Afternoon Cyber Tea with Ann Johnson 11.2.21
Ep 38 | 11.2.21

The Rising Risks of Cybercrime

Ann Johnson: Today, I'm joined by Amy Hogan-Burney, who is general manager of Microsoft's Digital Crimes Unit and associate general counsel. Amy leads a team of global attorneys, investigators, engineers and analysts working together in an ongoing effort to fight cybercrime. Amy has led the privacy compliance team during the implementation of the European Union's General Data Protection Regulation and the Law Enforcement and National Security, LENS, Global Fulfillment Team, ensuring Microsoft's compliance with law enforcement and national security legal obligations. Every day, Amy leverages her extensive experience as a former attorney at the U.S. Department of Justice and Federal Bureau of Investigation. Welcome to "Afternoon Cyber Tea," Amy.

Amy Hogan-Burney: Thank you, Ann. I'm so happy to be here. And I follow you so closely on Twitter, and I get to see your puppies all the time. But it's really nice to be able to talk to you. And I miss seeing you in real life, also. 

Ann Johnson: Oh, thank you. The pups are here keeping me company, but I certainly do miss seeing you and many others in real life. It's been an interesting 18 months. So normally, I would dive right into what you are currently working on at Microsoft. However, when I learned that you used to work for the FBI, I immediately wanted to share with our listeners what you used to do and how that work actually brought you to Microsoft. 

Amy Hogan-Burney: Oh, it's so funny you say that. I usually joke with people, if you've ever seen "Men In Black," where they have that flash pen that Will Smith uses that erases all of your memories - that they take your credentials and your badge, and then they use that pen so you can't talk about anything, but it's not exactly true. But when I was at the FBI, I was an attorney in the National Security Law Branch, which is actually called the National Security and Cyber Law Branch now. And I think that's just indicative of the pivot you're seeing in the U.S. government and other governments, really, to focus on cyber and how important it has become. While I was there, I had a lot of different jobs. I started actually working in policy but also did special collections of information across the intelligence community. So I did a lot of work across the U.S. intelligence community. I worked in terrorist financing for a while. I did online undercover operations. And then my final job was specifically in cyber for the FBI. 

Ann Johnson: That's absolutely fascinating. And we could probably spend a whole episode talking about things like terrorist financing and the overlap with cybersecurity. But maybe talk a little bit about what brought you to Microsoft and why. 

Amy Hogan-Burney: That is such an interesting question. I actually had no plans to leave the FBI, except for there was a job that opened at Microsoft. And it was in compliance with legal demands related to the lawful access of data around the globe. And I worked at the time when Director Bob Mueller was leaving in 2013. And it was a time of transition, and I thought, well, if there's ever a time that you might want to transition, this might be it. So I put one application into one technology company, and the next thing I know, I found myself in the Redmond area and I've been super fortunate because, you know, the Digital Crimes Unit where I am now is just such a natural fit for my experience in government and privacy. And I'm also fortunate, really, because the Digital Crimes Unit at Microsoft is so unique amongst other technology companies. So the ability to lead that group of engineers and analysts and investigators you talked about - I just benefit from my decision in 2013 every day. 

Ann Johnson: Yeah, which is a great transition to talk about this Digital Crimes Unit. And by the way, when I was interviewing at Microsoft in 2015, I was given a tour of the Digital Crimes Unit as part of the recruiting process. And it is one of the things that I said, wow, I want to actually work for this company because there's thought leadership and vision, not just product. It was just fascinating as I went through and saw the work of the team. Kudos to you and the team as we continue to grow the capabilities there, too. 

Amy Hogan-Burney: Yes. Well, thank you. 

Ann Johnson: (Laughter) Yeah. That brings me to what we're doing now. So every year, Microsoft now releases a report that's focused on the cyberthreat landscape. And we currently call this report the Microsoft Digital Defense Report. And it shows us that the cyberattack landscape continues to increase in sophistication as cybercriminals continue and even escalate their activity in terms of crisis. So based on your experience, that, you know, broad breadth of experience you have, what are some of the highlights you think we should all be paying attention to? And tell us what we can learn from the latest version of the report. 

Amy Hogan-Burney: Yeah, the latest version of the report - it's such a great report, and I think the first reason is because there are so many contributors across the company. And so we have all of the teams at Microsoft that are contributing detailed information. And the other piece is they have a lot of data to support their conclusions, and those two things make it just an incredibly worthwhile read. The things I think I would highlight are that we just continue to see cybercrime rapidly evolving. And, really, defenders have to keep increasing their efforts to keep up with the threats. And as everyone knows, ransomware continues to be one of the largest threats. The interesting thing I think about ransomware is there is very little infrastructure, malicious infrastructure needed to make a ransomware attack successful. And they have become very profitable. And criminals are really using intelligence to target specific critical assets, so they can increase their pay. Attackers are not arbitrarily selecting their victims. And they are really looking to understand who each victim is and really conducting deep intelligence operations as I would see them. And we still continue to see identity being very important. So, you know, password sprays and phishing attacks are cheap, and they continue to be used to gain access to systems. So I think those are kind of the top-level things that I continue to see in this space. 

Ann Johnson: So can you talk a little bit about the attackers being really planful - and let's just keep it outside of public sector for a minute - but being really planful in the private sector about the research they're doing and who they're going to attack and maybe what their motivation would be. And I'll give you one example. With, you know, COVID last year in particular, we saw a lot of attacks versus health care because the health care organizations were struggling anyway, and I know the attackers felt that there would be motivation and impetus to pay. But can you talk - just expound upon that just a little bit? 

Amy Hogan-Burney: Yeah, we consistently see cybercriminals using either the geopolitical climate or using the issues of the day in order to socially engineer their targets. And this is true across all types of cybercrime. So whether we're talking about ransomware, which we already brought up, or business email compromise or even nation-state threats, one of the best ways to gain entry into a system is to leverage the current events of the day. And so I think we continue to see that piece, which means that during the pandemic and working from home and during remote, we would see phishing lures that indicated that you needed to click on this link in order to receive your COVID-related bonus or to get funding to set up your work from home setup or other things that would clearly be of interest to the - to people that had transitioned from being in an office and into being remote. 

Amy Hogan-Burney: And then the other thing that we're seeing is, specifically with respect to ransomware, we are seeing them target much more critical infrastructure. And so moving away from things that were just opportunistic and maybe lower-money reward, but moving to things that I would consider to be a threat to a nation's security. And you saw that with Colonial Pipeline and with JBS in the last couple of months. 

Ann Johnson: And do you think that makes it, then, more of a U.S. national and global security threat as opposed to just a private sector threat? 

Amy Hogan-Burney: I do. I think it is a U.S. national security threat, but there are - and there are other nations that are also impacted beyond the U.S. The Irish government is treating it as a national security threat after the attack on their health care system. And I think other countries need to do the same thing. It is much less, like, street crime as it used to be and much more, like, an actual national threat. And I do think countries are starting to take that very seriously. We're seeing it with the focus the U.S. government is bringing to it, as well as legislation that we've seen pending, which is really going to, I think, help in this space. 

Ann Johnson: Yeah, that's not great news, but I'm optimistic that we're coming together both as, you know, public and private sector in the U.S. but also, globally, to fight these threats. Let's shift a little, Amy. Let's talk a little bit about the industry, as our detection response team, I know, tracks the industries that they do incident response work with and also the geographies. Can you talk a little bit about what the report showed from an industry and geography standpoint? 

Amy Hogan-Burney: Yes. So the Detection and Rapid Response Team, or DART, as we all call them - I have such a hard time with the detection and incident response team. I can only just say DART 'cause it's just much easier (laughter). What they're really seeing is that the top five industries targeted in the past year based on their ransomware engagements are consumer retail and then financial services, manufacturing, government and health care. But the interesting thing, I think, about those top five is actually how closely they are targeted. So consumer retail's at about 13%. Financial services - 12%. Manufacturing - 12%. Government - 11. And health care at 9. And of course, during a pandemic, seeing ransomware actors target health care when it is so essential right now, it's just - it's incredibly disappointing to me. 

Ann Johnson: From a country standpoint, I believe the report is going to show us that the U.S. is leading but closely followed by China, Japan, Germany and the United Arab Emirates. Is that an accurate statement? 

Amy Hogan-Burney: Yes. And I think to a certain extent, cybercriminals are smart, opportunistic, and they look for where they might get the best payout. And given the broad internet access inside the United States and our GDP, I think we're an obvious target and the most targeted country. 

Ann Johnson: Wow. Well, you know, we've definitely seen a leap in attack sophistication, not just in ransomware but in other spaces, which means it's more important than ever that we take steps to establish new rules for cyberspace. And this increase in homoglyphs - or imposter domains, as people may call them - is mentioned in a recent legal civil case Microsoft filed to combat these types of trends. These domains, people may not realize that they're being used in various attacks, especially on small businesses in North America, and showing that this could become a dangerous new cybercrime trend. What else can you tell us about this growing trend of imposter domains? And what is the Digital Crimes Unit doing to contain these new domains? 

Amy Hogan-Burney: Yeah. First, I think it's important to note that those imposter domains, those homoglyph domains, are used in all types of cybercrime. So the case we filed several months ago was a business email compromise case. But we also see these domains used in nation-state cases, in malware and ransomware distribution. And they're often used combined with credential phishing. And they're specifically used to deceive a victim and to infiltrate a customer network. The case we filed in the Eastern District of Virginia, I find it to be one of our most interesting cases because it started with a single customer complaint. And so, you know, sometimes we have cases that we bring because we have large data sets, and we've looked across those data sets in order to find a case. In this case, the case came to us. And once we received that customer complaint, we were able to look at the information they provided and then identified 17 additional malicious homoglyph domains that were registered with third parties. So in order to take those domains out of circulation, we did go to court. So they can no longer be registered. 

Amy Hogan-Burney: But the most important thing, I think, about this case also is that we have started discovery, working with the provider to get more information about the criminal actors. We believe that they're part of an extensive network operating in West Africa. We plan to make a criminal referral in this case so that hopefully we can leverage the information we received and identify suspects that law enforcement will be able to engage with. And then the other part is that every time we get investigation results and that evidence, we're able to look across the company and see where this is also being used. So those 17 domains have led to other domains that we are able to either take down ourselves - because they're hosted on our own services - or reach out to other companies and ask that they be taken down as well to try to get those malicious domains out of circulation. 

Ann Johnson: That's fascinating. And I love the cross-company work. I know the DCU works closely with our, like, MSTIC, our threat intelligence center and our security research folks. And I know that together with the security engineering teams, you're executing a strategy focused - I've been told it's focused on four discrete functions - disrupt, deter, strengthen and communicate. I would love if you could share a behind-the-scenes look at the strategy and share how those four functions are helping not just Microsoft, but helping the industry be more successful in fighting cybercrime. 

Amy Hogan-Burney: Cybercrime is such a big problem that several years ago we felt very overwhelmed. And we thought, how are we going to address this? We have to really focus our efforts on where we can have an impact. And so what we decided to do is to think about it not as a specific type of criminal activity, necessarily, so not - while we do focus on ransomware and business email compromise, we also try to be strategic. And those four pillars are the strategic way that we look at cybercrime, I would say. So for disrupt, we're really looking at the malicious infrastructure that is being used. So what we do is we try to look across all of the types of crime and identify the malicious infrastructure and then use creative legal means to take that malicious infrastructure down. And I think the case we just talked about is the perfect example of that, where we had a business email compromise case, and we took down a number of malicious domains. But those domains can also be used for other criminal activity. And we are very focused on making sure that we try to keep a clean ecosystem out there, particularly if it's first party. You know, Microsoft is a service provider, so we try to make sure cybercriminals are not using our services - and then either going to court or leveraging cooperation with third party providers to do the same thing. And that's really all in service of protecting our customers. 

Amy Hogan-Burney: But the second pillar, I think, is one of the things that makes DCU incredibly unique, which is the deterrence pillar. This really focuses on the criminal actor themselves. So we do work to do attribution on these crimes and to actually identify the person behind the criminal activity. And so we leverage our expertise of our engineers and our view to the online criminal networks in order to do criminal referrals to the appropriate law enforcement agency. You know, we could spend our entire lives just taking down the infrastructure. But it won't be enough until we can actually see some law enforcement around the world. And then the strengthen - what we work to do is take the deep investigations that we do and then share that information with our product and security teams so they can make improvements. And this is one of the most satisfying parts of the relationship, is seeing the virtuous cycle that we've established by doing those deep, detailed investigations, sharing it with our products, watching the improvements in the announcements happen and then getting more data and doing the same thing again. So I really enjoy that part. 

Amy Hogan-Burney: And then finally, is the communication. Back before the pandemic, we used to welcome people to tour our cybercrime center. I miss being there very much. But it's just one way that we communicate. We really do look to partner with both the public and private sector. We spend a lot of time trying to educate our customers. And I will pull out my soapbox for just one minute for any customers that are listening. We do communicate with customers using the M365 message center. And so I urge everyone to check that message center. You will receive messages that indicate whether you've been targeted or compromised. And, in fact, that is the method that we use to deliver the information to the customers that were targeted in our business email compromise case several months ago. And so there's incredibly valuable information there. And I hope everybody's using that as a resource. 

Ann Johnson: Thank you, Amy. I think that was a really good recap of the disrupt, deter, strengthen and communicate strategy. Let's talk a little bit about the actors for just a moment. So cybercriminals tend to be able to leverage our natural human curiosity as one of their tactics. They do things like imitating major brands, including ours - right? - to obtain information. Do you think that the work-from-home trend and the difficulty in enforcing traditional security policies were part of why we saw a shift to more phishing attacks? And what would you say to organizations who want to keep their data safe whilst their employees continue working remotely? 

Amy Hogan-Burney: Yeah, I definitely think the shift to working from home made a substantial difference, and it is one of the reasons why we saw an increase in phishing attacks. The other thing that I think has happened is it's not as if now you go to an office, and you're able to see your colleagues and work together in a professional environment. Now people are managing their children, their pets, their household and trying to juggle working, as well as any health-related issues that may have come up during the pandemic. It's a lot. There is a lot going on. And so when a phishing mail comes in and it says it's urgent - it's something that your boss needs or the CFO or whomever it is has sent you the mail - it is very, very hard not to think, oh, this - I must do this immediately right away. And also, with a 2-year-old on your lap, it makes it even more difficult. And so they - criminals absolutely leveraged that environment. So I think what I would say is because we know that they are leveraging this environment, the first thing to do is to slow down, just really - when something hits your inbox, if it appears urgent, that should be an immediate red flag that it is potentially phishing. The second thing is anything that says that your account will be turned off, that you need to input your credentials - anything of that nature should really make people stop and second-guess that. Criminals are also broadening their attacks, so things will not necessarily just land in your email inbox. We are seeing the use of third-party apps such as WhatsApp or text message - so what we call smishing attacks. And, in fact, I got two this week, where, you know, it was - my account was going to be turned off. Please click this link. So I think everyone needs to be aware of that. 

Amy Hogan-Burney: Anything where it looks to be a change in normal office process - so wire transfers that seem out of the ordinary, invoices that look different. Those types of things should also raise red flags. And then the last point, I think, is as difficult as it is, we used to be able to open the office door and walk down the hall and say to a colleague, is this real? Is this what you want me to do? Now I urge people to pick up the phone and do that. Sending an email means you may be, in fact, still talking with the criminal who has compromised your account. And so please pick up the phone and verify. We are - I guess we would call it paranoid in the Digital Crimes Unit. We don't click on any links without doing phone calls back and forth all the time. And this does take time, but it's also a nice way to connect with your co-workers. So a phone call, please, for verification. 

Ann Johnson: You know, it gives you a reason to call. And I'll pull out just two things you said. One, if you get an email that has this incredible sense of urgency that you must act now and/or threatens that your account is going to be shut down, it is actually likely a phish. And you should validate that. And the best way to validate is a phone call because if you respond to the email, you might actually be communicating with a criminal. So - and like I said, it gives you a good excuse. And I agree with you. Look. I have - as you know, I have three pups that tend to work in the office with me. And even though they're dogs and may not need as much attention day to day, they can be disruptive. And suddenly, your train of thought and your stress - because they're barking at a critical time in a call. And then you have this email. And, you know, people just - I would say the one piece of advice is, you know, pause. Slow down. Think. Don't react. And it's probably the best advice we could give somebody for phishing attacks. Everything you said is just absolutely wonderful. Thank you, Amy. 

Ann Johnson: I want to go a little different direction and talk about botnets and disruption as part of the disrupt strategy. So last year, a judge issued an order allowing Microsoft to go after Trickbot and to seize servers used by the botnet. You mentioned that disruption of the botnet is going to be a continuing challenge. Do you see this as a threat? And how do you think about that next generation of threats? And what guidance do you give an organization, so they can help protect themselves from whatever this new wave of cyberattacks is, unlike things that we have potentially seen in the past? 

Amy Hogan-Burney: Yeah, I think we joked in the Digital Crimes Unit for several weeks that Trickbot has become our advanced persistent disruption and that we are - we actually are still working on. We continue to work around the globe to take down the command-and-control infrastructure that the cybercriminals are using in that case. We continue to partner with law enforcement there. We're really looking for an opportunity to do a full takedown. And so some day - fingers crossed - if I keep at it, we will get there. But as we work, I think it is important to point it out and to think about what you - other people can do to protect themselves. And so the first thing I think is to enable two-factor authentication. And I think it was two days ago, maybe three days ago as we tape this, we announced that consumer accounts are now passwordless, which I think is fantastic. We at Microsoft for our work accounts have been passwordless for a long time. And I don't even know what my password used to be. But consumer accounts that are passwordless - that is just a great way to harden your account in addition to that two-factor authentication. The other part is that if you think you are a victim, reporting that through Office 365, through Microsoft's platforms - incredibly helpful to us. As I mentioned earlier in our business email compromise case, that came from a customer complaint. So we do investigate those things. And they can be incredibly beneficial and lead to a - if there is one person who is a victim, it is most likely that there are many victims. And so that's very helpful for us to know, as well. And then one of the things we consistently saw - and we're seeing technical capabilities that make this a little more difficult, but people should still check - is looking at your forwarding rules. In your email inbox, what we found is that if a business has forwarding rules and many accounts are forwarding to one outside consumer email account, this is almost always evidence of criminal activity. And so now it is a rule at Microsoft where we see that many to one - that we sever that forwarding rule. That still does not mean that criminals couldn't use the same mechanism where they take the most important accounts and forward to different consumer accounts. And so I urge people to check and disable any forwarding rules. It's also much more difficult to enable your forwarding rules now because we saw them used so frequently in criminal activity. 

Amy Hogan-Burney: And then the last piece, I think, is that if you are a victim, in addition to reporting to us, victims sharing information with law enforcement - so reporting to the Internet Crime Complaint Center or to the law enforcement in your jurisdiction - is also very helpful. One of the reasons that we are finally seeing the focus of governments on this problem and it is finally being treated as a threat to a nation's security and given the resources needed is because victims are coming forward. Without victims coming forward, people do not understand the scope of the problem. And so being transparent here, I think, is very important as well. 

Ann Johnson: Excellent. I love that. And the forwarding rules, I think - I know it sounds technically complex, but it's incredibly important, as you stated. And I'm glad we've made system changes to actually make it harder. So people have to be really intentional about it and deliberate and thoughtful and - when they're doing it and why. So, Amy, share a bit with our listeners about what the Digital Crimes Unit is working on now. And also, the Microsoft Digital Defense Report, as well as all of our security assets are available at\security. But I'm dying to know what you're working on right now. 

Amy Hogan-Burney: So what we're working on right now is really thinking about the cybercrime as a service economy. So we are seeing what I would consider to be a mature industry. And it's making it much easier for more people to participate in the criminal activity. So regardless of technical knowledge, we're starting to see a robust marketplace where you can purchase a range of services needed to execute an attack. It's starting to be like a criminal syndicate. And so what we are trying to do is not just focus on the type of individual crime - so not just malware distribution, not simply ransomware - but the criminal syndicate behind that work. And so to the extent that we can share information with law enforcement that will demonstrate the criminal network, this is one of the best ways to execute on that deterrence portion of the work we have that we discussed earlier. We're also looking to think of ways to increase the scope and the scale of our operations. All of the work here is - it's technical. It takes a lot of expertise. But to the extent we cannot go after, say, just 17 domains, like we did in our court case in the Eastern District of Virginia - but if we can come up with a systematic way to take down all of the malicious domains that we are able to identify, that's going to have a much bigger impact. 

Ann Johnson: That's fantastic. And the work of your team is so high-impact. It's one of the reasons I want to have you on the podcast. So thank you for sharing all of these insights, Amy. We always like to send our listeners off with one or two key takeaways about how you think we can overcome these cyber challenges and about where you're hopeful about the future of cybersecurity. 

Amy Hogan-Burney: Well, I think first, I really think we can overcome these challenges by working together both in the public and the private sector. And cybercriminals are not geographically limited. And because of that, we also need to have a global view to cybercrime. So the more cooperation that we have globally, the better we'll be able to address the problem. I'm hopeful here, though, because I - we're really starting to see governments take the threat of cybercrime more seriously. They're investing in both the people resources and monetarily to harden systems. And I think we have a real opportunity this time to work together to seize malicious infrastructure, look for ways to make cybercrime less profitable and to share information that hopefully leads to arrests. 

Ann Johnson: Fantastic. I hope so, also. And I think that public-private partnership on a global scale is what we're going to need. We're going to need everyone to lean in, get really serious and leverage whatever law enforcement assets are available to them and not harbor these cybercriminals. I appreciate you joining today. Thank you so much for making the time, Amy. 

Amy Hogan-Burney: Thank you, Ann. This was great fun. I always love to be able to share the work of the Digital Crimes Unit. 

Ann Johnson: And many thanks to our audience for listening. Join us next time on "Afternoon Cyber Tea." 

Ann Johnson: So I chose Amy Hogan-Burney to join the podcast because of the tremendous work that Microsoft's Digital Crimes Unit is doing across the globe to reduce cybercrime and threats and working with both public and private sector. The funny thing is on "Afternoon Cyber Tea," we don't want to always have Microsoft folks on. But as I was thinking about it, we also don't want to be biased against Microsoft folks, who are thought leaders in the industry. And we have a few of them. And it's always great to highlight work that's good for the industry and good for the community. And the Digital Crimes Unit is one of those parts of Microsoft that isn't as well-known, but the work they do is just tremendous. So Amy was a wonderful guest. And I know people will get a lot of great insight from this episode.