There is no question that the level of threats facing today’s businesses continues to change on a daily basis. So what are the trends that CISOs need to be on the lookout for?
For this episode of the Threatpost podcast, I am joined by Derek Manky, Chief Security Strategist & VP Global Threat Intelligence, Fortinet’s FortiGuard Labs to discuss the threats facing CISOs along with more.
During the course of our discussion, we dive into:
- What an attack on all fronts looks like
- The current state of the threat landscape
- New techniques being leveraged by adversaries
- The automation of threats
We also lay out what CISOs need to consider when laying out and producing their threat action plan.
An abridged transcript follows.
Jeff Esposito: Hello and welcome to this edition of the Threatpost podcast. I’m your host Jeff Esposito, the publisher of the publication. And with me today is Derek Manky, chief security strategist and VP of global threat intelligence at Fortinet FortiGuard Labs. Derek, welcome to the podcast and welcome back to the podcast.
Derek Manky: Yeah, Jeff, great to be here again, thanks so much.
JE: No worries. So how have things been for a Fortinet lately? Like what have you guys been up to?
DM: We’ve been busy, that’s an understatement. So first of all, you know, within Fortinet we have FortiGuard Labs, which is my purview. And you know, we’re seeing on average over 100 billion threats a day. And yes, that’s a big number. There’s a lot of stuff happening out there. But we just don’t look at it at a broad level, like we’re, this is what I mean, we’ve been busy, right?
We have to dissect each one of those, we have to literally take the proverbial microscope and zoom into these threats and look at what’s the playbook look like? What are the latest techniques and tactics and all that sort of stuff. And it’s quite interesting, right to see how this has been evolving from cybercriminals and threat actors as well.
JE: So I think it’s interesting there, because you said billion, that’s with a B, I kind of feel like Dr. Evil a little bit hearing that, that’s a, that’s a really big number. And now with all of those types of threats coming across, like what has your team seen changing over the past, like, you know, quarter or so?
DM: So first of all, I’ll talk about what’s changing in a sec. But what’s the same? Because that’s the constant. If you look at a formula, right? This is the constant metric that we see in that volume. I don’t quite frankly, I don’t think that’s ever going to change that continues to be an issue. That’s the growing attack surface, right? There’s more and more vulnerable endpoints, IoT devices, and more exploits being discovered for that and attacked and that’s the billion, the capital B, that we talked about, right?
So that’s what’s the same. Yes, we’re still seeing email as one of the most prominent attack vectors and phishing and all that kind of stuff. Right. So that hasn’t gone away. And that’s why I say that the threat landscape hasn’t shifted, it’s expanding, right. And when we look at the expansion, it’s some of the themes that I’m seeing. And the most concerning to me is speed. Right? This is the new element to the formula where speed is from the offense, right? Meaning they’re moving with more agility. And I’m talking about ways you know, everything from initially getting a foothold in a network to actioning their plans. So that’s usually something like extortion or pulling, exfiltrating data as an example, that whole cycle, we’re not talking about months or days, we were talking about hours, some even minutes or seconds in some cases. So speed is a very big concern. Log4j was, we did a lot of, I know, everyone’s sick of talking about Log4j. But one of the things in our analysis was a new rate of exploit metric that we put out there. And this was 50 times faster than any other, like the MS Exchange vulnerabilities that we saw the year previous as an example.
JE: So like, more than like the WannaCry, and like, yeah, NotPetya copycats. After it was with all the Shadow Brokers leaks and things.
DM: Yeah. And like Apache Struts was another one that we put in there, that from 2017, just as a benchmark five years ago. Yeah, yeah. And ProxyLogon, MS Exchange, that was another comparable one. But again, that was significant at the time. But again, Log4j was just 50 times faster from what we saw. And so that’s just one example. Right? But we’re, and that’s how quickly they capitalize on a new fresh zero day vulnerability, how they actually attacked it. And by the way, speaking of copycats, this actually points to that volume aspect we’re talking about, it wasn’t just the speed, the speed of adoption as well, right. We saw over, well over 10 copycats and campaigns that were piggybacking on this within a seven day period, right, everything from remote access Trojans to, you know, crypto miners, crypto jackers, you name it, it’s really an attack on all fronts in that aspect. And but again, it goes back to that speed of weaponization, adoption and just the rate that the attack cycle is happening. And we can talk about that, you know, dive into that later. That’s thanks to offensive automation and a lot of tools that they have at their disposal. But going back to what’s changing, so speed, aggression, two, that’s another theme, right? They’re getting much more bold, cybercriminals, not to say they weren’t bold before, but you know, we’re seeing things go from double extortion to triple extortion to expanding their playbooks on that. You know, there’s clearly no shame here, right, when it comes to the game for attackers, and we’re seeing tools being developed for that specifically with wiper malware. Even firmware attacks, direct firmware attacks as an example too, so again, more aggression and this all translates to more risk, but in addition to speed and aggression, the tactics, right, so this is what I was just talking about, the playbooks, the way that they’re actually tactically going through this, it’s not just a one prong approach.
You know, they’re building in layers of redundancy and coming up with various ways to actually, you know, vehicles to deliver these attacks. Those vehicles are a result of things like the RaaS or the ransom as a service platforms, because it’s not just a monolithic one cybercrime gang or one attacker, you got multiple people. And each, you know, campaign has a different method to try to achieve the same objective, right?
JE: So before we get on with some of the questions that you brought up, you know, one term a few times now, I just want to make sure I’m fully understanding this as well as the audience is. What do you mean, when you say attack on all fronts? Like, I think I have a pretty good idea of it. But I want to just make sure of that one.
DM: Think of your house, right? If you’re an attacker, how are you going to get into the house and try to get into the safe to, you know, get the crown jewels or exfiltrate that out of the house? Right? If you just think of an attack on one front, the most obvious way is okay, let’s check the front door. Let’s break the door. Let’s break the window. Right. But maybe there’s a chimney. Maybe there’s, I don’t know, a floorboard that’s loose on the side, these sorts of things, right? These are all different gaps, different parts of that attack surface that attackers can try to get into, and even tactical approaches, right? Hey, mate, you know, you got a delivery downstairs, why don’t you come and get it, lure the personnel so that you can actually just go and make them do the hard work for you. So that’s what I mean like that. This is an analogy, of course. But when we talk about the threat landscape and the attack surface, it’s the same idea, the attack on all fronts is coming in through not just phishing, you know, social engineering and phishing. Yes, we still see that, but with the work from anywhere environment now, in the last two years, we’re seeing way more attacks happening from things like watering hole attacks, right. So like, hey, we know there’s a lot of people sitting on their, in their hybrid work environments at home going to their daily news site or their, you know, whatever they are doing for that day, let’s plant some exploit code and try to attack them that way. That’s another front, right. And again, that as a service model that we talked about, you have all these different campaigns, different ways that people are trying to attack, things like IoT devices that are freshly plugged into networks as an example. So that’s what I mean, it’s that broad coverage of the attack surface.
JE: So it’s kind of just made that attack surface much bigger now with people in these hybrid, yeah, work from anywhere type of situations, because we know that people, like you said, aren’t just going to all kosher websites during the course of a day. Yeah, you know, with nobody at a desk looking at them all the time. I know you said that, you know, there’s a lot of the same stuff you’re seeing where a lot of groups, you know, are doing the same spots, what are like three types of things that you’ve seen, that might be new, in the past, like, year or so?
DM: I’ll start with defense evasion. So that’s not new. But the way that they focus on defense evasion is at an unprecedented level, I would say. And we actually have visibility into this. So we’re doing a lot of work with MITRE Engenuity as an example in the ATT&CK framework, and we’re getting real time data on that, that microscopic view, right? So it’s not just the CVEs or the malware that’s being used, but how are they actually trying to do this? And, you know, what are their techniques in that playbook? And actually, the number one thing, we highlighted this in our threat landscape, or latest threat landscape report, but the number one thing that we’re seeing there is a focus on defense evasion, which is not surprising, because obviously they don’t, you know, when I say they, attackers don’t like us security vendors, right? Threat intel units. And they’re constantly trying to obfuscate code to try to get around security policies and so forth. So the focus on that and the new sub techniques that they’re doing, so it’s different ways, right? They’re trying to evade, that continues to evolve. It’s a big focus for us, right? Because we’re actually looking at that on a daily basis. And obviously, it’s significant, because as we discover those we’re building in all of the appropriate security measures. So again, it’s just something we’re seeing from the playbook, from what attackers are doing. But the other techniques, and this ties into the aggression one, our focus on wiper malware. So this is concerning to say the least. This is something that we talked about, up until this year. So let’s say last year prior, maybe once a year, we would talk about, you know, a wiper malware attack. Now, you know, we’ve put out over, I believe, seven of these just in the first quarter and a bit this year. And a lot of these wiper malware attacks are typically associated with APT, state sponsored attacks, with targeted attacks, right?
But we’re seeing this convergence now between cybercrime and APT groups, right, yeah. And so cybercrime is becoming more targeted. And we’re seeing cybercrime start to employ wiper malware, and that’s a new technique that’s very concerning to say the least, and it doesn’t stop there. Like I said, the third one is now it’s starting to get escalated to a level even of direct firmware attacks. It’s like wiper malware squared, right? It’s not just going after, they’re coming for everything.
JE: Yeah. And I think like, you talked about this with the wipers, like a question I have on this one is after seeing how much Maersk had to pay to rebuild their shipping fleet, like that’s not a small chunk of change. But I think the other question is, do you think this is something that’s leading people to get more bold with extortion that they’re looking to do with some of these? Yes.
DM: Yeah, absolutely. Good news, bad news. The good news is we haven’t really seen this yet. And I’ve been talking about it a bit, the, I call it APC, advanced persistent cybercrime, because it’s that world converged, right? They’re waking up to this, cyber criminals, and they know that it can be a big payday. And that is a big saber to rattle. You know, firmware attacks, wiper malware, and when you combine that with the world of cybercrime and extortion. Absolutely, that is where it’s headed.
JE: And we know these guys don’t have morals, because obviously they wouldn’t be in this line of work if they had those.
DM: Yes, yes. The dog-eat-dog world, as we say here.
JE: Now, before we started recording today, you know, we kind of hit on something a little bit that you had presented about at RSA a few years ago. Yep. And one of the things that I wanted to kind of come back to, because I find this super fascinating, is can you talk about the automation of threats and how AI, machine learning, which is typically something you hear in like cybersecurity buzzwords that they put out in marketing materials, now is being used against the protectors and then getting into cyber systems. So how is it being leveraged right now?
DM: Yeah, good question. So yeah, I did present on this, it was, you know, on the accelerating attack chain. And so just like the Lockheed Martin Cyber Kill Chain, of course, that’s the defender-centric point of view, the attack chain is just the opposite, right? How are you doing weaponization, reconnaissance, code delivery, and so forth. Again, if we look at, dating ourselves here, right, but if we look at, right, 12 years ago now, Stuxnet as an example, some of these highly sophisticated attacks, we’re talking about years, right? Weaponization, digital certificate signing, the code development, exploits for zero days in that case, right. Just as an example, that was a long time ago, a long time of development for these sorts of attacks, not automated at all, right, and targeted. But today, what we’re seeing is automation being put in as the glue on the offense, just like on the defense, we have, you know, orchestration and SD-WAN and all these things, right? To safeguard against that. It’s like any sports analogy, you have the offense and the defense, and they’re incorporating speed and agility, again, via automation into their offense. And we’re seeing this through toolkits, API toolkits that are being created where they can do, you know, a simple example, and I actually talked about this in my talk, is where they, you can take something like an enterprise license with Shodan and do a blueprint, effectively a scan of, you know, vulnerable services, and then automate that into a Metasploit attack for what you actually discovered, right? It’s basic automation one to one, but it takes all the work of an operator going in and typing in all the commands and gluing it together. They’re orchestrating that. That’s just one simple example. But there’s much more and we’re starting to see that in attack toolkits, everything from, hey, right, I’ve landed a RAT on a system, remote access Trojan, how do I find certain files and information?
How do I send that back to my centrally managed, I don’t know, PHP dashboard, as an example. Right? That’s automation. And that’s what we’re seeing more and more happen from the attack cycle perspective, but also a business operations perspective, too, right. And to be clear, they’re different, right, automation and clearly ML and AI. The vast majority of what we see is the automation piece right now. But on the ML and AI side, that is where, you know, we’re starting, some good news, bad news scenario. Again, Jeff, the good news is from our side, from the defenders, you know, security vendor, threat intel world. Clearly we have more funding, we’ve put in more over the years, like 10 years now, more investment into machine learning and AI from a defensive standpoint. They’re just starting to do this in the last year or two from the offense because they haven’t had to in the past, because they can rely on automation, the low hanging fruit, but yeah, so what we’re seeing now with ML and AI is starting to wrap those technologies into the defense evasion, as I talked about, things like deep fakes as well, using those for social engineering attacks, right? That’s another example of it.
JE: That’s a whole different can of worms. And I think it’d almost be its own separate podcast of creepiness, with like, some of them are just like, the scary part I think about with the deep fakes now is, you know, given the way that the world is, you could pretty much start a war with a deep fake if you really had a good one and access to something else.
DM: Yes, yeah, I completely agree. It’s one of the scariest things out there, actually, right now. And again, we haven’t seen a lot of activity on that right now. Because social engineering still works at its most basic level, unfortunately. But they’re not afraid to go to that level. And they will. Right. So
JE: that’s where you see it, too. And I wonder also, if the crashing prices of cryptocurrency and some of the more regulation that’s being pushed, if they’re trying to get their money out quickly, while, you know, there’s still a market to be doing, like seeing some of the European legislation or even, you know, some of the bans for certain countries and now it becomes, can you operate and get your criminal money in untraceable ways? Yeah.
DM: Yeah, absolutely. And that’s actually another point I didn’t touch on. But absolutely. When it comes to, well, I mentioned business operations. But this is part of that, right? How they can enable business operations, including money laundering, specifically through crypto, there’s more than one way to wash
JE: is definitely that way. And it’s definitely something that’s not going away, despite some of this increased attention. So let’s hope that somehow they get taken down a little bit more. But no, we got to get back to the business side of things. You know, we’ve talked a lot about, you know, threats and things like that. But when a CISO, or a CSO, talks about having a plan of action in place for a threat, what are the three things you think they should consider when really looking at this one? Because we all know, a plan is perfect until you get punched in the face, as Mike Tyson once eloquently said, but like, so what does a business need to do in their three steps to protect themselves from a threat? Right?
DM: Well, let’s play off what you just said there. So that’s actually one of my points is having a plan in place. So incident response planning, but also exercising this plan? Right. So I think that’s, quite frankly, not done often enough, breach and attack simulation. And it doesn’t have to be on a, you know, NATO Locked Shields, which, you know, we do participate in at a national level, but also, but just at an enterprise level, right, simple things even, right, running some tabletop drills, down to possibly more enhanced things like cyber ranges, or even commercial solutions like BAS, breach and attack simulation, that goes a tremendously long way. Because like you said, it’s one thing to have a plan. But then once you have to enact that plan, if you have that muscle memory and you’ve gone through it, that’s invaluable. Right. So absolutely, that’s one of the points that I talk to CISOs about. Another point is, and this is a natural one, but integrated threat intelligence. I know everybody talks about threat intelligence, but actionable, something actionable, right? You know, it’s one thing to know about something, it’s another thing to act on something and being able to do that with speed. Going back to that, what the problem is that I’m talking about, these attacks happening so quickly. Literally, it’s just like the exchange, right? You know, if you’re talking about latency, and you miss out by one or two seconds, that could cost millions of dollars. Right?
JE: Yeah. Which is crazy to think about. But literally, like, I think if you were talking about some of this stuff, like maybe a few years ago, if we think back to the height of when, like, a Bitcoin, what was it, like 75,000 US dollars or something like that? Yeah. Yeah. And then it would tank down shortly after, so you can miss a lot in a little bit of time. So I think that’s definitely something that’s, you know, really important. And I think, you know, one of the things that focuses into me on this that you’ve talked about today is it’s not just speed from the defense standpoint, like, obviously, that needs to be there. But also, the reason it’s more important is because of the fact that speed kills, quite literally, when it comes from the attackers at that point. Yep.
DM: Yeah. And again, a lot of that, when we talk about speed from a defensive standpoint, it’s obviously the same idea, that orchestration, SD-WAN, API and integration, you know, we have our Security Fabric, our fabric partners. So it’s a big ecosystem. So an interoperability ecosystem is very important for that exact reason, right? And it’s all about that kill chain, right? Being able to stack up defense against a kill chain with speed, have the right, as these attacks break, that’s the automation piece. But going back to the AI/ML, the power of that is dealing with zero day threats, right. So predictive analysis, anomalies, and not heuristics, which is very old school and was never effective, but true deep learning that has a high accuracy rate, you know, is a key part of that too. And then, you know, the other big ones that come up are zero trust, ZTNA, zero trust network access, which is just an implementation of the zero trust concept, by going back to the deep fake thing that we talked about. Not that I don’t trust you. Do you know who you’re talking to? Right? It’s important when it comes to not just social engineering, but anything that’s being introduced into a network, right? That includes rogue IoT devices that are being plugged in, code that’s being run, new code that’s been introduced. Again, it should be really approached from a zero trust architecture, especially in the work from anywhere environments nowadays, because there’s a lot of, you know, rogue networks that these devices are being plugged into as well. So that’s another big one that comes up. And then, you know, there’s all the, I know we’re sick of talking about this, but we always have to mention it, the, you know, employee education and training, vulnerability patch management, just for the speed aspect again, right? I mean, like I said, with Log4j, we saw within 48 hours there was public exploit code available and being attacked.
And if you don’t have a patch within 48 hours in place, again, speed can kill that. Right. So yeah, so I know, those are the things, that topic we, you know, we talk about all the time, but it’s still obviously important as well, and segmentation, right? The sort of security one on one things, but again, it’s just, those are really, you know, very basic, powerful measures that can be put in place.
JE: I think, with the messages that you sent on there. The same reason that we still see phishing work is because it’s effective. And at the same time, at the defense level, you need to follow the best practices and really train up staff, because otherwise, the reason phishing works is because people still use it just because it works. Yes, exactly. And I think that’s the spot that the new employee education is definitely key to there. So Derek, I want to thank you very much for your time today. And then we will be linking out to the report that your team recently put out on there. But do you have anything you’d like to add before we let you go for today?
DM: I’d just like to always, you know, so a lot of scary stuff that we talk about, but it doesn’t have to be overwhelming. I know there’s a skills gap. You know, employee, there’s a word for it, shortage out there in general, right, and especially in cybersecurity, but this is, again, why these tools are incredibly important to help fill those gaps. And again, you don’t need a big checklist of 50 items to do, some of the simple things we talked about will go a long way.
JE: So well. Thank you very much, Derek, and I look forward to speaking with you in the future.
DM: All right. Thanks, Jeff.