[00:02.970 --> 00:05.370] Okay, let me introduce you here. [00:06.690 --> 00:13.490] Well, welcome everybody to DEF CON 30's Altspace VR DEF CON group meeting. [00:13.490 --> 00:19.930] John Clay is from Trend Micro. He's going to give us a presentation on cyber attack trends in 2022. [00:20.210 --> 00:25.750] John Clay has worked in the cybersecurity space for over 25 years and uses his industry experience [00:25.750 --> 00:30.830] to educate and share insights on threat research and intelligence to the public. [00:30.830 --> 00:35.650] He delivers webinars, writes blogs, and engages customers and the public on the state of [00:35.650 --> 00:39.990] cybersecurity around the world. An accomplished public speaker, John has delivered hundreds of [00:39.990 --> 00:45.310] speaking sessions globally. He focuses on the threat landscape and cyber criminal undergrounds, [00:45.310 --> 00:50.110] the attack lifecycle, and the use of advanced detecting technologies in protecting against [00:50.110 --> 00:55.030] today's sophisticated threats. So thank you for being here, John, and take it away. [00:55.310 --> 00:59.870] Yeah, thank you. So this will be an interesting one because obviously we don't have slides, so [00:59.870 --> 01:05.850] I'll try to talk through the details of what I wanted to go over today. But [01:05.850 --> 01:11.750] thanks everybody for joining us. Hopefully we'll get these slides rolling here at some point. [01:12.130 --> 01:19.730] But let's talk a little bit about attack trends. You know, Trend Micro was one of the founding [01:19.730 --> 01:29.170] members of the Cybersecurity Tech Accord, which is a group of over 150 organizations around the [01:29.170 --> 01:39.710] world. And we did a survey recently around nation-state threats and challenges with nation-state [01:39.710 --> 01:45.310] threats. And we asked a number of questions that I thought were going to be pertinent to this [01:45.310 --> 01:53.230] discussion today. 
And I wanted to share some of those with you. So the first one is how concerned [01:53.230 --> 01:59.210] are you with being a victim of a nation-state attack? You know, as we've seen with the [01:59.790 --> 02:05.550] Russia-Ukraine conflict going on, there's a lot more talk about nation-state activity. [02:06.210 --> 02:10.650] You may be in an industry that you may be targeted by nation-state actors. But [02:11.250 --> 02:15.850] it was interesting. The responses went from very concerned, somewhat concerned, [02:15.950 --> 02:21.430] a bit concerned, to not concerned at all. And only 2% said not concerned at all. So everybody [02:21.430 --> 02:27.750] is a little bit concerned about this and about nation-state actors targeting them. [02:27.890 --> 02:34.730] The next question was, how will we prepare to defend ourselves against these nation-state [02:34.730 --> 02:41.110] attacks? And one is increasing investment on cybersecurity-related technical measures. So [02:41.110 --> 02:47.150] certainly looking at the technical aspect. They also said improving training and education of [02:47.150 --> 02:53.230] employees. So we're looking at people and the people side of the equation. And then, [02:53.230 --> 02:59.250] you know, designing a person or designating a person or a team to be in charge of cybersecurity, [02:59.250 --> 03:04.670] establishing or enhancing corporate policies. So when you think about risk, right, we think about, [03:04.670 --> 03:09.830] we always talk about the people, process and technology. And the answers here definitely [03:09.830 --> 03:15.430] fell in line with that, which is, you know, so as organizations start building better defenses [03:15.430 --> 03:21.270] in the future, you need to really think about that. All three of those areas in your business is [03:21.270 --> 03:24.470] how you're going to deal with people, how you're going to deal with process, and how you're going [03:24.470 --> 03:30.650] to deal with technology. 
One of the interesting questions was we asked, where will people be [03:30.650 --> 03:33.990] attacked? Where do they think within their organization they're going to be attacked? [03:33.990 --> 03:40.130] Number one at 60% was the cloud environment. Certainly with the pandemic happening, [03:40.230 --> 03:47.730] a lot of organizations have done some new investment in cloud architecture. And that [03:47.730 --> 03:52.270] definitely is going to be a cause. And the criminals know this. And they also realize, [03:52.270 --> 03:57.490] the criminals realize that it's new to a lot of organizations. So they probably are making some [03:57.490 --> 04:04.750] mistakes. And it may be an area that is not as easily defendable by an organization as some of [04:04.750 --> 04:10.850] the other areas that have been around much longer. Number two at 47% was employee computers [04:10.850 --> 04:16.890] and laptops. Kind of not surprising, obviously. They're going to target your employees. They're [04:16.890 --> 04:24.870] going to target, obviously, the devices that they're using. Another one was mobile phones [04:24.870 --> 04:32.290] was at 22%. Hardware infrastructure was actually three at 46, almost 47%, which is like your [04:32.290 --> 04:38.630] servers and stuff. So that was, I thought, was interesting. And then how will we be attacked? [04:38.870 --> 04:44.570] They asked this question in two parts. They said, how will we be attacked today? And how [04:44.570 --> 04:51.430] will we be attacked in five years? What's interesting is today they say, [04:51.930 --> 05:01.330] or 47% say malware. And then there is phishing and spear phishing. Third is ransomware. Fourth [05:01.330 --> 05:07.970] is denial of service. Fifth is SQL injection. And sixth is man in the middle. But five years from [05:07.970 --> 05:13.430] now, they think number one will be ransomware. And obviously, we've seen ransomware in quite a bit, [05:13.930 --> 05:19.510] in the news quite a bit. 
And so these respondents really feel that ransomware is going to [05:19.510 --> 05:26.590] increase in the future rather than decrease. The second one, though, was denial of service. So I [05:26.590 --> 05:33.570] think they're thinking that these actors may be looking to do a little bit more harm within [05:33.570 --> 05:41.430] organizations' systems. Malware dropped to number three, and then we had phishing and spear phishing [05:41.430 --> 05:48.450] as number four. So that just kind of gave you some idea of, based on some of your peers [05:48.450 --> 05:55.750] responding to this survey, I thought would be a good idea to key up. The next area I wanted to [05:55.750 --> 06:03.350] look at is the actors and their motivations. So a lot of you probably know who all the different [06:03.350 --> 06:09.450] types of actors are. But when I talk to a lot of customers and people in the industry, one of the [06:09.450 --> 06:15.830] things I mention a lot is that you need to think about who could be targeting you. So when you're [06:15.830 --> 06:21.370] going to build a defense plan and strategy, you need to think about who are the most common actors [06:21.370 --> 06:27.570] that could be targeting you. Because obviously, their motives and their methods may be different [06:27.570 --> 06:32.550] based on the different types of actors. So today, obviously, we have probably the number one is [06:32.550 --> 06:38.650] cybercriminals, financially motivated folks. These are the ransomware gangs out there, [06:38.650 --> 06:45.470] the business email compromise gangs. But you also have amateurs and script kiddies. We certainly [06:45.470 --> 06:51.890] still see the script kiddies out there. Although one of the guys that I work with who heads up our [06:51.890 --> 06:58.270] research, one of the research communities inside Trend Micro, was sharing with me the other day, [06:58.270 --> 07:05.330] we used to have this pyramid of sophistication when it came to the actors. 
And at the bottom [07:05.330 --> 07:12.150] was the script kiddies, which were not very sophisticated. In the middle, you had some of [07:12.150 --> 07:17.270] the newer people not around. And then the very top was the nation state, we always thought nation [07:17.270 --> 07:21.470] state actors, were going to be the most sophisticated. But if you think about it, [07:21.470 --> 07:27.210] you're a much better person in your job today than you were when you first started. And we've [07:27.210 --> 07:32.830] seen a lot of these actors being in this industry for many, many years. So the sophistication level, [07:32.830 --> 07:39.870] and it's almost taken that pyramid and flipped it upside down so that most of the threat actors [07:39.870 --> 07:45.690] out there or are within the actor gangs are very sophisticated, almost as sophisticated as [07:45.690 --> 07:54.270] the nation state actors are. So that is one of the challenges we feel is happening in the world [07:54.270 --> 08:01.810] today is that they are getting much better at what they do. Hacktivists are still around, we saw an [08:01.810 --> 08:09.390] emergence of Anonymous with the Russian invasion of Ukraine, and Anonymous people going after [08:09.390 --> 08:14.890] Russian networks. So certainly the hacktivists and again, their motive may be a little different [08:14.890 --> 08:20.190] from obviously a cyber criminal, for example. Nation states, obviously, we mentioned that, [08:20.190 --> 08:25.490] but also competitive spies can be out there. So when you're thinking about that defense, [08:25.490 --> 08:30.230] and depending on the industry you're in, you want to think about who are these people that [08:30.230 --> 08:35.250] could be targeting me, so that you have the ability to understand their TTPs and the way [08:35.250 --> 08:42.930] that they could be attacking you. And the next area is motivation. So what motivates these threat [08:42.930 --> 08:51.490] actors? 
And I have four areas that I talk about a lot in this area. Was there a question? [08:53.630 --> 09:01.450] Okay, I just muted him. Yep, yeah, speed it up a bit. Oh, no, Shane, I just muted them. No worries. [09:01.450 --> 09:08.770] Oh, okay. Sorry. The first area is espionage. So again, you know, mostly like Chinese actors [09:08.770 --> 09:14.670] tend to be very prolific on the espionage stage. They're trying to steal intellectual property. [09:14.890 --> 09:19.870] If you're a manufacturer, for example, you've got your processes down to how you manufacture [09:19.870 --> 09:25.390] your product. And they may look to steal that because they don't want to invest in the R&D that [09:25.390 --> 09:33.010] goes into that, having to do that. So cyber espionage is pretty big. The second area is [09:33.010 --> 09:38.390] financial gain. That's probably the biggest. Again, I think this industry now is closing in on [09:38.390 --> 09:46.130] over a billion dollars in illegal revenue coming from cybercrime. So it's definitely a huge business [09:46.130 --> 09:52.990] out there today. And even could be multi-billions for all we know. They do not put in W-2 forms to [09:52.990 --> 09:58.490] the IRS when they make money. So we don't really know how much money they're making, but it's [09:58.490 --> 10:08.710] certainly probably extensive. The third area is disruption or destruction attempts. And this is [10:08.710 --> 10:15.050] where, you know, as we saw with the Russian-Ukraine conflict, we saw more destructive attacks. There [10:15.050 --> 10:21.090] were some wipers thrown out there very early on that tried to wipe systems versus encrypting [10:21.090 --> 10:26.510] systems, for example, like the ransomware actors. If I wipe a system, it's not usable anymore. [10:26.510 --> 10:31.690] Whereas if I encrypt it, obviously, if I can get the key, I can get that system back up and running [10:31.690 --> 10:36.970] pretty quickly. So disruptive and destruction attacks. 
And the fourth area, which a lot of [10:36.970 --> 10:43.490] people don't realize today is an education motive. And we're seeing this happening more and more, [10:43.490 --> 10:49.610] especially in the critical infrastructure area, where you may have actors inside your critical [10:49.610 --> 10:53.850] infrastructure, but they aren't doing anything destructive. They aren't doing anything to [10:53.850 --> 11:01.770] create financial gain. All they are doing is trying to learn how to access ICS or SCADA devices or [11:01.770 --> 11:08.750] access an OT network so that they can figure out, can I do it? What can I do? We kind of saw this [11:08.750 --> 11:17.050] potentially with the Russian invasion of the Ukraine power plant years ago, where they probably [11:17.050 --> 11:23.910] did that as much for educating themselves on how to get access to that network, how to bring down [11:23.910 --> 11:30.030] those systems. So these are a lot stealthier type of activities, because again, they're going [11:30.030 --> 11:33.850] to come in, they're going to do stuff, and then they're going to leave and wipe all of the traces [11:33.850 --> 11:41.690] of their attack. So again, thinking of the motivation of these actors against your organization, [11:41.690 --> 11:47.370] depending again on what industry you're in, what products you produce, what services you produce, [11:47.370 --> 11:51.810] that kind of stuff. So think about that as you're building that defense model. [11:54.560 --> 12:03.040] The other thing I wanted to highlight is the attack stages. So there's a definite model that [12:03.040 --> 12:09.980] has been followed over the last several years of the attack lifecycle. And it all came out with [12:09.980 --> 12:19.060] kind of the cyber attack chain that Lockheed Martin has patented. And it really starts with [12:19.060 --> 12:23.840] intelligence gathering. 
So they're going to learn before they even launch any type of an attack [12:23.840 --> 12:28.320] against your organization, they're going to figure out who do they want to target. Again, that's going [12:28.320 --> 12:35.560] to be not only who the victim is, and what their motivation is in attacking them, but also who [12:35.560 --> 12:42.620] in the organization do they want to initially target. So they'll do all this upfront intelligence [12:42.620 --> 12:49.300] gathering to understand who, what, when, where, why, how am I going to target them. So they'll [12:49.300 --> 12:55.100] have all of that information usually upfront before they actually go into the second area, [12:55.100 --> 13:01.520] which is point of entry. So how do I initially access this network and get into it? And we're [13:01.520 --> 13:07.380] seeing some new things I'll talk about in one of the future slides here. But point of entry [13:07.380 --> 13:12.860] certainly is the next stage. The third stage is where they establish a command and control [13:12.860 --> 13:19.380] infrastructure. They need this to continually keep access to that compromised network. [13:19.380 --> 13:23.800] And this can come in many different forms, but there's always going to be typically a command [13:23.800 --> 13:32.040] and control infrastructure that they will establish inside the organization and outward [13:32.040 --> 13:39.540] bound to allow them to see that information and continue to have that access. And then the fourth [13:39.540 --> 13:44.340] stage is lateral movement. And this is something we're seeing even a lot of the ransomware attacks [13:44.340 --> 13:49.980] where they'll get in and they will then laterally move. 
Because obviously if I compromise an [13:49.980 --> 13:55.500] employee's system to get access, usually that employee's computer is not going to have the [13:55.500 --> 14:02.580] information or the data or what they want to achieve and their motive in getting access to [14:02.580 --> 14:08.740] your network. It will then need to laterally move across the network to two different areas. It [14:08.740 --> 14:13.040] could be your cloud infrastructure, could be your data centers, could be critical infrastructure, [14:13.040 --> 14:19.200] your OT network, whatever that might be. The fifth area is that asset and data discovery. So [14:19.200 --> 14:24.260] if they're an actor group that wants to steal data, they're going to look for your customer [14:24.260 --> 14:28.880] data, your intellectual property, your source code. They're going to, again, as part of that lateral [14:28.880 --> 14:34.560] movement process where they map your network out, they're going to learn where those repositories [14:34.560 --> 14:42.280] are. And then they look again, how do I access those? The sixth stage is what we call data [14:42.280 --> 14:48.560] exfiltration. So once I find data, I need to exfiltrate that out to their command and control [14:48.560 --> 14:54.360] infrastructure or to somewhere where they can get access to that data. And again, this is not [14:54.360 --> 15:00.980] going to be done through massive uploads to the web. It's going to be done in byte-sized increments [15:00.980 --> 15:06.080] so you don't see it very easily. It's going to be encrypted, obviously. It may utilize different [15:06.080 --> 15:11.300] channels. It could use, you know, a Dropbox channel. If you use a Dropbox inside your account, [15:11.300 --> 15:19.200] it could use a, you know, a OneDrive. It could be an email with an attachment, whatever it might be. [15:19.200 --> 15:24.840] They're going to figure out a way to exfiltrate it without you realizing it. 
[15:24.880 --> 15:29.960] And there's actually a seventh stage, which a lot of people don't realize, but [15:29.960 --> 15:35.200] it's called a maintenance stage. And the maintenance stage is where they will continue to [15:35.200 --> 15:40.680] stay resident in the network, but they may not be as active. They may throw some [15:41.280 --> 15:47.420] back doors on systems that they just let sit there. They don't, you know, they don't activate. [15:47.820 --> 15:52.200] They may ping the command and control infrastructure every month or every couple of months [15:52.200 --> 15:57.720] just to let them know that they still have access because they may want to sell that access at some [15:57.720 --> 16:03.640] point or utilize that access for another attack against that organization. So that's, and that's, [16:03.640 --> 16:08.340] you're going to see that regardless of whether it's a ransomware attack, whether it's a business [16:08.340 --> 16:14.340] email compromise attack, whether it's just a, you know, a data exfil type of attack, [16:14.340 --> 16:20.680] these stages are all going to be very similar in any attack that you're going to see today. [16:22.660 --> 16:29.080] Now, one of the things that I don't know if everybody reads the Verizon Data Breach [16:29.080 --> 16:34.460] Investigative Report that they publish every year, but it's a pretty good report if you're [16:34.460 --> 16:39.220] not reading it because it does give you some very good information about how the attacks are [16:39.220 --> 16:46.940] happening. But back in 2019, they actually had an appendix that was written [16:46.940 --> 16:52.440] by the United States Secret Service. And I continue to use this because it's still [16:52.440 --> 16:59.060] relevant today. 
And it's very good information because what Secret Service had done is they had, [16:59.740 --> 17:04.840] all these malicious actors that they had arrested over the years and some of the very big breaches, [17:04.840 --> 17:11.780] and they asked them, how did you get access to these networks? And there's [17:11.780 --> 17:17.940] three areas that came out of these interviews with these hackers. The first thing [17:17.940 --> 17:26.100] they look for is human error. So how can I, can I find somebody who makes a mistake, misconfigures [17:26.100 --> 17:34.960] an S3 bucket, misconfigures an open IP that gives me access to that network or to that [17:34.960 --> 17:41.060] device. So they look for people making mistakes. Obviously human error also when I send [17:41.060 --> 17:46.520] an email in and the user clicks on a link that they probably shouldn't have. So that human [17:46.520 --> 17:54.200] error thing. The second thing they look for is IT security complacency. And this is where you think [17:54.200 --> 18:02.400] about like not patching quickly, not configuring things, not enabling some of the [18:02.400 --> 18:09.040] advanced detection technologies that you have access to. You just don't do it. The third area [18:09.040 --> 18:14.500] that they look for was technical deficiencies. So do I, am I not running stuff [18:14.500 --> 18:19.480] that I should be running in certain areas of the network? You know, maybe the OT network has been, [18:19.480 --> 18:26.200] hasn't had a lot of security running in it. So it's deficient of security controls. So they [18:26.200 --> 18:33.180] look for that. But the interesting thing was they mentioned that and this was quoted in the, [18:33.180 --> 18:38.340] in the article, it is when multiple TTPs are utilized in concert that cyber criminals are [18:38.340 --> 18:43.360] able to gain and maintain access to a computer network. 
So they're looking for not just one of [18:43.360 --> 18:48.860] these, but if they find two of them or two or three of them together, they almost absolutely [18:48.860 --> 18:54.420] know that they can get access to that network. And one of the actors actually talked about being [18:54.420 --> 18:59.440] resident on a very large organization's network for over 10 years, [18:59.440 --> 19:03.420] just following this model over and over and over. [19:05.300 --> 19:10.660] Some of the tactics that we're seeing today utilized by the malicious actors. [19:10.860 --> 19:16.120] I mentioned the extensive intelligence gathering before the attack. So that's certainly going to [19:16.120 --> 19:21.640] continue to happen. If you are publishing information out there on your, about your [19:21.640 --> 19:26.500] network, if you're publishing information about the people, that's always going to be helpful to [19:26.500 --> 19:33.600] these criminals. Collaboration between groups is happening more and more. And this is [19:33.740 --> 19:38.980] a very concerning area that we've seen happening in the undergrounds. In the past, you used to have [19:38.980 --> 19:44.540] these groups in the underground and they'd be, you know, working only with themselves. [19:44.540 --> 19:50.580] They'd only work together with if they were an independent person. But even now we're starting [19:50.580 --> 19:58.300] to see, for example, access as a service gangs, whose only purpose in life is to figure [19:58.300 --> 20:04.080] out how to access a network. And then they will sell that access to another group. It could be a [20:04.080 --> 20:11.540] group that does, that uses Emotet and use it to laterally move across the network. And then they [20:11.540 --> 20:16.260] will sell access to a ransomware gang who will ultimately do a ransomware attack. So this [20:16.260 --> 20:22.900] collaboration is happening much more often than we've seen in the past. 
Counter incident response [20:22.900 --> 20:30.020] is used extensively today. So they are obfuscating their malware. They're cleaning up after [20:30.020 --> 20:36.220] themselves, erasing their tracks. I was talking to our incident response manager just this [20:36.220 --> 20:41.060] morning and I was asking him, you know, what are the, some of the things we're seeing? And for [20:41.060 --> 20:47.080] example, they are, we're seeing now where they will deploy some malware on a device inside a [20:47.080 --> 20:53.900] compromised network and that malware gets detected. So, you know, good for the security [20:53.900 --> 20:59.620] product that's running on that endpoint. But what we are seeing now is that within a few hours or a [20:59.620 --> 21:05.640] couple of days, we see a variant of it popping up and running and being executed on those networks. [21:05.640 --> 21:12.480] So we're actually taking that detection and then, you know, recoding, refiguring it out on how to [21:12.920 --> 21:21.560] bypass that organization, that security product. So that's happening quite often. [21:22.300 --> 21:28.200] The attacks today are going to be across many of the different areas of your network. So as part of [21:28.200 --> 21:33.840] that life cycle we're seeing today, as I said, the attacks aren't going to stop and end at [21:33.840 --> 21:40.760] the endpoint. So EDR, great technology, but it's only going to see a small piece of the overall [21:40.760 --> 21:45.860] attack that you're going to see against most organizations. There's going to be network access [21:45.860 --> 21:50.800] that, and network traffic that they're going to be utilizing. It's going to go into the cloud [21:50.800 --> 21:55.760] infrastructure. It's going to go into a data center. It's going to go, it's going to use the email. [21:55.760 --> 22:01.720] It's going to use the web layer. 
All of these areas of your network could be utilized by these [22:01.720 --> 22:07.840] threat actors in the campaign against your organization. So that's why we're starting to [22:07.840 --> 22:13.440] see more organizations starting to adopt more of a platform approach, potentially, where [22:13.440 --> 22:18.580] the products are working together. In the past, obviously, we used the best of breed model [22:19.310 --> 22:24.220] that worked very well back in the day. But today, because those products are pretty siloed, they [22:24.220 --> 22:28.820] don't talk to each other. They don't give a lot of information. It's making it very hard for you, [22:28.820 --> 22:34.720] the defenders, to manage that and see the visibility of these campaigns. So you detect [22:34.720 --> 22:39.460] something on one endpoint, you may detect something on a server in a different area of your network, [22:39.460 --> 22:45.120] and not realizing that it's part of the same campaign. Today, we're starting to see technology [22:45.120 --> 22:50.960] innovations that are allowing you to see that and identify that much more effectively. [22:51.560 --> 22:57.300] And then lastly, one of the other areas we're seeing today are what we call supply chain [22:57.300 --> 23:03.120] attacks or island hopping, where they're actually utilizing your software vendors who [23:04.460 --> 23:11.000] regularly have communications into your networks, and they're using them to pop into those networks. [23:11.000 --> 23:16.940] Or you have a small business who's a vendor of yours, like in the Target attack years ago, [23:16.940 --> 23:24.200] where it was the HVAC vendor who had access to the network. And because they're a small business, [23:24.200 --> 23:29.180] they may not have as good of security controls as you and your bigger organization. And so they [23:29.180 --> 23:35.360] will use it to pivot or laterally move from that network into your network. 
So we're seeing more [23:35.360 --> 23:41.700] of that. Obviously, SolarWinds was an example. Kaseya was an example of that. We just saw one [23:41.700 --> 23:49.080] just recently happening as well. So software supply chain attacks are going to be on the increase [23:49.080 --> 23:57.080] more and more as we go through it. Now, this next slide I want to talk about, you can't see it, [23:57.080 --> 24:04.280] but I'll tell you what's going on here. I've been discussing with our tech support organization over [24:04.280 --> 24:10.100] the last several years, you know, how are these customers or prospects that call us getting [24:10.100 --> 24:16.920] infected in the first place? So what's the root cause of an infection that happens? And there's [24:16.920 --> 24:23.360] some commonalities that we are seeing today from organizations that are dealing with these [24:23.960 --> 24:33.240] successful attacks. First is weak credentials. So there's no question that the threat actors today [24:33.240 --> 24:40.080] are looking to compromise credentials and accounts. If I can get the Active Directory account, [24:40.080 --> 24:45.000] administrative account, I have pretty much keys to the kingdom at that point. And we actually see [24:45.000 --> 24:49.980] this quite often where that account gets compromised. And so the actors are going to go [24:49.980 --> 24:54.680] in, they're going to turn off, they're going to stop the process, the security product running on [24:54.680 --> 24:59.360] the endpoint, that process, they'll turn it off because they can, they have that access, [24:59.360 --> 25:04.900] they have those credentials. So weak credentials is a big one. Email accounts, [25:04.900 --> 25:10.860] for example, business email compromise happens a lot because I'm able to compromise that CFO's [25:10.860 --> 25:16.880] email account very easily, because they're using a weak credential on it. 
And then I send emails [25:16.880 --> 25:23.300] from that account into the organizations, I ask my finance person to wire transfer a million bucks [25:23.300 --> 25:29.020] to this account, I need it today. By the way, don't call me because I'm in a meeting to do the [25:29.020 --> 25:35.120] two factor verification process. Second, outdated and unpatched operating system or [25:35.120 --> 25:40.540] applications. We certainly know, no question, that exploits are being used regularly, whether it's [25:40.540 --> 25:48.280] an n-day exploit, which is a known vulnerability with a patch, or a zero day, which is an [25:48.280 --> 25:53.880] unknown vulnerability that does not have a patch today. Those are being utilized quite often. [25:53.880 --> 25:58.680] But certainly, we see regularly customers like, oh, I thought I patched it or I hadn't patched it [25:58.680 --> 26:05.760] or in other cases, it's an unsecured device that doesn't have the ability to get patched, [26:05.760 --> 26:12.660] for example, or it hasn't been patched in years, like on an OT network, for example. [26:13.280 --> 26:18.720] So that's going to happen. Advanced detection technology is not being enabled. So we see [26:18.720 --> 26:25.740] this often where the customer actually has the technology available to them, they just didn't [26:25.740 --> 26:32.380] enable it. AI and machine learning are prime examples of this. So you may be relying simply [26:32.380 --> 26:37.140] on signatures, and you haven't enabled the behavior monitoring, you haven't enabled a [26:37.140 --> 26:42.860] machine learning engine to be able to analyze those, that malware and specifically those [26:43.140 --> 26:49.460] variants of known malware that would be able to be detected by those newer technologies. So [26:49.460 --> 26:56.920] make sure you know when you have those enabled. Another area is misconfigurations. We talked [26:56.920 --> 27:03.240] about that earlier. So we see this quite often. 
And then one thing I wanted to highlight is [27:03.240 --> 27:09.640] ransomware gets all the hype today. It's certainly in the news quite often. And one of the reasons [27:09.640 --> 27:18.740] is because it is the most visible, most loud threat we've ever seen in the history of cybersecurity. [27:18.740 --> 27:24.500] It pops up on the screen and it says, hey, you're infected, you know, you've been encrypted by Conti [27:24.500 --> 27:30.200] or by Lockbit or whoever it might be. So when you get ransomware, you know, you got infected. [27:30.200 --> 27:36.520] The challenge that a lot of organizations have is maybe thinking that that's the only threat [27:36.520 --> 27:42.260] against them. Whereas the reality is that that actor group has probably been in the network for [27:42.260 --> 27:47.800] quite some time, because ransomware is usually the last revenue option that they take. Because [27:47.800 --> 27:53.100] it is so visible, once they launch ransomware, they know the organization is going to know [27:53.100 --> 27:58.680] they're infected, and they've got somebody resident in their network. So just be aware [27:58.680 --> 28:05.240] that if a ransomware gets popped up, the likelihood that other activities have been happening is very, [28:05.240 --> 28:13.880] very high. Now, the next area I wanted to just highlight is some of the areas that we're seeing [28:13.880 --> 28:20.020] them target as they do their attacks. So one area is, why am I going to target credentials, [28:20.020 --> 28:24.540] right? Why am I looking for accounts out there? First and foremost, they're very trusted, right? [28:24.540 --> 28:30.840] Your AD account, or your Exchange account, Office 365 administrator account, those are going to be [28:30.840 --> 28:36.200] trusted. If I can compromise those, I probably, like I said, I have the keys to the kingdom. 
[28:36.660 --> 28:42.440] It allows them to disguise their activity, because again, I'm acting as that person, [28:42.440 --> 28:48.740] so I can disguise it. There are a ton, a ton of stolen credentials being sold in the underground [28:48.740 --> 28:54.200] today. So I can go and buy RDP credentials that were stolen from previous hacks all day long [28:54.200 --> 29:00.420] in the underground, and I can use those. And again, if I don't have a very good credential [29:01.420 --> 29:06.800] update process happening in my account, the likelihood that I have an account still out [29:06.800 --> 29:12.720] there that has the same credentials being run. We also see, for example, I was asking my IR guy [29:12.720 --> 29:17.520] today, I said, do we ever see where they can compromise the Trend Micro Administrator account? [29:17.520 --> 29:22.380] And he says, it happens on occasion, but usually when they find that out, it's because they use [29:22.380 --> 29:28.300] the same account credentials that they use for their AD server. So they're sharing accounts, [29:28.300 --> 29:34.940] credentials across multiple applications. And again, big no-no for most people, but [29:35.500 --> 29:40.860] it still happens. And again, weak credentials is big. Now, why am I going to target people? [29:40.860 --> 29:45.240] So again, people are probably the weakest link inside your organization, the employees, [29:45.240 --> 29:49.600] but why would they continue to want to target them? Well, first, it's definitely easier than [29:49.780 --> 29:56.320] a technical attack. I don't have to go and buy a zero day for $500,000. I can just, [29:56.320 --> 30:01.900] you know, craft an email from after my intelligence gathering about this employee who likes, [30:01.900 --> 30:06.140] you know, for example, likes the NBA, I can craft an email that says, hey, [30:06.140 --> 30:11.720] check out this latest trade in the NBA, click here, click, boom, infected. 
[30:12.080 --> 30:16.360] Difficult to detect and respond to. A lot of times these employees don't even realize they've [30:16.360 --> 30:23.060] been infected. So they aren't communicating it to you in the SOC or into the IT department. [30:23.060 --> 30:27.220] So you don't even realize that they're infected and they don't realize it either. [30:27.220 --> 30:32.780] People definitely give away way too much information on social media. As I just [30:32.780 --> 30:36.600] previously mentioned, the NBA thing, they're going to give their likes, [30:36.600 --> 30:40.500] their dislikes, their hobbies, whatever it might be. So crafting socially engineered [30:41.220 --> 30:49.040] content to them is very simple after doing a scan of social media accounts of those people. [30:49.300 --> 30:55.000] It's very low risk for high reward. Vulnerabilities, I talked about [30:55.000 --> 31:00.320] vulnerabilities before. Why are they targeting quite a bit? Obviously new vulnerabilities happen [31:00.320 --> 31:06.600] every single day. I think the last patch Tuesday, Microsoft disclosed over 140, which was a record [31:06.600 --> 31:12.580] for them. And that's just one vendor. So you obviously have multiple applications and operating [31:12.580 --> 31:17.400] systems you're running in your organization. You're probably getting updates every day from [31:17.400 --> 31:23.660] one of those or multiple of those. And so these criminals recognize that. They actually monitor [31:23.660 --> 31:29.140] those patches as they come out and they look at them. We're seeing more and more one day [31:29.140 --> 31:34.980] vulnerabilities than we've seen ever before, which is basically a vulnerability that's been [31:34.980 --> 31:40.880] exploited one day after the patch was released. So that's certainly a challenge because there's [31:40.880 --> 31:46.700] so much information out there being shared publicly. 
Even the proof of concept stuff out [31:46.700 --> 31:51.740] there is being shared quite often and they use that. There's an exploit marketplace at [31:51.740 --> 32:00.100] the underground. So there's buying and selling of exploits of vulnerabilities. You can go in [32:00.100 --> 32:05.720] the underground and you can search for Exchange or Office 365 vulnerabilities. It'll pop up a [32:05.720 --> 32:12.080] number of exploits that are for sale in that area. If I want one for a business application, [32:12.080 --> 32:18.560] I just search for that and I can find it and buy it and use it. And then lastly, zero days. We're [32:18.560 --> 32:23.760] seeing more and more zero days. If you didn't see Google Project Zero last year, it said there [32:23.760 --> 32:30.480] was, I think there were 50 or 80 plus zero days used in active attacks last year. Highest ever [32:30.480 --> 32:36.200] seen. And maybe the reason I postulate that potentially it's because you're doing a very [32:36.200 --> 32:41.760] much better job today of protecting your networks from the traditional stuff. So you're blocking [32:41.760 --> 32:47.620] those n-day vulnerabilities or exploits that are being used. So they have to move to zero days [32:47.620 --> 32:53.900] because they are unknown and they actually still work. And then the last area I wanted [32:53.900 --> 33:00.160] to just highlight is why target external facing infrastructure? So you all probably use Shodan [33:00.160 --> 33:05.860] or you heard of Shodan. Shodan is a tool that can be used by you or cyber criminals, for example, [33:05.860 --> 33:11.620] of scanning the internet for IP, open IPs. And it'll give you information about those IPs. It'll [33:11.620 --> 33:19.540] tell you what it is, what ports are open, what services are open. And so it's very easy to scan. 
[33:19.540 --> 33:25.360] And obviously that's the first thing that they're going to look for in an organization is what open [33:25.360 --> 33:31.320] IPs does that organization have? I'm going to scan those IPs and do a scan on them to figure out, [33:31.320 --> 33:36.900] is there anything on there that I can target and utilize to get access to that device or that IP? [33:37.540 --> 33:43.480] So that's going to happen. Misconfigurations, we talked about that, they are all over the place. [33:43.500 --> 33:50.060] There's exposed ports and services, certainly all the time on these devices that may have, [33:50.060 --> 33:55.380] should have been shut down. And often it's forgotten infrastructure, for example, people, [33:55.380 --> 34:00.360] you know, we see again, when we talk to customers, they go, I didn't realize that IP was still there, [34:00.360 --> 34:04.560] that device was still on the network. It should have been, you know, archived years ago, but it's [34:04.560 --> 34:13.080] still active and still there. So that's kind of the main stuff that I had today to talk about in [34:13.080 --> 34:20.180] terms of what is happening, how is it happening in the underground. The next just few minutes, [34:20.180 --> 34:25.900] I wanted to highlight and give you some recommendations that I give customers and [34:25.900 --> 34:32.740] people out there on how to help you defend against these. Again, this is a great time right now to [34:32.740 --> 34:41.280] really look at your overall cybersecurity strategy and your plan and how you go about things, [34:41.280 --> 34:48.920] because like I mentioned before, with all these different types of TTPs and attack scenarios, [34:48.920 --> 34:56.200] maybe a traditional approach to your cybersecurity may not be helping you today, [34:56.200 --> 35:01.480] it may be actually hurting you more than it's helping. So first area, audit and inventory. 
So [35:01.480 --> 35:06.660] attack surface management, attack surface discovery are terms that are being used quite often, [35:06.660 --> 35:14.400] but they're actually pretty good, because as I said, if you can't see it, don't know it's there, [35:14.400 --> 35:19.860] how do you defend against it? So having something that can do some more attack surface discovery for [35:19.860 --> 35:26.820] you can help you understand audit and inventory, all of the devices that are on your network, [35:26.820 --> 35:34.160] both internal and external, to understand that. And then identify authorized and unauthorized devices [35:34.160 --> 35:41.620] and software, make an audit of event and incident logs. So you're obviously logging a lot, [35:41.620 --> 35:46.140] make sure you're looking at those logs and identifying. If you don't have the expertise, [35:46.140 --> 35:51.100] you don't have the manpower to be able to do that, that's where maybe look at a managed service [35:51.100 --> 35:58.640] provider or managed service option for you. And then configure and monitor. So manage hardware, [35:58.640 --> 36:03.380] software configurations. So we talked about misconfigurations. You may take this time right [36:03.380 --> 36:08.860] now to look at all your configurations. Have a call with your cybersecurity vendor or vendors [36:08.860 --> 36:15.880] and make sure that you have their best practices guides. Make sure you have configured their [36:15.880 --> 36:21.180] products properly and given the best opportunity to detect the latest. Make sure you have the [36:21.180 --> 36:26.220] latest and greatest software from them, from those vendors, and make sure it's working. [36:26.640 --> 36:32.680] Grant admin privileges and access only when necessary to an employee. 
So again, that looking [36:32.680 --> 36:38.600] at who has access to your AD administrative accounts, who has access to your customer data, [36:38.940 --> 36:45.620] and then only limit them to being able to access that at the right time and the right person having [36:45.620 --> 36:53.160] access. Monitor network ports, protocols, services. Activate security configurations on network [36:53.160 --> 36:59.720] infrastructure devices. So again, a lot of this activity, network activity, can help you identify [36:59.720 --> 37:05.840] if you're compromised. That lateral movement is an area that you can do. Even a command and [37:05.840 --> 37:11.920] control infrastructure, as it pings outside to the command and control server or servers out there, [37:11.920 --> 37:17.200] you may be able to identify. Maybe that infrastructure was built in a region of the [37:17.200 --> 37:25.620] world where you don't have businesses and business. So then you could look at, oh, why do we have [37:25.620 --> 37:33.860] something connecting to a server in Zimbabwe or wherever it might be? And then you could cut off [37:33.860 --> 37:40.240] that access. Another area is patch and update. We talk about that quite a bit. But one area is [37:40.240 --> 37:45.200] virtual patching. You may not even, you may not think about virtual patching, but virtual patching [37:45.200 --> 37:50.240] actually allows you to virtually patch that vulnerability for a period of time until you [37:50.240 --> 37:57.220] actually can do the proper process and QA of the full patch. A lot of times those patches aren't [37:57.220 --> 38:04.880] complete. So with a virtual patch may have a more complete ability to detect an exploit. In fact, [38:04.880 --> 38:14.120] Project Zero, of the 24 zero days that have been used in 2022, 12 of them were variants of earlier [38:14.120 --> 38:19.540] vulnerabilities that had been used in attacks before. 
So they're starting, even the criminals [38:19.540 --> 38:25.680] are starting to use variants of exploits that worked in the past because they work now and [38:25.680 --> 38:31.380] they can get around the defenses. But virtual patching, look at that. Also network IPS [38:32.380 --> 38:38.400] outside in and inside out. That can help you identify some of this stuff as well. [38:39.100 --> 38:44.100] Protect and recover. Certainly implement data protection, backup, recovery measures as [38:44.100 --> 38:48.600] ransomware. As you know, one of the big things for ransomware was, can you back up and recover [38:48.600 --> 38:54.780] very quickly from an encrypted system that's encrypted? So that would be a good one as well. [38:55.640 --> 39:00.880] Enable multi-factor authentication. Definitely got to be that in, especially with, like I [39:00.880 --> 39:06.900] mentioned, those big applications, those business critical applications, and any access to your [39:06.900 --> 39:15.540] critical data, your customer data, your source code data, your IP data, etc. Secure and defend. [39:15.540 --> 39:21.020] A lot of times there's actually preventative measures. So EDR is great for detection and [39:21.020 --> 39:26.220] response, but there's a lot of technology today that can actually prevent these attacks. [39:26.220 --> 39:33.920] Look for early warning signs. If I see Emotet detection in my network, that may be an indicator [39:33.920 --> 39:38.440] that there's a ransomware attack coming in the future. And that can inform you and maybe look [39:38.440 --> 39:43.120] at you to hardening some of the areas, especially if you know the actor group, because you could go [39:43.120 --> 39:50.500] to MITRE ATT&CK Framework site, look up that actor group that uses Emotet or uses Cobalt Strike, [39:50.500 --> 39:57.280] for example, and you can identify their TTPs of future areas of what they could do inside [39:57.280 --> 40:03.400] your network. 
And then lastly, train and test your employees. Train your employees, train your [40:03.400 --> 40:08.640] users. If you're doing a cloud infrastructure, make sure your cloud architects are fully trained [40:08.640 --> 40:14.120] in how to secure that cloud infrastructure. Maybe implement some of these technologies today that [40:14.120 --> 40:20.480] can identify when somebody misconfigures something and it can alert you or ping that person that, [40:20.480 --> 40:24.540] maybe shouldn't make that configuration change because it's opening it up to [40:24.540 --> 40:32.120] attack at that point. So that's all I had today. I hope this was helpful. If there's any questions, [40:32.120 --> 40:49.180] I'd be happy to take those now. Thank you very much for the hand claps. I appreciate that. [40:50.900 --> 40:56.060] Well, I will sign off then. Everybody have a great rest of your conference. I hope it all [40:56.060 --> 41:00.080] goes well. And if you have any questions or anything, you can certainly reach out to me. [41:01.280 --> 41:09.280] Jon underscore Clay at Trend Micro.com or Jon L. Clay on Twitter. J-O-N. I don't have an H there. [41:09.280 --> 41:15.160] So thanks, everybody. Have a great day and stay safe and healthy. Talk to you soon. Bye-bye. [41:15.480 --> 41:16.620] Thanks, Jon. [41:17.860 --> 41:19.120] Thanks very much. [41:19.320 --> 41:21.040] Press the R key to... [41:23.160 --> 41:24.080] Which key? [41:24.080 --> 41:27.440] The Romeo key to drop the mic. [41:31.100 --> 41:31.980] Romeo. [41:32.460 --> 41:35.620] Romeo. R. Letter R. Romeo. [41:35.620 --> 41:36.080] Yeah. [41:36.460 --> 41:39.220] Yeah, on your keyboard. If you press R, it'll drop the mic. [41:39.660 --> 41:40.380] There we go. [41:40.380 --> 41:43.280] There you go. Thank you, Jon. That was excellent. [41:45.640 --> 41:48.680] Thank you, Jon. Excellent presentation. [41:50.200 --> 41:52.900] We're still working on the slide problem, by the way. 
[41:52.900 --> 42:00.980] It looks as if the service that they use for... allows us to project slides into the meeting space has gone down. [42:01.400 --> 42:07.580] We are contacting... we have contacted and put in a trouble ticket to Altspace VR tech support. [42:07.580 --> 42:09.480] And we've got multiple people working on it. [42:09.480 --> 42:15.400] They're doing PCAPs to see if there's anything going on, like some type of network problem, that sort of thing. [42:15.400 --> 42:17.620] But right now, it looks like the service is down. [42:17.620 --> 42:18.580] Now, in the meantime... [42:19.800 --> 42:24.620] Hey, Giglio, you need to mute your mic because we're getting your keyboards. [42:25.680 --> 42:26.540] Thanks. [42:28.640 --> 42:30.320] So we're working on that. [42:30.320 --> 42:33.520] Our next speaker will be here in about eight minutes. [42:33.840 --> 42:36.620] And as soon as they're here, we'll introduce them.