1
00:00:00,000 --> 00:00:09,700
Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy,

2
00:00:09,700 --> 00:00:13,360
reliability and compliance on the Microsoft Cloud Platform.

3
00:00:13,360 --> 00:00:15,680
Hey, everybody.

4
00:00:15,680 --> 00:00:17,720
Welcome to episode 84.

5
00:00:17,720 --> 00:00:22,920
This week our guest is Roberto Rodriguez, who's here to talk to us about topics related

6
00:00:22,920 --> 00:00:24,560
to attack simulation.

7
00:00:24,560 --> 00:00:28,120
But before we get to our guest, let's take a little lap around the news.

8
00:00:28,120 --> 00:00:30,680
Sarah, why don't you kick things off?

9
00:00:30,680 --> 00:00:37,200
So I've just got one to talk about today, which is the Azure Container Apps is now supporting

10
00:00:37,200 --> 00:00:43,000
environment level mutual TLS or mTLS.

11
00:00:43,000 --> 00:00:48,400
It's preview, but what it means is when you need end-to-end encryption, it's going to

12
00:00:48,400 --> 00:00:53,440
the mTLS will encrypt the data between app between different applications within an environment.

13
00:00:53,440 --> 00:00:58,680
So that's pretty cool if you need things to talk to each other securely.

14
00:00:58,680 --> 00:01:01,360
So that's just my one bit of news this week.

15
00:01:01,360 --> 00:01:05,360
Actually, before Mark picks up, I'm actually a huge fan of mutual TLS.

16
00:01:05,360 --> 00:01:09,800
I'm actually a fan of TLS in general as an authentication mechanism.

17
00:01:09,800 --> 00:01:14,320
Ignoring the channel protections for the moment, TLS by default gives you server authentication,

18
00:01:14,320 --> 00:01:17,280
but with mutual TLS, now you've got client authentication as well.

19
00:01:17,280 --> 00:01:19,200
So you're authenticating both ends.

20
00:01:19,200 --> 00:01:20,200
And that's really cool.

21
00:01:20,200 --> 00:01:21,880
So it's good to see.

22
00:01:21,880 --> 00:01:27,480
So since we are talking TLS, TLS is going to be disabled.

23
00:01:27,480 --> 00:01:36,080
I mean 1.0 and 1.1 is completely disabled starting in October in all Windows OSes.

24
00:01:36,080 --> 00:01:39,640
A couple related pieces of news from my perspective.

25
00:01:39,640 --> 00:01:42,360
Zero Trust Commandments are out and published.

26
00:01:42,360 --> 00:01:45,080
So we got the links there in the show notes for you.

27
00:01:45,080 --> 00:01:49,840
And those are essentially kind of the rules of the road, like what is and isn't Zero Trust?

28
00:01:49,840 --> 00:01:52,200
Basically what is good modern security.

29
00:01:52,200 --> 00:01:57,440
And I'm actually going to be in Houston in late October, just before Halloween, to speak

30
00:01:57,440 --> 00:02:03,600
about those commandments, the reference model that's shortly going to be released before

31
00:02:03,600 --> 00:02:05,200
that conference.

32
00:02:05,200 --> 00:02:08,000
Also a panel session that will include CSA.

33
00:02:08,000 --> 00:02:11,480
And I believe we're trying to confirm NIST there as well.

34
00:02:11,480 --> 00:02:15,280
So a number of open standards organizations getting together talking about what Zero Trust

35
00:02:15,280 --> 00:02:16,560
actually is.

36
00:02:16,560 --> 00:02:19,640
So lots of good stuff coming there.

37
00:02:19,640 --> 00:02:22,960
So I wanted to talk a little bit about Entra.

38
00:02:22,960 --> 00:02:29,120
There's additional settings in entitlement management in the policy that is going to

39
00:02:29,120 --> 00:02:34,640
be changed or added into the Entra ID governance.

40
00:02:34,640 --> 00:02:42,760
It will provide more capabilities and would allow the customer to select to not have the

41
00:02:42,760 --> 00:02:48,940
policy create assignments, not to remove assignments and delay assignments removal.

42
00:02:48,940 --> 00:02:52,520
So that is a feature that was being asked.

43
00:02:52,520 --> 00:02:59,000
Also in public preview, cross tenant access settings basically are supporting custom RBAC

44
00:02:59,000 --> 00:03:01,080
roles and protection action.

45
00:03:01,080 --> 00:03:06,920
And what I mean is that cross tenant access settings can be managed with custom roles

46
00:03:06,920 --> 00:03:09,800
defined by the organization.

47
00:03:09,800 --> 00:03:17,480
And this enables you to define your own fine scope roles to manage cross tenant access

48
00:03:17,480 --> 00:03:22,480
settings instead of using one of the built in roles for management.

49
00:03:22,480 --> 00:03:25,560
I'm including some links for more information.

50
00:03:25,560 --> 00:03:27,280
I have a few items.

51
00:03:27,280 --> 00:03:29,200
The first one is in general availability.

52
00:03:29,200 --> 00:03:35,160
You can now use Azure Key Vault to securely store and retrieve the access key when mounting

53
00:03:35,160 --> 00:03:39,920
an Azure storage account as a local share in an app service.

54
00:03:39,920 --> 00:03:46,480
I realize that is incredibly specific, but if you are using Azure storage in an app service,

55
00:03:46,480 --> 00:03:50,040
you can now store the access keys in Key Vault.

56
00:03:50,040 --> 00:03:53,040
So that's a biggie if you care about it.

57
00:03:53,040 --> 00:03:55,480
Next one in public preview, this is one from my own backyard.

58
00:03:55,480 --> 00:04:00,120
You can now configure customer managed keys on existing Cosmos DB accounts.

59
00:04:00,120 --> 00:04:03,680
Historically, you had to create a new account and then migrate your data across, which is

60
00:04:03,680 --> 00:04:05,920
obviously pretty painful.

61
00:04:05,920 --> 00:04:08,640
Well now you can actually do it on an existing account.

62
00:04:08,640 --> 00:04:10,920
So that's great to see.

63
00:04:10,920 --> 00:04:16,360
Now in general availability, trusted launch as the default for a virtual machine that

64
00:04:16,360 --> 00:04:18,280
is deployed through the portal.

65
00:04:18,280 --> 00:04:21,880
Historically, trusted launch was not the default, but now it is.

66
00:04:21,880 --> 00:04:26,940
So trusted launch includes things like secure boot, a virtual TPM, measured boot, and also

67
00:04:26,940 --> 00:04:28,800
boot integrity monitoring.

68
00:04:28,800 --> 00:04:33,440
This is great for helping mitigate malware based root kits and boot kits and so on.

69
00:04:33,440 --> 00:04:36,120
So this is fantastic to see.

70
00:04:36,120 --> 00:04:44,680
A colleague of mine, Andreas Wolter, has written a paper if you are endeavoring on providing

71
00:04:44,680 --> 00:04:48,720
more discrete permission management in SQL Server and Azure SQL Database.

72
00:04:48,720 --> 00:04:52,640
He has a paper out that is worth reading called Delegating Permission Management Using Roles

73
00:04:52,640 --> 00:04:55,080
versus the With Grant option.

74
00:04:55,080 --> 00:04:58,240
So if that's something that you've been worried about or concerned about or have questions

75
00:04:58,240 --> 00:05:01,920
about, then Andreas, who by the way knows more than anyone on the planet to think about

76
00:05:01,920 --> 00:05:05,720
this stuff, is certainly worthwhile taking a look at that document.

77
00:05:05,720 --> 00:05:09,680
We now have in Azure Artifacts support for Rust crates.

78
00:05:09,680 --> 00:05:13,940
Now you can argue why we even talk about this on an Azure Security podcast.

79
00:05:13,940 --> 00:05:16,800
The reason why we're talking about this on an Azure Security podcast is I'm a huge fan

80
00:05:16,800 --> 00:05:18,480
of Rust and that's the only reason.

81
00:05:18,480 --> 00:05:23,280
But if you're using Azure Artifacts and you're building solutions in Rust, you can now store

82
00:05:23,280 --> 00:05:26,960
those crates as artifacts in Azure Artifacts.

83
00:05:26,960 --> 00:05:28,960
That's fantastic to see.

84
00:05:28,960 --> 00:05:31,600
The last one, there's a bit of a story behind this.

85
00:05:31,600 --> 00:05:36,320
I'm not going to go into the whole story, but if you're familiar with Azure Policy,

86
00:05:36,320 --> 00:05:41,800
maybe you're aware that there are some things in Azure SQL Database you can't control through

87
00:05:41,800 --> 00:05:42,840
Azure Policy.

88
00:05:42,840 --> 00:05:46,880
Because once you get inside of the SQL Engine, it's its own model.

89
00:05:46,880 --> 00:05:50,720
It's its own SQL Server security model and access control model and so on.

90
00:05:50,720 --> 00:05:55,720
Well, one thing that's been asked for a small number of very large customers who have requirements

91
00:05:55,720 --> 00:06:01,960
around securing their environments is the ability to block T-SQL CRUD features.

92
00:06:01,960 --> 00:06:05,000
So for example, create table, create database and that sort of stuff.

93
00:06:05,000 --> 00:06:07,160
So create, read, update, delete.

94
00:06:07,160 --> 00:06:18,080
You can now actually block those T-SQL statements by setting essentially a policy in Azure itself.

95
00:06:18,080 --> 00:06:22,560
So if you set this policy, there's a link to it in the show notes and the process you

96
00:06:22,560 --> 00:06:23,560
have to go through.

97
00:06:23,560 --> 00:06:25,960
It's actually not part of policy, but it's mimicking policy.

98
00:06:25,960 --> 00:06:30,480
But it will then block things like create database, drop database, alter database, all

99
00:06:30,480 --> 00:06:32,240
sorts of other kind of CRUD operations.

100
00:06:32,240 --> 00:06:35,000
It will block all of those, which is actually really kind of nice.

101
00:06:35,000 --> 00:06:39,160
You must be an owner or a contributor on the subscription to set this.

102
00:06:39,160 --> 00:06:43,400
But some customers have asked for this because it gives them a much tighter control and helping

103
00:06:43,400 --> 00:06:48,440
restrict kind of drifting away from a secure baseline, which is the whole point of Azure

104
00:06:48,440 --> 00:06:49,440
policy.

105
00:06:49,440 --> 00:06:50,760
So really, really cool to see this.

106
00:06:50,760 --> 00:06:56,280
Again, it's a little bespoke, but for those who need it, very happy to see this in there.

107
00:06:56,280 --> 00:06:57,280
All right.

108
00:06:57,280 --> 00:07:00,320
Now that we have the news out of the way, it's fantastic to see everybody here this

109
00:07:00,320 --> 00:07:01,320
week.

110
00:07:01,320 --> 00:07:02,320
Really great to see.

111
00:07:02,320 --> 00:07:04,640
Let's now turn our attention to our guest.

112
00:07:04,640 --> 00:07:08,920
This week, as I mentioned, we had Roberto Rodriguez, who's here to talk to us about

113
00:07:08,920 --> 00:07:10,840
attack simulation and more.

114
00:07:10,840 --> 00:07:13,160
Roberto, thanks so much for joining us this week.

115
00:07:13,160 --> 00:07:16,120
We'd like to take a moment and introduce yourself to our listeners.

116
00:07:16,120 --> 00:07:18,160
Yeah, thank you very much, Michael.

117
00:07:18,160 --> 00:07:20,000
Yeah, my name is Roberto Rodriguez.

118
00:07:20,000 --> 00:07:25,880
I'm a security researcher for the Microsoft Security Research Organization.

119
00:07:25,880 --> 00:07:29,400
This is part of the Microsoft Threat Intelligence Center.

120
00:07:29,400 --> 00:07:31,920
I used to be part of the R&D department.

121
00:07:31,920 --> 00:07:39,360
I'm still doing R&D, but now as part of the whole Microsoft Security Research Organization.

122
00:07:39,360 --> 00:07:45,480
Usually just doing a lot of research, trying to use a lot of the services that we already

123
00:07:45,480 --> 00:07:51,160
provide to expedite some of our processes to validate security controls internally and

124
00:07:51,160 --> 00:07:52,800
also doing some research.

125
00:07:52,800 --> 00:07:59,640
And then also diving a little bit into contributing back to the community, exploring some of the

126
00:07:59,640 --> 00:08:05,640
features or concepts, I guess, that you can use by probably using some open source tools

127
00:08:05,640 --> 00:08:11,280
to interact with large language models and then just share some ideas, some just proof

128
00:08:11,280 --> 00:08:14,680
of concepts of things that people can do to get more familiarized with that.

129
00:08:14,680 --> 00:08:19,000
And that's what I've been focusing a lot for the past couple of months.

130
00:08:19,000 --> 00:08:23,560
And yeah, so happy to be here and thank you for the invitation.

131
00:08:23,560 --> 00:08:26,880
I am super stoked that you are here.

132
00:08:26,880 --> 00:08:31,000
Obviously, I have seen some of the really cool stuff you do.

133
00:08:31,000 --> 00:08:34,800
Obviously, you've done a lot of community contributions.

134
00:08:34,800 --> 00:08:39,080
So why don't we start with what are you most interested in?

135
00:08:39,080 --> 00:08:41,880
I'll let you decide where we go first.

136
00:08:41,880 --> 00:08:47,040
So I'm very interested in talking about, for example, you guys mentioned Azure Container

137
00:08:47,040 --> 00:08:48,040
Apps, right?

138
00:08:48,040 --> 00:08:52,360
And it's something that I've been exploring a lot to automate a lot of the things that

139
00:08:52,360 --> 00:08:57,460
we want to do from all the way from a basic phishing scenario to like a full business

140
00:08:57,460 --> 00:09:03,320
email compromise, like end-to-end scenario with a lot of components in between where

141
00:09:03,320 --> 00:09:07,240
to me using Azure Container Apps has been super helpful.

142
00:09:07,240 --> 00:09:11,240
And I built a tool already two years ago called Cloud Katana.

143
00:09:11,240 --> 00:09:16,400
And it was a tool that is still out there and it's a tool that is based on Azure Function

144
00:09:16,400 --> 00:09:17,400
Apps.

145
00:09:17,400 --> 00:09:22,600
And I love that because you could do a lot of chaining of actions, trying just to push

146
00:09:22,600 --> 00:09:26,680
all your code in the cloud, like, you know, serverless computing.

147
00:09:26,680 --> 00:09:27,680
That was great.

148
00:09:27,680 --> 00:09:32,280
But then when I started looking into Azure Container Apps, it was pretty clear that it's

149
00:09:32,280 --> 00:09:35,360
super powerful and flexible.

150
00:09:35,360 --> 00:09:41,660
And it fits very well into a lot of the components of a simulation, like what it takes to actually

151
00:09:41,660 --> 00:09:43,680
do some of this, right?

152
00:09:43,680 --> 00:09:48,920
We usually see some basic stuff, like let's say, I don't know, download a file, execute

153
00:09:48,920 --> 00:09:51,680
it and then get the code back to your C2.

154
00:09:51,680 --> 00:09:57,080
When you start thinking about something like phishing, for example, you have to deploy

155
00:09:57,080 --> 00:10:01,080
your own site, you have to make sure that you can adjust maybe some of the timing of

156
00:10:01,080 --> 00:10:04,900
when you execute things, what happens next, how do you bring things down, how do you change

157
00:10:04,900 --> 00:10:07,840
your IP address right away, right?

158
00:10:07,840 --> 00:10:11,160
And it's something that it's just fascinating to see it.

159
00:10:11,160 --> 00:10:16,760
Now, of course, the part also that is very interesting as a researcher is that a lot

160
00:10:16,760 --> 00:10:19,840
of this could be used by threat actors.

161
00:10:19,840 --> 00:10:24,400
So that's also part of the research is to understand some of the capabilities, some

162
00:10:24,400 --> 00:10:27,380
of the things that actually someone could do, right?

163
00:10:27,380 --> 00:10:33,440
So that's also part of this in parallel to talk also to the right teams and also see

164
00:10:33,440 --> 00:10:37,660
if there is anything that we could do to start enabling certain capabilities.

165
00:10:37,660 --> 00:10:40,420
So that's pretty interesting as well.

166
00:10:40,420 --> 00:10:44,760
And then, of course, we can finish by talking about some of the open source tools that I've

167
00:10:44,760 --> 00:10:50,560
been using to share some examples and some ideas of how someone can actually start using

168
00:10:50,560 --> 00:10:57,560
some of the capabilities of generative AI and trying to interact with some either open

169
00:10:57,560 --> 00:11:04,160
LLMs for free or start interacting with some paid services if you wanted to, right?

170
00:11:04,160 --> 00:11:06,400
Let's start with Cloud Katana.

171
00:11:06,400 --> 00:11:12,040
Tell our listeners what it is, why they should go and play around with it, and the cool stuff

172
00:11:12,040 --> 00:11:13,040
it does.

173
00:11:13,040 --> 00:11:20,260
Cloud Katana is a serverless cloud application that uses Azure durable functions in a way

174
00:11:20,260 --> 00:11:23,120
to orchestrate attack simulations.

175
00:11:23,120 --> 00:11:26,000
And a lot of this is against the cloud, pretty much.

176
00:11:26,000 --> 00:11:30,200
There are so many different APIs that you can use to execute, for example, if you want

177
00:11:30,200 --> 00:11:34,600
to send an email, if you want to delete an email, if you want to maybe, I don't know,

178
00:11:34,600 --> 00:11:40,240
add a secret or a certificate to an Azure AD application, probably authenticate as the

179
00:11:40,240 --> 00:11:42,480
application and then maybe read emails, right?

180
00:11:42,480 --> 00:11:50,500
So there are so many things that we're trying to simulate to validate things, let's say,

181
00:11:50,500 --> 00:11:51,880
on a regular basis.

182
00:11:51,880 --> 00:11:56,040
So we were trying to look for something that would allow us to have those capabilities,

183
00:11:56,040 --> 00:11:57,040
right?

184
00:11:57,040 --> 00:11:59,360
Like event-driven, for example, technology.

185
00:11:59,360 --> 00:12:01,700
And Azure Functions does very well.

186
00:12:01,700 --> 00:12:05,680
It comes with a lot of different runtimes that you can use, so it's flexible also for

187
00:12:05,680 --> 00:12:10,880
people that, for example, if you want to write your own function in C#, in Python, in

188
00:12:10,880 --> 00:12:16,400
PowerShell, then Cloud Katana is just a way to set up something that then you can modify

189
00:12:16,400 --> 00:12:19,600
and start building your own orchestration.

190
00:12:19,600 --> 00:12:24,740
Started as a proof of concept because it's something that we wanted to do also internally,

191
00:12:24,740 --> 00:12:30,100
just to understand how this automation could be happening in the cloud.

192
00:12:30,100 --> 00:12:34,440
But then at the same time, it was how can somebody use, once again, Azure Functions

193
00:12:34,440 --> 00:12:36,940
to run a lot of these simulations?

194
00:12:36,940 --> 00:12:42,560
Because when you run something as an Azure Function, you might be using a managed identity.

195
00:12:42,560 --> 00:12:45,720
So what does it look like in the logs, for example?

196
00:12:45,720 --> 00:12:47,280
They will write detections, right?

197
00:12:47,280 --> 00:12:52,160
So it's pretty cool and it's something that I believe people can play around in their

198
00:12:52,160 --> 00:12:53,360
lab environments.

199
00:12:53,360 --> 00:12:57,360
I don't recommend to deploy it just like that in a production environment.

200
00:12:57,360 --> 00:13:04,520
The reason why is because currently the approach is to give or grant permissions to the cloud

201
00:13:04,520 --> 00:13:08,320
application in order to perform certain scenarios.

202
00:13:08,320 --> 00:13:11,960
Some scenarios do require high privilege.

203
00:13:11,960 --> 00:13:17,300
Some permissions that only a privileged user will be able to have or use in the environment.

204
00:13:17,300 --> 00:13:22,040
So we use it usually in these research lab environments and we just try to see what's

205
00:13:22,040 --> 00:13:27,800
going on in there and then we just use the same security tools that a company would use

206
00:13:27,800 --> 00:13:29,440
in their own organization.

207
00:13:29,440 --> 00:13:34,480
The cool thing about this too is that, for example, something that I'm very passionate

208
00:13:34,480 --> 00:13:40,520
about is to make it flexible for someone to also contribute.

209
00:13:40,520 --> 00:13:47,680
Some of the tools out there that, for example, you have to write a lot of different, like

210
00:13:47,680 --> 00:13:53,640
learn a new language, for example, to craft your own campaigns or your own scenarios.

211
00:13:53,640 --> 00:14:00,000
So for me also, as I mentioned before, having different runtimes like Python, C#, and

212
00:14:00,000 --> 00:14:04,720
PowerShell, then you can allow someone to feel comfortable and say, hey, you know what?

213
00:14:04,720 --> 00:14:09,320
I do some of my simulations with these four scripts.

214
00:14:09,320 --> 00:14:10,320
They're all in Python.

215
00:14:10,320 --> 00:14:15,120
So then you could actually use something like Cloud Katana to maybe execute a lot of that.

216
00:14:15,120 --> 00:14:20,560
And as I mentioned before, the durable function component is super powerful.

217
00:14:20,560 --> 00:14:25,960
And now I'm experimenting into how can we now take this idea and start using Azure Container

218
00:14:25,960 --> 00:14:28,340
Apps, or Azure Containers in general.

219
00:14:28,340 --> 00:14:34,240
But one cool, I guess, service recently has been Azure Container Apps with Azure Container

220
00:14:34,240 --> 00:14:42,000
app jobs, for example, which is similar to an Azure activity function in Azure durable

221
00:14:42,000 --> 00:14:43,000
functions.

222
00:14:43,000 --> 00:14:48,280
And the beauty of that is that you can actually now containerize a little bit more of that

223
00:14:48,280 --> 00:14:54,480
runtime that you could not control that much from an Azure function perspective, for example.

224
00:14:54,480 --> 00:14:59,680
And it has opened the door to a lot of more scenarios where we do not just need to hit

225
00:14:59,680 --> 00:15:05,280
an API and write in a script to, let's say, automate sending an email, for example.

226
00:15:05,280 --> 00:15:11,080
Now we can start integrating phishing sites, maybe start playing with some of those other

227
00:15:11,080 --> 00:15:14,680
open source tools that a threat actor might use.

228
00:15:14,680 --> 00:15:19,800
It's an easier way to containerize all these other components that a simulation requires

229
00:15:19,800 --> 00:15:20,800
to play with.

230
00:15:20,800 --> 00:15:22,920
Hey, so I have a couple of questions for you.

231
00:15:22,920 --> 00:15:25,400
One's security related and one's not, but I'll ask you both.

232
00:15:25,400 --> 00:15:28,360
The first one is, I'm kind of afraid to ask this question, actually.

233
00:15:28,360 --> 00:15:29,360
So what is a durable function?

234
00:15:29,360 --> 00:15:31,160
I mean, I know they've been around for a while.

235
00:15:31,160 --> 00:15:34,720
I've written a whole bunch of function apps over the years, but never a durable function.

236
00:15:34,720 --> 00:15:35,720
So what are the pros and cons?

237
00:15:35,720 --> 00:15:36,720
And what is that?

238
00:15:36,720 --> 00:15:37,720
That's number one.

239
00:15:37,720 --> 00:15:41,160
And number two, what does Cloud Katana simulate?

240
00:15:41,160 --> 00:15:44,120
Can you give us some examples of what it actually does?

241
00:15:44,120 --> 00:15:45,440
Yeah, yeah, sure.

242
00:15:45,440 --> 00:15:53,120
So a durable function is, let's call it a feature of the Azure functions in general.

243
00:15:53,120 --> 00:15:58,000
Usually when you create an Azure function, you do have an HTTP trigger, for example.

244
00:15:58,000 --> 00:16:05,200
So you deploy your function and you say, if somebody hits this HTTP or this API, I want

245
00:16:05,200 --> 00:16:08,880
you to run this script as part of the Azure function.

246
00:16:08,880 --> 00:16:14,080
The durable function, oh, and then you run it once, stops, and then you get the output

247
00:16:14,080 --> 00:16:15,080
back.

248
00:16:15,080 --> 00:16:21,100
But what if you want to start orchestrating multiple of those functions and actually capture

249
00:16:21,100 --> 00:16:25,040
the state of every single execution?

250
00:16:25,040 --> 00:16:31,080
That's what a durable function would do for you, which gives you the concept of an orchestrator

251
00:16:31,080 --> 00:16:37,800
function, for example, that is capable to go to sleep, wake up, and listen to what the

252
00:16:37,800 --> 00:16:39,080
other functions are doing.

253
00:16:39,080 --> 00:16:45,280
For example, if you do a specific pattern, you could say, I want to run one step at a

254
00:16:45,280 --> 00:16:50,520
time from one to 10, and I want my orchestrator to start capturing the state of each one

255
00:16:50,520 --> 00:16:53,380
and maybe do something else when one finishes.

256
00:16:53,380 --> 00:16:56,680
And there's a lot of other patterns that you can use, but that's what a durable function

257
00:16:56,680 --> 00:16:57,680
will do.

258
00:16:57,680 --> 00:17:04,360
It allows you to build workflows and orchestrate multiple functions, something that if you're

259
00:17:04,360 --> 00:17:08,960
using only one function, you only have that trigger capability, but you might not have

260
00:17:08,960 --> 00:17:14,600
the full workflow, once again, sequence maybe of actions that you want to run for a longer

261
00:17:14,600 --> 00:17:15,600
period of time.

262
00:17:15,600 --> 00:17:21,920
And Azure function by itself, I think, I believe last time I checked was still 10 to 30 minutes,

263
00:17:21,920 --> 00:17:25,280
I think, how much a function can run.

264
00:17:25,280 --> 00:17:30,040
A durable function, the orchestrator itself can run for a longer time.

265
00:17:30,040 --> 00:17:33,280
So you might actually say, I have this big task.

266
00:17:33,280 --> 00:17:36,960
You can actually split it in maybe multiple activity functions.

267
00:17:36,960 --> 00:17:39,920
That's part of the durable concepts.

268
00:17:39,920 --> 00:17:43,060
And then you can use an orchestrator to start using them.

269
00:17:43,060 --> 00:17:48,000
So that would be the reason, I guess, why I would use a durable function for attack

270
00:17:48,000 --> 00:17:51,560
simulations, because that's what an attack simulation is.

271
00:17:51,560 --> 00:17:55,400
You run something, you want to go to sleep for 20 minutes, and you want to run something

272
00:17:55,400 --> 00:17:56,400
else.

273
00:17:56,400 --> 00:18:00,200
That's what the durable function capability is super helpful.

274
00:18:00,200 --> 00:18:05,220
So one scenario would be, and this is when this specific scenario, even though it might

275
00:18:05,220 --> 00:18:11,040
sound very simple, it takes some time for some of the steps to actually work.

276
00:18:11,040 --> 00:18:17,880
So let's say you want to simulate someone that has access to an Azure AD application.

277
00:18:17,880 --> 00:18:23,640
And that Azure AD application has, let's say, application roles permissions, which means

278
00:18:23,640 --> 00:18:27,140
that the application itself, the app roles permission.

279
00:18:27,140 --> 00:18:32,640
If it says Mail Read, for example, you can read email, not just your email, you can read

280
00:18:32,640 --> 00:18:37,680
email for the whole tenant, let's say, if the app has enough permissions, because it's

281
00:18:37,680 --> 00:18:39,020
acting on its own.

282
00:18:39,020 --> 00:18:43,560
So one of the things you can do is say, if I have access to this app, my first step would

283
00:18:43,560 --> 00:18:46,840
be let's add a secret to the app.

284
00:18:46,840 --> 00:18:52,100
So that way I can use that secret and authenticate to the app, and then use the app to then do

285
00:18:52,100 --> 00:18:55,840
the next steps, such as read an email.

286
00:18:55,840 --> 00:19:01,560
When you add a secret to an app, the app, in order to recognize a secret, takes sometimes

287
00:19:01,560 --> 00:19:04,400
like a minute, sometimes it takes five minutes.

288
00:19:04,400 --> 00:19:10,320
And if you want to probably create a new application, maybe, and grant more permissions, sometimes

289
00:19:10,320 --> 00:19:12,460
it could take even like 10, 15 minutes.

290
00:19:12,460 --> 00:19:17,320
So for me to use something like Cloud Katana would be let's schedule some of these waits

291
00:19:17,320 --> 00:19:19,960
in between, and so on.

292
00:19:19,960 --> 00:19:24,080
Once I give the secret to the app, I can authenticate with the secret.

293
00:19:24,080 --> 00:19:29,760
Now I'm acting as the app with enough permissions to read email or do things with mail in my

294
00:19:29,760 --> 00:19:30,760
tenant.

295
00:19:30,760 --> 00:19:34,980
So next step would be let's just probably start reading some email or maybe send emails

296
00:19:34,980 --> 00:19:36,420
also to others.

297
00:19:36,420 --> 00:19:42,120
And now it turns into a potential business email compromise internally, where now you're

298
00:19:42,120 --> 00:19:46,800
using an internal source to start sending or interacting with mail in general, I guess

299
00:19:46,800 --> 00:19:48,760
with others in the tenant.

300
00:19:48,760 --> 00:19:53,920
That's a basic use case that it takes the steps of secret, authentication, you run an

301
00:19:53,920 --> 00:19:59,220
API, wait for email, maybe you want to destroy the app or delete the secret.

302
00:19:59,220 --> 00:20:02,140
So there is multiple steps that you will have to do.

303
00:20:02,140 --> 00:20:05,120
So that's something that you could do with Cloud Katana, for example, build your campaign

304
00:20:05,120 --> 00:20:12,440
and just make sure that the Cloud Katana identity has enough permissions to do a lot of these

305
00:20:12,440 --> 00:20:15,400
actions and then you could do it.

306
00:20:15,400 --> 00:20:19,240
One approach that we're trying to take is also to see if we can just allow the app to

307
00:20:19,240 --> 00:20:22,040
use my own permissions.

308
00:20:22,040 --> 00:20:26,880
And that's something also that could be easily modified so that way you don't have an app

309
00:20:26,880 --> 00:20:31,000
with, you know, with a lot of permissions, which is, you know, super powerful, but also

310
00:20:31,000 --> 00:20:33,360
not the best thing to do in your tenant.

311
00:20:33,360 --> 00:20:38,240
Yeah, but I hope that that basic example kind of shows you steps, right, that a simulation

312
00:20:38,240 --> 00:20:39,240
would take, right?

313
00:20:39,240 --> 00:20:48,200
I'm glad that Michael asked what are the normal use cases, I guess, for this tool, because

314
00:20:48,200 --> 00:20:53,360
recently I was playing with Cloud Katana and I was trying to implement it.

315
00:20:53,360 --> 00:20:59,760
Usually there's organizations that have a single tenant and then they give permission

316
00:20:59,760 --> 00:21:07,160
to just individual subscriptions for test dev environment and that way they have the

317
00:21:07,160 --> 00:21:12,080
capability of viewing everything that is happening in all the subscription.

318
00:21:12,080 --> 00:21:17,360
So I thought that my permissions, by having privileged permission in the subscription

319
00:21:17,360 --> 00:21:20,000
was enough, but it seems that it's not.

320
00:21:20,000 --> 00:21:25,640
Can you talk a little bit more about that and describe what type of permission are expected?

321
00:21:25,640 --> 00:21:30,840
Yeah, so for example, something that we do with Cloud Katana right now is to provide

322
00:21:30,840 --> 00:21:35,360
templates of the actions that you can take and some of the actions that you can make

323
00:21:35,360 --> 00:21:42,120
the tool to take for you or some of the flows, the actions, right, that you can take.

324
00:21:42,120 --> 00:21:48,440
Some of them do require the app to, for example, there is one attack simulation that requires

325
00:21:48,440 --> 00:21:54,960
the app to be able to grant permissions or define some app role assignments for a new

326
00:21:54,960 --> 00:21:57,040
identity in the tenant.

327
00:21:57,040 --> 00:22:01,220
And if you want to grant that to an app, you need to be a privileged user or at least be

328
00:22:01,220 --> 00:22:07,120
able to grant permissions and that doesn't happen at the subscription level.

329
00:22:07,120 --> 00:22:11,080
And that's because the tool by default is trying to say, hey, this tool is capable to

330
00:22:11,080 --> 00:22:13,720
do x, y, and z in the tenant.

331
00:22:13,720 --> 00:22:21,380
So it will try to say you need to have permissions to at least grant permissions to this identity.

332
00:22:21,380 --> 00:22:25,880
That's one of the reasons why I think that something that we could do is to allow the

333
00:22:25,880 --> 00:22:32,260
user to maybe enable what use cases they would like to have by default enabled and not enable

334
00:22:32,260 --> 00:22:37,200
the other ones unless you have the permissions for and then you can just run it at the subscription

335
00:22:37,200 --> 00:22:38,640
level.

336
00:22:38,640 --> 00:22:44,880
Something that I had not, to be honest, played with as much because a lot of my research

337
00:22:44,880 --> 00:22:51,520
has been on the identity side of things like Microsoft Entra, for example, and a lot of

338
00:22:51,520 --> 00:22:56,020
these scenarios do require to be a privileged identity.

339
00:22:56,020 --> 00:23:01,040
So that's the only reason why I guess it doesn't work with you only having subscription level

340
00:23:01,040 --> 00:23:04,720
access, I guess.

341
00:23:04,720 --> 00:23:10,720
So it's very powerful and now we're just trying to make it more flexible, more dynamic, I

342
00:23:10,720 --> 00:23:14,280
guess, and try to now explore other scenarios.

343
00:23:14,280 --> 00:23:20,200
Like I mentioned before, doing something like phishing, it's very interesting to deploy

344
00:23:20,200 --> 00:23:28,320
sites, bring them down and try to maybe trick MDOs sometimes and continue just make it learn

345
00:23:28,320 --> 00:23:30,600
about the things that are possible.

346
00:23:30,600 --> 00:23:37,640
And for something like that, you need to containerize applications, you need to build your own probably

347
00:23:37,640 --> 00:23:39,240
Docker container images.

348
00:23:39,240 --> 00:23:44,080
So I'm exploring that a little bit more and seems to be super powerful.

349
00:23:44,080 --> 00:23:49,600
One of the things I want to ask about is looking at this as someone that is definitely not

350
00:23:49,600 --> 00:23:51,720
an expert in this space.

351
00:23:51,720 --> 00:23:57,760
How would someone get started, get involved doing security research, engaging in the open

352
00:23:57,760 --> 00:23:59,840
source community?

353
00:23:59,840 --> 00:24:03,480
How would you recommend someone getting started to do that?

354
00:24:03,480 --> 00:24:05,720
Yeah, that's a good question.

355
00:24:05,720 --> 00:24:11,000
So in general, first it would depend on the type of research that the person wants to

356
00:24:11,000 --> 00:24:12,000
do.

357
00:24:12,000 --> 00:24:18,080
I would recommend to friends in the community that they are very comfortable with using

358
00:24:18,080 --> 00:24:25,360
something like Fiddler or Burp Suite, for example, and then be able to understand how,

359
00:24:25,360 --> 00:24:30,840
for example, let's say an endpoint that has been joined to Azure AD, how it works, what

360
00:24:30,840 --> 00:24:32,640
the communication looks like.

361
00:24:32,640 --> 00:24:36,440
When you authenticate what happens from the client to the server.

362
00:24:36,440 --> 00:24:40,000
And for those things, you need some of those tools.

363
00:24:40,000 --> 00:24:43,080
There are free versions, community versions of that.

364
00:24:43,080 --> 00:24:47,600
So for example, if you want to take that path, I think it's a very interesting path.

365
00:24:47,600 --> 00:24:52,240
You just need to, once again, kind of identify what it is that you want to do.

366
00:24:52,240 --> 00:24:57,680
That's from understanding maybe how your computer communicates with the cloud.

367
00:24:57,680 --> 00:25:03,360
Just be curious into how things work and then try to use some of the tooling around.

368
00:25:03,360 --> 00:25:09,000
Once again, a lot of that is just a community version tools that you can use.

369
00:25:09,000 --> 00:25:12,940
The other thing that I recommend a lot to folks that want to do a lot of the things

370
00:25:12,940 --> 00:25:18,640
that I've been doing for the past couple of years, which is automation, deployment of

371
00:25:18,640 --> 00:25:21,080
research environments, for example.

372
00:25:21,080 --> 00:25:28,980
So at Microsoft, in my team, I'm enabling, helping others that would like to go through

373
00:25:28,980 --> 00:25:35,200
certain scenarios and say, hey, what would happen if a threat actor does X, Y, and Z?

374
00:25:35,200 --> 00:25:39,280
Well, to find out, we need to deploy environments.

375
00:25:39,280 --> 00:25:45,560
Even when you start working with, for example, right now, let's say AI in security.

376
00:25:45,560 --> 00:25:51,900
If you're trying to understand how, for example, an application that uses an LLM to do something,

377
00:25:51,900 --> 00:25:59,040
to either be a chat bot or be able to do things for you as your personal assistant, let's

378
00:25:59,040 --> 00:26:02,780
say, if you want to learn how they could be attacked, well, we need to deploy an app.

379
00:26:02,780 --> 00:26:08,120
We need to deploy how, there will be some automation in between so that you can start

380
00:26:08,120 --> 00:26:09,780
testing a few things.

381
00:26:09,780 --> 00:26:16,080
So I always recommend, if you're interested in research like this for simulations and

382
00:26:16,080 --> 00:26:22,720
explore what would happen, I highly recommend to start learning Terraform, Bicep.

383
00:26:22,720 --> 00:26:25,560
Bicep is from Microsoft, right?

384
00:26:25,560 --> 00:26:29,400
Bicep is like your Terraform-like experience.

385
00:26:29,400 --> 00:26:35,440
Or using, for example, how to use ARM templates so you can deploy things in Azure by using

386
00:26:35,440 --> 00:26:38,280
the Azure Resource Manager services, right?

387
00:26:38,280 --> 00:26:40,960
Or maybe you want to learn from AWS.

388
00:26:40,960 --> 00:26:45,120
So you might need to learn also the language that they have.

389
00:26:45,120 --> 00:26:52,080
And a lot of these things are pretty easy to really get into actually learning.

390
00:26:52,080 --> 00:26:57,960
Microsoft, for example, and I'm pretty sure other services, I'm not trying just to say,

391
00:26:57,960 --> 00:27:04,560
do things with Microsoft in general, but in general, you will find the, if you're building

392
00:27:04,560 --> 00:27:10,480
your own little things like testing with one app and maybe with, I don't know, Sentinel

393
00:27:10,480 --> 00:27:17,440
in general, there is always this 30-day trials, three-month trials.

394
00:27:17,440 --> 00:27:23,560
Some limitations are really good to actually play with things for a long time.

395
00:27:23,560 --> 00:27:27,560
And I think that it's pretty interesting to start diving into some of those areas, but

396
00:27:27,560 --> 00:27:31,360
always having, to me, the goal in mind.

397
00:27:31,360 --> 00:27:34,940
My goal is what would happen if somebody uses this?

398
00:27:34,940 --> 00:27:36,920
So then I start bringing my tools.

399
00:27:36,920 --> 00:27:41,280
All right, so I need to bring my Bicep templates, my ARM templates.

400
00:27:41,280 --> 00:27:43,540
I need to start learning about container apps.

401
00:27:43,540 --> 00:27:47,640
So let's just maybe containerize an application locally.

402
00:27:47,640 --> 00:27:50,420
Once we feel comfortable, now how do we deploy it to Azure?

403
00:27:50,420 --> 00:27:53,500
How do we deploy it to other cloud services?

404
00:27:53,500 --> 00:27:58,480
So that's what I would definitely recommend to people, just to start learning some of

405
00:27:58,480 --> 00:28:03,160
those tools that would allow you to start experimenting.

406
00:28:03,160 --> 00:28:09,620
And it's not expensive, to be honest, to do some of these basic testing.

407
00:28:09,620 --> 00:28:15,400
So cloud infrastructure and what happens from your client to the server, from your computer

408
00:28:15,400 --> 00:28:20,360
to the cloud, and exploring that, I think it will open the door to so many different

409
00:28:20,360 --> 00:28:21,360
topics.

410
00:28:21,360 --> 00:28:26,400
I think that by itself would open the door to understanding how authentication works,

411
00:28:26,400 --> 00:28:29,280
what are the different protocols that are being used.

412
00:28:29,280 --> 00:28:35,000
And just take as many notes as you can, and then once you feel comfortable, share it in

413
00:28:35,000 --> 00:28:38,000
a local event.

414
00:28:38,000 --> 00:28:41,120
Share it in a local BSides conference, for example.

415
00:28:41,120 --> 00:28:46,240
And that would also push you to start structuring your research, structuring how you want to

416
00:28:46,240 --> 00:28:47,240
explain things.

417
00:28:47,240 --> 00:28:51,000
The more you explain things to others, the more you feel comfortable, the more you learn

418
00:28:51,000 --> 00:28:57,000
and it just becomes this cycle that turns into a methodology and now you actually start

419
00:28:57,000 --> 00:29:01,320
identifying what works for you for certain research topics.

420
00:29:01,320 --> 00:29:02,320
Awesome.

421
00:29:02,320 --> 00:29:07,400
That sounds like a very intense version of continuous learning across a lot of topics.

422
00:29:07,400 --> 00:29:08,400
Yeah.

423
00:29:08,400 --> 00:29:14,480
I mean, that's what it is and that's what I love my job is, it's just security in general,

424
00:29:14,480 --> 00:29:22,440
I think there is so much to cover, but you realize, I guess, soon that you start doing

425
00:29:22,440 --> 00:29:24,800
similar things, right?

426
00:29:24,800 --> 00:29:30,280
As I mentioned before, deploying a research lab environment, if you want to do it for

427
00:29:30,280 --> 00:29:36,640
an active directory or a hybrid environment or everything in the cloud and maybe now start

428
00:29:36,640 --> 00:29:41,520
testing new applications, like I mentioned before, like AI applications, how can we do

429
00:29:41,520 --> 00:29:42,680
all that?

430
00:29:42,680 --> 00:29:44,880
You follow a similar methodology, right?

431
00:29:44,880 --> 00:29:50,240
You need to understand the fundamentals, build your little POC, test it a little bit,

432
00:29:50,240 --> 00:29:56,560
take some notes, as I mentioned before, figure out what it is that you can do with it, maybe

433
00:29:56,560 --> 00:29:58,320
build something cool.

434
00:29:58,320 --> 00:30:06,280
For example, I was trying to learn recently, how can we use retrieval-augmented, a generation

435
00:30:06,280 --> 00:30:08,800
or generative?

436
00:30:08,800 --> 00:30:16,480
How can we use that, for example, to make my application that is using a specific large

437
00:30:16,480 --> 00:30:21,920
language model, I don't want to say specific names, but how can we use it to now bring

438
00:30:21,920 --> 00:30:27,600
my knowledge and make the bot actually know more than what he knew until the moment that

439
00:30:27,600 --> 00:30:29,360
he was trained, for example, right?

440
00:30:29,360 --> 00:30:34,720
Because that's one of the limitations of some of these chat bots out there that don't have

441
00:30:34,720 --> 00:30:39,000
the knowledge of the current, like today, right?

442
00:30:39,000 --> 00:30:41,840
Some of them already have some enrichments.

443
00:30:41,840 --> 00:30:49,480
To me, I was thinking, if I'm trying to use a large language model into security and I

444
00:30:49,480 --> 00:30:57,120
bring it to my threat intelligence team, what can I do to provide that TI knowledge that

445
00:30:57,120 --> 00:31:02,440
sometimes it's only available for the company that holds it?

446
00:31:02,440 --> 00:31:05,840
So that was just an experiment, and I was thinking, all right, well, first thing, let's

447
00:31:05,840 --> 00:31:12,560
try to figure out what could be an open source threat intelligence sample, for example.

448
00:31:12,560 --> 00:31:18,360
And then I thought, you know, MITRE ATT&CK has a lot of ATT&CK groups in their own database.

449
00:31:18,360 --> 00:31:24,800
When we are thinking about TI, we're tracking groups, we're tracking the tradecraft of

450
00:31:24,800 --> 00:31:26,280
the adversaries.

451
00:31:26,280 --> 00:31:30,720
So my goal was, all right, let's investigate how we can bring all that data from MITRE

452
00:31:30,720 --> 00:31:37,440
ATT&CK and focus only on groups of MITRE ATT&CK and then see if we can put it into a database

453
00:31:37,440 --> 00:31:42,900
that then we can retrieve that knowledge as we ask questions and then make sure that we

454
00:31:42,900 --> 00:31:48,200
enrich our communications with our application that is using an LLM.

455
00:31:48,200 --> 00:31:53,080
That's retrieval augmented generation, for example, where you are providing additional

456
00:31:53,080 --> 00:31:59,800
information, making the application that you're building retrieve additional knowledge that

457
00:31:59,800 --> 00:32:06,400
it requires to be more accurate into their responses.

458
00:32:06,400 --> 00:32:11,000
And with zero knowledge on all of this, it was just taking those steps, like what do

459
00:32:11,000 --> 00:32:12,740
I have to do first?

460
00:32:12,740 --> 00:32:15,000
What tools can I use that are open source?

461
00:32:15,000 --> 00:32:20,500
And then just start kind of working your way to building a basic POC.

462
00:32:20,500 --> 00:32:25,880
And then I presented that into a couple of conferences already, and it seems that it

463
00:32:25,880 --> 00:32:31,480
has been super helpful for others just to kind of see the methodology of how you get

464
00:32:31,480 --> 00:32:36,280
to something that you were not comfortable maybe six months ago.

465
00:32:36,280 --> 00:32:41,780
But now you feel comfortable enough to share it with others or maybe even internally now

466
00:32:41,780 --> 00:32:47,120
have the conversations that you wanted to have with others that are already talking

467
00:32:47,120 --> 00:32:49,160
a different language.

468
00:32:49,160 --> 00:32:55,800
Six months ago, when somebody was talking to me about this technique, RAG, RAC, retrieval,

469
00:32:55,800 --> 00:32:59,480
documentation, I didn't know what they were talking about.

470
00:32:59,480 --> 00:33:04,960
And I was like, man, I feel that I cannot contribute because I get stuck just at the

471
00:33:04,960 --> 00:33:05,960
conversation.

472
00:33:05,960 --> 00:33:13,600
So, yeah, so that's just one example of what somebody can do with open source stuff for

473
00:33:13,600 --> 00:33:14,600
free.

474
00:33:14,600 --> 00:33:21,920
So talking about open source, back in 2022, you came in and talked about Simuland.

475
00:33:21,920 --> 00:33:28,240
Can you talk a little bit about it, anything new and how you could use it together with

476
00:33:28,240 --> 00:33:29,880
Cloud Katana, etc.?

477
00:33:29,880 --> 00:33:38,880
Yeah, so Simuland is still an open source project where we wanted to say there are specific

478
00:33:38,880 --> 00:33:42,120
attack paths that a threat actor can take.

479
00:33:42,120 --> 00:33:49,860
For example, the topic that we have in Simuland is how you can use Federation services or

480
00:33:49,860 --> 00:33:56,600
an environment that is connected to the cloud via ADFS and how that could be abused or how

481
00:33:56,600 --> 00:34:00,800
can you compromise that environment and what are the different options that you have or

482
00:34:00,800 --> 00:34:03,400
a threat actor might have.

483
00:34:03,400 --> 00:34:10,160
And then what are the security controls that exist around some of those steps in the end-to-end

484
00:34:10,160 --> 00:34:11,160
scenario.

485
00:34:11,160 --> 00:34:16,720
So Simuland was a way to say these are the scripts that you can use to deploy the environment.

486
00:34:16,720 --> 00:34:20,320
There are some manual steps that unfortunately you have to do.

487
00:34:20,320 --> 00:34:24,400
But the way was this is the environment, deploy it.

488
00:34:24,400 --> 00:34:28,240
Once you feel comfortable with it, now these are the steps that you can take to go through

489
00:34:28,240 --> 00:34:30,080
the simulation.

490
00:34:30,080 --> 00:34:35,760
And we didn't want to, of course, come up with new ways to do things.

491
00:34:35,760 --> 00:34:38,480
We just took what the community had already shared.

492
00:34:38,480 --> 00:34:43,800
So there is a pretty good tool, AADInternals, for example, by one of my good friends in

493
00:34:43,800 --> 00:34:47,840
the community, Dr. Nestori Syynimaa from Secureworks.

494
00:34:47,840 --> 00:34:52,760
And so it was nice to use something that is already out there and that we are already

495
00:34:52,760 --> 00:34:57,240
tracking how other actors would use it.

496
00:34:57,240 --> 00:34:59,600
And then just simply share the steps.

497
00:34:59,600 --> 00:35:08,480
The idea was also to usually when you share TI around a, let's say, specific attack path,

498
00:35:08,480 --> 00:35:09,960
usually we share alerts.

499
00:35:09,960 --> 00:35:18,200
We share, hey, they run these commands, maybe pay attention to these IPs or maybe those

500
00:35:18,200 --> 00:35:21,560
permissions, those APIs being used, et cetera.

501
00:35:21,560 --> 00:35:27,760
But I think that when you actually run a scenario in your own research lab in a company, for

502
00:35:27,760 --> 00:35:35,880
example, you're exposing the security researcher to more context that a simple report or just

503
00:35:35,880 --> 00:35:38,520
a report in general might not provide to you.

504
00:35:38,520 --> 00:35:44,920
For example, when we did Simuland and then we shared the end-to-end simulation, we actually

505
00:35:44,920 --> 00:35:51,640
found more logs that we had to add to our detections that we had already built in the

506
00:35:51,640 --> 00:35:58,360
past because it exposed us to some of those data sources that we were not as aware.

507
00:35:58,360 --> 00:36:02,120
And we also feel that customers bring their own security stack, right?

508
00:36:02,120 --> 00:36:03,460
They might use something else.

509
00:36:03,460 --> 00:36:07,720
So why not see what else gets generated in your environment?

510
00:36:07,720 --> 00:36:08,720
So that was the idea.

511
00:36:08,720 --> 00:36:11,800
Run it in your environment, follow the steps.

512
00:36:11,800 --> 00:36:16,040
We were not providing a tool to actually execute everything.

513
00:36:16,040 --> 00:36:19,160
We were saying, these are our notes.

514
00:36:19,160 --> 00:36:20,900
This is how we will run it.

515
00:36:20,900 --> 00:36:23,700
And then you take care of it, you as a customer, right?

516
00:36:23,700 --> 00:36:27,640
With Cloud Katana, what you can do is there are some scenarios, especially those that

517
00:36:27,640 --> 00:36:34,640
are only fully cloud-based scenarios, that you can just have a Cloud Katana flow or campaign

518
00:36:34,640 --> 00:36:38,120
to be running, for example, in a sequence.

519
00:36:38,120 --> 00:36:41,960
You can just run it automatically if you wanted to, right?

520
00:36:41,960 --> 00:36:43,880
Granting the right permissions to the app.

521
00:36:43,880 --> 00:36:46,880
So that's how you can mix it up a little bit.

522
00:36:46,880 --> 00:36:53,060
And the news in Simuland is that internally, for the past two years, I've been working

523
00:36:53,060 --> 00:36:59,820
on actually documenting more scenarios internally that we're using to validate security controls

524
00:36:59,820 --> 00:37:07,120
and create new detections, partner with the defenders teams to start providing more coverage

525
00:37:07,120 --> 00:37:08,680
in some scenarios.

526
00:37:08,680 --> 00:37:12,400
And we're going to be releasing more things at the end of the year where there are going

527
00:37:12,400 --> 00:37:17,020
to be some pretty cool scenarios that will align very well with some of the new capabilities

528
00:37:17,020 --> 00:37:19,160
that our products have.

529
00:37:19,160 --> 00:37:20,160
I'm not a salesperson.

530
00:37:20,160 --> 00:37:26,960
I'm just a security researcher that, for me, is very important to be able to say, yes,

531
00:37:26,960 --> 00:37:28,520
these are the 10 detections.

532
00:37:28,520 --> 00:37:32,280
These are the maybe 10 products that you can use to protect yourself.

533
00:37:32,280 --> 00:37:38,640
But let me also share how you could also validate it and maybe test your SOC, for example.

534
00:37:38,640 --> 00:37:47,120
Bring your security team into a day and say, let's run all these simulations in Simuland

535
00:37:47,120 --> 00:37:49,640
and then see how we respond to that, right?

536
00:37:49,640 --> 00:37:50,640
Something like that.

537
00:37:50,640 --> 00:37:51,680
I think that that's the goal as well.

538
00:37:51,680 --> 00:37:56,240
To make people experience that and go beyond just alert, right?

539
00:37:56,240 --> 00:38:00,400
What else is in your environment that we might not even have because you might have a different

540
00:38:00,400 --> 00:38:01,400
tool?

541
00:38:01,400 --> 00:38:04,760
And what happens when this scenario triggers in your environment?

542
00:38:04,760 --> 00:38:06,160
That's the idea.

543
00:38:06,160 --> 00:38:12,640
So Roberto, obviously you do tons and tons of cool things, but I know you've been doing

544
00:38:12,640 --> 00:38:15,360
some things in the open source AI space.

545
00:38:15,360 --> 00:38:19,640
Do you want to quickly tell us about the kind of things you've been looking at there?

546
00:38:19,640 --> 00:38:20,640
Yeah.

547
00:38:20,640 --> 00:38:21,640
Yeah.

548
00:38:21,640 --> 00:38:24,840
So I touched a little bit a couple of minutes ago on this, but just to expand it.

549
00:38:24,840 --> 00:38:31,880
So the goal is we're trying to share we as the Open Threat Research community.

550
00:38:31,880 --> 00:38:38,180
So I'm the founder and also part of this community where we have a few folks, for example, those

551
00:38:38,180 --> 00:38:44,680
that are part of the MSTICPy, for example, open source Python library from Microsoft.

552
00:38:44,680 --> 00:38:49,360
Just to start brainstorming around to see how we can share Jupyter notebooks with some

553
00:38:49,360 --> 00:38:55,320
examples, once again, like some proof of concepts of what some of these skills, for example,

554
00:38:55,320 --> 00:38:58,680
would be interesting to learn.

555
00:38:58,680 --> 00:39:01,480
So let's say you want to build your own chatbot.

556
00:39:01,480 --> 00:39:04,480
Yeah, there is a lot of blog posts and videos now.

557
00:39:04,480 --> 00:39:07,880
Like there is a lot actually that gets released every week.

558
00:39:07,880 --> 00:39:12,060
Our goal is to say, how can you apply some of that into security, right?

559
00:39:12,060 --> 00:39:17,600
If you're building a chatbot, can we share that basic example to a Jupyter notebook and

560
00:39:17,600 --> 00:39:22,880
say, let's build a chatbot that might help you to query your database.

561
00:39:22,880 --> 00:39:29,040
Let's use maybe some open source tools like, I don't know, LangChain, LlamaIndex.

562
00:39:29,040 --> 00:39:33,320
There is a lot that you can use out there and start exploring those capabilities.

563
00:39:33,320 --> 00:39:36,040
So sharing a couple of Jupyter notebooks soon.

564
00:39:36,040 --> 00:39:42,680
I shared a few in my recent presentations where, for example, beyond the retrieval-augmented

565
00:39:42,680 --> 00:39:47,800
generation example that I just talked about, how you can help the LLM to have more

566
00:39:47,800 --> 00:39:51,920
context around the topic that you want to interact with, right?

567
00:39:51,920 --> 00:39:53,240
You need to provide that knowledge.

568
00:39:53,240 --> 00:39:54,240
So how do you do it?

569
00:39:54,240 --> 00:39:57,160
That's what we did with RAG.

570
00:39:57,160 --> 00:40:04,000
One of the things that I was trying to do is, how can we also use some of these capabilities

571
00:40:04,000 --> 00:40:11,720
to query a SQL database by making the LLM learn the schema of the SQL database maybe

572
00:40:11,720 --> 00:40:17,380
or the graph database, and then start interacting with the database in a more natural language

573
00:40:17,380 --> 00:40:18,380
way?

574
00:40:18,380 --> 00:40:24,240
So using natural language, asking regular questions and get that response back.

575
00:40:24,240 --> 00:40:31,960
Once you learn how to interact with a structure, database or data in general, then how can

576
00:40:31,960 --> 00:40:35,000
we actually start doing this in a loop?

577
00:40:35,000 --> 00:40:39,480
How can we say, ask a question, get a response, and then based on the response, maybe trigger

578
00:40:39,480 --> 00:40:40,480
another action?

579
00:40:40,480 --> 00:40:45,640
So then we're diving into the concept of agents, for example, that are super powerful to build

580
00:40:45,640 --> 00:40:50,600
some of these workflows that, yes, you can automate a lot of these things with a couple

581
00:40:50,600 --> 00:40:56,760
of scripts, but having the, let's say, LLM in the middle allows you to summarize maybe

582
00:40:56,760 --> 00:41:02,840
a lot of these responses in a better way, expedite the way how you want to tell someone,

583
00:41:02,840 --> 00:41:07,320
hey, can you put this in a YAML format or in a JSON format?

584
00:41:07,320 --> 00:41:16,240
Or for example, I'm a big fan of Mermaid, which allows us to create some beautiful graph

585
00:41:16,240 --> 00:41:21,120
visualizations with a couple of lines that it's not that hard to type, but when you want

586
00:41:21,120 --> 00:41:26,520
to type Mermaid for a big document, then it's not that easy.

587
00:41:26,520 --> 00:41:33,120
So maybe having a tool that can easily do that for you because it knows the schema,

588
00:41:33,120 --> 00:41:36,380
that's what we're trying to test, and then how do we take it to security?

589
00:41:36,380 --> 00:41:41,000
How can we go from an event log in XML or JSON to a data frame?

590
00:41:41,000 --> 00:41:45,400
Yes, there are tools to do that, but how can you make it actually query that data frame

591
00:41:45,400 --> 00:41:54,840
also based on, I don't know, a couple questions or probably giving it examples like, hey,

592
00:41:54,840 --> 00:41:59,320
this is what maybe lateral movement looks for me.

593
00:41:59,320 --> 00:42:02,680
Do you see lateral movement in this data frame, for example?

594
00:42:02,680 --> 00:42:03,680
Things like that.

595
00:42:03,680 --> 00:42:07,760
I'm trying just to build something like that and just share it with the community and see

596
00:42:07,760 --> 00:42:11,280
if it inspires others to do the same.

597
00:42:11,280 --> 00:42:17,640
I was very happy to hear some internal researchers, some other friends in the community too, saying

598
00:42:17,640 --> 00:42:23,240
that they learned a lot based on these recent notebooks and presentations that were given

599
00:42:23,240 --> 00:42:28,400
in this past couple of conferences, like x33fcon, for example, in Poland.

600
00:42:28,400 --> 00:42:31,200
And it was just nice to hear that it was helping others.

601
00:42:31,200 --> 00:42:35,920
So why not continue doing that and sharing all that information?

602
00:42:35,920 --> 00:42:43,160
So Roberto, usually we ask a final thought or maybe a recommendation for our listeners.

603
00:42:43,160 --> 00:42:46,040
Do you have one that you could share?

604
00:42:46,040 --> 00:42:47,040
Yeah, yeah.

605
00:42:47,040 --> 00:42:53,240
So I think this might sound, I don't know, that it's something that I always tell people

606
00:42:53,240 --> 00:42:58,280
is just continue being curious about all this stuff.

607
00:42:58,280 --> 00:43:05,000
Don't be afraid to jump into a new project and maybe search for a new open source tool

608
00:43:05,000 --> 00:43:07,760
that you can use to do certain things.

609
00:43:07,760 --> 00:43:09,880
Don't feel that you're reinventing the wheel.

610
00:43:09,880 --> 00:43:15,520
Actually there is where you learn a lot, just trying to build a lot of stuff yourself.

611
00:43:15,520 --> 00:43:21,240
Yeah, and just continue to be curious and share as much as you can with others.

612
00:43:21,240 --> 00:43:22,240
That also helps a lot.

613
00:43:22,240 --> 00:43:23,960
Hey, thanks for joining us this week.

614
00:43:23,960 --> 00:43:24,960
Really appreciate it.

615
00:43:24,960 --> 00:43:28,920
The only thing I love about doing this podcast is you get to talk to really interesting people

616
00:43:28,920 --> 00:43:30,920
and you always learn something.

617
00:43:30,920 --> 00:43:33,160
And this is again, absolutely no exception.

618
00:43:33,160 --> 00:43:37,160
So again, Roberto, thank you so much for joining this week.

619
00:43:37,160 --> 00:43:41,160
And to all our listeners out there, hopefully you found this of use too.

620
00:43:41,160 --> 00:43:43,360
Stay safe and we'll see you next time.

621
00:43:43,360 --> 00:43:46,520
Thanks for listening to the Azure Security Podcast.

622
00:43:46,520 --> 00:43:53,360
You can find show notes and other resources at our website azsecuritypodcast.net.

623
00:43:53,360 --> 00:43:58,160
If you have any questions, please find us on Twitter at @AzureSecPod.

624
00:43:58,160 --> 00:44:25,160
Background music is from ccmixter.com and licensed under the Creative Commons license.

