Lisa Martin: Welcome to this CUBE Conversation with Fortinet. I'm your host, Lisa Martin. Derek Manky is back. He's the Chief, Security Insights and Global Threat Alliances at Fortinet's FortiGuard Labs. Derek, welcome back to the program.

Derek Manky: Thank you, Lisa. Thanks for having me. It's great to speak with you.

Lisa Martin: Likewise, we've talked a lot this year. And of course, when I saw that you guys have predictions from FortiGuard Labs' Global Threat Intelligence and Research Team about the cyber threat landscape for 2022, I thought there's going to be a lot to talk about with Derek here. So let's go ahead and dig right in. First of all, one of the things that caught my attention was the title of the press release about the predictions that was just revealed. The press release says FortiGuard Labs predicts cyber attacks aimed at everything from crypto wallets to satellite internet. Nothing, there is no surface that is safe anymore. Talk to me about some of the key challenges that organizations in every industry are facing.

Derek Manky: Yeah, absolutely. So this is, as you said, you hit the key word there, surface, right? And that attack surface is open for attack. That's the attack surface that we talk about. It is literally being pushed out from the edge to space. A lot of these places that had no connection before, particularly in OT environments, off grid, we're talking about critical infrastructure, oil and gas as an example. There's a lot of these remote units that are living out there that relied on field engineers to go in and plug into them. They were air gapped. Those are the things now that are going to be accessible by LEOs, low earth orbit satellites. And there are 4,000 of those out there right now. It's going to be over 30,000. We're talking Starlink. We're talking at least four or five other competitors entering this space, no pun intended. And that's a big deal because it's a gateway. It opens the door for cyber criminals to be able to have accessibility to these networks. And so security has to come to mind there, right?

Lisa Martin: It absolutely does. We've got this fragmented perimeter, tools that are siloed, the very expanded attack surface, as you just mentioned, but some of the other targets, the 5G enabled edge, the core network, of course the home environment, where many of us still are.

Derek Manky: Yeah, yeah, definitely. So that home environment, like the edge, it is, it's the smart edge, right? So we have things called EATs, Edge Access Trojans. These are Trojans that will actually impact and infect edge devices. And if you think about these edge devices, we're talking things that have machine learning and automation built into them, a lot of privilege because they're actually processing commands and acting on those commands in a lot of cases, right? Everything from smart office, smart home, often even into the OT environment that we're talking about. And that is a juicy target for attackers, right? Because these devices naturally have more privilege. They have APIs and connectivity to a lot of these things where they can definitely do some serious damage and be used as these pivot points within the network from the edge, right? And that's a key point there.

Lisa Martin: Let's talk about the digital wallet that we all walk around with. We think it's so easy, we can do quick, simple transactions with Apple Wallet, Google SmartTap, Venmo, what have you. But that's another growing source of where we need to be concerned, right?

Derek Manky: Yeah, so I've worn my cybersecurity hat for over 20 years, and 10 years ago even, we were talking all about online banking Trojans. That was a big threat, right? Because a lot of financial institutions, they hadn't rolled out things like multi-factor authentication. It was fairly easy to get someone's bank credentials, go in, siphon funds out of an account. That's a lot harder nowadays. And so cyber criminals are shifting tactics to go after the low hanging fruit, which are these digital wallets and often cryptocurrency, right? We've actually seen this already in FortiGuard Labs. Some of this is already starting to happen right now. I expect this to happen a lot more in 2022 and beyond. And it's because these wallets hold a lot of value right now with the crypto, and they can be transferred easily without having to do things like EFTs and wire transfers and all those sorts of things that actually include a lot of paperwork from the financial institutions. And we saw something where they were actually hijacking these wallets, right? Just intercepting a copy and paste command, because it's a 54 character address. People aren't typing that in all the time. So when they're sending or receiving funds, what we've actually seen in malware today is they're taking that, intercepting it and replacing it with the attacker's wallet. Simple as that, bypassing all the authentication measures and so forth.

Lisa Martin: And is that happening for the rest of us that don't have crypto wallets? Is that happening for folks with Apple Wallets? And is that a growing threat concern that people need to be aware of?

Derek Manky: Absolutely, yes. So crypto wallets is the majority of what we're seeing. But yeah, no digital wallet is untouched here. Absolutely, these are all valid targets and we are starting to see activity in that, yeah.

Lisa Martin: I'm sure going after those stored credentials, that's probably low hanging fruit for the attackers.

Derek Manky: Absolutely, yeah.

Lisa Martin: Another thing that was interesting that the 2022 predictions threat landscape highlighted was the e-sports industry and the vulnerabilities there. Talk to me about that. That was something that I found surprising. I didn't realize it was a billion dollar revenue a year industry. A lot of money there.

Derek Manky: A lot of money, a lot of money. And these are full blown platforms that have been developed. This is a business. This isn't, again, going back to what we've seen and we still do see, the online gaming itself. We've seen Trojans written for that. Oftentimes it's just trying to get into end users' gaming accounts so that they can steal virtual equipment and currency, there were virtual currencies as well. So there was some monetization happening, but not on a grand scale. This is about a shift: attackers going after a business just like any organization, big business, right? To be able to hold that hostage effectively in terms of DDoS threats, in terms of new vulnerabilities, in terms of also crippling these systems with ransomware, like we've already seen in OT. This is just another big target, right? And if you think about it, these are live platforms that rely on low latency. So very quick connections. Anything that interrupts that, think about the Olympics, right? In a sports environment, it's a big deal to them. And it's a lot of revenue that could be lost, and cyber criminals fully realize this, and this is why we're predicting that eSports is going to be a big target moving forward.

Lisa Martin: Got it. And let's talk about what's going on with ransomware. When you and I spoke a few months ago, I think it was ransomware was up nearly 11X in the first half of calendar year 2021. What are you seeing from an evolution perspective in the actual ransomware actions themselves, as well as what the cyber criminals are evolving to?

Derek Manky: Yeah. So two words, aggressive, destructive. Not good words, right? But this is what we're seeing with ransomware now. Again, they're not just going after data as the currency. We're seeing destructive capabilities put into ransomware, including wiper malware. So this used to be just in the realm of APTs, nation state attacks. We saw that with Shamoon. We saw that with Dark Seoul back in 2013. So destructive threats, but in the world of APT and nation state. Now we're seeing this in cybercrime. We're seeing it with ransomware. And this, I expect to be a full blown tactic for cyber criminals simply because they have the threat, right? They've already leveraged a lot of extortion and double extortion schemes. We've talked about that. Now they're going to be onboarding this as a new threat, basically. I'm planting these time bombs, these ticking time bombs, holding systems for ransom and saying, and probably crippling a couple to show that they mean business, and saying unless you pay us within a day or two, we're going to take all of these systems offline. We're not just going to take them offline. We're going to destroy them, right? That's big incentive for people to pay up. So they're really playing on that fear element. That's what I mean about aggressive, right? They're going to be really shifting tactics there.

Lisa Martin: Aggressive and destructive are two things you don't want in a cybersecurity environment, or to be called by your employer. Just wanted to point that out. Talk to me a minute about wiper malware. Is this new, emerging, or is this something that's seeing a resurgence? Because this came up with the Olympics in the summer, right?

Derek Manky: Absolutely. So a resurgence in a sort of different way, right? So as I said, we have seen it before, but it's been not too prevalent. It's been a niche area for them, right? Specifically for these very highly targeted attacks. So yes, the Olympics. In fact, two times: the Olympics in Tokyo, but also in the last Summer Olympics as well. We also saw it, as I mentioned, in South Korea with Dark Seoul in 2013. We saw it in an OT environment, with Shamoon as an example. But we're talking handfuls here. Unfortunately, we have blogged about three of these in the last month to month and a half, right? And this is starting to be married with ransomware, which is particularly very dangerous. Because it's not just wiper malware, but coupling that with the ransom tactics. And that's what we're starting to see is this new, a resurgence, yes, but a completely new form that's taking place. Even to the point, I think, in the future that it could severely, right now what we're seeing is it's not too critical in a sense that it's not completely destroying the system. You can recover the system still. We're talking master boot records, those sorts of things. But in the future, I think they're going to be going after the firmware themselves, essentially turning some of these devices into paperweights. And that's going to be a very big problem.

Lisa Martin: Wow, that's a very scary thought, getting to the firmware and turning those devices into paperweights. One of the things also that the report talked about that was really interesting was more attacks against the supply chain, and Linux particularly. Talk to us about that. What did you find there? What does it mean? What's the threat for organizations?

Derek Manky: Yeah, so we're seeing a diversification in terms of the platforms that cyber criminals are going after. Again, it's that attack surface, lower hanging fruit in a sense, because, you know, for fully patched versions of Windows 10, Windows 11, it's harder, right? For cyber criminals than it was five or 10 years ago to get into those systems. If we look at just the prevalence, the amount of devices that are out there in IoT and OT environments, these are running on Linux, a lot of different flavors and forms of Linux. Therefore, there's different security goals that come up with that. And that's a big patch management issue as an example too. And so this is what we, you know, we've already seen it with the Mirai botnet. This is in our threat landscape report. Mirai was the number one threat that we saw. That's a Linux based botnet. Now Microsoft has rolled out something called WSL, which is the Windows Subsystem for Linux, in Windows 10 and Windows 11, meaning that Windows supports Linux now. So all the code that's being written for botnets, for malware, all that stuff is able to run on new Windows platforms effectively. So this is how they're trying to expand their attack surface. And that ultimately gets into the supply chain because, again, a lot of these devices in manufacturing and operational technology environments rely quite heavily actually on Linux.

Lisa Martin: Well, and with all the supply chain issues that we've been facing during the pandemic, how can organizations protect themselves against this?

Derek Manky: Yeah, so this is a big thing, right? We talked about also the weaponization of artificial intelligence, automation, all of these. There's a lot going on, as you know, right? From the threats, a lot to get visibility on, a lot to be able to act quickly on. And that's a big key metric there, is how quick you can detect these and respond to them. For that, you need good threat intelligence, of course, but you also truly need to enable automation, things like SD-WAN, a mesh architecture as well, having a security fabric that can actually integrate devices that talk to each other and can detect these threats and respond to them quickly. That's a very important piece because if you don't stop these attacks while they're in that movement through the attack chain, so the kill chain concept we talk about, the risk is very high nowadays. Everything we just talked about, from ransomware and destructive capabilities. So having those approaches is very important. Also having education and a workforce trained up is equally as important, to be aware of these threats.

Lisa Martin: I'm glad you brought up that education piece and the training. I know that's something that Fortinet is very dedicated to doing, but it also brings up the cybersecurity skills gap. I know when I talked with Ken Xie just a couple of months ago at the PGA tournament, he was talking about big investments in what Fortinet is doing to help reduce that gap, but the gap is still there. How do IT teams not get overloaded with the expanding surface? It seems like the surface is just, there is no limit anymore. So how do IT teams that are lean and small help themselves in the fact that the threat landscape is expanding, the criminals are getting smarter, they're using AI, intelligent automation. What do IT teams do?

Derek Manky: Fight fire with fire. You've got to use the same tools that they're using on their side. You need to be able to use them in your toolkit. We're talking about a security operations center perspective, to have tools like, again, this comes to the threat intelligence, to get visibility on these things. We're talking SIEM and SOAR. We have, you know, FortiAI out now, deception products, all these sorts of things. These are all tools that can help those people. So you don't have to, you know, hire 40 or 50 people in your SOC, right? It's more about how you can work together with the tools and technology to have escalation paths, to do more people, process, procedure, as we talked about, to be able to educate and train on those, to be able to have incident response planning. So what do you do when, because inevitably you're going to be targeted, probably in a ransomware attack. What do you do? Playing out those scenarios, doing breach and attack simulation, all of those things, that comes down to the skills gap. Still, it's a lot about that education and awareness, not having to do the stuff that can be handled by automation and AI. And training is, you're absolutely right. We've dedicated a lot with our NSE program at Fortinet. We also have our Fortinet Security Academy, you know, we're integrating with post-secondary education so we can have the skillsets ready for new graduates. So as an example, there's a lot of progress being made towards that. We've even created a new one powered by FortiGuard Labs. There is a FortiGuard Labs play in our NSE 7 as an example, which is for threat hunting and offensive security as an example, understanding really how attackers are launching their campaigns, and all of those things come together. But that's the good news actually, is that we've come a long way. We actually did our first machine learning and AI models over 10 years ago, at least, so this isn't something new to us. So the technology has come a long way. It's just a matter of how we can collaborate and obviously integrate with that for the skills gap.

Lisa Martin: And one more question on the actual threat landscape. Were there any industries that came up in particular? We talked about eSports, we talked about OT, but any industries that came up in particular as really big hotspots that companies and organizations really need to be aware of?

Derek Manky: Yeah, so also this is part of OT, but ICS, critical infrastructure. That's a big one, absolutely. We're seeing also cyber criminals offering more crime services now on the dark web. So CaaS, which is crime as a service, because it used to be, again, a very specialized area that maybe only a handful of criminal organizations could actually launch attacks and impact those targets. So they were going after those targets. Now they're offering services, right? To other up and coming cyber criminals to be able to try to monetize that as well. Again, we're seeing this, we actually call it advanced persistent cybercrime, APC, instead of an APT, because they're starting to take cybercrime to these targets like ICS, critical infrastructure. Healthcare as well is another one. Again, usually in the realm of the APT, but now being targeted more by cyber criminals and ransomware.

Lisa Martin: I've heard of ransomware as a service. Is that a subcategory of crime as a service?

Derek Manky: Absolutely, yep. There is phishing as a service, ransomware as a service, DDoS as a service, botnet as a service. Many of these subcategories, but ransomware as a service, that's another big problem as well because this is an affiliate model, right? They hire partners and pay them commission if they actually get payments of ransom, right? So they have literally a middle layer in this network that they're pushing out to scale their attacks.

Lisa Martin: And I think that's, the last time we talked about ransomware, we talked about, it's a matter of, and I talk to customers all the time who say, yes, it's a matter of when, not if. Is this the same sentiment, you think, for crime as a service in general, the attacks on eSports, on home networks, on internet satellites in space? Is this just a matter of when, not if, across the board?

Derek Manky: Oh yeah, absolutely. But the good news is it doesn't have to be, when it happens, it doesn't have to be a catastrophic situation. Again, that's the whole point about preparedness and planning and all the things I talked about, that filling the skills gap in education and having the proper tools in place, that all mitigates that risk, right? And that's perfectly acceptable, and that's the way we should handle this in the industry, because we process, we've talked about this before, over a hundred billion threats a day in FortiGuard Labs. The volume is just going to continue to grow. It's very noisy out there and there's a lot of automated threats, a lot of attempts knocking on organizations' doors and networks and phishing emails being sent out and all that. So it's something that we just need to be prepared for, just like you do for natural disaster planning and all these sorts of other things in the physical world.

Lisa Martin: That's a good point. We don't have to be aggressive and destructive, but last question for you, how is FortiGuard helping companies in every industry get aggressive and destructive against the threats?

Derek Manky: Yeah, great, great, great question. So this is something I'm very passionate about, as you know. We don't stop just with customer protection. Of course, that is, as a security vendor, that's our primary and foremost objective, is to protect and mitigate risk to the customers. That's how we're doing, this is why we have 24/7/365 operations at FortiGuard Labs, and we're helping to find the latest and greatest on threat intelligence and hunting, but we don't stop there. We're actually working in the industry. So we mentioned this before, the Cyber Threat Alliance, to collaborate and share intelligence on threats, all the way down to disrupting cybercrime. This is what a big target of ours is, how we can work together to disrupt cybercrime, because unfortunately they've made a lot of money, a lot of profits, and we need to reduce that. We need to send a message back and fight that aggressiveness. And we're on it, right? So we're working with Interpol, and Project Gateway with the World Economic Forum, the Partnership Against Cybercrime. It's a lot of initiatives with other, you know, the who's who of security in the industry, to work together and tackle this collaboratively. The good news is there's been some steps of success to that. There's a lot more we're doing to scale the efforts.

Lisa Martin: Excellent. Well, Derek, as always, a great and very informative conversation with you. I always look forward to these, seeing what's going on with the threat landscape, the challenges, the increasing challenges, but also the good news, the opportunities in it and what FortiGuard is doing. Fortinet, excuse me, I can't speak today, to help customers address that. And we always appreciate your insights and your time. We look forward to talking to you and unveiling the next predictions in 2022.

Derek Manky: All right, sounds good. Thanks, Lisa.

Lisa Martin: My pleasure. For Derek Manky, I'm Lisa Martin. You're watching this CUBE Conversation with Fortinet. Thanks for watching.