1
00:00:00,000 --> 00:00:09,600
Welcome to the Azure Security podcast, where we discuss topics relating to security, privacy,

2
00:00:09,600 --> 00:00:13,280
reliability and compliance on the Microsoft Cloud Platform.

3
00:00:13,280 --> 00:00:17,620
Hey everybody, welcome to episode 95.

4
00:00:17,620 --> 00:00:20,760
This week is myself, Michael, with Mark and Sarah.

5
00:00:20,760 --> 00:00:24,800
And this week our guest is Sherrod DeGrippo, who's here to talk to us about threat intelligence.

6
00:00:24,800 --> 00:00:28,280
But before we get to our guests, let's take a little lap around the news.

7
00:00:28,280 --> 00:00:30,400
Mark, why don't you kick things off?

8
00:00:30,400 --> 00:00:31,400
Thanks, Mike.

9
00:00:31,400 --> 00:00:38,640
So for me, I actually spoke recently at BSides Tampa and I was quite amazed at how big

10
00:00:38,640 --> 00:00:39,640
the event was.

11
00:00:39,640 --> 00:00:42,280
It was like 1,900 people or something like that.

12
00:00:42,280 --> 00:00:46,640
And it was a great event, lots of good speakers, you know, except for me.

13
00:00:46,640 --> 00:00:50,400
I mean, I spoke there too, but I did speak on the SOC.

14
00:00:50,400 --> 00:00:53,560
I couldn't believe they approved it, but it was the No BS SOC.

15
00:00:53,560 --> 00:00:56,400
And I was like, okay, yeah, I'll make the talk about that.

16
00:00:56,400 --> 00:00:58,240
It landed pretty well and I shared the slides for it.

17
00:00:58,240 --> 00:01:02,320
And so we got the link there in the show notes.

18
00:01:02,320 --> 00:01:06,600
The interesting thing that I picked up actually is sort of the newsworthy element.

19
00:01:06,600 --> 00:01:08,240
There's a great CISO panel.

20
00:01:08,240 --> 00:01:14,400
There was, I think, eight CISOs involved too, co-hosting and six on the panel itself.

21
00:01:14,400 --> 00:01:16,440
And it was a great two-hour discussion.

22
00:01:16,440 --> 00:01:21,760
And like over 45 minutes, if I recall correctly, were focused on a really interesting topic

23
00:01:21,760 --> 00:01:29,160
that I wasn't fully expecting was how important it is for security to do really kind of awareness,

24
00:01:29,160 --> 00:01:34,440
partnership, integration, education of all of the various different parts of the business.

25
00:01:34,440 --> 00:01:39,320
So, you know, business leaders, business unit leaders, on down and directors, managers,

26
00:01:39,320 --> 00:01:42,760
as well as of course, IT partners.

27
00:01:42,760 --> 00:01:48,320
And really, the amount of time that they spent on it, these very seasoned CISOs,

28
00:01:48,320 --> 00:01:52,200
was sort of a very interesting signal to me and it sort of helped me understand that,

29
00:01:52,200 --> 00:01:56,340
you know, at the end of the day, security doesn't do stuff, right?

30
00:01:56,340 --> 00:01:57,560
We don't manage these systems.

31
00:01:57,560 --> 00:01:58,560
We don't keep them up.

32
00:01:58,560 --> 00:02:01,960
You know, we don't, you know, sort of make the decisions in many cases.

33
00:02:01,960 --> 00:02:03,920
It's often the business and the IT folks.

34
00:02:03,920 --> 00:02:07,000
And at the end of the day, we're really a support function, enablement function for

35
00:02:07,000 --> 00:02:08,720
the rest of the org.

36
00:02:08,720 --> 00:02:12,760
And you know, basically, as the CISOs said, the best bang for the buck is working with getting

37
00:02:12,760 --> 00:02:17,480
all these other folks, you know, aware and on board and understanding what's going on.

38
00:02:17,480 --> 00:02:20,300
So you still have to have a SOC, you still have to respond to stuff, you have to track

39
00:02:20,300 --> 00:02:22,340
the attackers and all those kind of things.

40
00:02:22,340 --> 00:02:25,920
But the reality is that the people that take action and keep the incidents from happening

41
00:02:25,920 --> 00:02:30,040
or, you know, make the attackers work a lot harder to make the incident happen, you know,

42
00:02:30,040 --> 00:02:32,720
really are the partners in the business and IT piece.

43
00:02:32,720 --> 00:02:35,160
So that was a really interesting insight for me.

44
00:02:35,160 --> 00:02:37,360
And so I think they recorded it.

45
00:02:37,360 --> 00:02:41,600
I'm not quite sure what the plans are, but we'll definitely post a link when and if that

46
00:02:41,600 --> 00:02:42,600
does happen.

47
00:02:42,600 --> 00:02:47,600
Okay, so I only have one thing this time round.

48
00:02:47,600 --> 00:02:52,820
For those of you who might be interested in using this, the Azure Virtual Network Manager

49
00:02:52,820 --> 00:02:57,480
security admin rule config is now GA in 45 regions.

50
00:02:57,480 --> 00:03:01,240
I actually don't remember how many regions we have now.

51
00:03:01,240 --> 00:03:05,040
The fact that the news says 45 suggests we have more now.

52
00:03:05,040 --> 00:03:08,080
Mark, Michael, do you know how many regions we have?

53
00:03:08,080 --> 00:03:09,080
No idea.

54
00:03:09,080 --> 00:03:14,080
But I think it's great that they added a new role to Virtual Network Managers.

55
00:03:14,080 --> 00:03:15,560
I think that's great.

56
00:03:15,560 --> 00:03:16,560
Yeah.

57
00:03:16,560 --> 00:03:20,880
And so basically, it lets you enforce security policies across subscriptions and regions,

58
00:03:20,880 --> 00:03:22,020
but globally.

59
00:03:22,020 --> 00:03:29,120
And they're evaluated before NSGs, if we think old school firewalls and the way that we process

60
00:03:29,120 --> 00:03:35,160
different rules in an order, which means it's going to be, it will be enforced uniformly

61
00:03:35,160 --> 00:03:37,400
across wherever you apply it to.

62
00:03:37,400 --> 00:03:44,040
So pretty cool, and you should go and check it out if you are using network configuration

63
00:03:44,040 --> 00:03:47,320
in Azure, which I'm pretty sure most folks will be.

64
00:03:47,320 --> 00:03:48,960
Yeah, I have a small number of items.

65
00:03:48,960 --> 00:03:55,040
The first one is in GA is Azure Virtual Network Encryption is now available in all regions,

66
00:03:55,040 --> 00:03:57,240
which is probably bigger than 45.

67
00:03:57,240 --> 00:04:01,120
But this allows you to enable encryption of traffic between virtual machines and virtual

68
00:04:01,120 --> 00:04:03,760
machine scale sets on the same virtual network.

69
00:04:03,760 --> 00:04:07,300
And that's both regionally and globally, paired virtual networks.

70
00:04:07,300 --> 00:04:11,200
Great to see more of these defenses coming into play.

71
00:04:11,200 --> 00:04:15,960
Another one, which is in my backyard, is enabling Key Vault for SQL Server on Linux.

72
00:04:15,960 --> 00:04:20,000
First of all, a lot of people don't even know it's available on Linux, but there you go.

73
00:04:20,000 --> 00:04:22,920
But now we have support for using transparent data encryption.

74
00:04:22,920 --> 00:04:30,200
We can store the key encryption keys in Key Vault from the Linux VM, which is really nice.

75
00:04:30,200 --> 00:04:36,240
Any Linux instance running SQL Server 2022 that's using cumulative update 12 and

76
00:04:36,240 --> 00:04:37,240
beyond.

77
00:04:37,240 --> 00:04:42,240
And it's great to see that now we can have centralized management of keys across our

78
00:04:42,240 --> 00:04:44,560
SQL Server customers who are running on Linux.

79
00:04:44,560 --> 00:04:50,840
Also in GA and also from my backyard, Azure Database for PostgreSQL Flexible Server now

80
00:04:50,840 --> 00:04:52,320
supports Private Link.

81
00:04:52,320 --> 00:04:59,640
I know a lot of customers are really interested in using PostgreSQL on Azure with Private Link.

82
00:04:59,640 --> 00:05:06,720
Another one also from my backyard is in public preview is long term retention for database

83
00:05:06,720 --> 00:05:09,800
for MySQL Flexible Servers.

84
00:05:09,800 --> 00:05:13,520
We can now store your backups for up to 10 years.

85
00:05:13,520 --> 00:05:20,200
I believe the limit was literally about a month prior to this update.

86
00:05:20,200 --> 00:05:24,040
So this is really awesome to see mainly for compliance and regulatory requirements.

87
00:05:24,040 --> 00:05:26,600
All right, so that's the news out of the way.

88
00:05:26,600 --> 00:05:30,240
Now let's turn our attention to our guest, as I mentioned at the beginning.

89
00:05:30,240 --> 00:05:35,600
Our guest this week is Sherrod DeGrippo, who's here to talk to us about threat intelligence.

90
00:05:35,600 --> 00:05:38,040
So Sherrod, first of all, thank you so much for coming on the podcast.

91
00:05:38,040 --> 00:05:41,320
We'd like to take a moment and introduce yourself to our listeners.

92
00:05:41,320 --> 00:05:42,640
Yeah, hi.

93
00:05:42,640 --> 00:05:43,640
My name is Sherrod DeGrippo.

94
00:05:43,640 --> 00:05:47,040
I am the Director of Threat Intelligence Strategy at Microsoft.

95
00:05:47,040 --> 00:05:53,720
I've spent the past 20 years focusing on information security and the past 18 of those years working

96
00:05:53,720 --> 00:05:57,240
at information security and threat intelligence vendors.

97
00:05:57,240 --> 00:05:59,600
So I've been doing this a long time.

98
00:05:59,600 --> 00:06:05,580
And essentially, the whole point is to watch what threat actors do and report back on that

99
00:06:05,580 --> 00:06:07,720
and use it in ways that help protect people.

100
00:06:07,720 --> 00:06:10,760
I'd like to start with the basics, if that's okay.

101
00:06:10,760 --> 00:06:13,120
So tell me, and by the way, I'm a huge fan.

102
00:06:13,120 --> 00:06:17,200
I love your Ignite sessions and all that kind of stuff and your podcast as well.

103
00:06:17,200 --> 00:06:19,760
Tell us, how do you view threat intelligence?

104
00:06:19,760 --> 00:06:22,640
What is it useful for?

105
00:06:22,640 --> 00:06:24,560
Why should people care?

106
00:06:24,560 --> 00:06:30,960
And honestly, how are people using it incorrectly as a term or as a data source?

107
00:06:30,960 --> 00:06:36,560
That question is one that's a firestorm in the industry.

108
00:06:36,560 --> 00:06:41,760
When I think about threat intelligence, threat intelligence to me is the difference between

109
00:06:41,760 --> 00:06:48,920
knowing that no one has broken into your house and me telling you who has tried to break

110
00:06:48,920 --> 00:06:53,120
into your house, what they look like, the car they drive, the kind of clothes they wear,

111
00:06:53,120 --> 00:06:55,760
their height, weight, date of birth.

112
00:06:55,760 --> 00:07:00,260
And I can tell you the other houses they've broken into down the street.

113
00:07:00,260 --> 00:07:06,320
Either way, your home still has not been broken into, but now you're armed with information

114
00:07:06,320 --> 00:07:10,040
that can help you protect yourself more than you were before.

115
00:07:10,040 --> 00:07:13,060
And that's sort of how I see threat intelligence.

116
00:07:13,060 --> 00:07:19,600
It gives you the understanding of what you need to know to make better security choices.

117
00:07:19,600 --> 00:07:20,600
Gotcha.

118
00:07:20,600 --> 00:07:25,320
So it's more than just file hashes and IP addresses.

119
00:07:25,320 --> 00:07:29,280
Sorry, don't mean to trigger you, but I do mean to trigger you.

120
00:07:29,280 --> 00:07:32,280
IOCs are not threat intelligence.

121
00:07:32,280 --> 00:07:38,360
So right, if you're not in this world, something that we talk about quite a bit is data.

122
00:07:38,360 --> 00:07:41,920
And an example that you used is a bunch of file hashes.

123
00:07:41,920 --> 00:07:45,680
So if you have a feed of file hashes, is that threat intelligence?

124
00:07:45,680 --> 00:07:47,380
I would say absolutely not.

125
00:07:47,380 --> 00:07:48,800
It is not threat intelligence.

126
00:07:48,800 --> 00:07:50,080
It is data.

127
00:07:50,080 --> 00:07:57,200
And it has maybe an additional metadata point, which is these are file hashes that are malicious

128
00:07:57,200 --> 00:08:00,280
and they're malicious in a certain way.

129
00:08:00,280 --> 00:08:06,560
Data has to be processed and analyzed before it can become part of threat intelligence.

130
00:08:06,560 --> 00:08:09,600
And I argue that even that isn't enough.

131
00:08:09,600 --> 00:08:14,120
In order for it to actually be credible threat intelligence, it needs to be processed by

132
00:08:14,120 --> 00:08:19,240
someone who has threat analysis, training, education, and experience.

133
00:08:19,240 --> 00:08:20,240
Gotcha.

134
00:08:20,240 --> 00:08:23,640
So it's really effectively, it's the context to help you make a decision.

135
00:08:23,640 --> 00:08:29,000
It's a context to help you make a decision, and I think one of those big decisions that

136
00:08:29,000 --> 00:08:33,520
we would talk about would be resource allocation, which is a really important example.

137
00:08:33,520 --> 00:08:38,200
So if people aren't familiar who are listening, we typically break threat actors up into two

138
00:08:38,200 --> 00:08:39,440
main groups.

139
00:08:39,440 --> 00:08:46,120
And that typically is APT or nation-sponsored threat actors, which are your traditional

140
00:08:46,120 --> 00:08:50,400
espionage groups that are a lot of times government employees for the most part.

141
00:08:50,400 --> 00:08:53,600
And they work with the military intelligence or they work in some kind of security services

142
00:08:53,600 --> 00:08:54,980
for their country.

143
00:08:54,980 --> 00:09:00,360
And they are tasked with espionage responsibilities and they do that espionage over cyber channels,

144
00:09:00,360 --> 00:09:01,360
so over the internet.

145
00:09:01,360 --> 00:09:05,840
And then we typically see on the other side of that financially motivated or crime.

146
00:09:05,840 --> 00:09:11,840
There's also like third, fourth, fifth categories of like hacktivism and disruptor and private

147
00:09:11,840 --> 00:09:13,840
sector offensive actors and things.

148
00:09:13,840 --> 00:09:17,840
But for the most part, we break them into those two categories.

149
00:09:17,840 --> 00:09:23,920
And if you're an organization that traditionally is not targeted, for example, by nation-backed

150
00:09:23,920 --> 00:09:30,480
threat actors, let's say you're a retail enterprise, most governments are generally not attacking

151
00:09:30,480 --> 00:09:31,720
retail enterprise.

152
00:09:31,720 --> 00:09:34,440
It doesn't have a lot of espionage value.

153
00:09:34,440 --> 00:09:39,680
So that would mean I would advise you to focus your resources around fraud, financial and

154
00:09:39,680 --> 00:09:40,680
crimeware.

155
00:09:40,680 --> 00:09:42,560
So that's where you would want to put your time.

156
00:09:42,560 --> 00:09:46,720
It doesn't mean that you'll never get attacked by a nation-sponsored actor, but it does mean

157
00:09:46,720 --> 00:09:50,640
that you'll essentially get a bigger return on your investment if you give a little bit

158
00:09:50,640 --> 00:09:52,880
more focus to those crimeware actors.

159
00:09:52,880 --> 00:09:56,920
So one thing I hear all the time are these sort of, I'm not going to sugarcoat this,

160
00:09:56,920 --> 00:09:58,640
but all these sort of funky names.

161
00:09:58,640 --> 00:10:05,000
When we come to describe what's going on in the world, is there like a meaning to those

162
00:10:05,000 --> 00:10:06,000
names?

163
00:10:06,000 --> 00:10:09,240
I mean, or does someone just come up with a random idea and say, hey, well, let's call

164
00:10:09,240 --> 00:10:13,880
these things something funky or what's the story behind all that?

165
00:10:13,880 --> 00:10:17,720
That's a great topic, which is one that people talk about quite a bit in the industry.

166
00:10:17,720 --> 00:10:23,640
It's a bit of a spicy, spicy topic.

167
00:10:23,640 --> 00:10:28,000
So essentially we want to differentiate these groups when we do something called attribution.

168
00:10:28,000 --> 00:10:35,260
Attribution is essentially saying this particular activity is, you know, there's a responsible

169
00:10:35,260 --> 00:10:38,200
party and that responsible party is this group.

170
00:10:38,200 --> 00:10:41,120
We typically think of threat actors in groups.

171
00:10:41,120 --> 00:10:48,440
If you're not familiar with this world, you might think of like a lone hacker in an attic

172
00:10:48,440 --> 00:10:55,440
who's doing her hacking and she's going after a company to steal their information.

173
00:10:55,440 --> 00:10:56,800
That's a bit storybook.

174
00:10:56,800 --> 00:11:03,500
We actually more see groups that are organized into a professional operation and whether

175
00:11:03,500 --> 00:11:12,720
those groups are employed by a nation or employed by sort of a crime organization, they typically

176
00:11:12,720 --> 00:11:14,640
fall into group categories.

177
00:11:14,640 --> 00:11:19,000
In order to track those groups, we give them names.

178
00:11:19,000 --> 00:11:25,840
And Microsoft about a year ago released a new naming convention, which is made up of

179
00:11:25,840 --> 00:11:27,160
two pieces.

180
00:11:27,160 --> 00:11:32,560
It's a modifier and then an indicator that tells you the country of origin.

181
00:11:32,560 --> 00:11:39,040
So as an example, Sandstorm will always be an actor that is based out of or sponsored

182
00:11:39,040 --> 00:11:40,040
by Iran.

183
00:11:40,040 --> 00:11:42,080
Do you have some other examples?

184
00:11:42,080 --> 00:11:43,080
Just other names?

185
00:11:43,080 --> 00:11:44,560
Yeah, there's so many.

186
00:11:44,560 --> 00:11:49,920
So we track over 300 different actor groups and once we know enough about them to give

187
00:11:49,920 --> 00:11:51,720
them a name, they graduate.

188
00:11:51,720 --> 00:11:56,720
They start off as a Storm group, a Storm and a number, and then they eventually get graduated

189
00:11:56,720 --> 00:11:57,840
into a full name.

190
00:11:57,840 --> 00:12:07,120
So Octo Tempest is a crimeware group that's quite a big topic in the news right now.

191
00:12:07,120 --> 00:12:13,120
Silk Typhoon or Volt Typhoon, those are both actors that are based out of China.

192
00:12:13,120 --> 00:12:18,180
The Tsunami groups, those are what we call private sector offensive actors.

193
00:12:18,180 --> 00:12:24,640
So those are typically part of some kind of private entity that works on behalf of a government.

194
00:12:24,640 --> 00:12:29,800
Blizzards are based out of Russia and Sleets are typically based out of North Korea.

195
00:12:29,800 --> 00:12:35,920
So each country sort of has its own assigned weather pattern and then we add a modifier

196
00:12:35,920 --> 00:12:40,540
in front of it, like a color or a texture or a type so that we can kind of keep them

197
00:12:40,540 --> 00:12:42,200
all separated.

198
00:12:42,200 --> 00:12:47,280
And there are people within Microsoft threat intelligence that are responsible for focusing

199
00:12:47,280 --> 00:12:49,860
on that particular group.

200
00:12:49,860 --> 00:12:59,360
So we have individuals in Microsoft who focus 100%, for example, on, let's see, Cadet

201
00:12:59,360 --> 00:13:01,920
Blizzard, which is a Russian-based threat actor.

202
00:13:01,920 --> 00:13:07,080
And that's really who they track and they watch the threats that that threat actor sends

203
00:13:07,080 --> 00:13:12,160
in their attempts to do espionage operations against Microsoft customers.

204
00:13:12,160 --> 00:13:13,160
Okay.

205
00:13:13,160 --> 00:13:20,720
I'm going to ask just for anybody out there who's listening who might not know, what is

206
00:13:20,720 --> 00:13:23,720
an APT, Sherrod?

207
00:13:23,720 --> 00:13:25,640
So we level set on that.

208
00:13:25,640 --> 00:13:26,760
There's no level setting.

209
00:13:26,760 --> 00:13:28,440
That's also very controversial.

210
00:13:28,440 --> 00:13:34,320
Oh, there's so many fights over the definition of APT.

211
00:13:34,320 --> 00:13:37,840
So APT stands for Advanced Persistent Threat, which Sarah of course knows.

212
00:13:37,840 --> 00:13:45,360
And that typically has become over time synonymous, correct or not, synonymous with nation-sponsored

213
00:13:45,360 --> 00:13:46,360
threats.

214
00:13:46,360 --> 00:13:54,640
I try to leverage the terminology of nation-sponsored, meaning that a particular country's government

215
00:13:54,640 --> 00:13:58,360
is in support of the activity of that group.

216
00:13:58,360 --> 00:14:01,320
An APT could be a crime group.

217
00:14:01,320 --> 00:14:02,320
It depends.

218
00:14:02,320 --> 00:14:03,800
It's a bit subjective.

219
00:14:03,800 --> 00:14:11,360
But I would say that certain crime groups of the past probably were worth considering

220
00:14:11,360 --> 00:14:13,760
at that APT level.

221
00:14:13,760 --> 00:14:20,120
Like FIN7, for example, which I don't have the Microsoft name off the top of my head

222
00:14:20,120 --> 00:14:21,120
for FIN7.

223
00:14:21,120 --> 00:14:25,800
But FIN7, I would say would definitely qualify as an APT group.

224
00:14:25,800 --> 00:14:27,680
They were advanced.

225
00:14:27,680 --> 00:14:29,520
They were persistent.

226
00:14:29,520 --> 00:14:36,240
And it's really a lot of times the persistence that tends to be the qualifier.

227
00:14:36,240 --> 00:14:43,520
A lot of those threat actors are not super advanced, but they might be nation-sponsored

228
00:14:43,520 --> 00:14:44,520
and they might be persistent.

229
00:14:44,520 --> 00:14:47,000
So they get that APT designation.

230
00:14:47,000 --> 00:14:50,480
FIN7 is Sangria Tempest at Microsoft.

231
00:14:50,480 --> 00:14:53,440
So APT is sort of like the big baddies.

232
00:14:53,440 --> 00:14:54,440
They're organized.

233
00:14:54,440 --> 00:14:55,440
They're operational.

234
00:14:55,440 --> 00:14:58,760
They're typically sponsored by a country's government who's comfortable with the work

235
00:14:58,760 --> 00:14:59,760
they're doing.

236
00:14:59,760 --> 00:15:02,520
And they're typically going after things for espionage purposes.

237
00:15:02,520 --> 00:15:07,920
Now, is some of the confusion around that APT term that it was originally sort of

238
00:15:07,920 --> 00:15:13,920
a, hey, we can talk about this in public about a nation-state without naming that nation-state,

239
00:15:13,920 --> 00:15:17,520
like going back 20 some years and then it's sort of evolved since then?

240
00:15:17,520 --> 00:15:22,160
Or I'm just kind of curious, how did we get to this level of confusion?

241
00:15:22,160 --> 00:15:24,640
I don't want to be responsible for how we got here.

242
00:15:24,640 --> 00:15:26,320
No, I think you're right.

243
00:15:26,320 --> 00:15:32,240
Well, I think what's happened is, yeah, so APT1 was released, you're right, about 20

244
00:15:32,240 --> 00:15:33,680
years ago or something.

245
00:15:33,680 --> 00:15:40,800
And over time, I think what has really caused the merging and squishiness and sort of gray

246
00:15:40,800 --> 00:15:44,080
areas in a lot of places is this.

247
00:15:44,080 --> 00:15:49,600
Every organization, whether they're private enterprise, public sector, such as a government

248
00:15:49,600 --> 00:15:55,240
entity, if they're a think tank, they could be an NGO, they could be a nonprofit.

249
00:15:55,240 --> 00:15:59,160
All of these analysts that are responsible for doing this tracking have a different point

250
00:15:59,160 --> 00:16:00,340
of view.

251
00:16:00,340 --> 00:16:05,800
So every organization sees a different slice of data, kind of like if you've ever heard

252
00:16:05,800 --> 00:16:11,800
that parable of people touching an elephant and they're all describing something different

253
00:16:11,800 --> 00:16:17,600
and ultimately, it's because they only have this narrow limited visibility.

254
00:16:17,600 --> 00:16:21,960
The trunk, the tail, the leg, et cetera, they think it's a tree or a brush or whatever.

255
00:16:21,960 --> 00:16:22,960
Right, exactly.

256
00:16:22,960 --> 00:16:28,640
They're unable to see the whole picture because of their restricted visibility.

257
00:16:28,640 --> 00:16:33,280
And I think that that's true about all of the analyst groups that do this work.

258
00:16:33,280 --> 00:16:38,080
And that has kind of led to a separation in the way that we do naming, in the way that

259
00:16:38,080 --> 00:16:44,280
we consider things APT, in the way that we consider things nation-sponsored versus private

260
00:16:44,280 --> 00:16:47,560
sector.

261
00:16:47,560 --> 00:16:48,560
It is squishy.

262
00:16:48,560 --> 00:16:49,880
And I'll tell you this though.

263
00:16:49,880 --> 00:16:57,600
What I love about it is that threat intelligence is data analyzed and put through not only

264
00:16:57,600 --> 00:17:05,800
rigor but subjective designations and subjective commentary based on an individual's experience.

265
00:17:05,800 --> 00:17:15,040
That subjectivity is very, very important because it brings a sense of opinion, background,

266
00:17:15,040 --> 00:17:18,320
and direction that you can't just get from data alone.

267
00:17:18,320 --> 00:17:22,480
Yeah, because ultimately, these are humans on the other end and these are just the digital

268
00:17:22,480 --> 00:17:26,680
trails that they've left that we're able to infer things about their motivations, which

269
00:17:26,680 --> 00:17:31,200
are just as fluid as any other humans and doing a job.

270
00:17:31,200 --> 00:17:33,720
I love that because the thing that...

271
00:17:33,720 --> 00:17:35,080
We talk about this quite a bit.

272
00:17:35,080 --> 00:17:36,080
You're exactly right.

273
00:17:36,080 --> 00:17:39,280
Most of these groups are operationalized and they're either doing...

274
00:17:39,280 --> 00:17:43,920
They're generally doing a job for their employer, whether their employer is an organized criminal

275
00:17:43,920 --> 00:17:47,860
group or their employer is a government of some type.

276
00:17:47,860 --> 00:17:50,800
Most of these threat actor groups are given directions.

277
00:17:50,800 --> 00:17:52,760
They're given operational projects.

278
00:17:52,760 --> 00:17:54,440
They're given tasks.

279
00:17:54,440 --> 00:17:58,520
And really, if you think about it, what's so crazy is that people in threat intelligence

280
00:17:58,520 --> 00:18:04,480
and information security, all our job is to make the other person's job not work.

281
00:18:04,480 --> 00:18:10,040
They're just doing their job and we are just trying to make them really bad at their job.

282
00:18:10,040 --> 00:18:13,260
And that's just the back and forth of it.

283
00:18:13,260 --> 00:18:14,680
Our success is their failure.

284
00:18:14,680 --> 00:18:16,280
I actually just posted on LinkedIn about that today.

285
00:18:16,280 --> 00:18:20,280
It's quite amazing that there are people, especially in the criminal world, I think

286
00:18:20,280 --> 00:18:24,400
that's something that a lot of people don't understand or aren't familiar with.

287
00:18:24,400 --> 00:18:28,960
In Eastern European and Russian criminal groups, as well as Nigerian, Middle Eastern, the crimeware

288
00:18:28,960 --> 00:18:35,480
groups generally don't see what they do as illegal or immoral or unethical.

289
00:18:35,480 --> 00:18:37,860
They don't really see themselves as criminals.

290
00:18:37,860 --> 00:18:40,000
Their family doesn't see them as criminals.

291
00:18:40,000 --> 00:18:45,040
They see themselves as, well, I'm a software developer or what, I'm a computer engineer,

292
00:18:45,040 --> 00:18:46,360
but I run internet.

293
00:18:46,360 --> 00:18:50,080
I follow the directions that I'm given and I make these things happen.

294
00:18:50,080 --> 00:18:51,080
It's not a big deal.

295
00:18:51,080 --> 00:18:52,080
It's just computer stuff.

296
00:18:52,080 --> 00:18:58,200
And so you kind of have to understand their job is really to hit the targets that they've

297
00:18:58,200 --> 00:19:00,080
been told to hit that day.

298
00:19:00,080 --> 00:19:03,520
And our job is to prevent them from hitting the targets they've been told to hit that

299
00:19:03,520 --> 00:19:04,520
day.

300
00:19:04,520 --> 00:19:05,520
We have to make them fail.

301
00:19:05,520 --> 00:19:07,760
We're trying to make people fail at their jobs.

302
00:19:07,760 --> 00:19:09,800
So that's actually a very interesting segue.

303
00:19:09,800 --> 00:19:14,640
So if we get to the absolute practicalities of it, I mean, it's fair to say that these

304
00:19:14,640 --> 00:19:18,160
threat actors are obviously going after cloud resources, right?

305
00:19:18,160 --> 00:19:19,560
That's why we're the Azure Security Podcast.

306
00:19:19,560 --> 00:19:20,560
Yes.

307
00:19:20,560 --> 00:19:25,120
So what sort of things can you share with our listeners about what things you're seeing

308
00:19:25,120 --> 00:19:29,280
and perhaps more importantly, what can they do?

309
00:19:29,280 --> 00:19:35,400
So I think one of the things that I always talk about with groups and CISOs and engineers

310
00:19:35,400 --> 00:19:42,760
and everybody when I think about this is, so if I had a choice to raid your personal

311
00:19:42,760 --> 00:19:49,800
checking account or your employer's checking account, your employer's bank account, which

312
00:19:49,800 --> 00:19:52,320
one do you think would be more attractive?

313
00:19:52,320 --> 00:19:53,960
I would assume it's your employer.

314
00:19:53,960 --> 00:19:55,880
For all of us, I'm sure it is.

315
00:19:55,880 --> 00:19:59,020
But when you think about it from that perspective, you have to understand that threat actors

316
00:19:59,020 --> 00:20:08,000
find corporate enterprise identities to be extremely valuable because what they can do

317
00:20:08,000 --> 00:20:10,240
is they can log in as you.

318
00:20:10,240 --> 00:20:12,120
They can get into your identity.

319
00:20:12,120 --> 00:20:13,880
They can become you.

320
00:20:13,880 --> 00:20:18,040
Once they become you, they can operate as you, meaning they can send email as you.

321
00:20:18,040 --> 00:20:20,120
They can read email that you've sent.

322
00:20:20,120 --> 00:20:23,680
They can start forwarding your email to other services.

323
00:20:23,680 --> 00:20:27,240
They can do things like set up rules where certain email goes certain places.

324
00:20:27,240 --> 00:20:29,800
They can reply to threads as you.

325
00:20:29,800 --> 00:20:31,280
They can get into your files.

326
00:20:31,280 --> 00:20:34,120
They can start looking through your data.

327
00:20:34,120 --> 00:20:41,360
So cloud threat in my world is extremely tied to identity threat.

328
00:20:41,360 --> 00:20:46,240
Thinking about threat actors having the ability to become you, that's a super important thing

329
00:20:46,240 --> 00:20:47,920
that you want to think about.

330
00:20:47,920 --> 00:20:52,080
I also think that if you want to do something about it, I think one of the number one things

331
00:20:52,080 --> 00:20:56,640
that you can do is think about your logging situation and your logging strategies.

332
00:20:56,640 --> 00:21:02,040
Those tend to be the places that it's like ripping the mask off the Scooby-Doo villain.

333
00:21:02,040 --> 00:21:06,160
It's sort of like, okay, now I can see what's really going on.

334
00:21:06,160 --> 00:21:09,960
I think that that's a really important thing to do as well as making sure that your identities

335
00:21:09,960 --> 00:21:14,260
are... your identities and the identities of those that you're responsible for protecting

336
00:21:14,260 --> 00:21:21,280
are strong and are using multi-factor authentication and are set up in a way that is as secure

337
00:21:21,280 --> 00:21:24,080
as it possibly can be in a best practice.

338
00:21:24,080 --> 00:21:30,680
So if we have all this intel, are we doing something to our products based on this knowledge?

339
00:21:30,680 --> 00:21:36,120
Do we take that threat intel and I'm not going to say productize it, but at least put some

340
00:21:36,120 --> 00:21:38,560
elements of the data into our products?

341
00:21:38,560 --> 00:21:39,560
Absolutely.

342
00:21:39,560 --> 00:21:41,720
So we do productize the threat intelligence itself.

343
00:21:41,720 --> 00:21:45,400
You can access that through something like Copilot for Security.

344
00:21:45,400 --> 00:21:50,800
You can go and ask it specifically, like, tell me about Octo Tempest and it will.

345
00:21:50,800 --> 00:21:57,440
But the majority of those 78 trillion signals, we take that information, and we're watching

346
00:21:57,440 --> 00:21:58,560
what threat actors are doing.

347
00:21:58,560 --> 00:22:02,400
We're watching their attempts to break into your house, for example.

348
00:22:02,400 --> 00:22:06,920
We're watching their attempts to distribute malware or brute force passwords or break

349
00:22:06,920 --> 00:22:08,580
into web panels.

350
00:22:08,580 --> 00:22:13,040
We're watching threat actors do those things and we're seeing and understanding those attempts

351
00:22:13,040 --> 00:22:18,160
and we're taking that information and we're putting it back into the product to protect

352
00:22:18,160 --> 00:22:23,760
people better and better and better across the full portfolio of products, whether it's

353
00:22:23,760 --> 00:22:29,440
cloud or endpoint or email or web browsing or browser or search.

354
00:22:29,440 --> 00:22:33,000
Those are constantly being updated, literally all day.

355
00:22:33,000 --> 00:22:36,760
That's the majority of what threat detection engineers at Microsoft do is they take the

356
00:22:36,760 --> 00:22:41,160
threat intelligence we have and they turn that into a detection capability.

357
00:22:41,160 --> 00:22:46,720
Now I know that we have all these different threat actors with different names, but I

358
00:22:46,720 --> 00:22:52,400
wondered if you could tell us about, I don't want to use the word cool because cool doesn't

359
00:22:52,400 --> 00:22:59,200
seem like the right word to describe them, but some of the interesting groups that we've

360
00:22:59,200 --> 00:23:05,480
been tracking and what they've been up to because I always find this stuff fascinating.

361
00:23:05,480 --> 00:23:06,480
Absolutely.

362
00:23:06,480 --> 00:23:14,080
I think I also find it fascinating and I think that's pretty common in the threat intelligence

363
00:23:14,080 --> 00:23:15,360
world in the industry.

364
00:23:15,360 --> 00:23:21,220
People say, oh my gosh, did you see this TTP, which is a way to say, did you see what they're

365
00:23:21,220 --> 00:23:22,940
doing, their tactics?

366
00:23:22,940 --> 00:23:25,280
Did you see this interesting thing that threat actor is doing?

367
00:23:25,280 --> 00:23:29,600
I think right now the industry is really focused on Octo Tempest.

368
00:23:29,600 --> 00:23:36,000
Octo Tempest is also known as Scattered Spider or UNC3944 and they actually leverage a significant

369
00:23:36,000 --> 00:23:37,920
amount of social engineering.

370
00:23:37,920 --> 00:23:43,320
So they'll call a help desk, they'll pretend to be an employee and they will attempt to

371
00:23:43,320 --> 00:23:49,800
get the help desk to reset the password of that employee and then the threat actor will

372
00:23:49,800 --> 00:23:55,900
log in as that employee and start trying to elevate privileges or leverage exploits.

373
00:23:55,900 --> 00:24:02,480
They use this combination of social engineering, moving immediately to some kind of technical capability

374
00:24:02,480 --> 00:24:08,640
once they're able to log in and then they typically, very quickly, and I mean within

375
00:24:08,640 --> 00:24:14,040
a couple of hours, like extremely quickly, they understand the entire network landscape

376
00:24:14,040 --> 00:24:20,400
of that target organization and then they do ransomware, meaning they encrypt all of

377
00:24:20,400 --> 00:24:24,420
the data that they have access to and they start making ransom demands.

378
00:24:24,420 --> 00:24:27,800
This is a very high profile threat actor.

379
00:24:27,800 --> 00:24:31,000
We've talked about them on the Microsoft Threat Intelligence podcast.

380
00:24:31,000 --> 00:24:32,680
We've written blogs about them.

381
00:24:32,680 --> 00:24:36,160
Octo Tempest is a significant actor on the crimeware landscape right now.

382
00:24:36,160 --> 00:24:41,160
Are there any other choice groups you can tell us about?

383
00:24:41,160 --> 00:24:42,480
Oh, there's so many.

384
00:24:42,480 --> 00:24:44,560
So Peach Sandstorm is another one.

385
00:24:44,560 --> 00:24:52,200
So Peach Sandstorm is typically associated with activity that is considered intelligence

386
00:24:52,200 --> 00:24:53,200
gathering.

387
00:24:53,200 --> 00:24:55,480
They also are based out of Iran.

388
00:24:55,480 --> 00:25:02,400
So we see that group doing things like using SAML attacks to exfiltrate data.

389
00:25:02,400 --> 00:25:07,640
We see them doing persistence, which means that they will stay within an environment

390
00:25:07,640 --> 00:25:12,540
and they'll try to get back into an environment if they do get evicted from it.

391
00:25:12,540 --> 00:25:19,960
We have a lot of information on Peach Sandstorm doing things like spear phishing and using Red

392
00:25:19,960 --> 00:25:21,800
Team tools that are open source.

393
00:25:21,800 --> 00:25:28,800
So if you ever see some of those arguments online about should open source offensive

394
00:25:28,800 --> 00:25:32,840
tools be allowed because they are used by threat actors, in this case, Peach Sandstorm

395
00:25:32,840 --> 00:25:34,880
is one of those actors.

396
00:25:34,880 --> 00:25:39,740
Also, they go after remote management tools.

397
00:25:39,740 --> 00:25:45,360
So any of those remote management and remote access tools that are legitimate, they try

398
00:25:45,360 --> 00:25:50,840
to leverage those and get into them so that they can control a machine remotely.

399
00:25:50,840 --> 00:25:57,280
And finally, they're known to typically go after the energy sector and the defense sector.

400
00:25:57,280 --> 00:26:00,360
So they have a specific targeting vertical that they like to hit.

401
00:26:00,360 --> 00:26:06,080
I'm sure that we could talk probably about most of these groups all day.

402
00:26:06,080 --> 00:26:11,400
But in the interest of time, I won't ask you to keep listing them even though we should

403
00:26:11,400 --> 00:26:13,720
totally talk about them offline sometimes.

404
00:26:13,720 --> 00:26:17,000
For anyone listening, if you're interested in these threat actor profiles, just follow

405
00:26:17,000 --> 00:26:22,560
the Microsoft Threat Intelligence blog and you'll get all of the updates and profiles

406
00:26:22,560 --> 00:26:23,920
as we publish them.

407
00:26:23,920 --> 00:26:24,920
They're pretty fascinating.

408
00:26:24,920 --> 00:26:26,960
So where does AI fit in all of this?

409
00:26:26,960 --> 00:26:29,280
I mean, AI seems to fit in absolutely everything these days.

410
00:26:29,280 --> 00:26:30,840
So I mean, are the attackers using AI?

411
00:26:30,840 --> 00:26:32,080
Are they leveraging AI?

412
00:26:32,080 --> 00:26:33,080
What's going on there?

413
00:26:33,080 --> 00:26:35,480
Yeah, that's something we're watching closely.

414
00:26:35,480 --> 00:26:40,800
And honestly, what are threat actors doing with AI for probably the past 12 or 18 months

415
00:26:40,800 --> 00:26:44,000
has been the number one question that I've gotten.

416
00:26:44,000 --> 00:26:50,040
And I'll tell you, we did a really nice report in February about threat actors and how they're

417
00:26:50,040 --> 00:26:51,760
leveraging AI.

418
00:26:51,760 --> 00:26:57,680
And we specifically focused on the four primary nation-sponsored groups, which are Russia,

419
00:26:57,680 --> 00:27:00,000
North Korea, China, and Iran.

420
00:27:00,000 --> 00:27:06,700
And we found that all four of those countries had groups leveraging AI.

421
00:27:06,700 --> 00:27:08,280
They're using it for reconnaissance.

422
00:27:08,280 --> 00:27:13,800
They're using it to help them build scripting tools or scripting to build tools.

423
00:27:13,800 --> 00:27:16,840
They're using it to refine their development capabilities.

424
00:27:16,840 --> 00:27:23,520
So they're using it for pretty technical assistance type co-pilot work.

425
00:27:23,520 --> 00:27:25,660
They're doing vulnerability research.

426
00:27:25,660 --> 00:27:30,680
They're using it to better understand how they can socially engineer their targets.

427
00:27:30,680 --> 00:27:36,360
They're also using it to evade detection mechanisms, meaning they're trying to figure out how they

428
00:27:36,360 --> 00:27:40,520
can make their attacks not noticed by detection and protection products.

429
00:27:40,520 --> 00:27:43,960
And of course, the good guys are using it for good as well.

430
00:27:43,960 --> 00:27:48,640
Like, we have products like Copilot for Security, which we talked about a couple of weeks ago.

431
00:27:48,640 --> 00:27:49,640
Right.

432
00:27:49,640 --> 00:27:56,520
And what's noteworthy to me is that the defenders, those who create detection products and security

433
00:27:56,520 --> 00:28:00,760
products, we've been using AI and machine learning and data science.

434
00:28:00,760 --> 00:28:02,760
We've been using that for years and years and years.

435
00:28:02,760 --> 00:28:07,280
We're actually very, very good at using it for detection and protection.

436
00:28:07,280 --> 00:28:13,840
So while the threat actors are experimenting with this now, it's likely that they will

437
00:28:13,840 --> 00:28:16,920
go deeper and deeper and get better at it and better at it.

438
00:28:16,920 --> 00:28:22,000
But we're pretty well ahead of the game in terms of using AI for detection.

439
00:28:22,000 --> 00:28:24,340
So I think we're very well positioned there.

440
00:28:24,340 --> 00:28:27,520
We being Microsoft or we the defenders?

441
00:28:27,520 --> 00:28:29,800
Well we being Microsoft.

442
00:28:29,800 --> 00:28:33,720
So I have a much deeper view into Microsoft than I do anywhere else.

443
00:28:33,720 --> 00:28:38,080
And I absolutely see that Microsoft has been using AI for protection capabilities for years

444
00:28:38,080 --> 00:28:39,120
and years.

445
00:28:39,120 --> 00:28:46,600
So yeah, I'm 100% in agreement with you on the Microsoft use of all the various different

446
00:28:46,600 --> 00:28:49,080
generations of AI technology and machine learning.

447
00:28:49,080 --> 00:28:53,880
Because I've been very impressed with what I've seen our product teams do with that.

448
00:28:53,880 --> 00:28:57,360
There are other, in my opinion, there are other good uses of it in industry as well.

449
00:28:57,360 --> 00:28:59,860
So Microsoft's not the only one that's doing that.

450
00:28:59,860 --> 00:29:04,600
So security is definitely a team sport and we are all defenders.

451
00:29:04,600 --> 00:29:05,920
That's one of my big things.

452
00:29:05,920 --> 00:29:12,120
One of the things that we do, Sherrod, is we always ask our guests as a final closeout.

453
00:29:12,120 --> 00:29:13,680
What are your final thoughts?

454
00:29:13,680 --> 00:29:18,320
Something you'd like to leave our audience with to plant a seed and get them thinking

455
00:29:18,320 --> 00:29:21,760
on what you think is important or interesting for them to think about?

456
00:29:21,760 --> 00:29:24,800
I think something really, really important to think about, especially if you're cloud

457
00:29:24,800 --> 00:29:34,680
focused, is constantly tapping into that little spider sense, tingly feeling of concern that

458
00:29:34,680 --> 00:29:38,760
you have when you see something and you think, that's weird.

459
00:29:38,760 --> 00:29:45,640
If you can really listen to that feeling, I think it brings a broader security mindset

460
00:29:45,640 --> 00:29:47,080
to what you do.

461
00:29:47,080 --> 00:29:52,760
If you're constantly checking in with yourself of, when I look at this code, when I look

462
00:29:52,760 --> 00:29:57,120
at this diagram, when I look at this behavior, when that little weird blip came up on the

463
00:29:57,120 --> 00:30:01,120
computer when I clicked that link, what was that?

464
00:30:01,120 --> 00:30:06,120
If you hold onto that feeling for a moment and say, I worry that I need to investigate

465
00:30:06,120 --> 00:30:10,120
this a little more, and you dig a little deeper, maybe you ask a friend.

466
00:30:10,120 --> 00:30:12,120
Maybe you find somebody in your security team.

467
00:30:12,120 --> 00:30:16,680
Maybe you use some of the tools that you have in your organization to report security concerns.

468
00:30:16,680 --> 00:30:21,720
I think we've all got to listen better now to our intuition because security is every

469
00:30:21,720 --> 00:30:23,040
single person's job.

470
00:30:23,040 --> 00:30:28,680
It's every single person's responsibility, whether you're a coder, developer, operations,

471
00:30:28,680 --> 00:30:30,480
security, anything.

472
00:30:30,480 --> 00:30:33,080
Security is number one and you have to focus on it.

473
00:30:33,080 --> 00:30:38,040
I know we could probably spend the next couple of hours going over some example crime groups,

474
00:30:38,040 --> 00:30:39,440
but we just don't have time.

475
00:30:39,440 --> 00:30:40,440
So look, hey.

476
00:30:40,440 --> 00:30:42,440
I'll come back and we'll talk.

477
00:30:42,440 --> 00:30:43,440
All right.

478
00:30:43,440 --> 00:30:46,000
Hey, look, Sherrod, thank you so much for joining us this week.

479
00:30:46,000 --> 00:30:47,480
I know you're really, really busy.

480
00:30:47,480 --> 00:30:51,560
I learned something on every single episode, but this one, there's a lot that I know I

481
00:30:51,560 --> 00:30:52,560
didn't know.

482
00:30:52,560 --> 00:30:53,560
So this has been really useful.

483
00:30:53,560 --> 00:30:56,000
Again, thank you so much for joining us this week.

484
00:30:56,000 --> 00:30:59,440
And to all our listeners out there, we hope you found it of use as well.

485
00:30:59,440 --> 00:31:01,480
Stay safe and we'll see you next time.

486
00:31:01,480 --> 00:31:04,640
Thanks for listening to the Azure Security Podcast.

487
00:31:04,640 --> 00:31:11,480
You can find show notes and other resources at our website, azsecuritypodcast.net.

488
00:31:11,480 --> 00:31:16,640
If you have any questions, please find us on Twitter at AzureSecPod.

489
00:31:16,640 --> 00:31:21,640
The music is from ccmixter.com and licensed under the Creative Commons license.

