Okay, let me introduce you here. Well, welcome everybody to DEF CON 30's Altspace VR DEF CON group meeting. John Clay is from Trend Micro. He's going to give us a presentation on cyber attack trends in 2022. John Clay has worked in the cybersecurity space for over 25 years and uses his industry experience to educate and share insights on threat research and intelligence to the public. Delivers webinars, writes blogs, and engages customers and the public on the state of cybersecurity around the world. An accomplished public speaker, John has delivered hundreds of speaking sessions globally. He focuses on the threat landscape and cyber criminal undergrounds, the attack lifecycle, and the use of advanced detecting technologies in protecting against today's sophisticated threats. So thank you for being here, John, and take it away.

Yeah, thank you. So this will be an interesting one because obviously we don't have slides, so I'll try to talk through the details of what I wanted to go over today. But thanks everybody for joining us. Hopefully we'll get these slides rolling here at some point. But let's talk a little bit about attack trends. You know, Trend Micro was one of the founding members of the Cybersecurity Tech Accord, which is a group of over 150 organizations around the world. And we did a survey recently around nation-state threats and challenges with nation-state threats. And we asked a number of questions that I thought were going to be pertinent to this discussion today. And I wanted to share some of those with you. So the first one is how concerned are you with being a victim of a nation-state attack? You know, as we've seen with the Russia-Ukraine conflict going on, there's a lot more talk about nation-state activity. You may be in an industry that you may be targeted by nation-state actors. But it was interesting. The responses went from very concerned, somewhat concerned, a bit concerned, to not concerned at all. 
And only 2% said not concerned at all. So everybody is a little bit concerned about this and about nation-state actors targeting them. The next question was, how will we prepare to defend ourselves against these nation-state attacks? And one is increasing investment on cybersecurity-related technical measures. So certainly looking at the technical aspect. They also said improving training and education of employees. So we're looking at people and the people side of the equation. And then, you know, designing a person or designating a person or a team to be in charge of cybersecurity, establishing or enhancing corporate policies. So when you think about risk, right, we think about, we always talk about the people process and technology. And the answers here definitely fell in line with that, which is, you know, so as organizations start building better defenses in the future, you need to really think about that. All three of those areas in your business is how you're going to deal with people, how you're going to deal with process, and how you're going to deal with technology. One of the interesting questions was we asked, where will people be attacked? Where do they think within their organization they're going to be attacked? Number one at 60% was the cloud environment. Certainly with the pandemic happening, a lot of organizations have done some newly investment in cloud architecture. And that definitely is going to be a cause. And the criminals know this. And they also realize, the criminals realize that it's new to a lot of organizations. So they probably are making some mistakes. And it may be an area that is not as easily defendable by an organization as some of the other areas that have been around much longer. Number two at 47% was employee computers and laptops. Kind of not surprising, obviously. They're going to target your employees. They're going to target, obviously, the devices that they're using. Another one was mobile phones was at 22%. 
Hardware infrastructure was actually three at 46, almost 47%, which is like your servers and stuff. So that was, I thought, was interesting. And then how will we be attacked? They asked this question in two parts. They said, how will we be attacked today? And how will we be attacked in five years? What's interesting is today they say, or 47% say malware. And then there is phishing and spear phishing. Third is ransomware. Fourth is denial of service. Fifth is SQL injection. And sixth is man in the middle. But five years from now, they think number one will be ransomware. And obviously, we've seen ransomware in quite a bit, in the news quite a bit. And so these respondents really feel that ransomware is going to increase in the future rather than decrease. The second one, though, was denial of service. So I think they're thinking that these actors may be looking to a little bit more harm within organizations' systems. Malware dropped to number three, and then we had phishing and spear phishing as number four. So that was just kind of gave you some idea of, based on some of your peers responding to this survey, I thought would be a good idea to key up. The next area I wanted to look at is the actors and their motivations. So a lot of you probably know who all the different types of actors are. But when I talk to a lot of customers and people in the industry, one of the things I mention a lot is that you need to think about who could be targeting you. So when you're going to build a defense plan and strategy, you need to think about who are the most common actors that could be targeting you. Because obviously, their motives and their methods may be different based on the different types of actors. So today, obviously, we have probably the number one is cybercriminals, financially motivated folks. These are the ransomware gangs out there, the business email compromise gangs. But you also have amateurs and script kiddies. 
We certainly still see the script kiddies out there. Although one of the guys that I work with who heads up our research, one of the research communities inside Trend Micro, was sharing with me the other day, we used to have this pyramid of sophistication when it came to the actors. And at the bottom was the script kiddies, which were not very sophisticated. In the middle, you had some of the newer people not around. And then the very top was the nation state, we always thought nation state actors, were going to be the most sophisticated. But if you think about it, you're a much better person in your job today than you were when you first started. And we've seen a lot of these actors being in this industry for many, many years. So the sophistication level, and it's almost taken that pyramid and flipped it upside down so that most of the threat actors out there or are within the actor gangs are very sophisticated, almost as sophisticated as the nation state actors are. So that is one of the challenges we feel is happening in the world today is that they are getting much better at what they do. Hacktivists still around, we saw an emergence of Anonymous with the Russian invasion of Ukraine, and Anonymous people going after Russian networks. So certainly the hacktivists and again, their motive may be a little different from obviously a cyber criminal, for example. Nation states, obviously, we mentioned that, but also competitive spies can be out there. So when you're thinking about that defense, and depending on the industry you're in, you want to think about who are these people that could be targeting me, so that you have the ability to understand their TTPs and the way that they could be attacking you. And the next area is motivation. So what motivates these threat actors? And I have four areas that I talk about a lot in this area. Was there a question? Okay, I just muted him. Yep, yeah, speed it up a bit. Oh, no, Shane, I just muted them. No worries. Oh, okay. 
Sorry. The first area is espionage. So again, you know, mostly like Chinese actors tend to be very prolific on the espionage stage. They're trying to steal intellectual property. If you're a manufacturer, for example, you've got your processes down to how you manufacture your product. And they may look to steal that because they don't want to invest in the R&D that goes into that, having to do that. So cyber espionage is pretty big. The second area is financial gain. That's probably the biggest. Again, I think this industry now is closing in on over a billion dollars in illegal revenue coming from cybercrime. So it's definitely a huge business out there today. And even could be multi-billions for all we know. They do not put in W-2 forms to the IRS when they make money. So we don't really know how much money they're making, but it's certainly probably extensive. The third area is disruption or destruction attempts. And this is where, you know, as we saw with the Russian-Ukraine conflict, we saw more destructive attacks. There were some wipers thrown out there very early on that tried to wipe systems versus encrypting systems, for example, like the ransomware actors. If I wipe a system, it's not usable anymore. Whereas if I encrypt it, obviously, if I can get the key, I can get that system back up and running pretty quickly. So disruptive and destruction attacks. And the fourth area, which a lot of people don't realize today is an education motive. And we're seeing this happening more and more, especially in the critical infrastructure area, where you may have actors inside your critical infrastructure, but they aren't doing anything destructive. They aren't doing anything to create financial gain. All they are doing is trying to learn how to access ICS or SCADA devices or access an OT network so that they can figure out, can I do it? What can I do? 
We kind of saw this potentially with the Russian invasion of the Ukraine power plant years ago, where they probably did that as much for educating themselves on how to get access to that network, how to bring down those systems. So these are a lot more stealthier type of activities, because again, they're going to come in, they're going to do stuff, and then they're going to leave and wipe all of the traces of their attack. So again, thinking of the motivation of these actors against your organization, depending again on what industry you're in, what products you produce, what services you produce, that kind of stuff. So think about that as you're building that defense model. The other thing I wanted to highlight is the attack stages. So there's a definite model that has been followed over the last several years of the attack lifecycle. And it all came out with kind of the cyber attack chain that Lockheed Martin has patented. And it really starts with intelligence gathering. So they're going to learn before they even launch any type of an attack against your organization, they're going to figure out who do they want to target. Again, that's going to be not only who the victim is, and what their motivation is in attacking them, but also who in the organization do they want to initially target. So they'll do all this upfront intelligence gathering to understand who, what, when, where, why, how am I going to target them. So they'll have all of that information usually upfront before they actually go into the second area, which is point of entry. So how do I initially access this network and get into it. And we're seeing some new things I'll talk about in one of the future slides here. But point of entry certainly is the next stage. The third stage is where they establish a command and control infrastructure. They need this to continually keeping access to that compromised network. 
And this can come in many different forms, but there's always going to be typically a command and control infrastructure that they will establish inside the organization and outward bound to allow them to see that information and continue to have that access. And then the fourth stage is lateral movement. And this is something we're seeing even a lot of the ransomware attacks where they'll get in and they will then laterally move. Because obviously if I compromise an employee's system to get access, usually that employee's computer is not going to have the information or the data or what they want to achieve and their motive in getting access to your network. It will then need to laterally move across the network to two different areas. It could be your cloud infrastructure, could be your data centers, could be critical infrastructure, your OT network, whatever that might be. The fifth area is that asset and data discovery. So if they're an actor group that wants to steal data, they're going to look for your customer data, your intellectual property, your source code. They're going to, again, as part of that lateral movement process where they map your network out, they're going to learn where those repositories are. And then they look again, how do I access those? The sixth stage is what we call data exfiltration. So once I find data, I need to exfiltrate that out to their command and control infrastructure or to somewhere where they can get access to that data. And again, this is not going to be done through massive uploads to the web. It's going to be done in byte-sized increments so you don't see it very easily. It's going to be encrypted, obviously. It may utilize different channels. It could use, you know, a Dropbox channel. If you use a Dropbox inside your account, it could use a, you know, a OneDrive. It could be an email with an attachment, whatever it might be. They're going to figure out a way to make it exfiltrate it without you realizing it. 
And there's actually a seventh stage, which a lot of people don't realize it, but that's it's called a maintenance stage. And the maintenance stage is where they will continue to stay in resident in the network, but they may not be as active. They may throw some back doors on systems that they just let sit there. They don't, you know, they don't activate. They may ping the command and control infrastructure every month or every couple of months just to let them know that they still have access because they may want to sell that access at some point or utilize that access for another attack against that organization. So that's, and that's, you're going to see that regardless of whether it's a ransomware attack, whether it's a business email compromise attack, whether it's just a, you know, a data exfil type of attack, these stages are all going to be very similar in any attack that you're going to see today. Now, one of the things that I don't know if everybody reads the Verizon Data Breach Investigative Report that they publish every year, but it's a pretty good report if you're not reading it because it does give you some very good information about how the attacks are happening. And, but back in 2019, they actually had a, an appendix that they, that was written by the United States Secret Service. And I can, and I continue to use this because it's still relevant today. And it's very good information because what Secret Service had done is they had, all these malicious actors that they had arrested over the years and some of the very big breaches, and they asked them, how did you get access to these networks? And, and one of the, there's three areas that they came, that came out of these interviews with these hackers. The first thing they look for is human error. So how can I, can I find somebody who makes a mistake, misconfigures an S3 bucket, misconfigures a, a open IP that gave, gives me access to that network or to that device. 
So they look for people, people making mistakes. Obviously human error also when I send an email in and the user clicks on a link that they, they probably shouldn't have. So that human error thing. The second thing they look for is IT security complacency. And this is where you think about like not patching quickly, not configuring things, not, not doing, enabling some of the advanced detection technologies that you have access to. You just don't do it. The third area they, that they look for were technical deficiencies. So do I, am I not running stuff that I should be running in certain areas of the network? You know, maybe the OT network has been, hasn't had a lot of security running in it. So it's deficient of security controls. So they look for that. But the interesting thing was they, they mentioned that and this was quoted in the, in the article, it is when multiple TTPs are utilized in concert that cyber criminals are able to gain and maintain access to a computer network. So they're looking for not just one of these, but if they find two of them or two or three of them together, they almost absolutely know that they can get access to that network. And one of the actors actually talked about being in resident on a, on a, on a very large organization's network for over 10 years, just following this model over and over and over. Some of the tactics that we're seeing today utilized by the malicious actors. I mentioned the extensive intelligence gathering before the attack. So that's certainly going to continue to happen. If you are publishing information out there on your, about your network, if you're publishing information about the people, that's always going to be helpful to these, these criminals. Collaboration between groups is happening more and more. And this is a very concerning area that we've seen happening in the undergrounds. 
In the past, you used to have these groups in the underground and they'd be, they'd be, you know, working only with themselves. They'd only work together with if they were an independent person. But even now we're starting to see, for example, access as a service gangs, whose only purpose in life is to, is to figure out how to access a network. And then they will sell that access to another group. It could be a group that does, that uses Emotet and use it to laterally move across the network. And then they will sell access to a ransomware gang who will ultimately do a ransomware attack. So this collaboration is happening much more often than we've seen in the past. Counter incident response is used extensively today. So they are obfuscating their malware. They're, they're cleaning up after themselves, erasing their tracks. I was talking to our, our incident response manager just this morning and I was asking him, you know, what are the, some of the things we're seeing? And for example, they are, we're seeing now where they will deploy some malware on a device inside a compromised network and that, that malware gets detected. So, you know, good for the security product that's running on that endpoint. But what we are seeing now is that within a few hours or a couple of days, we see a variant of it popping up and running and being executed on those networks. So we're actually taking that, that detection and, and then, you know, recoding, refiguring it out on how to bypass that, that organization, that security product. So that's happening quite often. The attacks today are going to be across many of the different areas of your network. So as part of that, that life cycle we're seeing today, I, as I said, the attacks aren't going to stop and end at the endpoint. So EDR, great technology, but it's only going to see a small piece of the overall attack that you're going to see against most organizations. 
There's going to be network access that, and network traffic that they're going to be utilizing. It's going to go into the cloud infrastructure. It's going to go into a data center. It's going to go, it's going to use the email. It's going to use the web layer. All of these areas of your network could be utilized by these threat actors in the campaign against your organization. So that's why we're starting to see more organizations starting to adopt more of a platform approach, potentially, where the products are working together. In the past, obviously, we used the best of breed model that worked very well back in the day. But today, because those products are pretty siloed, they don't talk to each other. They don't give a lot of information. It's making it very hard for you, the defenders, to manage that and see the visibility of these campaigns. So you detect something on one endpoint, you may detect something on a server in a different area of your network, and not realizing that it's part of the same campaign. Today, we're starting to see technology innovations that are allowing you to see that and identify that much more effectively. And then lastly, one of the other areas we're seeing today are what we call supply chain attacks or island hopping, where they're actually utilizing your software vendors who regularly have communications into your networks, and they're using them to pop into those networks. Or you have a small business who's a vendor of yours, like in the Target attack years ago, where it was the HVAC vendor who had access to the network. And because they're a small business, they may not have as good of security controls as you and your bigger organization. And so they will use it to pivot or laterally move from that network into your network. So we're seeing more than that. Obviously, SolarWinds was an example. Kaseya was an example of that. We just saw one just recently happening as well. 
So software supply chain attacks are going to be on the increase more and more as we go through it. Now, this next slide I want to talk about, you can't see it, but I'll tell you what's going on here. I've been discussing with our tech support organization over the last several years, you know, how are these customers or prospects that call us getting infected in the first place? So what's the root cause of an infection that happens? And there's some commonalities that we are seeing today from organizations that are dealing with these successful attacks. First is weak credentials. So there's no question that the threat actors today are looking to compromise credentials and accounts. If I can get the Active Directory account, administrative account, I have pretty much keys to the kingdom at that point. And we actually see this quite often where that account gets compromised. And so the actors are going to go in, they're going to turn off, they're going to stop the process, the security product running on the endpoint, that process, they'll turn it off because they can, they have that access, they have that those credentials. So weak credentials is a big one. Email accounts, for example, business email compromise happens a lot because I'm able to compromise that CFO's email account very easily, because they're using a weak credential on it. And then I send emails from that account into the organizations, I asked my finance person, a wire transfer a million bucks to this account, I need it today. By the way, don't call me because I'm in a meeting to do the two factor verification process. Secondary, outdated and unpatched operating system or applications. There's certainly no question that exploits are being used regularly, whether it's an n-day exploit, which is a known vulnerability with a patch or a zero day, which is an unknown vulnerability that does not have a patch today. Those are being utilized quite often. 
But certainly, we see regularly customers like, oh, I thought I patched it or I hadn't patched it or in other cases, it's an unsecured device that doesn't have the ability to get patched, for example, or it hasn't been patched in years, like on an OT network, for example. So that's going to happen. Advanced detection technology is not being enabled. So we see this often where customer actually has the technology available to them, they just didn't enable it. AI and machine learning are prime examples of this. So you may be relying simply on signatures, and you haven't enabled the behavior monitoring, you haven't enabled a machine learning engine to be able to analyze those, that malware and specifically those variants of known malware that would be able to be detected by those newer technologies. So make sure you know when you have those enabled. Another area is misconfigurations. We talked about that earlier. So we see this quite often. And then one thing I wanted to highlight is ransomware gets all the hype today. It's certainly in the news quite often. And one of the reasons is because it is the most visible, most loud threat we've ever seen in the history of cybersecurity. It pops up on the screen and it says, hey, you're in fact, you know, you've been encrypted by Conti or by Lockbit or whoever it might be. So when you get ransomware, you know, you got infected. The challenge that a lot of organizations have is, is maybe thinking that that's the only threat against them. Whereas the reality is that that actor group has probably been in the network for quite some time, because ransomware is usually the last revenue option that they take. Because it is so visible, once they launch ransomware, they know the organization is going to know they're infected, and they've got somebody resident in their network. So just be aware that if a ransomware gets popped up, the likelihood that other activities have been happening is very, very high. 
Now, the next area I wanted to just highlight is some of the areas that we're seeing them target as they do their attacks. So one area is, why am I going to target credentials, right? Why am I looking for accounts out there? First and foremost, they're very trusted, right? Your AD account, or your Exchange account, Office 365 administrator account, those are going to be trusted. If I can compromise those, I probably, like I said, I have the keys to the kingdom. It allows them to disguise their activity, because again, I'm acting as that person, so I can disguise it. There are a ton, a ton of stolen credentials being sold in the underground today. So I can go and buy RDP credentials that were stolen from previous hacks all day long in the underground, and I can use those. And again, if I don't have a very good credential update process happening in my account, the likelihood that I have an account still out there that has the same credentials being run. We also see, for example, I was asking my IR guy today, I said, do we ever see where they can compromise the Trend Micro Administrator account? And he says, it happens on occasion, but usually when they find that out, it's because they use the same account credentials that they use for their AD server. So they're sharing accounts, credentials across multiple applications. And again, big no-no for most people, but it still happens. And again, weak credentials is big. Now, why am I going to target people? So again, people are probably the weakest link inside your organization, the employees, but why would they continue to want to target them? Well, first, it's definitely easier than a technical attack. I don't have to go and buy a zero day for $500,000. I can just, you know, craft an email from after my intelligence gathering about this employee who likes, you know, for example, likes the NBA, I can craft an email that says, hey, check out this latest trade in the NBA, click here, click, boom, infected. 
Difficult to detect and respond to. A lot of times these employees don't even realize they've been infected. So they aren't communicating it to you in the SOC or into the IT department. So you don't even realize that they're infected and they don't realize it either. People definitely give away way too much information on social media. As I just previously mentioned, the NBA thing, they're going to give their likes, their dislikes, their hobbies, whatever it might be. So crafting socially engineered content to them is very simple after doing a scan of social media accounts of those people. It's very low risk for high reward. Vulnerabilities, I talked about vulnerabilities before. Why are they targeting quite a bit? Obviously new vulnerabilities happen every single day. I think the last Patch Tuesday, Microsoft disclosed over 140, which was a record for them. And that's just one vendor. So you obviously have multiple applications and operating systems you're running in your organization. You're probably getting updates every day from one of those or multiple of those. And so these criminals recognize that. They actually monitor those patches as they come out and they look at them. We're seeing more and more one day vulnerabilities than we've seen ever before, which is basically a vulnerability that's been exploited one day after the patch was released. So that's certainly a challenge because there's so much information out there being shared publicly. Even the proof of concept stuff out there is being shared quite often and they use that. There's an exploit marketplace at the underground. So there's buying and selling of exploits of vulnerabilities. You can go in the underground and you can search for Exchange or Office 365 vulnerabilities. It'll pop up a number of exploits that are for sale in that area. If I want one for a business application, I just search for that and I can find it and buy it and use it. And then lastly, zero days. 
We're seeing more and more zero days. If you didn't see Google Project Zero last year, it said there was, I think there were 50 or 80 plus zero days used in active attacks last year. Highest ever seen. And maybe the reason I postulate that potentially it's because you're doing a very much better job today of protecting your networks from the traditional stuff. So you're blocking those n-day vulnerabilities or exploits that are being used. So they have to move to zero days because they are unknown and they actually still work. And then the last area I wanted to just highlight is why target external facing infrastructure? So you all probably use Shodan or you heard of Shodan. Shodan is a tool that can be used by you or cyber criminals, for example, of scanning the internet for IP, open IPs. And it'll give you information about those IPs. It'll tell you what it is, what ports are open, what services are open. And so it's very easy to scan. And obviously that's the first thing that they're going to look for in an organization is what open IPs does that organization have? I'm going to scan those IPs and do a scan on them to figure out, is there anything on there that I can target and utilize to get access to that device or that IP? So that's going to happen. Misconfigurations, we talked about that, they are all over the place. There's exposed ports and services, certainly all the time on these devices that may have, should have been shut down. And often it's forgotten infrastructure, for example, people, you know, we see again, when we talk to customers, they go, I didn't realize that IP was still there, that device was still on the network. It should have been, you know, archived years ago, but it's still active and still there. So that's kind of the main stuff that I had today to talk about in terms of what is happening, how is it happening in the underground. 
The next just few minutes, I wanted to highlight and give you some recommendations that I give customers and people out there on how to help you defend against these. Again, this is a great time right now to really look at your overall cybersecurity strategy and your plan and how you go about things, because like I mentioned before, with all these different types of TTPs and attack scenarios, maybe a traditional approach to your cybersecurity may not be helping you today, it may be actually hurting you more than it's helping. So first area, audit and inventory. So attack surface management, attack surface discovery are terms that are being used quite often, but they're actually pretty good, because as I said, if you can't see it, don't know it's there, how do you defend against it? So having something that can do some more attack surface discovery for you can help you understand audit and inventory, all of the devices that are on your network, both internal and external, to understand that. And then identify authorized and unauthorized devices and software, make an audit of event and incident logs. So you're obviously logging a lot, make sure you're looking at those logs and identifying. If you don't have the expertise, you don't have the manpower to be able to do that, that's where maybe look at a managed service provider or managed service option for you. And then configure and monitor. So manage hardware, software configurations. So we talked about misconfigurations. You may take this time right now to look at all your configurations. Have a call with your cybersecurity vendor or vendors and make sure that you have their best practices guides. Make sure you have configured their products properly and given the best opportunity to detect the latest. Make sure you have the latest and greatest software from them, from those vendors, and make sure it's working. Grant admin privileges and access only when necessary to an employee. 
So again, that looking at who has access to your AD administrative accounts, who has access to your customer data, and then only limit them to being able to access that at the right time and the right person having access. Monitor network ports, protocols, services. Activate security configurations on network infrastructure devices. So again, a lot of this activity, network activity, can help you identify if you're compromised. That lateral movement is an area that you can do. Even a command and control infrastructure, as it pings outside to the command and control server or servers out there, you may be able to identify. Maybe that infrastructure was built in a region of the world where you don't have businesses and business. So then you could look at, oh, why do we have something connecting to a server in Zimbabwe or wherever it might be? And then you could cut off that access. Another area is patch and update. We talk about that quite a bit. But one area is virtual patching. You may not even, you may not think about virtual patching, but virtual patching actually allows you to virtually patch that vulnerability for a period of time until you actually can do the proper process and QA of the full patch. A lot of times those patches aren't complete. So with a virtual patch may have a more complete ability to detect an exploit. In fact, Project Zero, of the 24 zero days that have been used in 2022, 12 of them were variants of earlier vulnerabilities that had been used in attacks before. So they're starting, even the criminals are starting to use variants of exploits that worked in the past because they work now and they can get around the defenses. But virtual patching, look at that. Also network IPS outside in and inside out. That can help you identify some of this stuff as well. Protect and recover. Certainly implement data protection, backup, recovery measures as ransomware. 
As you know, one of the big things for ransomware was, can you back up and recover very quickly from an encrypted system that's encrypted? So that would be a good one as well. Enable multi-factor authentication. Definitely got to be that in, especially with, like I mentioned, those big applications, those business critical applications, and any access to your critical data, your customer data, your source code data, your IP data, etc. Secure and defend. A lot of times there's actually preventative measures. So EDR is great for detection and response, but there's a lot of technology today that can actually prevent these attacks. Look for early warning signs. If I see Emotet detection in my network, that may be an indicator that there's a ransomware attack coming in the future. And that can inform you and maybe look at you to hardening some of the areas, especially if you know the actor group, because you could go to MITRE ATT&CK Framework site, look up that actor group that uses Emotet or uses Cobalt Strike, for example, and you can identify their TTPs of future areas of what they could do inside your network. And then lastly, train and test your employees. Train your employees, train your users. If you're doing a cloud infrastructure, make sure your cloud architects are fully trained in how to secure that cloud infrastructure. Maybe implement some of these technologies today that can identify when somebody misconfigures something and it can alert you or ping that person that, maybe shouldn't make that configuration change because it's opening it up to attack at that point. So that's all I had today. I hope this was helpful. If there's any questions, I'd be happy to take those now. Thank you very much for the hand claps. I appreciate that. Well, I will sign off then. Everybody have a great rest of your conference. I hope it all goes well. And if you have any questions or anything, you can certainly reach out to me. Jon underscore Clay at trendmicro.com or Jon L. 
Clay on Twitter. J-O-N. I don't have an H there. So thanks, everybody. Have a great day and stay safe and healthy. Talk to you soon. Bye-bye. Thanks, Jon. Thanks very much. Press the R key to... Which key? The Romeo key to drop the mic. Romeo. Romeo. R. Letter R. Romeo. Yeah. Yeah, on your keyboard. If you press R, it'll drop the mic. There we go. There you go. Thank you, Jon. That was excellent. Thank you, Jon. Excellent presentation. We're still working on the slide problem, by the way. It looks as if the service that they use for... allows us to project slides into the meeting space has gone down. We are contacting... we have contacted and put in a trouble ticket to Altspace VR tech support. And we've got multiple people working on it. They're doing PCAPs to see if there's anything going on, like some type of network problem, that sort of thing. But right now, it looks like the service is down. Now, in the meantime... Hey, Giglio, you need to mute your mic because we're getting your keyboards. Thanks. So we're working on that. Our next speaker will be here in about eight minutes. And as soon as they're here, we'll introduce them.