Hi, I'm Peter Burris and welcome once again to another CUBE conversation from our Palo Alto studios. Recently, we had FortiGuard Labs here on theCUBE talking about a regular report that they do on the state of the security industry. And once again, we've got Anthony Giandomenico here to talk about the most recent, the Q1 update. First of all, tell us a little bit about FortiGuard Labs. Where does this come from?

So FortiGuard Labs actually is the threat intelligence organization of Fortinet. So what we do is we keep track of the tactics, techniques and procedures of the adversary and make sure that we have detection methodologies to be able to stop all those tactics, techniques and procedures.

So you're the ones that are collecting the data that's right from the ground to help everybody keep up to date on where the threats are likely to be, set priorities. So that's what this report does, right?

Absolutely, it's something we do on a quarterly basis and it's really, you know, we're looking at billions of events that we're observing in real time, you know, production environments. And what we're trying to do is identify the top application exploits, malware and botnets. And what we want to be able to do is find different types of trends that then can be able to translate into helping organizations fortify their environments.

All right, so here, this is the Q1 2018. People can get access to it. What's the top line change?

Yeah, well at a high level, I think the, you know, one, the actual cyber criminals, they're evolving their attack methodologies to be able to increase their, you know, success rate, as well as being able to increase their infection rate. So that's one thing. You know, the other thing, obviously, we always have to talk about ransomware that, you know, seems to be a very hot threat these days for cyber criminals to make money. Now that threat isn't going away. We did see a slight decrease though where the adversaries were more interested in hijacking, you know, systems to be able to mine for cryptocurrencies as opposed to, you know, taking that machine hostage and demanding a ransom.

Really?

Yeah, believe it or not.

I'm a little bit, I mean, ransomware just seems like it would have so much potential and cryptocurrencies are, well, they're interesting. But tell us a little bit about why that's happening. What seem to be the indicators?

Yeah, well, like I said, ransomware isn't going away. I think they're going to continue to use that to make money. But from a cryptojacking perspective, we did see the uptake last year; in our Q4 report it was about 13% of the organizations actually reported some type of cryptojacking attack. Fast forward to this report and it nearly doubled, actually over doubled to, you know, 28%. So that's about one in four organizations are actually impacted with this particular threat. Now, what I think is interesting about this particular threat is the way it evolves, right? Because it's so new, it's always looking back at its other successful, you know, predecessors to be able to determine how can I be more stealthy and how can I get my, you know, malware or my, you know, payload out to all the different sorts of systems. So, you know, an example of that is fileless malware. Fileless malware is very stealthy. It's starting to use fileless malware techniques. It'll use scripts to inject their actual payload into memory, nothing on disk, so it makes it a lot more difficult to be able to detect. Now, how do I get my payload out to all the other, you know, workstations? Well, it takes a one-two punch combination that, you know, Petya used last year. It's leveraging, you know, there's this open source technology called, you know, Mimikatz; it steals different types of credentials and does something called pass the hash, passes that hash credential out to those other systems and then it gains access that way, it can actually pass the actual malware from system to system. If that fails, then it goes back to identifying different vulnerabilities that it could then exploit. One vulnerability it does look for is EternalBlue, which was the vulnerability that was so graciously given to us from Shadow Brokers. So those are the ways that they're starting to be more effective in being more stealthy and also being able to propagate a lot faster.

And cryptocurrency obviously is one of the more interesting things because you take over the computer resources without necessarily stealing any data. You're just grabbing computer resources.

Yeah, which is interesting. I don't want to actually kind of go off topic here but that's another conversation. Is cryptojacking actually a threat or not? Right, because all it's really doing is stealing, you know, CPU resources. So, you know, so people say, so that's a whole other discussion to actually get into it. Is it actually really a threat or not?

Well, if you're able to get access to a computer, presumably you're able to get access not just for that purpose but maybe others.

Exactly.

So that's probably an indication you may have a problem. But let's talk about ransomware. You said the ransomware is not going away. Ransomware, most folks are familiar with it. What is it, what's the report suggest?

Now, Peter, did you realize that this month is the one year anniversary of WannaCry? I don't know if you remember that or not but, you know, WannaCry was very infamous for not necessarily the payload but by the way it actually was able to spread so fast and affect so many different machines. Now that spreading, that worm-like spreading kind of capability still exists here. You know, today you see a lot of different sorts of threats using that, but what seems to be a bit different now is the combination of that ransomware payload along with more targeted attacks. So usually in a ransomware type of attack you do some type of spamming campaign, you spam out that email, you know, and you'll see what sticks. Well, these are a lot more targeted, so they're going to spend a lot more time doing, you know, reconnaissance on an organization and being able to find different vulnerabilities on the outside of the network. Once they actually come in, very methodical at how they're able to laterally move and put their actual malware on systems that they actually think, you know, however many systems they think they should actually have that particular malware on. Now at this point, they haven't actually executed, you know, the actual payload, so they have it on as many systems as possible and once they're ready, they flip the switch and all those systems now are held hostage. That impact is much greater to the business.

Now, when we think about the attacks we think in terms of computing devices, whether it's a mobile device or a PC device or servers or whatnot, but are we seeing any changes in how people are attacking other computing resources within a network, hitting routers and others to try to drive more control over some of these network resources?

Well, I mean, we definitely see exploits that are actually hitting, you know, mobile devices, they're hitting routers. A lot of IoT as well, but also web technology because, you know, web technology, there's so many external facing websites these days, you know, they're a much easier target. So we are seeing that. I would mention also that it's up 7% to 21% of organizations have actually reported mobile malware as well.

And that is an especially difficult thing because your mobile applications are not just associated with a particular business but other businesses as well. And so you are both an employee and a consumer and if your mobile applications get hit that can have enormous ramifications on a number of different levels.

Yeah, absolutely. And I think sometimes, you know, an organization or an actual consumer will have a phone and then won't necessarily think that it's the same as their workstation. So it's like, oh, well, not that much can happen on my mobile phone, right? They're not the same as on my workstation, but actually it could be even worse.

Yeah, so if you think about some of the things that are on the horizon, you mentioned that we're seeing a greater utilization of different techniques to make money in some of the new domains like jacking, cryptojacking. There's still ransomware, still an issue. As folks go back and identify these different malware, these different security breaches, what are they doing to actually clean things up? Are we seeing folks actually cleaning up or is there still just like whack-a-mole, just whacking things out and worrying about whether or not they go back and clean things up later?

Well, to basically answer your question, they are starting to actually kind of clean up, but wait till you hear this. So what we tried to do here in this quarterly report is we wanted to measure how quickly they were able to kind of clean up that particular threat, and what we found out, we used botnet alerts and we wanted to see how fast those botnet alerts actually got cleaned up. So what we were able to determine is 58% of all organizations within 24 hours were able to clean up that particular botnet infection, which is actually pretty good, but that 42%, it took them either sort of two days or longer to be able to get that actual threat out; actually sometimes the threat really never even actually went away. A great example of that is actually the Andromeda botnet. It is a threat that was brought down last year, but even though it's not there anymore the infections on the workstations are still there, so we're still kind of getting those actual hits on that Andromeda botnet, and that actual threat for Q1 was one of the highest in prevalence and volume.

Even if it wasn't necessarily doing damage because we'd figured out how to deal with it, but if it's there somebody might find a way to use it again in the future.

Absolutely.

So as we think about the next quarter, you doing this on every quarter, are there any particular areas that you think folks have to, they need to anticipate, some of these changes, more of the same, different trends? Or what about OT, for example? As operational technology becomes increasingly part of that common technology fabric, how is that likely to be affected by some of these different attack types?

To your first question, I think we'll probably see a lot more of the same, and I think what we'll continue to see, this whole zero day market, I think it's getting more and more mature, meaning that we're going to see more and more vulnerabilities that are actually kind of zero day that have just been discovered or just been announced, and I think we're going to continue to see the adversaries take advantage of those newly discovered zero day vulnerabilities. They'll take those actual, those exploits, put them into their attack methodologies to propagate faster and faster, so I think organizations are going to have to make sure that they can address some of those newly discovered vulnerabilities fairly quickly. Now as we switch to the OT side, we didn't see a lot of attacks if you look at the percentage of the overall attacks; however, OT, if there is an actual successful attack, I think it's worth saying that it's a much larger impact, it's a major problem. My concern is these different types of trends that are coming together. One, OT is starting to connect to other networks, which means they're going to eventually be accessible from the internet, which makes it a lot more difficult to be able to protect. At the same time we're seeing nation states continue to focus on compromising OT systems as well, so I don't know what's going to happen in the coming months and years, but the trends aren't actually looking so good right now.

So if you were to, if we had a CIO sitting here right now and you were talking to them about this report, what are the, first off, how should they regard the information? What should they be doing differently as a result of the information the report's reviewing?

Yeah, I mean, I would say one, we always talk about this, it's easier said than done, but going back to the basics and making sure that you have good cyber hygiene and being able to identify vulnerabilities that exist in your environment. And me just saying that sounds kind of simple, but that really means identifying all the assets that you have in your environment that you're responsible for protecting, number one, and then being able to identify the vulnerabilities that may exist on those things. That's not the easiest thing to do, but I think it's something that really should be focused on. At the same time though, threats are going to get into your network, that's just a, you know, that's a given, so being able to make sure that you can identify, you know, threats within your environment is extremely important, and then once you identify them, what's the process for you to go ahead and actually respond and clean up those particular threats? That really is going to be the key. I know it's at a high level, it's much deeper than that, but I think that's where you start.

All right, Anthony Giandomenico, Tony G.

Tony G.

Thanks very much once again for being on theCUBE and talking to us about FortiGuard's Q1 2018 report from Fortinet.

Awesome, well thanks for having me.

You betcha. So Anthony Giandomenico, a senior strategist researcher at FortiGuard Labs of Fortinet, talking to us about the Q1 2018 report. Once again this has been a CUBE conversation, thanks for listening.