Live from New York City, it's theCUBE. Covering CyberConnect 2017. Brought to you by Centrify and the Institute for Critical Infrastructure Technologies. Hey, welcome back everyone. Live here with CUBE coverage in New York City. Our favorite place to be when we've got all the action going on. CyberConnect 2017 is an inaugural event where industry and government come together to solve the crisis of our generation in cybersecurity. I'm John Furrier, co-host of theCUBE. My partner, Dave Vellante here. Our next guest is Chris Novak, VTRAC Global Director, Threat Research Advisory Center at Verizon. Welcome to theCUBE, great to have you. Thanks, pleasure to be here. So you do all the homework, you got the forensic data, you're the one who looks at the threats, you get the burning bush of cyber intelligence. What's happening? Tell us what's the threat. Everything. So it's interesting because I always find what I do to be wildly exciting just because it's always changing, right? Everything we see, it's kind of like being a cop. You know, ultimately you're investigating unknowns all the time, trying to figure out how they happen, why they happen, who they happen to. But more importantly than that, how do you get ahead of it to prevent being the next one or prevent it happening to others? And that's really the thrust of what we're out to do. Talk about the challenges, because General Keith Alexander was on stage talking about like how he compared it to an airline crashing where they come in and look at for the black box and it's worse because you didn't even know what happened, who was involved, the notion of anonymous, public domain software is causing all kinds of democratization, good and bad, bad being actors that we don't even know attacking us. What is the landscape of how you identify what's going on? 
Yeah, and it gets even more challenging than that because I like that analogy and I'd say I'd almost take it one step further and say the analogy of the airline and looking for the black box, in many cases when we go in to do an investigation, we're just hoping that there was a black box to look at to begin with. In many cases we get there and there was no information and we're trying to take all the pieces and put it together of what's left and ultimately what we see is it keeps evolving, right? It keeps getting harder and the threat actors keep getting better. What I always tell folks is while many of us all have to play by a set of rules or regulations or compliance obligations, the threat actors don't have to do any of that. They're free to do whatever works for them and repeat it over and over again and for them it's a business. So Dave and I were talking earlier, I want to get your reaction to this about the importance of Stuxnet. Ars Technica has a report coming out that certificate authorities were compromised well before Stuxnet, but Stuxnet is the Pearl Harbor, cyber Pearl Harbor as a point in time. So much has happened since then. So from that kind of Pearl Harbor moment of the awakening of oh my God to today, what's the landscape look like? I mean and how important was the Stuxnet to that point in time now and how has it evolved? What's changed? I think a couple of key things that come out of that one is you start to see more and more attribution to government related attacks. Some are actively sponsored and known, some are we're just digging through the details and the weeds to try and figure out who's actually behind it and attribution may never actually take place. Or it could not be real because they want to blame their enemy so that they get attacked. Well and that's either beauty or downside of cyber is that you can conduct it in a vacuum in an anonymous fashion. 
So in many respects, you can conduct an attack remotely and try to give it all the hallmarks of someone else. Making it further difficult to attribute. And the tools are now available too. So like I hear reports that states are sponsoring or releasing in the public domain, awesome hacks like Stuxnet of the Future which some say was released and then got out of control by accident. And that's always something you have to be concerned about is the fact that once this stuff gets out there, even if you only intended to use this malware or attack vector once, once you use it on that victim, there's the potential that that spreads. What you guys have been doing this study for the last decade. Correct. So you've seen the shift from sort of hacktivist to nation sponsored malware. How, what has the research shown you over the last decade as that shift has occurred? Yeah, so I mean it's interesting because you look at it and a lot of what we still see today are financially motivated and interestingly enough opportunistic, what I say low hanging fruit kind of attacks, about 70 to 80% are fall in that category and about 20 to 25 depending on the year are nation state, but that keeps growing each year. And I think a lot of the nation state piece, but it's still the smaller piece of the pie or the graph, whatever you're looking at because at the end of the day, It's cash. It's cash. They want the cash. And so much of what we find when you look back at the old days of breaches where the majority of them were, they weren't even really breaches of theft of data. It was, you know, someone. Confetti. So I should have actually asked that question differently because it's really went from hacktivist to criminals. Correct. To nation states. Exactly right. And you're saying the dominant now is criminal activity. That's correct. Yeah, we find a large piece of it about more than half is organized crime. And it comes down to look, you can steal money in a variety of different ways. 
This is a way to do it safely from 1000 miles away. And no one knows who you are. On the other end of the keyboard. And by the way, no consequence. Who's going to, who do you go to? Exactly. So it's annoyance is the hacktivist. Okay, we can kind of live with that. It's cash. And it's threats to critical infrastructure. And we see kind of a graduation there where you see the activists realize, I can do this and make a point, but a point doesn't necessarily make me money. Or I can do this for an organized crime group and make millions of dollars. And by the way, to your point, we just were just teasing out, Dave, there is zero downside. Because if you get caught, what happens? If you get caught. If you get caught. Yeah. If you get caught, what happens? If you get caught? You don't make money. You don't make money. No, no. There's no courts. Oh, yeah. It's very hard to prosecute. There's actually no process for that. So we heard this morning that WannaCry and other sort of examples of malware really weren't about malware. I mean, sorry. They really weren't about ransomware. They were about sort of sending a message or politics. So you're obviously seeing more of that in your research. Exactly right. Fake news and I wonder if you could comment. Absolutely. In fact, it was interesting because as some of those had continued to come out, everyone kept thinking that it was all ransomware. And then as we studied it further, we found some of these, they never had the intention of collecting a ransom or giving the data back. It was all about making a political point. And you now have this kind of injection of politics into something that was really traditionally just organized crime, smash and grab, make cash. Now politics is feeding into that going, wait, we can affect and influence all sorts of things in ways people have never imagined and people don't even know what's going on. You must be seeing a dramatic improvement in the quality. 
I hate to say this, but the quality of malware over the last decade. Less bugs, less errors, more insidious, sophisticated. That's exactly right. We do see that continuing to improve. And for them, like I always tell folks, they operate it like a business. You'll have some of these groups where they'll have different divisions or departments. People will have clearly defined roles and responsibilities of what they're supposed to be doing and generating that malware, troubleshooting it and they'll even reward people for how well it works. Chris, I'd like to get your personal opinion, but you could put your Verizon hat on too. I will take any opinion that you have. What, how do we solve this? Because this event here, we like this inaugural event because it's the first industry event that talks about the big picture, the holistic view, the 20-mile stare, if you want to say it that way, not the Black Hat, which has its own conference and there should be more of that. This is industry coming together. The government is now intersecting here. What's your opinion on how this gets solved? Obviously, we heard community, share data, that's been going around. What do you think? So that's probably the hardest question I get asked. And honestly, I think it's because there's not really a simple answer to it, right? It's like saying, how do we stop crime? We don't. It's not going to be possible. It's a matter of how do we put up better defenses and also important, how do we put up better detection so that we can see things and potentially stop them sooner before they blow up into these big multi-hundred million record or billion record breaches. And so, one of the biggest things that I advocate is awareness. You know, we also have to do things like proactive threat hunting, right? If you're not out there, I say it's kind of like having security guards, right? 
You go through any office and you've got security guards walking the halls, sitting in the lobby, looking for things that are unusual. If we're not out there in the cyber realm looking for unusual things, you can't expect that you're going to see them until they've reached a certain blow up. Or they're cloaked, completely cloaked. You can't see them. And then you, that's also true. That's all security guys are looking for someone they can't see. That's true. Chris, thanks so much for coming and sharing the opinion. Follow the research and use the reports public or? Yes, the reports are all available on the VerizonEnterprise.com website. Okay, VerizonEnterprise.com. Check it out. These reports are a treasure trove of information. Always getting it out. Thanks for your perspective. Looking for some more trends. Chris Novak here inside theCUBE, here in New York City's live coverage of CyberConnect 2017. I'm John Furrier, Dave Vellante. We'll be back with more coverage after this short break.