Interviews | July 20, 2023

Increased Global Tensions Have Led to More Cyber Espionage Activity

Fortinet | Netscout | ProofPoint | ThreatLocker | Trellix

Derek Manky
Chief Security Strategist and Global VP Threat Intelligence


Q1. What exactly is red-zone threat intelligence? How does it help enterprise organizations improve their security posture?

Red zone intelligence is a prioritized list of the areas that defenders should focus on the most – it’s the “open active attack surface,” or the vulnerabilities that remain unpatched.

We calculate the red zone by comparing the open attack surface to the active attack surface—those open holes that we observe attackers actually trying to exploit or attack. It represents the critical areas that absolutely need to be patched and serves as a practical guide to CISOs.

This kind of intelligence is key because it helps really focus security efforts on specific areas, so defenders can prioritize risk mitigation and reduce the active attack surface. This is a far more feasible approach than trying to defend every single endpoint and area of an organization with equal firepower. It also provides a good board-level report to show ongoing correlated activity.

As an example of the kinds of insight that red zone intelligence can provide: When our FortiGuard Labs researchers analyzed CVEs for the second half of 2022, they determined that less than 1% of the total observed vulnerabilities discovered in an enterprise-size organization were on endpoints. However, we would have anticipated that attackers would prioritize CVEs based on their presence on endpoints. Instead, we saw a large number of CVEs that were prevalent on endpoints but rare among attacks. While attackers choose their targets based on a number of factors, it was interesting to see that a multitude of exploitable CVEs didn’t seem to be one of those factors.
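
As an added illustration of the calculation described above (example code written for this page, not Fortinet's own method or tooling), the script below intersects a constructed inventory of unpatched CVEs per host (the open attack surface) with constructed exploitation-attempt telemetry (the active attack surface), ranks the resulting red zone, and separately lists the "prevalent on endpoints but rare among attacks" set the answer mentions. Record shapes and the CVE ids are placeholders, not real identifiers.

```python
"""Red-zone prioritization: open attack surface (unpatched CVEs present on hosts)
intersected with the active attack surface (CVEs attackers are observed probing).

Added example, not Fortinet's code. Record formats are assumptions; CVE ids are
placeholders of the form CVE-0000-NNNN and all sample data is constructed.
"""
from collections import Counter, defaultdict

# Constructed vulnerability-scan findings: (hostname, unpatched CVE id).
SCAN_FINDINGS = [
    ("ws-101", "CVE-0000-0001"), ("ws-102", "CVE-0000-0001"),
    ("ws-103", "CVE-0000-0001"), ("ws-104", "CVE-0000-0001"),
    ("ws-101", "CVE-0000-0002"), ("ws-102", "CVE-0000-0002"),
    ("srv-vpn-1", "CVE-0000-0003"),
    ("srv-web-1", "CVE-0000-0004"),
    ("ws-103", "CVE-0000-0005"), ("ws-104", "CVE-0000-0005"),
]

# Constructed IPS/WAF telemetry: (CVE id, exploitation attempts seen against us).
EXPLOIT_ATTEMPTS = [
    ("CVE-0000-0003", 100), ("CVE-0000-0003", 20),  # same CVE may appear twice
    ("CVE-0000-0004", 45),
    ("CVE-0000-0005", 2),
    ("CVE-0000-0099", 300),  # heavily probed, but no scanned host carries it
]


def open_attack_surface(findings):
    """Map each unpatched CVE to the set of hosts where it is present."""
    exposure = defaultdict(set)
    for host, cve in findings:
        exposure[cve].add(host)
    return exposure


def active_attack_surface(attempts):
    """Sum observed exploitation attempts per CVE (missing CVEs count as 0)."""
    active = Counter()
    for cve, count in attempts:
        active[cve] += count
    return active


def red_zone(findings, attempts):
    """CVEs that are both open (on >= 1 host) and active (>= 1 attempt).

    Returns (cve, exposed_host_count, attempt_count) tuples, most-attacked
    first; ties broken by how many hosts are exposed.
    """
    exposure = open_attack_surface(findings)
    active = active_attack_surface(attempts)
    zone = [(cve, len(hosts), active[cve])
            for cve, hosts in exposure.items() if active[cve] > 0]
    zone.sort(key=lambda row: (row[2], row[1]), reverse=True)
    return zone


def prevalent_but_quiet(findings, attempts, min_hosts=2):
    """CVEs widespread in the estate but with no observed attempts.

    This is the 'prevalent on endpoints but rare among attacks' set: still
    worth patching, but after the red zone.
    """
    exposure = open_attack_surface(findings)
    active = active_attack_surface(attempts)
    return sorted(cve for cve, hosts in exposure.items()
                  if len(hosts) >= min_hosts and active[cve] == 0)


def attacked_but_unexposed(findings, attempts):
    """CVEs being probed that no scanned host carries: a detection-tuning input,
    not a patching priority (unless the scan coverage itself is incomplete)."""
    exposure = open_attack_surface(findings)
    active = active_attack_surface(attempts)
    return sorted(cve for cve in active if cve not in exposure)


if __name__ == "__main__":
    for cve, hosts, hits in red_zone(SCAN_FINDINGS, EXPLOIT_ATTEMPTS):
        print(f"PATCH FIRST {cve}: {hosts} host(s) exposed, {hits} attempts seen")
    print("patch next:", prevalent_but_quiet(SCAN_FINDINGS, EXPLOIT_ATTEMPTS))
    print("tune detections:", attacked_but_unexposed(SCAN_FINDINGS, EXPLOIT_ATTEMPTS))
```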

Q2. From your vantage point as head of threat intelligence at Fortinet, what are the threats that concern you the most, currently and over the next two years?

We are seeing a shift towards attacks that focus on services as opposed to data—which is the focus of traditional ransomware. Maturing cybercriminal enterprises are increasingly moving toward these types of attacks because they have the tools and resources to do so – and because they can create a bigger impact. They’re effectively transforming the ransomware playbook with this approach, and they are demanding even higher ransom payments in these very targeted attacks. What’s especially concerning is that these attacks are not just targeting enterprises, they are going after critical infrastructure like manufacturing and other industrial sectors. In fact, manufacturing is the number one target we’re observing.

Q3. What does Fortinet plan on showcasing at Black Hat USA 2023?

In addition to unveiling the findings from its 1H 2023 FortiGuard Labs Threat Landscape Report, Fortinet will be showcasing several areas that are extremely pertinent to cybersecurity in 2023, including:

  • Fortinet SecOps solutions for advanced detection and response based on AI and intelligent automation. Presentations and demos will focus on EDR/XDR, NDR, SIEM, SOAR, and SOC-as-a-Service offerings.
  • Cloud and application security experts will demo and discuss the latest innovations in unified SASE, DevSecOps, and other critical topics for cloud-focused organizations.
  • Converged IT/OT security is now widely recognized as an important evolution in risk management, and we will have a special emphasis on OT/IoT security across our solutions.
  • Fortinet incident response experts will share best practices in risk reduction, ransomware attack response and other topics during presentations and at our Expert Bar.
  • As organizations continue to consolidate their security vendors, our new FortiFlex usage-based licensing makes it simple for our customers to procure solutions and dynamically right-size their cybersecurity spend.

Sanjay Munshi
SVP of Product Management


Q1. Netscout released its Visibility Without Borders platform recently. What business or security issue is the technology designed to address? What's driving the need for such platforms?

As organizations execute their digital transformation strategies, they are faced with three key challenges:

  • Increasing Complexity. They may have hundreds or thousands of applications hosted in private data centers, colocations, the cloud, and SaaS environments - all of which challenge performance, availability, and security. Other trends such as the migration of MPLS to SD-WAN, or VPN to SASE, further increase the complexity of the deployment.
  • Loss of control resulting in finger-pointing between ITOps and the SaaS provider teams. As services and infrastructure migrate off-premises into third-party environments of vendors/partners, IT organizations may lose visibility and control over that part of the ecosystem, making it more challenging to solve problems quickly and assure an optimized end-user experience.
  • Ever-expanding threat landscape. As the enterprise infrastructure expands and bad actors increase in number and sophistication, those actors are taking advantage of more vulnerabilities than ever, particularly in the era of new digital technologies like IoT, 5G mobile, and multi-cloud.

All of this has created blind spots in what originally was a well-designed and controlled network and application monitoring strategy. Be it restoring critical application performance, detection and investigation of threats or breaches, or maintaining the availability of business-critical services, the impact of these blind spots is an increase in Mean Time to Restore.

NETSCOUT’s Visibility Without Borders Platform is designed to provide visibility into the blind spots. The platform provides a common network data-based framework that can be leveraged across NetOps, SecOps, and AIOps teams who today use different point solutions and siloed data. By using a common dataset, these teams are essentially speaking a common language, enabling them to reduce the mean time to knowledge and ultimately restore.

At the core of the NETSCOUT Visibility Without Borders platform is our patented Adaptive Service Intelligence (ASI) technology. ASI creates real-time metadata derived from scalable, deep packet inspection of network traffic across an organization’s entire digital infrastructure. Our Visibility Without Borders platform provides a common source of packet-derived data that IT, NetOps, SecOps, and AIOps teams can leverage to solve performance, availability, and security challenges.

Q2. What role do you see for AI in IT ops over the next few years? Where do you see AI making the biggest difference with regard to IT operations?

I believe AI will play a crucial role in IT operations (IT Ops) over the next few years. A few areas I think AI will impact are:

  • Automated Monitoring and Alerting: AI can enhance IT Ops by automating the monitoring of system health, performance, and security. AI algorithms can analyze vast amounts of data in real-time, detect anomalies, and generate alerts for potential issues.
  • Predictive Analytics: AI can leverage historical data and machine learning techniques to identify patterns and trends, enabling IT Ops teams to predict potential outages or performance bottlenecks.
  • Intelligent Incident Management: AI-powered systems can analyze incident data, troubleshoot problems, and provide recommendations for resolution. These systems can automate the initial stages of incident management, reduce mean time to restore (MTTR), and enhance the efficiency of IT Ops teams.

Overall, AI is poised to revolutionize IT Ops by enabling faster, more accurate decision-making, automating routine tasks, improving efficiency, and enhancing the overall reliability and security of IT systems. However, these AI-derived outcomes are highly dependent upon quality input data. You constantly see the results of AI not using quality data. For example, many network management or threat detection solutions today use AI/ML, but also generate many false positives, causing alert fatigue for Net/SecOps teams. Many of these solutions use a common top-heavy analytics architecture. That is, all the intelligence and analytics are done in a centralized manner. At NETSCOUT we believe in the opposite approach, a distributed approach to AI/ML.

Underlying any AI system are two key components, the ML models and the data set used to feed the models. While open-source movements like OpenAI have done a great job of democratizing the models and algorithms, the challenge the industry is facing is the quality and fidelity of the data set, and that is where NETSCOUT is focused. We conduct most of our ML-based analytics at the source of packet capture in distributed, highly scalable deep packet inspection network sensors. Our domain-specific framework for AI/ML results in a much more scalable deployment, a refinement of signal-to-noise ratio, much less data that is sent to a central console/cloud, fewer false positives, and ultimately faster time to knowledge and restoration.

Q3. How does Netscout plan on engaging with customers and other attendees at Black Hat USA 2023? What technologies and/or services do you plan on highlighting at the event?

At Black Hat 2023, we will be showcasing our Visibility Without Borders Platform for three Enterprise Use Cases:

  • Observability and End User Experience management using nGenius Enterprise Performance Management Software – A solution that monitors, troubleshoots, and maximizes the performance of mission-critical applications and services. The solution integrates with ITOps, AIOps, and SecOps ecosystems through APIs and data export and import utilities.
  • Advanced Network Threat Detection and Response software using Omnis Cyber Intelligence – An advanced, deep packet inspection-based network detection and response solution that uses actionable ML-based analytics and insights to defend organizations from increasingly sophisticated and damaging cyberattacks.
  • Dynamic Distributed Denial of Service Attack Protection using Arbor DDoS Protection Software – An industry-leading DDoS attack protection solution that uses unmatched global visibility, DDoS threat intelligence, and ML-based analytics to conduct Adaptive DDoS Protection designed to stop modern-day dynamic DDoS attacks.

Come visit us at Booth #1250.

Ryan Kalember
EVP, Cybersecurity Strategy


Q1. Based on the findings in Proofpoint's recent "Human Factor" report, how should enterprise organizations be bolstering or adjusting their security defenses to deal with current and emerging threats?

No matter where threat actors look for inspiration for their next attack, a multilayered, people-centric approach to prevention is the key to defending against future threats. Users who are trained to expect the unexpected will be primed to spot a threat and break the attack chain, whether it comes in the form of a note-perfect phishing page or a sly text message purporting to be from an old friend.

Cyberattacks are inevitable. But with the right mindset, tools and policies, they can be a manageable risk. Organizations should deploy solutions that give you visibility into who's being attacked, how they're being attacked, and whether they clicked.

Build robust email defenses. The number one threat vector remains at the top of the charts for the attacks of real consequence, from ransomware to business email compromise (BEC). In the past year, we have seen attackers scale previously niche techniques, like multifactor authentication-defeating proxy phishing, and continue to find ways around malware defenses, from the abuse of OneNote files to HTML smuggling. Investments in comprehensively protecting email – from malware and phishing detection to authentication and user awareness – remain key to countering the threat landscape.

Take away common attack paths through Active Directory and Microsoft 365. Ransomware attackers are highly dependent on escalating their privileges through Active Directory, while adversaries who specialize in financial fraud require the communications, data, and insight into legitimate transactions and relationships that only Microsoft 365 provides. Better securing those environments makes it much less likely that a single compromise will turn into an enterprise-wide breach.

Partner with a threat intelligence vendor. Focused, targeted attacks call for advanced threat intelligence. Leverage a solution that combines static and dynamic techniques to detect new attack tools, tactics, and targets—and then learns from them.

Q2. What prompted Proofpoint to join CISA's Joint Cyber Defense Collaborative? Why are such initiatives important?

It’s impossible to solve cybersecurity challenges in a vacuum. That’s why the public-private partnership facilitated through CISA’s JCDC is so critical to boosting our nation’s cyber defense. Here, the government and private sector work together to identify threats and share information about the current and emerging threat landscape to enhance our collective resilience.

Proofpoint has a world-class threat research team that offers unique insights, while its email and network telemetry provide unparalleled visibility into threats. Our partnership with JCDC underscores our commitment to collaboration with the global cybersecurity community to advance our nation’s cyber resilience and apply our collective capabilities to solving cybersecurity challenges. JCDC membership provides Proofpoint with an opportunity to bolster our practices and products with timely intelligence about emerging threats and vulnerabilities.

One of the additional benefits of JCDC membership is the ability to incorporate preliminary cyber threat data as well as subsequent findings into Proofpoint’s threat intelligence offerings and investigations methods. This information sharing will result in the ability to deploy protection faster and better. And through shared threat intelligence, Proofpoint, JCDC, and CISA will be well positioned to remain ahead of adversaries while protecting organizations with actionable insights.

Q3. What are some technologies or insights that Proofpoint aims to share with the cybersecurity community at Black Hat USA 2023? Are there any specific announcements, talks or engagements that attendees can expect from Proofpoint?

During Black Hat 2023, we invite attendees to visit us at Booth #1640 during expo hours to learn more about our unique people-centric approach to cybersecurity, empowering organizations to stop malicious email attacks, detect and prevent identity-based threats and defend sensitive data from theft, loss and insider threats. You'll see our solutions in action, with live demos of Email Threat Protection, Email Fraud Defense, Data Loss Prevention, Insider Threat Management, Awareness, Web Security/Isolation, and Identity Threat Defense.

Our Threat Research team will also share some of the emerging trends we are seeing with high-profile attack chains and what this means for making confident attributions on Wednesday, August 9th at 10:30 a.m. in Room MB-J. It was always the case that threat actors regularly adopted new tactics, techniques, and procedures to try and defeat defenders: we put new technologies in place, they try and subvert them. In 2023 this cycle of evolution has continued to accelerate. We are observing threat actors iterate changes within their attack chains at an unprecedented rate … but one of the biggest developments is not just new techniques but also the overlap present amongst a variety of high-profile activity.

Danny Jenkins
Co-Founder and CEO


Q1. What prompted ThreatLocker's recent decision to acquire HyperQube? How will your customers benefit from the acquisition?

ThreatLocker aims to make the concept of Zero Trust easy for all IT administrators and end-users alike. On September 9, 2022, ThreatLocker launched its Testing Environment. This feature provided a sandboxed environment where an administrator would have visibility of the software and its dependencies, dynamically evaluating its behavior to see if it attempts to make registry changes, access files, other applications, or the internet. Built on HyperQube's virtual desktop infrastructure, the Testing Environment enhances ThreatLocker's application control products and minimizes the guesswork.

With this new feature, businesses can safely evaluate applications in a cloud-based environment, monitor and decide the best course of action, and evaluate approval requests quickly. The success of this new feature drove ThreatLocker to acquire the assets of HyperQube to continue developing and improving the technology that powered its latest feature. The benefits of this technology have reduced the risk of cyberattacks as users can make informed decisions about the applications they allow, saving ThreatLocker customers time and resources.

This agreement was not just an acquisition of proprietary information but of shared intelligence in the cybersecurity industry as former CEO of HyperQube, Craig Stevenson, has joined the ThreatLocker team leading its newest department, ThreatLocker Ops.

Q2. You have described ThreatLocker Ops as helping organizations reduce their reliance on EDR tools. How exactly does Ops do that?

ThreatLocker has a unique approach in the endpoint protection space by taking a proactive stand on cybersecurity and prioritizing least privilege controls with a default-deny methodology.

With its robust application control policies, ThreatLocker is now providing even more visibility into what is happening in an IT environment through a more coherent solution. ThreatLocker Ops delivers a console where administrators can monitor behavior, receive alerts, and remediate accordingly. We have seen instances where ThreatLocker customers often pair the software with a well-known EDR to optimize their strategy and where ThreatLocker has displaced EDR solutions. ThreatLocker Ops will remove the headache of dealing with multiple security products by various vendors. It provides similar functionality while integrating seamlessly with other ThreatLocker products, where other policies and automation can be used for remediation.

By eliminating reliance on different tools, ThreatLocker aims to provide customers with a more cost-effective and consolidated solution, boasting features solely for the user to take security into their hands through its Health Center, ThreatLocker Community, and other policies. The shared intelligence of the IT community will provide a valuable tool for dealing with a variety of threats that are industry-specific or vendor-specific. ThreatLocker Ops will offer more security controls, less agent fatigue, and no overhead on managed endpoints.

Q3. Could you provide a glimpse into the topics or areas of expertise that ThreatLocker will be focusing on during its presentations, panels, or engagements at Black Hat USA 2023?

Black Hat is a culmination of some of the brightest minds in IT, bringing the most cutting-edge technology to the forefront. The plethora of security vendors operating in today's marketplace can be overwhelming. With so many options, it's easy to be distracted by the latest, greatest, shiny tool. I will be doing a deep dive into the purpose of endpoint security and how you can use that to your operational advantage and safeguard your business.

In this session, participants will understand the evolution of technology over the years and how cybersecurity needs to adapt, understand the access points and vulnerabilities of modern-day networks, the difference between a reactive and proactive approach to cybersecurity, and why governments are mandating that organizations implement a proactive Zero Trust approach to cybersecurity.

ThreatLocker will also conduct live hacks and demos as a part of its "Threat Talks" at ThreatLocker Booth 1140. These short sessions will be at 30-minute intervals and will feature well-known hacks, how they were executed, and how they could've been stopped. During these "dissect-the-hack" segments, Director of ThreatLocker Ops, Craig Stevenson, will look at everything from brute force attacks, living off the land attacks with native tools like PowerShell, and data exfiltration to vulnerabilities like the Follina zero-day.

John Fokker
Head of Threat Intelligence, Principal Engineer


Q1. You were recently quoted as saying that threat actors are pushing the limits of attack vectors. How exactly are they doing that? What are the implications of that trend for enterprise security defenders?

The geopolitical changes and tensions in the last year have led to a surge of disruptive attacks linked to the conflict zone and spillovers and given rise to cyber espionage campaigns aimed at gauging the political viewpoints of the West. A result of a divide between East and West is also noticeable in the ransomware space, where certain larger groups like Conti Ransomware have dissolved into fragmented splinter groups after issuing a political statement. The increase in splinter ransomware groups using similar attack vectors is forcing certain groups to push the limits and explore more unknown software vulnerabilities in data-sharing platforms to steal sensitive data.

[Also noteworthy is] the rise of hacktivism, as groups of loosely organized individuals fueled by propaganda align for a common cause. They use cyber tools to voice their anger and cause disruption, presenting a new and unpredictable threat to many organizations. Lastly, at the end of 2023, we witnessed generative AI take center stage. As security companies implement some of the powerful capabilities, we have observed threat actors leverage some of the basic GPT functions to create very convincing spear phishing and CEO fraud campaigns. The era of emails full of spelling errors has now passed.

The implications for enterprise security defenders are that the attack vectors are pushed to the limit, and they must now deal with a new group of attackers that they previously did not account for. Unfortunately for the defenders, the threats do not remain static, and due to the interconnection and globalization, organizations might face new threats with the next global event. Having the right threat intelligence and tools to detect and respond effectively will be crucial in facing these threats going forward.

Q2. How has APT threat activity—particularly from China—evolved in recent years? What do security leaders need to understand about APT-related risks?

Threat groups linked to the Chinese government have been active for many years. However, we have seen a slight shift in their potential objectives. In the past we have observed cyber espionage campaigns aimed predominantly at intellectual property. We now see that threat groups, like Mustang Panda, are showing an increased interest in uncovering the Western political views on China as well as obtaining insider knowledge when it comes to the deployment and removal of Chinese-manufactured core communication technology in Western society.

The general rule of thumb that increased global tensions will lead to more cyber espionage activity is also applicable in this situation. From a Tactics, Techniques and Procedures (TTP) point of view, we continue to observe the usage of some highly deterministic Chinese-linked APT malware, as well as an increased usage of Living off the Land Binaries and Scripts, which make it harder to detect malicious actions as they are performed by non-malicious tools.

When we talk to security leaders, they often do not realize the value their organization holds for APT groups. From a security point of view, they need to understand the “crown jewels” they possess, and which nation-states might be interested. Having security controls that assist security leaders and practitioners to understand, detect, and respond to state-sponsored TTPs is a must. Nation-state threats are often multi-vectored, where cyber is only one tool in their espionage toolkit. If a cyber espionage campaign fails, a nation-state might use more conventional espionage methods. Understanding that your organization is at risk is half the battle, as this allows security leaders to put the right security controls and procedures in place to minimize the impact of a potential attack.

Q3. How does Trellix plan on engaging with customers and attendees at Black Hat USA 2023? What services and technologies do you plan on highlighting at the event?

We have many compelling demos and speaking sessions lined up for Black Hat this year that will engage customers and attendees. At Trellix's Booth 1932 we'll be showcasing:

Trellix Endpoint Security
Keeps organizations safer and more resilient with comprehensive visibility and control to secure endpoints before, during, and after attacks.

  • Manage and Protect Endpoints at enterprise-scale
  • Respond faster with AI-Guided Investigations and Advanced Forensics
  • A Foundational Pillar for XDR

Trellix XDR
Quickly reveal the alerts and threats that matter, cross correlate across vectors and easily determine the critical steps to stop the attack.

  • Close the Gaps with the Most Comprehensive XDR
  • Prioritize with Actionable Threat Intelligence
  • Empower with Exceptional Analyst Experience

Trellix Data Protection
Discovers, classifies, and protects data at rest, in use, and in motion across the organization while also providing context to Trellix XDR, to help SOC analysts quickly identify high-priority threats to the organization.

  • Provide comprehensive Data Security across network, endpoint, and cloud
  • Stop insider threats and outside attackers
  • Be compliant with a growing number of regulatory and industry requirements

Trellix Collaboration Security
As organizations strive to innovate and grow, they create highly complex interconnected networks of external partners, suppliers, vendors, contractors, and customers, introducing a largely unprotected attack vector. Trellix Collaboration Security ensures people can work together securely across the extended enterprise emerging threats.

  • Seamlessly Inspect Files Shared via Collaboration Platforms
  • Close Gaps from Third-Party Risks
  • Extend Security Across All Enterprise Applications

We encourage attendees to check out our phenomenal speakers, many of whom are part of Trellix's Advanced Research Team. Their sessions span:

Apple's Predicament: NSPredicate Exploits on iOS and macOS
Austin Emmitt, Vulnerability Researcher, Trellix Advanced Research Center

Learn about the predicaments posed by NSPredicate exploits on Apple's iOS and macOS platforms. Austin Emmitt, an esteemed Vulnerability Researcher from our Advanced Research Center, will delve into the intricacies of these exploits and share valuable insights on mitigating their impact.

SHAREM: Advanced Windows Shellcode Analysis Framework with Ghidra Plugin
Max Kersten, Information Security Specialist, Trellix
Co-speakers: Bramwell Brizendine and Jake Hince

Discover the power of SHAREM, an advanced Windows shellcode analysis framework integrated with the Ghidra plugin. Our experts will showcase how this tool enhances your ability to analyze and combat sophisticated Windows-based attacks.

Unveiling the Shadows: Understanding Information Stealers and the Genesis Market Takedown for Enhanced Cyber Defenses
Taylor, Consulting Solutions Engineer, Trellix

In this session, we delve into the world of information stealers, examining their methods, motivations, and the impact of their activities on victims. We explore the Genesis market takedown as a case study, shedding light on the inner workings of a major underground cybercrime marketplace that facilitated the sale of stolen credentials. By the end of this session, participants will gain a comprehensive understanding of information stealers, the Genesis market takedown, and practical steps to enhance their organization's defenses against these sophisticated attack vectors.