Live from San Francisco, it's theCUBE, covering RSA Conference 2020 San Francisco, brought to you by SiliconANGLE Media. Hey, welcome back, everybody. Jeff Frick here with theCUBE. We're in downtown San Francisco. It is an absolutely spectacular day outside. I'm not sure why we're inside at Moscone, but that's where we are. It's the RSAC Conference. I think 50,000 people, the biggest security conference in the world here at Moscone this week. We've been here, wall-to-wall coverage. We'll keep you here all the way till Thursday, so thanks for joining us. We're excited to have our next guest. He's got a lot of great data to share, so let's jump into it. It's Hardik Modi. He's the AVP of engineering, threat and mitigation products for Netscout. Hardik, great to meet you. Hey, thank you, Jeff. Good to be here. You too. So, for people that aren't familiar with Netscout, give them kind of the basic overview. What are you guys all about? Yeah, so Netscout, we consider ourselves the guardians of the connected world. And so, our job is to protect companies, enterprises, service providers, anybody who's on the internet, and help keep their services running, so your applications and things that you're trying to deliver to your customers, both make sure that they're up and they're performing the way you want them to, but also kind of give you visibility and protect you against DDoS attacks and other kinds of security threats. That's basically in a nutshell what we do as a company. And yeah, we're the guardians of the connected world. So, just from a vendor point of view, I feel so sorry for buyers in this environment, because you walk around, there's, I don't know how many vendors are in here, a lot. Big booths, little booths. So, how do you kind of help separate Netscout from the noise? What's your guys' secret sauce? What's your kind of special thing? Really, it's like 30 years of investment in network-based visibility. And we truly believe in the network. 
Like, our CEO, he says a network, actually when you monitor the network, it's like taking a blood test. It tells you the truth, right? And it's really like how you find out, like, if something's right or wrong. I mean, I actually, for my background too, like in terms of network monitoring, there's a lot of our, what we think of as the endpoint is actually contested territory. That's where the adversary is. When you're on the network and you're monitoring all activity, it really gives you a vantage point. That's really special. So, we really focus on the network. Our heritage in the network is one of our key strengths. And then, as part of us as a company, like Arbor, Arbor Networks was a company that Netscout acquired some years ago. We're now very much part of Netscout, with the Arbor brand of products. Part of that, the Arbor legacy includes huge visibility into what's happening across the internet. And visibility like nobody else, like in terms of the number of service providers and large enterprises who work with us, help us understand what's happening across the landscape. That's like nobody else out here. That is what we consider a key differentiator. Okay, great. So, one of the things you guys do a couple times a year, I understand, is publish a report. So, give people some information as to what's going on. So, we've got the version number four here, right? And Netscout Threat Intelligence Report. So, you said this comes out twice a year? Twice a year. So, what is the latest? Give us some scoop here. Hot off the press. Hot off the press. We published last week. So, it's really just a few days old. And yeah, our focus here is what happened in the last six months of last year. Really, and then what we do is we compare it against data that we've collected a year prior. So, really a few things that we'd want you to remember. A few numbers, right? The first number is 8.4 million. That's the number of DDoS attacks that we saw. 
Now, this doesn't mean that we've seen every attack in the world, but that's like, just how many DDoS attacks we saw through the eyes of our customers. That's in six months. Well, the 8.4 number is actually for the entire year. So, the entire year. So, the entire year of 2019. There's a little bit of seasonality to it. So, think of it like 4.4, maybe something like that. Like it was the second half of the year. But that's where I want to start. That's just how many DDoS attacks we observed. And so, in the course of the report, what we can do is slice and dice that number. Talk about different sizes. What are we seeing between zero and 100 gigabits per second? 100 to 200, 400 and above. And kind of give you a sense of just what kind of distribution there is. Who is being targeted? Like, you know, so we, at a very broad level, like in terms of the verticals and geographies, we kind of lay out this number and give you like a lot of context. So, if you're in finance and you're in the UK and you want to know like, hey, what happened in like Europe, for example, in the past, those six months? Like we have that data in here. And we kind of give you that awareness of what's happening. Now, the second number I want you to remember is seven. And seven was the number of new attack vectors, reflection and application attack vectors, that we observed being used kind of widely in the second half. Seven new ones. Seven new ones. So that now kind of brings our tally up to 31. Like in that we have those listed out in here. We talk about just how much, really just how many of these vectors, how they're used. Also, each of these vectors leverages vulnerabilities in devices that are deployed across the internet. So we kind of lay out like, just how many of them are out there. But that's like, to us, seven is reflecting how the adversary is innovating. So they're looking for new ways to attack us. They found seven new ones last year. There are going to be more, right? 
And that's kind of what we focus on. Well, let's go back to the 8.4. So of those 8.4 million, how many would you declare successful from the attacker point of view? Yeah, you know something. This is always like, you know, it's difficult to go estimate precisely or kind of get within some level of precision. I'd say that the adversary is always trying to, of course, they'd love to deliver a knockout blow and go like, oh, your service's down. But even like, every attack inflicts a cost. Right, right. And the cost is whether it's made its way all the way through to the end target. And now they're using more network and computing resources just to kind of keep their services going while they're under attack. Even though the attack is low, you're still kind of, you're still paying that cost. Or, you know, the cost is paid upstream by maybe the service provider or somebody who's defending your network for you. So that way, like, you know, there is like, there's a cost to every one of these. Right. In terms of like, you know, outages, I should also point out that the attack, you might think that this attack is like, you know, hey, you know, there was a specific victim and that victim suffered as a result of the attack. But in many cases, the adversary is going after people who are providing services to others. So I mean, if a Turkish bank goes down. Right. Like, you know, or cannot like service its customers for a month, no, or maybe even a few hours. Right, right. Then, you know, the number of victims in this case is fairly broad. Right. It might be one attack. It might be one target. However, like, you know, the impact is fairly, you know, it's very large. Which is interesting, because it begs the question, kind of how do you define success or failure from both the attacker's point of view as well as the defender's? Yeah, well, I mean, and again, like, you know, there's a lot of like, you know, conversation in the industry about, for every attack. 
Like, you know, any kind of attack. When do I say that, you know what, I was ready for it and, you know, I was fine. I mean, I don't care about it. I mean, you know, ultimately there's a cost to each of these things. I'd say that everybody kind of comes at it with their, you know, if you're a bank, then you might go, okay, you know what, if I'm paying a little bit extra to keep the service up and running while the attacker is coming at me, no problem. If my customers aren't able to log in, some subset of my customers aren't able to log in, maybe I can live through that. A large number of my customers can't log in? That's actually a real problem. And if it's sustained, then you make your way into the media, or you're forced to report to the government about, like, you know, outages or, like, you know, maybe, you know, you have to go up to your board and go like, hey, sorry, you know, something just happened. But are the escalation procedures in the definition of, 'cause let's just say, right, you're getting banged all the time, right? And there's some, like you said, there's some disruption at some level before it fires off triggers and remediation. So is there some level of, okay, you know, that's kind of the cost of doing business versus, you know, we caught it at this point, are there kind of like escalation points that define, you know, kind of the severity short of a full knockout blow? I think when we talk to our service provider customers and when we talk to the very large and kind of critical enterprises, they tend to be more methodical about how they think of like, okay, you know, degradation of the service, you know, relative to the attack. I think for a lot of people, it's like in the eyes of the beholder. Like, you know, like, you know, here's something, here's an SLA that I missed as a result of the attack. 
At that point, like, you know, I have, you know, I certainly have a failure, but you know, up until there, it's kind of like, okay, you know, you work your way through. And then in the eyes of the attacker, to delay service at the Turkish bank because now their ATMs operate. Yeah. Twice the duration per transaction. I mean, is it just, are they holding up a ransom? What's the benefit? It's so crazy. The range of motivations is like, is basically the full range of human nature. There's, I mean, there's certainly like, we still see attacks that are straight nihilism. I just, I just, because I could. Just because I could. And I wanted to, right? I wanted to show my friend. Like, you know that, you know, I could do this. There's, there are definitely a lot of attacks that have, that are like, you know, hey, I'm a gamer. And I'm like, you know, there's, I know that the person I'm competing with is coming from this IP address. Let me, let me bombard them with an attack. And you know, there's a huge kind of, it could be a lot of collateral damage along the way. Right, right. 'Cause you know, this, like, you think you're going after this one person in their house, but actually, if you're taking out the network upstream, then there's a lot of other people. That are on that network, right. There's like, you know, there's certain competitive elements to it. There are definitely, from time to time, there are extortion campaigns, like, you know, hey, you know, pay up or, or, you know, we'll do this again. Right. In some parts of the world, like, you know, the way we think of it is like, it's just cost of doing business or almost like a business dispute resolution. Right. You know, you better settle my invoice or like, and I'm about to, you know, maybe I'll try and use it to take you out. That's crazy. Yeah. No, so I mean, Jeff, I mean, the thing is like, you know, this is, you know, the, and we talked about this in previous reports and it's still true. 
There's a, especially with DDoS, there's what we think of as like, you know, democratization of the, of the attack tools, where you don't have to be technical, right? You don't have to have a lot of knowledge. You know, you, you know, there are services available. You go like, here's who I'm, you go to the market, buy the, buy the service. Here's who I'd like to go after. And, you know, here's my 50 US dollars or like, Bitcoin equivalent and like, you know, please launch it for me. All right. Well, let's jump to the seven. We talked about the 8.4 and the seven new attack vectors. And you outlined, you know, I think the top-level themes I took from the summary, right? Weaponizing new attack vectors, leveraging mobile hotspots and targeting compromised endpoints. Let's talk about the endpoints. IoT is like all the rage. People have Nests and, and 5G is just rolling out, which is going to see this huge IoT expansion, especially in industrial and all these connected devices and factories and this and that. How are people, you know, how are people protecting those differently now as we're getting to this kind of exponential curve of the deployment of all these devices? You know, I mean, there are a lot of serious people thinking about how to protect, you know, both individual devices, but infrastructure at large. So I'm not going to go like, hey, it's all bad. Right, right. But it is plenty bad. And so I'll throw you the next number, like 17. And 17 is the number of like architectures for which a Mirai, Mirai was a, you know, really popular like, you know, from a few years ago that still exists. But like, you know, over time, what's happened is people have ported Mirai to different architectures so that, you know, I mean, think of it like, you know, if you have your, your refrigerator connected to the internet, it comes, it's coming with a little board, has a CPU on it, like runs a little OS, runs an OS on it. Well, there's a Mirai variant ready for that. 
Like, you know, it's essentially as new devices are getting deployed. Like, you know, there's, you know, that's kind of our observation that there's, even as new CPUs are introduced or new chips or even OSs are introduced, there's somebody out there who's ready to port it to that variant. And now like, you know, I mean, the next-level challenge is that these devices, you know, they don't often get upgraded. There's no real, you know, like in many cases, they're not like, you know, there's very little thought given to like real kind of security around it. Right. There are backdoors and like, you know, default passwords used on a lot of them. And so you take this combination, I have a whole, like, you know, we talk about the, you know, large deployments of devices every year. So you have these large deployments and now, you know, the bot is just waiting for it. Right. It's just ready for it. Now, again, I will say that it's not all bad. There are serious people who are thinking about this and there are devices that are, you know, deployed on private networks from the get-go. You know, they VPN or tunnel back to a particular control point that the commercial vendor operates. I mean, there are things like that, like hardening that people have done. Right. So not every device is going to find its way into a botnet. However, like, you know, you know, if you're like, you know, if you're getting a toy like at Christmas and it costs like $20, you know, and it can connect to the internet, because the odds are, I mean, nobody's thinking too hard about it. It's not too secure. Well, and the thing we've heard too about kind of on the IoT and, you know, kind of the bringing together of operations technology and IT is that a lot of those devices weren't developed for upgrades and, you know, patches, and Lord knows what OS is running underneath the covers. It was a single kind of use device that wasn't really ever going to be connected to the outside world. 
But now you're connecting it with the IT, suddenly exposing a whole host of issues that were never kind of part of the plan when whoever designed that thing in the first place. For sure. For sure. It's crazy. All right, so that's that. Carpet bombing tactics increased sector attack availability. There's carpet bombing. I know carpet bombing is generally, what's going on in this space? Well, so carpet bombing, you know, is a term that we applied a few years ago to a kind of, you know, variation of attack, which like, so traditionally, like, you know, we see an attack against a specific IP address or a specific domain, right? You know, I'm going to, that's where, that's what I'm targeting. Carpet bombing is taking a range of IPs and going like, you know, hey, almost like cycling through every single one of them. So if your filters, if your defense is based on, hey, if my one server sees a spike, let me block the traffic. Well, now you're actually not seeing enough of a spike on an individual IP, but across a range, there's a huge, like, you know, there's a lot of the traffic that you're going to be seeing. So this kind of like trips people up from time to time. Like, we certainly have defenses built for it, but now what we're, you know, it's really like what we're seeing is the use of newer or other known vectors. So we're not like, okay, CLDAP is a protocol, CLDAP we see, you know, attacks, you know, CLDAP attacks all the time. Now, what we're seeing is like CLDAP with carpet bombing. Now we're seeing like even other, you know, other, you know, reflection application protocols in which the attack isn't like an individual system, but instead the range. And so that's what has changed. You know, we saw a lot of like, you know, TCP kind of reflection attacks, spoofed TCP, you know, reflection attacks last year. And then the novelty was that now like, okay, this is, you know, alongside that is the, you know, the technique, the carpet bombing technique that's applied there. 
Yeah, the cat and mouse never stops, right? Doesn't. All right, Hardik, we're out of time. Give you the final word. One, where can people go get the information in this report? And more importantly, for people that aren't part of RSA, you know, that are, you know, kind of observers or they want to be more smart, how should they be thinking about security when this thing is such a rapidly evolving space? So let me give you two resources really quickly. There's this report available at www.netscout.com slash threat report. Okay. So that's where this report is available, or just Google for NetScout Threat Report and, you know, you'll find your way there. We've also, you know, we've made another platform available that gives you more continuous visibility into the landscape. So if you read this and you're like, okay, what's happening now? Then you would go to what we call NetScout Cyber Threat Horizon. So that's kind of telling you what's happening over the horizon. It's not just like, you know, hey, what am I seeing? But what are people like me seeing? Maybe what are people elsewhere in the world seeing? Yeah. So that's like www.netscout.com slash horizon. Okay. To find that. And I think like, you know, between those two resources, you get access to all of our visibility. And then, you know, really in terms of like, you know, our focus is not just to drive awareness, but all of this knowledge is being kind of built into our products. So the, you know, the NetScout, like Arbor line of DDoS products, like, you know, we're continually kind of innovating and evolving and driving like more intelligence into them. Right. And that's really like, you know, how we help protect our customers. Right. Well, Hardik, thanks for taking a few minutes and sharing the stories. Thank you, Jeff. Fascinating, scary. But I'm glad you said it's not all bad. So that's good. It's not all bad. All right, he's Hardik. I'm Jeff, you're watching theCUBE. We're at the RSA Conference 2020 in Moscone. 
Thanks for watching. We'll see you next time.