Defending Against Advanced Actors
Ann Johnson: Welcome to "Afternoon Cyber Tea with Ann Johnson," where we speak with some of the biggest security influencers in the industry about what is shaping the cyber landscape and what is top of mind for the C-suite and other key security decision makers. I'm Ann Johnson. And today, I'm thrilled to be joined by Cristin Goodwin. Cristin is the associate general counsel of Microsoft's Digital Security Unit in the customer security and trust organization. The Digital Security Unit includes Microsoft's threat context and analysis team and the cybersecurity legal team.
Ann Johnson: Recent headlines on the increase in nation-state attacks are certainly wakeup calls to how the public and private sector must collectively prepare for more sophisticated attacks. And while there is a need to strengthen our software and hardware supply chains and modernize IT infrastructure, there has also been discussion about how to promote broader sharing of threat intelligence, including for real-time response during cyber incidents. As an expert who specializes in adversary incidents, helping protect more than a billion customers worldwide, Cristin shared her insights and expertise with global business and government leaders to help lead effective cyber defense strategies and to safeguard against attackers.
Ann Johnson: Cristin joined Microsoft in 2006. And since that time, she has been Microsoft's lead counsel for all aspects of Microsoft security incident response processes and security updates for over a billion customers around the world. From providing legal counsel to the Microsoft Threat Intelligence Center on operational issues, advising on a range of cybersecurity and cybercrime policy issues - and she's also very critical to Microsoft's government security program in supporting her clients and legal and policy experts at Microsoft subsidiaries worldwide. I'm thrilled to welcome you to "Afternoon Cyber Tea," Cristin.
Cristin Goodwin: Thanks, Ann. It's great to be here.
Ann Johnson: What kind of tea are you drinking today?
Cristin Goodwin: So I am on my third cup of Earl Grey, which is my go-to when I need caffeine. I'm not much of a caffeine person, but it's always Earl Grey. I'm much more of a honey aficionado. So it's Earl Grey with Washington Clover Honey.
Ann Johnson: Excellent. I usually, for the podcast, drink lemon ginger tea because I need my throat to be super clear. So that is what I - I am, I think, on my - it's second. I'm trying to, like - my second cup of lemon ginger tea for the day.
Cristin Goodwin: (Laughter) Outstanding.
Ann Johnson: So it's great to have you here. I know you bring this wealth of knowledge about the cyber industry, what's influenced the space - and, you know, from both the threat actor point of view, but also you have this unique legal and policy perspective as well. And I know there's a lot to cover. But let's start with your team and why what they do is so critical to how global organizations understand and respond to cyberattacks.
Cristin Goodwin: Oh, I'm always excited to talk about the Digital Security Unit. I think we've got one of the best missions in all of Microsoft. One of the things that Microsoft and, frankly, the entire tech sector, has been strong in for many years is talking about how attacks happen - which file, which vulnerability, which tactic was used. How did Colonel Mustard end up in the library with the candlestick? But what we hadn't really leaned into is the why of attacks. And that's really essential if you want to change people's behavior. So if you've ever been on an airplane, they tell you, put your mask on before helping others. They don't tell you why. They don't tell you, you have 15 seconds of oxygen before you'll pass out. And then, you can't help anybody.
Cristin Goodwin: So we focus on, why are nation-state attacks occurring? So when our colleagues in the Microsoft Threat Intelligence Center - or MSTIC - have evidence of a nation-state attack, we aggregate. We log that data. We're able to look at victims. We're looking at the geopolitical context of the attack. We're looking at the laws and policies that surround those issues. And then we're advising, internally with our customers and with the world, what is driving those nation-state attacks. And we've been able to learn a lot about how attackers are behaving over time. So that's been a really fulfilling part of what we do is bringing the why. That also helps us on the legal front work with governments around the world to understand why we need to have more effective cybersecurity laws and policies. And how do we help influence their thinking as well?
Ann Johnson: So I think that's an incredible mission, right? And it is one of the best missions at Microsoft. And there's a time when, you know, companies and local governments were unlikely to ever even have to deal with nation-state hackers interfere in their operations. But unfortunately, that's changed, right? The world has changed. Can you comment on why you think the world has changed so much? And what surprised you the most about these bad actors and the way they're behaving now?
Cristin Goodwin: Well, if you think about spy novels and movies of the past, they were always fraught with so much tension because the spy had to go to the adversary's country, find the individuals or find the company and figure out a way in at incredible risk. Now nation states don't have to put their personnel at risk. They can get behind a computer, figure out how to gain access to that same company or that same individual, all from the comfort of their own office or home. And so that was a game changer. And nation-states have taken advantage of that. I think what's been really fascinating about what we've been able to do in the digital security unit and with the MSTIC team is that we're able to look at attacks against our cloud customers and - not any of the content or the victim's data, but look at the aggregation of the attack. And that data helps give us insights that we can then share with the world.
Cristin Goodwin: Previously, when victims were being attacked, it was largely on premises. So those companies were either involved in hand-to-hand combat with those actors, finding them in their networks and removing them, or they wouldn't even know they were there. And nation-state actors would sit inside that victim network for a period of time - a long period of time, as we know - and then choose to take action. So the cloud has given us the ability to see these attacks and share that information with the world, and that's really dramatic. Smaller companies, local governments, they've - there's always been attacks since we've had the digital age. But now what we're able to do is shine a bright light on it.
Ann Johnson: And I think it's incredibly important that we do shine a bright light on it because as the range increases, as the sophistication and the persistence of these attacks increases, forcing these folks out into the light is going to be, you know, very helpful - right? - and being super transparent. And also, you know, helping organizations defend, right? From your standpoint, your - you provide data and you provide best practices and you talk to governments all the time. What do you tell folks that they can do to defend against some of these sophisticated attacks?
Cristin Goodwin: You know, it's sort of funny, Ann, because when you think about nation-state attackers, you think about, like, the Tom Cruise scene in "Mission Impossible," where he's, like, coming down from the ceiling with the wires, and he's all suspended there. But 99% of the time, when a computer is compromised, a password was available but it wasn't installed, right? So you don't always need Tom Cruise when you've left the door open. And so part of what we're trying to do is to help the world understand there is a lot that we can take off the table through patching, through multifactor authentication, through some of the security basics. That does raise the cost to attackers.
Cristin Goodwin: For example, we're seeing a lot of attack tactics from both Russia and Iran right now called password spray. And, you know, we're all humans. We've tried to log in to our computer, and we've hit the wrong keys and we've messed up our password. And so you get a couple of attempts before you lock yourself out, and you've got to call for help. Attackers know that. So they'll send some really basic passwords, like Q-W-E-R-T-Y or 1-2-3-4-5 against every single password, every single account in an enterprise. And, you know, somebody here in the greater Seattle area, where I am today, may have Seahawks2022 as their password or Olympics2022 from our recent Winter Games. And that's all it takes. So there's the unsophisticated, advantageous nation-state attack, and then there's the sophisticated nation-state attack where, for example, during SolarWinds - where the Nobelium attacker out of Russia was customizing Cobalt Strike, a known common technology, customizing that for each individual victim, right?
Cristin Goodwin: That's what's really important to keep in mind is that if you have information - if you're a CISO or you're an executive and your company has information that may be of interest to a nation-state, thinking about the fact that they will either use the window you've left cracked open or they will build the Tom-Cruise-from-the-ceiling, "Mission Impossible" capability to get in means that you have to really think hard about protecting your enterprise and thinking about your defenses from a holistic standpoint.
Ann Johnson: And when you think about those defenses holistically, when I talk to customers or partners, they always say, where do I start? What's the first thing I do? So I'm going to ask you that question. If people can only do one thing to protect themselves, what is that one thing they should do?
Cristin Goodwin: I'd say MFA. And I start with MFA because you can apply it to the accounts that are involved in your enterprise, and you can apply it to your accounts that are involved in your person and in your personal life. Because what we see from a nation-state perspective is that if they can't get you in your work environment, they'll come after you in your personal environment. So if you got to pick one thing and peanut butter it everywhere, it's MFA.
Ann Johnson: I think that's excellent. We always talk about MFA for 100% of your users 100% of the time - anybody who accesses your environment. So as you think, then, about, you know, shifting a little bit to that holistic standpoint, not just the single thing a company can do, where should organizations, whether it's companies or governments, be investing now when it comes to their cybersecurity program?
Cristin Goodwin: That's great. You know, first of all, having a team of trained responders is always an important resource. You know, I've been the attorney supporting the Microsoft Security Response Center, particularly focused on advanced attacks, for well over a decade. And when you march into battle having a team of professionals ready to stand at your side, that's key. That's more of a reactive thing.
Cristin Goodwin: From a proactive standpoint, I think it's really important to think about, from a risk perspective, your basic security hygiene. You know, what are your lowest-hanging fruit things that have been lingering for a while, and how do you burn them down over time? And that's patching those legacy apps that don't have the ability to be supported anymore, migrating off of that sort of technology, patching, MFA, zero trust. You know, I'd like to say that there's some fancy, exciting concept, but it's really the blocking and tackling that you hear about from so many CSOs who are talking about responsible defense - it's the same thing with nation-states.
Ann Johnson: That's excellent. And, yeah, I do think that while nation-states have resources and could certainly have very sophisticated attacks, there's a lot of things in environments that are still the same - right? - that you want to do to protect yourself from any attack. So starting there is always a good place.
Ann Johnson: As we think about, then, you know, moving from technology, you have this wonderful perspective - 'cause I've worked with you so much, right? You understand the technological aspects, but you also understand the legal and policy aspects. So can we just talk a little bit about policy and legal aspects...
Cristin Goodwin: Sure.
Ann Johnson: ...And think about things like cyber treaties and what type of agreement do you think is even possible? And what does a successful international cyber agreement look like to you?
Cristin Goodwin: Oh, you know, it's often said in international law that treaties are the least possible things that everybody could agree to. So I don't want to presuppose what a treaty might do. But I'm excited about how international law and the international diplomacy communities are focusing on the need for cyber norms.
Cristin Goodwin: The Paris Call for Trust and Security in Cyberspace is a really forward-leaning concept, pushing on governments to set appropriate metes and bounds for how they behave in cyberspace. As an attorney, you know, that's really cool because as you think about how do you develop international law, first we need to have custom and consistent state practice. And we don't really have that yet. So I'm heartened by things like the Paris call. It's terrific when you see the United Nations come out and make strong statements in support of cybersecurity. That is building up the practice.
Cristin Goodwin: The other thing that I'm hopeful for is that we will see governments that are victims of cyberattacks start to lean into building cases, holding each other accountable for that sort of attack activity, either in the International Court of Justice or in other international courts or domestic courts, because that creates what we call opinio juris. You need a body of law, you need the history of holding each other accountable in order to evolve that international law to make it something more meaningful.
Cristin Goodwin: So I think that we're seeing - it's exciting as you look at how the law's going to evolve over time because you're seeing the building blocks being created right now. You know, we're all part of that. And so where we are in 20 years will be very different from where we are today.
Cristin Goodwin: I don't think a treaty or some sort of agreement is in the near term because countries are still figuring out what's appropriate and what's not. You know, we're watching Russia right now involved in cyberattacks in Ukraine - well, the - we're hearing lots of allegations of attribution from the Ukrainian government. And so that's where the body of law and policy will still be written. And it's changing literally right now every day.
Ann Johnson: So as you're talking about, you know, the timing that we're recording this, there's an attack happening in Ukraine. The Ukrainian government is also attributing cyberattacks. But one of the cybercriminal groups, Conti, came out today and said they would defend Russia in the event of a cyberattack against Russian assets. We've long had this theory and thesis that the cybercriminal gangs were either aided and abetted or just nation-states pretended they didn't, you know, operate in their country and gave them safe harbor. Do you have thoughts around Conti coming out and saying that?
Cristin Goodwin: So I don't have a reaction to Conti specifically, but this premise that criminal groups do have connections to nation-states - that is one that is a question that's kept me up at night for some time. And frankly, I'm in the process of hiring an analyst who will focus on that exact area. We want to go explore more deeply the connection between criminal groups and, frankly, the cyber mercenary companies that sell those services for hire to governments, too, because it's a force multiplier. It's a force multiplier for major regimes like Russia or potentially China, particularly in that company space. But it's also a force multiplier for smaller regimes who may not have the technical prowess to be able to launch campaigns against journalists or protected minority groups or disadvantaged communities. And so understanding that space so that we can talk more effectively about it with the world is definitely a high priority for me.
Ann Johnson: Yeah, I think that's - I think it's reasonable, and I think we all have - you know, it's hard for anyone to respond to my direct question because it's new information. And one thing that I - you know, I want to encourage our listeners is, much like any situation, cyberattacks also have that element of fog of war. There's things that happen initially that you don't truly understand. And, you know, giving grace to cyberdefenders to not have the immediate answers at the second you want them and understanding that it's a process that they need to complete an investigation is something that I can't emphasize enough.
Cristin Goodwin: Absolutely. Right. Part of the thing that's so important and that the Microsoft Intelligence Center focuses on so much is that, when we come out and make a statement about a cyberattack, it has to be technically credible. It has to withstand scrutiny within the community because, as we all know, the hacker mindset of questioning everything is ingrained in our culture. And so it's really important to understand that, from a threat intelligence perspective, the first answer may not be the right answer. And so we need to think about giving the threat intelligence community the time and the space to work a hypothesis until they are confident enough that the information they're going to share is actionable and technically credible. And that's a really important point you're raising.
Ann Johnson: Yeah, and I think it's something we just continuous - we educate, right? And, you know, cybersecurity is an education because it's still a very nascent industry, particularly for consumers, right? You know, on the enterprise and government side, we've been dealing with it for decades, but, really, consumer awareness has just been raising in the past several years. And with that, you know, what do you think we still need to learn, and what do you think we still need to focus on when we think about nation-state attacks or even cybercriminals that will strengthen our overall security posture in the future?
Cristin Goodwin: So as you think about the citizen or consumer side of this space, there is - one of the big four nation-state attackers primarily goes after individuals, and that's North Korea. And what's interesting about North Korea - you know, it's - upwards of 70% of their attack activity are aimed at consumer accounts. And they're either going after information related to the regime - you know, they're targeting journalists or academics or those who are connected to sanctions in some way against North Korea. The regime wants to know what these experts know and what these experts are thinking. So there's that type of intelligence collection.
Cristin Goodwin: But one of the other challenges for North Korea is, of course, due to the crippling sanctions that have been imposed upon it for its nuclear and other practices, North Korea doesn't have any money. And for many of their government agencies, they have to be self-funding, which is not really well understood as a - you know, a cause and effect of just the practical reality of sanctions. So cybercrime coming out of the North Korean space is in part helping agencies keep the lights on and pay their staff. And those are the types of attacks that individuals have to deal with and manage the ramifications of that all the time. So if there is a scheme that enables a nation-state actor like North Korea to be able to make some money, they will go after individuals to try to do that. So it's important to understand that, sure, there's a lot of cybercrime out there and a lot of terrible criminal actors that are putting pressure on that system. But there are times when nation-states are playing in that space, too.
Ann Johnson: Yeah, understood. And I think that, for the average consumer or citizen, the main thing - it goes back to what you said before - use MFA on all your consumer accounts.
Cristin Goodwin: (Laughter) Please.
Ann Johnson: Keep your anti-virus up to date. Use a VPN. You know, it's just - it's things that we still need to educate people on, though, right? Because they're just not accustomed with it. But - and most people don't realize they are using a form of MFA almost all the time on their smartphone if they're using their thumb or their face to authenticate to it. We need to keep the principles that simple. So it's been a great conversation so far. I want to understand and maybe have our listeners understand what your team is working on currently. What's top of mind? What projects do you have?
Cristin Goodwin: Well, so, obviously, given that it's late February, we're very focused on attack activity around Ukraine. That's - that is front of mind for us and for everybody that works in the threat intel space. We look at attacks on a quarterly basis, and so we'll assess over time, what are the major themes that are emerging for Russia, for China, for Iran or North Korea? And then we'll work on how we communicate that internally and externally for different audiences and communities to be able to do that work. So as I look back at, for example, over the summer, we were really focused on very, very large password spray activity coming from both Russia and Iran. So much so that - usually when you look at victims of attacks, they're about 10% critical infrastructure, maybe as high as 20 for a short burst of time. Over last summer, we saw that attacks against critical infrastructure hit about 45% from the time period of July 1 to September 30.
Cristin Goodwin: So we'll look at what are they going after and why. Both Russia and, to a lesser extent, Iran use this philosophy called compromise one to compromise many. And if you can compromise SolarWinds, for example, you can gain access to their downstream customers. Or if you can compromise a Cloud Solutions provider, you can go after their downstream customers. You know, we talked about that activity publicly on October 25 in a blog post highlighting how we saw Russian actor Nobelium attempting to pursue attacks against Cloud Solutions providers. So it's that sort of activity - what are they going after and why? - that really drives how we analyze attacks.
Ann Johnson: As you think about everything we've learned - right? - particularly since SolarWinds, what's changed in the way your team approaches things? Or what learnings have they taken in that - anything or, you know, you can share openly?
Cristin Goodwin: Yeah. You know, I think what's changing is the hunger for data. When we started this journey of talking about nation-state attacks, it was not as well understood. And now, what you see is that governments in particular are extremely eager for information about what's being attacked in my country? What are the sectors that are most under duress from nation-state actors? And what should we be doing as a society to be responding to these types of threats? And so that's really heartening, right? Because when we started this conversation back in 2017-2018 on these issues, it was more awareness raising. Now it's, you know, looking at you in the eye across the table saying, what do we do about this?
Ann Johnson: That's interesting, and it's - we're only, you know, at the beginning of the journey, I think, Cristin. And with that, you know, we like to send our listeners off with one or two key takeaways about what you can think we can overcome, the threat trends we continue to see. And also I'm always an optimist about cybersecurity, but why are you hopeful and optimistic about the future of cyber?
Cristin Goodwin: Oh, I'm all-in on cyber. One of the things I love about people on cybersecurity is they tend to have an origin story. Mine is that when I was a baby lawyer - right? - right out of law school, I was working for a firm on the 85th floor of Tower One of the World Trade Center, and I moved to D.C. in early 2000 to help a large telecom company build out a cyber practice. So I was in D.C. on 9/11, but having had that connection to the building, you know, I was going to be all-in and all-in forever, and I still am. What I think about when I look at security over time is that the threats are always going to evolve, and the wonderful thing that we have in our corner is that so will the technology. You know, there are always people who are thinking, day and night, 24/7, about how do we stop these attacks?
Cristin Goodwin: The thing that we didn't have 20 years ago that we have today is the cloud. We have a whole team of hunters looking at nation-state attacks, and when they find something, they can develop and deploy a protection for millions of people instantly. So it takes the pressure out of the sysadmin or the CSO needing to be the lone soldier on the wall in defending their own premises, and now brings them into the space where a community of service providers and security teams can partner with their customers to defend as a community. And that's the only way we're going to keep raising the cost to the attackers, developing new ways and mitigations to stop attacks and to move forward in the future. So that's what keeps me optimistic.
Ann Johnson: That's fantastic. Well, I really - it's always great to talk to you. I get to talk to you more than most people and I consider myself lucky about that, by the way, so...
Cristin Goodwin: I am grinning ear to ear and feel exactly the same way.
Ann Johnson: Thank you so much for making the time. I know you're super busy. Thank you for joining us on "Afternoon Cyber Tea" today.
Cristin Goodwin: Thanks, Ann. It's been my pleasure.
Ann Johnson: And many thanks to our audience for listening and join us next time on "Afternoon Cyber Tea."
Ann Johnson: I invited Cristin Goodwin from our digital security unit - she's the leader there - to join "Afternoon Cyber Tea" because she brings this unique perspective of both nation-state attackers and cybercriminals because she looks at it from a legal lens, a policy lens and a technological lens. And Cristin is fantastic about her ability to provide grounded and pragmatic guidance for organizations to better secure themselves against increasingly sophisticated attacks.