Welcome back everyone to theCUBE's live coverage of mWISE, the leading cybersecurity conference. I'm your host, Rebecca Knight, along with my co-host and analyst, Rob Strechay. We are joined by John Hultquist, chief analyst, Mandiant Intelligence, Google Cloud, and Selena Larson, senior threat intelligence analyst at Proofpoint. Welcome, John and Selena.

Thank you.

So you were on a panel earlier today, a keynote panel, and John, I have to tell you, your worries about the criminal use of zero-days were enough to give me shivers. So why have we been seeing more financial crime groups using zero-days?

Well, the biggest reason is there's a lot of good money in crime these days, right? So...

Crime pays.

Yeah, crime pays. I think very recently there was a disclosure of a $30 million ransom on one target. And if you look at the zero-days we've seen, the way that they work, they're all enabling access to dozens, hundreds of targets, and you can imagine the payout from that. Now, generally in the past, this was a state actor problem, right? When we talked about zero-days, we generally talked about APT or cyber espionage. But if you're making that kind of money, you actually have more buying power than the state, honestly.

Okay, so what changes have been implemented in the industry that are forcing these state actors, these threat actors, to use more advanced attacks like zero-days?

Well, I think we have had some success, and it's good news when they have to reach for a zero-day, right? Because that means that some of the other precautions and controls that we've put in place probably have had some success. And that actually means that there's probably a higher barrier to entry for a lot of actors, which is excellent. But there are a lot of controls that we have to consider. And the good news about this process is we're learning what those controls are the hard way, but we are learning about them.
Yeah, Selena, you used my favorite word, SBOMs.

Oh no.

I just, and I think we cover a lot of open source and a lot of open source technology. And I think part of it is looking at how you can inject things upfront. And we also see it coming in data as well. We've started with LLMs, but we'll park that for a minute. So why is it that the supply chain has become such a great place for them to go and really start their attacks?

Yeah, so that's a good question. I think there's a couple of reasons. Number one, which we mentioned on stage, is that a lot of these organizations, or the applications and services that are being compromised with the zero-day, for example, like MOVEit, GoAnywhere, things like that, are not necessarily widely known, but they're widely used. If you talk to kind of the average person in an enterprise, they might not even know that this is the type of software that's in their tech stack, right? So these kinds of lesser-known but widely used applications and services are a really, really interesting target because they provide, like John was saying, a lot of access, widespread access, and the awareness might not necessarily be at the top. And also, they might not even know the types of checks that are going on with their providers or their service providers, like, to your point, what open source software is being used in this equipment or in these services. And so it's really easy to kind of overlook it as an enterprise, right? There's so much focus, I think, from the APT world, if we're talking about zero-day, on Windows, on iOS, on zero-click exploits. But these kinds of off-the-reservation types of tools that people might not really know about can be very, very interesting. And like you're saying, they are enabling the supply chain, they're enabling file transfer, they're enabling sharing across various organizations.
And so they might not get enough scrutiny within the enterprise, but from threat actors, they do.

Right, and I think you and John, you even brought up the whole file transfer aspect of it. And I think to me, I mean, obviously, as people who use that quite a bit, when you start to look at it, that vector seems to make a lot of sense because, again, we were talking about insurance and hospitals, and they have a ton of data. And as they move to cloud, that seems like a logical attack vector.

I think so, and I think about lawyers a lot when I think about that, right? How do you get information to lawyers? Lawyers carry a ton of sensitive information. You know, one of the things we've seen through the years on the espionage side is that the third parties that we give our most sensitive data to are also targeted. And we have to really start thinking about where that data lies, not necessarily who controls it, whether or not it's even in our system. Because, frankly, if they can get it from your lawyer, they can still use it to extort you, right? And you're going to have to start thinking through a lot of that.

Funny enough, it's not that privileged once it's out and over, right? I mean, again.

One of the biggest takeaways that I got from the panel was hearing you talk about social engineering and just how much of it is almost psychological warfare, because they are using obsequiousness to gain your trust and make you feel good about yourself, that you're being asked all these questions. Can you talk a little bit about what you've seen and what really worries you when it comes to these social engineering attacks?

Yeah, absolutely. So I feel like there's different tiers of social engineering and stuff that we kind of really focus on, right?
So there's kind of what you would consider business email compromise, BEC: there's that sense of urgency, there's this "oh, I'm the CEO, I need this payment," or "we're changing our payments," and stuff like that. Then you kind of go up a level, and that's like pig butchering. And that's a bit of a romance scam. There's that social engineering kind of preying on your desire to feel wanted or be loved. And you see that originating on a lot of different platforms, whether it's WhatsApp or Tinder or LinkedIn. And those are financially motivated cyber criminals. I hate those types of activities. But then you go up a stage to the APT actors, right? And so then you have, for example, like we were talking about with North Korea, they're going after security researchers, they're going after academics, they're playing a long game. And what's really interesting is we're seeing this kind of shift across the threat landscape, largely driven by APT, but also we're seeing it in e-crime, where they'll start having benign conversations with people. They'll just reach out to you. They're not going to include a link to something bad. They're not going to include a malicious attachment. They're going to reach out to you and be like, "hey, I really like this paper you wrote. Do you have some time to talk to me about it?" And really building that trust with a target. I mean, they're playing the long game, right? Like North Korea, Iran, these actors can spend months really cultivating a relationship before sending an actual payload. And by that point, you're in a trusted conversation with them. And then that's when you have your guard down, and that's when you might click and install malware.

So when you have these criminals who are playing this long game and are really patient, I mean, how do you solve this problem? How do you solve a problem like North Korea? It sounds like The Sound of Music.

I mean, I know.
It's super tough, right? I mean, yeah, I think Maddie spoke about how we have to have more controls than just the person, right? Unfortunately, it's not enough to just expect the person to always, you know, make the right call, because it's really hard to do it. These are spies, right? They're not, you know.

They're good at what they do.

They're good at what they do. They're incentivized to do what they do. They'll spend a month, they've got the time, right? And they'll take their time. And you have to have other precautions in place. It's not enough to just expect somebody to always get it right.

Mm-hmm, yeah. Oh, sorry, go ahead.

Oh, no.

So I'll circle back to the zero-day thing. I used to run product for a software company. I had to deal with Log4j and numerous other ones. And when you start to look at it and say, hey, you know, I had a CISO ask me, a CISO/CIO of a hedge fund one day. I was in front of him and he goes to me, "how many bugs do you ship in your product every release?" And I go, "I don't know, 200, 300 bugs per release." And he goes to me, "wow, that's the most honest answer I've ever heard." Yeah, we get rid of the ones and the twos, and we have structure around the threes and the fours, and we do security rankings and all of that. But again, when you start to look at it and go, those aren't the zero-days that we're getting rid of. And so why is it, should we look at zero-days as just being normal going forward? Is this the new norm where we're going to hear a lot more about them?

I mean, it does depend on what kind of threat, your threat model, right? I think that's important. But I think if you're an enterprise and you have data that criminals might find interesting and you're using those technologies that they're preying on, I think, yeah, you should consider it the norm. And let's say you're using the file transfer software, you need to have controls anticipating a zero-day, right?
And I've had conversations with people and they're like, well, they didn't patch in time. There was no warning. They dropped on everybody's target, all these targets simultaneously. Nobody could have had that warning. So they all got popped at once. If you are, especially, say, in the defense sector or supporting the defense sector, I think you have a very heightened model, and you definitely need to be worried about zero-days. As you get away from those places where they traditionally target, you have a little bit of breathing room. But I think we find these adversaries in mysterious places all the time, right? And I think if you're an enterprise, you really need to at least work that into your model. What would happen if they can break through this one, like your perimeter? What's the next step of your plan?

Right. Well, yeah, and kind of taking a look at what has been recently exploited, what are the zero-days that are being used, both from an APT perspective, if APT is in your threat model, but also from a cyber crime perspective, taking a look at the types of software and services that are being exploited, maybe trying to do your own internal analysis, where you're ranking, prioritizing: what do we look at first? Where do we put all of our resources for doing an assessment on what happens if this gets exploited? And basically using historic activities, dare I say, intelligence, to kind of help you prioritize where you spend your time or you spend your money. And maybe, if you have the resources, to do your own pen testing, to do your own vulnerability research. And I think, yeah, it really depends again on your threat model. But making informed decisions within your own organization about where you're going to spend time based off of what we've seen historically in the landscape, like to John's point, FTP, that's, I mean, the file transfer stuff, we're seeing a lot of that.
So what file transfer software are you using within your own organization? And then kind of taking a step back and saying, what happens if? And then go from there.

There's a tremendous amount of value. I mean, there's a tremendous amount of activity post-zero-day, right? And people are struggling to patch in time. And there's only so many resources in the world. You can keep up with only so many zero-days. So I think you really have to take an intelligent triage approach to which one of these zero-days you're going to actually patch first, right? And that has a lot to do with what actor has access to them, how it's being used, how they're targeting. There was a big difference. You remember the Exchange vulnerability, for instance. That was a very unique situation where that vulnerability was massively valuable. It could get you right into, right downtown in a network where you wanted to be, right? And we knew to drop everything and patch this thing, right? Because the other thing is that we also knew that that adversary had ramped up, you know, scanning for this thing suddenly. We don't always have that level of intelligence, but there are lesser, less clear versions of that that we can actually use to make these decisions.

So, you both painted the landscape as one where the bad actors are highly incentivized, smart, patient, so it's scary. But what is giving you optimism right now? Is there anything that the defenders are doing particularly well, particularly compared with what they were doing even just a couple of years ago?

So, for me, the fact that cybercrime and ransomware actors even use zero-days is a case for optimism for me personally, because that has meant that all these threat actors have to use zero-days, because we're doing all these things right. So, earlier you mentioned, you know, what stuff in the threat landscape has really forced behavior change?
Well, Microsoft blocking macros by default made a huge shift. MFA everywhere means that, you know, password spraying and just getting in on exposed services isn't really the default anymore; it happens less and less. Because the baseline of cyber security is increasing, there are decisions that have been made by vendors, by organizations, to say, hey, you know, this low-hanging fruit, we're going to knock it out. So that really forces the adversaries to have to change their behavior. And the fact that they're having to use zero-day, they're having to spend resources either finding it or buying it, which is great news. And the stuff that they have relied on historically just isn't working anymore.

I think we want to force them to innovate, right? If we live in a world where they don't have to innovate and they can get away with this too easily, then we're not doing our jobs. But it's clear that they're being forced to innovate. And that's good to hear. What you want to hear is, here's a new threat factor, right? That's good news. That means a lot of other controls are starting to work.

Great. Well, John and Selena, thank you so much for coming on theCUBE.

Thank you. Thanks for having us.

I'm Rebecca Knight, for Rob Strechay. Stay tuned for more of theCUBE's live coverage of mWISE.