From theCUBE Studios in Palo Alto and Boston, connecting with thought leaders all around the world, this is a CUBE Conversation.

Everyone, welcome to this CUBE Conversation. I'm John Furrier, host of theCUBE, here in theCUBE's Palo Alto Studios. During the COVID crisis, we're quarantined with our crew, but we've got the remote interviews. Got two great guests here from Fortinet, FortiGuard Labs: Derek Manky, Chief, Security Insights and Global Threat Alliances at FortiGuard Labs, and Aamir Lakhani, who's the lead researcher at FortiGuard Labs. Guys, great to see you. Derek, good to see you again. Aamir, thank you for being with me too.

Hey, it's been a while, and it happens so fast. It just seems like our last one was just the other day.

Derek, we've done a couple of interviews in between. A lot of flow coming out of Fortinet, FortiGuard, a lot of action, certainly with COVID. Everyone's pulled back home. The bad actors are taking advantage of the situation. The surface area's increased. It really is the perfect storm for security in terms of action. Bad actors are at an all-time high. New threats are going on. Take us through what you guys are doing. What's your team makeup look like? What are some of the roles you guys are seeing on your team, and how does that transcend to the market?

Yeah, sure, absolutely. So you're right. I mean, like I was saying earlier, this always happens fast and furious. We couldn't do this without a world-class team at FortiGuard Labs. So we've grown our team now to over 235 globally. There's different roles within the team. If we look 20 years ago, the roles used to be just very pigeonholed into, say, antivirus analysis, right? But now we have to account for it. When we're looking at threats, we have to look at that growing attack surface. We have to look at where are these threats coming from? How frequently are they hitting? What verticals are they hitting? What regions? What are the particular techniques, tactics, procedures?
So we have threat... this is the world of threat intelligence, of course, contextualizing that information. And it takes different skill sets on the back end. And a lot of people don't really realize what's happening behind the scenes. And there's a lot of magic happening, not only from what we talked about before in our last conversation, from artificial intelligence and machine learning that we do at FortiGuard Labs and automation, but the people. And so today we want to focus on the people and talk about how on the back end we approach a particular threat. We're going to talk about the world of ransom and ransomware and look at how we dissect threats, how we correlate that, how we use tools in terms of threat hunting as an example, and then how we actually take that to that last mile and make it actionable so that customers are protected, how we share that information with key threat intel sharing partners. But again, it comes down to the people. We never have enough people in the industry. There's a big shortage, as we know, but it's a really key, critical element. And we've been building these training programs for over a decade with FortiGuard Labs. So this to me is exactly why I always say, and I'm sure Aamir can share this too, that there's never a dull day in the office. I know we hear that all the time, but I think today all the viewers will really get an idea of why that is, because it's very dynamic, and on the back end there's a lot of things that we're doing to get our hands dirty with this.

You know, the old expression in startup land, Silicon Valley, is if you're in the arena, that's where the action is, and it's different than sitting in the stands watching the game. You guys are certainly in that arena. And we've talked, and we cover your threat report that comes out frequently. But for the folks that aren't in the weeds on all the nuances of security, can you kind of give the 101 on ransomware? What's going on?
What's the state of the ransomware situation? Set the stage, because that still continues to be a threat. I don't go a week where I don't read a story about another ransomware, and then it leaks out, yeah, they paid 10 million in Bitcoin or something. Like, I mean, this is real. That's a real ongoing threat. What is it? I mean, Bitcoin's quite a bit, but yeah.

Yeah. So I'll give sort of the 101 and then maybe we can pass it to Aamir, who's on the front lines dealing with this every day. If we look at the world of... I mean, first of all, the concept of ransom, obviously with people, that has gone on way, way before cybersecurity, right? In the world of physical crime. So of course, the world's first ransomware virus is actually called PC Cyborg. This was in 1989. The ransom payment was demanded through a P.O. box from, I believe it was Panama City at the time. Not too effective, on floppy disks, very small audience, not a big attack surface. Didn't hear much about it for years. Really it was around 2010 we started to see ransomware becoming prolific. And what they did was, what cybercriminals did was shift over from a fake antivirus software model, which was popping up a whole bunch of... said your computer is infected with 50 or 60 viruses, pay us, we'll give you an antivirus solution, which was of course fake. People started catching on, the gig was up, people caught on to that. So they weren't making a lot of money selling this fraudulent software. Enter ransomware. And this is where ransomware really started to take hold, because it wasn't optional to pay for the software. It was mandatory, almost, for a lot of people, because they were losing their data. They couldn't reverse engineer the encryption. Couldn't decrypt it with any universal tool. Ransomware today is very rigid. We just released our threat report for the first half of 2020. And we've seen things like master boot record, MBR ransomware. This is persistent.
It sits before your operating system when you boot up your computer, so it's hard to get rid of. Very strong public-private key cryptography that's being used, so each victim is infected with different keys, as an example. The list goes on, and I'll save that for the demo today. But that's basically it. It's prolific. And we're seeing not only just ransomware attacks for data, we're now starting to see ransom for extortion, for targeted ransom cases that are going after critical business. Essentially it's like a DoS, holding revenue streams for ransom too. So the ransom demands are getting higher because of this as well, so it's complicated.

Yeah, and as I was mentioning, Aamir, I want you to weigh in. I mean, 10 million is a lot. We reported early in this month Garmin was the company that was hacked. IT got completely locked down. They paid 10 million. Garmin makes all those devices, and as we know, this is impact, and that's real numbers. So I mean, there's some other little ones, but for the most part, it's from a pain in the butt to full-on business disruption and extortion. Can you explain how it all works before we go to the demo?

You know, you're absolutely right. It is a big number, and a lot of organizations are willing to pay that number to get their data back. Essentially, their organization, their business, is at a complete standstill when they don't pay. All their files are inaccessible to them. Ransomware in general, what it does, from a very basic overview, is it basically makes your files not available to you. They're encrypted. They have essentially a passcode on them, and you have to have the correct passcode to decode them. A lot of times that's in the form of a program or actually a physical password you have to type in, but you don't get that access to get your files back unless you pay the ransom. A lot of corporations these days, they are not only paying the ransom, they're actually negotiating with the criminals as well.
They're trying to say, oh, you want 10 million, how about four million? Sometimes that goes on as well, but it's something that organizations know: if they don't have the proper backups, and the hackers are getting smart, they're trying to go after the backups as well. They're trying to go after your duplicate files. So sometimes you don't have a choice, and organizations will pay the ransom.

And it's, you know, they're smart. It's a business. They know the probability of buy versus build, or pay versus rebuild. So they kind of know where to attack. They know the tactics, they know who's vulnerable. It's not like just some script kiddie thing going on. This is real sophisticated stuff, and it's highly targeted. Can you talk about some use cases there, what goes on with that kind of attack?

Absolutely. The cybercriminals are doing reconnaissance. They're trying to find out as much as they can about their victims. And what happens is they're trying to make sure that they can motivate their victims in the fastest way possible to pay the ransom as well. So there's a lot of attacks going on. What we're usually finding now is ransomware is sometimes the last stage of an attack. So an attacker may go into an organization. They may already be taking data out of that organization. They may be stealing customer data, PII, which is personally identifiable information, such as social security numbers or driver's licenses or credit card information. Once they've done their entire attack, once they've gotten everything they can, a lot of times their end stage, their last attack, is ransomware, and they encrypt all the files on the system and try and motivate the victim to pay as fast as possible and as much as possible as well.

You know, it's interesting. I was talking to my buddy the other day. It's like casing the joint. They check it out. They do their reconnaissance.
They go in and identify what's the best move to make, how to extract the most out of the victim, in this case the target. And really, I mean, just to go on a tangent, you know, why don't we have the right to bear our own arms? Why can't we fight back? I mean, at the end of the day, Derek, this is like, who's protecting me? I mean, do I have to protect my own, build my own army, or does the government help us? I mean, at some point, I've got to have the right to bear my own arms here, right? I mean, this is the whole security paradigm.

Yeah, so, I mean, there's a couple of things, right? So first of all, this is exactly why we do a lot of it. I was mentioning the skill shortage in cybersecurity professionals as an example. This is why we do a lot of the heavy lifting on the back end, obviously, from a defensive standpoint. You obviously have the red team, blue team aspect. How do you first... you know, there's ways to fight back by being defensive as well, too. And also, you know, in the world of threat intelligence, one of the ways that we're fighting back is not necessarily by going and hacking the bad guys, because that's illegal in jurisdictions, right? But how we can actually find out who these people are, hit them where it hurts, freeze assets, go after money laundering networks, follow the cash transactions where it's happening. This is where we actually work with key law enforcement partners, such as Interpol as an example. This is the world of threat intelligence. This is why we're doing a lot of that intelligence work on the back end. So there's other ways to actually go on the offense without necessarily weaponizing it, per se, right? Like using, you know, bearing your own arms, as you said. There's different forms that people may not be aware of with that, and that actually gets into the world of, you know, if you see attacks happening on your system, how you can use security tools and collaborate with threat intelligence.

Yeah, I think that's the key.
I think the key is these new sharing technologies around collective intelligence is gonna be a great way to kind of have more of an offensive collective strike. But I think fortifying the defense is critical. I mean, there's no other way to do that.

Absolutely. I mean, you know, we say this almost every week, but it's in simplicity. Our goal is always to make it more expensive for the cybercriminals to operate. And there's many ways to do that, right? You can be a pain to them by having a very rigid, hardened defense. That means that if it's too much effort on their end... I mean, they have ROIs in their sense, right? If it's too much effort on their end, they're going to go knocking somewhere else. There's also, you know, as I said, things like disruption. So ripping infrastructure offline that cripples them. Yeah, it's whack-a-mole. They're going to set up somewhere else, but then also going after people themselves. Again, the cash networks, these sorts of things. So it's sort of a holistic approach between everything.

Hey, it's an arms race. Better AI, better cloud scale always helps. You know, it's a ratchet game. Okay, Aamir, I want to get into this video. It's a ransomware four-minute video. I'd like you to take us through, as you lead... you're the lead researcher. Take us through this video and explain what we're looking at. Let's roll the video.

All right, sure. So what we have here is we have the victim's desktop over here. We have a couple of things on this victim's desktop. We have a batch file, which is essentially going to run the ransomware. We have the payload, which is the code behind the ransomware. And then we have files in this folder, and this is where you would typically find user files. In a real-world case, this would be like your Microsoft Word documents or your PowerPoint presentations over here. We just have a couple of text files that we've set up. We're going to go ahead and run the ransomware.
And sometimes attackers, what they do is they disguise this, like they make it look like an important Word document. They make it look like something else, but once you run the ransomware, you usually get a ransom message. And in this case, the ransom message says your files are encrypted, please pay this money to this Bitcoin address. That obviously is not a real Bitcoin address. Usually they look a little more complicated, but this is our fake Bitcoin address. But you'll see that the files now are encrypted. You cannot access them. They've been changed. And unless you pay the ransom, you don't get the files. Now, as researchers, we see files like this all the time. We see ransomware all the time. So we use a variety of tools: internal tools, custom tools, as well as open source tools. And what you're seeing here is an open source tool. It's called the Cuckoo Sandbox. And it shows us the behavior of the ransomware, what exactly the ransomware is doing. In this case, you can see just clicking on that file launched a couple of different things. It launched basically a command executable, a PowerShell, it launched our Windows shell, and then it did things on the file. It basically had registry keys, it had network connections, it changed the disk. So this kind of gives us a behind-the-scenes look at all the processes that are happening in the ransomware. And just that one file itself, like I said, does multiple different things. Now, what we want to do as researchers, we want to categorize this ransomware into families. We want to try and determine the actors behind that. So we dump everything we know about the ransomware into these central databases, and then we mine these databases. What we're doing here is we're actually using another tool called Maltego, and we use custom tools as well as commercial and open source tools. But this is an open source and commercial tool.
But what we're doing is we're basically taking the ransomware and we're asking Maltego to look through our database and say, like, do you see any files, or do you see any types of incidents that have similar characteristics? Because what we want to do is we want to see the relationship between this one ransomware and anything else we may have in our system, because that helps us identify maybe where the ransomware is connecting to, where it's going, other processes that it may be doing. In this case, we can see multiple IP addresses that are connected to it. So we can possibly see multiple infections. We can block different external websites if we can identify a command and control system. We can categorize this to a family. And sometimes we can even categorize this to a threat actor that has claimed responsibility for it. So it's essentially visualizing all the connections and the relationships between one file and everything else we have in our database, in this example. Of course, I've put this in multiple ways. We can save these as reports, as PDF-type reports or usually HTML or other searchable data that we have back in our systems. And then the cool thing about this is this is available to all our products, all our researchers, all our specialty teams. So when we're researching botnets, when we're researching file-based attacks, when we're researching IP reputation, we have a lot of different IOCs, or indicators of compromise, that we can correlate where attacks go through and maybe even detect new types of attacks as well.

So the bottom line is you've got the tools, using a combination of open source and commercial products, to look at the patterns of all ransomware across your observation space. Is that right?

Exactly. I showed you, like, a very simple demo. It's not only open source and commercial, but a lot of it is our own custom-developed products as well.
And when we find something that works, that logic, that technique, we make sure it's built into our own products as well. So our own customers have the ability to detect the same type of threats that we're detecting as well. At FortiGuard Labs, the intelligence that we acquire, that product of intelligence, it's consumed directly by our products.

So take me through what's actually going on, what it means for the customer. So FortiGuard Labs, you're looking at all the ransomware, you're seeing the patterns. Are you guys proactively looking? Is it, you guys are researching? You look at something, it pops in the radar. I mean, take us through what goes on, and then how does that translate into a customer notification or impact?

So yeah, John, if you look at a typical life cycle of these attacks, there's always proactive and reactive. That's just the way it is in the industry, right? So of course, we try to be as proactive as possible. We look through some of the solutions we talked about before. And if you look at an incoming threat, first of all, you need visibility. You can't protect or analyze anything that you can't see. So you've got to get your hands on visibility. We call these IOCs, indicators of compromise. So this is usually something like an actual executable file, like the virus or the malware itself. It could be other things that are related to it, like websites that could be hosting the malware, as an example. So once we have that seed, we call it a seed, we can do threat hunting from there. So we can analyze that, right? If it's a piece of malware or a botnet, we can do analysis on that and discover more malicious things that this is doing. Then we go investigate those malicious things. And we really, you know, it's similar to the world of CSI, right? These different dots that they're connecting, we're doing that at hyperscale. And we use that through these tools that Aamir was talking about.
So it's really a life cycle of getting, you know, the malware incoming, seeing it first, analyzing it, and then doing action on that, right? So sort of a three-step process. And the action comes down to what Aamir was saying, waterfalling that to our customers so that they're protected. But then in tandem with that, we're also going further and sharing it, if applicable, to say law enforcement partners, other threat intel sharing partners too. And it's not just humans doing that, right? So the proactive piece, again, this is where it comes to artificial intelligence, machine learning. There's a lot of cases where we're automatically doing that analysis without humans. So we have AI systems that are analyzing and actually creating protection on their own too. So it's quite interesting that way. It's just, at the end of the day, you want to protect your customers.

And so this renders out, if I'm a Fortinet customer across the portfolio, the goal here is to protect them from ransomware, right? That's the end of the game.

Yeah, and that's a very important thing when you start talking these big dollar amounts that we were talking about earlier when it comes to the damages that are done from ransomware attacks.

Yeah, I mean, not only is it good insurance, it's just good to have that fortification. All right, so Derek, I've got to ask you about the term "the last mile," because before we came on camera... I'm a bandwidth junkie, I always want more bandwidth. So the last mile used to be a term for the last mile to the home, where there were telephone lines; now it's fiber and Wi-Fi. But what does that mean to you guys in security? Does that mean something specific?

Yeah, absolutely. The easiest way to describe that is actionable, right? So one of the challenges in the industry is we live in a very noisy industry when it comes to cybersecurity. What I mean by that is because of that growing attack surface, and you have these different attack vectors.
You have attacks not only coming in from email, but websites, from DoS attacks. There's a lot of volume that's just gonna continue to grow with the world of 5G and OT. So what ends up happening is when you look at a lot of security operations centers for customers, as an example, it's very noisy. You can guarantee almost every day you're gonna see some sort of probe, some sort of attack activity that's happening. And so what that means is you get a lot of detection events, a lot of logs. And when you have this worldwide shortage of security professionals, you don't have enough people to process those logs and actually start to say, hey, this looks like an attack, I'm gonna go investigate it and block it. So this is where the last mile comes in, because a lot of the times these logs, they light up like Christmas, right? I mean, there's a lot of events that are happening. How do you prioritize that? How do you automatically add action? Because the reality is, if it's just humans doing it, that last mile is often, going back to your bandwidth terms, there's too much latency, right? So how do you reduce that latency? That's where the automation, the AI, machine learning comes in to solve that last mile problem, to automatically add that protection. It's especially important because you have to be quicker than the attacker. It's an arms race, like you said, right?

I think what you guys do with FortiGuard Labs is super important, not only for the industry, but for society at large, as you have kind of all this shadow, cloak-and-dagger kind of attack systems, whether it's national security, international, or just for mafias and racketeering and the bad guys. Can you guys take a minute and explain the role of FortiGuard specifically and why you guys exist? I mean, obviously there's a commercial reason. You bolt onto Fortinet, that trickles down into the products, that's all good for the customers, I get that. But there's more to FortiGuard than just that.
Can you guys talk about this trend in the security business? Because it's very clear that there's a collective sharing culture developing rapidly for societal benefit. Can you take a minute to explain that?

Yeah, sure. I'll give my thoughts, and Aamir can add some color to that too. From my point of view, there's various functions. So we've just talked about that last mile problem. That's the commercial aspect we create through FortiGuard Labs, FortiGuard services that are dynamic and updated to security products, because you need intelligence products to be able to protect against intelligent attacks. That's just a defense. Again, going back to, how can we take that further? I mean, we're not law enforcement ourselves. We know a lot about the bad guys and the actors because of the intelligence work that we do. But we can't go in and prosecute. We can share knowledge and we can train prosecutors. This is a big challenge in the industry. A lot of prosecutors don't know how to take cybersecurity cases to court. And because of that, a lot of these cybercriminals reign free. And that's been a big challenge in the industry. So this has been close to my heart. Over 10 years, I've been building a lot of these key relationships between the private and public sector, as an example, but also private sector. Things like the Cyber Threat Alliance. We're a founding member of the Cyber Threat Alliance. We have over 28 members in that alliance. And it's about sharing intelligence to level that playing field, because attackers roam freely. What I mean by that is there's no jurisdictions for them. Cybercrime has no borders. They can do a million things wrong and they don't care. We do a million things right, one thing wrong, and it's a challenge. So there's this big collaboration that's a big part of FortiGuard. So what we exist to do is to make the industry better, to work on protocols and automation and really fight this together, while remaining competitors.
I mean, we have competitors out there, of course. And so it comes down to that last mile problem, John, is like we can share intelligence within the industry, but intelligence is just intelligence. How do you make it useful and actionable? That's where it comes down to technology integration.

Aamir, what's your take on this societal benefit? Because I've been saying since the Sony hack years ago that when you have nation states, if they put troops on our soil, the government would respond. But yet virtually they're here, and the private sector has to defend for themselves. There's no support. So I think this private-public partnership thing is very relevant. I think it's the ground zero of the future build-out of policy, because we pay for freedom. Why don't we have cyber freedom if we're going to run a business? Where's our help from the government? We pay taxes. So again, if a military showed up, you're not going to see companies fighting the foreign enemy, right? So again, this is a whole new changeover. What's your thought?

It really is. You have to remember that cyber attacks put everyone on an even playing field, right? I mean, you now don't have to have a country that has invested a lot in weapons development or nuclear weapons or anything like that, right? Anyone can basically come up to speed on cyber weapons as long as they have an internet connection. So it evens the playing field, which makes it dangerous, I guess, for our enemies. But absolutely, I think a lot of us, from a personal standpoint, a lot of us have seen, researchers have seen, organizations fail through cyber attacks. We've seen the frustration. We've seen, besides organizations, we've seen people, just like grandmas, lose their pictures of their loved ones because they've been attacked by ransomware. I think we take it very personally when innocent people get attacked, and we make it our mission to make sure we can do everything we can to protect them.
But I will add that, at least here in the US, the federal government actually has a lot of partnerships and a lot of programs to help organizations with cyber attacks. US-CERT is always continuously updating organizations about the latest attacks. InfraGard is another organization, run by the FBI, and a lot of companies like Fortinet and even a lot of other security companies participate in these organizations, so everyone can come up to speed and everyone can share information, so we all have a fighting chance.

It's a whole new wave of paradigm. You guys are on the cutting edge. Derek, always great to see you. Aamir, great to meet you remotely. Looking forward to meeting in person when the world comes back to normal. As usual, thanks for the great insights. Appreciate it.

All right, thanks, John. It's a pleasure, as always.

Okay, CUBE Conversation here. I'm John Furrier, host of theCUBE. Great insightful conversation around security, ransomware, with a great demo. Check it out from Derek and Aamir from FortiGuard Labs. I'm John Furrier. Thanks for watching.