theCUBE presents Ignite 22, brought to you by Palo Alto Networks.

Welcome back to Vegas, guys. We're happy that you're here. Lisa Martin here, covering with Dave Vellante, Palo Alto Networks Ignite 22. We're at MGM Grand. This is our first day, Dave, of two days of CUBE coverage. We've been having great conversations with the ecosystem, with Palo Alto executives, with partners. One of the things that they have is Unit 42. We're going to be talking with them next about cyber intelligence, and the threat data that they get is incredible.

Yeah, they have all the data. They know what's going on. And of course, things are changing. The state of play changes. Hold on a second. I got a text here. Oh, my Netflix account was frozen. Should I click on this link?

Yeah. What do you think? Have you had a little bit more of that this holiday season?

Definitely. Unbelievable, right? A lot of smishing going on. They're very clever.

Yeah, we're very pleased to welcome back one of our alumni to theCUBE. Wendy Whitmore is here, the SVP of Unit 42. Welcome back, Wendy. Great to have you.

Thanks, Lisa.

So Unit 42, created back in 2014. One of the things that I saw that you said in your keynote this morning, or today, was that everything old is still around and it's way more prolific than ever. What are some of the things that Unit 42 is seeing these days with respect to cyber threats, as the landscape has changed so much in the last two years alone?

You know, it has. So it's really interesting. I've been responding to these breaches for over two decades now, and I can tell you that there are a lot of new and novel techniques. I love that you already highlighted smishing right out of the opening gate, right? Because that is something that a year ago, no one knew what that word was. I mean, it's probably going to be invented this year, right? But that said, so many of the tactics that we have previously seen when it comes to just general espionage techniques, right?
Data exfiltration, intellectual property theft. Those are going on now more than ever. You're not hearing about them as much in the news because there are so many other things, right? We're under the landscape of a major war going on between Russia and Ukraine, of ransomware attacks occurring on a weekly basis. And so we keep hearing about those. But ultimately, these nation-state actors are using that top cover, if you will, as a great distraction. It's almost like a perfect storm for them to continue conducting so much cyber espionage work that we may not be feeling it today, but years down the road, the work that they're doing today is going to have a really significant impact.

Ransomware has become a household word in the last couple of years. I think even my mom knows what it is to some degree. But the threat actors are far more sophisticated than they've ever been. They're very motivated. They're very well-funded. I think I read a stat recently, in the last year, that there's a ransomware attack once every 11 seconds. And of course, we only hear about the big ones, but that is a concern that goes all the way up to the board.

Yeah, you know, we have a stat in our ransomware threat report that talks about how often victims are posted on leak sites. And I think it's once every seven minutes at this point that a new victim is posted, meaning a victim organization has had their data stolen and posted on some leak site in the attempt to be extorted. So that has become so common. One of the shifts that we've seen this year in particular, and in recent months, you know, a year ago when I was at Ignite, which was virtual, we talked about quadruple extortion, meaning four different ways that these ransomware actors would go out and try to make money from these attacks.
And what they're doing now is often going to just one, which is: I don't even want to bother with encrypting your data now, because that means that in order to get paid, I probably have to decrypt it, right? That's a lot of work, it's time consuming, it's kind of painstaking. And so what they've really looked to do now is do the extortion, where they simply steal the data and then threaten to post it on these leak sites, you know, release it to other parts of the web and go from there. And so that's really a blending of these techniques of traditional cyber espionage with intellectual property theft.

Wow. How trustworthy are those guys in terms of, I mean, these are hackers, right? In terms of, it's really the hacker honor system, isn't it? I mean, if you get compromised like that, you're really beholden to criminals. And so...

So that's one of the key reasons why having the threat intelligence is so important, right? Understanding which group you're dealing with and what their likelihood of paying out is. What's their modus operandi? It's become even more important now because these groups switch teams more frequently than NFL trades, you know, free agents during the regular season, right? Or players become free agents. And that's because their infrastructure, so the servers, the systems that they're using to conduct these attacks from, is actually largely being disrupted more by law enforcement and international intelligence agencies working together with public-private partnerships. So what they're doing is saying, okay, great, all that infrastructure that I just had is now burned, right? It's no longer effective. So then they'll disband a team and then they'll recruit a new team, and it's constant, like mixing and matching of players. All that said, even though that's highly dynamic, one of the other areas that they pride themselves on is customer service.
So, and I think it's interesting because, you know, when I said they're not wanting to do all the decryption, yeah, because that's painful, technical, slow work, but on the customer service side, they will create these customer service portals, immediately stand one up, say, you know, hey, it's like Amazon. You know, if you've ever had to return a package on Amazon, for example, and you need to click through and explain, hey, I didn't receive this package. A portal window pops up, you start talking to either a bot or a live agent on the backend. In this case, there are what appear to be very much humans who are explaining to you exactly what happened, what they're asking for, super pleasant, getting back within minutes with a response, and they know that in order for them to get paid, they need to have good customer service, because otherwise they're not going to, you know, have a business.

How, so what does the state of play look like between nation states and criminals, and how difficult or not so difficult is it for you to identify them? Do you have clear signatures? My understanding is that with SolarWinds it was a little harder, but maybe help us understand, and help our audience understand, what the state of play is right now.

One of the interesting things that I think is occurring, and I highlighted this this morning, is this idea of convergence. And so I'll break it down: one example relates to the type of malware or tools that these attackers use. So traditionally, if we looked at a nation-state actor like China or Russia, they were very, very specific and very strategic about the types of victims that they were going to go after when they had zero days. So, you know, new malware out there, new vulnerabilities that could be exploited only by them because the rest of the world didn't know about them. They might have one organization that they would target, at most a handful, and all very strategic for their objective.
They wanted to keep that a secret as long as possible. Now what we're seeing actually is those same attackers going towards, one, a much larger supply chain. So SolarWinds is a great example of that. The Hafnium attacks towards Microsoft Exchange Server last year, all great examples of that. But what they're also doing is, instead of using zero days as much, because those are expensive to build, they take a lot of time, a lot of funding, a lot of patience and research, what they're doing is using commercially available tools. And so there's a tool that our team identified earlier this year called Brute Ratel C4, or BRC4 for short. And that's a tool that we now know nation-state actors are using. But just two weeks ago, we investigated a ransomware attack where the ransomware actor was using that same piece of tooling. So to your point, yeah, it can get difficult for defenders when you're looking through and saying, well, wait, they're all using some of the same tools right now and some of the same approaches. When it comes to nation-states, that's great for them because they can blend into the noise and it makes it harder to identify them as quickly.

And is that an example of living off the land, or is BRC4 sort of a homegrown hacker tool? Is it commercial off the shelf?

So it was a tool that was actually, so you can purchase it. I believe it's about 2,500 US dollars for a license. It was actually created by a former red teamer from a couple of well-known companies in the industry who then decided, well, hey, I built this tool for work, I'm going to sell this. Well, great for red teamers that are legitimately doing good work, but not great now because they built a strong tool that has the ability to hide amongst a lot of protocols. It can actually hide within Slack and Teams to where you can't even see the data being exfiltrated. And so there's a lot of concern, and now the reality, that it gets into the wrong hands of nation-state actors and ransomware actors.
One of the really interesting things about that piece of malware is it has a setting where you can change the wallpaper. And I don't know if offhand you know what that means, but if that comes to mind, what would you do with it? Well, certainly a nation-state actor is never going to do something like that, right? But who likes to do that are ransomware actors, who can go in and change the background wallpaper on a desktop to say you've been hacked by XYZ organization and let you know what's going on. So pretty interesting. Obviously the developer is doing some work there for different parts of the nefarious community.

Tremendous amount of sophistication that's gone on in the last couple of years alone. I was just reading that Unit 42 is now a founding member of the Cyber Threat Alliance, which includes now more than 35 organizations. So you guys are getting a very broad picture of today's threat landscape. How can customers actually achieve cyber resilience? Is it achievable? And how do you help?

So I think it is achievable. So let me kind of parse out the question, right? So the Cyber Threat Alliance, the JCDC, the Cyber Safety Review Board, which I'm a member of, right? I think one of the really cool things about Palo Alto Networks is just our partnerships. So those are just a handful. We've got partnerships with over 200 organizations. We work closely with the Ukrainian CERT, for example, sharing information, incredible information about what's going on in the war, sharing technical details. We do that with Interpol on a daily basis, where we're sharing information. Just last week the Africa Cyber Surge operation was announced, where millions of nodes were taken down that were part of the larger system of C2 channels that attackers are using to conduct exploits and attacks throughout the world. So super exciting in that regard, and it's something that we're really passionate about at Palo Alto Networks. In terms of resilience, a few things.
One is visibility, so really having an understanding, in as close to real time as possible, right, of what's happening. And then it goes into how can we decrease operational impact? So that's everything from network segmentation to, one of the terms and phrases I like to use a lot is, the win is really increasing the time it takes for the attackers to get their work done and decreasing the amount of time it takes for the defenders to get their work done. I call it increasing the denominator, right? In the ROI equation, benefit over value equals, or benefit equals value over cost. If you can increase the cost, they go elsewhere, right? That's the game.

You mentioned Ukraine before. What have we learned from Ukraine? I remember I was talking to Robert Gates years ago, 2016 I think, and I was asking him, yeah, but don't we have the best cyber technology? Can't we attack? He said, we've got the most to lose too. So what have we learned from Ukraine?

Well, I think that's part of the key point there, right? A great offense essentially can also be, for us, a deterrent. So in that aspect, we have as a company, excuse me, as a country, as a company as well, but then as partners throughout all parts of the world, really focused on increasing the intelligence sharing, and specifically, and I mentioned the Ukrainian CERT, there are so many different agencies and other CERTs throughout the world that are doing everything they can to share information to help protect human life there. And so what we've really been concerned with is, what cyber warfare elements are going to be used there? Not only how does that impact Ukraine, but how does it potentially spread out to other parts of the world, critical infrastructure? So you've seen that, I mentioned CSRB, but CISA, right? CISA has done a tremendous job of continuously getting out information and doing everything they can to make sure that we are collaborating at a commercial level.
We are sharing information and intelligence more than ever before. So partners like Mandiant and CrowdStrike, our intel teams are working together on a daily basis to make sure that we're able to protect not only our clients, but certainly if we've got any information that's relevant, that we can share that as well. And I think if there's any silver lining to an otherwise very awful situation, I think the fact that it has accelerated intelligence sharing is really positive.

I was going to ask you about this, because 10 or so years ago, there was a lot of talk about that, but the industry kind of kept things to themselves, and actually tried to monetize some of that private data. So that's changing, is what I'm hearing from you.

More so than ever. I mentioned I've been in the field for 20 years. It's tough when you have a commercial business that relies on information in order to pay people's salaries, right? I think that has changed quite a lot. We see the benefit of just that continuous sharing. There are so many more walls broken down between these commercial competitors, but also the work on the public-private partnership side has really increased some of those relationships, made it easier. And I have to give a whole lot of credit and mention CISA, like the fact that during Log4j, they had GitHub repositories, they were using Slack, they were using Twitter. So the government has really started pushing forward with a lot of the newer leadership that's in place to say, hey, we're going to use tools and technology that work to share and disseminate information as quickly as we can, right? That's fantastic. That's helping everybody.

We knew that every industry, nobody's spared from this, but did you notice in the last couple of years any industries in particular that are more vulnerable? Like I think of healthcare with personal health information, or financial services. Do any industries kind of jump out as being more susceptible than others?
So I think those two are always going to be at the forefront, right? Financial services and healthcare. But what's been really top of mind is critical infrastructure, just making sure, right, that our water, our power, our fuel, so many other parts of, right, the ecosystem that go into making sure that, you know, we're keeping houses heated during the winter, for example, that people have fresh water. Those are extremely critical, and so that is really a massive area of focus for the industry right now.

Well, can I come back to public-private partnerships? My question relates to regulations, because public policy tends to be behind the technology industry, as an understatement. So when you take something like GDPR as the obvious example, but there are many, many others, data sovereignty, you can't move the data, is there tension between your desire, our desire as an industry to share data, and governments' desire to keep data private and restrict that data sharing? How is that playing out? How do you resolve that?

Well, I think there have been great strides, right, in each of those areas. So in terms of regulation when it comes to breaches, there has, you know, been a tendency in the past to do victim shaming, right? And for organizations to not want to come forward because they're concerned about the monetary fines, right? I think there's been tremendous acceleration. You're seeing that everywhere from the FBI, from CISA, to really working very closely with organizations to have a true impact. So one example would be a ransomware attack that occurred; this was for a client of ours within the United States. And we had a very close relationship with the FBI at that local field office and made a phone call. This was 7 a.m. Eastern time. And this was an organization that, had this breach gone public, would have made worldwide news. There would have been a very big impact because it would have taken a lot of their systems offline.
Within 30 minutes, that local FBI office was on site, said, we just saw this piece of malware last week. We have a decryptor for it from another organization who shared it with us. Here you go. And within 60 minutes, every system was back up and running; our teams were able to respond and get that disseminated quickly. So efforts like that, I think the government has made a tremendous amount of headway in improving relationships. Is there always going to be some tension between competing organizations? Sure, but I think that we're doing a whole lot to progress it.

But governments will make exceptions in that case, especially for something as critical as the example that you just gave, and be able to do a reach-around, if you will, on onerous regulations that aren't helpful in that situation, but certainly do a lot of good in terms of protecting privacy.

Well, and I think there used to be exceptions made typically only for national security elements, right? And now you're seeing that expanding much more so, which I think is also positive.

Last question for you as we wrap up here. What can organizations really do to stay ahead of the curve when it comes to threat actors? We've got internal, external threats. What can they really do to just be ahead of that curve? Is that possible?

Well, it is. Now, it's not an easy task. I'm not going to trivialize it, but I think that, one, having relationships with the right organizations in advance is always a good thing. That's everything from certainly commercial relationships, but also your peers, right? There are all kinds of fantastic industry-specific information sharing organizations. I think the biggest thing that has an impact is having education across your executive team and testing regularly, right? Having a plan in place, testing it, and it's not just the security pieces of it, right?
As security responders, we live these attacks every day, but it's making sure that your general counsel and your head of operations and your CEO know what to do, your board of directors, do they know what to do when they receive a phone call from Bloomberg, for example? Are they supposed to answer? Do your employees know that? Those kinds of communications in advance, and training, can be really critical and make or break the difference in an attack.

That's a great point about the testing, but also the communication, that it really needs to be company-wide. Everyone at every level needs to know how to react. Wendy, it's been so great having you on.

Wait, one last question.

Sure.

What's your favorite superhero growing up?

Ooh, it's got to be Wonder Woman.

Yeah. Yeah, okay. Yeah. So, because I'm always curious, not a lot of women in security, in cyber. How did you get into it? And many cyber pros want to save the world.

Yeah, no, that's a great question. So I joined the Air Force. You know, I was a special agent doing computer crime investigations, and that was a great job. And I learned about that from, we had an alumni day and all these alumni came in from the university, and they were in flight suits and combat gear. And there was one woman who had long, blonde, flowing hair and a black suit and high heels, and she was carrying a gun. What did she do? Because that's what I would do.

Ah, awesome. Love it. A Wonder Woman.

Exactly, Wonder Woman.

Wendy, it's been so great having you on the program. We will definitely be following Unit 42 and all the great stuff that you guys are doing. Keep up the good work.

Thanks so much, Lisa. Thank you.

Our pleasure. For our guest and Dave Vellante, I'm Lisa Martin, live in Las Vegas at MGM Grand for Palo Alto Ignite 22. You're watching theCUBE, the leader in live enterprise and emerging tech coverage.