Hi, I'm Peter Burris, and once again welcome to a Cube conversation from our beautiful studios here in Palo Alto, California. For the last few quarters, I've been lucky enough to speak with Tony Giandomenico, who's a senior security strategist and researcher at Fortinet, specifically in the FortiGuard Labs, about some of the recent trends that they've been encountering, and some of the significant, groundbreaking, industry-wide research we do on security threats and trends and vulnerabilities. And once again, Tony's here on theCUBE to talk about the second quarter report. Tony, welcome back to theCUBE.

Hey Peter, it's great to be here, man. You know, sorry, I actually couldn't be right there with you, though; I'm actually in Las Vegas for the Black Hat and DEF CON conferences this time. So, you know, I'm having a lot of fun here, but, you know, definitely missing being back in the studio.

Well, we'll get you next time, but it's good to have you down there because we need your help. So Tony, let's start with the obvious. Second quarter report, this is the Fortinet Threat Landscape Report. What were some of the key findings?

Yeah, so there's a lot of them, but I think some of the key ones were: one, you know, cryptojacking is actually moving into the IoT and media, you know, device space. Also, you know, we did an interesting, you know, report, that we'll talk about a little bit later, you know, within the actual threat report itself, that was really around the amount of vulnerabilities that are actually actively being exploited over that actual Q2 period. And then lastly, we did start to see the, you know, bad guys using agile development methodologies to quickly get updates into their malware code.

So let's take each of those in turn, because they're all three crucially important topics. Starting with crypto, starting with cryptojacking and the relationship between IoT. The world is awash in IoT. It's just an especially important domain.
It's going to have an enormous number of opportunities for businesses, and it's going to have an enormous impact on people's lives. So as these devices roll out, they get more connected through TCP/IP and related types of protocols, and they become a threat. What's happening?

Yeah, what we're seeing now is, I think, the, you know, the bad guys continue to experiment with this whole cryptojacking thing. And if you're not really, you know, for the audience who may not be familiar with cryptojacking, it's really the ability, it's malware that helps the bad guys mine for cryptocurrencies. And we're seeing that cryptojacking malware move into those IoT devices now, as well as those media devices. And, you know, you might be saying, well, are you really getting a lot of resources out of those IoT devices? Well, not necessarily, but, you know, like you mentioned, Peter, there's a lot of them out there, right? So the strength is in the numbers. So I think if they can get a lot of IoT devices, you know, compromised into an actual botnet, really the strength is in the numbers. And I think you can start to see a lot more of those CPU, you know, resources, you know, being leveraged across that entire botnet. Now, adding on to that, we did see some, you know, cryptojacking affecting some of those media devices as well. We have a lot of honeypots out there. You know, examples would be, say, you know, different types of, you know, smart TVs. A lot of these, you know, software sort of frameworks that they have, kind of plugins that you can download. And, you know, at the end of the day, these media devices are basically browsers. And what, you know, some folks will do is they'll kind of jailbreak this stuff and they'll go out there and maybe, for example, they want to be able to download the latest movie. They want to be able to, you know, stream that live; it may be a bootleg movie.
You know, however, when they go out there and download that stuff, often malware actually comes along for the ride, and we're seeing cryptojacking, you know, being kind of downloaded onto those media devices as well.

So the act of trying to skirt some of the limits that are placed in some of these devices often gives one of the bad guys an opportunity to piggyback on top of that file that's coming down. So, you know, don't break the law, period. And, you know, copyright does have a law, because when you do, you're likely to be encountering other people who are going to break the law, and that can be your problem.

Absolutely, absolutely. And then I think it also, you know, for folks who are actually starting to do that, you know, it really starts to, you know, we talk a lot about how, you know, segmentation, you know, segmenting your network and your corporate environment and things of that nature, but those same methodologies now have to apply at your home, right? Because at your home, off, you know, your home network, you're actually starting to build a fairly, you know, significant network. So kind of separating a lot of that stuff from your work environment, because everybody these days seems to be working, you know, remotely from time to time. So the last thing you want is to create a conduit for you to actually get malware on your machine that maybe you go and use for work resources. You don't want that malware then to end up in your environment.

So cryptojacking, exploiting IoT devices to dramatically expand the amount of processing power that could be applied to doing bad things. That leads to the second question.
There are, there's this kind of notion, it's true about data, but I presume it's also true about bad guys and the things that they're doing, that there's these, you know, millions and billions of files out there that are all bad, but your research has discovered that, yeah, there are a lot, but there are a few that are especially responsible for the bad things that are being done. What did you find out about the actual scope of vulnerabilities from a lot of these different options?

Yeah, so it's interesting is, I mean, we always play this, you know, and I think all the vendors talk about this: hey, you know, cyber hygiene, you got to patch, got to patch, got to patch. Well, that's easier said than done. And what organizations end up doing is actually trying to prioritize what vulnerabilities they really should be patching first, because they can't patch everything. So we did some, you know, we did an actual research where we took about 108,000-plus vulnerabilities that are actually publicly known. And we wanted to see which ones were actually actively being exploited over an actual kind of quarter. In this case, it was Q2 of this year. And we found out only 5.7% of those vulnerabilities were actively being exploited. So this is great information, I think, for the IT security professional: leverage these types of reports to see which particular vulnerabilities are actively being exploited, because the bad guys are going to look at the ones that are most effective and they're going to continue to use those. So prioritize your patching really based on these types of reports.

Yeah, but let's be clear about this, Tony, right? That 108,000, looking at 108,000 potential vulnerabilities, 5.7% is still 6,000 possible sources of vulnerability. So prioritize those, but that's not something that people are going to do in a manual way on their own, is it?

No, no, no, not at all.
So there's a lot of, I mean, there's a lot of stuff that goes into the automation of those vulnerabilities and things of that nature. And there's different types of, you know, methodologies that they can use. But at the end of the day, if you look at these types of reports and you can read some of the top 10 or some of the top 20 kind of exploits out there, you know, you can determine, hey, I should probably start patching those first. And even, you know, what we see, we see also this trend now of, once the malware is in there, it starts to spread laterally. Oftentimes, in worm-like spreading capabilities, it'll look for other vulnerabilities to exploit and move their malware into those systems laterally in the environment. So just even taking that information and saying, whoa, okay, so once the malware is in there, it's going to start leveraging X, Y, Z vulnerability. Let me make sure that those are actually patched first.

You know, Tony, the idea of cryptojacking IoT devices and utilizing some new approaches, new methods, new processes to take advantage of that capacity, the idea of a lateral movement of, you know, 5.7% of the potential vulnerabilities suggests that even the bad guys are starting to create a lot of new experience, new devices, new ways of doing things, finding what they've already learned about some of these vulnerabilities and extending them to different domains. It sounds like the bad guys themselves are starting to develop a fairly high degree of sophistication in the use of advanced application development methodologies, because at the end of the day, they're building apps too, aren't they?

Yeah, you know, absolutely, you know, it's funny. I always use this analogy, you know, from the good guys' side, you know, for us to have a good, strong security program, of course we need technology controls, but we need the expertise, right? So we need the people, and we also need the processes, right? So very good, streamlined sort of processes.
Same thing on the bad guys' side. And this is what we're starting to see is a lot more agile development methodologies that the bad guys are actually using. You know, prior to, well, I think it still happens, but, you know, earlier on, for the bad guys to be able to circumvent a lot of these security defenses, they were leveraging polymorphism, modifying those kind of malware fairly quickly, you know, to evade our defenses. Now, that still happens, and it's very effective still, but I think the industry as a whole is getting better. So the bad guys, I think, are starting to use better, more streamlined processes to update their malicious, you know, software, their malicious code, to then always try to stay one step ahead of the actual good guys.

You know, it's interesting, we did what we call a CrowdChat yesterday, which is an opportunity to bring our communities together and have a conversation about a crucial issue, and this particular one was about AI and the adoption of AI, and we asked the community, what domains are likely to see significant investment and attention? And a domain that was identified as number one was crypto, and a lot of us kind of stepped back and said, well, why is that? And we kind of concluded that one of the primary reasons is that the bad guys are as advanced and have an economic incentive to continue to drive the state of the art in bad application development, and that includes the use of AI and other types of technologies. So as you think about prices for getting access to these highly powerful systems, including cryptojacking, going down, the availability of services that allow us to exploit these technologies, the expansive use of data and the availability of data everywhere, suggests that we're in a pretty significant arms race for how we utilize these new technologies. What's on the horizon, do you think, over the course of the next few quarters? And what kinds of things do you anticipate that we're going to be talking about?
What headlines will we be reading about over the course of the next few quarters as this war game continues?

Yeah, well, I think a lot of it is, I mean, I think you touched upon it, AI, right? So using machine learning, and the industry and cyber, we are really excited about this type of technology. It's still immature, we still have a long way to go, but it's definitely helping at being able to quickly identify these types of malicious threats, but on the flip side, the bad guys are doing the same thing. They're leveraging that same artificial intelligence, that machine learning, to be able to modify their malware. So I think we'll continue to see more and more malware that might be AI sort of focused or AI sort of driven, but at the same time, we've been talking about this a little bit, this swarm type of technology where you have these larger kind of botnet infrastructures, and instead of the actual mission of the malware being very binary, and if the system, it's either yes or no, it does or it doesn't, and that's it. But I think we'll start to see a little bit more on what's the mission, and whatever that mission is, using artificial intelligence then to be able to determine, well, what do I need to do to be able to compete that, or complete that, mission? I think we'll see more of that type of stuff. So with that, though, on the good guy side, for the defenses, we need to continue to make sure that our technology controls are talking with each other and that they're making some automated decisions for us, because I'd rather get, as a security professional working in a SOC, I want an alert saying, hey, we detected a breach and I've actually quarantined this particular threat at these particular endpoints, or we've contained it in this area, rather than, hey, you got an alert, you got to figure out kind of what to do.

Minimize the actual impact of the breach, let me fight the attack a little longer, can it give me some more time?
False positives are not necessarily a bad thing when the risk is very high. All right.

Yeah, absolutely.

Tony Giandomenico, senior security strategist and researcher at Fortinet, the FortiGuard Labs. Enjoy Black Hat. Talk to you again.

Thanks, Peter, it's always good seeing you.

And once again, this is Peter Burris, a CUBE conversation from our Palo Alto studios. Until next time.