Welcome to this CUBE conversation, I'm Lisa Martin. Richard Hummel joins me next, Manager of Threat Intelligence at NetScout. Richard, welcome back to theCUBE.

Thanks, Lisa, it's nice to be back. Thank you for having me.

We have a lot to talk about in the next 15 to 20 minutes. We're going to be talking about the NetScout Threat Intelligence Report. The report covers the first half of 2021, January 1 to June 30th. Unprecedented events of 2020, Richard, spilling into 2021. How have the events of 2020 impacted the threat landscape? What are you seeing?

I would say that it's significantly impacted it. The COVID pandemic and all that happened with remote work and education moving to remote, all of that had a hand in kind of exponentially increasing the threat landscape that adversaries have at their disposal to compromise unknowing victims to launch attacks. There's so much more that adversaries are able to really hook into. I mean, just in the first half of 2021, we saw almost 5.4 million DDoS attacks. And if you go back to last year, we broke a record at 10 million, just over 10 million, and we're well on track to hit 11 million at the end of this year. So you can see how it's impacted. And even as much as some things are starting to tail off or taper off a little bit, as things start to get back to normal, we start to resume travel, we resume going to the office, there's still that tail end, and we're still seeing this kind of heightened attack landscape. And there's lots of different phenomena that are happening as a result, which we'll talk about throughout this interview.

Yeah, we'll dissect that. You said on pace for a record-breaking 11 million DDoS attacks by the end of 2021. One of the things I want to talk about is speed. I noticed in the report that seven attack vectors in seven months, which means that threat actors exploited or weaponized seven, at least seven, of the new DDoS vectors in just seven months' time. Why is that significant?
I'll even raise the ante a little bit. Just after the threat report, there's an eighth vector. And so this is the nature that we're in. This is really the age of innovation. And we've been in kind of an innovative space in the cybercrime world for a couple of years now, where we continue to see this domino effect, for lack of a better way of describing it, where it's just one after the next after the next. And then you add in this compounding thing where you have more devices than ever before connected to the internet. And then you have all that much more exposure for these things that take advantage of you. And so we see adversaries innovating. And one of the ways in which we see that is they operate like a business enterprise. They have functional components for different things. And as you kind of fragment that business structure in the crime world, you get specialized areas for certain things. And so you have adversaries that are niche in a certain area, whether it's distribution of malware, or it's launching a DDoS attack, or maybe it's just finding reflectors/amplifiers to launch those DDoS attacks. You have all of these kinds of niche areas. And the more you can consolidate or collapse those different skill sets into different components, you're gonna find it iterates much more rapidly. It's the same thing that happens with entrepreneurs in the business enterprise. You outsource what you're not the expert at, and you outsource it to somebody who is an expert. And we see the same phenomenon happening in the cybercrime world.

So the rate of discovery to weaponization is getting shorter?

Super fast. And we've seen things weaponized in as short as one to two days from the time a proof of concept comes online to when an adversary adopts this into their tools or their toolkits. And so most often the way we see this adopted is maybe a bot picks it up.
So you have like your Mirais, your Satoris, your DAF, all these different IoT-related bots out there that have capabilities. But then you also have these platforms called booter/stresser services. And adversaries just continue to add vectors, and there's no reason to remove them because they're still effective. And so we see this continual adding of new ways to compromise or new ways to attack somebody that just always goes up and to the right.

Up and to the right in some cases can be good. In this case, it's obviously a sign of distress. One of the things that the report showed, Richard, was the development of adaptive DDoS. Just the name adaptive leads me to think of evasive tactics these threat actors are employing. Talk to us about adaptive DDoS and what the report showed for the first half of 2021.

Sure, so the biggest thing we saw with adaptive DDoS, and I have to preface this by one of the changes that we saw over the first half of 2021. Going into the first half of the year, DNS reflection/amplification was kind of the predominant, preferred method by adversaries. There's so many DNS servers out there. So it's something they're able to do. Well, we saw a different type of attack called TCP ACK floods actually surpass that. And TCP ACK floods are a little bit different because it uses a different internet protocol. Now what's significant about TCP-based connections is it's connection-oriented. So it requires what we would call a three-way handshake. So there's packets going to the target, they're coming back to the adversary, they're going to the target. And in most cases, there's spoofing of IP addresses. So it never really goes to the actual adversary but somebody else, right? And so it's much more process-intensive or network-intensive. And so you can basically launch these TCP floods, these SYN attacks, these ACK floods, whatever they might be. And you're creating a bunch of different connections on that targeted entity. And you're spoofing the source.
So in other words, let's just say I am victim one, and there's an adversary out there that wants to target me. So they're going to actually spoof my IP address, and they're going to send a bunch of these SYN floods or SYN-ACKs or TCP ACK floods or whatever they might be to all these DNS servers around the world. And so they're all going to reply to their supposed source of those packets, which in fact is spoofed, right? And so now you're getting all these flood attacks. And so what we're seeing here is a switch. We're moving from kind of the just connectionless, the UDP-based stuff, the DNS reflection/amplification, to a more niche thing, such as TCP ACK floods. And it's the first time we've ever seen TCP ACK floods take first place. And what's notable about that is that there are certain types of DDoS mitigation that are susceptible to this kind of attack. And so what we see adversaries do is they'll launch that attack and they'll monitor: did my victim go down? If they didn't go down, they'll pivot, they'll try something else. Maybe they'll try a typical volumetric attack. If that succeeds, well, okay, we took one layer of the defense down. So is there anything else preventing us from taking our target offline? Well, maybe there's a second layer of defense. So now let's try this other thing and see if that works. And so we actually saw this successful against commercial banks and payment card processors, where they used TCP ACK floods to bypass one layer, then these volumetric attacks to bypass the second. And then on a completely different target, we saw it in reverse. And so we see adversaries adapting to how we're putting our security postures in place and what we're doing to defend our organizations and networks, and adversaries are very quickly iterating and pivoting to follow what we're doing and overcoming that.

And when you say quickly, how quickly are we talking? Is this a matter of days?
Well, in the case of the attacks that we're talking about, we're talking about seconds or minutes, because they're actually launching the attack and they're sitting there watching to see if that goes down. And if it doesn't go down, they can pivot really, really quickly and launch a secondary attack. And so in these cases, it's really, really rapid and really fast.

Wow. Another thing that I read in the report, and that you sort of intimated a minute ago, was the amount of collateral damage seems to also be expanding with what you're seeing in the threat landscape. Talk to us about the risks there in the collateral damage and give us some examples of that actually happening.

So I think the biggest example of this, and this isn't actually DDoS-related, but if you look at like the Colonial Pipeline incident that happened, right? So they didn't actually go after Colonial Pipeline. They went after a vendor that provides some sort of service to them. And that resulted in Colonial saying, we got to shut down our pipeline because now we can't bill our customers. So that's like one aspect of collateral damage. Well, let's translate that to the DDoS world. What happens when a DNS server goes offline that services 1,000 different websites? Now you have all of these other websites that can't be accessed. Well, what happens if an adversary goes after the VPN for a prominent enterprise? They successfully take down that VPN concentrator, and now all of their remote workforce can no longer access those resources. In fact, there's something we're calling a connectivity supply chain, which is what adversaries are moving to, both in the corporate world as well as commercial. VPNs are increasingly used by gamers, for instance, to mask their IPs, because DDoS attacks predominantly target gamers. 85% of all attacks are against gamers. And so they're using VPNs to mask their source.
Well, an adversary says, well, hey, I can't go after the individual because I don't know their IP, but I know what VPN they're using. So maybe if I target all the VPN nodes that are publicly available for that VPN concentrator or VPN service provider, now I can take them offline, but it has a consequence. You're not just taking off your individual target, you're taking off every single person that's using that VPN. This is the collateral damage impact we're talking about. It can be very, very far-reaching.

You mentioned the connectivity supply chain. Let's go ahead and dissect that, because that was something else that the report showed, was that there were vital components of what NetScout calls the connectivity supply chain, which you'll define, under increasing attack. Define the connectivity supply chain and tell us what the report is showing.

So supply chain comes in many forms and fashions. You have your physical supply chain. You have your vendors that provide software. You have actual, you know, movers, such as semis and trains, and you have pipelines to get crude oil to places. All of these things are supply chain, but what's the underlying foundation behind these? How do all of these operate? And more and more in today's day and age, you rely on internet connectivity. You rely on that backbone to be able to operate your systems across a remote space, whether that's internationally, or if it's different countries, if it's just different states, you have to have some way of connecting all those things. And we're not often doing things physically in person there, right? We do this by remote access. We do this by having certain websites or controllers, and all of these things rely on a few critical things that, if you were to take them offline, it would prevent you from doing this kind of management. So DNS servers, VPNs, I already talked about, whether it's commercial or corporate, to access your company's assets. And then you have internet exchanges.
If any one of these things went down from a DDoS attack, you're talking about massive collateral damage. And so what we're calling the connectivity supply chain is really just that. What connects all of us together? That's the internet, and what makes the internet tick? And here at NetScout, we call ourselves guardians of the connected world. And though that might seem a little bit weird to say it that way, it's absolutely true, because our primary goal here at NetScout is to make sure that organizations maintain that connection that allows them to really just live, breathe, survive, do their business. Without that, you can't conduct business.

Right, and we saw that rapid pivot last year, and so many businesses, in every industry, had to rapidly pivot and shift to digital. But the risks, as the innovation of technology for use for good continues, so does its innovation and use for adversarial things. Another thing the report showed: triple extortion. Talk about that, what you saw, what does that mean for businesses?

So the triple extortion is a three-pronged attack. And everybody here is going to know exactly what I'm talking about when I say ransomware, because ransomware is the biggest threat to the cyber world, really not even just the cyber world, just anybody that has a computer or device or anything, whether it's a business, it's a user, it's a school, hospitals, everybody is at risk for this, and adversaries see the success that ransomware is having, and more and more operators get involved in this. Well, what we're seeing here is that they're not satisfied with just encrypting your files and getting a one-time payment. No, they've got to take it a step further. In fact, the double extortion has been ongoing since as far back as 2013, when a popular GameOver Zeus variant was distributing CryptoLocker ransomware. And so you have like your initial compromise and data theft and wire transfers of bank stuff, followed by ransomware.
I already stole your money from your bank, and now you're going to pay me a ransom to decrypt your files. Well, let's move forward to today's day and age, and over the past year, one of the things we've seen is that adversaries are now adding a third tactic to this: the DDoS. And so they will encrypt your files, they'll demand, hey, you're going to pay us this amount of Bitcoin in order to decrypt your files. But we're already in your system, so let's just steal your data, and then after you pay us for the decryption, we're going to hold your data hostage until you pay us again. Or maybe we're going to use that data as a lever to get you to pay that initial ransom. Well, that's still not enough, because more and more security researchers like myself say, don't pay. And I'm saying that right here, in plain English: do not pay the ransom, because it has detrimental effects. You don't even know if they're going to decrypt your files, and you don't know if they're going to come back. Maybe you pay them, they never send you a decryption key. You pay them and, lo and behold, they're part of some terrorist organization. So now you're actually complicit in funding these guys. And the more success that these ransomware operators have, the more they're going to do it. And so it has a lot of really negative consequences. Well, let's add another lever. Let's add DDoS to this. So it's not enough to encrypt your files. It's not enough to steal your data. Let's knock your network offline. So now you have no recourse whatsoever except to pay us in order to resume services. And we're seeing at least four or five different ransomware groups or gangs actually use this triple extortion to go after their victims. And so it's something that we expect to see down the road as more and more operators continue to kind of adopt this.

Yeah, the report showed that there was a ransomware group that, in the first half of 2021 alone, netted $100 million. So ransomware as a service.
This is a big business. You say, don't pay. What can organizations do to defend themselves against triple extortion, even single or double?

Yeah, so I mean, the thing is preparation is key for a lot of this, and not just for the ransomware piece or triple extortion, but DDoS in general. Preparation goes a long way to mitigating this potential threat. And one of the things we like to say here is that 80% of the things you can do to defend against ransomware also work for defending against DDoS. And the key word here is preparation, making sure that you've done your initial observations of your network. You understand what is in your network, every device, not just like your core critical systems, because there could be that IoT device sitting there on the fringe somewhere that has, for whatever reason, access to a system that, if encrypted, would cause detrimental harm to your company. So not only do you wanna inventory your systems, you also wanna figure out: are they patched, are they up to date? Do we allow unauthenticated logins? Are they using default usernames and passwords? In fact, for the vast majority of ransomware today, the initial infection vector is either going to be some sort of spam messaging or brute-forcing RDP, SSH and Telnet. The tried-and-true methods that they've been using for five, six, seven years, they are still successfully using to get into organizations. And so making sure that you're sufficiently locking those down. Specifically on the ransomware side, if you wanna prevent those, not only are you gonna do this preparation, but you're gonna make sure that you isolate your critical systems. You shouldn't have everything connected to one spot. If somebody compromises one device, they should not be able to encrypt your entire network. They absolutely should never be able to encrypt your backup files, and have backup files, right? So there's a lot of different things you can do here.
And by practicing a lot of this preparation, this isolation, the segmenting of your networks, you're also helping in the DDoS space, because if they go after one network asset, you have others to fall back on. There's one significant difference between ransomware and DDoS. Ransomware, after you've been infected, unless you have backups or you pay the ransom, your files are pretty much gone. Unless there's some decryptor that can be had, or the government has some sort of campaign that gets your decryption keys and they help you with the decryption. So in those cases, if you get encrypted, there's often not a whole lot of recourse unless you have prepared ahead of time. With DDoS, however, the vast majority, 99% of all DDoS attacks, can be prevented if you have a mitigation and protection solution in place. And even if you get DDoSed, oftentimes they're short-lived. In fact, the vast majority of DDoS attacks last less than 15 minutes. And so it's not like your stuff is gonna be encrypted for days on end or weeks on end. You're gonna get hit. You might go down for a period of time, but you can recover services. And during that recovery period, you can go and you can seek mitigation and protection services. And so there's a big difference between DDoS and ransomware in that regard.

That's a great way of describing that. We've talked a lot about ransomware, as it's been on the increase in the last year and a half. We've talked about how it's not a matter of if we get attacked, it's a matter of when. But your distinction between ransomware and DDoS attacks shows that both, with preparation and the right tools, are preventable and recoverable, provided organizations have put the proper tools and mechanisms in place to do that. And given how quickly we're seeing the adaptation of the threat actors, organizations, if they're not already on that preparation train, need to catch it.

Absolutely, they need to get busy right away. There's really no delay.
Like you said, it's not if, it's when. And so every single person, every organization, and I would take it a step further, not even organizations, every single individual that has a computer or some sort of internet connection at home needs to realize that they absolutely can be and are the target of these attacks. We've said it now for the past year and a half that within five minutes of an IoT device going online, you're getting brute-force attempts. And that's any IoT device. That's something you connect that maybe you never even realize you can log into and change a password. Well, if it's online, then chances are somebody's trying to brute-force that to access it and use it in nefarious ways.

And as we all sort of anticipate, we're going to be in this hybrid work environment, work-from-anywhere environment for quite a while longer. One last question I want to ask you: when you talk about all the proliferation of IoT devices, and we're still in this work-from-anywhere situation, botnets, what are some of the things that the report showed, and how can organizations protect a growing number of vulnerable IoT devices from botnets?

So I think the biggest thing to protect against IoT compromise is just simply patch and update your passwords. Mirai has been out there for a long time; fall of '16, we saw the Dyn attacks, but it's still using the same usernames and passwords. Sure, they add more to the list, but the predominant ones that are successful in compromising devices have been around for many years, and they're still successful in compromising these IoT devices. In fact, in the report, one of the things we wanted to show is actually where are these botnets? How are they being used? And specifically in a DDoS nature. And so we actually took all of the IP addresses that we're seeing from bots that are either coming back into our honeypot or things that we scan for.
And what we've determined is that roughly 200 to 208,000 of the IP addresses, IP addresses that both we collected, as well as a new partner of ours called GreyNoise, who have agreed to partner with us on this report. And you'll see that in the report if you actually read it. We took this list of nodes and we compared that to what we're seeing in the DDoS attack landscape. And it turns out that approximately 200,000 of these contributed to more than 2.8 million DDoS attacks in the first half of 2021. Now, there were 5.4 million attacks total. So more than half of those had some form of DDoS botnet IoT representation. And so that should tell you that these botnets are huge, and they're everywhere, and they're active. And so the report actually walks you through where the density zones are in clusters of these botnets, as well as what botnets in those high-density zones are using to compromise other IoT devices. And so it's definitely a very informative read. And I think that you'll figure out that this isn't something we talk about in the abstract, right? This is a botnet in my backyard, and I should absolutely be concerned about any IoT device in my home.

Right, and the NetScout threat intelligence report, which Richard has just walked us through, is not only available online, it's interactive. It's a great report. I've looked at the PDF, but Richard, where can folks go to actually interact with the document and actually glean even more information about how they can prepare and defend?

Yeah, so netscout.com/threatreport. And as Lisa said, it is interactive. So you will need to sign up for the site, and you can do both. You can either view the interactive webpage or you can download the PDF, whatever your reading preference is. But I do encourage the interactive portion, because for instance, like this botnet density map that I showed, or that I've talked about, you can actually page through month over month to see where those density clusters are.
And there's various other animations, there's other maps in there. So there's definitely a lot more value to perusing the interactive nature of this.

A lot of granularity. Richard, thank you so much for joining me today, talking about what the first half of 2021 showed. I can't wait to talk to you next year, when we're going to be looking at the second half of the year, where we are with respect to that record-breaking 11 million DDoS attacks. Thank you for taking your time to explain the top trends in the report and for showing folks where they can go to interact with it.

Absolutely, thank you, Lisa. And thank you to theCUBE for hosting the interview. Definitely appreciate it.

Our pleasure. For Richard Hummel, I'm Lisa Martin. You're watching a CUBE conversation.