1
00:00:00,000 --> 00:00:06,200
Welcome to the Azure Security Podcast,

2
00:00:06,200 --> 00:00:09,380
where we discuss topics relating to security, privacy,

3
00:00:09,380 --> 00:00:13,440
reliability, and compliance on the Microsoft Cloud Platform.

4
00:00:13,440 --> 00:00:16,500
Hey everybody, welcome to Episode 37.

5
00:00:16,500 --> 00:00:17,740
This week, we have a full house.

6
00:00:17,740 --> 00:00:20,960
We have myself, Michael, and we have Gladys, Sarah, and Mark.

7
00:00:20,960 --> 00:00:23,820
We also have a guest, Roberto Rodriguez,

8
00:00:23,820 --> 00:00:25,360
who's here to talk to us about

9
00:00:25,360 --> 00:00:29,020
attacker tradecraft and a tool that we have named Simuland.

10
00:00:29,020 --> 00:00:32,600
But before we get to Roberto, let's talk about the news.

11
00:00:32,600 --> 00:00:33,560
I'd like to kick things off.

12
00:00:33,560 --> 00:00:35,360
I really like to kick the news off the last couple of weeks,

13
00:00:35,360 --> 00:00:37,360
but I really want to get this front and center.

14
00:00:37,360 --> 00:00:39,640
So the first one I want to get out of the way is,

15
00:00:39,640 --> 00:00:41,560
there is now a public preview for

16
00:00:41,560 --> 00:00:44,400
PrivateLink user-defined route support.

17
00:00:44,400 --> 00:00:46,500
There's also public preview for

18
00:00:46,500 --> 00:00:49,640
PrivateLink network security group support.

19
00:00:49,640 --> 00:00:52,040
Now, I know that I think a lot of people who have been working

20
00:00:52,040 --> 00:00:53,840
with PrivateLink, some private endpoints,

21
00:00:53,840 --> 00:00:55,600
have really been looking forward to this.

22
00:00:55,600 --> 00:00:57,760
So it's now in public preview.

23
00:00:57,760 --> 00:00:59,280
Talking of PrivateLink,

24
00:00:59,280 --> 00:01:01,800
the Azure PrivateLink service is now generally

25
00:01:01,800 --> 00:01:04,000
available in our Chinese region,

26
00:01:04,000 --> 00:01:05,640
probably not a lot more to say other than

27
00:01:05,640 --> 00:01:07,320
it's available in China now.

28
00:01:07,320 --> 00:01:11,080
Next one is Azure Virtual Desktop.

29
00:01:11,080 --> 00:01:13,760
We now have screen capture protection.

30
00:01:13,760 --> 00:01:16,720
This mitigates things like taking a screen grab,

31
00:01:16,720 --> 00:01:19,120
using print screen or snipping tools,

32
00:01:19,120 --> 00:01:21,520
and third-party applications that can be used

33
00:01:21,520 --> 00:01:24,760
to essentially leak sensitive information from a screen grab.

34
00:01:24,760 --> 00:01:27,200
This secures a single session host,

35
00:01:27,200 --> 00:01:28,920
or you can use Active Directory to

36
00:01:28,920 --> 00:01:31,280
manage different host pools centrally.

37
00:01:31,280 --> 00:01:33,760
So this is another nice thing to see and also,

38
00:01:33,760 --> 00:01:36,120
there's no extra cost to actually use it.

39
00:01:36,120 --> 00:01:40,920
Finally, for me, Azure Files now supports SMB 3.1.1.

40
00:01:40,920 --> 00:01:43,400
The big change here is the inclusion of

41
00:01:43,400 --> 00:01:47,320
AES-128 and AES-256 in Galois Counter Mode.

42
00:01:47,320 --> 00:01:50,600
So for those that require more modern ciphers,

43
00:01:50,600 --> 00:01:53,240
there you are, SMB 3.1.1.

44
00:01:53,240 --> 00:01:56,440
This is Gladys. For some time now,

45
00:01:56,440 --> 00:01:59,320
the Azure AD team has been working on

46
00:01:59,320 --> 00:02:04,320
moving the Azure AD graph features into Microsoft Graph.

47
00:02:04,320 --> 00:02:08,320
A lot of documentation has been released about this move,

48
00:02:08,320 --> 00:02:12,240
and now on June 30th, 2022,

49
00:02:12,240 --> 00:02:15,560
Microsoft is retiring the Azure AD Graph.

50
00:02:15,560 --> 00:02:21,560
This means that to avoid service disruption before that day,

51
00:02:21,560 --> 00:02:25,080
organizations will need to update all applications that

52
00:02:25,080 --> 00:02:30,440
use the Azure AD Graph to use Microsoft Graph instead.

53
00:02:30,440 --> 00:02:34,520
Some of the new features that will be included with

54
00:02:34,520 --> 00:02:40,160
the Microsoft Graph are a single endpoint for APIs from

55
00:02:40,160 --> 00:02:43,920
Azure AD and other services such as Microsoft Teams,

56
00:02:43,920 --> 00:02:45,600
Exchange, and Intune.

57
00:02:45,600 --> 00:02:48,800
Built-in support for retry handling,

58
00:02:48,800 --> 00:02:51,800
secure redirect, transparent authentication,

59
00:02:51,800 --> 00:02:53,560
and payload compression.

60
00:02:53,560 --> 00:02:57,400
To help migrating applications,

61
00:02:57,400 --> 00:03:01,120
Microsoft has also provided a checklist which

62
00:03:01,120 --> 00:03:05,840
contains key differences between the APIs,

63
00:03:05,840 --> 00:03:10,080
ways to examine the APIs being used within

64
00:03:10,080 --> 00:03:13,400
your application and the permissions required.

65
00:03:13,400 --> 00:03:16,360
It also provides guidance for using

66
00:03:16,360 --> 00:03:19,320
the Graph Explorer to experiment,

67
00:03:19,320 --> 00:03:23,080
and guidance to deploy tests and extend your application.

68
00:03:23,080 --> 00:03:25,880
The next news that I wanted to share is that

69
00:03:25,880 --> 00:03:28,920
on August 31st, 2021,

70
00:03:28,920 --> 00:03:33,720
all 1.x versions of Azure Active Directory Connect will be

71
00:03:33,720 --> 00:03:40,120
retired because they include SQL Server 2012 components

72
00:03:40,120 --> 00:03:42,560
that will no longer be supported.

73
00:03:42,560 --> 00:03:47,280
It is recommended to upgrade to the most recent version of

74
00:03:47,280 --> 00:03:50,240
Azure AD Connect by that date.

75
00:03:50,240 --> 00:03:54,480
Within the information provided, Microsoft shares

76
00:03:54,480 --> 00:03:57,080
how to do in-place migration,

77
00:03:57,080 --> 00:04:01,840
swing migration which may be necessary if you need to

78
00:04:01,840 --> 00:04:03,840
upgrade the server OS.

79
00:04:03,840 --> 00:04:07,720
It provides guidance on how to move a custom configuration

80
00:04:07,720 --> 00:04:11,280
from the Active Server to a staging service

81
00:04:11,280 --> 00:04:13,160
and some other information.

82
00:04:13,160 --> 00:04:14,800
Last but not least,

83
00:04:14,800 --> 00:04:19,960
Windows 11 will become generally available on October 5th.

84
00:04:19,960 --> 00:04:25,000
Windows 11 is in public preview as part of Azure Virtual Desktop.

85
00:04:25,000 --> 00:04:28,760
Go and play with Windows 11 and validate

86
00:04:28,760 --> 00:04:32,160
your environment using Azure Virtual Desktop.

87
00:04:32,160 --> 00:04:36,400
From my side, the long-awaited videos

88
00:04:36,400 --> 00:04:39,840
covering the latest cybersecurity reference architecture,

89
00:04:39,840 --> 00:04:43,240
affectionately known as the MCRA for a number of folks,

90
00:04:43,240 --> 00:04:46,400
are released and so they're up there on YouTube and ready to be watched.

91
00:04:46,400 --> 00:04:49,160
Actually, there's about 1,200 last time I checked.

92
00:04:49,160 --> 00:04:51,760
People that have already watched it so far.

93
00:04:51,760 --> 00:04:57,480
There's also an accompanying set of videos that are focused a little bit more on

94
00:04:57,480 --> 00:05:00,320
security program rather than security architecture

95
00:05:00,320 --> 00:05:03,480
for the Cloud Adoption Framework Secure methodology.

96
00:05:03,480 --> 00:05:07,320
I did those with our executive security advisors here at Microsoft.

97
00:05:07,320 --> 00:05:09,280
Really enjoyed the conversations.

98
00:05:09,280 --> 00:05:12,720
They're anywhere from 10 to 20 minutes typically.

99
00:05:12,720 --> 00:05:15,320
Most of them are around 15 to 20 minutes,

100
00:05:15,320 --> 00:05:18,200
but really got deep into these topics and

101
00:05:18,200 --> 00:05:20,880
just walk through each of the architectures and

102
00:05:20,880 --> 00:05:22,600
the elements, what they mean, etc.

103
00:05:22,600 --> 00:05:24,600
So definitely check them out, share and

104
00:05:24,600 --> 00:05:27,480
enjoy, and links are in the show notes.

105
00:05:27,480 --> 00:05:30,360
So hi everybody. It's good to be back.

106
00:05:30,360 --> 00:05:33,120
Apologies I've been away for a couple of weeks just because of

107
00:05:33,120 --> 00:05:38,160
some tricky time zone scheduling stuff that we couldn't resolve, unfortunately.

108
00:05:38,160 --> 00:05:39,960
So for my news this week,

109
00:05:39,960 --> 00:05:42,920
first of all, it's now generally available that you can run

110
00:05:42,920 --> 00:05:46,760
cross-service queries between Azure Monitor and Azure Data Explorer.

111
00:05:46,760 --> 00:05:48,920
Now, this is something very cool.

112
00:05:48,920 --> 00:05:51,680
What it means is if you're using Azure Monitor Services,

113
00:05:51,680 --> 00:05:56,480
which includes log analytics and then by proxy Azure Sentinel.

114
00:05:56,480 --> 00:06:00,560
If you're using application insights and other Azure Monitor services,

115
00:06:00,560 --> 00:06:04,760
you can now also cross-query over to Azure Data Explorer.

116
00:06:04,760 --> 00:06:08,280
So if you've got things that you need to correlate between those two services,

117
00:06:08,280 --> 00:06:10,840
you can actually do a cross-service query.

118
00:06:10,840 --> 00:06:14,480
You can also query from ADX back to Azure Monitor.

119
00:06:14,480 --> 00:06:16,360
In the log analytics side of things,

120
00:06:16,360 --> 00:06:18,880
you do this with a KQL operator,

121
00:06:18,880 --> 00:06:20,000
but it's not just queries,

122
00:06:20,000 --> 00:06:22,520
you can also use things like workbooks,

123
00:06:22,520 --> 00:06:25,040
PowerShell and REST APIs.

124
00:06:25,040 --> 00:06:28,800
So very cool. That's as close to Sentinel as I get this week,

125
00:06:28,800 --> 00:06:31,520
so which is surprising for me, I know.

126
00:06:31,520 --> 00:06:34,000
So yeah, go and check it out.

127
00:06:34,000 --> 00:06:38,080
Next up is a load of Azure Security Center things and Azure Defender.

128
00:06:38,080 --> 00:06:40,600
So couple of things going into public preview.

129
00:06:40,600 --> 00:06:44,920
Defender for Endpoint for Linux is now supported by Azure Defender for servers.

130
00:06:44,920 --> 00:06:49,280
We've got some new recommendations around managing endpoint protection solutions,

131
00:06:49,280 --> 00:06:52,320
and Security Center is now able to auto provision

132
00:06:52,320 --> 00:06:55,200
the Azure Policy Guest Configuration extension.

133
00:06:55,200 --> 00:06:58,480
So that's just really good for being efficient and being

134
00:06:58,480 --> 00:07:01,360
consistent and reducing some manual work.

135
00:07:01,360 --> 00:07:04,360
In terms of GA things for Azure Security Center,

136
00:07:04,360 --> 00:07:08,440
we've now got more built-in troubleshooting and guidance for solving common issues

137
00:07:08,440 --> 00:07:10,040
that ASC highlights.

138
00:07:10,040 --> 00:07:14,800
We also have the regulatory compliance dashboard's Azure Audit Reports,

139
00:07:14,800 --> 00:07:16,120
they're now GA.

140
00:07:16,120 --> 00:07:19,000
We've also got rid of the deprecated recommendation,

141
00:07:19,000 --> 00:07:22,960
"Log Analytics agent health issues should be resolved on your machines."

142
00:07:22,960 --> 00:07:25,320
I've seen that many times before myself.

143
00:07:25,320 --> 00:07:29,320
It is a bit of a pain because sometimes it's not obvious why it's there.

144
00:07:29,320 --> 00:07:33,720
And for that reason, it's actually been deprecated because it was,

145
00:07:33,720 --> 00:07:37,000
for at least some people, a little bit difficult to troubleshoot.

146
00:07:37,000 --> 00:07:39,960
Recommendations in Azure Defender,

147
00:07:39,960 --> 00:07:41,880
you can now enforce.

148
00:07:41,880 --> 00:07:47,680
So if there's a recommendation and you choose as an organization to enforce that,

149
00:07:47,680 --> 00:07:52,960
Azure Defender can help enforce that rather than just alert you that something's happening.

150
00:07:52,960 --> 00:07:54,360
There's a couple of other things.

151
00:07:54,360 --> 00:07:57,320
We'll put the links in the show notes, but I could be here a while.

152
00:07:57,320 --> 00:07:58,920
So I'll move on to my next one,

153
00:07:58,920 --> 00:08:03,600
which is there's general availability for the update and policy compliance

154
00:08:03,600 --> 00:08:07,440
for AKS or the Azure Kubernetes Service policies.

155
00:08:07,440 --> 00:08:13,440
So if you've got policies, if you've got policy assignments that actually have conflicts,

156
00:08:13,440 --> 00:08:19,520
you will now get a notification and you will have to resolve that before the policies become active.

157
00:08:19,520 --> 00:08:22,720
If you manage to have a conflict with any of your prior policies,

158
00:08:22,720 --> 00:08:27,040
then unfortunately they will still work, but you'll have a notification.

159
00:08:27,040 --> 00:08:29,760
But it is quite easy to have these conflicts.

160
00:08:29,760 --> 00:08:36,640
So hopefully this is going to help people resolve those a lot and keep their AKS clusters nice and slick.

161
00:08:36,640 --> 00:08:43,120
And then last but not least for me, it's Windows Server IoT 2022 is now generally available.

162
00:08:43,120 --> 00:08:48,720
So if you are using one of the earlier versions, it's definitely time to maybe start checking it out.

163
00:08:48,720 --> 00:08:52,080
As you know, we do give customers a lot of time,

164
00:08:52,080 --> 00:08:57,360
but of course when we bring out new versions, we're generally deprecating something else as well.

165
00:08:57,360 --> 00:09:03,360
And it's always good to be on the most recent OS that you possibly can be

166
00:09:03,360 --> 00:09:08,400
because of course that's how we keep things in support and patched and up to date.

167
00:09:09,120 --> 00:09:11,520
And that's the news for me.

168
00:09:11,520 --> 00:09:13,440
Well, thanks for getting the news out the way.

169
00:09:13,440 --> 00:09:19,280
Now let's turn our attention to our guest, Roberto Rodriguez, who's here to talk to us about Simuland.

170
00:09:19,280 --> 00:09:20,960
Roberto, welcome to the podcast.

171
00:09:20,960 --> 00:09:24,080
Would you like to spend a moment just to explain what you do at Microsoft?

172
00:09:24,800 --> 00:09:27,200
Yeah, thank you very much for the opportunity guys.

173
00:09:27,200 --> 00:09:29,040
So yeah, once again, my name is Roberto.

174
00:09:29,040 --> 00:09:36,400
I'm part of the Microsoft Threat Intelligence Center, known as MSTIC, specifically in the R&D division.

175
00:09:36,400 --> 00:09:41,840
So my role, I guess, is, well, there's a lot of things that I do, but in general, I would say

176
00:09:41,840 --> 00:09:47,840
is to empower other security researchers, either if it's in my own team or other teams at MSTIC

177
00:09:47,840 --> 00:09:51,200
or any other team outside of MSTIC, and then just collaborate.

178
00:09:51,200 --> 00:09:56,400
And then I start building open source tools and start sharing all that knowledge with the community.

179
00:09:56,400 --> 00:09:59,520
So that summarizes what I do at Microsoft.

180
00:09:59,520 --> 00:10:04,960
And because of that, there is a lot of projects that I work on and a lot of collaboration efforts

181
00:10:04,960 --> 00:10:07,680
also across different teams on Microsoft as well.

182
00:10:07,680 --> 00:10:11,520
So one of the tools that you work on is this tool called Simuland.

183
00:10:11,520 --> 00:10:17,120
Give us an explanation of what that is, why it was invented, what does it do,

184
00:10:17,120 --> 00:10:21,600
and then let's sort of drill down into some of the nuances about the product.

185
00:10:21,600 --> 00:10:23,040
Yeah, yeah, definitely.

186
00:10:23,040 --> 00:10:27,280
So Simuland is an open source initiative by Microsoft.

187
00:10:27,280 --> 00:10:33,200
It's to help security researchers around the world to deploy, let's say, lab environments

188
00:10:33,200 --> 00:10:39,120
or research environments where they can start testing, for example, different techniques

189
00:10:39,120 --> 00:10:42,480
performed by threat actors out there, like known threat actors, for example,

190
00:10:42,480 --> 00:10:47,280
because we share some of those steps as well into how to go through a simulation plan.

191
00:10:47,280 --> 00:10:51,440
And then also to validate detections, to trigger a few alerts,

192
00:10:51,440 --> 00:10:54,880
just make sure that what we are providing also through our products

193
00:10:54,880 --> 00:10:59,680
and what people are building and sharing in the community, it's being validated, right?

194
00:10:59,680 --> 00:11:04,000
Because you want to know if something happens in your environment, make sure that you're covered.

195
00:11:04,000 --> 00:11:08,240
And maybe that also could help you to start creating your own rules, for example,

196
00:11:08,240 --> 00:11:14,080
start kind of sharing, for example, what telemetry can be enabled.

197
00:11:14,080 --> 00:11:21,360
We try to also pack all these simulation labs with, for example, security controls for example,

198
00:11:21,360 --> 00:11:27,680
Microsoft 365 Defender. We also deploy an Azure Sentinel, make sure that we send all the alerts

199
00:11:27,680 --> 00:11:34,240
from M365 to Azure Sentinel. And then we also try to, for example, enable other data sources

200
00:11:34,240 --> 00:11:39,600
that, for example, such as, you know, system for Windows, for example, I'm thinking about

201
00:11:39,600 --> 00:11:45,440
system for Linux already, but that's coming next. But all these telemetry that we can collect

202
00:11:45,440 --> 00:11:50,720
from a computer can go through Sentinel and then anything that we get from M365 Defender,

203
00:11:50,720 --> 00:11:55,840
also, you know, can be flown through, you know, through Azure Sentinel. So we try to just provide

204
00:11:55,840 --> 00:12:01,920
all these different technologies into one place and then allow customers or anyone in the community

205
00:12:01,920 --> 00:12:07,440
just to experience that in their own environments. That's kind of like the main idea. And of course,

206
00:12:07,440 --> 00:12:12,160
we want to make sure that all this is open source so that people can, you know, replicate the whole

207
00:12:12,160 --> 00:12:18,720
thing. And also, we try to make sure that anything that we share is well documented. At the same time,

208
00:12:18,720 --> 00:12:23,120
we want to expedite a lot of this process. So we share a lot of, for example, Azure

209
00:12:23,120 --> 00:12:28,160
Resource Manager templates so that we can deploy everything like in a few minutes. So we try to

210
00:12:28,160 --> 00:12:33,440
make it easy for someone to go through the whole, you know, project. I'm going to be honest. I mean,

211
00:12:33,440 --> 00:12:38,880
I kind of know of Simuland. I'm not going to pretend to be an expert by any stretch. So what's

212
00:12:38,880 --> 00:12:44,080
kind of the elevator pitch here? Like, why would anybody even be remotely interested in this tool?

213
00:12:44,080 --> 00:12:49,840
I mean, what's its job at the end of the day? Yeah, yeah, yeah, definitely. So for example,

214
00:12:49,840 --> 00:12:56,720
there is a lot of lab, well, first, there is a lot of lab environments that get shared in the

215
00:12:56,720 --> 00:13:01,520
community, right? So there's a lot of different templates that people share to build something.

216
00:13:02,080 --> 00:13:08,480
But the first thing that I would say with Simuland is that a lot of the environments that I've seen

217
00:13:08,480 --> 00:13:14,960
do not cover much of the, for example, hybrid approach that a lot of customers and a lot of

218
00:13:14,960 --> 00:13:20,880
people in the community also are moving towards. So, you know, having their on-prem Active Directory

219
00:13:20,880 --> 00:13:27,760
and then syncing, for example, accounts to Azure AD or having that federated access, for example,

220
00:13:27,760 --> 00:13:34,400
and try to simulate some of the stuff that we see also like in real life, right? So that's the first

221
00:13:34,400 --> 00:13:41,600
thing that I would say that Simuland provides a way to simulate some of that, a federated environment

222
00:13:41,600 --> 00:13:47,120
first. And that's something that I haven't seen out there yet. So I think that people that want to

223
00:13:47,120 --> 00:13:54,080
experience that, this is the first, I would say, project open source that has that type of environment.

224
00:13:54,080 --> 00:13:59,360
Number two, I would say that there is a lot of security controls that, of course, all these

225
00:13:59,360 --> 00:14:05,120
research environments are missing. So in my opinion, when we start also sharing how to deploy,

226
00:14:05,120 --> 00:14:11,040
for example, once again, Microsoft 365 security controls such as Microsoft Defender for Endpoint,

227
00:14:11,040 --> 00:14:17,680
Identity, you know, Cloud Application Security, you know, etc. Right? There is a lot of stuff

228
00:14:17,680 --> 00:14:25,360
that we can test. So a lot of the even instructions of Simuland allows you to, for example, like,

229
00:14:25,360 --> 00:14:30,560
you know, get a trial license for, you know, 30 days, and then you can extend it for maybe 60 days,

230
00:14:30,560 --> 00:14:34,640
and then you can go through that whole experience so that you can also get an idea

231
00:14:34,640 --> 00:14:39,200
into what it is that you might be missing, what it is that you might probably complement with what

232
00:14:39,200 --> 00:14:43,840
you have right now. And at the same time, having something like Azure Sentinel in the middle,

233
00:14:43,840 --> 00:14:48,560
then allows you to see how you can just start connecting a lot of the things that you might get

234
00:14:48,560 --> 00:14:52,560
with, you know, from these products, but at the same time, how can you connect what you currently

235
00:14:52,560 --> 00:14:57,680
have? Right? So let's say you are a company or someone in the community doing research

236
00:14:57,680 --> 00:15:03,040
that is very comfortable with, let's say, once again, Sysmon for Windows, right? And then you

237
00:15:03,040 --> 00:15:09,440
can start seeing that telemetry being correlated with additional telemetry from other controls.

238
00:15:09,440 --> 00:15:15,040
So you can see the value and you can start identifying maybe what it is that you might need

239
00:15:15,040 --> 00:15:20,480
right now in your environment. Or if you want to do research and identify additional telemetry

240
00:15:20,480 --> 00:15:25,360
that could tell you more about the adversary tradecraft, then this is a place where you can

241
00:15:25,360 --> 00:15:31,280
start doing those type of experiments. So if you want to learn about adversary tradecraft,

242
00:15:31,280 --> 00:15:37,680
identify some new telemetry, or complement what you have, and experience a hybrid environment,

243
00:15:38,240 --> 00:15:43,840
I think that Simuland is definitely the place to actually start working with and go with.

244
00:15:43,840 --> 00:15:49,920
So I want to make sure I understand this. So if I were an organization, let's say I'm a healthcare

245
00:15:49,920 --> 00:15:56,400
organization, and I want to make sure that I understand the craft of being an attacker,

246
00:15:56,400 --> 00:16:02,480
as it were, tradecraft of being an attacker, am I also going to get data out of that that's going

247
00:16:02,480 --> 00:16:09,440
to show me what common kinds of attacks look like to make sure that my systems are going to respond?

248
00:16:09,440 --> 00:16:12,880
Is that a fair way of looking at like, it's all very well saying, hey, you know, we bought all

249
00:16:12,880 --> 00:16:16,800
this stuff, we have Sentinel, and we have Defender for this and Defender for that and whatever,

250
00:16:16,800 --> 00:16:21,920
you know, anti-malware, and we have intrusion detection, we have intrusion protection.

251
00:16:22,800 --> 00:16:25,760
At some point you've got to exercise it, right? You got to make sure that this stuff actually

252
00:16:25,760 --> 00:16:35,040
works. Can I use this tool for that? Yes, yes, yes. So Simuland is, I would say, a whole framework.

253
00:16:35,040 --> 00:16:42,480
So it's definitely modular enough for someone to pick what it is that you want to do with it.

254
00:16:42,480 --> 00:16:49,360
For example, Simuland is broken down into a few parts. So the first one is the preparation part.

255
00:16:49,360 --> 00:16:54,720
Second one is deployment. So preparation and deployment technically is to help you to have

256
00:16:54,720 --> 00:16:59,600
the whole environment set up so you can do testing, etc. But then the other part is the

257
00:16:59,600 --> 00:17:04,960
simulation detection. And also we have like a few recommendations like mitigations for a few things.

258
00:17:04,960 --> 00:17:11,680
So technically, if you already have your environment where you have, for example, a similar setup,

259
00:17:11,680 --> 00:17:16,960
let's say a lot of people would have a hybrid environment already. And of course, if you're

260
00:17:16,960 --> 00:17:22,320
working with Azure, then you're going to start testing anything that we share through the simulation

261
00:17:22,320 --> 00:17:28,080
and detection section of the project. So you can take everything that you did in your lab

262
00:17:28,080 --> 00:17:32,160
environment, you're going to start taking it all the way to your production environment. Of course,

263
00:17:32,160 --> 00:17:37,360
by having the right processes to do some simulations in your environment. And then with

264
00:17:37,360 --> 00:17:42,560
all the detections and maybe alerts that we map every single simulation to, then you're going to

265
00:17:42,560 --> 00:17:48,000
start validating that also in your environment. Now to your question also into, how can we take

266
00:17:48,000 --> 00:17:54,160
this into practice as well? That's also one of the goals of Simuland, that every time, for example,

267
00:17:54,160 --> 00:18:01,680
we talk about a new threat actor or a new technique that came out. We share detections,

268
00:18:01,680 --> 00:18:06,960
we as Microsoft, we share detections, we start maybe building a few alerts on the

269
00:18:06,960 --> 00:18:12,880
top of some of the security products that we have. But you as a security analyst or as a threat

270
00:18:12,880 --> 00:18:21,040
researcher, you might not understand the whole context around that detection or alert. And a

271
00:18:21,040 --> 00:18:25,280
lot of the research actually comes from that, where you say, okay, someone, for example,

272
00:18:25,280 --> 00:18:33,280
attacks my Active Directory Federation Server. And there are four detections through Azure Sentinel

273
00:18:33,280 --> 00:18:38,480
that I can take a look at. Great. But is there anything else that I can do with it? Is there

274
00:18:38,480 --> 00:18:44,160
any maybe additional telemetry that I can complement that with and maybe create a new detection or

275
00:18:44,160 --> 00:18:52,000
maybe try to enhance the built-in detections? So Simuland allows you to then create that

276
00:18:52,000 --> 00:18:57,120
additional context if, of course, it exists in your environment. Because you might once again be

277
00:18:57,120 --> 00:19:04,320
collecting more telemetry, maybe that behavior in your environment needs some tweaking. So that

278
00:19:04,320 --> 00:19:10,160
additional experience is definitely what Simuland is built for. So you can get that additional

279
00:19:11,120 --> 00:19:17,040
exercise that your security analysts, incident responders, threat hunters, definitely need.

280
00:19:17,040 --> 00:19:22,000
From a forensic perspective, for example, there's a lot of forensic artifacts that are going to be

281
00:19:22,000 --> 00:19:28,800
generated. But if I just share a detection query or just an alert with you, you will not be able

282
00:19:28,800 --> 00:19:36,080
to experience the forensic side of things. So that's also one of the ideas of why it's good to

283
00:19:36,080 --> 00:19:40,400
have something like Simuland walk you through a whole end-to-end scenario.

284
00:19:41,040 --> 00:19:45,840
So what kind of services are being used in this lab environment?

285
00:19:45,840 --> 00:19:54,640
Yeah, good question. So we have first, I would say, every single Microsoft 365 Defender product,

286
00:19:54,640 --> 00:19:59,920
I would say. So we're talking about endpoint, talking about cloud app security. So we have

287
00:19:59,920 --> 00:20:08,400
MCAS, MDE, MDI. And then we have also the Azure Sentinel solution as well. That will, I would say,

288
00:20:08,400 --> 00:20:13,280
open the doors to other services where we can collect data from. So we have, for example,

289
00:20:13,280 --> 00:20:20,320
data from Azure AD, like audit logs, the new sign-in logs also from ADFS. So you have all these

290
00:20:20,320 --> 00:20:25,600
things going through Azure Sentinel. Other stuff that we deploy and configure would be related

291
00:20:25,600 --> 00:20:32,080
more towards, for example, Azure AD Connect. So trying to have those hybrid AD services,

292
00:20:32,080 --> 00:20:39,760
so communications between the on-prem domain controllers with Azure AD. Other than that,

293
00:20:39,760 --> 00:20:45,520
I would say that we also have, what else do we have in there? The Azure Monitor agents, for example,

294
00:20:46,480 --> 00:20:53,360
getting data from our Windows endpoints. And I would say that that's pretty much it from when

295
00:20:53,360 --> 00:20:59,760
it comes down to Azure services. So every security product that it's out there that we share, when

296
00:20:59,760 --> 00:21:05,440
there is a detection to share, it's there installed. So all of that, I think that that would be pretty

297
00:21:05,440 --> 00:21:11,040
much it. Yeah. So how is this deployed? Is the tenant provided, the licenses provided? Yeah,

298
00:21:11,040 --> 00:21:17,760
good question. So we do not provide the tenant or the licenses. So what we provide is an automatic

299
00:21:17,760 --> 00:21:23,920
way to deploy it, you know, whatever you want to. So it could be in your own right tenants,

300
00:21:23,920 --> 00:21:30,960
like, for example, free subscription where you can acquire a free license as well or not free,

301
00:21:30,960 --> 00:21:36,560
but a trial license for some of the products. So for example, the project is modular enough

302
00:21:37,280 --> 00:21:43,920
so that you could say, I want to deploy only the environment without any other security products.

303
00:21:43,920 --> 00:21:49,120
The Azure Resource Manager templates that we share allow you to do that. You can actually modify it

304
00:21:49,120 --> 00:21:55,120
so that you do not deploy any other security controls. And that's up to you, right? It's open

305
00:21:55,120 --> 00:22:00,560
source where you can do anything you want with it. And in that case, you can have it in a,

306
00:22:00,560 --> 00:22:05,120
you know, free tenant. You know, Azure Sentinel also has a free tier so you can collect some data

307
00:22:05,120 --> 00:22:10,640
from a lab environment and play with that. But then if you want to, of course, use, for example,

308
00:22:10,640 --> 00:22:17,040
things such as Microsoft 365 Defender products, then you need to have a license. So

309
00:22:17,040 --> 00:22:23,680
once again, this could be a trial E5 license. And the reason why we need the E5 is to enable

310
00:22:23,680 --> 00:22:29,200
every single capability from a security perspective. And then, and then from there, I guess that

311
00:22:29,200 --> 00:22:34,640
that will be the only license that someone would need to buy if you want to continue, right,

312
00:22:34,640 --> 00:22:41,040
doing this whole testing. A lot of the people that we have talked to already have their environments,

313
00:22:41,040 --> 00:22:45,440
you know, they already have their licenses so they can just deploy it in their own tenants.

314
00:22:45,440 --> 00:22:50,080
And of course, people in the community that we have talked to, a lot of them like the trial

315
00:22:50,080 --> 00:22:56,240
licenses, right, like 60 days, you can extend it and then you can test it out. And then from there,

316
00:22:56,240 --> 00:23:01,040
so I guess that it's up to you what you do next, right? But it's like the whole experience to go

317
00:23:01,040 --> 00:23:07,040
through the process, I think it's very valuable. So you're saying that in order to get,

318
00:23:07,040 --> 00:23:11,840
let's say that the customer wants to try out licenses. Do you have a link or

319
00:23:13,040 --> 00:23:16,880
somewhere where they can go through the process of requesting those licenses?

320
00:23:17,920 --> 00:23:22,400
Yes, yes, great question. So part of the preparation section of Simuland goes through

321
00:23:22,400 --> 00:23:28,880
that process and shows you how to actually request a trial license. And it goes through every single

322
00:23:28,880 --> 00:23:35,920
step. So that was also one of the goals with the whole documentation in there was to make sure that

323
00:23:36,560 --> 00:23:41,840
I also go through the process as if I didn't work from Microsoft and then share every single step

324
00:23:41,840 --> 00:23:49,360
that I did, you know, to get to the scenario. So yes, everything is in the preparation part

325
00:23:49,360 --> 00:23:56,880
of the project, which is a folder in the GitHub repo. So Roberto, I love Sentinel, it's my baby.

326
00:23:56,880 --> 00:24:04,080
And so I've got to ask a question in relation to it. Obviously, Simuland is about simulating attacks,

327
00:24:04,080 --> 00:24:09,360
Azure Sentinel monitors for attacks. So I know I've definitely had customers ask me,

328
00:24:09,360 --> 00:24:15,440
what can I do with Simuland? How can I use this? Is it something I can do to test my Sentinel

329
00:24:15,440 --> 00:24:20,160
deployment? And I was just wondering if you could tell us a bit more about your thoughts on what we

330
00:24:20,160 --> 00:24:25,680
could do there. Yeah, yeah. So I would say that so there's a couple of things that we can do with

331
00:24:25,680 --> 00:24:32,560
Simuland and Sentinel, right? So the first one to me would be that the correlation with, for example,

332
00:24:32,560 --> 00:24:38,320
like if you only have Sentinel right now, and you want to see how you can start correlating even

333
00:24:38,320 --> 00:24:43,120
alerts with things that come from Microsoft Defender for Endpoint, for example, right, MDE.

334
00:24:43,120 --> 00:24:49,360
And you can understand what type of context you get out of that correlation. That would be one

335
00:24:49,360 --> 00:24:54,960
use case, right, trying to understand how what you currently have can complement with other security

336
00:24:54,960 --> 00:25:00,880
controls. Like, that's just like the first one. That of course takes you to, for example, there is

337
00:25:00,880 --> 00:25:06,240
a couple of visualizations to understand a whole chain of events into what it would look like,

338
00:25:06,240 --> 00:25:12,320
how it maps to incidents. You can create even like your own incident teams channel as well. So

339
00:25:12,320 --> 00:25:18,880
you can pretty much go through a whole kind of like incident response process if you want to.

340
00:25:18,880 --> 00:25:24,560
And so that would first be good for training, understanding that you have the right, you know,

341
00:25:24,560 --> 00:25:31,040
processes to go through that exercise. I think that that's huge because a lot of people once again,

342
00:25:31,040 --> 00:25:36,640
just receive the detections, receive the alerts, built-in detections get shared across all

343
00:25:36,640 --> 00:25:42,480
the customers, but they do not experience what will happen if something like

344
00:25:42,480 --> 00:25:49,600
that would trigger, right? So that's kind of like the, in my opinion, the idea of that. Now,

345
00:25:49,600 --> 00:25:57,680
for example, companies can, yes, use, for example, other frameworks such as, for example, like Metasploit

346
00:25:57,680 --> 00:26:05,680
or like PowerShell Empire or any other open source, maybe framework, right? But in Simuland,

347
00:26:05,680 --> 00:26:10,640
that will be only, for example, so when we talk about Simuland once again, it's a framework,

348
00:26:10,640 --> 00:26:18,240
right? So we have the environment all the way to a simulation lab. So a lot of stuff that we want

349
00:26:18,240 --> 00:26:26,640
to do also is to focus on the adversary tradecraft. So either if you want to, for example, execute

350
00:26:26,640 --> 00:26:32,560
the scripts that we provide with Simuland, we try to get all the way to the specifics into

351
00:26:32,560 --> 00:26:40,160
what actually each action is going to be. So for example, if I have something from PowerShell

352
00:26:40,160 --> 00:26:46,160
Empire or Metasploit that says this module is going to export the ADFS configuration, right?

353
00:26:46,160 --> 00:26:51,840
The Active Directory Federation Services server, they will just give you the module, you click on it,

354
00:26:51,840 --> 00:26:57,760
and then by magic, you get the configuration back, right? So that's how it would work if you use some

355
00:26:57,760 --> 00:27:05,440
of those open source projects that automate some of these simulations. With Simuland, we want to be

356
00:27:05,440 --> 00:27:12,560
very specific. Like we want to make sure that you understand what each step is doing. So if we say

357
00:27:13,200 --> 00:27:20,000
export the ADFS configuration of a server, that takes a lot of steps. We're talking about

358
00:27:20,640 --> 00:27:26,880
connecting to the ADFS server, exporting the ADFS settings, getting the settings of the

359
00:27:26,880 --> 00:27:34,400
server, exporting the certificate in the encrypted format, try to get the key from the Active Directory,

360
00:27:34,400 --> 00:27:40,320
which is going to then allow you to derive another key and then to encrypt the certificate that was

361
00:27:40,320 --> 00:27:46,720
encrypted in the first place, and then be able to do something with that. Like for example, in this case,

362
00:27:47,840 --> 00:27:54,000
try to use a certificate to start signing tokens, right? And what I meant with exporting

363
00:27:54,000 --> 00:28:00,400
the ADFS configuration actually meant exporting the key to sign tokens. So still if you do it with

364
00:28:00,400 --> 00:28:05,120
an open source project, you're going to get to that goal, and it might take only a few seconds.

365
00:28:05,680 --> 00:28:11,520
We want to show you exactly what each step would do. And then as we explain each step,

366
00:28:12,080 --> 00:28:19,600
we start mapping detections, alerts, et cetera. So it's kind of like walking a researcher

367
00:28:19,600 --> 00:28:25,200
through the process by each step and not just try to automate everything and tell you, hey,

368
00:28:25,920 --> 00:28:30,320
click this button, run this module, and then move to the next topic. No, no, no, we want to know

369
00:28:30,320 --> 00:28:36,160
exactly what would happen. So in Simuland, for example, if you go to one of the first steps

370
00:28:36,160 --> 00:28:41,200
of the simulation plan, you can see that if you click on the first one, it's going to start opening

371
00:28:41,200 --> 00:28:47,840
up to, oh, we have five steps. The next step or sub step is going to have two or three variations.

372
00:28:47,840 --> 00:28:54,240
So we try to also share those variations with the community so they understand also why certain

373
00:28:54,240 --> 00:29:00,160
detections might work in certain cases, why some alerts will trigger in one way or the other.

374
00:29:00,160 --> 00:29:06,080
So I believe that that definitely is valuable if you're working with something like Azure Sentinel,

375
00:29:06,080 --> 00:29:10,800
because you might end up also, for example, identifying once again that there is some

376
00:29:10,800 --> 00:29:17,600
additional telemetry that you might be collecting that might also shine some light in a specific

377
00:29:17,600 --> 00:29:22,560
technique. So I think that that's also one of the values of why you want to run through this

378
00:29:22,560 --> 00:29:28,000
and then have Azure Sentinel where you can collect more telemetry than if you're only using,

379
00:29:28,000 --> 00:29:34,320
for example, let's say, M365 Advanced Hunting Queries, which gives you a lot of stuff. But of

380
00:29:34,320 --> 00:29:39,200
course, we know the Azure Sentinel was built to collect additional telemetry that clients might

381
00:29:39,200 --> 00:29:47,200
be collecting already. So let me see if I understand this correctly. We have scripts to deploy the

382
00:29:47,200 --> 00:29:56,400
lab kind of like infrastructure as a code. And then we have scripts that are in phases to basically

383
00:29:57,440 --> 00:30:04,480
do certain tasks that normally attackers would do, right? And help the customer or the user

384
00:30:04,480 --> 00:30:10,640
to learn how the attacker does these things and how the tool behaves. Is that correct?

385
00:30:10,640 --> 00:30:17,920
That's correct. Yes, we want to get to the behavior, like the adversary tradecraft. And so in order

386
00:30:17,920 --> 00:30:23,120
to do that, we want to, you know, break it down into different sections, and we can start

387
00:30:23,760 --> 00:30:29,200
addressing each section with some code. At the end of the day, once again, other solutions would

388
00:30:29,200 --> 00:30:34,960
pack all this in a module and just tell you, run it. Now granted, there will be some cases where

389
00:30:34,960 --> 00:30:40,960
maybe a module will make sense, but we're trying to be very specific so that people understand exactly

390
00:30:40,960 --> 00:30:48,640
what's going on in each step of the simulation plan. So can I create my own custom environment,

391
00:30:48,640 --> 00:30:54,240
or does it come sort of, air quotes, shrink-wrapped? I would say that you can create your own labs as

392
00:30:54,240 --> 00:31:01,440
long as you understand, for example, the Azure Resource Manager templates that come with the

393
00:31:01,440 --> 00:31:07,360
products. So for example, one thing that I didn't mention is that Simuland is built on the top of

394
00:31:07,360 --> 00:31:14,880
two open source projects that are also managed by me in the community. So I also run the Open

395
00:31:14,880 --> 00:31:21,840
Threat Research community in the infosec community. And so one of the projects is called Blacksmith,

396
00:31:21,840 --> 00:31:27,360
and the other one is called Azure Sentinel to Go. So Blacksmith is a project where I decided to

397
00:31:27,360 --> 00:31:33,120
start sharing all the templates that I use to deploy a Windows box, to deploy a Linux box,

398
00:31:34,000 --> 00:31:38,320
you know, deploy a lot of different resources that I use for research. And then the other one,

399
00:31:38,320 --> 00:31:45,520
Azure Sentinel to Go is to grab those templates from Blacksmith and then deploy an Azure Sentinel

400
00:31:45,520 --> 00:31:51,280
solution on the top. So the reason why I mentioned this is because if you go to Simuland, what you

401
00:31:51,280 --> 00:31:57,600
get is a template that is going to leverage all the research that has been already shared with a

402
00:31:57,600 --> 00:32:04,560
community that has all the different building blocks into, for example, this environment requires

403
00:32:04,560 --> 00:32:10,320
two computers with a domain controller and an ADFS server. All right, let's go to Blacksmith and

404
00:32:10,320 --> 00:32:16,080
let's take a look at what it is that we can use and we can just point to that instead of rewriting

405
00:32:16,080 --> 00:32:20,960
the whole code, we just point to those resources and then we deploy it. And then we go to Azure

406
00:32:20,960 --> 00:32:25,120
Sentinel and say, hey, this actually works well with these resources. Let's just point to those

407
00:32:25,120 --> 00:32:31,120
templates as well. So if you go to Simuland, you're going to get to those resources. So,

408
00:32:31,120 --> 00:32:37,440
which means that you could say, you know what, I'm going to maybe deploy also an Exchange server

409
00:32:37,440 --> 00:32:42,080
in this template. So all you have to do is point to the Exchange server in Blacksmith,

410
00:32:42,080 --> 00:32:47,360
and then that would allow you to also deploy it through Simuland. So it's very modular and that's

411
00:32:47,360 --> 00:32:52,240
what we wanted to make it open source. So people can just go and say, I understand how to build

412
00:32:52,240 --> 00:32:59,680
this myself. So let me reuse some of this code in here and then use it. So it's very flexible if

413
00:32:59,680 --> 00:33:05,520
you really understand like how the ARM templates work and all this stuff, which is pretty straightforward.

414
00:33:05,520 --> 00:33:13,520
Yeah. So these scripts basically integrate all the tools together, right? That's correct.

415
00:33:13,520 --> 00:33:20,400
That's correct. We have a script for the tools, the security controls from M365 and also from

416
00:33:20,400 --> 00:33:26,960
Azure Sentinel. For example, something that we do also with Azure Sentinel is we enable a few

417
00:33:26,960 --> 00:33:32,080
detections. So we have the templates already, right? But we have to enable them. So instead of

418
00:33:32,080 --> 00:33:37,680
telling someone to go and click and enable some of the templates in Azure Sentinel, we just use

419
00:33:37,680 --> 00:33:44,720
the API and then we just enable the alerts for whoever is using Azure Sentinel. I'm glad about

420
00:33:44,720 --> 00:33:54,560
this because one of the value of our tools is that integration with other products, not just

421
00:33:54,560 --> 00:34:03,840
Microsoft but third party. So this is a great way that customers can see how all the information

422
00:34:03,840 --> 00:34:10,880
is correlated within one service and across. That experience of having everything together

423
00:34:10,880 --> 00:34:18,720
plus the potential forensic artifacts that will be generated and it's so valuable for a researcher

424
00:34:18,720 --> 00:34:22,640
in general, security analyst, threat hunter. At the end, we're all researchers, right? Because

425
00:34:22,640 --> 00:34:29,520
we're trying to learn a little bit about what the adversary is doing out there. So I believe that

426
00:34:29,520 --> 00:34:35,200
even if you don't want to deploy the whole thing and you want to test some of the steps of the

427
00:34:35,200 --> 00:34:42,720
simulation plans in your environment, I think that that itself is also eye-opening because

428
00:34:43,360 --> 00:34:50,160
the first scenario that we share is, for example, the Golden SAML techniques, right? So it kind of

429
00:34:51,280 --> 00:34:58,400
makes you wonder a little bit what it is that you also can do in your own organization to maybe

430
00:34:58,400 --> 00:35:03,840
start, for example, testing some of those mitigations. And that's also one of the big advantages of

431
00:35:03,840 --> 00:35:09,920
having something like Simuland because you can see each step. Yes, you experience a whole scenario.

432
00:35:09,920 --> 00:35:14,960
You maybe see some new telemetry that you did not even think of, something that you can complement

433
00:35:14,960 --> 00:35:19,520
with what you have already. But at the same time, you will say, wait a minute, that's something that

434
00:35:19,520 --> 00:35:25,360
we haven't even done yet in our environment. So our ADFS might be exposed already. We don't know.

435
00:35:25,360 --> 00:35:31,680
So you can start doing some of that testing first with the lab environment, but also you can

436
00:35:31,680 --> 00:35:36,320
directly just start testing it with your own environment. Of course, once again, following

437
00:35:36,320 --> 00:35:43,280
the right best practices to simulate something in your environment, right? Which changes across

438
00:35:43,280 --> 00:35:50,400
organizations. So, Roberto, could you tell us a little bit about what's coming up for Simuland

439
00:35:50,400 --> 00:35:57,680
and what you've released since its big release a little while back? I know also now Cloud Katana

440
00:35:57,680 --> 00:36:04,880
is a thing as well. Let's say Simuland was released in May. And since then, so we've been first trying

441
00:36:04,880 --> 00:36:10,000
to get a lot of feedback from customers, from people in the community. I have added a few

442
00:36:10,800 --> 00:36:15,440
variations to some of the simulations that I initially shared through the project.

443
00:36:15,440 --> 00:36:21,200
So one of the efforts that we also have going on in the community is a collaboration with some

444
00:36:21,200 --> 00:36:27,360
researchers that are very interested, for example, in identity management and Azure AD

445
00:36:27,360 --> 00:36:32,640
like in general. So we have been testing a few things, discovering some new ways that

446
00:36:32,640 --> 00:36:38,560
something could be done or executed in an environment. So we have added some of those.

447
00:36:38,560 --> 00:36:43,840
So we have created also new detections. I contributed a few already to the Azure Sentinel

448
00:36:43,840 --> 00:36:50,720
GitHub repository. So that's also one of the goals is that if you as either customer or in

449
00:36:50,720 --> 00:36:56,560
general community member try Simuland and you identify some new detections, that would be

450
00:36:56,560 --> 00:37:02,320
amazing to also get that contribution back to Azure Sentinel GitHub repository, right?

451
00:37:02,320 --> 00:37:08,080
So we've done that a lot for, so we're trying to maintain the current scenario, the golden

452
00:37:08,080 --> 00:37:13,920
SAML attack, try to add more variations and then contribute more detections. Now that's from a

453
00:37:14,480 --> 00:37:20,480
concept of Simuland as how it was built initially. The other thing that we have been working on is

454
00:37:20,480 --> 00:37:26,800
Cloud Katana. Cloud Katana is a cloud native serverless application that is built on the

455
00:37:26,800 --> 00:37:33,120
top of Azure Functions that allows the orchestration and execution of simulations. So this could be

456
00:37:33,120 --> 00:37:39,600
as a single action, right? You can request via a serverless API, you can request the action,

457
00:37:39,600 --> 00:37:44,160
and then the Azure Function application will execute the action in your environment.

458
00:37:44,160 --> 00:37:50,640
In this case, it will be in Simuland. So what we're trying to do is now take the basic concept of

459
00:37:50,640 --> 00:37:55,760
execution of an action to a sequence of actions, which we're calling workflows,

460
00:37:55,760 --> 00:38:01,520
and then taking those workflows and start translating what we show through Simuland,

461
00:38:01,520 --> 00:38:06,480
like every single step, but now do it in an automatic way. So using an Azure Function,

462
00:38:07,040 --> 00:38:14,400
send an API request, and then execute the whole scenario. So this is because we also got some

463
00:38:14,400 --> 00:38:20,240
feedback of companies that were very excited to go through the whole scenario, but then after that,

464
00:38:20,240 --> 00:38:24,960
they wanted to see how they could actually now, after understanding the tradecraft,

465
00:38:24,960 --> 00:38:30,720
all the detections, can we have this running on a regular basis? So I think that that's why,

466
00:38:30,720 --> 00:38:36,880
and I started thinking about it this year, and then Cloud Katana came out. So that's something

467
00:38:36,880 --> 00:38:42,720
that was released on August the 4th, and then I have updated already this past couple of weeks,

468
00:38:42,720 --> 00:38:49,520
so I'm currently working on that project. And so far, I think that it's almost there to simulate

469
00:38:49,520 --> 00:38:55,040
the whole thing. And one of the things also that is very interesting about Cloud Katana is that

470
00:38:55,040 --> 00:39:00,240
some of the scenarios that we're trying to build are going to be hybrid scenarios. So that's something

471
00:39:00,240 --> 00:39:05,440
that is coming for Simuland as well. So we want to keep building things on-prem and cloud, but at

472
00:39:05,440 --> 00:39:11,760
the same time, we're trying to do cross-cloud providers type of scenarios, so with other

473
00:39:11,760 --> 00:39:18,720
cloud providers. So maybe a company uses Azure and then uses also other cloud providers as well.

474
00:39:18,720 --> 00:39:25,520
So why not set up a scenario that would allow somebody to go through those steps that maybe

475
00:39:25,520 --> 00:39:30,800
a cloud provider gets compromised and how they move from there to Azure? Or who knows? Vice versa,

476
00:39:30,800 --> 00:39:35,440
right? Depends who is holding the identity provider. So I think that that's kind of like what we're

477
00:39:35,440 --> 00:39:41,040
trying to do as well is to expand those scenarios and not just try to share something also only

478
00:39:41,040 --> 00:39:47,280
Azure, but expand it. And the same thing applies to Cloud Katana. Cloud Katana is, in my opinion,

479
00:39:47,280 --> 00:39:54,160
the technology behind is flexible enough to be able to take care of those scenarios as well.

480
00:39:54,160 --> 00:39:58,160
That's like the whole idea in the roadmap for Simuland and Cloud Katana.

481
00:39:58,160 --> 00:40:03,600
So, Roberto, if you had one final thought you would like to leave our listeners, what would it be?

482
00:40:03,600 --> 00:40:10,960
I would say that in my opinion, it would be: be curious, stay curious with what you can do with

483
00:40:10,960 --> 00:40:16,240
your environment, because there is a lot of stuff that you will see in Simuland that it would make

484
00:40:16,240 --> 00:40:22,880
you think that the moment you execute one step, second step, and third step, there is a lot

485
00:40:22,880 --> 00:40:29,360
of context that you can build some new detections from. So keep that in mind. Once again, we don't

486
00:40:29,360 --> 00:40:37,520
just want to share detection, share an alert, and just feel like that's it. Your job is done.

487
00:40:38,080 --> 00:40:43,120
Depends on your environment, you can start helping your organization, but also helping us,

488
00:40:43,120 --> 00:40:48,320
if you would like to contribute, how you can also improve everything that we share. The feedback

489
00:40:48,320 --> 00:40:53,760
to all the detections that we share or the alerts that we create are definitely very valuable and

490
00:40:53,760 --> 00:41:00,080
can help you and also can help others in the community as well. So, stay curious and please

491
00:41:00,080 --> 00:41:05,920
give us some feedback if you have it and stay tuned. There is just a lot of stuff coming out and I hope

492
00:41:05,920 --> 00:41:11,440
that Simuland can help you also to focus a lot on adversary behavior, adversary tradecraft,

493
00:41:11,440 --> 00:41:14,640
and that's what it was built for. This is really cool. Thanks so much for turning up this week,

494
00:41:14,640 --> 00:41:18,960
Roberto. I really appreciate it. I know you're a busy guy and I appreciate you taking the time to

495
00:41:18,960 --> 00:41:23,120
come talk to us. Although I learned a lot about Simuland, I mean, my exposure to Simuland has been

496
00:41:23,120 --> 00:41:27,520
relatively remote, but I'm certainly going to start kicking the tires on it. I certainly know a

497
00:41:27,520 --> 00:41:32,000
couple of customers that come to mind, especially in healthcare, who would be really interested in

498
00:41:32,880 --> 00:41:38,240
understanding, mainly to make sure that their tools kind of work with these simulated attacks.

499
00:41:38,240 --> 00:41:43,120
I think that's very cool. So once again, thank you so much for turning up. Thank you to all of you

500
00:41:43,120 --> 00:41:47,520
out there for taking the time to listen to this podcast. We really appreciate it. Stay safe and

501
00:41:47,520 --> 00:41:53,120
we'll see you next time. Thanks for listening to the Azure Security Podcast. You can find show notes

502
00:41:53,120 --> 00:42:00,000
and other resources at our website azsecuritypodcast.net. If you have any questions,

503
00:42:00,000 --> 00:42:06,960
please find us on Twitter at azuresecpod. Background music is from ccmixter.com and licensed

504
00:42:06,960 --> 00:42:15,200
under the Creative Commons license.

