Hi everybody, John Walls here, continuing our Cube conversations here, focusing on NetScout today and the growing problem of ransomware. Obviously, very much in the news these days with a couple of high profile cases. It is certainly an increasing challenge, but by no means a new phenomenon at all. With us to talk about this is Roland Dobbins, who is the principal engineer of NetScout's ASERT team. And Roland, good to see you today, sir. Thanks for joining us.

Good to see you as well.

And Richard Hummel, who is Threat Intelligence Research Lead for the ASERT team. And Richard, thank you for being with us as well here on the Cube.

Absolutely, John. Thanks for having us.

Yeah, let's just jump right in here. Ransomware, obviously, we're all well aware of a couple of high profile cases, as I alluded to. Let's talk about first the magnitude and scale of the problem as it currently exists. Roland, I'm going to let you just set the table for us here. Let's talk about ransomware, where it was maybe four or five years ago, and then the challenge it has become today.

Actually, John, if you don't mind, I'd really like to hand that one to my colleague Richard, because he really has an in-depth background there.

That's okay. Richard, jump in on that.

Absolutely, yeah. And so I'll handle all the ransomware stuff, namely because I've been doing this for going on seven years now of looking specifically at ransomware. I started this right around the time I joined iSIGHT Partners, a leading premier provider of threat intelligence, which was acquired by FireEye, and then Mandiant, and now even a conglomerate that just acquired Mandiant. So there's been a series of acquisitions here, but the reality is this threat intelligence has been pervasive across all of these, and you can see that over time, that value hasn't diminished, and you can see that by all of these acquisitions. That's a really good example to show how valuable this is because everybody wants it.
And the reality is, back then I started tracking ransomware, specifically looking at a lot of the CryptoLocker variants, things like CryptoWall and TorrentLocker and TeslaCrypt. And there's any number I could go on and on and on about, all these different variations and how ransomware came to be and what adversaries were using it for. But the reality is, ransomware has been around for a long, long time. And probably three or four years ago, there was this lull in time where people were like, hey, we've got these initiatives like nomoreransom.org, we've got the local law enforcement backing in a bunch of different countries. There's this big huge international effort to basically get rid of ransomware, and it's going to be a thing of the past. And we very clearly see that is not the case. And now with ransomware, you have an evolution over time. It used to be you would have different flavors of ransomware where sometimes it would encrypt your files first and then it would reach back to the command and control. Sometimes it would reach back first to get keys and then it would encrypt. Sometimes the encryption was breakable. Sometimes the keys were stored locally. But a lot of the more recent variants of ransomware are very well done. They're very sophisticated. They will encrypt your files and the keys themselves are held by the adversary. And so there's no way to just decrypt these. You can't create a decrypter like a lot of these security companies do. You would actually have to get that key from the adversary or you would have to restore your systems from a backup. And so the history of ransomware is very long and varied. And one of the core topics we want to discuss today is ransomware isn't by itself anymore. It used to be that ransomware was the name that incited fear, but these guys have evolved over time. And now ransomware operators are doing kind of this triple extortion where they will encrypt your files.
They've already gained access to that system. So then they will exfiltrate sensitive data and they will have that as kind of a hostage and say, look, you're going to pay us for this ransomware to decrypt your files to get those back. But oh, guess what? We also have your sensitive data that we're going to post online and sell in underground forums unless you pay us additional money. But now we even have a third stage here. And this is kind of where Roland's going to come in and talk about this: we have DDoS extortion that is surging. In fact, we did a survey of enterprises and internet service providers. And when we asked them what were their biggest concerns in 2020 and going into 2021 about threats, obviously ransomware was number one, but DDoS extortion was number two. And so you have this one-two bang that adversaries are using to be able to extort payment from victims. And this has been going on for a number of years with this kind of double extortion and now this triple extortion. In fact, going all the way back to the CryptoLocker days, you would have banking malware like Gameover Zeus where they would get on your system, they would do wire transfers from your bank accounts, they would steal files. And then as a last straw, they would deploy ransomware and encrypt all your files. And so not only did they steal all your money from the bank, now they're going to say, you've got to pay us to actually decrypt your files. So this idea of kind of a double tap has been going on for a long time. And more recently, around September of last year, we started to see this DDoS aspect as part of these operations. And so yeah, that's kind of the history of what we're dealing with here.

And DDoS, distributed denial of service, Roland, I'm going to let you pick up the ball at this point then. Now this evolution, if you will, the triple threat. First, you were talking about encryption and public exposure. And now this DDoS stage is a pillar of the malfeasance, if you will.
What kind of headaches is this causing in terms of, from an engineering perspective, from your side of the fence, when you're looking at what your clients are dealing with, when all of a sudden they have this entirely new plethora of challenges confronting them?

Sure. So DDoS goes back a long ways. It actually goes back to the late 80s in the early ARPANET. And then we started to see non-monetary DDoS extortion in the early 1990s. And we started to see monetary DDoS extortion that kicked off around 1997. So, as with any criminals, they are very, very adaptive. And so when new technologies come online and new ways that they can potentially exploit them for their gain, they will do so. In many cases, using old modalities simply transliterated into the new technology space. And that's what we see with DDoS extortion. DDoS attacks are attacks against availability. So the idea is to disrupt the access, genuine access to applications, services, servers, data, content, infrastructure, those different types of things. And DDoS attacks can be motivated by pretty much any motivation you can think of. But there is a hard core of DDoS extortionists that we've seen over the years. And as Richard indicated, what we started to see is a convergence between these sets of criminal specialties. And so a few years ago, we actually were disassembling a piece of ransomware. And it turned out that it had some very basic DDoS attack capabilities coded into it. It was obviously a prototype. It hadn't been finished. But this showed that these criminals in the ransomware space were thinking about getting into DDoS. And now they've developed this methodology where, like Richard said, number one, they encrypt the files. Number two, they'll threaten to leak information. And then they will DDoS the public facing infrastructure of the organizations to try and put additional pressure on them to pay.
And especially now during the pandemic, with this wholesale shift to remote work, the attackers for the first time have the ability not only to disrupt the online operations, which is bad enough, but they can actually interfere with the ordinary workday activities of the front-line workforce of organizations. And so this really makes it even more potent. And the ransomware itself is interesting as well because it uses exploits. It uses some social engineering along with technological exploits to exploit the confidentiality and integrity of data and to restrict that stuff, which actually turns into an attack against availability. So it's kind of really a different form of DDoS attack, and couple that with a real DDoS attack, and it can be very, very challenging. But one thing, John, that we've seen is that organizations, if they have prepared to deal with a DDoS attack, from an architectural perspective, from an operational perspective, if they have done the things they need to do to be able to maintain availability even in the face of attack, they're about 80% of where they need to be to be able to withstand a ransomware attack. Conversely, if organizations have been doing a good job in ensuring that their systems are secured, and if they do get hit somehow with ransomware, they have the ability to maintain operations and communications and recover, they're about 80% of where they need to be to be able to successfully withstand DDoS attacks. And so it turns out that even though these threats are major threats and they're something that organizations need to be aware of, the good news is that a lot of the planning and resources and organizational changes that need to be made to face these threats are in fact very similar.

Yeah, but of course, I mean, the challenge is it's hard work, right?
There's an enormous amount of preparation that has got to go into this, and pre-planning, pre-thought, and that's what NetScout is all about, obviously, trying to get people onto that journey and getting into this examination of their services and their networks and the fact that this can happen on multiple layers, right? It could be applications, it could be protocols, transport, network, whatever, just multiple ways that these DDoS attacks can occur. What kind of, I'd say, well, challenges again, does that present? The fact that there are many doors, right, that these attacks can happen from or where these attacks can come from. So how do you then talk to your client base about approaching this kind of examination and these prophylactic measures that you're suggesting that have to be done in order to minimize the damage?

It's really about business continuity. Now business continuity planning, what we used to call disaster recovery planning, right? It's something that organizations are very familiar with, it often has executive sponsorship and a lot of planning has gone into it. The thing is that DDoS attacks, which are attacks against availability, are in fact a man-made disaster, right? And they interrupt the continuity of business. Same thing with the ransomware, and so from an architectural standpoint, from the standpoint of rolling out new products and services, resiliency to attack and the ability to maintain availability and continue with operations in the face of attack is really, really key for any organization today which has any kind of significant online presence, and that's really just about all of them. And so from a planning standpoint, it's imperative; from an architectural standpoint, whether we're talking about things like network infrastructure or DNS or software applications, it's important; and from an operational standpoint.
So one of the things that we see, for example, is that many organizations don't really have a good communications plan. They don't have a good internal communications plan, nor do they have a good external communications plan for communicating during an event, and they don't even really have a plan for dealing with an event that is disruptive to business continuity and operations. And so that is really key. Technology is important, but the most important aspect of this is the human factor: understanding the business, understanding the types of risks to the business's ability to execute on its mission, and then doing the things from a technological perspective, from an operational perspective and from a communications perspective to maintain operations and communications throughout an event and to be able to emerge on the other side of that event successfully.

So Richard, you're in threat intelligence, right? Risk assessments. And as you said, you've been around this block for quite some time now. In terms of, I guess, getting people's attention, that has been accomplished now with obviously some of these high profile cases. But what about that kind of work that you're doing in terms of trying to communicate these very threats to your client base or to prospective clients, in terms of identifying their real vulnerabilities within their networks and then having them seriously address these? I mean, what's the difference maybe in the mindset now as opposed to where maybe that conversation was being had a few years ago?

I think the biggest difference here is a matter of when and not if. It used to be, you could say, oh, I'm never going to get hit by ransomware or I'm never going to get DDoS attacks, but that is no longer the case. Roland made a really good point that just about every single business in the world now relies on internet connectivity in order to operate their business.
If they don't have that, then they're not going to be able to connect with their consumers, their shoppers, if they're retail, right? If you're a bank, then you have to communicate with your individuals having accounts. And I mean, I have not gone to a physical bank in probably six years. And so that just underscores how important it is to have this internet connectivity. Now, with that comes risk. Not only do you risk the DDoS attacks because you're publicly exposed and an adversary can actually find your internet space by doing some forensics such as network scanning, being able to walk that back, look at passive DNS, look at historical records, use things like Shodan to figure out what kind of devices you're running. So there's any number of ways that you can do that. But at the same time, you're also exposing yourself to these ransomware operators and really any kind of crimeware operator out there because they're going to exploit you over the internet. We actually did a case study probably two years ago, looking at brute forcing on networks and looking at exploitation attempts to figure out, like, what is the delta? If you have an online internet presence, are you going to get attacked? And the answer was very shocking to us. Yes, you're going to get attacked. And also it's going to be in less than five minutes from the time a brand new IoT device goes online to the time it starts getting brute force attacked. And within 24 hours, you're going to get exploitation attempts from known vulnerabilities on devices that haven't been patched and things like that. And so the reality is, it's not if you're going to get attacked, it's when. And so understanding that that is the nature of the threat landscape right now and having this kind of security awareness. Actually, another good point that Roland just brought up was that human element. That human element is kind of the linchpin for any security organization.
And as part of my master's, I had written a dissertation about it, and I named it as such, my professor didn't really care for this, but I said, the humans are the weakest link. Because in any security posture that is essentially true. If you don't have the expertise on a team, you're not going to be able to get things configured properly. If you don't have the expertise, you're not going to be able to respond properly. If you have individuals that aren't concerned about security, now you're going to have a bunch of gaps. Not only that, social engineering is still the number one method that adversaries use to get into organizations, and that manipulates the human element. And so having this security awareness, and what we do here on this Cube interview, the threat reports we publish, the blogs that we do, all the threat summaries, all of that goes hand in hand with educating the general public and having security awareness pushed out as much as possible to every single person we can. And that's really the key, this preparation, this awareness of what adversaries are doing in order to defend against them.

So Roland, in your mind, and you've already walked us through a little bit of this about certain steps and measures you think that could be taken, safeguards basically, that everybody should have in place. What is the optimal scenario from an engineering perspective in terms of trying to prevent these kinds of intrusions, these kinds of attacks, in terms of what are those basic pieces, these fundamental pieces, as you see it now, understanding, as Richard just told us, that it's a matter of not if, but when.
Right, so availability, redundancy, these have to be core architectural principles, whether we're talking about network infrastructure, whether we're talking about important ancillary supporting services like DNS, in terms of personnel, in terms of remote access. All of these different elements and many, many more have to be designed in from the outset, across all the services and applications, whether they're used internally, whether they are part of service delivery that an organization is doing across the internet publicly. There has to be redundancy and resiliency, there has to be a defense plan in order to defend these assets and these organizations against attack, whether it's a DDoS attack, or whether it's a containment plan to deal with ransomware that potentially gets let loose inside the enterprise network. There has to be a plan to contain it and deal with it and restore from backup. These plans have to be continuously updated because IT is not static. There are always moves and adds and changes as organizations provision new services, offer new products, move into new markets and new subspecializations, and so the plans have to be consistently updated and they have to be rehearsed. You can't have a plan that just exists as pixels on a phosphor somewhere. The plan has to be executed, because inevitably you're going to find that there's some scenario, some service or application or operational process that needs to be updated or that needs to be included in the plan, and this has to be done regularly. Another key point is that you have to have people who are very skilled and who have both depth and breadth of understanding, and either you bring those people into your organization or you reach out and get that expertise from organizations who do in fact have that kind of expertise on tap and available.

You both certainly exhibit the depth and the breadth to fight this issue.
I certainly appreciate the time, the insights, and the warning is quite clear: be prepared, do the hard work up front. It could save you a lot of headache on the back side, and it is a matter of when and not if these days. Richard, Roland, thanks for being with us here on the Cube.

Thank you so much. It's a pleasure.

All right, talking about the triple threat of extortion, cyber extortion these days and DDoS, the distributed denial of service, and the growing problem it is, but there is a way that you can combat it, and you just learned about that via NetScout here on the Cube.