The Microsoft Threat Intelligence Podcast 2.28.24
Ep 13 | 2.28.24

Throwing Darts in the Dark With Microsoft Incident Response


Sherrod DeGrippo: Welcome to the "Microsoft Threat Intelligence Podcast." I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage? Cybercrime? Social engineering? Fraud? Well, each week dive deep with us into the Underground. Come hear from Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird. But don't worry, I'm your guide to the back alleys of the threat landscape. Welcome to the "Microsoft Threat Intelligence Podcast." We are back for 2024, and we've got two fantastic guests here today. Stella Aghakian, a consultant for cybersecurity within Microsoft doing incident response. As well as Holly Burmaster, who is working also in incident response as a cybersecurity consultant at Microsoft. So we've got two incident responders from the organization formerly known as DART. Stella. Hello. Welcome to the podcast.

Stella Aghakian: Hi, Sherrod. Thank you for having me.

Sherrod DeGrippo: Thanks for coming. It's great to have you here. And, Holly, thanks for coming.

Holly Burmaster: Hi. Thank you so much, I'm so excited.

Sherrod DeGrippo: So just to give some background really quickly, I met both of you in Seattle at Microsoft Ignite. Tell me just really quickly, what did you think of Ignite and then we'll talk a little bit about your topic at the show.

Holly Burmaster: Well, for me, this was the first time I had been to Ignite or any of Microsoft's conferences in person. So seeing it was such a wonderful experience, being able to meet so many different people and answer so many different types of cybersecurity questions. It really was its own charm being able to be there in Seattle. And I hope one day to be able to do it again and learn and meet new people.

Sherrod DeGrippo: That was a really fun experience to see you there because I met you both in the green room. Stella, what was your experience with the Ignite event?

Stella Aghakian: I really liked it. This is the second Ignite I got to speak at.

Sherrod DeGrippo: Oh.

Stella Aghakian: The second Ignite I've also ever been at. So I really liked the conference. Very interesting for me to be able to meet new people like that, yourself included. Most of the people that I do know at Microsoft are DART. I'm not as familiar with a lot of our partner teams outside of the ones that we work with, Ghost and Mystic. So to be able to kind of experience that with Holly, meet all of the different people, especially in the big hall where all of the different teams were at, was a really cool experience.

Sherrod DeGrippo: It was really fun. And you two did some content on one of the most talked about threat actors right now, Octo Tempest. So for those who don't know Octo Tempest, Holly, can you give us kind of the quick overview of what people might need to know about Octo Tempest?

Holly Burmaster: Oh, yes, of course. I would say whenever anyone thinks of Octo Tempest, the first thought is the fact that they are these social engineering masters, basically. Their first foothold into most environments isn't what people usually would think it is. It's not malware. It's not gaining your credentials, directly hacking into you. Sometimes, it's usually just a phone call, and they'll get in, and they'll move up just by claiming that they're the help desk or someone as a business partner. And then they will utilize that to take down your MFA, change up passwords. And they get in purely by using the silver tongue, and I think that's fascinating about them.

Sherrod DeGrippo: That's awesome. So, Stella, Holly, walk us through how they get in. Can you give us kind of an overview of what Octo Tempest does once they've gotten access into an organization?

Stella Aghakian: Of course. A lot of credential theft. You know, they really want to escalate privilege to be able to gain those admin privileges that are going to then give them access to, you know, those high-value assets. A lot of what we've been seeing recently is exfiltration and then follow-on activities into ransomware deployment in a lot of the customers that I've dealt with recently. Which is definitely different, right? They've evolved over time. It wasn't always ransomware. It's later in 2023 where we started seeing the ransomware deployment. But a lot of social engineering, like Holly mentioned. They use it to get in, initially. But one of the threat actors that I've seen recently that's also using the social engineering while they're already in the environment to escalate privilege, as well. Usually, I've seen it through more credential theft [inaudible 00:04:49] you know, anything like that. But a lot of heavy use of social engineering throughout the attack chain for them.

Sherrod DeGrippo: Fascinating. Yeah, I've worked with some of the Microsoft Threat Intelligence Team on, you know -- they're building those intelligence profiles of Octo Tempest and combining what they have with what you find in incidents has been really fascinating. I read a lot of those entries. I have a lot of the team within Mystic that loves to drop me links internally and say, oh, go read this update. Go read this incident, you know, this is going on. So would you say, like, let me -- I won't ask you specifically Octo Tempest, but, like, across the threat actors that you've worked, is there any group or, like, TTP that you feel is really compelling to work on, like, that keeps your interest? Stella, I'll start with you. Like, is there a favorite threat actor that you have? Or a favorite type?

Stella Aghakian: Definitely, I would say cybercrime. You know, my first Ignite talk was on Lapsus$. I thought they were -- I mean, obviously, what they're doing is not cool, but the TTPs that they used were -- it was just really cool to me how they were able to achieve, you know, the smash and grab. And it's so effective because they're not using, like, the really sophisticated techniques like the APTs and the nation-states, but, like, the basics. But it's so incredibly interesting to me how effective it is. And then now, kind of, Octo Tempest and they're doing the same thing. So those cybercrime threat actors where they're maybe not the most sophisticated threat actors in existence, but the impact is still incredibly high for those victim organizations. I really love those threat actors.

Sherrod DeGrippo: I also love cybercrime. And, in fact, I like Lapsus$ a lot, too. But they actually have my favorite threat actor name at Microsoft, which is Strawberry Tempest. That is my favorite so far of the threat actors that have come over to the new -- or that have been renamed and, like, discovered since we did the new naming scheme. Strawberry Tempest I think is -- like, I want a frozen Strawberry Tempest on a beach with an umbrella and my dog. Like, that's -- the Strawberry Tempest name is so good. Holly, what about you? Do you have a favorite threat actor group?

Holly Burmaster: Well, now that we're talking about names, I have a couple different answers for you.

Sherrod DeGrippo: Okay.

Holly Burmaster: Because I also think Vanilla Tempest sounds like a wonderful name for a threat actor, and --

Sherrod DeGrippo: It's like a warm coffee drink, maybe.

Holly Burmaster: Yes. Exactly. And reading over that I'm, like, I know that I'm investigating this, but I just really want, like, a warm comfy drink right now while looking into this threat actor.

Sherrod DeGrippo: Yeah.

Holly Burmaster: But I do love the idea of cybercrime and the social engineering. It's particularly those threat actors or those criminals who use the things that people don't expect when they think of a hacker. People think of someone with these extremely high-end skills that are always looking at the things that no one expects, and sometimes it's just that they're right under your nose. It's that they picked the right words, it's that they looked at just the right application, or they found somebody online. All those little things can stack up so quickly. But if I really had to pick a threat actor -- besides Octo Tempest, because now they have a special place in my heart, of course. And maybe this is a very typical answer, but Midnight Blizzard is always very fascinating, and I think it's just because of how just under the radar it can be. I feel like I'm always learning something new when I'm looking into Midnight Blizzard. Some new form of attack, some new piece of the Cloud, things like that, and I just think they give such a great learning opportunity. Like, once again, I know what they're doing. Not great. But when I'm able to learn and grow from researching them makes them one of my favorites.

Sherrod DeGrippo: I love that. And I think people in threat intelligence tend to kind of have that same attitude, I think, that both of you do, and that I do, as well, which is you're watching these groups or -- these small groups of people, sometimes, executing their craft. And so there kind of becomes this -- you know, it's like an artist watching another artist paint, in a way. It's, like, wow, that's -- or an art lover, I guess you could say. It's, like, wow, those techniques are something that I would not have thought of. I'm trying to figure out what you're going to do next. I had not guessed that. And I think that there is a tendency in threat intelligence for analysts and researchers to have that attitude of, like, whoa, that's impressive. Whether or not it ends, you know, in disaster, the fact of the matter remains, wow, that's clever.

Holly Burmaster: I agree completely.

Sherrod DeGrippo: Okay. So let's talk a little bit about incident response, which is your world. What do you guys think are the incidents that are the most challenging? Like, is there any aspect that you kind of think, oh, no. Ugh, I hate these. Or, oh, these are so hard. Anything specific that's, like, really challenging when you do an incident?

Stella Aghakian: I think for me, personally, it's the ones where we have an active threat actor in the environment that's also destructive. So many times, you'll hear of people on DART where it's, like, I have never been on an engagement where the customer has been ransomed under my watch, and this is not about to be the first time. So then it's rough because it's super long hours, right? But it's worth it in the end, always, because you see that you're, like, actively helping these people out on what could very well be the worst day of their professional life. But I think, like, the technical aspect of maybe it's difficult to harden this environment or we have a destructive threat actor aside, the other aspect that a lot of people don't talk about is that you're also kind of trying to manage people's emotions on the side because they are going through this incident and it can be really difficult. Because I've had, for example, people where it's, like, their Active Directory admin who's refusing to make any of the changes we suggest because they feel like it's kind of going to prove that they were handling things incorrectly beforehand and it's their fault that the incident occurred. The CIO calling me up on the side, after I became a lead, asking, like, who should I fire? Especially with active threat actors. And then having that on the side of how you manage their emotions to make sure that they're dealing with this effectively.

Sherrod DeGrippo: Yeah, I think the people aspect of things usually does end up being the most difficult to manage, right? Computers are relatively straightforward and simple.

Stella Aghakian: Yeah.

Sherrod DeGrippo: Holly, how about you? Anything specific in incidents that you find really challenging when you show up?

Holly Burmaster: I would say the one or two things that become the most difficult for me is when we have a threat actor that is very dedicated to making sure we can't follow them. So there are some that will go about and they won't delete anything. They'll just get in quickly and get out, and it's very easy to follow from Point A to Point B. But other ones can get very particular about renaming their things, making sure they delete things. Delete the fact that they deleted the things. And it makes it very hard to follow that trail along with them. It's fascinating, but it can be fairly difficult. But on the topic of losing trails, I would say the other part is sometimes, for me, when they transition from on-prem to the Cloud or back and forth. It's like suddenly the trail just stops and I have to figure out how to pick it back up on the other end. And that can create its own little interesting bridge to try and get over. So those are usually some of the more difficult ones, but they also end up being some of the more fascinating ones.

Sherrod DeGrippo: I hadn't thought about that. So you're, like, kind of doing active forensics while you're in the incident, as well?

Holly Burmaster: Yes, essentially. And if you can't perform those active forensics, it can make it hard to figure out what your next breadcrumb is.

Sherrod DeGrippo: Wow. Okay, that's really interesting. So I've taken a lot of forensics classes and I've taken a lot of incident response classes in the early part of my career, and I found it was too stressful for me. But a lot of that training is very much forensics not under the gun. It's very much, like, here's your dd'd image, do with it what you like. And that might show how old I am that we really didn't do anything in the Cloud 20 years ago. So let's kind of talk about how your workflow goes. Like, when are you pulled into something? How many other people are you working with? Kind of give us an idea of, like, what's your day like. Holly, I'll start with you on that.

Holly Burmaster: Yeah, that sounds great. What's so wonderful about being in incident response is you can never predict when the work is going to come at you. You could be in the middle of something completely different and you'll simply get, like, a Teams message on the side that's, like, "Hey, are you ready?" And you've got to be ready. So you pick that up, you dive in. The team that you normally have with you is -- you'll have one lead who, of course, does a lot of the communicating, making sure you're getting the resources you need, is talking with the customer, calming them down, getting them where they need to be. You'll have a hunter or two, depending on how big the problem or the environment is. Typically, we try not to have people go purely solo, so that way we can have more ground to cover and we can double-check anything that might be missed in certain areas of expertise. And then we will have the infrastructure individuals, and they will go in and they will deploy our tools so that we can pull back the information that we're going to hunt through. They may perform remediation and containment. That way, we can get the customer in a comfortable spot where they can bring up their environment again and resume regular business activities. And that's normally how an engagement will start. And they sometimes last anywhere between one to three weeks, on average, or so.

Sherrod DeGrippo: Oh, wow, one to three weeks? Stella, anything in there that you want to add about kind of how the day goes?

Stella Aghakian: I would absolutely agree with Holly. I have no idea how my day is going to go at any point on this team, ever, but she's totally right. You have the lead, one hunter, one infra within infrastructure. We have our recovery-focused people who go in and do, like, the heavy recovery. And so different ways that we get engaged, also, which is why it's so difficult because sometimes, you know, like, the customers go file a ticket with CIRT and then it gets escalated to DART from there. But we also have escalations that just come straight from Microsoft's senior leadership to DART and then we get engaged. So it's very different and it's very difficult for us who are not incident managers to know when an incident is coming, but we're always ready to get that message that says, "Are you ready to party?" And we've got to get ready to go.

Sherrod DeGrippo: So it sounds like you two are always ready to party. And let me ask you this, like, psychologically, what do you think has caused you to be comfortable with that level of uncertainty?

Stella Aghakian: I think it's the level of uncertainty that I like. I think I would be so bored if it was just the same 9 to 5 every single day. But I never know what's coming and it's really -- it's really interesting for me, so I like that aspect. But I'm comfortable with that fact because of the people that we have on DART. Even if I do get an engagement thrown my way that I'm maybe not as familiar with -- I got an Azure IoT one a few weeks ago. I don't know anything about IoT -- I know I have a team of a hundred people on DART who would be there to support me. And then our Mystic partners, if I ever needed their help, to poke them and be, like, have you ever seen a threat actor doing this thing that I'm seeing on my engagement? So just the support.

Sherrod DeGrippo: Holly, do you have a particular personality that is nurtured by this kind of chaos?

Holly Burmaster: I would say yes. And I kind of have to agree with Stella, the way she had explained it. The uncertainty can make the job a lot more fun. If we roll into having too much predictability every day, I do feel like I'd get bored a lot faster. And it's kind of great because even the work that we do outside of engagements usually is very entertaining. You feel like you're putting in a lot of good impact by doing those things. But those things usually have the ability to be paused, reasonably, before you dive into an engagement. And the team is very sensitive and careful about making sure that your well-being is taken care of. So if you're working those really long days, those 12 to 16 hours, you know, you'll get the chance to make sure you're eating, taking care of yourself. If you need days off after a really long or stressful engagement, you will get those. And so always knowing that there is a push and pull and a balance to make sure that we're healthy, even in such an unpredictable environment, makes it much easier to digest and continue to be excited about.

Sherrod DeGrippo: I love that. I'm so glad to hear that. I'm in a different org than you guys. So I work more with Microsoft Threat Intelligence side, which we kind of see, like, Mystic and DART as little besties that hang out together all the time. Because we've had, actually, quite a few other DART people on the podcast, and I just sort of go with it, like, they're all the same big team. Which we are, we're all the same big team. But one of the questions that came in from social media was something Stella mentioned, which is the partners in Mystic. So, Stella, can you kind of give us an idea of, like, how does that -- sharing work? What is the relationship? Kind of where does, like, Mystic fit in with DART?

Stella Aghakian: Yes. So the threat intel sharing between our two teams -- there's obviously, like, the normal channels that exist at Microsoft for threat intel sharing. But for DART and Mystic, specifically, we actually have the Mystic analysts -- I think they're still called the Mystic Hunt Team -- who actually sit with us on our engagement and are working, you know, side by side with us, day after day. And through that, we're able to actually enrich each other's hunting with additional information as they find it in real time. Which is why it's so effective for us. I can just message anyone on the hunt team on the side and be, like, I'm seeing this. And they have access to our databases and they can go look at that data, as well, and then give us the additional information from what they're seeing as they're tracking these threat actors. They're also really an invaluable resource for us because DART will never, ever do attribution. But we do have some cases where those Mystic analysts that we're working with will come sit with us on the customer calls and actually do that attribution for us. And tell the customer, like, this is who the threat actor is and these are the TTPs, and what they've often done in other victim organizations. And for me, as a lead on DART, that is invaluable because then I can take that information that Mystic has shared and then kind of use that to convince the customer that they need to take action when it comes to the recovery work. With, you know, ransomware, for example, I've had a customer who Mystic was, like -- it was Octo Tempest, actually. And they were, like, Octo Tempest will encrypt and deploy ransomware. And the only way I got them to take any action was, like, remember last week when our Mystic hunt analyst told you that they will encrypt your environment? That's about to happen. And that's how I can kind of convince them to take action rapidly; whereas, they didn't want to beforehand.

Sherrod DeGrippo: That's really interesting. You know, I guess I realized, but I hadn't really thought about the fact that, you know, Mystic is doing the attribution aspect of the incidents that you're responding to. Which, hopefully, like you said, you can go into the various platforms and databases internally and kind of see the future, right? Like, if you can look at threat intelligence attributed to that particular actor that you know you're doing the incident response for, it almost -- you know, if they follow their same TTPs, it allows you to kind of see what they're going to do next.

Stella Aghakian: Absolutely.

Sherrod DeGrippo: Holly, do you interact with the Mystic teams very much? And where do you see them in your workflow world?

Holly Burmaster: I do, and usually in engagements. But there is a small set of Mystic people I talk to outside of engagements, which I will touch on here in a little bit. I love talking to them. But it's great when Mystic gets pulled into a gig because it's like they can just work magic that I don't 100% understand. So I will hand them a list of things I've seen in an engagement, TTPs, and they'll come back with, like, a likelihood that, oh, it's probably this person. And I can tell based on just this one thing you provided me. And I'm, like, how did you even do that? That's amazing. And so they give me that information. And very much like Stella, it's like Mystic is the ghost of Christmas past, present, and future. Because not only do they let you take a peek at what the threat actor, especially if they're active, might do next to your customer, if you feel like you've hit any walls, if you're stuck between a rock and a hard place when investigating, they can give you the likelihood of it being a certain threat actor. And you can go and you can pull up their history, the TTPs they've used in the past, and use it to try and piece together parts of the puzzle that you couldn't see before because you're not quite sure what you were dealing with. But now that we know, not only can I pick up the future, but I can pick up pieces that I missed in the past.

Sherrod DeGrippo: I love that. And for those listening, I'm going to talk with Holly offline. We're going to get the names of the people that she's got working magic for her and we'll get them on the podcast next.

Holly Burmaster: Yes, please do. Because also, the Mystic people that I like to work with outside of actual engagements have also created this platform called KC7 -- the Kill Chain 7 is what it's short for. And it's for teaching people of all levels, ages, and knowledge how to do cybersecurity. And so just a quick callout for them, too. They are lovely. I love Simeon, Greg, and Emily. If you ever want to talk to them, they might be a great choice to bring on here, too, if you haven't already.

Sherrod DeGrippo: So KC7 is a big part of kind of Microsoft's extracurricular activities. Simeon has been on the podcast. So Peach Sandstorm, you can go check that episode out if any of the listeners want to hear from, you know, an Iranian threat landscape walkthrough of Peach Sandstorm, which is an Iranian-based APT actor. And we have Greg scheduled to record this week or next week. So we will have some of the KC7 founders on the podcast very soon. And if you're not playing KC7 now, I know some people that are obsessed. Obsessed. Cannot stop posting about it on social media. They're not from Microsoft, they're from other places. So definitely go check out KC7 if you want to learn threat intelligence and things like that. It's super cool. And a bunch of them were at CYBERWARCON at the end of last year, too, talking about KC7. I think they might have been a sponsor. Okay. So we have a couple of questions coming in from social media because I reached out and said, hey, what do you want to hear from Microsoft's elite incident response team? Somebody said what's the most valuable dataset for you? Stella, do you have a preferred dataset that you can get at when you're doing an incident?

Stella Aghakian: I will take any and all data that you are willing to give me. I want it all. But if they have a SIEM, the historical context they can actually provide if they're centralizing their data in there with a well-defined retention policy is so, so valuable. There's been so many times where, you know, the key questions that the customer wants us to answer, we can't. The data just does not exist. It has rolled. They're not centralizing it. They're just not logging it. I've seen customers where they're just not logging their 4624 event. Please log your 4624 event.

Sherrod DeGrippo: What is that? What is 4624?

Stella Aghakian: Successful login.

Sherrod DeGrippo: Oh, successful login. Okay. Is that part of Entra ID?

Stella Aghakian: No, it's -- I'm an on-prem Windows [inaudible 00:25:27] forensics, so 4624 Windows security event log is the source of truth for authentication. So if you're not logging that --

Sherrod DeGrippo: How do you know who's logging in?

Stella Aghakian: Exactly.

Sherrod DeGrippo: Okay. So that's our number one tip. And actually, I think Matt Zorich also gave that tip when he was on the podcast. So let me -- let me make sure that the audience and myself hears this correctly. Make sure that your house is in order when it comes to logging, when it comes to populating your SIEM with any and all security events, and one of those things that you absolutely must be logging and keeping correct is your 4624 notifications or logs.

Stella Aghakian: Yes, among many, many other things. But please have that one for sure.

Sherrod DeGrippo: Please have that one. For the unlikely event that you do experience an incident, Stella is going to ask you immediately for those logs. So have them handy. Holly, what is something that makes your life easier and better in terms of datasets when you're called into an incident?

Holly Burmaster: I would say there's two particular things that are my favorites to look at when we get them in for an engagement. And kind of like Stella said, the more the better. If we can get as much information as possible, we can give you a much more thorough storyline. But Stella listed a very particular log that would be good to have. But just in general, having the logs, period, is like the number one thing that helps us solve any kind of engagement or problem. That is the easiest way for me to follow the timeline is following those logs that you have in your environment. So I would say that's probably the number one thing I always check first is the event logs. And that's coming from anywhere. From security, from on-prem, any of those logs would be fantastic. But if I had to pick kind of like a favorite, we do have a dataset that comes in -- usually, they come in separated by the different artifacts that we can pull from them and there is one just for scheduled tasks. And for some reason, it's like the luck of the draw, every time I look at the scheduled tasks for the engagements I'm assigned to, I find something for persistence. And it is just my favorite thing for that reason alone. So those are my two favorites. Give me your scheduled tasks and give me your event logs.

Sherrod DeGrippo: Just quickly for people listening. When you say "persistence" what do you mean by that and why does it matter to you?

Holly Burmaster: So particularly, when persistence comes through with these scheduled tasks, it's a threat actor going into your environment and setting a task that's going to repeat at a certain time interval that they designate. And sometimes that can be to search through your environment, see what information you have. It can be to run a piece of malware or, like, a keylogger. It's a way for them to kind of get a foothold or like a little hook in your environment so they can stay there without you sensing them very easily and continue to pull information from you. So they are persisting by continuing to stay there when they're not welcome.

Sherrod DeGrippo: Okay. Unlike the vampires who have to ask before they come in.

Holly Burmaster: Exactly. Do I wish threat actors were vampires?

Sherrod DeGrippo: So let me ask you guys this, too. Dwell time. So for, you know, kind of the advent of the ransomware era, which probably in earnest, like, to be really considered an era, I would say, started around 2015, 2016. What are you seeing in terms of dwell time? This came in from a social media post that I was, like, what do you want to hear about? But it kind of made me think, like, have you -- have you observed a drop in dwell time? Like, are threat actors going after smash and grab, take what they can? Are they exploring systems, looking for really valuable, juicy data assets to take? What's the dwell time looking like, and what are the threat actors doing during that dwell time?

Stella Aghakian: I think it depends on the threat actor, unfortunately.

Sherrod DeGrippo: Mm-hmm.

Stella Aghakian: So, you know, some of them do go for the smash and grab, where they don't care what they take but they're going to take it anyway. You know, I've seen threat actors where, like, they're in and out within 24 hours. So definitely, smash and grab. Then we have the other stealthier threat actors who do want to persist and explore for those high-value assets. So dwell time is much longer. They'll have been in the environment for months and months without, you know, customers having recognized that the threat actor was in there in the first place. And sometimes, you know, we'll see that they haven't done anything in a month where, like, there's this month gap in our timeline that they just weren't doing anything. They were waiting. They were remaining undiscovered. So as annoying of an answer as it must seem, it genuinely does depend on the threat actor and what their actions and objectives are.

Sherrod DeGrippo: Sure. Holly, what are your thoughts on dwell time and what you've seen, like, lately, or maybe when you started doing this work? Have you seen any changes that are worth kind of calling out?

Holly Burmaster: I think from the engagements that I've been on so far throughout the timeline -- when I first started, I think I saw a lot more smash and grab than what I do now. If it is a smash-and-grab gig, it's -- I've only maybe had one or two in this past, like, near time period. And what's interesting with those is I feel like it's always very easy to know when the threat actor is going for a smash and grab because the pattern that I've seen is that they're a bit more vulgar when they're going through to do smash and grabs. So you can easily what is the threat actor based on simply what it's named, which is very interesting. But I have seen a lot more, at least recently, engagements where the threat actor does take their time. And I think it's because, depending on who their victim is that they're going for, they may feel more comfortable that they're not going to be caught and can spend a little bit more time finding what may be more interesting to them. And it can be something where I see a lot of lateral movement at the very beginning where they're just hopping around to different places, different accounts, to see what information they hold or what kind of permissions they may have. And so that is a little bit more of what I see in that area. And sometimes, they just kind of go straight for the ransom and then kind of use that time while they have the environment down with the ransom to explore then and then pull the files down that they want. And so, yeah, I'm seeing a little bit more of the take your time than the smash and grab. At least, currently, for me.

Sherrod DeGrippo: Got it. And, you know, something I've always kind of wondered, too, is how often we've seen threat actors get access to systems and just kind of wander off and forget. Is that something that's common, or do they tend to close their own loops and backpack out when they get into something?

Stella Aghakian: I think, generally, close their own loops. Every so often I'll see, you know, a threat actor where I'm, like, is this your C team that came in here? Because they get on the, like, organization's box and start Googling, like, how do I get admin privileges? How do I deploy ransomware in a Windows environment? And I'm, like, why are you -- why are you doing this now? And it kind of seems like they give up and move on. They're definitely the more smash-and-grabby threat actors, though, as Holly was saying, where it's more vulgar also. They name things -- so it gets really awkward on our out brief presentations, where I'm, like, do I actually, like, verbally tell you what the name of this scheduled task is? Can you just read it, please? But for the most part, they close their own loops. Every so often they don't and it's odd. Maybe they found something better. Maybe they, you know, just don't know how to do what they were planning on doing. I always want to know. That's been the hardest part for me, kind of just dealing with the fact that I will not always know because I'm not in the same room as these threat actors, and I don't know why they make the choices that they make.

Sherrod DeGrippo: Well, okay, so that's a question that we've talked about before on the podcast. Which is, if you could ask a threat actor anything and they had to answer, what would you want to know?

Stella Aghakian: I think I would want to know why they choose the organizations that they target. Because they -- sometimes, you know, they jump from, like -- even Octo Tempest, like, we've definitely seen, like, the evolution of targeting from the telcos to who they're targeting now. And I'm so curious, like, why?

Sherrod DeGrippo: Mm-hmm. Okay. Holly, do you have a burning question that you would want to ask a threat actor?

Holly Burmaster: I think mine would be very similar to Stella's of why, but more so in the realm of motivation. Why do you do the things you do? Because in some degree, of course, we can answer that and we can say it's political, we can say it's money, but just a little bit deeper down, like, why is this the avenue you took to get your money? Why is this the avenue you took to push the political piece that you're looking for? What made you decide that going through cybersecurity and hacking was what was going to bring you the results you were looking for? Why not use the skills you have to do something else? What brought you to this is the conclusion that I've decided? I would be very curious to just know in someone's head what makes them choose the route that they've gone down. And very similar to asking anybody else, like, why would you get into cybersecurity to help people? Just on both sides, what made you choose the route you chose?

Sherrod DeGrippo: Well, that's a great question for Stella.

Holly Burmaster: Yeah, Stella.

Stella Aghakian: I always tell everyone that I ended up here because I hated the Econ class I took at USC. And it is the absolute and utter truth. I was an international relations major. They made me take global Econ. I hated it, so I dropped the class. And I was very bored. My sister was, like, go take an ITP class in USC's Information Technology Program because she's, like, it's two units. It'll be easy. She had taken, like, a web design class or something. So I chose the one that had "hackers" in the name because I was, like, this is so cool. And I loved it, and I ended up sticking with it. And one of our professors made a new major at USC that combined international relations and cybersecurity, so I switched over, and I decided to go down the forensics route because I just loved forensics so much. Kind of like putting together a puzzle, and I loved how you had to connect the pieces and figure out what happened. I also learned forensics with images shared, so you're not old.

Sherrod DeGrippo: I don't know what's going on out there with these things.

Stella Aghakian: No, no, I did image forensics. That's how I learned forensics. There was no cloud forensics that I've seen. Hopefully. It'd be a lovely course. But I also learned forensics that way and I just ended up loving it so much. But genuinely, I ended up here on accident because I hated Econ.

Sherrod DeGrippo: I love turning your hatred into your passion and profession.

Stella Aghakian: Yeah. I'm so glad it happened.

Sherrod DeGrippo: Holly, how about you? If a threat actor were to ask you how you ended up on this path, how would you answer them?

Holly Burmaster: I would say my journey actually started with my mom at the very beginning. She had introduced me to computers and the internet and everything when I was very young, and I was very quickly fascinated and hooked onto it. And I asked her tons of questions about what she did at work. Why she was motivated to do what she did. And I always felt so proud of myself when I was little and tiny that I could answer what certain things were on computers, and I felt, like, that I was just doing such an amazing job. But it was fun to continue to learn those things and continue to grow. And so by the time I had gotten into high school, with already having this interest in computers, I had taken this career and life planning class. And at the time, I didn't even know what cybersecurity was. All I knew was that I loved computers and I wanted to help people. Those were the two things that I had decided on. And originally, I thought I was going to go into law school and thought that I would do, like, internet-based law and privacy law. And when I had an interview with a lawyer, what they told me at the very end of the recording was don't go into law, you'll hate your job. And I was, like, oh. Well, you know, I'll just look into other things and see where the interest is. I'm sure law is lovely. I'm sure tons of people love law. But that made me look into just different things out of purely interest. And it came from this quiz that I took during the class where it listed the types of careers that would be best for you, and the number one thing that popped up was cybersecurity. And I actually still had no idea what it was at the time. And so it explained that it was still law-related, you were still going to help people, and it was all computer-centered. And I was, like, this is amazing. This is something I would love. This is going to have the impact that I'm looking for. This is something I want to study. And so I looked up how do I get into this field? What do I need to do? And getting a degree in cybersecurity was still something that was so new at the time that I was lucky that just one of the colleges around me actually offered the program and had a really high ranking for the program that they taught very well. So I decided to go to the University of Central Missouri, get my degree in cybersecurity. Cyber operations, specifically, because that's more forensics than the other one, which I think is more coding. And that is how I decided to get on the path that I am today.

Sherrod DeGrippo: I love that you both have these very strange stories of hatred being the kind of villain origin story, but you turned it into this, like, you hated it so much that you planted that seed and grew a flower. That's adorable.

Holly Burmaster: That's what you've got to do with life, right?

Sherrod DeGrippo: I love that it started out, like, well, I really hated this one thing and so I had to go another direction. Well, so I think that's kind of all the time that we have. Anything else that we should know about, kind of, Microsoft's capability around forensics? Stella, I'll just leave it with you. Anything that we should know about incident response, forensics, or anything like that coming out of Microsoft, in your experience?

Stella Aghakian: I wouldn't say coming out of Microsoft, specifically. I will plug because you have Holly and I on here, we need more women in incident response and forensics. And DART is hiring, so please come join us.

Sherrod DeGrippo: Okay. I will send the call out. If you are a woman who has come upon some part of professional life that you hate, you just really find it horrible, well, incident response at Microsoft might be the path.

Stella Aghakian: And it's never, ever too late to get into cybersecurity, either, so --

Sherrod DeGrippo: It's never too late. It's never too late. Just find that thing that motivates you to get in there. Good or bad. Holly, what about you? Anything you want to leave us with?

Holly Burmaster: I would just say that I am so grateful to be a part of Microsoft's Detection and Response Team because the type of people we have here that are willing to teach and show you new things and bring you such a wonderful environment to learn in creates an environment, also, for our customers where they feel welcome and safe and secure in our hands. We try and do our best to get them back up on their feet. And I can just say that I'm proud of the just extremely wide range of expertise that our team and the other teams that we're connected to have. And so if you have a choice in incident response, you'll be happy with Microsoft.

Sherrod DeGrippo: I love it. I feel that way, too. I think that talking with people like you and Stella, learning from the Microsoft Threat Intelligence Team, everyone just blows my mind every day. And there are certain people -- I think you guys kind of hinted at it. There are certain people within the org when your Teams pops up and it's them you go, oh, this is going to be good. Uh-oh. I think that we're just kind of constantly perpetuating that culture and energy of really interesting things happen. Really cool things happen here day in, day out, and you never know what they're going to be. All right. Stella. Holly. Thanks for joining me. And hopefully, we'll have you back again a little bit later to learn about whatever new, wild, chaotic threat actors are out there. Thank you so much.

Holly Burmaster: Thank you.

Stella Aghakian: Thank you.

Sherrod DeGrippo: Thanks for listening to the "Microsoft Threat Intelligence Podcast." We'd love to hear from you. Email us with your ideas at Every episode will decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out, for more, and subscribe on your favorite podcast app.