From our studios in the heart of Silicon Valley, Palo Alto, California, this is a CUBE Conversation.

Peter Burris: Hi, and welcome to the CUBE studios in Palo Alto, California for another CUBE Conversation, where we go in depth with the tech leaders driving innovation across the technology industry. I'm your host, Peter Burris. Well, it's that time of quarter again. Every quarter we get together with Fortinet to discuss their threat landscape report, which is one of the industry's best and most comprehensive views into how the bad guys are utilizing bad software and bad access to compromise digital business and steal digital assets. Now, this quarter's report suggests that there's not as much new stuff going on. If you look at the numbers, they're relatively flat compared to previous quarters, but that doesn't tell the real story. Underneath those numbers, we see that there's a churn. There's an incredibly dynamic world of bad actors doing bad things with old and new bad stuff to try to compromise digital business. To learn more about this dynamism and what's really happening, once again, we've got a great CUBE guest. Tony Giandomenico is a senior security strategist and researcher and CTI lead at Fortinet. Tony, welcome back to the CUBE.

Tony Giandomenico: Hey, Peter, it's great to be here.

Peter Burris: So Tony, I started off by making this observation that the index suggests that we're in kind of a steady state, but that's not really what's happening, is it? What's really going on? Where is it going on inside the numbers?

Tony Giandomenico: Yeah, you know, we start to see a little bit of a shift of tactics. What has happened, I think, not all the time, but sometimes what the adversaries like to do is penetrate an organization where maybe us as defenders aren't necessarily as focused in on. And a great example is for many years, we were focused on, and rightfully so, and we continue to be focused on this, is being able to block a phishing email, right?
We have our email security gateways to be able to not allow that email to come into the network. We also then, for whatever reason, if it happens to get into the network, we focus on user awareness training to educate our users to make sure that they can identify a malicious email. They're not clicking that link or clicking that attachment. Now, with that said, we look at the actual data in our Q3 threat landscape report. And what we're seeing is the adversaries are targeting vulnerabilities that, if they were successfully exploited, would give them remote code execution, meaning that they can compromise that box and then move further and further inside the network. Now, granted, that's been happening for many years, but we have actually seen an increase this quarter. As a matter of fact, it was number one in prevalence across all the actual regions. So with that said, I think it's worth making sure that you're looking at your edge devices or your edge services that are publicly exposed out there. Make sure that there's no vulnerabilities on them. Make sure that they're not misconfigured. And also make sure that you have some type of multi-factor authentication. And I think, like we've talked about many times, that threat landscape or that threat attack surface continues really to expand, right? You got cloud, you have IoT. So it's becoming more and more difficult to be able to secure all those edge services, but definitely something you should take a look at.

Peter Burris: And you got more people using more mobile devices to do more things. So it sounds as though it's a combination of two things. It's really driving this dynamism, right, Tony? It's one, just the raw numbers of growth in devices and opportunities, and the threat surface is getting larger and the possibility that something's misconfigured is going up. And two, that they're just trying to catch organizations by surprise.
One of those is just make sure you're doing things right, but the other one is don't take your eye off the ball, isn't it? How are organizations doing as they try to expand their ability to address all of these different issues, including a bunch that are tried and true and mature that we may have stopped focusing on?

Tony Giandomenico: Yeah, you know, it's really hard, right? I always say this and I get some mixed kind of reactions sometimes, but you can't protect and monitor everything. I mean, depending on how large your network is, it's really difficult. So I mean, really focusing on what's important, what's critical in your organization is probably really the best approach. I mean, really kind of focusing on that. Now, with that said though, the reason why it becomes so difficult these days is the volumes of threats that we're seeing kind of come out of what I refer to as the cyber crime ecosystem, right? Where anybody who wants to get into a life of cyber crime, they really don't need to know much. They just need to understand where to get these particular services that they can sort of rent, right? You have malware as a service, right? You got kind of ransomware as a service. So it's important to make sure we understand that, hey, anybody can get into a life of cyber crime, and that volume is really sort of even driven by the cyber crime ecosystem.

Peter Burris: Well, the threat report noted specifically that the, as you said, the life of crime is getting cheaper for folks to get into, because just as we're moving from products to services in technology and in other parts of the industry, we're moving from products to services in the threat world too. Talk a little bit about this, what you just said, this notion of bad guy as a service. What's happening?

Tony Giandomenico: Yeah, I actually like that, bad guy as a service. What's really kind of popular these days is ransomware as a service. In Q3, we saw two more variants, ransomware as a service, you know, sold in.
And then also, I think I can pronounce it, Nemty. I always have a hard time pronouncing all of these malware names. But anyway, these are new variants now that are coming up. And of course, anytime you get something new, the malware usually has more, you know, more advanced kind of capabilities. And, you know, these malware have ways to evade AV detection. You know, they're looking for different services that may be on the operating system, finding ways to be able to thwart the detection of their particular malware, or if someone is analyzing that particular threat, making it longer for an analyst to be able to figure out what's going on, as well as trying to avoid different types of sandbox technologies. Now, I think that's something bad that, actually, you know, really worries me, but what really gets me, and I might have said this in some of the previous conversations this year, is that the tactics are also kind of changing a bit for ransomware as a service coming out of the cyber crime ecosystem. It used to be more opportunistic. There was a spray and pray approach. Let's hope something sticks. That's totally changed. They're becoming a lot more targeted. And one of the main reasons why is because organizations are paying large amounts of money for their ransom. They're paying large amounts of money to have the ability to decrypt their files after they get hit with ransomware. And you've seen this right now. The adversaries are targeting organizations or industries that may not have the most robust security posture. They're focused on municipalities. You know, they're focused on, you know, cities, also state and local government. Well, we saw it earlier on this year, the city of Baltimore. We had a bunch of cities in Florida, actually one city in Florida ended up having to pay $600,000 in ransom to be able to have their files decrypted.
And also in the state of Texas, we saw a malware variant or a ransomware variant hit about 22 municipalities throughout the state of Texas. And, you know, the one other thing I think seems to be common amongst all of these victims is a lot of them have some type of insurance. So I think the bad guys are also doing some research or doing their homework to make sure, hey, if I'm going to spend the money to target this individual or this organization, I want to make sure that they're going to be able to pay me the ransom.

Peter Burris: They're refining their targets based on markers, which is how bad guys operate everywhere, right? You decide who your mark is and what their attributes are. And because these are digital, there's also a lot more data flying around about who these marks are, how they work. As you said, the availability of insurance means that there's now a process for payment in place, because insurance demands it. And it accelerates the time from hitting them to getting paid. Have I got that right?

Tony Giandomenico: Yeah, that is 100% spot on, you know, efficiency, efficiency, efficiency. I mean, we all want to get paid as fast as possible, right, Peter?

Peter Burris: Yeah, that's true. That's true. All right, so it's prescription time, Tony. We've talked about this for probably six or eight quarters now. And every time I ask you, what do folks do differently in the next few months? What should they do differently in the next few months?

Tony Giandomenico: Yeah, you know, I like to talk a lot about how, you know, you have to have that foundational kind of infrastructure in place, having visibility and all that. And that's 100% sort of true. That doesn't change. But I think one thing that we can start doing, and this is a wonderful sort of project that had transpired over the last few years from the MITRE organization, is the MITRE ATT&CK framework.
What had happened was MITRE had gone out there and brought in, through all these open source outlets, different types of threat reports that the adversaries, you know, were documented actually doing. They took all those tactics and corresponding techniques and documented all of them in one location. So now you have a common language for you to be able to determine and be able to learn what the actors are actually doing to complete their cyber mission. And because now we have that, there's a trend now. Organizations are starting to look at this data, understand it, and then operationalize it into their environment. And what I mean by that is they're looking at the actual kind of the tactic and the technique and understanding what it is, looking at what is the actual digital dust that it might leave behind, what's the action, and making sure that they have the right protections and detections and they're grabbing the right logs at least to be able to determine when that particular threat actor using that technique happens to be in their environment.

Peter Burris: But it also sounds as though, you noted the use of common language, it sounds as though you're suggesting that enterprises should be taking a look at these reports, studying them, reaching agreement about what they mean, the language, so that they are culturing themselves to this more common way of doing things, because it's the ability to not have to negotiate with each other when something happens and to practice how to respond that really leads to a faster, more certain, more protecting response. Have I got that right?

Tony Giandomenico: Yeah, you know, 100%. And I'll also add though, as you start to operationalize this, you know, MITRE ATT&CK framework and understanding what the adversary is kind of doing, you get more visibility, but then also what you're seeing is a trend of vendors starting to create what's referred to as threat actor playbooks, right?
So as they discover these actual threats, they're mapping the actual tactics and techniques back to this common language. So now you have the ability to be able to say, hey, I've just seen, you know, Fortinet just put this report out on this particular threat actor or this malware. Because we're leveraging a common language, they can more easily go back and see how they're actually defending against these particular TTPs. And the latest one that we put out just this week was a playbook on the malware Emotet. It's a banking trojan. Well, at least it started out as a banking trojan. It's kind of morphed into something a little more. Now you see it delivering a bunch of malware variants, you know, different malware families. It's almost like a botnet now. And we hadn't actually seen it really for a little while, but in Q3, we saw a bunch of different campaigns spawn. And like I always say, malware will hibernate for a little bit, but when it comes back, it comes back bigger, faster, stronger. There's always new tactics. There's always new capabilities. And in this case, it's no exception. What they did, and I thought was very unique at being able to, again, prey on the humans to be able to make a mistake. So what they did is they, as a victim, they would grab the email thread from the emails, grab those threads and put it in a spoofed email and then email that to the next victim. And they'll actually, so when the victim opens up that particular email, they see that thread that looks like, hey, I've had this correspondence before. This has to be a good email. I'm going to click that attachment. And when they do, now they're compromised, and that whole process happens over and over and over again.

Peter Burris: So they're scraping the addresses and they are taking the email and creating a new email and sending it on to new addresses, hopefully before the actual real email gets there, right?
Tony Giandomenico: You know, yes, but I also say that they're actually, they're taking the context of the email, right? So that email sort of thread, so it makes it, it's an actual real thread and they're just kind of adding it in there. So it really looks like it's, oh, hey, I've had that correspondence before. I'm just going to click that link.

Peter Burris: So this notion of operationalizing through the MITRE framework and these new playbooks is a way, ultimately, that more people, presumably, are creating more of a sense of professionalism that will diffuse into new domains. So for example, you mentioned early on, municipalities and whatnot that may not have the same degree of sophistication. Through this playbook approach, through utilizing these new resources and tools that Fortinet and others are providing, it means that you can raise to some degree the level of responsiveness in shops that may not have the same degree of sophistication, correct?

Tony Giandomenico: Yeah, I definitely would have to agree. And also I think as you start to understand these techniques, you will never just have one technique as a standalone, right? These techniques are always chained together, right? You're going to have, once this technique is there, you're going to know that there's a few techniques that probably have happened before and there's some that are going to happen later. A great example of this, let's say, when an adversary is moving laterally inside a network, there's really three basic things that they have to be able to have. One is they have to have the authorization, the access to be able to move from system to system. Once they have that, and there's a variety of ways that they can do that, once they're there, now they have to somehow copy that malware from system to system, and you can do that through remote desktop protocol, you can do that through PsExec, there's a variety of different ways you can do that. And then once the malware is there, then you have to execute it somehow, and there's ways to do that.
Now, if you have a common language for each one of those, now you start chaining these things together, you know the digital dust or the actual behaviors and what's actually left behind with these actual tactics, and now, manually, you can start better understanding how to, you know, threat hunt more efficiently and also start to actually let the technology do this kind of threat hunting for you. So I guarantee you we're going to see innovation and technology where they're going to be doing automatic threat hunting for you based on these types of understandings in the future.

Peter Burris: Tony, once again, great CUBE Conversation. Thanks again for being on the CUBE. Tony Giandomenico is, and I'm going to just completely shorten your title, Threat Landscape Expert, Fortinet. Tony, thanks again.

Tony Giandomenico: Hey, it's great to be here, Peter. Thanks a lot.

Peter Burris: And thanks once again for joining us for another CUBE Conversation. I'm Peter Burris, see you next time.