
In this episode of Security Visionaries, we sit down for a conversation with Ray Canzanese, Director of Netskope Threat Labs, to discuss some of the big takeaways from the just-released October 2023 Cloud and Threat Report. Ray digs into why he chose to focus on the adversary this time around, what surprised him about his findings, and how security folks and beyond can best use the findings from this report.

Read the latest Cloud and Threat Report at: https://www.netskope.com/netskope-threat-labs.

"The thing you learn by looking at adversaries' trends and tactics is what is special about your industry, or your region, that you should maybe be doing something slightly different, and more targeted toward the adversary that you're up against. And oftentimes where you can get intel on this is talking to your peer organizations."

Ray Canzanese, Director, Netskope Threat Labs


Timestamps

(0:01): Introductions
(0:47): Background on the Cloud and Threat Report
(1:38): What was the focus for this report?
(3:45): How was the approach different writing it this time?
(5:18): Big takeaways and findings from the report
(8:22): What was surprising about your findings?
(10:06): Why should security folks be taking note of those sorts of anomalies and outliers?
(11:37): What's one takeaway you want to impart from this report?
(16:13): Closing thoughts


On this episode

Ray Canzanese
Director, Netskope Threat Labs

Ray is the Director of Netskope Threat Labs, which specializes in cloud-focused threat research. His background is in software anti-tamper, malware detection and classification, cloud security, sequential detection, and machine learning.

Max Havey
Senior Content Specialist at Netskope

Max Havey is a Senior Content Specialist for Netskope's corporate communications team. He is a graduate of the University of Missouri's School of Journalism with both a Bachelor's and a Master's in Magazine Journalism. Max has worked as a content writer for startups in the software and life insurance industries, as well as edited ghostwriting from across multiple industries.

Episode transcript

Max Havey [00:00:00] Welcome to Security Visionaries, a podcast powered by Netskope focused on bringing you conversations with senior executives from the world of cybersecurity, technology, trust and networking. This episode features a conversation with Ray Canzanese, Director of Netskope Threat Labs. Ray sits down to chat with us about his latest quarterly Cloud and Threat Report, talking through why he chose to focus on the adversary this time around, what surprised him most about his findings and how security folks and beyond can use the findings from this report. Here's our conversation with Ray. Hello and welcome to Security Visionaries. I'm your host, Max Havey. And today we're sitting down for a conversation about the October Cloud and Threat Report with Ray Canzanese, Director of Netskope Threat Labs. Ray, welcome to the show. How are you doing today?

Ray Canzanese [00:00:44] I'm doing all right, Max. As good as I can on a Monday. How about you?

Max Havey [00:00:47] I'm doing solid. So glad to be having this conversation. So as the Director of Netskope Threat Labs, Ray is responsible for writing our quarterly Cloud and Threat Report. To get things started off here, Ray, can you sort of give us a little bit of background about the report, how long you've been doing it and sort of why we do it?

Ray Canzanese [00:01:06] Sure. We started writing these reports in 2020, so this will be our third complete year of writing these reports. We put a new one out every quarter and we cover a slightly different topic or angle every time we put a new report out. The goal of these reports is to provide strategic, actionable threat intel to the reader. So that's what we're hoping comes through in all of these, but especially the latest report we just put out.

Max Havey [00:01:38] Absolutely. And so can you tell us sort of what the focus for this most recent report was and sort of your approach for writing this report?

Ray Canzanese [00:01:45] Sure. So previous reports have covered topics like where we see malware getting downloaded by victims. We've talked about where they're encountering phishing links. We've talked about risks with A.I., right. We've talked about insider threat risks. So we've taken all these different views, many of them about an external adversary. And for this latest report, we decided to focus on that adversary. Right. So instead of focusing on a specific thing like phishing or malware or exploits, let's look at the adversaries. Let's look at the adversaries that are most active against Netskope customers. And let's see if we can learn anything from that. Let's see if we can learn, for example, what are the top tactics and techniques that are being used, regardless of which adversary we're talking about? Or let's look at whether, if I'm working in a specific industry, in a specific geo, there's a particular adversary I should be worried about and therefore a specific set of tactics and techniques that are favored by that adversary that I should focus my defenses on.

Max Havey [00:02:59] Definitely. So a sense of, you know, sort of knowing your enemy so that you can better sort of do things on your end.

Ray Canzanese [00:03:05] Exactly right. And sometimes I feel like we get a little abstract when we talk about cybersecurity, like we're talking about where malware comes from and where you're encountering malware. And this is kind of taking that step back and reminding ourselves there's somebody else doing that, right? There's somebody sending those links, right? There's somebody trying to convince your users to do these things that compromise your systems. So let's really focus on who that is. Right. Who that adversary is on the other side of this sort of offense-defense type battle that we're up against in cybersecurity.

Max Havey [00:03:45] How did having sort of that perspective sort of change the way that you approached writing this report compared to, you know, previous reports that you've done?

Ray Canzanese [00:03:52] Sure. So first off, it changed the approach of, let's call it the 12 months up to writing this report. In other words, what we needed to change first to even write this report, right, is to more closely and more accurately try to track the adversary. Right. So the first thing that changes for us is that we start spending, you know, even more time when we're detecting malware, when we see somebody visiting a phishing page, when we see command and control traffic exiting an endpoint, trying to collect as much information about that as we can, to then try to attribute that back to one or more of the adversary groups that we are tracking. Right. So all of that work, you know, and I'd say roughly a year, right, which is more or less what this report covers. We end up starting talking about, you know, beginning of '23 to today. So that's where we begin, right, is tracking. And then when it comes time to start writing the report, what you're looking at as well, are there any adversaries that were more active than others? Right. Are there any that were more active within a certain population than others? And then just start looking at those tactics that are floating to the top, right. To see what are those interesting trends, those standout things that are going to then guide us in our defensive strategy moving forward.

Max Havey [00:05:18] Definitely sort of a more qualitative approach there. Well, so then with that in mind, sort of what were some of the big takeaways and some of the big findings that you had coming out of this report?

Ray Canzanese [00:05:27] Sure. So the big takeaway, the first and maybe easiest takeaway is that throughout all of the adversaries that we were tracking, right. And there were, I think, around 50 total groups that we tracked for this report. There were a few techniques that stood out: just everybody is using them. Right. So if I'm taking that know-your-adversary approach, right. There's this one angle to it that's, well, I don't really care which of the 50 adversaries it is. They're likely to be doing these six things and these six things in pretty substantial volume. Right. And those six things, we had tracked them in terms of the MITRE ATT&CK framework. So the MITRE ATT&CK framework gives us a really nice language to talk to each other in cybersecurity about tactics, about techniques, and about the groups that are using them. So we picked that common language to write this report in, and in that common language, we talk about initial access, the techniques that adversaries use to get into a target system. We talk about execution, which is how they're running malicious code once they're in that system. We talk about command and control, which is obviously, once they've compromised the system, how are they then talking to it? And then finally, data exfiltration, right. How do they, if their ultimate goal is to, for example, try to blackmail you, they're going to have to steal something to blackmail you with, right? So they need to exfiltrate some data back to their systems. So we look at six specific techniques in those categories and basically found across the board, every adversary that we were tracking was doing them. And they centered around phishing, they centered around getting users to execute malware, and then they centered around doing all the command and control and the exfiltration over HTTP and HTTPS, basically to blend in with all the other stuff on the network.

Max Havey [00:07:40] So essentially breaking down what sort of the key tactics and tips that you're seeing a lot of these different adversaries are all applying, and then kind of breaking those down sort of by industry, by geo and a lot of other factors once you sort of laid those out. Right.

Ray Canzanese [00:07:55] Right. And we started with those because if you're just trying to get from this report, what should I do differently? Those are the ones that everybody is getting targeted with, right? So if you're going to start somewhere, start with the ones that are common, because your defensive strategy is going to work against virtually every group. Right. Then the next step after you go through those six tactics and techniques is to look at what's happening in your industry and your geo.

Max Havey [00:08:22] Definitely. And as you sort of drill down further into those geos and industries, is there anything that really jumped out at you as sort of surprising in these findings?

Ray Canzanese [00:08:30] Yes, there was one thing that really surprised me. So if you look just across the adversaries that we're tracking, they're very roughly in two groups. They are either financially motivated or they are geopolitically motivated. Right. They're either cyber criminals. Right. Or they're some sort of state-sponsored or state-affiliated geopolitical actor. And so looking in those two groups and across sort of our entire network, it's no surprise, I think, to anybody working in cybersecurity that the overwhelming volume is cyber crime, right? It's mostly cyber criminal activity. The geopolitical activity as a percentage of total volume of attacker activity is much lower. Now, there were some standouts, right? So on the industry side, in financial services and in healthcare, the geopolitical adversaries were more active than they were in other industries. Similarly, there were standouts in the geographical regions where it's pretty much the opposite. There were two standouts, the standouts being Australia and North America, that had much lower geopolitical adversary activity than other regions. So really, you know, it was those standouts that were the surprising bit here, right, in terms of whether it was cyber crime or geopolitical activity that we were seeing.

Max Havey [00:10:06] Absolutely. And so what made those specific standouts so interesting, and why should, you know, sort of folks who are like cybersecurity leaders or other folks within security organizations, why should they be taking note of those sorts of anomalies and outliers within this sort of research?

Ray Canzanese [00:10:22] Right. So if you work in one of those outlier regions. Right. That tells you something about the adversary that you're up against. Right. And so it's not just, look at whether it's geopolitical or criminal. Right. But you can then use the MITRE ATT&CK framework to look at, of those top geopolitical adversaries in those regions, what are the tactics and techniques that they are using? Right. And how well are your defenses tuned against them? So in other words, the thing you learn by looking at that is what is special about your industry, or your region, that you should maybe be doing something slightly different, and more targeted toward the adversary that you're up against. And oftentimes where you can get intel on this is talking to your peer organizations, right? So talk to other people in your industry, other people in your industry that are operating in the same region as you. You can often, you know, find an ISAC or some other group, right, that you can join and share with each other what's going on. How your peers are building up their defenses. What you can do differently, learning from them to defend against the particular adversaries you're up against.

Max Havey [00:11:37] And that's a good broad takeaway, especially as we're, you know, kind of in the midst of Security Awareness Month right now, and sort of thinking about that, just zooming out a little bit further, if you had to offer sort of one key tactic or tip coming out of this report to the broader security organizations, security folks who are technical, non-technical, non-threat, you know, folks out there in security. What's one takeaway you would offer to them?

Ray Canzanese [00:12:01] Sure. So I know that one of our favorite topics to talk about in Cybersecurity Awareness Month is phishing. So let me talk about phishing for a minute, because when we think about phishing, we often think about email, right? A lot of our phishing training focuses around how do you know whether it's safe to open that email? What we found is that email is becoming a less and less common way in which people are falling for phishing. Right? And that's one, because you train everybody to be suspicious of email, and two, because you build up all your anti-phishing defenses around email. And so what we're starting to see is that it's not email, it's text messages, it's phone calls, it's DMs on Instagram, it's fake reviews on Facebook. It's weird search results that you found in Google when you search for a really specific thing that you wanted to know about some software you use or some hardware you use, that an attacker managed to get a phishing page listed on the Google search results for that. So in other words, I think the phishing story is that phishing isn't email, right? Phishing is somebody else trying to trick you into giving up your username or your password or logging into something when they're kind of looking over your shoulder virtually. And that can begin anywhere, and it can begin outside of email. So if you're worried about phishing from a technical perspective because you work in cybersecurity, make sure your phishing defenses go beyond email. If you're just a regular old person out there who's a little paranoid and worried about phishing, easy solution, never click on links ever. Never go to websites that other people tell you to go to. In other words, if I want to log into my bank's website, I open my browser and I type in the URL of my bank's website. There's no other way that I will ever log into my bank's website. No dire-sounding text message. No Instagram DM, no Snapchat, no Facebook, nothing. There's nobody anywhere that's ever going to convince me to log in to anything important any other way.

Max Havey [00:14:29] Well, and that's a good point too, noting how this phishing has evolved, like we saw even in the news recently with the MGM attack, where that was done through voice phishing, through a phone call, through the helpdesk. So like, there are these examples of how this is continuing to develop and grow and change. And I think that's an excellent point to have there.

Ray Canzanese [00:14:48] Yeah, absolutely. And I mean, I don't know how common this is, but I probably get a dozen phone calls and text messages a day that are certainly scams of some sort. So they're either, you know, phishing for credentials or trying to get me to send them money. Right. But there's something going on there. So I think people might be familiar with some of these higher-volume ones. But when you start getting into the lower-volume, more nuanced ones is where people start getting tricked. So stop thinking about the channel and start thinking about, like, what's actually going on. Somebody is trying to get you to go to a fake website. So just don't give anybody those opportunities, right? Just never, never click on links. Right. Easy solution. Unplug that computer.

Max Havey [00:15:37] Stop thinking about the channel and focus on the outcome. Feels like the real big takeaway here. I feel like that's something that is easy enough for everyone in our audience to remember and to keep in mind as they're operating out on the Internet.

Ray Canzanese [00:15:50] Right. Because, you know, I give all those examples of what it is today, right? But tomorrow it's going to be, I don't know, Mastodon or some other platform that is not as popular now, but as it becomes popular will become a channel where phishers, scammers, cyber criminals, geopolitical actors, they'll all go there as well.

Max Havey [00:16:13] Yeah, absolutely. I think that brings me to the end of my questions here. Is there anything further that you'd like to add that we haven't covered in this conversation so far?

Ray Canzanese [00:16:22] Well, if we weren't going to give the pitch, I'll give the pitch. Right. This report is live on netskope.com/threat-labs. On our website you'll find more details about everything we talked about here today. And every month you'll see new monthly reports go up on our website. We'll talk about interesting threats live as they're happening on our blog. And every quarter you'll see another one of these big reports. If you can't keep up with all of this exciting stuff that we're doing, I also have a mailing list that you'll find at that exact same website, that is netskope.com/threat-labs.

Max Havey [00:17:04] Absolutely. And for everybody who wants to check this out on their own, I will have a link to this in the show notes for the episode. But until then, until we have another report for you. Ray, thank you so much for taking the time. It's always illuminating talking to you about all the interesting new stuff you're uncovering over at Netskope Threat Labs.

Ray Canzanese [00:17:19] Thanks, Max.

Max Havey [00:17:20] Awesome. Have a good one.
