There is no question that the level of threats facing today's businesses continues to change on a daily basis. So what are the trends that CISOs need to be on the lookout for?
For this episode of the Threatpost podcast, I am joined by Derek Manky, Chief Security Strategist & VP Global Threat Intelligence, Fortinet's FortiGuard Labs, to discuss the threats facing CISOs, along with more.
During the course of our discussion, we dive into:
* What an attack on all fronts looks like
* The current state of the threat landscape
* New techniques being leveraged by adversaries
* The automation of threats
We also lay out what CISOs need to consider when laying out and producing their threat action plan.
_An abridged transcript is below the podcast player._
**Jeff Esposito:** _Hello and welcome to this edition of the Threatpost podcast. I'm your host Jeff Esposito, the publisher of the publication. And with me today is Derek Manky, chief security strategist and VP of global threat intelligence at Fortinet FortiGuard Labs. Derek, welcome to the podcast and welcome back to the podcast._
**Derek Manky:** Yeah, Jeff, great to be here again, thanks so much.
**JE:** _No worries. So how have things been for Fortinet lately? Like what have you guys been up to?_
**DM:** We've been busy, that's an understatement. So first of all, you know, within Fortinet we have FortiGuard Labs, which is my purview. And you know, we're seeing on average over 100 billion threats a day. And yes, that's a big number. There's a lot of stuff happening out there. But we just don't look at it at a broad level, like we're, this is what I mean, we've been busy, right?
We have to dissect each one of those, we have to literally take the proverbial microscope and zoom into these threats and look at what's the playbook look like? What are the latest techniques and tactics and all that sort of stuff. And it's quite interesting, right, to see how this has been evolving from cybercriminals and threat actors as well.
**JE:** _So I think it's interesting there, because you said billion, that's with a B, I kind of feel like Dr. Evil a little bit hearing that, that's a, that's a really big number. And now with all of those types of threats coming across, like what have your team seen changing over the past, like, you know, quarter or so?_
**DM:** So first of all, I'll talk about what's changing in a sec. But what's the same? Because that's the constant. If you look at a formula, right? This is the constant metric that we see in that volume. I don't, quite frankly, I don't think that's ever going to change, that continues to be an issue. That's the growing attack surface, right? There's more and more vulnerable endpoints, IoT devices, and more exploits being discovered for that and attacked, and that's the billion, the capital B, that we talked about, right?
So, so that's what's the same. Yes, we're still seeing email as one of the most prominent attack vectors and phishing and all that kind of stuff. Right. So that hasn't gone away. And that's why I say that the threat landscape hasn't shifted, it's expanding, right. And when we look at the expansion, it's some of the themes that I'm seeing. And the most concerning to me is speed. Right? This is the new element to the formula where speed is from the offense, right? Meaning they're moving with more agility. And I'm talking about ways, you know, everything from initially getting a foothold in a network to actioning their plans. So that's usually something like extortion or pulling, exfiltrating data as an example, that whole cycle, we're not talking about months or days, we're talking about hours, some even minutes or seconds in some cases. So speed is a very big concern. Log4j was, we did a lot of, I know, everyone's sick of talking about Log4j. But one of the things in our analysis was a new rate-of-exploit metric that we put out there. And this was 50 times faster than any other, like the MS Exchange vulnerabilities that we saw previously, as an example.
**JE:** _So like, more than like the WannaCry, and like, yeah, NotPetya copycats. After it was with all the Shadow Brokers leaks and things._
**DM:** Yeah. And like Apache Struts was another one that we put in there, that from 2017, just as a benchmark five years ago. Yeah, yeah. And ProxyLogon, MS Exchange, that was another comparable one. But again, that was significant at the time. But again, Log4j was just 50 times faster from what we saw. And so that's just one example. Right? But we're, and that's how quickly they capitalize on a new fresh zero-day vulnerability, how they actually attacked it. And by the way, speaking of copycats, this actually points to that volume aspect we're talking about, it wasn't just the speed, the speed of adoption as well, right. We saw well over 10 copycats and campaigns that were piggybacking on this within a seven-day period, right, everything from remote access Trojans to, you know, crypto miners, cryptojackers, you name it, it's really an attack on all fronts in that aspect. And but again, it goes back to that speed of weaponization, adoption, and just the rate that the attack cycle is happening. And we can talk about that, you know, dive into that later. That's thanks to offensive automation and a lot of tools that they have at their disposal. But going back to what's, what's changing, so speed, aggression, two, that's another theme, right? They're getting much more bold, cybercriminals, not to say they weren't bold before, but you know, we're seeing things go from double extortion to triple extortion to expanding their, their playbooks on that. You know, there's clearly no shame here, right, when it comes to the game for attackers, and we're seeing tools being developed for that specifically with wiper malware. Even firmware attacks, direct firmware attacks, as an example too. So again, more aggression, and this all translates to more risk, but in addition to speed and aggression, the tactics, right, so this, what I was just talking about, the playbooks, the way that they're actually tactically going through this, it's not just a one-prong approach.
You know, they're building in layers of redundancy and coming up with various ways to actually, you know, vehicles to deliver these attacks. Those vehicles are a result of things like the RaaS, or the ransomware-as-a-service platforms, because it's not just a monolithic one cybercrime gang or one attacker, you got multiple people. And each, you know, campaign has a different method to try to achieve the same objective, right?
**JE:** _So before we get on with some of the questions that you brought up, you know, one term a few times now, I just want to make sure I'm fully understanding this, as well as the audience. What do you mean when you say attack on all fronts? Like, I think I have a pretty good idea of it. But I want to just make sure of that one._
**DM:** Think of your house, right? If you're an attacker, how are you going to get into the house and try to get into the safe to, you know, get the crown jewels or exfiltrate that out of the house? Right? If you just think of an attack on one front, the most obvious way is okay, let's check the front door. Let's break the door. Let's break the window. Right. But maybe there's a chimney. Maybe there's, I don't know, a floorboard that's loose on, on the side, these sorts of things, right? These are all different gaps, different parts of that attack surface that attackers can try to get into, and even tactical approaches, right? Hey, maybe, you know, you got a delivery downstairs, why don't you come and get it, lure the personnel so that you can actually just go and make them do the hard work for you. So that's what I mean, like that. This isn't an analogy, of course. But when we talk about the threat landscape and the attack surface, it's the same idea, the attack on all fronts is coming in through not just phishing, you know, social engineering and phishing. Yes, we still see that, but with the work from anywhere environment now, in the last two years, we're seeing way more attacks happening from things like waterhole attacks, right. So like, hey, we know there's a lot of people sitting on their, in their hybrid work environments at home going to their daily news site or their, you know, whatever they are doing for that day, let's plant some exploit code and try to attack them that way. That's another front, right. And again, that as-a-service model that we talked about, you have all these different campaigns, different ways that people are trying to attack, things like IoT devices that are freshly plugged into networks as an example. So that's what I mean, it's that broad coverage of the attack surface.
**JE:** _So it's kind of just made that attack surface much bigger now with people in these hybrid, yeah, work from anywhere type of situations, because we know that people, like you said, aren't just going to all kosher websites during the course of a day. Yeah, you know, with nobody at a desk looking at them all the time. I know you said that, you know, there's a lot of the same stuff you're seeing where a lot of groups, you know, doing the same spots, what, what are like three types of things that you've seen, that might be new, in the past, like year or so?_
**DM:** I'll start with defense evasion. So that's not new. But the ways that they focus on the defense evasion is at an unprecedented level, I would say. And we actually have visibility into this. So we're doing a lot of work with MITRE Engenuity as an example in the, the ATT&CK framework, and we're getting real-time data on that, that microscopic view, right? So it's not just the CVEs or the malware that's being used, but how are they actually trying to do this? And, you know, what are their techniques in that playbook? And actually, the number one thing, we highlighted this in our threat landscape, or latest threat landscape report, but the number one thing that we're seeing there is a focus on defense evasion, which is not surprising, because obviously they don't, you know, when I say they, attackers don't like us security vendors, right? Threat intel units. And they're constantly trying to obfuscate code to try to get around security policies and so forth. So the focus on that and the new sub-techniques that they're doing, so it's different ways, right? They're trying to evade, that continues to evolve. It's a big focus for us, right? Because we're actually looking at that on a daily basis. And obviously, it's significant, because as we discover those we're building in all of the appropriate security measures. So again, it's just something we're seeing from the playbook, from what attackers are doing. But the other techniques, and this ties into the aggression one, our focus on wiper malware. So this is concerning to say the least. This is something that we talked about, up until this year, so let's say last year prior, maybe once a year, we would talk about, you know, a wiper malware attack. Now, you know, we've put out over, I believe, seven of these just in the first quarter and a bit this year. And a lot of these wiper malware attacks are typically associated with APT, state-sponsored attacks, with targeted attacks, right?
But we're seeing this convergence now between cybercrime and APT groups, right, yeah. And so cybercrime is becoming more targeted. And we're seeing cybercrime start to employ wiper malware, and that's a new technique that's very concerning to say the least, and it doesn't stop there. Like I said, the third one is now it's starting to get escalated to a level even of direct firmware attacks. It's like wiper malware squared, right? It's not just going after, they're coming for everything.
**JE:** _Yeah. And I think like, you talked about this with the wipers, like a question I have on this one is, after seeing how much Maersk had to pay to rebuild their shipping fleet, like that's not a small chunk of change. But I think the other question is, do you think this is something that's leading people to get more bold with extortion that they're looking to do with some of these? Yes._
**DM:** Yeah, absolutely. Good. Good news, bad news. The good news is we haven't really seen this yet. And I've been talking about it a bit, the, I call it APC, advanced persistent cybercrime, because it's that world converged, right? They're waking up to this, cybercriminals, and they know that it can be a big payday. And that is a big saber to rattle. You know, firmware attacks, wiper malware, and when you combine that with the world of cybercrime and extortion. Absolutely, that is where it's headed.
**JE:** _And we know these guys don't have morals, because obviously they wouldn't be in this line of work if they had those._
**DM:** Yes, yes. The dog-eat-dog world, as we say here.
**JE:** _Now, before we started recording today, you know, we kind of hit on something a little bit that you had presented about at RSA a few years ago. Yep. And one of the things that I wanted to kind of come back to, because I find this super fascinating, is can you talk about the automation of threats and how AI, machine learning, which is typically something you hear in like cybersecurity buzzwords that they put out in marketing materials, now is being used against the protectors and then getting into cyber systems. So how is it being leveraged right now?_
**DM:** Yeah, good question. So yeah, I did present on this, it was, you know, on the accelerating attack chain. And so just like the Lockheed Martin Cyber Kill Chain, of course, that's the defender-centric point of view, the attack chain is just the opposite, right? How are you doing weaponization, reconnaissance, code delivery, and so forth. Again, if we look at, dating ourselves here, right, but if we look at, right, 12 years ago now, Stuxnet as an example, some of these highly sophisticated attacks, we're talking about years, right? Weaponization, digital certificate signing, the code development, exploit for zero days in that case, right. Just as an example, that was a long time ago, a long time of development for these sorts of attacks, not automated at all, right, and targeted. But today, what we're seeing is automation being put in as the glue on the offense, just like on the defense, we have, you know, orchestration and SD-WAN and all these things, right? To safeguard against that. It's like any sports analogy, you have the offense and the defense, and they're incorporating speed and agility, again, via automation into their offense. And we're seeing this through toolkits, APIs, toolkits that are being created where they can do, you know, a simple example, and I actually talked about this in my talk, is where they, you can take something like an enterprise license with Shodan and do a blueprint, effectively a scan of, you know, vulnerable services, and then automate that into a Metasploit attack for what you actually discovered, right? It's basic automation 101, but it takes all the work of an operator going in and typing in all the commands and gluing it together. They're orchestrating that, that's just one simple example. But there's much more, and we're starting to see that in attack toolkits, everything from, hey, right, I've landed a RAT on a system, remote access Trojan, how do I find certain files and information?
How do I send that back to my centrally managed, I don't know, PHP dashboard, as an example. Right? That's automation. And that's what we're seeing more and more happen from a, the attack cycle perspective, but also a business operations perspective, too, right. And to be clear, they're different, right, automation and clearly ML and AI. Vast majority of what we see is the automation piece right now. But on the ML, AI side, that is where, you know, we're starting, some good news, bad news scenario. Again, Jeff, the good news is from our side, from the defenders, you know, security vendor, threat intel world, clearly we have more funding, we've put in more over the years, like 10 years now, more investment into machine learning and AI from a defensive standpoint. They're just starting to do this in the last year or two from the offense, because they haven't had to in the past because they can rely on automation, the low-hanging fruit, but yeah, so what we're seeing now with ML and AI is starting to wrap those technologies into the defense evasion, as I talked about, things like deepfakes as well, using those for social engineering attacks, right? That's another example of it.
**JE:** _That's a whole different can of worms. And I think it could almost be its own separate podcast of creepiness with like, some of them are just like, the scary part I think about with the deepfakes now is, you know, given the way that the world is, you could pretty much start a war with a deepfake if you really had a good one and access to something else._
**DM:** Yes, yeah, I completely agree. It's one of the scariest things out there, actually, right now. And again, we haven't seen a lot of activity on that right now. Because social engineering still works at its most basic level, unfortunately. But they're not afraid to go to that level. And they will. Right. So that's where you see it, too.
**JE:** _And I wonder also, if the, the crashing prices of cryptocurrency and some of the more regulation that's being pushed, if they're trying to get their money out quickly, while, you know, there's still a market to be doing, like seeing some of the European legislation or even, you know, some of the bans for certain countries, and now it becomes, can you operate and get your criminal money in untraceable ways? Yeah._
**DM:** Yeah, absolutely. And that's actually another point I didn't touch on. But absolutely. When it comes to, well, I mentioned business operations. But this is part of that, right? How they can enable business operations, including money laundering, specifically through crypto, there's more than one way to wash
**JE:** _is definitely that way. And it's definitely something that's not going away, despite some of this increased attention. So let's hope that somehow they get taken down a little bit more. But no, we got to get back to the business side of things. You know, we've talked a lot about, you know, threats and things like that. But when a CISO, or a CSO, talks about having a plan of action in place for a threat, what are the three things you think they should consider when really looking at this one, because we all know a plan is perfect until you get punched in the face, as Mike Tyson once eloquently said, but like, so what does a business need to do in their three steps to protect themselves from a threat? Right?_
**DM:** Well, let's play off what you just said there. So that's actually one of my points, is having a plan in place. So incident response planning, but also exercising this plan? Right. So I think that's, quite frankly, not done often enough, breach and attack simulation. And it doesn't have to be on a, you know, NATO Locked Shields, which, you know, we asked, we do participate in at a national level, but also, but just at an enterprise level, right, simple things even, right, running some tabletop drills down to possibly more enhanced things like cyber ranges, or even commercial solutions like, like BAS, breach and attack simulation, that goes a tremendously long way. Because like you said, it's one thing to have a plan. But then once you have to enact that plan, if you have that muscle memory and you've gone through it, that goes, that's invaluable. Right. So absolutely, that's one of the points that, that I talk to CISOs about. Another point is, and this is a natural one, but integrated threat intelligence. I know everybody talks about threat intelligence, but actionable, something actionable, right? You know, it's one thing to know about something, it's another thing to act on something, and being able to do that with speed. Going back to that, what the problem is that I'm talking about, these attacks happening so quickly. Literally, it's just like the exchange, right? You know, if you're talking about latency, and you miss out by one or two seconds, that could cost millions of dollars. Right?
**JE:** _Yeah. Which is crazy to think about. But literally, like, I think if you were talking about some of this stuff, like maybe a few years ago, if we think back to the height of when like a Bitcoin, what was it, like 75,000 US dollars or something like that? Yeah. Yeah. And then it would tank down shortly after, so you can miss a lot in a little bit of time. So I think that's definitely something that's, you know, really important. And I think, you know, one of the things that focuses into me on this that you've talked about today is it's not just speed from the defense standpoint, like, obviously, that needs to be there. But also, the reason it's more important is because of the fact that speed kills, quite literally, when it comes from the attackers at that point. Yep._
**DM:** Yeah. And again, a lot of that, when we talk about speed from a defensive standpoint, it's obviously the same idea, that orchestration, SD-WAN, API and integration, you know, we have the, our Security Fabric and our Fabric partners. So it's a big ecosystem. So interoperability, ecosystem, is very important for that exact reason, right? And it's all about that kill chain, right? Being able to stack up defense against a kill chain with speed, have the right, as these attacks break, that's the automation piece. But going back to the AI, ML, the power of that is dealing with zero-day threats, right. So predictive analysis, anomalies, and not heuristics, which is very old school and was never effective, but true deep learning that has a high accuracy rate, you know, is a key part of that too. And then, you know, the other big ones that come up are zero trust, ZTNA, zero trust network access, which is just an implementation of the zero trust concept, by going back to the deepfake thing that we talked about. Not that I don't trust you, do you know who you're talking to? Right? It's important when it comes to not, not just for social engineering, but anything that's being introduced into a network, right? That includes rogue IoT devices that are being plugged in, code that's being run, new code that's been introduced. Again, it should be really approached from a zero trust architecture, especially in the work from anywhere environments nowadays, because there's a lot of, you know, rogue networks that these devices are being plugged into as well. So that's another big one that comes up. And then, you know, there's all the, I know, we're sick of talking about this, but we always have to mention it, the, you know, employee education and training, vulnerability patch management, just for the speed aspect again, right? I mean, like I said, with Log4j, we saw within 48 hours there was public exploit code available and being attacked.
And if you don't have a patch within 48 hours in place, again, speed can kill that. Right. So yeah, so I know, those are the things that, topic, we, you know, we talked about all the time, but it's still obviously important as well, and segmentation, right? The sort of security 101 things, but, but again, it's just, those are really, you know, very basic, powerful measures that can be put in place.
**JE:** _I think, with the messages that you sent on there, the same reason that we still see phishing work is because it's effective. And at the same time, at the defense level, you need to follow the best practices and really train up staff, because otherwise, the reason phishing works is because people still use it just because it works. Yes, exactly. And I think that's the spot that the new employee education is definitely key to there. So Derek, I want to thank you very much for your time today. And then we will be linking out to the report that your team recently put out on there. But do you have anything you'd like to add before we let you go for today?_
**DM:** I'd just like to always, you know, so a lot of scary stuff that we talk about, but it doesn't have to be overwhelming. I know there's a skills gap. You know, employee has a word for a shortage out there in general, right, and especially in cybersecurity, but this is, again, why these tools are incredibly important to help fill those gaps. And again, you don't need a big checklist of 50 items to do, some of the simple things we talked about will go a long way.
**JE:** _So, well, thank you very much, Derek, and I look forward to speaking with you in the future._
**DM:** All right. Thanks, Jeff.