We're back at the Aria Las Vegas. We're covering CrowdStrike's Fal.Con 22, the first one since 2019. Dave Vellante and Dave Nicholson on theCUBE. Adam Meyers is here as the Senior Vice President of Intelligence at CrowdStrike. Adam, thanks for coming on theCUBE.

Thanks for having me.

Interesting times, isn't it? You're very welcome. Senior Vice President of Intelligence, tell us what your role is.

So I run all of our intelligence offerings, all of our analysts. We have a couple hundred analysts that work at CrowdStrike tracking threat actors. There's 185 threat actors that we track today. We're constantly adding more of them. And it requires us to really have that visibility and understand how they operate so that we can inform our other products, our XDR, our cloud workload protections, and really integrate all this around the threat actor.

So it's that threat hunting capability that CrowdStrike has, that's what you're sort of...

Well, so think of it this way. When we launched the company 11 years ago yesterday, what we wanted to do is to tell customers, to tell people that, well, you don't have a malware problem. You have an adversary problem. There are humans that are out there conducting these attacks. And if you know who they are, what they're up to, how they operate, then you're better positioned to defend against them. And so that's really at the core what CrowdStrike started with. And all of our products are powered by intelligence. All of our services, OverWatch and Falcon Complete, are all powered by intelligence because we want to know who the threat actors are and what they're doing so we can stop them.

So for instance, like, you can stop known malware. A lot of companies can stop known malware. But you also can stop unknown malware. And I infer that the intelligence is part of that equation, is that right?

Absolutely, that's the outcome. That's the output of the intelligence.
But I could also tell you who these threat actors are or where they're operating out of. Show you pictures of some of them.

That's the threat intelligence.

We are tracking down to the individual persona, in many cases, these various threats, whether they be Chinese nation-state, Russian threat actors, Iran, North Korea. We track, as I said, quite a few of these threats. And over time, we develop a really robust, deep knowledge about who they are and how they operate.

Okay, and we're going to get into some of that, the big four in cyber. But before we do, I want to ask you about the e-crime index stats, the ECX, you guys call it. Inside joke for all you nerds out there, maybe you could explain that out of it. You want to assemble a humor? Yeah, right, right. So, but what is that index, you guys? How often do you publish it? What are you learning from that?

Yeah, so it was modeled off of the Dow Jones Industrial Average. So if you look at the Dow Jones, it's a composite index that was started in the late 1800s. And they took a couple of different companies that were the industrial component of the economy back then, right? Textiles and railroads and coal and steel and things like that. And they used that to approximate the overall health of the economy. So if you take these different stocks together, swizzle them together and figure out some sort of number, you could say, look, it's up, the economy's doing good. It's down, not doing so good. So after World War II, everybody was exuberant and positive about the end of the war. The DJIA goes up. The oil crisis in the 70s, goes down. COVID hits, goes up, sorry, goes down. And then everybody realizes that they can use Amazon still and they can still get the things they need, goes back up. With the e-crime index, we took that approach to say, what is the health of the underground economy?
When you read about any of these ransomware attacks or data extortion attacks, there are criminal groups that are working together in order to get things spammed out or to buy credentials and things like that. And so what the e-crime index does is it takes 24 different observables, right? The price of a ransom, the number of ransom attacks, the fluctuation in cryptocurrency, how much stolen material is being sold for on the underground, and we're constantly computing this number to understand, is the e-crime ecosystem healthy? Is it thriving or is it under pressure? And that lets us understand what's going on in the world and kind of contextualize it. Give an example: Microsoft on Patch Tuesday releases 56 vulnerabilities. 11 of them are critical. Well, guess what? After Patch Tuesday is Hack Wednesday. And so all of those 11 vulnerabilities are exploitable and now you have threat actors that have a whole new array of weapons that they can deploy and bring to bear against their victims after that Patch Tuesday. So that's Hack Wednesday. Conversely, look at something like the Colonial Pipeline. Colonial Pipeline attack, May of '21, I think it was, comes out and all of the various underground forums where these ransomware operators are doing their business, they freak out because they don't want law enforcement. President Biden is talking about them and he's putting pressure on them. They don't want this ransomware component of what they're doing to bring law enforcement, bring heat on them. So they de-platform them, they kick them off. And when they do that, the ransomware stops being as much of a factor at that point in time and the e-crime index goes down. So we can look at holidays, and right around Thanksgiving, which is coming up pretty soon, it's going to go up because there's so much online commerce with Cyber Monday and such, right? You're going to see this increase in online activity. E-crime actors want to take advantage of that.
When Christmas comes, they take vacation too. They're going to spend time with their families, so it goes back down and it stays down till around the end of the Russian Orthodox Christmas, which you can probably extrapolate why that is, and then it goes back up. So as it's fluctuating, it gives us the ability to really just start tracking what that economy looks like.

Real-time indicator of that crypto, I mean, hacker economy. You talked about Hack Wednesday and before that you mentioned the big four. And I think you said 185 threat actors that you're tracking. Is number 185 on that list somebody living in their mom's basement, or are the resources necessary to get on that list such that it's like, no, no, no, no, this is very, very organized, large groups of people? Hollywood would have you believe that it's a guy with a laptop, Hack Wednesday and everything's done. Are there individuals who are doing things like that or are these typically very well organized?

That's a great question and I think it's an important one to ask, and it's both. It tends to be more of the bigger groups. There are some one-off ones where it's one or two people. Sometimes they get big, sometimes they get small. One of the big challenges, have you heard of ransomware as a service?

Of course, oh my God. Any knucklehead can be a ransomwareist.

Exactly, so we don't track those knuckleheads as much unless they get on to our radar somehow, they're conducting a lot of operations against our customers or something like that. But what we do track is that ransomware-as-a-service platform, because the affiliates, the people that are using it, they come, they go, and it could be they're only there for a period of time. Sometimes they move between different ransomware services, they'll use the one that's most useful for them that week or that month. They get the best rate because it's rev-sharing. They get a percentage, that platform gets a percentage of the ransom.
So they negotiate a better deal, they might move to a different ransomware platform. So that's really hard to track. And it's also, I think, more important for us to understand the platform and the technology that is being used than the individual that's doing it.

That makes sense. All right, let's talk about the big four. China, Iran, North Korea and Russia. Tell us about how you monitor these folks. Are there different signatures for each? Can you actually tell, based on the hack, who's behind it?

So, yeah, it starts off, motivation is a huge factor. China conducts espionage. They do it for diplomatic purposes, they do it for military and political purposes and they do it for economic espionage. All of these things map to known policies that they put out, the five-year plan, Made in China 2025, the Belt and Road Initiative. It's all part of their efforts to become a regional and ultimately a global hegemon.

They're not stealing nickels and dimes.

No, they're stealing intellectual property, they're stealing trade secrets, they're stealing negotiation points when there's a high-speed rail or something like that. And they use a set of tools and they have a set of behaviors and they have a set of infrastructure and a set of targets that, as we look at all of these things together, we can derive who they are by motivation, and the longer we observe them, the more data we get, the more we can get that attribution. I could tell you that there's X number of Chinese threat groups that we track under Panda, and they're associated with the Ministry of State Security. There's a whole other set that's associated with the People's Liberation Army Strategic Support Force. So, I mean, these are big operations, they're intelligence agencies that are operating out of China. Iran has a different set of targets, they have a different set of motives. They go after North American and Israeli businesses, right now that's kind of their main operation.
And they're doing something called hack-and-leak and lock-and-leak. With a lock-and-leak, what they're doing is they're deploying ransomware. They don't care about getting a ransom payment, they're just doing it to disrupt the target. And then they're leaking information that they steal during that operation that brings embarrassment. It brings compliance, regulatory, legal impact for that particular entity. So, it's disruptive.

Chaos creators, that's-

Well, you know, I think they're trying to create a, they're trying to really impact the legitimacy of some of these targets and the trust that their customers and their partners and people have in them. And that is psychological warfare in a certain way. And it is really part of their broader initiative. Look at some of the other things that they've done, they've hacked into the missile defense system in Israel and they've turned on the sirens. Those are all things that they're doing for a specific purpose. And that's not China, right? As you start to look at this stuff, you can start to really understand what they're up to. Russia has very much been busy targeting NATO and NATO countries and Ukraine. Obviously, the conflict that started in February has been a huge focus for these threat actors. And then as we look at North Korea, totally different. There was a major crypto attack today. They're going after these crypto platforms. They're going after DeFi platforms. They're going after all of this stuff that most people don't even understand and they're stealing the cryptocurrency and they're using it for revenue generation. These nuclear weapons don't pay for themselves. Their research and development doesn't pay for itself. And so they're using that cyber operation to either steal money or steal intelligence.

They need the cash, yeah.

Yeah, and they also do economic targeting because Kim Jong-un had said back in 2016 that they need to improve the lives of North Koreans.
They have this national economic development strategy and that means that they need, I think only 30% of North Korea has access to reliable power. So having access to clean energy sources and renewable energy sources, that's important to keep the people happy and stop them from rising up against the regime. So that's the type of economic espionage that they're conducting.

Big four, if there were big five or six, I would presume U.S. and some Western European countries would be on there. Do you track? I mean, the United States obviously has people that are capable of this. We're out doing our thing in defense or offense. Where do we sit in this matrix?

Well, I think the big five would probably include e-crime. We also track India, Pakistan. We track actors out of Colombia, out of Turkey, out of Syria. So there's a whole, this problem is getting worse over time. It's proliferating. And I think COVID was also a driver there because so many of these countries couldn't move human assets around because everything was getting locked down. As machine learning and artificial intelligence and all of this makes its way into the cameras and border and transfer points, it's hard to get a human asset through there. And so cyber is a very attractive, cheap, and deniable form of espionage and gives them operational capabilities. Not, you know, and to your question about U.S. and other kind of Five Eyes-friendly-type countries, we have not seen them targeting our customers. So we focus on the threats that target our customers. And so, you know, if we were to find them at a customer environment, sure. But, you know, when you look at some of the public reporting that's out there, the malware that's associated with them is focused on, you know, real bad people. And it's physically, like, encrypted to their hard drive. So unless you have a sensor on, you know, an Iranian or some other laptop that might be targeted or something like that.

Well, like Stuxnet did, right?
Yeah, well, you won't see it, right? So, yeah.

Well, Symantec saw it, but way back when, right, back in the day?

Well, I mean, if you want to go down that route, I think it actually came from a company in the region that was doing the IR, and they were working with Symantec.

Oh, okay. So, okay, so it was a local...

Yeah, I think Crisis, I think, was the company that first identified it, and then they worked with Symantec. It was a, they found it on, I guess, a logic controller, I forget what it was. It was a long time ago, so I might not have that completely right, but I, yeah.

No, but it was a seminal moment in the industry.

Oh, and it was a seminal moment for Iran, because that, I think, caused them to get into cyber operations, right? When they realized that something like that could happen, that bolstered, you know, there were a lot of underground hacking forums in Iran, and after Stuxnet, we started seeing that those hackers were dropping their hacker names, and they were starting businesses. They were starting to try to go after government contracts, and they were starting to build training, offensive programs, things like that, because they realized that there's an opportunity there.

Yeah, we were talking earlier about this with Sean, and, you know, in the nuclear war, you know, the Cold War days, you had the mutually assured destruction. It's not as black and white in the cyber world, right? Because, as Robert Gates told me, you know, a few years ago, we have a lot more to lose, so we have to be somewhat, is the United States careful as to how much of an offensive posture we take?

Well, here's the secret, so I have a background in political science, so mutually assured destruction, I think, is a deterrent strategy where you have two entities that they will destroy each other, so they're disinclined to go down that route. With cyber, I really don't like that mutually assured destruction. That doesn't fit, right? I think it's deterrence by denial, right?
So, raising the cost, if they were to conduct a cyber operation, raising that cost so that they don't want to do it. They don't want to incur the impact of that, right? And think about this in terms of, a lot of people are asking about, would China invade Taiwan? And so, as you look at the costs that that would have on the Chinese military, the PLA, the PLA Navy, et cetera, you know, that's that deterrence by denial, trying to make the costs so high that they don't want to do it. And I think that's a better fit for cyber, to try to figure out how can we raise the costs to the adversary if they operate against our customers, against our enterprises, so that they'll go someplace else and do something else.

Well, that's a retaliatory strike, isn't it? I mean, is that what you're saying? I mean-

No, definitely not. It's more reducing their return on investment, essentially.

Yeah. And disincentivizing them to do X and sending them off somewhere else.

Right, and threat actors, whether they be criminals or nation states, you know, Bruce Lee had this great quote that was, be like water, right? Like take the path of least resistance, like water will. Threat actors do that too. So, I mean, unless you're a super high value target that they absolutely have to get into by any means necessary, then if you become too hard of a target, they're going to move on to somebody that's a little easier.

Excellent. Awesome. Really appreciate your insight. We'd love to have you back.

Anytime.

Go deeper. Adam Meyers, we're here at Fal.Con 22. Dave Vellante, Dave Nicholson. We'll be right back after this short break.