The Microsoft Threat Intelligence Podcast 10.11.23
Ep 2 | 10.11.23

Incident Response with Empathy


Sherrod DeGrippo: Welcome to The Microsoft Threat Intelligence Podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week, dive deep with us into the underground. Come here from Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird, but don't worry. I'm your guide to the back alleys of the threat landscape. Hello, everyone. I am here today with Matt Zorich, and I am so excited. He is a principal consultant with Microsoft Incident Response. Matt, thank you for joining us.

Matt Zorich: That's absolutely my pleasure. Thanks for having me.

Sherrod DeGrippo: So you're Australian; is that correct?

Matt Zorich: I am Australian. That's right.

Sherrod DeGrippo: Okay. So you're Incident Response, responsible for down under. Look. I don't want to overly fan girl, but I saw your tweets or your X's. I don't know what it's called now. And I was super excited by some of the things that you were talking about, and I wanted to ask you about them. So the first one that I saw was talking about lots of people are new to M365 and Entra ID forensics. So you put together a free and open source forensics kit, including Kusto queries and things like that to help people get better at inter forensics. So the first question I have is, why do you have such a good heart?

Matt Zorich: I think that probably comes from, like, before jumping into cyber as a career, I was kind of a sys admin, you know, one-stop shop. You know, there are sys admins out there that are doing everything.

Sherrod DeGrippo: Yeah.

Matt Zorich: Anything with power, right. They're looking after the printers. They're looking after the coffee machine in the kitchen.

Sherrod DeGrippo: Yeah.

Matt Zorich: And they're doing all the IT. And then they're also trying to do the cybersecurity things. So I've always had, you know, a soft spot for those kind of people who aren't as well-resourced, whether that's people or budget and things like that. And there's a lot of great tools out there to do forensics. And, you know, it doesn't need to cost anything apart from a bit of time to learn. So that was kind of the desire for me. Just put these things out there. It's sometimes hard to find the guidance, as well as the other thing, you know, Microsoft Learn docs, overwhelming at times, just even finding what you're after plus all the third party stuff. So that was really the desire of mine, just get it in front of people. And then, hopefully, if they do have an incident, they've got something they can refer back to and maybe do a bit of learning on the fly and even better if they could do it in advance and kind of a little bit of training for when the day comes that they need it.

Sherrod DeGrippo: I love that. And I just want to mention the URL, if you want to check out some of these things is /kustofree. So there's some resources there. There's resources on your Twitter, which is reprise underscore 99. If you're into Entra ID forensics, I feel like, Matt, you're kind of this, like, guru of all these different things. And I just love it because my background is network and email security, host-based. Didn't really do a lot of it in my career. So what made you so interested in Entra ID which used to be Azure AD, or Azure AD? It's now called Entra. What do you like about working with it?

Matt Zorich: I think my interest in it started probably like a lot of people. I think it was when people started to migrate from on-premises Exchange up to using Office 365. And then, at the time, Azure Active Directory was kind of a key part of it. But, initially, it only drove office 365. And then, over time, the product's obviously evolved massively. And now it's a full-blown identity system. So I think a lot of people probably like myself that come from an on-premises Active Directory background, that's kind of moved into Azure Active Directory or Entra ID, just as the technology has moved. As we use more cloud products, as we use more M365, we've all had to pick up those skills. And then forensics follows on from that because obviously the threat actors and the adversaries, they're also showing an interest in Entra ID versus, you know, more traditional phishing and malware and vulnerability, exploitation and things like that. So you're kind of just moving your forensic skills with the technology. Just like anything, as it evolves, you need to stay what's current.

Sherrod DeGrippo: So let me ask you: What are you seeing in those logs when you're doing incident response? What are you looking for, and what makes you stop in your tracks?

Matt Zorich: Yeah. I guess the unique thing, I guess, about identity forensics is that, you know, this is a malware. When you see -- when you find malware on a device, you know it's bad. And you know it doesn't belong, so it's very clear cut. With identity based indicators, it sometimes get a -- gets a little bit murkier. We obviously have IP addresses and things like that, which can be indicators. So if -- you know, if we've got a malicious IP and we're seeing that on a user, we know that's bad. Where it can get kind of a little bit unclear is if -- if an adversary has kind of compromised a VPN or they're also on the corporate network. So you have the legitimate user using their account day to day, reading their email, clicking messages, you know. Plus you've got the adversary at the same time doing bad stuff. So trying to peel those apart is always interesting.

Sherrod DeGrippo: So help me understand a little bit about that too. Essentially, let's say, you're looking at an account. And it's, for whatever reason, been compromised by a threat actor. You're telling me you have to look through the threat actor's activities and untangle them from the legitimate user's activities who's logging in at the same time.

Matt Zorich: Yeah. That's right. Yeah. So we've got to try and differentiate between what the user was doing and what the adversary was doing as the user. So sometimes it's quite easy if you've got other indicators so IP addresses, user agents potentially. Sometimes it's very difficult, and sometimes it involves asking the user what they're up to and then did that -- did they do these actions? Sometimes that's the best way to decouple that.

Sherrod DeGrippo: And so you're -- you're potentially looking at compromised accounts, trying to find out sort of almost like a split personality situation of who were you really when you were doing this activity in the logs? Anything interesting that you've seen while that was happening?

Matt Zorich: Yeah. We see a lot of quite interesting stuff. You know, it makes you quite paranoid at times, as well, obviously, talking to the users. And you're like, am I talking to the user? Am I talking to the threat actor? But we see a fair bit of, you know, social engineering. So we see, you know, adversaries pretending to be IR firms or representing, you know, security teams and -- and things like that. We see them hiding, obviously hiding emails, you know, mailbox rules and things like that, which you'll probably be more -- more aware of. So it's always certainly interesting.

Sherrod DeGrippo: Well, so let me ask you this. Let me ask you mailbox rules. So my past has a lot of email work in it. I've done email for a long time. And so, like, give me some examples. Let's say you're a threat actor, and you don't want to get caught. What are you doing with mailbox rules?

Matt Zorich: Yeah. So it's probably similar to what you've seen. I think it often -- it speaks to what their -- what their desired outcome is and I guess what their motivation is. If it's kind of, you know, the classic business email compromise where it's financial gain, then -- then usually they're targeting, you know, a couple of particular users within there might be accounts payable teams, you know. So often they'll have a look around kind of the directory and get a feel for how an organization kind of handles invoices before kind of inserting themselves into that conversation. So, usually, it's very specifically targeted just at couple people. You know, they don't -- they won't do things like delete all emails because the user will become aware that they're not receiving any email, and that will flag it. So it might be from one or two users, and they'll hide the emails in -- often it's like the RSS feeds folder, or they will hide them in another folder, because what they essentially want to do is reply to those emails themselves. And, at that point, they might, you know, change the payment details on an invoice, to redirect it to their bank accounts and things like that. So it's often very subtle, rather than something that users won't -- you know, they might not notice emails missing from one or two users. And then once, you know, they can remove those rules, and everything goes back to normal.

Sherrod DeGrippo: I've always said that, if I was going to do crime, I would just put my bank account numbers in a bunch of accounts payables at medium, small and medium businesses and just live off that annuity because I feel like that's so under the radar, right? Like, just change the account details on some invoices, and watch as it comes in. You have to do some money laundering. You have to have some mule accounts and things like that. Like, I know it's not that easy. But it's a pretty good way to sit back. And, I mean, I think it's a lot better than ransomware because it's quiet. No one gets upset for a while. They don't know that you're there.

Matt Zorich: Yeah. And you also -- I think you read the stats about business email compromise, and it's a -- it's an obscene amount of money every year. And you're absolutely right. You know, the small, medium businesses, they might only get targeted by -- it might be a $50,000 invoice, which to a huge company is a rounding error, but to a small or medium business that could be the difference between them ongoing as a business. So -- and those small, medium businesses, they don't have the capability or the protections. So I always feel for those people, as well. Like, I've got friends that are in like the building industry. And you hear stories of, yeah, $20,000 here, $30,000 here. But that could be their payroll for the next month, you know. So, yeah. It's -- yeah. But those ones always get to me as well.

Sherrod DeGrippo: I love the empathy that you have, and the way that you're just going out in the community and putting all of these free toolkits and everything together because I want to be clear. This one tweet is not it. Like, you've put together multiple free guides and resources for doing often ID forensics for quite a while. That's been something that you've published a lot of.

Matt Zorich: Yeah. That's it. I think, yeah. Like I say, understanding incident response, I think you do have that empathy. We -- at Microsoft, we obviously skew towards the bigger companies when we do incident response, but I can certainly appreciate the people that read LinkedIn or read Twitter and things like that often are, you know, the one man band. And they're -- they're trying to keep everything together. So they might not have access to a full CIM, or they might not be able to just call an IR firm when something happens because it's not especially cheap to do that. So if they can do a little bit of it themselves and get to the bottom of what happened and, you know, find out what happened for next time and put some rules in place and hopefully prevent it next time, that's really my desire for those teams and just, you know, share that knowledge.

Sherrod DeGrippo: I love that. I love that you have this view that where you're doing incident response, probably a pretty large enterprise and then thinking, you know, I think we all kind of do when we see breaches and things. We think, oh, my gosh. If that happened at, like, a local accounting firm or, you know, an ice cream shop or, you know, even a larger operation like a manufacturing firm or somebody local. They couldn't get out of it without possibly destroying their business and losing a lot of money and not being able to make payroll. I think that's something that threat actors really think, like, if they if this is an organization that has a payroll, I could take all that money.

Matt Zorich: Yeah. Exactly. I think the -- you know, the ransomware and things like that certainly skew towards a certain size of company that threat actors know have the ability to pay, for sure. But there's this whole tier of cybercrime out there that affects the small, medium businesses that don't have a cybersecurity team. They might not have an IT person at all. You know, they might have a little managed service provider that helps them out. And, like you say, a cyber event for them could be business ending, unfortunately, because they don't have the resources to kind of bounce back from it.

Sherrod DeGrippo: So let me ask you about this because this is something I think about all the time, especially when it comes to taking money from bank accounts, which is something I think about constantly. I wake up in the morning; I think about taking money from bank accounts. I go to sleep at night; I'm just having dreams about taking money from bank accounts. I'm just kidding. So my question about that is this: There's this kind of bifurcated dual reality for most people. Like, for me, I have a personal email account. I have many. I create them constantly. I'm constantly making new email addresses. But I have my personal email. And one thing about my personal email is, you know, I'll ask you, like, if you didn't check your personal email for a couple days, whatever. But if you don't check your work email for a couple of days, that's -- you better be on vacation. You better have an out of office. It's a problem. And I think that people need to kind of understand that they essentially have two identities that can be stolen. They have their personal identity, and then they have their work identity. And think of it as the difference between your driver's license and your badge to get into work. I can't drive on my badge at Microsoft. I have a Microsoft badge. I can't drive with that thing. But I can get into the building at work. And I think that people kind of need to understand the differences from a threat actor perspective of, like, logging into your personal email account versus are they coming after your work account? And I think that that's important to think about because one of the things when it goes back to bank accounts, which I'm obsessed with, if I was a threat actor, would you rather have access to my personal checking or to, like, an accounts payable at a company, right?

Matt Zorich: Yeah. That's exactly right. And it's -- I guess the threat actors have only so many hours in the day, as well, like we do.

Sherrod DeGrippo: Oh, yeah.

Matt Zorich: So we have to, you know, pour one out for the adversaries as well. You know, they --

Sherrod DeGrippo: They're okay.

Matt Zorich: Okay. But, you know, they -- they have to decide what to target, as well, and what they think is going to be the most -- ultimately the most lucrative or what's going to -- they're going to have more success with. And there's obviously different threat actor groups out there that target different tiers of application. There's plenty of personal cybercrime going on as well. It's probably not as well-documented, especially, you know, in our line of work. We tend to skew towards, like you said, the big side of town. But people are losing money on personal scams, personal phishing at similar rates. It's just, you know, a personal -- individual person's probably not going to be ransomed for, you know, $50 million.

Sherrod DeGrippo: Thirty million. Yeah.

Matt Zorich: It's going to be lower. But it all adds up. And it's as significant to that person because if I, you know, I don't have $50 million.

Sherrod DeGrippo: Not yet. You start obsessing over breaking into bank accounts like I do, maybe you could.

Matt Zorich: One day. You certainly learn the tricks of the trade if you ever wanted to turn bad and become the antihero. But I don't think that's in my blood.

Sherrod DeGrippo: No. I also don't think that's in your blood. It's not in my blood, either. But I think about it all the time, I think, because I'm so interested in threat actor psychology. Like, what are they -- what are they doing, and why do they think that this is okay? And they're just -- they're destroying, like we said, like, small and medium businesses. There's a single person who works IT. And they're, you know, taking advantage of the fact that this organization doesn't have a lot of resources, sort of the opposite of what you do with your free guides and all the roundups of things that people can do and the free resources. They're seeing that as an opportunity to take advantage of, whereas you're working to help those people. You see that as an opportunity to share with the community and give free, you know, Kusto queries and, like, free kits and everything on GitHub. I'm telling you. I don't think people understand. I was surprised. You actually really seem to put a lot of effort into it, and I love that. Like, they're beautiful written threads and guides and links. And I think if you're new, too, so let me ask you, you have all your guides out there. If someone is new and wants to start thinking about before they get breached, where should they think about looking and starting to maybe polish up some skills?

Matt Zorich: Yeah. I think that the two key bits of information you're going to be interested in is sign-in data. So that's going to tell you where your users or yourself if you're testing, you know, you can -- where am I signing in to. Am I suddenly being signed into from overseas or from an IP address I've never seen. And -- and we use that data heavily to kind of understand what users have been up to. And then the second one is the audit log, so that traps kind of any user changes. So, you know, if you register a new MFA method, for instance, or you change your name and things like that, that's all registered in the audit logs. So they're the two places that I would check. You can also, like I say, you can sign up to lots of free stuff. There's Kusto free, which I use all the time still to practice stuff. You can sign up for M365 developer license, as well. So that gives you the full E5 suite. So you get all the auditing. You get all the cool stuff. And if you make a few community contributions, Microsoft will kind of keep rolling your developer subscription forward. I've had mine for years. I just made sure I submit something on GitHub now and then, and I get an email saying, Yeah, you're good to go. And so that's what I'd do is just get in there and look and have a -- have a play. I think even sometimes at our level of incident response understanding where the logs are is sometimes the biggest battle, like, especially in big companies. If you need firewall logs, if you need, whatever, it's finding where that stuff is. Once you actually have access to it, that's generally a little bit easier. But so, if you just -- for people beginning or, you know, MSPs that are looking after smaller businesses, I just say you get in there and have a play and understand how this data works. And, you know, put your minds in the eyes of an attacker and go register a new MFA method and -- and see what that looks like. And set up a mailbox rule and see what that looks like because it's all registered, and it's all logged. And then you'll know kind of where to look should the day come.

Sherrod DeGrippo: So you mean, like, go and set up like a test rule in a mailbox and see what kind of logs are generated from that action?

Matt Zorich: Yeah. That's -- and that's generally what I do. If I'm interested in writing a query, I'll jump into my lab and just go do it. So I'll create a rule on my mailbox called, you know, something. And I'll move emails from the inbox to the RSS feeds or deleted items. And then, you know, give it a few minutes. Then go have a look at the logs and be like, Oh, yeah. This is -- is this event happening? And then make the query a bit nicer. And then you've got something you can detect on or -- or use during incident response.

Sherrod DeGrippo: So let me ask you too. When you're -- you know, over the course of your career and your time at Microsoft, when you're doing incident response, is there any recurring thing that you think, gosh. I wish this organization had done XYZ? Is there anything that keeps coming up? You're like, Oh, I wish they had done this. I wish they had done this before I got here.

Matt Zorich: Yeah. I think, with incident response, what you learn is that it's not as sophisticated often as, you know, the media or even threads on Twitter make you believe. It's usually the same things. It's just at a bigger scale. Like, don't get me wrong. We get some very sophisticated actors out there. But a lot of the times initial access is phishing. It's lack of MFA. It's kind of all that good hygiene stuff you talk about. We definitely see that in the real-world. So the thing I always try to say is that, in really, really big companies, you're not going to prevent every user from ever being compromised. Your users will get compromised. That's the nature of it. They're going to click on phishing, or they're going to click on an SMS they got, however it is. We can do our best to stop that. But the reality is, is users are going to keep clicking, and they're going to keep putting their credentials in. So what we then need to do is what we want to prevent the compromise of a single end user kind of being the start of a chain reaction that leads to ransomware or loss of control of your tenant and things like that. So it's about protecting the tier zero accounts, the really privileged accounts, and those paths through. That's -- that's the thing we'd like to say is, if you've got 50,000 users, it's very hard to protect all 50,000. But, of those 50,000, if 10 of them are global admins, then you can protect those 10 for sure.

Sherrod DeGrippo: So I guess one of the things that I'm taking away from that is that organizations need to understand who those people are and maybe wrap additional training or levels of privilege or extra security measures around those specific people if they don't have money to do the full thing for every single person in the org.

Matt Zorich: Yeah. I think that's exactly it. So it's -- you know, we've got really great technology like passwordless and phishing resistant MFA and things like that. I think, you know, IR teams understand more probably than anyone that -- that doing that at a huge scale is really, really difficult because you could have people all over the world. You could -- it might be a budget thing like getting everyone new laptops that support, you know, Windows Hello for Business, whatever it is. It's very hard to do that for a 300,000 person organization. But what you say is you start with those tier zero accounts, and then just work your way out. And the other ones, you know, high-risk users so finance people, you know, board members, anyone that has like a -- on the website, those ones that are going to get targeted. And just kind of -- it's just about reducing risk. And if you can secure your global admins or your domain admins back in heyday world, you get like a really great risk reduction for not much work. And then it kind of filters down and filter down to your users slowly. And, obviously, if you can do that phishing resistant MFA and things like that for everyone, that's awesome. But, yeah. Starting with the most privileged accounts for sure.

Sherrod DeGrippo: I like that. And I like to talk to organizations and, like, CISOs and practitioners and say you should have two lists. I like to have a list of what are typically considered execs or VIPs. Those are the people who can press the button and make things happen and go super wild. So they want to be considered important. And then I also think you should have that list of people who have real access and are truly juicy, juicy targets, like a brand new senior accountant. That's a different kind of role than the CFO who's been there for 15 years. And I think you need to understand who you're protecting and think about them in those separate ways. Like, yeah. The CEO can yell and throw a fit and get anything he needs or she needs. But that doesn't mean that they're the ones that are the juiciest, most appealing target to threat actors. So you kind of have to, I think, satisfy both personalities in that way and say, look. You're very important, and I know you're very important. And then also have that list of accounts and people that you're like, okay. But you're the ones that the threat actors are really going to come after.

Matt Zorich: Yeah. I think you're absolutely right because there's -- yeah. There's risk and there's privilege associated with both. One's the classic one that we think of from an IT perspective is that they're a global admin, so they can literally do whatever they want. And then there's CFOs and CEOs and things like that, that they're definitely a target, but it's just in a different way. It might be because of their business knowledge. It might be because of what's in their email is interesting. It might be because they can approve invoices and things like that. So you definitely -- you're definitely right. And I think it's about approaching, you know, your business and what's the biggest risk for your particular business. If it's, you know, financial fraud, then frame your controls around that because, you know, every team, even big cybersecurity teams, even they're still understaffed. They're not going to be able to reduce the risk of everything. There's no such thing as 100% secure. Just it doesn't exist. So it's understanding what would cause you to push the big red button in your business, in particular, and then try to prevent -- prevent it. We always say you can have -- you can either have a preventative control, or you can have a detective control. So you can either stop it, or you can detect it. And the more you can stop, the better because the detect -- the detection is always after the fact. And there's always going to be a delay. So if you detect it two days later, the damage may be done, whereas, if you prevented it, then you've saved yourself some grief.

Sherrod DeGrippo: I think that speed and time to detect and time to mitigate equation is really important right now and over the past couple of years with ransomware because, you know, if you look at the stats, the ransomware attack chain has gotten in time shorter and shorter and shorter. I mean, it's gone from the day before to like the hour before. They're getting so much faster.

Matt Zorich: Yeah. That's it. They're just getting -- they're just getting reps. They're getting better at what they're doing, just like hopefully blue teams do. You know, the more you do these things, the better -- the better at it you become. And the more practice you get, unfortunately, it goes both ways. If you practice at being bad, you get better at being bad. That's what happens.

Sherrod DeGrippo: Right. No. There's inertia. There's momentum either way. Like, if you get -- if you're bad at something, you just keep getting worse unless you're trying to really put concerted effort into improving. And you get experience being bad at stuff.

Matt Zorich: That's it. You do. Yeah.

Sherrod DeGrippo: That's a good point and really kind of a weird twist of humanity. Let me ask you about multifactor. So every couple of years, the multifactor debate comes up. Do you have any opinion on text message as multifactor, let's call it.

Matt Zorich: Yeah. This one always comes up. It's always an interesting conversation. There seems to be -- it's almost like a religious debate, which is there's a -- there's a body of people that think SMS MFA is the worst thing ever, and you shouldn't bother at any point. And there's a group of people that say it's better than nothing. I think it's certainly better than nothing. That's the camp I stand in. If you've got just a username and password and you get phished, for instance, that's it. Game over. If you even have SMS on top of that, it's still a win. Like I think everyone appreciates that there's issues with SMS MFA. I don't think anyone's denying that. But I think for certain businesses, it's a very low barrier to entry, and I think it still reduces risk significantly. As I mentioned earlier, though, what I would say is that, for your admins, for your very high-risk VIPs, for your -- for your board members and things like that, those are the people that you should migrate off SMS more quickly. For your -- for your kind of end users and your frontline workers and things like that, I think if SMS is the best you can do, then I think that's still valuable without doubt.

Sherrod DeGrippo: I think, for me, listening to you talk about it made me realize that I agree with you. My sticking point that I will fight people to the death on, I will not allow you to call SMS two-factor. I think calling it two step is okay. But, to me, SMS is not an additional factor. It's an additional authentication step that I -- doesn't really get you to the two-factor requirements, in my opinion. Gets you to like one and a half or something.

Matt Zorich: No, no. I agree with you. And what I think what it does is, look. There's a certain element of threat actor where SMS MFA or SMS two-step is not going to -- is not going to dissuade them at all.

Sherrod DeGrippo: Yeah.

Matt Zorich: That said, it's going to dissuade some threat actors. And it's a bit like, you know, if on your house you've got security cameras, that might be enough to dissuade the person that's just walking by and thinks you're a good target. If someone especially wants in your specific house, the security cameras are not going to prevent that particular person. So I think that's -- that's why we -- that's the way I think about it is like SMS might make you the -- you know, not the easiest target on the block, and that's okay. But it's not going to prevent someone that really wants to come and -- come and steal your table or steal your -- steal your stuff.

Sherrod DeGrippo: Don't steal my stuff. I don't -- I feel like I don't really have anything in the interest of stealing. Every time I kind of look around the house, I'm like, my TV is bolted to the wall. Like, I don't know how people steal televisions anymore because they're all installed. And then I've got a couple of computers, but they're all -- you're not going to get into these computers. Like, even, like local access would still be really hard because I have all the Microsoft remote wipe stuff and everything installed. So I don't know. I guess you could steal my jewelry. That's all fake. It looks real. I have a lot of jewelry that looks real. It's fake.

Matt Zorich: I'm the same. I don't really collect stuff in my house. I'm just like I'm happy with my -- I've got my iPad, which I just watch, you know, Twitch on, and that's about it. Other than that, I just -- I don't buy things.

Sherrod DeGrippo: I know. I feel like actually stealing from my house would not really net a whole lot. Let me ask you about threat intelligence. So this is The Microsoft Threat Intelligence podcast. As an incident responder, how does threat intelligence play into when you're working in case you're trying to figure out what's going on. Does threat intelligence play a big part for you? How important is it? What do you think of the state of that in IR? How does TI work for you?

Matt Zorich: It's very, very important, for sure. So, obviously, at Microsoft, we have access to significant threat intelligence, and that can help drive investigations. It can help drive, you know, threat actor motivations, what we believe they might be, ultimately, their goal. And I think the cool thing from an IR perspective is that we're kind of the first responders. So when we're down there and we're finding malicious activity or we're finding, you know, IP addresses or we're finding malware or whatever it is, where -- we're the ones that often feed that back up the chain. And then, you know, a week or two weeks later, we might find that that's actually loaded as a detection into the defender products. So it's really cool to see that the lifecycle, I guess, of threat intelligence, where we might be the first people to find it. Then other -- you know, other customers are then protected from it or they're alerted on it, just from what we found, which is -- it's a great feeling, right, knowing that you've potentially protected future customers. It still sucks for the customer they got compromised. If you're the -- you know, if you're the first one to get a certain malware variant or a bad IP address, unfortunately it was just kind of your day and you had your name on it. But it's awesome to be able to see that that lifecycle, and that's where you feel like you're making real impact if you then see, you know, malware blocked at another organization. You're like, oh, that's cool because I found that and, you know, we work closely with The Microsoft Threat Intelligence Team on our engagement. So they're often standing by and looking at things we're finding, as well, which we've had a really great relationship there.

Sherrod DeGrippo: Yeah. I've -- you know, I work primarily on the threat intelligence side with those teams. And it is so fun when, you know, you see someone from IR pop up in one of the chats and kind of say, Hey. Does anyone have any information? Anyone ever seen this? And you watch the Intel teams and IR teams collaborate real time, talk about things that are going on. And it's just -- it's really nice to see the camaraderie and the partnership between people who are doing the work on the ground and the Intel teams that probably have been potentially tracking that actor or waiting for that actor to do something new. Everyone is really excited about the development because it means, hey. This thing we've been tracking is actually active. It's actually happening. And they can get more information, like you said, to put detections and intelligence back into Microsoft products, which is really cool. Let me ask you just quickly, how did you get into incident response? And sort of what do you feel like is the thing that keeps you there?

Matt Zorich: I've been doing incident response for just over a year now. So, prior to that, I was kind of a bit of everything in cybersecurity. So, obviously, I always skewed towards identity. But we also -- the company I was working at was like an early adopter of Microsoft Sentinel. And so I had to learn how to write Kusto kind of. So I spent --

Sherrod DeGrippo: Oh.

Matt Zorich: Yeah. So that's where --

Sherrod DeGrippo: You have trauma from learning. That's why you're trying to help others. Okay.

Matt Zorich: That's it. Yeah. So very early on, whenever I couldn't write a query, I'd just log a support case with Microsoft and ask them to write it for me, to be honest.

Sherrod DeGrippo: Oh, okay. Pro tip. Life hack.

Matt Zorich: That's it. Yeah. I didn't take that -- oh, that's how you -- that's how you do it, and this is what I'm trying to detect. And that's where I wrote all the -- kind of all the stuff that's sitting in GitHub because I thought, you know, if I'm -- if I'm finding this stuff, other people are probably looking for it, as well. So then I moved to Microsoft just over a year ago. And that was my first shot at incident response. So definitely learning on the fly. The identity side, I'm certainly more comfortable with. But traditional Windows forensics wasn't my strong game. So I'm still learning. I think everyone is still learning. You're always finding something. Whether it's in threat intelligence or IR, there's always something new. And I think that's what keeps you there. It's no two engagements are really the same, whether it's, you know, threat actors doing, you know, very novel things, whether it's just, you know, talking to the customer. And we wear a lot of hats in IR. We're investigators. We're trying to help them secure their environment. We're kind of grief therapy at the same time, as well. You know, the first couple of days, if it's ransomware, can be quite, quite difficult. Like, I know coming from like a blue team, I was lucky enough to not be hit by ransomware or anything significant. But I could just imagine the feeling. You know, cybersecurity teams and blue teams take their environments very personally, I think, often. And they feel quite personal when it gets hit by ransomware or it's in APT or whatever it is. And it's often not the failing of really anyone. It's just lack of budget, lack of resources, or just someone that really wanted in. And sometimes it's hard to defend against. So, like, the blue teams need to be perfect kind of every single day of the year. And adversaries can just keep trying. Like, if they miss, tomorrow's another day.

Sherrod DeGrippo: Yeah. And they have, like, volume and time on their side I feel like, too, whereas, if you're a defender in an operational security role on, like, blue teams, you only have so many hours in the day. And it's -- it is really, really hard. And I can't imagine the emotional impact of going through a ransomware incident from that side of something that you've worked however many years to protect and then seeing, there was a tiny crack that we missed, and that's what caused a ransomware event.

Matt Zorich: Yeah. And often sometimes it's not even a tiny crack they missed. Like, often technical teams are very aware of the gaps in security tooling, whether it's not been able to be fixed because of budget or legacy or any number of reasons that -- but certainly, in a lot of our engagements, in terms of like how it happened, it's not a massive surprise to the technical teams for sure. And I think having sat on the other side, I can appreciate that as well. You know, businesses have X amount of budget for cybersecurity or IT or whatever it is, and there's only so many hours in the day. And you can only do so much. Otherwise you'll -- you know, you'll burn yourself out, and you're going to be working 18 hours a day. And no one really wants that. So, yeah. It's often the blue teams understand their environment as well as the threat actors, and they knew the paths through, for sure.

Sherrod DeGrippo: Matt, this has been so cool. This was purely a personal interest of mine to get you on the podcast to learn about all these things because I find IR and ID and all those things so fascinating. I hope we can have you on again to talk more. Thank you so much for coming. We really appreciate hearing from you.

Matt Zorich: Absolutely. My pleasure. I would love to come back. Thank you so much.

Sherrod DeGrippo: Thanks, Matt. Thanks, everyone. Thanks for listening to The Microsoft Threat Intelligence podcast. We'd love to hear from you. Email us with your ideas at Every episode will decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out for more, and subscribe on your favorite podcast app.