Max Havey [00:00:00] Welcome to Security Visionaries, a podcast powered by Netskope focused on bringing you conversations with senior executives from the world of cybersecurity, technology, trust and networking. This episode features a conversation with Ray Canzanese, director of Netskope Threat Labs. Ray sits down to chat with us about his latest quarterly Cloud and Threat Report, talking through why he chose to focus on the adversary this time around, what surprised him most about his findings and how security folks and beyond can use the findings from this report. Here's our conversation with Ray. Hello and welcome to Security Visionaries. I'm your host, Max Havey. And today we're sitting down for a conversation about the October Cloud and Threat Report with Ray Canzanese, director of Netskope Threat Labs. Ray, welcome to the show. How are you doing today?
Ray Canzanese [00:00:44] I'm doing all right, Max. As good as I can on a Monday. How about you?
Max Havey [00:00:47] I'm doing solid. So glad to be having this conversation. So as the director of Netskope Threat Labs, Ray is responsible for writing our quarterly Cloud and Threat Report. To get things started off here, Ray, can you sort of give us a little bit of background about sort of the interim report, how long you've been doing it and sort of why we do it?
Ray Canzanese [00:01:06] Sure. We started writing these reports in 2020, so this will be our third complete year of writing these reports. We put a new one out every quarter and we cover a slightly different topic or angle every time we put a new report out. The goal of these reports is to provide strategic, actionable threat intel to the reader. So that's what we're hoping comes through in all of these, but especially the latest report we just put out.
Max Havey [00:01:38] Absolutely. And so can you tell us sort of what the focus for this most recent report was and sort of your approach for writing this report?
Ray Canzanese [00:01:45] Sure. So previous reports have covered topics like where we see malware getting downloaded by victims. We've talked about where they're encountering phishing links. We've talked about risks with AI, right. We've talked about insider threat risks. So we've taken all these different views, many of them about an external adversary. And for this latest report, we decided to focus on that adversary. Right. So instead of focusing on a specific thing like phishing or malware or exploits, let's look at the adversaries. Let's look at the adversaries that are most active against Netskope customers. And let's see if we can learn anything from that. Let's see if we can learn, for example, what are the top tactics and techniques that are being used, regardless of which adversary we're talking about? Or let's look at whether, if I'm working in a specific industry, in a specific geo, there's a particular adversary I should be worried about and therefore a specific set of tactics and techniques that are favored by that adversary that I should focus my defenses on.
Max Havey [00:02:59] Definitely. So a sense of, you know, sort of knowing your enemy so that you can better sort of do things on your end.
Ray Canzanese [00:03:05] Exactly right. And sometimes I feel like we get a little abstract when we talk about cybersecurity, like we're talking about where malware comes from and where you're encountering malware. And this is kind of taking that step back and reminding ourselves there's somebody else doing that, right? There's somebody sending those links, right? There's somebody trying to convince your users to do these things that compromise your systems. So let's really focus on who that is. Right. Who that adversary is on the other side of this sort of like offense-defense type battle that we're up against in cybersecurity.
Max Havey [00:03:45] How did having sort of that perspective sort of change the way that you approached writing this report compared to, you know, previous reports that you've done?
Ray Canzanese [00:03:52] Sure. So first off, it changed the approach of, let's call it, the 12 months up to writing this report. In other words, what we needed to change first to even write this report, right, is to more closely and more accurately try to track the adversary. Right. So the first thing that changes for us is that we start spending, you know, even more time when we're detecting malware, when we see somebody visiting a phishing page, when we see command and control traffic exiting an endpoint, trying to collect as much information about that as we can, to then try to attribute that back to one or more of the adversary groups that we are tracking. Right. So all of that work, you know, and I'd say roughly a year, right, which is more or less what this report covers. We end up starting talking about, you know, beginning of '23 to today. So that's where we begin, right, is tracking. And then when it comes time to start writing the report, what you're looking at as well is, are there any adversaries that were more active than others? Right. Are there any that were more active within a certain population than others? And then just start looking at those tactics that are floating to the top, right, to see what are those interesting trends, those standout things that are going to then guide us in our defensive strategy moving forward.
Max Havey [00:05:18] Definitely sort of a more qualitative approach there. Well, so then with that in mind, sort of what were some of the big takeaways and some of the big findings that you had coming out of this report?
Ray Canzanese [00:05:27] Sure. So the big takeaway, the first and maybe easiest takeaway, is that throughout all of the adversaries that we were tracking, right, and there were, I think, around 50 total groups that we tracked for this report, there were a few techniques that stood out as just everybody is using them. Right. So if I'm taking that know-your-adversary approach, right, there's this one angle to it that's, well, I don't really care which of the 50 adversaries it is. They're likely to be doing these six things, and these six things in pretty substantial volume. Right. And those six things we had tracked in terms of the MITRE ATT&CK framework. So the MITRE ATT&CK framework gives us a really nice language to talk to each other in cybersecurity about tactics, about techniques, and about the groups that are using them. So we picked that common language to write this report in, and in that common language, we talk about initial access, the techniques that adversaries use to get into a target system. We talk about execution, which is how they're running malicious code once they're in that system. We talk about command and control, which is obviously, once they've compromised the system, how are they then talking to it? And then finally, data exfiltration, right. How do they, if their ultimate goal is to, for example, try to blackmail you, they're going to have to steal something to blackmail you with, right? So they need to exfiltrate some data back to their systems. So we look at six specific techniques in those categories and basically found, across the board, every adversary that we were tracking was doing them. And they centered around phishing, they centered around getting users to execute malware, and then they centered around doing all the command and control and the exfiltration over HTTP and HTTPS, basically to blend in with all the other stuff on the network.
Max Havey [00:07:40] So essentially breaking down what sort of the key tactics and tips are that you're seeing a lot of these different adversaries all applying, and then kind of breaking those down sort of by industry, by geo and a lot of other factors once you sort of laid those out. Right.
Ray Canzanese [00:07:55] Right. And we started with those because if you're just trying to get from this report, what should I do differently? Those are the ones that everybody is getting targeted with, right? So if you're going to start somewhere, start with the ones that are common, because your defensive strategy is going to work against virtually every group. Right. Then the next step after you go through those six tactics and techniques is to look at what's happening in your industry and your geo.
Max Havey [00:08:22] Definitely. And as you sort of drill down further into those geos and industries, is there anything that really jumped out at you as sort of surprising in these findings?
Ray Canzanese [00:08:30] Yes, there was one thing that really surprised me. So if you look just across the adversaries that we're tracking, they're very roughly in two groups. They are either financially motivated or they are geopolitically motivated. Right. They're either cyber criminals, right, or they're some sort of state-sponsored or state-affiliated geopolitical actor. And so looking in those two groups and across sort of our entire network, it's no surprise, I think, to anybody working in cybersecurity that the overwhelming volume is cyber crime, right? It's mostly cyber criminal activity. The geopolitical activity as a percentage of total volume of attacker activity is much lower. Now, there were some standouts, right? So on the industry side, in financial services and in healthcare, the geopolitical adversaries were more active than they were in other industries. Similarly, there were standouts in the geographical regions where it's pretty much the opposite. There were two standouts, the standouts being Australia and North America, that had much lower geopolitical adversary activity than other regions. So really, you know, it was those standouts that were the surprising bit here, right, in terms of whether it was cyber crime or geopolitical activity that we were seeing.
Max Havey [00:10:06] Absolutely. And so what makes those specific standouts so interesting, and why should, you know, sort of folks who are cybersecurity leaders or other folks within security organizations, why should they be taking note of those sorts of anomalies and outliers within this sort of research?
Ray Canzanese [00:10:22] Right. So if you work in one of those outlier regions, right, that tells you something about the adversary that you're up against. Right. And so it's not just, look at whether it's geopolitical or criminal. Right. But you can then use the MITRE ATT&CK framework to look at those top geopolitical adversaries in those regions. What are the tactics and techniques that they are using? Right. And how well are your defenses tuned against them? So in other words, the thing you learn by looking at that is what is special about your industry, or your region, that you should maybe be doing something slightly different, and more targeted toward the adversary that you're up against. And oftentimes where you can get intel on this is talking to your peer organizations, right? So talk to other people in your industry, other people in your industry that are operating in the same region as you. You can often, you know, find an ISAC or some other group, right, that you can join and share with each other what's going on, how your peers are building up their defenses, what you can do differently, learning from them to defend against the particular adversaries you're up against.
Max Havey [00:11:37] And that's a good broad takeaway, especially as we're, you know, kind of in the midst of Security Awareness Month right now, and sort of thinking about that, just zooming out a little bit further, if you had to offer sort of one key tactic or tip coming out of this report to the broader security organizations, security folks who are technical, non-technical, non-threat, you know, folks out there in security, what's one takeaway you would offer to them?
Ray Canzanese [00:12:01] Sure. So I know that one of our favorite topics to talk about in Cybersecurity Awareness Month is phishing. So let me talk about phishing for a minute, because when we think about phishing, we often think about email, right? A lot of our phishing training focuses around how do you know whether it's safe to open that email? What we found is that email is becoming a less and less common way in which people are falling for phishing. Right? And that's one, because you train everybody to be suspicious of email, and two, because you build up all your anti-phishing defenses around email. And so what we're starting to see is that it's not email, it's text messages, it's phone calls, it's DMs on Instagram, it's fake reviews on Facebook. It's weird search results that you found in Google when you search for a really specific thing that you wanted to know about some software you use or some hardware you use, that an attacker managed to get a phishing page listed on the Google search results for that. So in other words, I think the phishing story is that phishing isn't email, right? Phishing is somebody else trying to trick you into giving up your username or your password or logging into something when they're kind of looking over your shoulder virtually. And that can begin anywhere, and it can begin outside of email. So if you're worried about phishing from a technical perspective because you work in cybersecurity, make sure your phishing defenses go beyond email. If you're just a regular old person out there who's a little paranoid and worried about phishing, easy solution: never click on links, ever. Never go to websites that other people tell you to go to. In other words, if I want to log into my bank's website, I open my browser and I type in the URL of my bank's website. There's no other way that I will ever log into my bank's website. No dire-sounding text message, no Instagram DM, no Snapchat, no Facebook, nothing. There's nobody anywhere that's ever going to convince me to log in to anything important any other way.
Max Havey [00:14:29] Well, and that's a good point too, noting how this phishing has evolved, like we saw even in the news recently with the MGM attack, where that was done through voice phishing, through a phone call, through to the helpdesk. So like, there are these examples of how this is continuing to develop and grow and change. And I think that's an excellent point to have there.
Ray Canzanese [00:14:48] Yeah, absolutely. And I mean, I don't know how common this is, but I probably get a dozen phone calls and text messages a day that are certainly scams of some sort. So they're either, you know, phishing for credentials or trying to get me to send them money. Right. But there's something going on there. So I think people might be familiar with some of these higher volume ones. But when you start getting into the lower volume, more nuanced ones is where people start getting tricked. So stop thinking about the channel and start thinking about, like, what's actually going on. Somebody is trying to get you to go to a fake website. So just don't give anybody those opportunities, right? Just never, never click on links. Right. Easy solution. Unplug that computer.
Max Havey [00:15:37] Stop thinking about the channel and focus on the outcome. Feels like the real big takeaway here. I feel like that's something that is easy enough for everyone in our audience to remember and to keep in mind as they're operating out on the Internet.
Ray Canzanese [00:15:50] Right. Because, you know, I give all those examples of what it is today, right? But tomorrow it's going to be, I don't know, Mastodon or some other platform that is not as popular now, but as it becomes popular will become a channel where phishers, scammers, cyber criminals, geopolitical actors, they'll all go there as well.
Max Havey [00:16:13] Yeah, absolutely. I think that brings me to the end of my questions here. Is there anything further that you'd like to add that we haven't covered in this conversation so far?
Ray Canzanese [00:16:22] Well, if we weren't going to give the pitch, I'll give the pitch. Right. This report is live on netskope.com/threat-labs. On our website you'll find more details about everything we talked about here today. And every month you'll see new monthly reports go up on our website. We'll talk about interesting threats live as they're happening on our blog. And every quarter you'll see another one of these big reports. If you can't keep up with all of this exciting stuff that we're doing, I also have a mailing list that you'll find at that exact same website, that is netskope.com/threat-labs.
Max Havey [00:17:04] Absolutely. And for everybody who wants to check this out on their own, I will have a link to this in the show notes for the episode. But until then, until we have another report for you, Ray, thank you so much for taking the time. It's always illuminating talking to you about all the interesting new stuff you're uncovering over at Netskope Threat Labs.
Ray Canzanese [00:17:19] Thanks, Max.
Max Havey [00:17:20] Awesome. Have a good one.