The Microsoft Threat Intelligence Podcast 4.24.24
Ep 17 | 4.24.24

Paul Melson talks ScumBots

Transcript

Sherrod DeGrippo: Welcome to The Microsoft Threat Intelligence Podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird. But don't worry. I'm your guide in the back alleys of the threat landscape. Welcome to The Microsoft Threat Intelligence podcast. I have a special, to me, guest today and that is former VP of cybersecurity solutions at Target. It's Paul Melson, you guys. Hi, Paul.

Paul Melson: Hi, Sherrod.

Sherrod DeGrippo: Thank you so much for joining us. So you're kind of like a bit of an iconic legendary figure, I feel like. He's rolling his eyes. You are. Like, you've been around a really long time.

Paul Melson: That's a nice way of saying I'm old, but that's true.

Sherrod DeGrippo: You're old.

Paul Melson: I am old.

Sherrod DeGrippo: You're old. How long have you been in security?

Paul Melson: Twenty-two, yeah. A little over 22 years. And I've been in tech 28.

Sherrod DeGrippo: Yeah. Okay. So I'm at 20 years in security and tech 26. So you're even more old school than me, and I'm ancient. But you -- I mean, I think you are iconic because you've -- you've broken a lot of cool stuff, like, in social media. You've, like, put Twitters out that people are like, Oh, my God. And, of course, you run -- you run the scumbots.

Paul Melson: Yeah. That is -- that is kind of a fun -- a fun project. So, yeah. It is -- kept me busy.

Sherrod DeGrippo: Let's talk about it. Let's talk about scumbots.

Paul Melson: Right.

Sherrod DeGrippo: So for those of you who aren't following scumbots on Twitter, you should, right. Everyone should follow it. It's fun.

Paul Melson: Yeah. I suppose. I mean, the bot itself isn't super exciting because what it -- what it is, right, is sort of a -- sort of an IOC feed on Twitter. And Twitter is kind of the worst place to have an IOC feed.

Sherrod DeGrippo: It is now. Yeah.

Paul Melson: Yeah. Well, it wasn't it -- wasn't great before. And to be clear, you know, I've solved that problem on the back end for folks that have shown up with use cases that I thought were worthwhile and promise to, you know, not productize it. So we've had a few of those. I've had a -- there -- in fact, there are still today some commercial threat intelligence companies that are selling the scumbots feed as part of their own.

Sherrod DeGrippo: Really?

Paul Melson: No. The -- so the best is 20 -- it must have been either 2018 or 2019 because I can picture where I was, which office I was in at Target at the time. And somebody from our threat intel team sent me an email, like a marketing email from a company, intentionally not saying their name because, you know, it's water under the bridge now. But they're known. It's a known threat intelligence company who did a whole thing on this and was talking about, you know, the -- sort of the adversary attack that -- so we should probably back up a little bit before I talk too much trash about the threat intel stuff. For folks that aren't familiar with -- with scumbots, what it does on the back end is it scrapes a bunch of paste sites and kind of open infrastructure on the internet, places where anyone can for free either with a signup or in a lot of cases anonymously just upload text, right. And as -- as you well know, you know, you can put a lot of bad stuff in text if you encode it properly. And so this was being used on -- on a pretty regular basis, still is, as a way of staging malicious payloads that threat actors were using. And -- and so the whole idea behind the project was, you know, hey, I've been working on some kind of generic detections for encoded malicious files. Could I use that to go hunting on the internet and then, you know, basically automate a pipeline that says, Hey. I found a thing. Hey, that thing turns out to be a bad thing. Hey, I know what that bad thing is. Hey, here's -- here are the indicators from this -- from this bad thing, from this malware. And so that's why, you know, right, like, is -- that's the genesis of the IOC feed. And what's kind of cool about it is it's pretty quick. It uses a series of kind of asynchronous queues, but the scrapers run pretty short duration from upload to the time the scraper is going to see that file and then about 15 minutes.
So I think I calculated the longest theoretical time from the time a threat actor uploaded something to one of the sites that it scrapes to the time that that message hits Twitter, barring any software bugs on my end, which is, you know, not a safe assumption but barring any software bugs, the longest period of time is about 17 minutes. And so, when you think about what that means from sort of a detection of staging perspective, that's part of what I thought was so cool about the project was, you know, catching bad guys and telling on them probably before their victims get popped.

Sherrod DeGrippo: And how many sources go into that? And are you -- are you constantly adding new or, yeah. How many?

Paul Melson: Yeah. So as we -- as we sit here today, as we sit here today, there are eight. But they come and go. In fact, I just spent this past weekend working on one dead one and kind of porting over a new one. I mean, so, yeah. It's a thing I do probably three, four times a year. Some of it just boils down to, like, novel discovery where, like, Oh, hey. I found this site, and it's being used by this actor. I hadn't seen that before. Let me see if I can write a scraper for it and put it into the pipeline so...

Sherrod DeGrippo: I think scumbots is something that a lot of people could have dreamed up, but not many people actually would have done it. Like, I feel like there's a lot of analysts out there who are, like, you know, if I could just get the files and then, like, run a couple scripts and scrape it. But you actually did it and made it available as a service. When did you do that? How long has it been around?

Paul Melson: 2017. And actually, you know, full credit where credit is due, it wasn't -- it wasn't fully my idea, right? Like, the -- so the genesis of it was actually a Twitter exchange with Xavier Mertens, who, at least at the time -- I think he still is, but don't quote me on that -- one of the SANS ISC, like the storm center incident handlers, that we were having a back and forth on generic encoding detection in the context --

Sherrod DeGrippo: As one does.

Paul Melson: As one does, in the context in particular, like, Office macros, like Word Macro contents, saying, okay. If I run this thing in the sandbox and it doesn't call out to anything, are there other things I could be thinking about? You know, so I had been doing this work on -- you know, here are -- here are basically some character strings that you could use. They're good for identifying Windows executables in various encoding states. We were kind of going back and forth on Twitter on that. And he mentioned that I'm going to add this to my paste scraper. And I was like, Your what? I was like -- I was like, yeah. Like, tell me more. And that's -- and that's when he said, Oh, yeah. It turns out pastebin, which was the first site that scumbots ever scraped, used to sell a scraping API access that you --

Sherrod DeGrippo: Yeah. And they stopped -- they stopped having access. Yeah.

Paul Melson: Which is a wild story unto itself that someday hopefully I'll get to tell the whole thing. But, yeah. That was -- that was interesting. It just so happened that, in spring of 2020 when everybody was locked down and quarantining, I was for a period of a couple of months the only person that had access to pastebin's scraping API.

Sherrod DeGrippo: How did that happen?

Paul Melson: So this is a perfect transition into talking trash about commercial threat intel company.

Sherrod DeGrippo: Okay. Yay.

Paul Melson: So, in fact, it's the same --

Sherrod DeGrippo: Paul Melson's talking trash, everyone. Here we go.

Paul Melson: Well, because I'm being recorded and I wouldn't want this to come back to me in the future, I won't name the vendor that decided that they could -- because the scraping API access was so cheap, that they would just spin up a bunch of machines, probably containers of some kind, put them all behind static NATs, and buy a bunch of licenses and then go back and try and historically scrape everything that pastebin had ever done. So they were trying to create kind of mass ingestion, and --

Sherrod DeGrippo: I mean, that's kind of -- I mean, it's a cool idea. It's a cool idea.

Paul Melson: It is until -- until the site that you're scraping gets a -- you know, gets a five-figure bill for the prior month from Amazon.

Sherrod DeGrippo: My question there, then, is that shouldn't we know the person who did that? I feel like we have to know them. They have to be somebody that we know, right? Like...

Paul Melson: I think I could get it in about five guesses.

Sherrod DeGrippo: Okay. But you're --

Paul Melson: But I actually don't know -- I actually don't know the hands on keyboard who spun up that project. But I know where they worked.

Sherrod DeGrippo: Okay. Yeah. So, if it's you, please message me on Twitter.

Paul Melson: And so -- and so, as a result -- I mean, I think -- I think they've been dealing with some -- with quite a bit of nonsense anyway.

Sherrod DeGrippo: Yeah.

Paul Melson: But I think, you know, finally the straw that broke the camel's back, March of 2020. And they shut off the API. And I think they even -- I think there was -- there were some Twitter exchanges, if I -- if I recall correctly. This is a few years ago -- but where they were -- pastebin basically came out and said, you know, this is nonsense. The security community is not entitled to this kind of access. That's not why we did this. That's not why we're selling it. But then pastebin got some blowback for this. And there were -- there were quite a few folks out there. You know, Ryan Moon had this really cool bot that was running -- that was looking for combo dumps so, like, email and -- email address and password pairs that get used in credential stuffing attacks. And there were a few other folks, and people kind of, you know, on social media were sort of shouting a little bit at pastebin saying, like, Hey. There's people doing good stuff with it too. And, for whatever reason, they kind of picked me and my project out of -- out of the group of kind of, you know, IT folks trying to do stuff for the community for free and turned mine back on.

Sherrod DeGrippo: You were, like, the one --

Paul Melson: Was the one.

Sherrod DeGrippo: You were -- you were, like, designated the single trustworthy person.

Paul Melson: Right, right.

Sherrod DeGrippo: I mean, good choice. But wow.

Paul Melson: I had never -- I had never -- well, so part of it was, you know, I -- so scumbots runs at Amazon in AWS, and I didn't want my bill to blow up. So the whole thing is single-threaded. It runs on a -- on a small VM, on a t2.small with really, really minimal kind of resources. It's -- and it's all single-threaded Python, and I just -- the way that I handle scale is just these asynchronous kind of file system queues that I just, you know, like, okay. This -- this fast loop step got done, and it dumped everything here. And then the slow loop step is going to come in and do the analysis. And then this even slower loop over here will handle, you know, the actual malware reversing and extraction because, increasingly, that stuff has got crypto in it and so on. So, anyway, yeah. So they put me out as some sort of example and then turned me back on and left it running. And -- and so for -- yeah. For a few months in 2020, I had -- I was -- I was the only one that was still allowed to use their API and have continued to. And I bought -- I bought the same lifetime that a bunch of other folks had bought. They would do it like a Black Friday sale. And so I think I've only ever given pastebin -- it's less than $100, either 20 bucks, 40 bucks, something like that. Not a lot of money.

Sherrod DeGrippo: You think -- you think pastebin's still relevant for that kind of stuff?

Paul Melson: For sure, for sure. What's -- what's interesting -- so I'll tell the -- I'll start with the beginning of the story, and I'm going to skip to the ending and yada yada over the middle, which, you know, like I said, someday hopefully I can tell the whole thing in a public forum. But the following -- so, you know, so March 2020, they kind of shut it off; and they kick a bunch of people off their scraping API platform. And then they come back, and they turn it back on. And then they start turning it back on for others. I think, you know, you can buy it. And they came up with a commercial tier that was much more expensive and covered their costs better. So I think some of those folks that had been beating them up for you paid us $20 for that IP address, and that IP address is -- you know, is consuming several thousand, you know, HTTP requests a second. Like, back off, kind of. I think they -- I think they found a pricing model that lets those folks back in the door but covers their cost and makes them a little more -- I have no idea how -- how profitable the scraping actually is for them. But then, in January of 2021, they took some of the encoding strings from the scumbots project. And I don't know that I'm exactly the source, but it's the same -- the same strings. And you can sort of test which ones will work and which ones won't. And they blocked the uploading of encoded Windows executables. And, by doing that, they deplatformed a lot of threat actors. So those folks had to go find other paste sites of which there are hundreds, thousands.

Sherrod DeGrippo: There's a ton of pastebin clones that have popped up over the years. And it's surprising, too, because you'd think that there would have been some sort of innovation in that space over the past 10 or 12 years. But I don't feel like there has been. Even more than that, like, 15 years.

Paul Melson: I see a lot of people just standing up their own ghostbin sites.

Sherrod DeGrippo: Yeah. There has been.

Paul Melson: Here's the thing I would say to anybody who's doing it is -- is fine. It's a cool service. But just understand that you're going to attract very quickly the wrong element if you're allowing upload and retrieval of text files anonymously on the internet. You're like, basically, as soon as you open your doors, you're going to have criminals. You know, my focus has been on finding malware and malicious payloads because that's interesting to me and kind of aligns with some of the work I was -- I was doing in my day job at the time the project started. I mean, but you have the other problems too. You have fraud. You have CSAM, you have piracy. Like, it's all in there. I don't see any sites that have exceptions to that, unfortunately. The abuse is pretty, pretty standard. I think you -- I think you have to understand that you're setting yourself up for that.

Sherrod DeGrippo: So something I always ask people is do you prefer crime or APT work? You get a chance to answer that also.

Paul Melson: Sure. Well, so -- so I can count on one hand the number of times I've been heads up with -- with an APT adversary, whether it was -- you know, scumbots has seen a little bit of what I would call state-aligned actors.

Sherrod DeGrippo: Sure.

Paul Melson: Not every country works like, you know, the US or our tier 1 adversaries where, you know, those spies are -- and operators are enlisted in part of the government and on a payroll and go to a SCIF and wear a uniform or even civvies. But there are plenty of countries out there, call them the tier 2 players, that are, you know, coercing, bribing their people with capabilities who speak their same language and live within their reach geographically. And definitely I've seen a lot of that, especially -- especially in and around the Middle East, although that seems to be dying out. And I'm seeing the shift of actors that have been relying on paste sites, not that there's not still a pretty heavy, like, Arabic language. But it seems like Brazilian Portuguese has become the new dominant in that space. And that's all pretty much heavily crimeware.

Sherrod DeGrippo: We worked a lot on Brazilian bankers in the past, like, where there are special banking Trojans that are malware that is branded to look as if it is aligned with those South American banks, like using their logos. And that has actually been a really pretty burgeoning space, I guess, is the aligned language to those aligned banks in South America.

Paul Melson: Yeah. It's interesting to see the criminal scenes -- so I'll answer the question now, I guess, which is I like the crimeware stuff better because it's got this local flavor that you don't get, right. The spy stuff is what's going to work against adversary. You're like, right. Like, whoever you're -- whoever you're targeting, you're really going in for that. And you've -- you've got -- you've got funding. You can -- you know, you can buy things, right. And so, as a result, like, it's very -- there's a lot of purpose-built stuff. Or it's the most commodity thing we can get off the shelf for the longest time, right? Everybody ran Cobalt Strike? Well, the upside if you're a nation state is Cobalt Strike looks like everything every other ransomware actor is using. So attribution gets harder but, at the same time, it's also a lot easier to get, like, caught and burned. But if you don't care about the consequence because of your job, right, whereas, right, like the -- yeah. It's fun to see North African and Middle Eastern threat actors are still heavily using things like VBScript. And we're still seeing, like, Word macros for like, you know, Word 97. And they're effective because that's still -- like, that tech stack is still very much in the area, right, locally. And that's, you know, that kind of stuff.

Sherrod DeGrippo: There's a lot of piracy, too, which, like, if you're not running updates because you're on a pirated version of whatever it may be, then you are also vulnerable to those versions of things that haven't been updated in however long. So it's, like, a weird -- it's like the first element of it is the pirated software. Then the second element of it is that it's insecure. And then the third element of it is that now with threat actors going after your pirated software. So, yeah.

Paul Melson: Yep. No; 100%. And it totally shapes the landscape for those threat actors, which is kind of neat because, you know, there's a sociological aspect of the intelligence work that maybe is less in play in the -- although no doubt now I'm going to get people in my -- in my Twitter mentions arguing the sociology is a big part in intelligence work at the nation state level. And -- and you know what? I'm open to be broadened.

Sherrod DeGrippo: I'm sure it does.

Paul Melson: That'd be some -- that'd be some of the best tweeting at me that's happened in years. So I'm here for it.

Sherrod DeGrippo: Well, actually, you know, I'll tell you from -- this is so pandering. This audience is actually -- they get it. Like, I've noticed very much that the people listening to this level of niche of a podcast because this is not a podcast with broad appeal. This is a podcast for people who do threat intelligence work and are interested in doing threat intelligence work and do security that involves threat intelligence work. And how many of those people are out there? Twelve, 15. Like, there's -- it's like a very small, small niche audience, which I personally love. But I know at times, I'm like there's only a few people out there that understand what I'm talking about to listen to the podcast.

Paul Melson: It's just Matt and Matt's mom, right, so...

Sherrod DeGrippo: I know. It's like the North Korea -- it's the mystic North Korea team. That's a shout-out to the mystic North Korea team because they're always bringing me bangers. So I want to ask you why you got into InfoSec? What are you doing here?

Paul Melson: How I got into InfoSec. Wow. That's a -- that's an interesting question. I'll own it. I think statute of limitations is up on, you know, the stuff I was doing in high school and college. I started out more interested in -- I was a computer hobbyist. Got into the bulletin board scene in high school. And, you know, gotten interested in kind of hacking at that point in time. I was just, you know, how the things work and -- and this is the -- you know, keep in mind this is the early '90s. And, you know, so the resources that people have now in terms of how to learn different systems and technologies and even how to learn, you know, exploit development and systems exploitation and those things, right, like, the only way to do it, the only way to learn it was to do it. And so, yeah. I got -- I thought it was -- I thought it was interesting. And there's a -- you know, there's a little bit of drunk on power thing that comes with it, too, the first time. I've talked about this with a bunch of folks in various stages across, you know, over the course of my career, right. But there's sort of three different professional endorphin rushes that I've had, right. And the first one was -- so, you know, my first job in security in 2001 was -- was pen testing. I worked for a VAR, so I also did a lot of Blinky box installs, lots of firewall, VPN, IDS type stuff back then. But --

Sherrod DeGrippo: I ran pen testing at a VAR too.

Paul Melson: Yeah. And I don't know if our paths crossed, but the VAR you were at was -- I went to work at a customer of that VAR.

Sherrod DeGrippo: Oh, okay.

Paul Melson: So doing pen testing and -- and that first time, first time you -- you get a shell and land as admin on somebody else's box over the internet without -- without a password, without -- without cheating somehow, right, just figuring out a security flaw in the -- in the box and being able to get onto it, whether it's known or whether it was, you know, novel exploitation or a generic exploit type like SQL injection, whatever the case may be --

Sherrod DeGrippo: Yeah, yeah.

Paul Melson: -- there's this kind of rush that comes with that. The second one didn't come until much later. It would be a few years before I started doing IR as a consultant, and most of those really weren't like incident response in the -- in the way that I think of IR now, those were mostly autopsies, right. Come in, figure out what happened, close it up, help us make sure it doesn't happen that same way again a second time. Or, worse yet, there's disruption going on and help us, you know, evict the adversary and clean up the mess. But the IR where you're -- where you've detected the adversary, they haven't done damage, and you're in that race against the clock to scope the intrusion and evict them from the environment before they can steal the data, wipe the drive, whatever you -- whatever they're after, that rush, getting that right the first time, like, winning heads up against an intelligent adversary, blew pen testing out of the water. Absolutely the coolest thing I had done up until that point. And then the third rush professionally was -- was more in the fields. But being in leadership and helping -- helping somebody develop, helping somebody work on a skill or work towards a professional goal or something and seeing them achieve it. I remember the first time I -- somebody who had been working for me got promoted up to be a peer of mine in the leadership team and thinking to myself, like, that was just the coolest thing and just being so, like, happy for them and also just, like, happy for me, right, because in a way it was -- it was a reflection of like, okay. Whatever -- whatever I was doing, whatever I was teaching that they glommed on to, there's a formula there. There's something repeatable. And just -- but seeing somebody just work hard, and get a win professionally, come up professionally, that's the third.

Sherrod DeGrippo: Let's talk about that a little bit because the Target cybersecurity crew has quite the reputation of being, like, really cool and, like, really good. Everyone, I think that they have -- the Target cybersecurity teams have a reputation of being great at that work. But they also have a reputation of, like, being cool. Like, they're like the cool kids at school. They've got, like, tattoos and skateboards and stuff. So how did that culture come about?

Paul Melson: So I might be able to take a little bit of credit for Target getting good and being able to attract -- you know, I mean, the secret to -- first of all, so for the listeners that don't know, I just left Target after nine years. And it's -- it was my home, and I had an absolute blast working there. I learned a ton.

Sherrod DeGrippo: You met the dog.

Paul Melson: I did meet Bullseye or one of the -- I don't want to get in too much trouble. There's more than one.

Sherrod DeGrippo: Oh. I think that there was a Newsweek article about that, actually. So I love the dog. I love that you met the dog, which of course is one of my obsessions with you working at Target. But, I mean, if you could tell someone in a leadership role in security, if you want to build a team that's successful in the way that the Target team has been successful, right, which is a specific -- it's not just a blanket, oh, they're a good team. It's they're a good team. They give back to the community. They're cool looking and fun. How did you do that? How would you tell someone else to be able to do that?

Paul Melson: Yeah. I don't -- I don't think I get any credit for cool looking or fun. I haven't -- I haven't been on a skateboard in 30 years. I have zero tattoos. You know, for --

Sherrod DeGrippo: But you know -- you know what I'm talking about, though.

Paul Melson: I do. I do. There's some really cool people at Target.

Sherrod DeGrippo: Yeah.

Paul Melson: But I just was never one.

Sherrod DeGrippo: Oh, please.

Paul Melson: So there are a couple of things. One, out of the gate, the decision was -- you know, when we were starting the -- starting to build out what Target now calls its cyberdefense function, that's a -- that is a -- one of the kind of three legs of the cybersecurity program stool. And in the build-out of that, the focus was very much on kind of -- was, one, we're going to look for talent; and, two, we're going to hire for attitude and learning aptitude because things are going to change. And we -- I don't care what somebody was doing five years ago, right. The environment is going to change, and we're going to do this a little different. And we want -- we want people that want to learn. We want people that are fired up. And we want people that understand that this is not a hero show, right, that you're not going to -- you're not going to come in the door and be the save-the-day person. Right. Everybody gets a turn, but everybody's got to pull their weight. This is a team sport. And to make it scale, you can't be -- you can't be about yourself. You can't be a ball hog because, quite honestly, the -- you know, at any sort of scale, the just kind of nonstop onslaught of cybercrime and network garbage that gets thrown at any large enterprise, you need a team. You've got to be able to hand off. And so we focus pretty heavily on trying to build culture. And I -- I want to give credit to Target in its whole. Target's got a pretty awesome corporate culture. It's very -- it's very friendly. It's very collaborative. People are good to each other there. And that, I think, was part of the secret is definitely why I lasted nine years there was -- was -- it was someplace that just kind of show up, be a good person, be on the team, work hard, learn. And -- and we tried to have we tried to have as much fun as we could. You know, there's a lot of not fun. 
There's a lot of stressful in cybersecurity, especially in, you know, intelligence detection, response, that incident command, incident management role, like, you catch a lot of garbage in roles like that. And so having fun with it and really focusing on -- so we spent time on kind of skills and development. And then the other thing was we just kind of picked a couple of simple sort of true norths, right. We focus really heavily on detect and contain. Then we started focusing on detection quality and performance. And then, from there, started focusing on kind of intelligence completeness. And -- and so a couple of my colleagues at Target released a framework that we called wave that's still in use at Target today that, you know, is kind of the culmination of that. You know, hey. If you know who the actors are coming at you, then, from an intelligence perspective, you can sort of lay their tactics and capabilities out, you know, whether you like -- whether you want to use ATT&CK for that or, you know, something like the Lockheed Martin kill chain or something like that. But lay it out across that, and then your intelligence, you kind of score yourself on how current is it. Do we have ongoing observation? Do we know anything about it? And then, based on that, you sort of identify gaps, prioritize gaps. And then that folds down kind of directly into detection, right. Your intelligence should be helping support and feed detection capabilities. And so one of the cool people with tattoos, Ryan Miller, who's the Senior Director of CTI at Target has this -- this deck that he calls the baseball card deck where he can trot out the actors and say, here are our biggest gaps. Here's who we're ready for. Here's what we're feeling good about. Here's where we've got to focus. And it's this pretty -- it's this pretty straightforward prioritization capability that the team built over years and a couple of real hard conversations early, early days.

Sherrod DeGrippo: So they would actually do prioritization around a specific actor's TTPs and how prepared the organization felt for that actor's focus?

Paul Melson: Yeah, yeah. And the idea being that, you know, what -- so these are the actors we know that are interested in retail. That's part of why -- it's part of why the program's been -- had some longevity, too, is, right, actors might -- right. And so we talked about TTPs changing, right. And this is something I know you know real well from your -- from your prior role, that the front-end delivery mechanisms are for sale. But what happens in the middle is a little bit different, whose payloads it's going to be. And then on the -- on the back end of that, what they do post -- you know, post-intrusion has changed over time, right. But what started as, you know -- but you can draw a through line from the same people that were running Dridex and dropping point of sale malware in 2016 to people that are -- you know, that were using Emotet and dropping Ryuk in 2020, right. Literally some people --

Sherrod DeGrippo: And -- yeah. And I think that that's why, in 2024, we're not fighting a threat actor; we're fighting an ecosystem when it comes to crime. We're fighting a system, not just an individual threat actor group and then another threat actor group. It is a fully enmeshed ecosystem. And I think that that's also the reason that it's so squishy and -- and the overlapping visibility with your other friends, like, that's the key, I think, is that -- I'm friends with people at Mandiant. I'm friends with people at CrowdStrike. I'm friends with people in Proofpoint. I'm friendly with people at Target because everyone's seeing something different. And it's like that sort of proverb about, like, people touching an elephant, and everyone describes something completely different. And it's like that's where you're going to exist unless you have the posse friendship to kind of bring with you on the visibility side, with crime especially. Especially with crime.

Paul Melson: Oh, 100%. Yeah. I think, gosh. I want to say it was 2019, but dates don't mean anything to me anymore courtesy -- courtesy of the -- courtesy of COVID, right. But -- so anyway, yeah. A few years ago, we were -- we were just -- we had started talking about them in terms of markets, right, that there are -- that there are actual places, right, whether it's a Telegram channel or a bulletin board or, you know. But there's some --

Sherrod DeGrippo: The darkest of the dark web; the dark web; the dark, dark, dark web.

Paul Melson: So which -- which -- I can't keep dark web and deep web straight. One of them means -- one of them means a website with a password. The other one means Tor. But I'm not sure which is which. Anyway...

Sherrod DeGrippo: I mean, no. I've sort of given up on things. The dark web, but what if I know of a darker web? The web that I have found is the darkest of the webs. It's -- it's always funny when you read -- when you read public reporting on a threat actor. And they're like, oh, and they were talking about it on the dark web. And then -- and then when you dig in and you find out like, you mean that bulletin board over there? Yeah, yeah. You mean these forums that anyone can sign up for? Yeah. Look. I made my profile my dog. Like, I'm on the dark web, too.

Paul Melson: Right.

Sherrod DeGrippo: Yeah. I like to -- I usually say, like, underground, like underground forums and then hope people can extrapolate from there.

Paul Melson: That's fair. But, yeah. That there are these actual locations. And so who's active in -- in those locations sort of defines who can collaborate, right? And that, that piece of it, the comms monitoring piece of intelligence has become so critical for crimeware. So we were -- we were talking about that, like I said, internally in terms of markets and saying what would it take to start taking what we know about these actors and their TTPs and start trying to work back to, okay. So we think this is this actor, and we think this is this actor. We're not exactly sure. Can we find where these two are talking to each other? And, if we can, then we can sort of expand that view out and identify who else is there, so who else could be involved. And then -- and then it was probably about six months after we started talking about it internally at Target that Mandiant released the Mixmaster report. And, to me, that was kind of a groundbreaking report because that's the first time I remember seeing somebody just come out and say, like, yeah. It doesn't matter that that's who this campaign is because any one of these players could swap out at any point for these other ones. And that's the point is we've been talking about this FIN actor and this FIN actor but, really, anymore, they all can -- you know, they're specializing. And I think that's the other thing that ransomware kind of did was it isn't about -- it isn't about long-run -- it isn't about long-run persistence anymore, right? It's a smash and grab. And, if it's a smash and grab, you can specialize. And so it's been interesting to watch that transform over the last, you know, five, six years.

Sherrod DeGrippo: Yeah. I think over the last five or six years the thing that brought me so much feeling of insight, like I could understand more, was the Conti leaks. Like, I feel like they just really -- there were chats where, like, there's three guys arguing over who's making what money, and they're all sharing essentially their pay agreements with the overarching hierarchical -- basically, their boss. You start to read those and, honestly, like, one, it's fascinating. Like, it's -- it is the truest of true crime, right. Like, you're watching the criminals do their thing. And you're watching them embody their personalities. Right? Like, you're seeing who's kind of a jerk. You're seeing who's mean. You're seeing who says please and thank you. You're seeing who's chill because you're watching their inner monologue be typed out at you.

Paul Melson: No; 100%. Who's got good taste in music? Who's got terrible taste in music? That's in the Conti leaks.

Sherrod DeGrippo: I know.

Paul Melson: Yeah. That was so much fun to read. And, at the same time, like, the whole time I'm reading through these -- you know, because, when they -- when they dropped, I'll own it. I went and got a copy and started getting through. For sure. It was some of the --

Sherrod DeGrippo: We had a task force at work whose job was to go through them. Like, we were, like, Okay, everyone. Get ready to start copy/pasting into translate apps because we need to know what's going on here and piecing it together. And I think somebody on my team made like a PowerPoint timeline.

Paul Melson: Wow.

Sherrod DeGrippo: With the time -- yeah -- of, like, the leaks came out, this happened, this person quit and went to a different group. So my point, I guess, is, is that, like, with crime, if you think of it as an ecosystem, one of the entry level ways, or one of the entry points -- I shouldn't say entry level. One of the entry points to mapping that all out in your own brain is to, like, walk through the Conti leaks and understand not necessarily who these people are in their soul but who they are in their work.

Paul Melson: Right, right. Yeah. Yeah, it was definitely a really, really kind of crucial piece of evidence to sort of validate that approach and -- and that, right. Like, that, yeah. These are -- it is organized crime, right? No -- no way around it. At the same time, it's a bit of a bummer that -- that that got burnt because, right, like, think about the -- think about the ongoing value of something like that. Now you just in a very public way forced all of these people to reconsider their operational security so...

Sherrod DeGrippo: Well, I agree with that. And I also think that that is kind of an integral part of it because it was very much, from my perspective, like my old days in LiveJournal. It was very, like, vindictive-y and mean and, like, I'm going to hurt you. I'm going to do something mean to you. And I'm going to release private conversations the way that, like, somebody would release, like, mean text messages between, like, teenage girls.

Paul Melson: Just a -- just a -- an aside, just a personal question I've got to ask. Do you find it fascinating that like, the 19, like, early 90s IRC culture of doxing people as a way of trying to do damage over the internet has become kind of like -- so, of course, you see, you know, anonymous and groups like that pick that up and run with it, you know, in the -- in the 20-teens. But, like, to see nation states using that and, like, Russian cybercriminals use it, like, yeah. Doxing is a weapon when it just used to be -- we would wait for, like, elite zines to drop in pompack, right.

Sherrod DeGrippo: I was in high frequent in Undernet. That was my hang. That was my main hang. But I'll tell you something else that I find fascinating is that LiveJournal, I can't remember what year, but it was passed around through various hands. Brad Fitz started it. Rod Fitzgerald started it. You know, it's written in BML, which is Brad Markup Language. It was eventually purchased by SUP, which is a Russian utility company, because the word for blog in Russian is LiveJournal. Like, LiveJournal is like an underpinning or was, you know, for several years, decades an underpinning of Russian communications because it was purchased. Yeah. So LiveJournal was really integral, I think, in my interest in threat intelligence, which is kind of weird. So, Paul, we're going to wrap up. But let me ask you, like, what do you think the next kind of evolution of the threat landscape is going to look like? Like, what are you worried about coming up from the threat actors that we know or threat actors that we don't know?

Paul Melson: That's a good question. I think right now the state of things for most companies is they're finally waking up to, you know, that stronger MFA, right, really have to get to, like, the high-assurance tokens, move to software authenticators or something along those lines, but gotta get off SMS and email. And it'll be interesting to see what happens on the other side of that because what's -- what I think has changed is the rate at which some of the threat actors in the crime space have gotten access to resources, and will they turn around and try and use those for additional forms of access, right. And I think the scary part is, we've seen just how good social engineering can be in kind of the SIM swapping and kind of help desk attack space, which is stuff that is -- is old hat for people that have been doing social engineering pen tests for the last 20 years. But what happens when we start to innovate around, you know, bribery and some of the other things like that? What, you know, where -- how long before there are good patterns for -- because we see it. But I see examples of the bribery thing now, but they're fairly clumsy. I don't think it's highly effective. But I think that buying insider threat, right, like, they have resources. They have money. They have some ability to move money internationally and launder it. So then the question is what does it take to -- to pay people basically to be your person on the inside?

Sherrod DeGrippo: I've seen a lot of that too. A lot of people that get approached for that will post, like, I got this text message saying, you know, this person will give me $1,000 for every SIM swap I do. Or, you know, they'll pay me $300 for every username and password I reset for them. It's getting very personal, and that's, I think, definitely part of the frontier that's coming.

Paul Melson: Yeah. And exactly. And at what point do they start moving into other parts of the ecosystem around -- around the potential victims? If you want to know what's keeping me up at night, that's it. That's where -- that's where I'm concerned.

Sherrod DeGrippo: Okay. Well, Paul Melson, thank you so much for joining us. Everyone, go follow scumbots. And I hope to hear from you soon when you land in your next reality.

Paul Melson: Yeah, yeah. Thanks, Sherrod. This has been a lot of fun. Thank you for having me.

Sherrod DeGrippo: Thanks, Paul. Thanks for listening to The Microsoft Threat Intelligence podcast. We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out, msthreatintelpodcast.com for more, and subscribe on your favorite podcast app.