Andrew Morris and Lauren Proehl on Infosec
Sherrod DeGrippo: Welcome to the Microsoft Threat Intelligence Podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week dive deep with us into the underground. Come hear from Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird. But don't worry, I'm your guide to the back alleys of the threat landscape. Welcome to the Microsoft Threat Intelligence Podcast. I'm already horrified. I am terrified of this episode because it is our first time having external guests. And I will tell you, these are some wild trigger warning content problem people, but here they are; I've got Andrew Morris, the no longer CEO of GreyNoise. What is your title now?
Andrew Morris: Yes, that's right. I'm the Chief Architect, baby. Hey, Sherrod.
Sherrod DeGrippo: Hey. Andrew Morris is now the Chief Architect at GreyNoise, which means that you tweet all day, I guess.
Andrew Morris: Yes, pretty much.
Sherrod DeGrippo: Okay.
Andrew Morris: But I mean what else is new?
Sherrod DeGrippo: I mean, yes, so you've just parlayed that into more of a fulltime job. I am also here with Lauren Proehl, Director of Global Cyber Defense at Marsh McLennan. Lauren is a serious person, while Andrew and I are sort of clownish. Lauren, thank you for agreeing to do this.
Lauren Proehl: Of course. Allegedly I'm serious. [Laughs]
Sherrod DeGrippo: I mean, I've seen you be pretty serious, and I feel like you're kind of that up and coming serious security generation that we have waiting in the wings to save some of the people that have been around and are a little tired, so I love your energy and --
Lauren Proehl: Oh, thank you.
Sherrod DeGrippo: Adaptation to the craft. So let's get into it. Okay, this is the first time having like real external guests on this podcast, which is exciting and very dangerous. Let's talk ransomware.
Andrew Morris: Let's do it.
Sherrod DeGrippo: What do you think is going to happen over the next year, or two years, or three years on the ransomware front, extortion, data dumps, and then I have a hotter take after that. What do you think is going to happen? Andrew, I'll start with you.
Andrew Morris: More of the same. I think there's going to be more ransomware where the payments don't matter. Like it's not real, it's not even -- it was never to make money. I think we're going to start to see -- I think it's possible that you're going to start to see like, you know, physical devices not working. I think the more likely thing is just like a business critical system somewhere goes bad, which then causes a bunch of like physical infrastructure things to not work. I feel like a lot of the -- like a lot of ransomware actors aren't really sophisticated enough to like achieve stuff like that. It usually like tends to run away from people. You might see some like reversed ransomware type deal where it's kind of like, "Hey, unless you pay us, we're going to release all your data to everyone." I think those are going to be a bit more en vogue. And then, yes, I think those are my big ones. And then I think more ransomware in embedded systems, but yes that's just because I think well any bad thing that can happen to an embedded system is just going to happen faster in the future is sort of my -- is my take.
Sherrod DeGrippo: Lauren, what about you, what's your prediction for ransomware coming up?
Lauren Proehl: I think it's just going to be more terribleness over, and over, and over again; the same stuff that we're seeing now. I do think the code amongst thieves, if that even exists anymore, is broken. So I think we're going to see ransomware on ransomware violence, which is, I mean, kind of fun from my perspective because they're not coming after, right, consumers. But yes, I mean, double extortion, triple extortion. I think a lot of it is just name and shame. We're going to see people posting more and more. You saw -- I think it was LockBit; they started publishing files from like mid-2023 and there's evidence that some ransoms have actually been paid, and they're just like, "Nah, it's out. Here you go. High five."
Sherrod DeGrippo: Oh, so like you're seeing the ransoms get paid but it doesn't even matter because they're still doing the data dumps anyway?
Lauren Proehl: Yes, or portions of data dumps, and then not removing them.
Sherrod DeGrippo: For a long time in the early stages of ransomware when it got at that scale of ransoming entire organizations, the general guidance was hey if you pay -- and that's terrible, but if you pay, they will probably give you your stuff back. And Andrew, do you think that's still true?
Andrew Morris: I don't know. There's the sort of -- like the two things that happens at the same time is one is that like all the bad guys realize like how easy this is to do and how much money that you can make. And like that's self-perpetuating because like your one buddy down the street is driving a Maserati and you're like, "How did you get that Maserati?" "You know, all you do is like these little handful of things." But then the other side of that is the like more big powerful powers that be are starting to get like really mad about ransomware, and like the crimes, and the punishments, and like the consequences are also going up. So like I don't really know. I don't have like a great answer on it, but yes, the stuff's like kind of -- I don't know, that's what kind of jumps to mind for me.
Sherrod DeGrippo: So this is something that I love to talk about with ransomware. And Lauren, I'm going to dump this on you first. Should there be some kind of banning of payments to ransomware actors? Will that fix the problem?
Lauren Proehl: You know, I've been in the industry for ten years, and I think my entire ten years every year somebody's like, "We should ban --
Sherrod DeGrippo: Yes.
Lauren Proehl: Ransomware payments.
Sherrod DeGrippo: Every month.
Lauren Proehl: So this is the solution. And 90% of the time I feel like that's a very technical person making that response coming from a very privileged view of a protected organization or a service provider. And I think banning ransomware payments is nice in theory until you realize that there's still like thousands of SMBs and mom and pop shops that like their only option is to pay. They don't have backups. They don't have anything. So like you've kind of got to trust that if they pay they're going to get their data back or else we're going to see major business disruption. I don't know if it's the right solution. I know that the government's been looking at policy and sanctions and things like that, but then you just see people going to ransomware negotiators to try to pay through a different avenue so it's not as attributable. I don't think banning ransomware payments is going to stop things anytime soon.
Sherrod DeGrippo: Andrew, please solve this.
Andrew Morris: I've got nothing for you. I mean, it's like -- you know, it's like paying for -- it's paying for like an actual ransom, right, where it's like --
Lauren Proehl: Yes.
Andrew Morris: You're kind of killing the next person. But like what are you going to do, you know? So that's like -- I mean that's the context that I tend to look at it. And sometimes -- I'm one of those sort of -- like my security philosophy is that, you know, the -- you should really tend to assume that every bad thing will happen and try to live under those circumstances. So like the conversations about ransomware like should be conversations about backups a lot of the time. Right, like they just should, and like disaster recovery, and like, you know, boring stuff like that, like business continuity. And then there's another part of me that thinks that like ransomware is kind of like a healthy sort of counterbalance to being like too online. Like one of the things that you hear about -- you know, about like developing countries or about like just less technologically connected countries or areas of the world is -- you know, they'll have cyber problems. And it sucks; it's like really bad. But then they're like, "Yes, back to pen and paper with us," like, you know, "This is how we did it five years ago, ten years ago, like no big deal -- 15 years ago; like we're good." And so there's a part of me that's like, "Do you really want to be so online that you can't like do the most basic things without computers; like don't want to be able to like buy groceries maybe at the bare minimum or like gas or something?" I don't know whatever, right? I'm making, you know, silly made-up examples over here. But I guess like my take is if you're so online that a computer like not going to work, like really not working, like really completely like halts I think things like super, duper, duper bad, then maybe you've got to look at the organization in the mirror and you've got to say like, "Man, are we really -- " like, you know, like if it wasn't ransomware, then what if the computer just broke? 
Right, so I don't know, that's the -- I know it's maybe silly and it's like grossly oversimplifying, but I do feel that way.
Sherrod DeGrippo: So you're saying that really all of that boring stuff that we had to study in the various security classes, and trainings, and CISSP manuals of business continuity planning and disaster recovery is actually the solution to ransomware.
Andrew Morris: It's the "A" in the CIA [overlapping] --
Sherrod DeGrippo: [Laughs] It's the "A".
Andrew Morris: A third of this whole deal. It's the "A".
Sherrod DeGrippo: That's the one that everyone doesn't care about, too.
Andrew Morris: Yes.
Sherrod DeGrippo: Any security person they do not care about availability. They don't want to talk about it.
Andrew Morris: No one cares about the "A".
Sherrod DeGrippo: They don't.
Andrew Morris: Everyone forgets about the "A". And it's a third of it, so anyways.
Sherrod DeGrippo: The "A" is the most boring part. I'll give my view on banning ransomware payments, and it's this; and it's my favorite thing to say to people who really advocate it. Yes, so if somebody pays, how do you punish them?
Andrew Morris: Yes, like -- [Laughter]
Sherrod DeGrippo: They just paid X million dollars; you're going to fine them another million?
Lauren Proehl: Yes.
Andrew Morris: How are you going to ban someone from giving money to a criminal? [Laughter] Good-bye.
Sherrod DeGrippo: I mean, other crime laws, more crimes.
Andrew Morris: Yes.
Sherrod DeGrippo: But I just -- it just doesn't --
Andrew Morris: More laws.
Sherrod DeGrippo: Seem -- more laws, more crimes. It just doesn't seem realistic to say, "Holding these large organizations that are falling by paying to these crime groups, you know, 'Hey, you paid, you got back online, and now also it's going to cost you an extra fine percentage on top of that'," it just is not a good look. I would like to see, you know, organizations better protect themselves and then the vendors really step up and handle this problem.
Lauren Proehl: On the inverse -- one second, on the inverse, how do you reward people that don't pay either? Like if a large organization gets posted and then they recover and they don't pay the ransom, like what do you --
Sherrod DeGrippo: The reward is that all your computers are encrypted; [Laughter] you can't use them and you get a day off.
Lauren Proehl: That's it, right? [Laughs]
Sherrod DeGrippo: Like Andrew was saying is you can't buy gas or groceries so you might as well just go home and relax.
Andrew Morris: Yes. Yes, get offline --
Lauren Proehl: Yes.
Andrew Morris: And touch grass, as they say. [Laughter]
Sherrod DeGrippo: The reward is no computers, which is truly a reward -- [ Overlapping ]
Andrew Morris: The reward is fantastic. [Laughter] I'm about to go download some ransomware.
Lauren Proehl: I'm going to ransom myself.
Sherrod DeGrippo: It's the new screen time control is ransomware. [Laughter]
Andrew Morris: Nature is healing.
Lauren Proehl: Yes, I know.
Sherrod DeGrippo: Okay, so where organizations in your opinion -- because both of you have seen like a pretty broad swath of different security programs. Where is the best place to put money and resources? You cannot say disaster recovery and business continuity planning or anything about availability. Lauren, where do you want to see money?
Lauren Proehl: I mean, the basics, right, EDR, MFA, like -- [Laughs] [overlapping].
Sherrod DeGrippo: Storage frozen. [Laughs]
Lauren Proehl: Yes, I mean like everybody wants the hot GenAI tool that's going to detect BEC on the fly and like then they don't have MFA on any of their email accounts. So like what are we solving here? And I always say detection is a must. Like prevention is nice, cool, you've got this like -- again, I'm coming back to GenAI because that's the new hotness AI that's going to analyze all your DDoS packets and automatically stop it when it's over 30 gigs. Cool. But like do you have logs for when packets are dropping in between your network segments? Are you even segmenting your network?
Sherrod DeGrippo: That's availability again --
Lauren Proehl: [Laughs] I forgot, we don't believe in that, and it's just like --
Sherrod DeGrippo: Packets dropping is a part of the availability part. Andrew, what do you -- where do you think organizations need to spend?
Andrew Morris: Couldn't say it any better. I mean, the basics, right, like everybody wants to be the super cool -- all right so every --
Sherrod DeGrippo: I want to be super cool. That's very important to me. [Laughs]
Andrew Morris: I try so hard every day to be super cool. But it's just like everybody wants to be -- everyone wants to be like the defender who is defending against like the most sort of sophisticated actor. And that's the way we all want to view ourselves, as you know, defenders. Like, again, I'm speaking in, you know, generalities. But like we all want to think that like our biggest threats are the biggest, scariest, sexiest, most targeted, most advanced threats. And for 99.999% of people or organizations, that's just literally like unequivocally not true, it's just not even a little bit true. Just the same way that like you're just probably not going to get killed by like Russian gangsters like a regular person; like you're more likely to like -- I don't know, like you -- I can't -- like you --
Sherrod DeGrippo: Have a heart attack.
Andrew Morris: Yes, oh like get heart disease or something, you know, boring, right? And so like -- and I guess the basics like absolutely times a thousand beyond that I would say the ability to -- if somebody calls you on the phone, like if the bureau calls you and they say like, "You're popped. You have to find this file or this thing in your network, or your network is talking to this. Like that's all we know, you're popped, that's it," like you need to be able to do something with that; you know what I mean?
Sherrod DeGrippo: I love that. And I want to comment, too, that this also applies to your vendor, such as Microsoft. And the thing that I have heard when talking to law enforcement, specifically FBI, and DHS, and CISA, all of them, they say, "No one even answers the phone. We can't even get in contact with people. They don't have an easy way to contact them because we want to tell them they're breached, they've got these huge problems. Not only do they not pick up the phone, but the ones who do, they don't believe us." It like doesn't even get to the point where they start doing a hunt or they've got incident responders that can help. They don't -- they're just like, "This isn't the FBI. I don't know, I don't care. I don't know." And it just goes on and on and on. That's the biggest complaint I've heard from law enforcement. Lauren, I know you work a lot with a lot of those agencies and are a big information chair. Do you feel that kind of stuff, too?
Lauren Proehl: Yes. I think it depends on the organization. I think a lot of people need to learn to make friends with the feds, like, "Okay, cool, we've had our fun spotting the fed at DEFCON, but like low key, pick up the phone when we call you." Like go talk to somebody outside of like private sector because they're going to be able to help you when things hit the fan. But yes, I've heard a lot of people don't answer, or honestly they don't have the staff that are equipped to make those connections and do intel sharing or do like collaboration with LEO.
Sherrod DeGrippo: Okay, let's talk about CISOs. Andrew, do you want to be a CISO?
Andrew Morris: Never; like absolutely -- Like not even ever been even tempted to want to be a CISO.
Sherrod DeGrippo: It sounds like my nightmare.
Andrew Morris: I have actually spent remarkably little time talking to CISOs because I spend a lot more time talking to like practitioners and like people who like hands on keyboard do the work. But not to say the CISOs don't do work, but to say, you know, like they're probably not smacking their hands on the keyboard quite as often. No, it feels like a terrible hard job.
Sherrod DeGrippo: It seems so hard. It sounds like it --
Andrew Morris: Sometimes --
Sherrod DeGrippo: Sounds terrible.
Andrew Morris: It really does look like they are hiring you just to fire you when the bad thing happens, that it does seem that way sometimes. And it feels exhausting.
Sherrod DeGrippo: Right. I want to relax. I don't have that kind of energy.
Andrew Morris: I am a vendor, so like I am always beating down people's doors to peddle my wares. I cannot imagine being on the other side of that like trying to like do work and secure an organization while every single vendor and their grandma is like beating down your door, kicking your door down trying to sell you stuff that you don't need that you didn't ask for, and you're just like, "Please -- " like you know --
Sherrod DeGrippo: "Help me eat a sandwich." [Laughs]
Andrew Morris: Basic -- you know, like basic monitoring like, "Let's get a password policy," you know, stuff like that. So no, hard no.
Sherrod DeGrippo: So Lauren, I asked Andrew that question first because I knew how he was going to answer it, and I also know that you are looking to be a CISO someday. How do you pursue that?
Lauren Proehl: I am. I'm that like person here. [Laughter] [Overlapping] --
Andrew Morris: What's wrong with you, Lauren?
Sherrod DeGrippo: That was on purpose. Yes, tell us what particular personality defects or problematic traits you have that have caused you to want to go in that direction.
Lauren Proehl: [Laughs] I want to make actionable change. I actually have had very good CISO examples in my life. And I've had very bad also. So I've seen what a good CISO looks like and when the org treats them more than like a sacrificial lamb, and they trust them to make tangible change. I've seen CISOs who are really, really good about partnering with the business and getting like security as a culture pushed forward instead of just being like -- you know, the old CISO it's like, "You can't do anything. We're blocking all of the internet from you because that's the only way to keep you guys safe."
Andrew Morris: Users are the worst thing to ever happen.
Lauren Proehl: Exactly. Yes, if I hear one more person who's like, "I want to be a CISO, but if I could just get rid of all the users I'd never have any incidents," I'm going to scream.
Sherrod DeGrippo: Well, they're the number one problem. I mean --
Andrew Morris: Like, "These dang users."
Sherrod DeGrippo: Who needs them?
Lauren Proehl: [Makes sound] Yes. [Laughs] I don't know, I -- like I used to not want to be a CISO, ironically, and now I do. But it's because I've had good examples and because I want to like benefit an organization in a positive way; because I'm technical so I want to be able to explain it to people. [Laughs]
Sherrod DeGrippo: You both are very technical. And we're going to talk about that in a second. But I think you both sort of hit on it, there's like this huge spectrum of different types of CISOs at different types of organizations, and some of them can be super successful, some of them are just in so much pain and it's torture, and horrible, and they're getting their doors beaten down by people like Andrew Morris, which would be awful. And it's like there's so much that comes with it to me that just seems exhausting and scary. And like there's just a lot of those things out there that makes it seem really hard, and I am not hopeful and -- no I am very hopeful and optimistic. But I think it's just a really tough role. And so that being the case, I'm very clear. I've said on all the silly little social medias that I think CISOs should be quite technical. And Lauren, I'll start with you, like what are your thoughts there, and kind of why?
Lauren Proehl: Yes, so I have the saying that every person in defensive security should be an analyst first. And it's like a super cheesy take on, "Every Marine is a rifleman first." I know it's like kind of gross, but like I think everyone should have the basic skills of a junior security analyst. Like that is not uncommon; you should know what a TCP handshake is, you should know enough to be dangerous, because you need to be able to pass the sniff test on things. When these vendors come beating down your doors, like you should be able to say like, "Yes, that's in the realm of possibility," or, "No, this is a pipedream I'm being sold by a VC," right? So I don't think CISOs need to be like GREM certified, and be reverse engineering on their weekends, and coding Python programs. But they need to have some level of technical acumen to be able to understand what their teams are telling them, and what they are pushing forward from a strategy perspective.
Sherrod DeGrippo: Andrew, what do you think?
Andrew Morris: I think that's exactly right. How are you supposed to secure networks of computers if you don't know how computers or networks work? Yes, so I think --
Sherrod DeGrippo: Now then the yelling starts. [Laughter]
Andrew Morris: I'm sorry, I -- and then you know, before we came on the show they literally just said -- they used the whole spiel about how like, "You're okay with your audio levels." Sorry about that. No, but seriously, like if you're going to like secure computers and networks, you've got to know how computers and networks work. And I feel like there is a kind of CISO -- like there's a brand of CISO. Maybe you've met him before. It's the business CISO, okay?
Sherrod DeGrippo: Of course.
Andrew Morris: Like the --
Sherrod DeGrippo: You've got to talk to the business --
Andrew Morris: The super --
Sherrod DeGrippo: The board of directors.
Andrew Morris: Business -- the super business CISO who like literally has no idea what is going on in the network, what is going on in the environment, like what the risks of the organization are; like no clue, no idea, but they are like -- super, duper understand like the business, you know, how to put everything into, you know, dollar terms and like things like that in ways that make the executive team feel really good about a lot of different things. And maybe they're a great communicator and maybe they're, you know, whatever, that's fantastic, but they don't know anything about how computers work. And that's a big problem when the role of the CISO is to control in lots of ways, you know, the amount of risk that the organization is having -- is accepting for information that flows into and out of the organization. And all that happens on computers. It doesn't happen on like -- I mean, sure it can happen on [inaudible 00:22:16], but still. So you're just going to really struggle, I think, to actually be good at the job. As Lauren said, thousand percent, if you don't know what you're talking about, if you aren't technical to at least a degree, then you're not going to have any ability to tell when people are just lying to your face. And sometimes it's not even people are lying to your face, it's when people think that something, you know, well-intentioned, they think something is a big deal, or they think that something's broken, or they think that something's totally all right. And sometimes you've just got to -- you don't have to do it every day, but you've got to just kick the tires on something or really make sure that it like works or that it, you know, whatever. And it would just be very unfortunate if -- you know, if you aren't able to do that. Yes, CISOs should absolutely be technical, a hundred percent.
Sherrod DeGrippo: So Andrew, let me ask you this. As a vendor, as am I a vendor, I've been a vendor for 18 years in the information security face -- space, and in your security face, both, who do you prefer to sell to as a customer, a highly-technical CISO or someone who's not?
Andrew Morris: Oh, like empirically a highly technical CISO, because I mean, honestly, like I am a giant nerd and so I default to telling people how stuff works instead of like what it does and why. And so I get along really well with other technical nerds. So that's -- it makes sense. We have a technical product that solves like a relatively like niche technical series of edge cases, and like the patterns of which you don't really -- it's tough to appreciate unless you're relatively technical or ideally super technical so you could actually understand how hard it is to do and all of the different sort of moving pieces. I find as a vendor, as long as the leadership trusts their people, you know, they trust the directors and the managers and stuff like that to -- who -- and it's like the users who are using stuff when they give clear guidance of whether something is good or bad, as long as the leaders trust them, I don't really care if they're technical or not. But if I had a choice, I would always choose to sell to a super technical CISO. In fact, I'm pretty sure like 90% of the CISOs we have sold to are highly technical CISOs; so yes.
Sherrod DeGrippo: That's surprising to me because I assume you would want to peddle your snake oil to the least suspecting -- [laughter] just kidding. [Laughter] Okay --
Andrew Morris: I'd be at a beach right now, Sherrod.
Sherrod DeGrippo: I know, right? Maybe you need to aim a little lower on that technical bar. So and I say that because I kind of want to hit the point home that when somebody argues that a CISO doesn't need to be technical, I kind of want to say that's the dream of a sort of FUD snake oil salesperson is someone who can't understand what they're being sold, or someone who gets dazzled by the wrong thing while the underlying foundational technology is not actually as good as it's being claimed. Those CISOs, you know, they need to be able to do that and understand that, especially when they potentially have a group of technical people who have been wined and dined by a sales team and an account manager, and they really like them, and they're cool, and, "Oh, yes, but the product isn't that great. But CISO doesn't know, so it's fine." Lauren, any other comments on that?
Lauren Proehl: On technical CISO versus not?
Sherrod DeGrippo: Yes.
Lauren Proehl: No. I think we're going to see an emergence of more technical CISOs as the cybersecurity industry matures, which is dope. I always find it interesting when people are like, "Oh, you don't really need to be technical to be a CISO," because they would never make me a general counsel of a company without like a JD and experience.
Sherrod DeGrippo: I would.
Lauren Proehl: Well, thank you.
Sherrod DeGrippo: I trust you.
Lauren Proehl: You believe in me.
Sherrod DeGrippo: I do.
Lauren Proehl: Thank you. [Laughs] You heard it here first. Companies that have general counsel openings, please call me.
Sherrod DeGrippo: But that's also why I'm not a CEO, right, is because I'm not -- I'm picking people off of like who my friends are; like, "You'd be -- Lauren, you'd make a great general counsel. [Laughter]
Lauren Proehl: Yes.
Sherrod DeGrippo: I believe in you and you can do this, and, you know, we've got six months of runway, so let's make it work."
Lauren Proehl: [Laughs] What's the law matter, anyway, you know, just --
Andrew Morris: Lauren, I've had this exact conversation with a lot of people outside of the industry quite a few times where they're like, "Oh, cyber -- " like I'll say, "Oh, I work in cybersecurity," blah, blah, blah, and they're like, "Oh, that's so cool," you know, "How did you get into this," blah, blah, blah. And I always tell people the same thing, I'm like, "You know, honestly, it's like really lucky because, you know, there's all these other crafts and like fields that have been around for hundreds or maybe even thousands of years, like medicine, and like law, and like civil engineering." There's just a right way that we've just sort of agreed to many times. Cybersecurity is just the wild west, man, the thing's only been around for like 20 years, maybe. So you've got CISOs and stuff, who like when they were in college age, like the internet didn't exist.
Sherrod DeGrippo: Yes.
Andrew Morris: And like -- I mean, so, you know, you're like, "Oh, hey, how do you -- " you know, "How do you feel about securing the email inbox," and blah, blah, blah. And they're like, "I'm going to be straight with you, I didn't get a computer until I was 45 years old. I don't know anything about how any of this stuff works," like blah, blah, blah. And I'm not trying to be ageist about this. You can be a fantastic -- like especially like programmers, networking people, et cetera that have been doing it forever, but like, "You've never used a computer and you're probably not going to be a very good CISO."
Sherrod DeGrippo: Yes. And I think that that -- I want to go back to that point, too. When I started college -- only 22% of Americans had internet in their home when I started college -- the year I started college. And so people look at me and they're like, "Didn't you go to school for cybersecurity or computer?" No, those programs barely existed and they certainly didn't exist where I grew up, so no, I didn't have that option. And what that does to that generation of people is that we had to just guess and learn it on IRC in between the net splits, and the cursing, and the inappropriate ASCII art. [Laughter] We had to figure out how to do home networking that was quickly made illegal basically by the cable companies, and we had to figure all this stuff out with a book. I learned most of what I know about the internet from a book because I didn't have internet at my house. [Laughter] That's all I know. Okay. So --
Andrew Morris: On that note, the last thing, I was just thinking about this on the technical CISO thing, the inverse of this is also true. You know, like love nerds, love them; love, love nerds.
Sherrod DeGrippo: Yes.
Andrew Morris: But the nerds --
Sherrod DeGrippo: Yes, I'm here for this.
Andrew Morris: You've got to learn how to like make this stuff make sense to other people. You have to. No one else cares. No one else knows how it works. They are paying you to not know how it works and to not care, so you have to be able to explain stuff in terms that are going to make sense. So no matter how technical the CISO is -- and I hope they are very technical, they also have to be able to make things make sense to people.
Sherrod DeGrippo: I think that's true. And I think that we also ask a lot of that role. You know, I -- part of the reason that I say that it sounds like a nightmare to me is because of the insane demands of you need to be highly technical. You need to be technical in security. You need to be able to speak and talk to the business, and you need to be a great leader that people want to work for in really unpleasant situations, right? If you look across the C-Suite, the CISO is the one that's dealing with nightmare emergencies. The CISO is the one that's dealing with a team of people that they need to follow them morning and night during a breach, confusing questions about an incident, possibly targeting from APT actors that are really frustrating, and scary, and hard to deal with, and they need to be a great leader at the same time. And that's part of, I think -- it's almost this impossible bargain to get a CISO that's doing all of that and a well-adjusted, happy work/life balance person. Like it's not a real thing.
Andrew Morris: Pick one.
Sherrod DeGrippo: Lauren, you ready?
Lauren Proehl: It sounds so fun. Well, it's -- so the other thing is like I feel like there's a time span on CISO roles, right? Like you can do it for like four or five years. And then my plan is to go on a goat farm and never touch a computer again for the rest of my life.
Sherrod DeGrippo: Oh, will you make the cheese, the chevre?
Lauren Proehl: Yes, 100%.
Sherrod DeGrippo: Yes.
Lauren Proehl: And hopefully it's by the time I'm like 43, because I'm sure I'll look like I'm 60 at that point from all the stress.
Andrew Morris: From being a CISO.
Lauren Proehl: From being a CISO, exactly.
Sherrod DeGrippo: [Overlapping] CISO stress, it's aging you. [Laughter] That's another reason I don't want anything to do with that. I don't need the extra wrinkles and lines. Okay, let's talk about the threat landscape really quickly. We just released a report about threat actors leveraging tax time, and social engineering around those sorts of things. We continue to see that sort of stuff. I think the days of initial access brokers and downloaders are still here and here to stay probably. Edge devices are horrifyingly unprotected. If you are listening to this, go home and reboot and update all of your edge devices. Andrew, I'll start with you, what kinds of stuff are you seeing out there that's kind of hitting on the landscape lately?
Andrew Morris: Embedded systems; I mean, embedded systems, anything that's going to face the internets or remote access software, you know, like your remote access gateways, your secure gateways, you know, stuff like that. Anything that runs on a MIPS board, like, you know, at all, a lot of command injection vulnerabilities, and again, in embedded systems and stuff like that. And yes, those are the -- I mean, obviously, you know, you ask a dude who runs a bazillion honeypots what I'm seeing, "Well, it's people attacking, you know, stuff on the edge. Who would have thought?" But no, it's -- in large part, it's embedded systems; it's network gear. Obviously, now like more people, more bad actors are getting clever about doing stuff in the backbone and like with, you know, further upstream switches, and routers, and things like that, which is -- you know, that sucks. So those are some of the things that I'm seeing. Yes. And then, you know, the whole universe of like people attacking the user and stuff like that is stuff that I don't -- I just don't really see as much. I have a big bias to it. But basically, everything that Dan Geer said in the Black Hat talk, "Cybersecurity as Realpolitik," like maybe ten years ago is like literally all just coming through now.
Sherrod DeGrippo: Lauren, how about you, what's your landscape looking like?
Lauren Proehl: Yes. I mean, I can't talk to my organization's landscape, but I can tell you like from a research perspective what I see. Everything old is new again. Like we're just recycling the same attacks, just with a different CVE number, and like sometimes even the same vendor. [Laughs] But lots of targeting of VPNs, firewalls, edge devices, that's the hotness; and then users. Smishing is not dead. In fact, I feel like it's getting worse because I get a new USPS phish every day on my phone, which is super annoying [overlapping] --
Andrew Morris: Lauren, it's me, your CEO, I need you to buy ten 50 dollar Amazon gift cards and send them to me right now.
Lauren Proehl: I'm on it.
Sherrod DeGrippo: Take pictures of them and send them to me. Speaking of that, Andrew, do you ever engage with those?
Andrew Morris: I used to --
Sherrod DeGrippo: You don't [overlapping] anymore?
Andrew Morris: And it made it a hundred times worse. So then I started getting like 15 a day and -- but I did very, very briefly. You can use AppleScript -- you know, that scripting language that everyone forgot that Macs have, you can use AppleScript to automate iMessage and like stuff like that. So I did like write a little bot that would just -- it would just take them down the rabbit hole. I would deceive, I would lie to learn more about my adversary --
Sherrod DeGrippo: I love that.
Andrew Morris: And trick them into revealing their TTPs to me.
Sherrod DeGrippo: That's reverse social engineering; trick them. Lauren, you ever talk to them?
Lauren Proehl: I do. And like Andrew said, it makes it worse. [Laughter] I have like thousands of Chinese women messaging me every day about wanting to take me on a date or whatever. And I'm like, "Okay, at some point I have to stop replying because they know that I'm going to try to sniff out all their TTPs and they get mad."
Andrew Morris: Lauren, are you telling me that you don't ever when you're texting someone for the first time include a model photo of yourself?
Lauren Proehl: Yes. That's what I do --
Sherrod DeGrippo: "Hey, this is me."
Lauren Proehl: I send a headshot every time; yes.
Andrew Morris: Hey, yes, "Hey, it's me, your boy Andrew."
Lauren Proehl: Yes, hello? [Laughter]
Sherrod DeGrippo: Yes. Yes. I think we should all start actually doing that.
Lauren Proehl: I think we should; so like --
Sherrod DeGrippo: We should all just start all text conversations with an overly photoshopped, incredibly unreal looking picture of ourselves. Maybe we can get AI to generate them to be like, "Hey, it's me," and then just use a made-up name. It's -- and it's always a really, really generic -- they're always named "Michelle", basically, and it's like --
Lauren Proehl: "It's Brittany." "Oh, okay." [Laughs]
Sherrod DeGrippo: Yes, yes, like --
Lauren Proehl: I'm sure.
Sherrod DeGrippo: There are tons of them. Okay, so I saw both of you at CYBERWARCON, which was delightful, as always, back in November. What kinds of events do you like to go to, what are you looking forward to; Lauren?
Lauren Proehl: Blue Team Con in Chicago is super, super great; heavily defender-focused. I'm in Kansas City, so BSidesKC, and SecKC is the like monthly meetup out here; and then, hopefully, SouthCon, but DEFCON for friends and meetup. And I don't do RSA because I'm sick of all the vendor emails, especially from GreyNoise.
Sherrod DeGrippo: They will continue.
Andrew Morris: Yes, it's pretty bad; yes.
Sherrod DeGrippo: I will not. I will --
Andrew Morris: I'm about to go set you on the triple list.
Lauren Proehl: Oh, no.
Andrew Morris: No. [Laughs] Yes. No. ShmooCon for your boy. And it's my favorite conference. This year is going to be the last year or whatever next year. They just had the second to last, which is -- I'm heartbroken about. It's the first security conference I ever went to when I got in this space in like 2010 or '11, I think. And the BSides, anywhere. Charm in DC or Baltimore is a great time. Yes, exactly like Lauren said, DEFCON, Black Hat just to see everyone and go to Zero Talks, or fun fact, if you don't know, if you're at DEFCON, you can stream the talks from your hotel room. They are on the CCTV. That is one of my favorite things to do. Those are some of the places.
Sherrod DeGrippo: So hopefully everyone listening can show up to those and harass Andrew and say hello to Lauren. [Laughter] I just want to mention Microsoft's BlueHat is real. It's going to be May 20th through 21st in Tel Aviv. I will be there --
Andrew Morris: I went a few years ago, and it was honestly one of the sickest conferences I've ever been to. It was so much fun.
Sherrod DeGrippo: I've seen the videos, and it looks off the hook. It looks beyond like anything I've ever seen at a conference; because I've obviously been to BlueHat in Redmond quite a few times, and this is a completely different ballgame.
Andrew Morris: Yes.
Sherrod DeGrippo: Tel Aviv is not playing around. They are very serious about this business.
Andrew Morris: No.
Sherrod DeGrippo: It is intense.
Andrew Morris: I took a slide; like I slid into the conference on like a slide.
Sherrod DeGrippo: Yes, it's like big energy. So --
Andrew Morris: Checkmate, RSA. [Laughter]
Sherrod DeGrippo: Yes; no, it's checkmate.
Lauren Proehl: No slides, not going.
Sherrod DeGrippo: I will be at the RSA Conference. I will be at Blue Hat Israel. And let me tell you, if you have not made plans to be at SLEUTHCON, the Cybercrime Congress, May 24th in Arlington, Virginia, you're missing out. Book it now. Get it on your calendar. I have absolute bonkers insanity planned for SLEUTHCON. Get ready.
Andrew Morris: I'm going to be there.
Sherrod DeGrippo: You're going to be there?
Andrew Morris: You're going to talk about crime?
Sherrod DeGrippo: I love crime.
Andrew Morris: You're going to talk about some crimes?
Sherrod DeGrippo: I'm going to talk about it so much. It's like my -- crime is my favorite. Andrew, you talk a lot about being a vendor. I'm a vendor. I will never leave vendor land if I have anything to do with it. What are some things that you're seeing kind of from a vendor perspective that you think people should know?
Andrew Morris: I think the whole -- the security industry is weird. If you work in the security industry, you should be actively trying to work yourself out of a job. And security should -- if it is a cost center, right, it's a thing that should not -- like it's a thing that just costs money, right? And that's what it should be. It shouldn't necessarily, you know, be a way that you think about how to maximize profit, or revenue, or something like that; like it is a thing that costs money. And it is -- you know, it should be boring. In my opinion, it should be super boring. The more boring it is, kind of the better. You can still have fun. You can have a great time. But the markets are all very confusing. Vendors make them more confusing. Lauren said it best at the beginning of this podcast, everything old is new again. Like there are -- there were firewalls and then there were firewalls that put data in them, and they were called "meshed-in firewalls", but -- and it's firewalls. Right, it's either -- it's on your PC, or it's on your router, or it's on another more expensive bigger router. And you can set the rules or you can pay somebody else to set the rules, but you're going to have a firewall sitting on your thing, and it's going to do firewall stuff, right? You can have antivirus, and then, you know, it's going to get better, and it's going to do more stuff. And it's still going to be just an endpoint that's trying to make sure that you don't have malware in your box. Everything old is new again. It's really easy to get caught up and think that like the industry is changing constantly. And I guess there's a portion of that that is true. But things don't change very often in security.
Sherrod DeGrippo: Lauren, any final thoughts?
Lauren Proehl: Most people don't need to be freaking about APTs that much. Like 90 --
Andrew Morris: Preach.
Lauren Proehl: Percent of you, really your threat model is cybercrime. And trying to focus and get distracted by all the razzle-dazzle from, you know, threat actor characters, yes they're cool, but like they're probably not coming for you. So focus on the stuff -- the really boring stuff. Andrew said it best, like security should be super, super boring. Patch your stuff, put MFA on, right, put EDR in place, keep your rules updated, and then when someone comes knocking, block them, pull them away, and move on to the next one.
Sherrod DeGrippo: I heard today that non-actionable threat intelligence is threat entertainment; and [laughter] I agree with that. But the problem is I really like threat entertainment. [Laughter] Andrew, Lauren, thank you so much for joining us on The Microsoft Threat Intelligence Podcast. It was so awesome to talk with you, and I hope everyone enjoyed that, and when they see you at conferences and events that they come say hello. Do not miss Andrew or Lauren when you're out, because they do a lot of public speaking, so you can definitely catch them on stages here and there. Thanks, guys.
Andrew Morris: Thank you, Sherrod.
Lauren Proehl: Thank you, Sherrod.
Sherrod DeGrippo: Thanks for listening to The Microsoft Threat Intelligence Podcast. We would love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode, we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out, msthreatintelpodcast.com for more, and subscribe on your favorite podcast app.