The Microsoft Threat Intelligence Podcast 4.30.25
Ep 43 | 4.30.25

Inside THOR Collective, a Dispersed Team Delivering Open-Source Research

Transcript

Sherrod DeGrippo: Hey everyone, it's Sherrod. Before we get into the episode, I just wanted to let you know, I will be speaking and attending at the RSA Conference in San Francisco at the end of April, and I really hope to see you there. Come on by and say hello. [ Music ] Welcome to the Microsoft Threat Intelligence Podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week, dive deep with us into the underground. Come hear from Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird, but don't worry. I'm your guide to the back alleys of the threat landscape. [ Music ] Hello, and welcome to the Microsoft Threat Intelligence Podcast. I am Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft, and I am joined by just a wily cast of characters today. Let me introduce you to Lauren Proehl, Global Head of Detection and Response at Marsh McLennan. Lauren, thank you for joining me.

Lauren Proehl: Thanks for having me back.

Sherrod DeGrippo: It's good to have you back. It's fun to have the IRL crew on the podcast. I'm also joined by Sydney Marrone, Principal Threat Hunter at Splunk. Sydney, thanks for being here.

Sydney Marrone: Thank you. Appreciate it.

Sherrod DeGrippo: And another returning guest to the podcast, the famous Jamie Williams, Threat Intelligence Researcher at Unit 42 at Palo Alto. Jamie?

Jamie Williams: I'm loving these adjectives, "wily," "famous," really an honor and pleasure to be here.

Sherrod DeGrippo: The three of you are quite the crew, right? So I think it's only fitting to let the audience know that this is some heavy hitters in terms of thought leading, leading thoughts.

Jamie Williams: Oh.

Sherrod DeGrippo: Yeah. Be prepared. Those thoughts are being led, but I wanted to talk to the three of you because I've been hearing around, I've been hearing in the InfoSec Threat Intel circles, about the THOR Collective. I also saw a THOR Collective post from Jamie, which I really, really enjoyed, and so I wanted to get the opportunity to learn about it for myself and hear about it from all of you. So Sydney, tell me about your shirt.

Sydney Marrone: My shirt? It says "THOR Collective." So what is THOR Collective? If you are wondering, it is an initiative that was spun up by myself, Lauren, and our previous coworker, colleague, John Grageda. We have a bunch of projects that we have started under it. So one of them is Hearth, which is an open-source threat-hunting repository, which you can contribute to. You can get threat-hunting ideas from. It's really cool. Another project we're working on is called Dispatch, and this is a publication we have on Substack, and we post twice a week articles about threat hunting, InfoSec, threatening memes, a little bit of everything. We include a lot of guest authors as well, which Jamie just so kindly was a guest a few weeks ago, and I think we're going to talk a little bit about his post today. But yeah, we're just trying to do good for the community, the InfoSec community, the threat hunting community, and give back. That is really our goal at the end of the day, to just promote InfoSec more and encourage others to be a part of it. And so we just want to share our experience and our knowledge with everyone.

Sherrod DeGrippo: I love that. That's so positive.

Jamie Williams: Right? It's truly amazing, isn't it? It's like -- I'm a big fan, as you know, of knowledge bases. Like, let's just like write everything down and like -- that was my experience. Again, thank you for letting me like guest post, but I just forgot how hard it is to write a blog. That said, like I worked, did all this research, wrote this crap, and then like you folks are still publishing stuff, it feels like, every other day, and it's not just, oh, this is threat hunting. It's like, this is the business side. These are metrics. It's so amazing because it's just thinking back, you know, where I was years ago, like having that kind of resource where you can search and find and like, oh, like here's not only what someone's doing that's amazing, but you actually are pretty vulnerable. Like, this is the stuff we've done that didn't work, or this was a really bad idea and this is what we learned from it. And that's going to be something that just exists for -- you know, hopefully forever, but we'll see how the internet survives. But I just can't thank you enough for not only welcoming me, but generally, what you're doing. It's just truly phenomenal.

Sydney Marrone: Thank you, and I told Lauren when we started, like it's not just about threat hunting or thrunting, it's about InfoSec, anything InfoSec-related. If she wanted to write an article about how ultra marathons were the best exercise for InfoSec professionals, go for it. Let's write it.

Lauren Proehl: Oh, no. That's my upcoming podcast. I want to hear your thoughts.

Sherrod DeGrippo: Oh, gosh, Lauren. I worry about you on those. I don't want -- no. I only run if someone is chasing me.

Lauren Proehl: Well, we can make that happen. Don't worry.

Sherrod DeGrippo: Oh, okay. I won't go very fast, and I'll definitely lose but -- so what I think is really interesting about this THOR Collective Initiative is we've had the big thinkers in InfoSec, Bruce Schneier, and the acolytes that have pushed the ideas and the philosophy, and what does security mean, and been authors and architects of the first principles of information security. And we've operated off of those first principles for 30 years now -- 20-30 years now, since I've been in the game for 20, And I really think we need some new, fresh voices. I think that that cohort of those pioneers in security are really important. The Dave Aitels, the Gaudi Evrons, they're super important pioneers, but I feel like we're kind of at a point where we're missing some new, fresh voices, which I think this really has.

Lauren Proehl: Yeah. It's really interesting. When we were first starting this project, I'm not quite as prestigious as you, Sherrod, with the 20 years of experience reading Bruce Schneier's blogs, but I grew up on Dave Bianco, right, and Chris Sanders' posts when they were what I had to read, and long-form media, like we see on THOR Collective Dispatch, was still a thing. It wasn't just 140-word tweets that like I'm trying to make sense of shortened ampersands and all this stuff, and you've got to get your message across really quickly. So there's a lot of love in my heart for that, and I'm really excited that we've been able to highlight some new voices. Jamie, it's funny you say you think we post every other day, because we've been pretty religious about twice a week. Once from Sydney, John, or myself, or all three of us, or some combination, and then once trying to highlight those newer voices. You know, we had -- Jamie, obviously, you're a force of nature, a Boy King of Mitre, right? I love everything that you've ever posted. It's been an honor to have you on, but then we also have people like Stacey Lokey Day, who was a SOC analyst, and she's moved into threat hunting, and she can talk about her journey and get some of those early InfoSec insights and audiences as well. So we're trying to have something for everybody.

Sherrod DeGrippo: This post and the dispatch overall has a really fresh feel to it. It feels very modern, and I feel like a lot of the things that we read that are InfoSec philosophy or InfoSec principles tends to feel like it's from almost the 90s, even if it's only from a few years ago. It has this very sort of antiquated feel, but I love the way you're using a like really fresh font. You're using really fresh graphics. It actually, I feel, is a way to skirt the brain rot that I experience. I'm fighting it so hard. I started a book club with a friend because I'm trying to read actual books. My attention span is absolutely shot, and it's a function of the way that we consume media today. Reading blog posts, reading incident response reports, reading indictments, that's still consuming media, and it's hard when your attention span is completely trashed like mine is.

Jamie Williams: It's a big competition out there. Yeah, it's like -- even scrolling Twitter for 10 seconds, you're like, I see three blogs, two videos, two podcasts, and I'm like, oh, like, it's just so much. So I love the embrace of memes to, like you said, not only capture and grab attention, but one of my favorite things about most of these posts is like you scroll through and read the memes, and they're really informative. Like it's not just funny or a funny laugh. You're like, oh, I actually see the thought, the process, and what you're trying to communicate. And like even if like I don't remember half of what I read, that meme is imprinted in my brain, and I'm like, oh, yeah, I should, like, count what I'm doing and not just, like, say I hunted and didn't find anything. And it's like -- and I think that's to your point. Like not only the evolution from like the more textbook, like philosophical writing and style, but also, like the exactly -- like Lauren said, like there's just a need for quick injects of, how do I make you better? How do I make you see this problem a little bit differently? And then rinse and repeat. Good luck with everything else you might consume.

Sherrod DeGrippo: Yeah, it's gotten to the point, I think, where people's abilities to consume, like we've really got to shape the messaging. As -- I'll speak for myself, but I think you all probably are in the same place. I'm trying to get large cohorts of people to follow my advice, to get informed with the information that I have to give them, especially when it comes to threat intelligence briefings, and finding ways to insert that into people's brains is really hard. I can see, you know, the scroll brain disassociating in people's eyes. Like there's a lot of media that you have to consume, and so I feel like taking this new, like fresh approach that THOR seems to have is really positive.

Jamie Williams: I'm curious, Lauren and Sydney, like you mentioned religiously you're doing pretty consistent posts. One of the other things that I like -- one of my mentors shared with me, and I love it, and I think see it implicitly in your posts, is don't assume anything because I've had that same realization with content is like a lot of what we're doing, especially in the computer security space, is like very nuanced and very, like -- it's very easy to go into way too much depth and get that glass side, like, it sounds smart, but I have no idea what you're talking about. And at the end of the day, you're like, well, what did anyone learn from this that I know more about this than you? Which is kind of a pointless takeaway versus let's start from, you know, not to belittle your audience, but like let's start from a very accessible place and be very inclusive in terms of, hey, you've maybe never touched this or you've never thought about this or seen this problem. But let me like softly cradle you into something that's a little bit, you know, actionable for you versus I'm just going to show off how wicked-smart I am. Look how amazing this is. Good luck, everybody.

Sydney Marrone: Yeah, I love hearing that. I know I really try hard in my posts to make sure we are breaking that disconnect. Like right now, you know, you might have your SOC analysts who are very junior, and then you have your really advanced people who are, you know, 10-20 years of experience, and you're trying to get them to build to that, and you need to be able to make it approachable for them. So like I posted about machine learning, and I tried to make it -- I tried to break it down to like the simple terms so that someone like a SOC analyst could take a look at it and be like, I can maybe do this. I could try it and see and learn something from it. Like we just want to, like I said, help the community and have fun with it too. We're having fun with it on our side, so we want you to all have fun. That's why all the memes are there.

Lauren Proehl: Sydney also makes the machine learning stuff super-accessible for a manager because I'm like, I haven't hunted in like, I don't know, three or four years, and so I'm reading this. I'm like, oh, my God, you can do what? This is possible in Splunk? Where has this been all my life? And so now I can help translate that to my folks as well and be like, hey, this is a feature we haven't looked at. Maybe we should go after some machine learning elements of hunting.

Jamie Williams: I had the same approach. I was like, I haven't taken a math class in like a decade. So like you're doing all these like, you know, it's like a proof or something, and I'm just like, yeah, yeah, yeah, good stuff. Like I'm just going to take your word for whatever that is. But like at a very, at least, you know, usable level, I understand what you're talking about. I might not, you know, be able to reproduce it, but that seems smart, and I'm going to, you know -- kind of go with the vibe here.

Sherrod DeGrippo: Speaking of vibes and people with maybe newer experience, the rise of vibe coders, have you guys kind of seen this in social media where they're just hopping on any AI interface and just having it create code for them with no -- oh, Lauren. I'm giving Lauren a headache as I'm speaking.

Lauren Proehl: Oh.

Sherrod DeGrippo: With really no experience, and there are countless social media posts where these vibe coders are like, I made an app. I made a SaaS platform, and I just got completely wrecked. People are making API calls. It's spending thousands of dollars. I can't figure out how to stop it. So we're all now responsible in security for dealing with some of that. Lauren, you kind of had a reaction there. Have you seen that out there too?

Lauren Proehl: So I saw the tweet, and I'm going to keep calling them tweets because that's what I believe in, but I saw the tweet you're referring to and like number one, my first reaction is, oh, my God, this poor person. Like, they're just trying to -- I mean, we've all been told, hey, you got to get along with AI. AI is not going anywhere.

Sherrod DeGrippo: Right.

Lauren Proehl: You need to figure out how to use it. They're doing the right thing by trying to learn how to incorporate AI into their role, but I think this goes back to what we've seen. I mean, I even saw it coming out of school however many years ago, right? Where you have folks that learn how to hack or learn how to program, but they don't learn how the foundational technology works, and I think that is what ends up missing. Like I would much rather hire somebody that knows, like, the TCP/IP stack versus someone that could tell me how to analyze brute force alerts in our SIEM because I know like you can translate that TCP/IP knowledge into any network-based attacks. I have not personally seen anyone outside of the internet doing the AI coding where they are just like straight like rip-and-run. Here we go, ChatGPT. I trust your code implicitly, but I think we're going to see this develop a lot more, especially because the messaging is, hey, you need to learn how to use AI for your jobs and for the future jobs.

Jamie Williams: Yeah, I think that's a really like nuanced take. Again, I'm of the school of tweet as well. I think the best response I saw online was SwiftOnSecurity just noted that same tweet and said, I really appreciate the poster leaving it up because there were people jumping in and saying, what the hell are you doing? This is terrible. You're an idiot, all this stuff, but they just said -- they were very transparent of, hey, I, again, not a coder. I have no background. This is what I was trying to do, and this is what I experienced. This is what I learned. I think that's really important because I'm a big fan of like parallels and analogies. It kind of reminds me of like an Easy Bake Oven. You're like, hey, like I might not understand like culinary skills, but like I said, throw a steak in there and cook it for, you know, this many degrees and this amount of time, and exactly your point. I don't know what like diseased food looks like. I might eat it and like, oh, crap, like now I'm sick and I don't know why. So I think it's just a natural progression of like humanity is that, you know, ideas and innovation kind of maybe precede our like understanding of how to do something appropriately. Again, bigger fan of let's try to learn from this, see it, and kind of, again, to your point, address -- it's not going away. People are going to buy code. People are going to AI-enable everything, but let's not just repeat the same things over and over again. Let's use these as case studies. Let's highlight them, not just in a damning way, but what did we actually learn, and how does it change from both the vendor, user, everyone in between, kind of approach to making this not terrible?

Sherrod DeGrippo: I think it, too, really highlights -- first of all, when I clearly we've all seen the same experience. I, for sure, thought this was not real. I was like, oh, I have been trolled, and then I went looking and I was like, this is real, and I think it honestly highlights sort of that ancient dynamic between developers and security professionals, which is software engineers. They want to build things that people want to use, and oftentimes, information security professionals want to break things that we can make sure that people can't use because they want to do something malicious with it, and that's sort of the two different points of view that you see is that like coders, developers, engineers, they want to build amazing things for people to enjoy. A lot of times in InfoSec, we want to pretend like we're threat actors and make sure that threat actors can't do bad things, and I think that the entry, the entree, of vibe coding into that dynamic is going to be frustrating for everyone, let's say.

Jamie Williams: I don't know if it's scary or not, using the right adjective. It might not be the right adjective, but everything you just described is in such a bubble.

Sherrod DeGrippo: Yeah.

Jamie Williams: Like we all know this post, and we're like, oh, vibe coding, vibe coding, and then we talk to people who aren't in technology or even InfoSec and they're like, what are you talking about? Most people are just like, oh, the app is there. I use it. I don't care where it came from. I don't care if it's insecure. What permissions? Great. So it's like, it's kind of scary because we're off in the corner fighting this, what we think is monumental battle, and the rest of the world is just kind of going about their business, downloading whatever, getting, what was it? Shiba Inus on their VS Code and downloading ransomware.

Sherrod DeGrippo: The VS Code I saw?

Jamie Williams: Yeah, like, who cares? Like, oh, I got ransomware. I was going to throw this laptop away and get another one. You know, you're like, it drives us crazy. I imagine it's the same thing of like watching a dentist, like, oh, maybe I'm not flossing, and they're like freaking out and I'm like, I don't care. Like, whatever, such is life.

Lauren Proehl: I like the throw the laptop away disaster recovery solution. I'm going to make sure I like -- yeah, yeah, right.

Sydney Marrone: Just take that thing right over to the Best Buy Recycle Bin.

Lauren Proehl: Geek Squad would like to know your location, please. You know, Sherrod, I'm actually really hoping, I think vibes coding is here to stay like AI is here to stay. So I'm hoping there's smarter people at vendors like Microsoft that can get Copilot to say, like, hey, you're about to accidentally expose your Azure API key. Like, are you sure you want to do that? Like I think that's where we're heading based on what I've seen, again, from much smarter people than me who know AI security is, hey, yes, AI can introduce some of these problems if you don't know what you're doing. But also, we're seeing where AI can help identify and in some cases, fix some of these problems in code where there are some, let's say, insecure coding practices.

Jamie Williams: Are we doing hot takes on shared responsibility model because I'm a big fan of that, as well.

Lauren Proehl: Yes.

Jamie Williams: It was like -- I think I've seen a couple of you folks at least share the same sentiment. Like, technology is meant to be safe. Like, you're never going to get users to not click on stuff, to not open things. Like, that's just the, you know, hey, I'm riding a bike. I'm supposed to pedal. Like, what are you talking about? It's the same thing even outside of the bucket of, like, AI. Like, thinking about, like, ClickFix. I know there's a couple blogs recently that came out about that. It's like, hey, like, if you -- and I love the way Microsoft framed it. It's like, it is a social engineering attack against our human nature to troubleshoot. Like if you throw a prompt up and say, hey, your browser's broken, or you can't join the Zoom call or whatever, copy and paste this command. Like I understand why my mom, someone --

Sherrod DeGrippo: Hundred percent.

Jamie Williams: -- someone out in the world would do that.

Sherrod DeGrippo: Yes.

Jamie Williams: Rather than bash them and say, hey, how dare you, terrible pun, run that batch commands. Well, it's probably not batch if not Linux, but how it's like, how dare you, like, copy-and-paste, like, encoded PowerShell into a run terminal? It's like, okay, how do we think about, like, a user might see that and just be tired on the 13th hour, or just want to join the Zoom call late, kids yelling in the background, dog needs a walk, whatever. How do we, like, build a framework and, like, harness around them to say, I know what you're doing. I see what's happening. It's not your fault. Adversaries are out there. Let's keep, you know, the gun from being pointed at your foot.

Sydney Marrone: We think trust but verify, like, just as security thresholds. But the whole world, like, we're a small bubble. The whole world doesn't get it, and we need to teach them.

Sherrod DeGrippo: Yeah, I think that it's really important for the audience of this podcast specifically to understand that most of the people that we're securing, the vast majority of people that we're securing, their responsibility is to serve their customers, analyze the financial spreadsheets, create the graphics for the new campaign, look at HR records, do background checks. Their responsibilities are very clear to them. Their job is very clear to them. The security part is our responsibility, and that job is very clear to us, and we have to provide that for them. And to go a step further, we have to provide that to them via technology, not by telling them, hey, you as an individual human are going to fight a Russian cybercrime today, Dave. What is that? Why do we get -- why do InfoSec people think, like, hey, I know that there's an IRGC threat going around, and it's your problem now, person who's responsible for, like, maintaining facilities and making sure that, like, desks and offices are available for people? It just -- it's so strange to me that in InfoSec, we take our responsibilities and dump it on everyone else, but if they try to give us their responsibilities, we're like, no, we don't do that. So I think we need to kind of see things from the other point of view. That's what they're paying us for.

Jamie Williams: Right.

Sherrod DeGrippo: Literally.

Jamie Williams: Quick pause for the podcast. Like, I know it's just audio, virtual standing ovation. Like, thank you. That's spot on. We absolutely -- it's such a -- and it seems, it seems like almost obvious until you, like, actually realize it, and you're like, oh, like, I -- we, whether you're doing Intel, Red Team, Blue Team, Hunt, Executives, Procurement, we are serving our, like, greater world. We're not, like --

Sherrod DeGrippo: Yeah.

Jamie Williams: We don't have any other, like, nature of a relationship. We are trying to enable them to be their best selves. So it seems kind of obvious, but at the same time, I think there's a lot of decisions where we can apply that a little bit better and be a little bit more graceful about how we actually execute.

Sherrod DeGrippo: Yeah, I think so, too. And I think that, honestly, going back to the THOR Collective stuff, I think that that's something that the tone and kind of focus of what that is looking at doing is really bringing things into a more approachable, more appealing kind of tone. I mean, we've -- for those of you who are a little older, you might remember the BOFH, the Bastard Operator from Hell. Those were just, like, a systems administrator. I think he was in Australia or New Zealand at a college, and just, it was story after story, essentially, about how much this guy hated his users and how terrible he was to them, and they were funny. They were comedic. But ultimately, I think in InfoSec, we've got to move away from that attitude of everyone's stupid except me and try to get more inclusive.

Lauren Proehl: Yeah, there's something to be said about it like, Jamie, I think you said it perfectly, which is just giving users, especially users, but I think fellow people in InfoSec a little bit more grace. I come from a very ivory-tower job role where I can buy VirusTotal. I can speak with preeminent threat intelligence professionals and be like, hey, is this Salt Typhoon or is this cybercrime? Like which is it, right? And then I also remember when I was a junior SOC analyst one year out of college and I didn't have those resources, and so some of the solutions that are being proposed out there didn't work for me or didn't work for my users. That's the tone we've really tried to set with THOR Collective is, hey, there's best practice. There's also other ways to approach this. How can we be helpful in multiple different ways for people in different situations?

Jamie Williams: I love that, and I think -- I always think of carrot and stick, and I think that's like the carrot approach of like, let's try to be graceful and nice. But like potential hot take, the other side of that is like as an industry, like we actually don't really solve that much. Like we kind of just -- we don't really eliminate threats. We don't eliminate risk. So like if we actually gave ourselves a report card, it's like, okay, not to -- you know, I'll pick on Microsoft because we're on a Microsoft podcast. Like the elimination of macros in Office documents.

Sherrod DeGrippo: That was a win. That was a big win.

Jamie Williams: A huge win.

Sherrod DeGrippo: Got a massive win for Microsoft.

Jamie Williams: Exactly. Amazing. Literally changed the landscape.

Sherrod DeGrippo: Thank you Clippy.

Jamie Williams: But like in the bigger picture, we just like shifted and we're like, okay, cool.

Sherrod DeGrippo: Oh, yeah, absolutely. It's a process, not a product, to quote my personal acolyte, Bruce Schneier. Yeah, I know he's wild, but he has said some incredibly important things. We are on a security process. It is a process of security that we are going to have to work, and when we do something like take away the ability to automatically enable macros in Excel, Word, et cetera, threat actors are like, whoa, you took away my cool, easy threat vector. Gotta find a new one now and --

Jamie Williams: Right, and like we're sitting back and we're like, why would a user ever open like an ISO file, like a container in an email? And we're like, oh, because they're -- I don't know, like their lure makes sense. The context is there. We're seeing zip files, ClickFix. So it's like exactly to your point. I always think of it like very similar to like health. Like we're not going to really like cure anything. We're just going to perpetually treat and kind of advance what we can do and how we can diagnose things and how we can kind of like at least create comfort and create safety. But you're really just kind of kicking the can around and risk. So at the same time, like, I guess the bigger takeaway is like, don't be a jerk because we're not really making it super easy for people to do the right thing.

Sherrod DeGrippo: I also think the concept of security is subjective, and if you -- you know, your CISO comes up to you and says, hey, is our organization secure? No one should be saying yes. Everyone should be saying, well, it depends. It's sort of, you know, a feeling, a vibe, there's levels, there's context. There's a lot of things that go into saying whether or not we're secure, and I think that that's part of sometimes, honestly, I think what draws a lot of very creative and interesting and super weird personalities to InfoSec is that we're taking a very subjective thing and we're trying to apply objective measures to it, right? Security is very subjective, and we're trying to say, this is secure. This is secure to this degree. This is not secure, but it depends.

Sydney Marrone: Such an analyst answer. It depends.

Lauren Proehl: It's the right answer, or I could just say, well, we have 100% coverage and we're unhackable, and --

Jamie Williams: That would be a first.

Lauren Proehl: Boardrooms love it.

Sherrod DeGrippo: A sticker that says that we have 100% coverage, and we're unhackable. Then you just like mic drop and leave the conference room. Is that what you do?

Lauren Proehl: Yeah, that's my job. No, no, it depends is a frustrating answer, I think for business people, but it's the right answer. And Jamie, your personal health analogy makes a lot of sense. When I used to be a consultant, people are like, okay, so if I just enable MFA, I'm never going to have to worry about getting breached, right? And it's like, well, that's like saying if I wake up early, I'm going to be like fittest man alive. And like, no, like there's levels and layers to this, but it does not guarantee an outcome, right? It's a statistics game. It makes you a more prickly target for the threat actors, and maybe they're going to go on to another.

Jamie Williams: I absolutely hate absolutes. Like never, like that kind of stuff.

Lauren Proehl: There are no absolutes.

Jamie Williams: The other analogy I always use is like, it's getting back to your marathon habits. Good for you. It's like, rather than like going from like full sprint to walk to full sprint or walk, like it's really just how do you build that marathon pace? And like, whether it's running a 20-minute mile down to 15, down to 10, like whatever it is, comfortable. Like how do we continuously build? Just because exactly you said, I think -- Sherrod, you had an excellent point. It's a weird mental state that a lot of us are in because we recognize that like, we're never going to win the war. The war is never going to be over. We're just like winning tiny battles. Like, oh, we defeated macros with the understanding, let's celebrate the hell out of this. Amazing. Next week, something is going to happen. Something weird is going to show up. Adversaries never stop innovating, whatever, whatever. But like, let's, you know, as much as possible, recognize the victory, what the forecast might still grow into something. At least we embrace it. It's interesting.

Lauren Proehl: Yeah, Sherrod, can Microsoft fix the toll scams going on because I think there's like eight warrants for my arrests for unpaid tolls.

Sherrod DeGrippo: I got that one too. So actually, I can address a little bit of that. Unfortunately, they do come in as SMS text messages, which is not something that Microsoft has a solution for. However, SmartScreen, I believe, is detecting if you go to the URLs where they try to get you to pay, many of those are blocked. So I've looked at quite a bit of those. Obviously, as we all know, in detection engineering, it's a constant back and forth of new landing page goes up, new detection blocks it. New landing page goes up, new detection blocks it, but for those of you who haven't gotten those there is a -- I live in Georgia and it said that I had Peach Pass, which is the Georgia Toll -- automatic toll payer app or whatever it is. Yeah, and yours said you were going to get arrested?

Lauren Proehl: Yeah. They were like, if you don't pay this, we're going to issue a warrant for your arrest, and it's for like DC. And I was like, oh, Jamie, what happened last time I came up to ShmooCon that I don't remember, right?

Jamie Williams: Road trip, yeah.

Lauren Proehl: Yeah. Yeah, they, I think they've gotten a lot more persistent, and I mean, like, like we've talked about, right? I'm hoping to stop these before they get to my grandmother, because like, that's the whole reason I'm in this. She's not going to be able to right click, report as spam block, like know how to do anything except play cards on her computer. So that's where we come in and try to stop this before it gets to the end users.

Sherrod DeGrippo: It's incredible that social engineering is so -- it really is like the persistent gift that keeps on giving to threat actors, and ultimately, I think what we know is that social engineering has been around for thousands of years, and it's just technology enabling it at scale, right? That's just what these threats are. It's social engineering, and it's you take technology, and instead of having to walk up to one person on the street and tell them, you know, some tale, you can send that out to millions and millions of people all at once with the click of a button.

Jamie Williams: We have a Boris sighting.

Lauren Proehl: Boris.

Sherrod DeGrippo: Yeah, everyone, they can't see because of our audio, but Boris is in the frame. My dog Boris, he's laying on the payphone.

Jamie Williams: As one does on a glorious Friday evening -- afternoon in a global forum.

Sherrod DeGrippo: Let's go around. I'm going to start with Sydney. Sydney, the term thrunt. What are your feelings?

Sydney Marrone: I am an advocate. I have made many thrunting stickers and front stickers. If you know me, you know that. So I am, like I said, an advocate.

Sherrod DeGrippo: Pro-thrunt. Okay, Jamie, thrunt?

Jamie Williams: Pro-thrunt through and through, and I think I forgot, was it like somewhere in The Collective's post, but Sydney outlined it perfectly. Thrunt is not like a process. It's not a tool. It's a community. So it's thinking about the people and the sharing and all the feels and the vibes. So, I mean, it does mean threat hunt, but it means so much more than that, as well.

Sherrod DeGrippo: Lauren, thrunt or not thrunt?

Lauren Proehl: It depends.

Jamie Williams: Oh, dagger, nice.

Lauren Proehl: Pro-thrunt in the community. I think it is a community thing. Anti-thrunt in a corporate setting or in like a like -- I'm not, I'm not using it at work. I don't expect Microsoft to come out and put thrunt on their decks, right? That's not what it's for, right? That's what threat hunting is for. Thrunt is for the people and the community or collective dispatch, but thrunt is for the people.

Sherrod DeGrippo: Thrunt is for the people.

Jamie Williams: That was a million-dollar answer.

Sherrod DeGrippo: Yeah, that was so good. That's why you get paid the big bucks. For me, I love to say thrunt because I find it's -- people, it's just so irritating, and I just -- like I have the troll soul. Like my, the deepest true core of who I am is the ultimate internet troll. For anyone who knows me well, you know, I am a deep, deep troll, and I feel that thrunt is a kind of the lingua franca, if you will, of, of trolls. I like that.

Lauren Proehl: You know, I -- people have such a visceral reaction to it, and I get like, it's kind of like in line with how moist feels when you hear it.

Sherrod DeGrippo: Oh, yes. Like, gross.

Lauren Proehl: Like, like it's visceral, but also like, it's just shortened. Did people object to DFIR being shortened when it was around, like, or CTI or whatever? It's hard for me to wrap my head around people being like, oh, my God, I can't believe people are using the word thrunt. And I'm like, it's on a blog with memes. Like, yes, there's a laser-eyed Bob Ross at the bottom of the page. Of course we're using the word thrunt.

Jamie Williams: I love that that's the meme you remember. I really appreciate that. One of my favorite stories is like, bless your heart, Lauren, amazing. So I was doing this like -- what was it -- TOP Red talk in Vegas, and like, Lauren's flying in. I was like, oh, like, I'm going to try to make it. I think your flight was late or something. You landed like 30 minutes early before the talk. So like, I'm like, oh, no worries. Don't, don't worry about it. Like, it'll be fine. You rush, come in with your bags, sit down. So I'm like, oh, crap. Now I actually have to do like a really, really good job. Because like, I've traveled day-of stuff, and I'm like, I know you're like stressed out, headache. You've got airport clothes on, whatever. So I'm like scrolling through trying to put on a show. Every meme, I just like, I hear everyone's laughing, whatever, whatever, whatever. Very distinct. I was like, LP, laugh, perfect, perfect, perfect. I'm like, that is my, like -- everyone here, I'm glad you enjoyed us, whatever. Like, my signal for success is like, absolutely dialed into you. And like, so really --

Lauren Proehl: I appreciate that.

Jamie Williams: Really, from one meme fan to another, respect.

Sherrod DeGrippo: A meme connoisseur, yeah.

Jamie Williams: Yeah.

Sherrod DeGrippo: You and Sydney have the best meme game, I think, in InfoSec. I'm over here like a 60-year-old man, like, referencing things from like 2012 because I think that's when my pop culture meter stopped. But you all have really hit it on the head, and InfoSec should be fun.

Sydney Marrone: It should be fun because I feel like there's so much stress, and it's so dramatic, so much the rest of the time, and also, the personalities are, frankly, exhausting, okay? I -- everyone listening to me, you exhaust me, but I'm never leaving, and I love everyone, but I think that we're at a place where, like, I think that's why I love InfoSec and why it's my career, is because the absurdity, the embracing of absurdity is so universal across the industry. Most people are just like, well, that's ridiculous. Yeah, I'll take it.

Jamie Williams: And how many, like, especially in D.C., like, everyone talks about their job. Like, we are so job obsessed. Like, it's our personality, and like, everyone has hills they'll die on.

Sherrod DeGrippo: Yeah, it's my identity.

Jamie Williams: Right, and like, they have very strong opinions about everything, and it's like -- it's not unique to us, but I think it's definitely a defining characteristic of just who we are, is like, these nerds who just, you know, very, you know, experienced a lot of wins, losses, and we're just not afraid to tell people about it.

Sherrod DeGrippo: I love it. Something I tell people, like, newer in career, even people who are, like, trying to figure out, like, what they want to do next, in InfoSec, I'm telling you, you are paid for your opinion. You are valued for how you feel, what your point of view is, what you think is important, because it is so subjective. Your point of view gets you further. Sharing your opinion, sharing your editorial commentary, those are the things that get you further in your career and get you further in your objectives. So don't be afraid to have your opinions. Be kind, but say how you're feeling.

Jamie Williams: That's, like, one of my favorite themes of, like, talks is that exact, like, you, again, someone in the room has to be the voice, but at the same time, all of us, raise your hand if you've never been wrong. And it's like, you kind of have to -- it's an interesting, I love hearing the greats. And like you said, the kind of, you know, pioneers of this industry highlight that back end of, like, at the time, this made a lot of sense.

Sherrod DeGrippo: Yeah.

Jamie Williams: Or this decision was really good, but in the full perspective of things, obviously, hindsight is 20-20. But I just think it's such a -- again, it's like you said, it's so subjective and it's so vibey. But at the same time, silence is probably the worst answer. So even if -- it takes a lot of confidence and a lot of, obviously, empowerment and is why community is such a big thing with us, but I think it's, that's one of the, at least for, like, mentoring and people that are more junior or just, you know, anywhere in your career. I love what you're highlighting in terms of, you have probably a perspective that exists -- is pretty unique to you and exists because of your, you know, background, education, whatever it may be. So, like, don't overwhelm people. But at the same time, don't kind of let that, whatever that insight might be, just kind of die and fizzle out. It's a really tough balance, but that's the game we signed up for.

Sherrod DeGrippo: And it's the game we're going to win. We're playing to win, Jamie.

Lauren Proehl: Yeah, yeah. Well, I think we're just winning the battles is what Jamie claims. But, yes, the war is forever.

Jamie Williams: Yeah, you win long enough to hand it off to the next, you know, generation of generals.

Sherrod DeGrippo: Well, I want to thank Lauren Proehl, Sydney Marrone, Jamie Williams for joining me on the Microsoft Threat Intelligence Podcast. That was fantastic. We'll put the link to the THOR Collective Dispatch in the show notes so everyone can check out this great post and subscribe to all of the things that they're sending out there in the new world of thought leadership for information security threat hunting. Thank you all for joining me.

Sydney Marrone: Thank you.

Jamie Williams: Thanks for having us.

Lauren Proehl: Thank you, Sherrod. [ Music ]

Sherrod DeGrippo: Thanks for listening to the Microsoft Threat Intelligence Podcast. We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode will decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out at msthreatintelpodcast.com for more and subscribe on your favorite podcast app. [ Music ]