major organizations, they trust the private sector to protect them. However, there are certain things that the public sector or law enforcement can do that we're not allowed to do or we cannot do. And that's good; that lies with them. And when these two things align, when our things align, we can actually make a difference. So it is interesting how that works. It's covered in secrecy and all these things. You can't talk about it. But often we inspect a piece of malware, or we look at a customer incident, or whatever it is, and we will find indicators that can lead to attribution, where we are like, hey, wait a second, this is actually a system that's based in this country and that's a friendly country, or, hey, we've been talking to this threat actor, we have an idea who they might be, or they're using a certain chat server that's in a certain country. Okay, we can talk to the law enforcement agency. So what we will do is we would have our talks with the law enforcement agency and we would exchange information and say, like, well, why don't we work together on this? Cause, for the longest time, it would be a one-way street. Very often you hear that, like, you are passing information and you didn't get anything back. But I think the tables are turning. So we are getting information back, and it works best, cause when they get some stuff back and we can actually look at our own dataset that we have as a global company, we can give them back even more information, and that will speed up the investigation.
And inevitably that leads to better attribution or better disruption of the threat actors.

Yeah, that makes total sense. And I wonder, is there anything unusual that you learn in doing these investigations with them, or anything insightful that you can pass along?

Yeah, maybe I've been in this business a little too long, but I'm still amazed when I look at, like, the private sector portrayal of a cyber criminal. It's always a hoodie, it's always that. I was like, no, no, no, these are million-dollar businesses. They have their own HR, they have every department, and they have to operate like a business. And it's funny, there's key success factors that will make a cyber criminal enterprise successful or not. It's like, they cannot do everything from A to Z themselves. They might when they start out, but they outsource stuff. It's like, I often draw an analogy with a pizza place. Like in the old days, the pizza place would have their own delivery, and they would make the pizza dough, and they have some person on payroll that would do the deliveries, and if there's no deliveries, they're just sitting there reading something and you'd still have to pay them. Well, fast forward, we have Uber Eats, Postmates and all those services, and they take that whole logistics, or the delivery, out of your hands, and our pizza parlor can focus on baking the best pizza pies. Similar with threat actors: when they start to grow, when they get to a certain maturity level, they want to outsource things that they're not comfortable with. So they look for other partners. So it is very much, it's very similar to a regular business, and they're entrepreneurial, they want to make money. So these are some of the things that, if you start off in this business and you look at, well, you watch a little bit too many Hollywood movies and series, yeah, you might be surprised that it's actually, there's a lot of corporate structure that you can recognize from it.
I want to talk to you about AI, because it is a huge topic at this conference. It's a huge part of our national dialogue, frankly. And today, Kevin Mandia was on the main stage talking about how it was the answer to the overwhelmed security team. He sounded very optimistic in talking about the potential of AI, and yet there are many people who are concerned about it: for all the good that it will do for the security folks, it's also helping the criminals. It's also helping that billion-dollar enterprise do their jobs better, too. What's your take? Where do you fall? What do you see the future holding?

Yeah, I think we've only scratched the surface. And mind you, it could be like three years ago it was Bitcoin and it was Web 3.0, and now it's AI, so there's always something new. But still, for this technology, I do see, relative to our industry, I do see there's things applicable to our industry that can really make a difference. If we talk about every SOC member being overwhelmed with alerts, having the trouble to correlate separate alerts or low-indicating signals, things that would not pop out, but tying those things together into a cohesive story, I think AI can really make a difference. When I talk to a lot of my ex-coworkers, my ex-colleagues from the past, but also our customers, and they're in SecOps, what they struggle with is articulating what it is that they're seeing to the board level. Well, large language models can play a role. If you can have all that threat data and you can say, well, okay, translate what it is that I'm seeing and the struggle I have into a message that actually will appeal to a board-level executive, you can make your case much better. So I see definite, definite changes in that field where we can unlock the full potential. But on the flip side, yeah, there's threat actors that are leveraging it for more crafty emails. The historic, okay, spot the spelling errors, that's no longer the case. It's going to be a little bit harder.
But at the same time, I'm also a bit realistic. And when I look at how threat actors often get in, they don't always have to leverage AI and go through all these hoops that we think they will do in order to get their objective. So in the military, they would say, it's a target-rich environment. We're still living in a target-rich environment. There's still some basic cyber hygiene, like credentials, external monitoring of your systems, vulnerability patching, all that stuff that needs to take place. And the threat actor doesn't even have to leverage AI to do so. They can just scan and they find a way in. So maybe when we fix that problem, we'll see some more crafty attacks. Mind you, we focus on AI a lot with LLMs, a lot of ChatGPT, and that's built on prior knowledge. So a lot of the malware examples that I've seen, that we've seen in the recent months, and actually the last year, it was built on stuff we already knew. It wasn't really groundbreaking. Where I do think for threat actors that it could help, and that's very similar to the team I run, is the learning curve. We use it, like the team that I run, we do malware analysis, we look at malware, there's some code. And normally the reverser has to look at the assembly code, and they really have to make sense of it. But now with an LLM plugin, they can actually translate a lot on the fly and get a bit of sense of it. Well, the same can go for a cyber criminal that is just early in their career, starting off, learning how to code, getting an interest. They can use AI or an LLM model to get a better understanding of the code and get a better, well, actually a steeper learning curve. They will learn faster how to code nefarious stuff.

Well, John, thank you so much for coming on theCUBE. This is a really interesting conversation.

Thank you so much. That's been great.

I'm Rebecca Knight, for Rob Strechay. Stay tuned for more of theCUBE's live coverage of mWISE.