From our studios, in the heart of Silicon Valley, Palo Alto, California, this is a CUBE Conversation. Welcome to the CUBE studios for another CUBE Conversation, where we go in-depth with thought leaders driving business outcomes with technology. I'm your host, Peter Burris.

Every enterprise that is trying to do digital transformation finds itself facing two challenges. One, their digital assets themselves are a source of value, and two, other assets that are sources of value are becoming increasingly digitized. And that creates a lot of challenges, a lot of security concerns that bad agents out on the internet are exploiting, and it requires a programmatic, fundamental response to try to ensure that the digital assets or digitized assets aren't mucked with by bad guys. So to have that conversation, we're here with Tony Giandomenico. Tony's a senior security strategist and researcher and a CTI lead at Fortinet. Tony, welcome back to theCUBE.

Hey, Peter, it's great to be here, man. So it's good to see you.

Yeah, well, we've been doing this for a couple of years now, Tony. And so let's just kick it off. What's new?

Ah, so what's new? Should we start talking a little bit about the index here, what we saw with the overall threat landscape?

Sure.

Cool, cool. So, you know, like we always do, we always like to start off with an overall threat landscape, at least to give an overview of what that index looks like. And it really consists of malware, botnets, and application exploits, and when we looked at it over the quarter, there was a lot of volatility throughout the quarter, but at the end of the day, it ended up only 1% higher than the quarter before. Now, some of that volatility really is being driven by what we've talked about a lot of times, Peter, in a lot of these other episodes, which is that swarm-like activity: whenever an actual vulnerability is successfully exploited by an adversary, everybody swarms in on that vulnerability.
In our FortiGuard Labs, you see that really, like, super spike up. A great example of that would be last year, in December: ThinkPHP, which is an application framework to rapidly develop web apps. They had a vulnerability that, if you successfully exploited it, would give you remote access or, I'm sorry, remote code execution, and they were exploiting that, and we definitely saw a huge uptick. Now, that wasn't the only one for the quarter, but that, along with some of the other ones, is really what's kind of driving that volume.

So the index has been around for a few quarters now, and it's a phenomenal way for folks out there to observe how overall trends are evolving. But as you said, one of the key things that's being discovered, or that you're discovering as you do this research, is this notion of swarming. It seems as though there ought to be a couple of reasons why that's the case, Tony. We've talked about this in the past. There are folks who want to get a little bit more creative in creating bad stuff, and there are other folks who just want to keep their costs low and just leverage what's out there. Which approach do the bad guys tend to use more, and is one or the other approach more targeted to one or another kind of attack?

Well, it's funny, you usually see the folks in the cybercrime ecosystem that are really focusing on identifying, not so much where they're doing more sort of targeted attacks. It's more of a, you know, spray and pray, you know, type of thing. And you see a lot of that, you know, anytime anyone can get into a life of cybercrime, right, and they'll leverage some of these common, you know, services; you have code reuse, you know, which is out there. So you have that sort of like group there, right?
And then you have more of the, you know, hands-on sort of keyboard, the more, you know, targeted attacks that are really focused on specific, you know, victims. So you have those, you know, those two groups, I would say. Now, with that though, there kind of is a commonality there where there's this concept, and it's nothing new, we've been talking about this for years in the cybersecurity industry: it's living off the land, right? Where once a victim is on the actual machine itself, they start leveraging some of the tools that are already available there. And usually these tools, they're administration tools to be able to administer the actual network. But these tools can also be used in nefarious ways. An example here would be, you know, PowerShell. You know, a lot of admins use PowerShell for efficiencies on the network. But that also can be used in nefarious ways, and the bad guys are using that. And then this past quarter, you know, we did see a lot of PowerShell activity. Now, you know, Peter, having said that though, I think as a whole, with the security community, we're getting better at being able to identify these types of PowerShell attacks. One, we've got better technology on the endpoint. And I think two, Microsoft has done a better job of being able to provide us more hardening capabilities for PowerShell, like being able to restrict access to PowerShell, as well as giving us better logging capability to be able to identify that malicious activity. So we are getting better. And the bad guys know this. So I think what we can probably look for in the future is them leveraging either a different interface or a different language. Because all they really need to do is interface with that .NET Framework, which is part of a Windows system, and they can start doing the same exact things they were doing with PowerShell.
And we're seeing that in the open source community now, things like SILENTTRINITY, the open source tool that allows you to do those same things. So if we're seeing it in open source, I can pretty much guarantee we're going to see it out there in the wild here soon.

So we've got a group of bad actors that are using this living-off-the-land approach to leverage technology that's out there. And we've still got kind of the big guys having to worry about being targeted, because that's how you make a lot of money if you're successful. But it certainly does sound as if a general business practice for a lot of these guys is to leverage common infrastructure, and that this common infrastructure is increasingly becoming better understood. Have I got that right?

No, no, Peter, you're spot on here. What we did, we did some exploratory research in this last quarter. And what we found out is, with the exploits within that quarter, or the actual threats, 60% of those threats are using the same infrastructure. What I mean by infrastructure, I mean things like infrastructure to download malware, or maybe to redirect you to some other site that then downloads malware. And that makes a lot of sense, Peter. You know why? Because in this cybercrime ecosystem, if you didn't realize this, it's a vicious, competitive market. Everybody is trying to sell their wares, and they want to make sure that their service is the best. It's better than someone else's. And they want to make sure that it's stable. So they find these community infrastructures that are tried and true. Some of them are from bulletproof hosting services, things of that nature. So you see a lot of the folks in the cybercrime ecosystem using them. Now on the flip side though, you definitely see some of the threat actors that are more sort of the advanced threat actors. Maybe what they want to do is hide a little bit. So they'll hide in that larger community to possibly be able to bypass that attribution back to them.
Because they don't want to be sort of labeled with, "Oh, hey, this particular threat actor always uses this infrastructure." So if they can blend in, it's a lot harder to find them.

So they can use what is available, but at the same time differentiate themselves in this bad actor ecosystem to take on even more challenging and potentially lucrative exploits. Now, Tony, if we know something about this common infrastructure, as you said, 60% of these attacks are using this common infrastructure, that suggests we can bring a common set of analysis frameworks to bear as we consider who these actors are and what their practices are. Have I got that right?

Yeah, yeah, absolutely. If you can align your playbook defenses with the offensive playbooks that the threat actors are using, the better off you're going to be, right? Because then you can combat them a lot better. And as a matter of fact, I mean, we've kind of introduced this sort of concept in conjunction with our partnership with the Cyber Threat Alliance. We're actually producing these threat actor playbooks. And the idea behind this is, if we can identify the malicious activity that threat actors are actually doing to complete their cyber mission, expose some of those tactics, those techniques, those procedures, we could possibly disrupt some of that malicious activity. And this past quarter here, we focused on a group, Peter, called the Silence Group. And they're really focused on identifying and stealing financial data. They're looking at banks, banking infrastructure, and ATM machines. And you'll get a kick out of this. With the ATM machines, they're doing something called jackpotting, where, if they can find the actual software behind the ATM machine, find that ATM process, they can inject a malicious DLL into that process, giving them total control over the ATM machine.
And now they can dispense money at will, and they can have these money mules on the other side receive that actual money. So, you know, we have a lot of different campaigns and playbooks that we've identified on our website. And once we understand that, we align that with our security fabric and ensure that our customers are protected against that particular playbook.

Tony, I'm not happy to hear that. So this is my distressed face that I use during these types of interviews. But if we're able to look at how bad-guy playbooks are operating, then we ought to be able to say, what are those fundamentals that a shop should be using, that security professionals should be using, that are just so basic and so consistent? And it seems that you guys have identified three: one, to do a better job of taking a fabric approach that starts to weave together all assets into a more common security framework; two, to do a better job of micro and macro segmentation so that you can identify where problems are; and finally, to increase your overall use of automation with AI and ML. How is this translating into your work with customers as they try to look at these playbooks and apply their own playbooks, or how they set up their response regimes?

Yeah, so I mean, I think overall, I think you kind of hit it on the head, Peter; you kind of nailed down really those kind of fundamental sort of concepts here. Now, you can identify and you can document as many playbooks as you want, but if you're not able to quickly respond when you identify those actual playbooks, that's really only half the battle. I mean, you need to be able to identify, one, not only when the threat actor's in your environment, but then also you need to be able to quickly take action.
And like you were saying, with that fabric, if we can have that actual fabric talking to the other controls within that fabric and taking some action, the better off you're going to be, because you can align your defenses there, and that's great. But you've got to make sure that all the controls within that fabric are all communicating together, they're working together, they're sharing information, and they're responding together.

Sure enough. Are you starting to advise customers, I'm curious, you're advising customers that even as they increase the capabilities of their fabric and how they handle their architectures from a micro-macro segmentation standpoint and increase their use of automation, are there things that they can do from a practice standpoint just to ensure that their responses are appropriate, fast, and accurate?

Yeah, sure, sure. I mean, I think a lot of the actual fabric, once you actually build that fabric, there are certain playbook responses that you can program into that fabric. And it'll also even go, I know we talked about fundamentals, but I'll even dive a little bit lower here. You have that fabric, but you also have to make sure you understand all the assets you have in your environment, because that information and that knowledge helps you with that macro and micro segmentation, because when you can isolate the different areas, if there is a certain area that gets infected, you can quickly turn the knobs to isolate that particular threat in that specific area, or that specific segmented area. And that is really going to allow you to fight through the attack, give you more time, and ultimately reduce the impact of that particular breach.

So Tony, we've got the summer months coming up. That means more vacations, which is just less activity, but then we've got summer interns coming in, which may involve additional clicking on things that shouldn't be clicked on. Any ideas what security pros should be thinking about in the summer months?
What do the trends show?

Well, I think we're going to continue to see the same type of threats that we've seen in the first quarter, but I would say there may be a slight sort of drop-off, right? We've got kids that are going to be out on vacation, so schools may not see as much activity. You've got folks who are going to be taking vacations, and at the end of the day, most of these exploits are client-side exploits, which means a lot of times you need somebody to do something on the actual computer, either clicking that link or clicking that attachment. And if they're not there to do that, they'll just sit there and you'll see less activity over time. So we might see a little reduction in volume, but I still think we'll see very similar types of threats in the coming months.

So a good time, or a good opportunity, for security pros to double down on putting in place new architecture practices and response regimes, so that when stuff kicks up in the fall, they're that much more prepared.

Absolutely.

Tony Giandomenico, Fortinet.

Great, you got it.

Once again, thanks very much for being on theCUBE.

Hey, Peter, it's always a pleasure being here, man. Hope to see you again soon.

You will. And once again, I'm Peter Burris. Until next time.