CSPAN Washington This Week November 21, 2015

... leading in the same way the government has always had. It's the intelligence approach, but it's finally getting here, a step in the right direction.

Mr. Slen: John Watters, do you use the public internet for your system? You are worldwide.

Mr. Watters: As little as possible. On the research front, yeah.

Mr. Slen: Is it an overbuilt type of thing?

Mr. Watters: The mechanics of how you communicate anonymously and maintain some level of anonymity and operations from an overseas perspective, that is kind of the dark secret trade. And everybody tries to anonymize who they are and what they do.

Mr. Slen: So if somebody is on their computer, Chrome, Safari, whatever, how secure are they?

Mr. Watters: I think technology companies do as good a job as they can with the ability they have to manage their own infrastructure. The weakest link is always people. If you have somebody in front of your house giving you the key to the house and telling you the combination to the safe every day because you walk up as the safe repairman and say, hey, junior, your mom said to stop by and fix the safe for you, could you give me the code, she left it under the mailbox, how do you protect against that? So these technology vendors, a lot of them get the brunt of the problems, it is Google, Microsoft, or whoever, but a lot of times the frailty is the people, the users themselves. A lot of it is just awareness, what is good behavior on the internet itself. The friction point that we are seeing today is beginning to prioritize security over efficiency. It is a pain if you have to log into the online bank and remember all these passwords and they send you a text, but you know what, security takes priority. So you will take some inconvenience now to be secure with your assets. That is another big tipping point we are seeing, which is good.

Mr. Slen: What is the dark web?

Mr. Watters: It's basically a part of the communication that goes on that is not open to Google. It's basically communication forums where people are buying and selling illicit cyber tools, whether they are cyber mercs for hire, or selling stolen credentials or selling exploit kits or bot infrastructures or selling access to customer environments; there is a whole dark web that goes on with this illicit trade. You cannot just build machinery to go listen to the dark web for the information. You actually have to have somebody engaging on it to be able to pervasively stay there and gain anything positive from the intelligence perspective.

Mr. Slen: What are some common forms or uncommon forms of malware?

Mr. Watters: There are several common forms. There is destructive malware that tries to destroy your operation, your operating system, where you cannot reopen it. We saw some of that with the Sony breach, basically destroying your ability. There is encryption now, a locker type of attack: we will encrypt your data and if you send me a thousand dollars, I will send you the encryption key to use your data. One is destruction, one is encrypting it with a third party. The most common is APT, advanced persistent threat, which is constantly on your system and cannot be detected, and it is trying to gain access to files and information and things of value from an information perspective to exfiltrate that from your entity.

Mr. Slen: With the advent of wireless, has that made security more difficult or has it made it easier?

Mr. Watters: I think it has made it more difficult. It is just another access point. You talk about trying to maintain the protective layer without the idea of the threat. If you're not saying here are the threats that are active, how do I protect against those, if you do not look at the world through that lens, you say I have all these things to protect, how do I protect them, and you go to all the access points. All the devices, the internet, all the connectivity with the vendors, the channel partners, you are so connected, and all the wireless connections, there is no way to protect everything. Wireless is just another expansion point of the ways into your environment from a threat perspective. Instead of trying to protect everything, the view that shifts and really shrinks the problem from the defender's perspective is: what are the threats I am concerned about, how are they executing those threats, not hypothetically but really how they are doing them, and how do I protect against those threats. Wireless nexus or wireline or a vendor or a particular type of malware, you should know what they are trying to do and protect against that. A finite, structural thing, not this infinite thing called "any way in works." You cannot just protect against the radicals as the actual probables.

Mr. Slen: John Watters, on your website there is an article about the FBI saying you might as well pay the ransom because we cannot figure out how to get rid of this malware.

Mr. Watters: Yeah. It's an interesting turn, isn't it? The whole don't negotiate with hostage takers, don't negotiate with terrorists. At the same time, you are a little business, you cannot pay your bills or meet payroll because you cannot operate, and for $1,000 you will regain your operational efficiency until they do it again; at least it buys you some time. I think their point is probably that. If you need to operate your business and that is the only way to do it near term, buy some time and we will figure out a solution long term. The ransom kits are pretty well written. The small defenses against them are tough. They can just change the code modestly every time, where the malware detection routines may detect the last version but not the next version. Again, it's a pace of defending against things that have happened, not understanding what's going to happen.

Mr. Slen: We recently talked with Jim Lewis of the Center for Strategic and International Studies. He said that the main state actors are China, Russia, North Korea and Iran. Are there other actors out there, or non-state actors, that are becoming real threats?

Mr. Watters: I think most national apparatuses have a capability they are using. The examples that Jim gave, almost every one of them to my knowledge are intellectual or intelligence position officers. They operate on two fronts. It might be China or Iran or Russia or North Korea. If you look at the Sony breach, the North Korean government is saying we did this, or somebody in the North Korean military or the Guardians who say, it is not us, it is just some interest of a group affiliation that got together to cause damage at Sony; they try to remove themselves from it, so there is plausible deniability and there is a layer between the national apparatus and the executioner of the threat. A lot of these countries operate through third-party fronts, teams, groups, activists, hacktivists, that gives them deniability. It is attribution, and executing it on that behalf.

Mr. Slen: In your building, you have a dark room with a lot of people on computer screens. What are they doing back there?

Mr. Watters: Analysis. It's easy to say you have the puzzle pieces, put together the puzzle; it is actually harder to do. The technical piece is technical skills, reverse engineering the malware, how it operates, how it compiles, how to break the encryption. They operate in the darkness and they sit there and analyze the problems to help customers simplify what they are looking at. Our customers send us malware they do not understand, we are not sure how this operates, and we break it down and say this is how it operates and that is connected to this group and here is what they are trying to do. So you go from a technical problem to understanding the risk issue to make good decisions for the enterprise from the defensive perspective. The guys in the room, the technical guys, when the lights are off, it is usually analysis of a product.

Mr. Slen: Why does the room stay dark?

Mr. Watters: I don't know. When I got in this business, it was the craziest thing, when the lights go out, everybody likes to work in the dark. I think it is just easier for the guys to sit in a dark room in front of a bright screen. It's always a lot of passion working here or anywhere; they would be doing the same kind of thing. They love their job.

Mr. Slen: Do you ever hire ex-hackers?

Mr. Watters: We do not hire any black hats that have gone good. We are not in that business. White hat hackers try to protect against black hats; we don't hire the guys who were bad who now want to be good. That is just too risky.

Mr. Slen: In our conversation with Jim Lewis, he talked about what he thought were the greatest threats, including an electrical blackout, such as we saw several years ago. Where do you see the biggest threat? Is it financial, warfare, etc.?

Mr. Watters: That's a good question. The latest one is really disruptive, destructive malware, excuse me, like we saw in the Sony breach. Now your data is gone, you cannot operate in your environment, your ability to operate and communicate is out there, they have overwritten the databases, and your operational ability goes away. That is a scary moment. Any business that is connected, destructive malware, near term, the effect, whether it is applied to take out electricity or take out a database or impair your ability to communicate, there are different ways to use destructive malware and disruptive malware. Where it gets used is really a function of the why. I don't think a lot of countries ostensibly want to bring a rebuttal from us, because people are text-based in their thinking. If a country means to take out our grid, in theory it is like, well, they took out a physical capability for a country, so the response will be the same level of effects. OK, we can drop a bomb and take out theirs and we are even. People are still trying to figure out the policy on this: the cyber element that is used to create physical damage, can you go back and create physical damage? The rules of the road and rules of engagement are still unfolding on the national side. From a criminal perspective, they don't want to take out our ability to operate. That is their lifeblood. That is how they make money. You shut down the internet, you destroy data, you destroy the ability to operate, they have reduced the target environment. They want to keep operating and expanding the flexibility and functionality of our banking system, to give them more places to go. The criminal interests have no want to destroy us. That would be a nation or terrorist group.

Mr. Slen: John Watters, what are the mechanics of malware and the actors who put them out there, how does it operate?

Mr. Watters: The malware is just a component of it. The entire phase, you have to get into somebody's environment. Unless you are sophisticated or have unique proprietary access to raise he read dave on her to some have to participate, they are just passively hacked; a lot of times it is an email that says, hey, check out this CNN article on whatever, the C-SPAN clip, just click here. You click on the link and by doing so you just allow the malware into your environment.

Mr. Slen: Into the network?

Mr. Watters: Onto your desktop. Now I'm able to become you. Now that I'm in your environment, I can steal your passwords; you probably use the same passwords over and over again, so my malware will persist and try to expand as far as I can into the rest of the network to gain access to something of interest. So you have to persist. You have the antivirus and all these things that are trying to scrape the malware, so it wants to hide and look like it's good, so it does not draw attention to itself. Then the malware tries to proliferate in your environment until it finds something of interest. Now it is harvesting the different data files, pieces of information that would be of interest to whoever the adversary is. You now need to get that information out in a way that is not detected. So if it takes a huge file and tries to send it somewhere, the alarms go off. So it says, OK, how do I get into the regular slipstream of traffic: if you are busy sending files between 9:00, 10:00 in the morning and 6:00 at night, it will go at those times so it looks like your network traffic. Now it has gained information outside of the environment. Now it has to get back. So it goes to drop servers, to dump all the files. Then it has to get back to the host location without it being traceable. There are ways to clear its tracks, going through the navigation phase. That is how malware works. The malware and the spear phishing campaign: somebody has to say who creates the malware, because the guys do not create all their own tools. They go buy the tools, who do I host it with. As soon as you click on a spear phish, I have a server that will download the malware. So I have a spear phishing malware, I have to buy it from somebody. You have different actors in the whole ecosystem. You have the person behind it, who was the mastermind, who has the objective. You have the tool providers, the infrastructure hosters, the people coming up with the spear phish, the people hosting the servers to exfiltrate the data to, and then all of the routing components. It is an entire ecosystem. What makes the intelligence executable is a lot of those are handled by third parties, who are just selling malware or just hosting infrastructure or just hosting command and control, just hosting drop servers, or outsourcing the hack themselves to gain access for you. Let me just get the data for you. There are so many bit players in this ecosystem, the mastermind sits back and says, you know what, it's a lot easier to maintain my anonymity if I use all these people to do it for me. So they put together the puzzle pieces and execute the strategy and get what they want for the least amount of money possible.

Mr. Slen: Give us a snapshot of who that mastermind might be. A college student somewhere, a mathematician?

Mr. Watters: It varies very much by the type of cyber threat. A hacktivist is different from a cyber espionage campaign. Cyber espionage may be a national interest that does not want to operate through the apparatus to target the energy sector of another country or the defense industrial base. A degree of separation and plausible deniability. There will be a group of folks affiliated with the national interest that operates as a team or group saying, hey, we don't like energy companies, so we will try to steal their stuff. So they will create cause for action. The tools may be partially provided by the government. The infrastructure may be partially provided by the government. But it is an independent group. So the mastermind is typically somebody either currently or previously in that military capability. That is the national cyber espionage operator operating through a front. If you move into cybercrime, they use partially national tools, partially privatized. It varies. With crime groups you have a lot of organized crime spillover; traditional organized crime groups have a cyber division, which will have somebody who says, OK, here is what we are going after to pick up information for identity theft, online banking theft, online payment systems, all those various flavors, and you have a VP in charge of each one. Then you have the service providers. The infrastructure providers you want to use, the vendor list. The tools you want to use, the malware manufacturers we want to purchase code from, who are the mules if we steal things out of the country and we need somebody to pick up an envelope and ship us money. They build the whole ecosystem of suppliers to their strategy, but they sit very well removed from that. They are almost never involved in the activity themselves. They bear the majority of the profits from it.

Mr. Slen: Are you reverse engineering? Are there fingerprints throughout this entire ecosystem?

Mr. Watters: Yeah, the fingerprints are any one of the suppliers in the supply chain. Your infrastructure provider, somebody who sells malware kits, selling and merchandising stolen credit card credentials or IDs that were harvested, all of the bit players buy from and sell to. They are getting their tools from somewhere. They are getting their code from somewhere. They are getting their data from somewhere if they are stealing it. You have who they are buying it from and who they are selling it to. You have this whole ecosystem of who was compromising a victim, to who is actually selling the tools to do it, to who is actually selling the stolen goods that come out of it, to who is monetizing the credit cards, who is taking the actual monetization and going to Western Union and sending it back. If you track all those different pieces, who they buy from and sell to, you begin to build a pretty good ecosystem understanding of the campaign.

Mr. Slen: How are these bad actors, as you call them, John Watters, how are they financially compensated? Is there actual cash ever exchanging, or is it all via wire?

Mr. Watters: Almost always virtual currency, so bitcoin and currency exchanges. Some barter systems: I will trade you this for that. So a barter system to virtual currency to bitcoin. There is a whole variety of mechanisms. Western Union or cash in a box like the traditional criminal assets you think of. The same dollar volume you're thinking of either. That credit card may be worth a dollar, 50, anywhere in between. These are volume operators; the actual bit players do not make that much money. The masterminds make a fortune. The guys behind these things could make tens of millions of dollars per quarter. The actual mule might make tens of thousands of dollars per month. A guy may create code over a month and sell his exploit kit and make 20,000, 30,000. The kit used against retailers, that was 6,000 he was selling it for. So a few people bought it, there is no honor among thieves, and these guys give it to their buddies for free. Next thing you know you're not getting 6,000 anymore because it's free. They sell it to the first couple of folks, it's leaked, then there is no market. So different players have different amounts of money they make from it.

Mr. Slen: Given the fact it's a lot of virtual currency or electronic currency, does that make it easier to track?

Mr. Watters: It makes it harder to track, actually. People can load the virtual currency on their credit card or bank account. There is a whole myriad of ways to misattribute who owns the various currency. Bitcoin by its nature has nothing attributable to the currency and transactions. Most of the virtual currency is the same. So the way it is loaded, you may have 10 people who each load up 100 each into a Vir