From the CUBE studios in Palo Alto and Boston, connecting with thought leaders all around the world, this is a CUBE Conversation.

Stu Miniman: Hi, I'm Stu Miniman, and this is a special CUBE Conversation coming to us from our Boston area studio. We know that so much has changed in 2020 with the global pandemic on, with people working from home. Staying safe is super important, and that especially is true when it comes to the threats that are facing us. So really happy to welcome to the program Hardik Modi. We're gonna be talking about the NetScout Threat Intelligence Report for the first half of 2020. Hardik's the AVP of Engineering for Threat and Mitigation Products. Hardik, thanks so much for joining us.

Hardik Modi: Thanks Stu, it's great to be here. Thanks for having me.

Stu Miniman: All right, so first, set this up. NetScout does these threat reports on a pretty regular cadence. I have to think that the first half of 2020, which we'll dig into a little bit, is a little different, because I know everybody, when they had their plans at the beginning of 2020, by the time we got to March, we kind of shredded them and started over or made some serious adjustments. So why don't you introduce us to this and then we'll talk specifically about the first half of 2020 results.

Hardik Modi: Right, thanks Stu. So I'm here to speak about the fifth NetScout Threat Intelligence Report. So this is something that we do every six months in my team in particular, the NetScout Threat Intelligence Organization. We maintain visibility across the internet, and in particular like threat activity across the internet, and very specifically with a strengthened DDoS activity. And so there's a lot of data that we have collected. There's a lot of analysis that we conduct on a regular basis. And then every six months we try to roll this up into a report that gives you a view into everything that's happened across the landscape. So this is our report for the first half of the year. So through June 2020.
And yes, as we came into March 2020, everything changed. And in particular, when the pandemic kind of set upon us, countries, entire kind of continents went into lockdown. And we intuited that this would have an impact on the threat landscape. And this is, even as we've been reporting through it, this is our first real roll up and look at really everything that happened and everything that changed in the first half of 2020.

Stu Miniman: Yeah, it absolutely has such a huge impact. My background, Hardik, is in networking. You think about how much over the last decades we've built out those corporate networks, all the Wi-Fi environments, all the security put there. And all of a sudden, well, we had some people remote, now everybody is remote. And that has the ripple on corporate IT as well as those of us at home that have to do the home IT piece there. So why don't you give us a look inside the report? What are some of the main takeaways that the report had this time?

Hardik Modi: No, so you're right. The network became everything for us, and the network became how our students attended school, how we did our shopping, how we did certainly finance, and most definitely for a lot of us how we did work. And suddenly the network, which certainly was a driver for productivity and just business worldwide, suddenly became that much more central. And so we tend to look at the network both at the enterprise level, but then also a lot of what we get to see is at the service provider level. So what's happening on the big networks worldwide? And that's what we rolled up into this report. So a few things that I want to kind of highlight from the report. The first thing is there were a lot of DDoS attacks. So we recorded through our visibility 4.83 million DDoS attacks in the first six months of the year. That's almost 30,000 attacks a day. And it's not like we hear about 30,000 outages every day. Certainly aren't 30,000 outages every day.
But this is an ongoing onslaught for anybody who exists on the internet, and this didn't abate at all through the first half of the year. If you kind of go like just look at the numbers, it went up 15% for the same period year on year. But then as you enter into March, and in particular like the date when the WHO sort of announced the global pandemic, that's essentially the start that we marked. From that day onwards, the rise in attacks year on year for the same period a year ago is 25%. So that really just in sheer numbers, like a lot changed. And then as we go a level deeper and we look at like the nature of these attacks, a lot of that actually has evolved considerably over the past few years. And then in particular, like we're able to highlight a few stats in the first half of the year. And certainly like a lot of the drivers for this, the technical drivers are understood. And then there's just the human drivers for this, right? And we understand that a lot more people are at home. A lot more people are reliant on the internet. And just sad to say, but certainly also a lot more people aren't as engaged with school, with work, with society at large. And these tend to have knock-on effects across a lot of things that we do in life, but also in like cyber crime and in particular like in the DDoS space.

Stu Miniman: Yeah, maybe if you could for our audience, I think they're in general familiar with DDoS. It's typically when sites get overwhelmed with traffic, different from, say, everybody working at home is to be a little bit more cautious about phishing attacks. You're getting links in texts, links in email. Super important thing, please check this. Please don't click those links. Does this impact those workers at home? Or is it all the corporate IT and all the traffic going through those, that there's ways that they can stop, halt that or interfere, get sensitive data?

Hardik Modi: It's a really good point.
And in large parts, I mean, and like with a lot of other kind of cyber crime activity, this is primarily felt inside the enterprise. And so as far as companies are concerned and people who are using VPN and other kinds of remote access to get to critical resources, the key challenge here is the denial of availability. And so it's okay. So you're right. Let's take a step back. DDoS, distributed denial of service. This is typically when like a large polarity of devices are used to direct traffic towards a device on the internet. And we typically think of this as a site. And so maybe your favorite newspaper went down because of a DDoS attack, or you couldn't get to your bank or your retail e-commerce as a result of the DDoS attack. But this plays out in many different ways, including the inability for people to access work just because their VPN concentrators have been DDoSed. I think just coming back to the split between people who work for a company and the company themselves, I think ultimately it is a shared responsibility. There's some amount of best practices that employees can follow. I mean, a lot of this enforcement, and primarily ensuring that your services are running to expectation, as always is going to be the responsibility of the enterprise and something that enterprise security typically will want to cater for.

Stu Miniman: All right. And how are these attacks characterized? You said it was up significantly, 15% for the half year overall, 25% overall. Anything that differentiates big attacks, small attacks? Do we know how many of them actually freeze a site or pause how much activity is going on?

Hardik Modi: Right. So what I will say is that within just those numbers, and we're just simply just counting attacks, right? Even within those numbers, a key aspect that has changed is the rise in what we call multi-vector attacks. And so these are attacks in which you go back maybe five years, certainly like going back further.
Typically a DDoS attack would involve a single technique that was being used to cause damage. And then over time, as many techniques were developed and new vulnerable services are discovered on the internet, what we find is that occasionally there would be a combination of these vectors, as we call them, being used against the target. And so a big thing that has changed within the last two years is what we think of as the rise in multi-vector attacks. And what we're seeing is that attacks that involve even 15 separate vectors are up considerably, like over a thousand percent compared to the same time last year, and correspondingly attacks that involve a single vector are down in a really big way. And so we're just seeing a shift in the general like the techniques that are used within these attacks. And that has been considerable over certainly, same time 2019, but if you go back two years even, it would seem like a complete sea change.

Stu Miniman: What other key things, key learnings did you have from the survey this year that you can share?

Hardik Modi: Yeah, so one thing I want to highlight that we kind of, and I think it's been implicit in some of your questions, certainly in many conversations that I have, like what is the cost of these attacks? Like what is ultimately the impact of these attacks on society? And one of the ways in which we tend to think of the impact is in simply like outages, like any commerce site that does a certain amount of business every day, they can easily recognize that, all right, if I'm off for a day, for two days, for seven days, here's the impact on my business. So that tends to be understood at the individual enterprise level. Another cost that often is well recognized is like the cost of mitigating attacks.
And so now there's, whether it's the service provider, the enterprise themselves, other forms of business or other entities who will invest in mitigation techniques and capacity, like those costs tend to be kind of, what we have done, and thanks to our kind of really unique visibility into service provider networks worldwide, what we've been able to do is extract essentially what we call the DDoS attack coefficient. And this is, think of it as like, here's how much DDoS attack traffic is going on worldwide or across any set of networks at any given time. So if you had zero DDoS in the world, that number will be zero, but it most definitely is not. There's, we have represented numbers for different parts of the world. This can be many, many, many gigabits per second, many terabits per second. And essentially, there's even just a transit cost for carrying this traffic from one point to another. And that is actually like, what we call the DDoS attack coefficient. And that cost is something that I want to highlight is being borne by everyone. So this ultimately is what shows up in your internet bills, whether you're a residential subscriber, whether you're using your phone and paying for internet through your phone, or you're an enterprise, and now you have, you have network connections for your service providers. This ultimately, this is a cost that we're bearing as a society. This is the first time that we've actually conducted research like into this phenomenon, and I'm proud to say that we've captured this in, you know, a split across multiple geographies of the world.

Stu Miniman: Yeah, it's been a big challenge these days. The internet is a big place, and there's worry about fragmentation of the internet. There's worry that some of the countries out there, as well as some of the large multinational global companies out there, really are walling off their piece of the internet.
One thing I'm curious about, we talked about the impact of work from home and having a more distributed workforce. One of the other big mega trends we've been seeing even before 2020 is the growth of edge computing. You talk about the trillions of IoT devices that will be out there. Does DDoS play into this? You know, I just, this narrow runs through my mind. Okay, great, we've got all these vehicles running that have some telemetry. All of a sudden, if they can't get their telemetry, that's a big problem.

Hardik Modi: Yeah, so this is both the, you know, this is the devices themselves and the, you know, basically the impact that you could see from an attack on them. But more often what we see on the internet and the here and now is actually the use of these devices to attack other, like more established entities on the internet. So then, so for us now, for many years we've been talking about the use of IoT devices in attacks, and simply the fact that so many devices are being deployed that are physically, they're vulnerable from the get go, insecure at birth, essentially. And then deployed across the internet, you know, even if they were secure to start, they often don't have update mechanisms. And now, you know, they, you know, over a period of time new vulnerabilities are discovered in those devices and they're used to attack other devices. So in this report, we have talked about a particular family of malware called Mirai, and Mirai has been around since 2016, been used in many high profile attacks. And over time, there have been a number of variations to Mirai and, you know, we absolutely keep track of, you know, the growth in these variations and the kinds of devices that they attack, sorry, that they compromise and then use to attack other targets. We've also kind of gone into another malware family that has been, you know, talked about a little bit, called Lucifer.
And Lucifer was another, you know, I think originally more Microsoft Windows, so you're going to see it more on your classic kind of client and server kind of computing device. But over time, we've seen, we have reported on Linux variants of Lucifer that not only can be installed on Linux devices, but also have DDoS capabilities. So we're tracking like the emergence of new botnets. Still, like, Stu, going straight back to your question, you know, they are, you know, this is where IoT, you know, even for all the promise that it holds for us as society, you know, if we don't get this right, you know, there's a lot of pain in our future just coming from the use of these devices in attacks.

Stu Miniman: Well, I thought it was bad enough that we had an order of magnitude more surface area to defend against. I hadn't really thought about the fact that all of these devices might be turned into an attack vector back on what we're doing. All right, Hardik. So you need to give us some, the ray of hope here. We've got all of these threats out here. What, you know, how's the industry doing overall defending against this? What more can be done to stop these threats? What are some of the actions people, and especially enterprise tech, should be doing?

Hardik Modi: Yeah, and so I absolutely start with, you know, just awareness. Like, you know, this is why we publish the report. This is why we have resources like NetScout Cyber Threat Horizon that provides continuous visibility into attack activity worldwide. So it absolutely just starts with that. We're actually, you know, this is not necessarily a subject of the report because it's happened in the second half of the year. But there have been a wave of high-profile attacks associated with extortion attempts, you know, over the past month. And, you know, these attacks aren't necessarily complex. Like, you know, the techniques being used aren't novel.
You know, I think in many ways, like, you know, these are things that we would have considered maybe run of the mill, at least for us on the research side and the people who live this kind of stuff. But, you know, they have been successful. And, you know, a number of companies right now, a number of entities worldwide right now are kind of rethinking what they're doing, in particular DDoS protection. And for us, you know, our observation is that this happens every few years, where every few years there's essentially a reminder that DDoS is a threat domain. DDoS typically will involve an intelligent adversary on the other side, somebody who wants to cause you harm. You know, to defend against it, you know, there are plenty of well-known kind of techniques and like, you know, methodology. But that is something that, you know, enterprises, you know, all of us, governments, service providers, those of us on the research side have to kind of stay on top of, keep reminding ourselves of those best practices and use them. And, you know, I'll say that, again, for me, the ray of hope is that we haven't seen a new vector in the first six months of the year, even as we've seen a combination of other known vectors. And so for these, you know, just from that perspective, you know, there's, you know, these attacks, we should be able to defend the game. So that's essentially where I'll leave this, you know, in terms of like, you know, the hope for the future.

Stu Miniman: All right, Hardik, what final tips do you have? How do people get the report itself? And how do they keep up? Where do you point everyone to?

Hardik Modi: Yes, so the report itself is going to be, is live on the 29th of September 2020. It will be available at netscout.com slash threat report. I'll also point you to another resource, Cyber Threat Horizon, that gives you more continuous visibility into attack activity. And that's netscout.com slash horizon. And so these are the key resources that I leave you with.
Again, you know, this is, you know, there's plenty to be hopeful about. Like, you know, as I said, you know, there hasn't been a new vector that we've uncovered in the first six months of the year. This is as opposed to seven vectors in the year 2019. So, you know, that is something that, you know, certainly like gives me hope. And, you know, for the things that are, that we've talked about in the report, you know, we know how to defend against them. So, you know, this is something that I think with action we'll be able to live through just fine.

Stu Miniman: Well, Hardik, thanks so much for sharing the data, sharing the insight, pleasure catching up with you.

Hardik Modi: Okay, likewise too, thank you.

Stu Miniman: All right, be sure to check out thecube.net for all of the videos we have, including many of the upcoming events. I'm Stu Miniman and thank you for watching theCUBE.