The Microsoft Threat Intelligence Podcast 11.1.23
Ep 5 | 11.1.23

Octo Tempest Threat Actor Profile
Sherrod DeGrippo: Welcome to the "Microsoft Threat Intelligence" podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week, dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries and shape the future of cybersecurity. It might get a little weird, but don't worry, I'm your guide to the back alleys of the threat landscape. [ Music ] Hey and welcome to the "Microsoft Threat Intelligence" podcast. I am joined today with some Microsoft threat research experts, threat analyst experts and we're going to talk about a blog that just dropped from Microsoft Threat Intelligence and Microsoft Incident Response groups previously tracked as DART and MSTIC. And we're just going to dig into this threat actor and some of the TTPs that we're seeing, a threat actor called Octo Tempest, you may have heard of them, 0ktapus, Scattered Spider, UNC3944. Hey, team. Welcome to "Microsoft Threat Intelligence" podcast.

Expert 1: Hey, glad to be here.

Expert 2: Thanks for having us.

Expert 3: Hey, Sherrod, thanks for having us.

Sherrod DeGrippo: Thanks for joining me. So, this is a very intense blog. Like there is a lot going on in here. You've all read it. It's a far-reaching read. I mean, we're seeing in this timeline they're going all the way back to October 2022 with stuff about the tradecraft being used here. This threat actor, I mean, for all intents and purposes, let me ask you your opinion here, it is financially motivated in a crime group, but, when we talk APT, I would definitely give them that advanced and persistent tag. What do you think in terms of the advanced and persistent side of it?

Expert 1: So, I'm not so much sure as advanced as they are very persistent, and the way that they do things is - some of the tools that they're able to use and the way that they use them is very ingenious. They're essentially reimagining some old tried and true techniques. But I'll let the others chip in and see if they have a different opinion.

Expert 2: I would agree with that statement. And they're highly effective. And I don't want that to be lost with the previous comment there. And it's because they use - they exploit fundamental weaknesses in organizations where there's breakdowns in security. And they're very effective at, as previously stated, tried and true techniques like social engineering. And they're incredibly persistent once they've found a victim that they are interested in and they keep coming back and back and back until they finally realize success.

Sherrod DeGrippo: Okay. And, in the blog, it says, kind of to that effect, like they progressively advanced their motives, targets and techniques. So, like they are tracked in this particular blog that came out from early 2022 all the way up to mid-2023. And it looks like they continue to just kind of upskill their craft over and over again. It looks like there's a big array of TTPs. You mentioned social engineering, which I want to get into, but the thing that freaks me out the most about this is the SIM swapping. So, could one of you kind of walk me through, for people that might not know, what exactly is SIM swapping and why is it such a problem?

Expert 1: Essentially, at its core, what happens with SIM swapping is if an adversary is able to quote/unquote "swap your SIM," they're able to essentially transfer your phone number to theirs. So, it defeats things such as SMS 2-factor. That's one of the ways that they utilize that. So, it actually - in one of the engagements how it all started is a user note - actually noticed - woke up and noticed that he had lost cell service. None of his messages were going through. And then there were certain accesses to his account that he couldn't actually get into because he couldn't use his phone. So, that's how the whole thing started. So, at its core, that's what SIM swapping is.

Sherrod DeGrippo: So, would you say then that like if somebody wakes up and their phone isn't connecting to their cell network that they are potentially looking at SIM swapping?

Expert 1: It could be. Right? That's one of the ways that you could recognize or realize that you may be a victim of SIM swapping.

Sherrod DeGrippo: Okay. And I also see in here SMS phishing employee phone numbers with a link to a site configured with a fake login portal. And then they use adversary-in-the-middle. That's a tactic that we've seen across a threat landscape in terms of sending links. They're using SMS to do it. Are they specifically going through - from what it looks like, they're specifically going through and collecting lists of employees that they can then SMS phish with something really - like really crafted and configured specifically for that particular employee. Is that a big part of the TTPs here?

Expert 1: Right, it is. And I think that another reason why they do it through SMS is because most - some organizations may not have visibility into that like they would normal phishing, right, because if you get a phish, it's going through email filters, you may have certain email protections in there. However, with SMS, maybe orgs don't have that same visibility so that if a user does click on their personal device, there's really no visibility or way to respond within that. Unless, of course, you're using some type of MDM for that particular user.

Sherrod DeGrippo: Okay. So, basically, that SMS vector is essentially really attractive because it's out of the visibility of an enterprise security program.

Expert 1: Right.

Sherrod DeGrippo: Okay.

Expert 1: It can be. Again, for most of them, I mean, how many of us our personal devices are actually enrolled in some type of MDM for our companies? Right? So, it's common for work phones. But, again, a reason why I think they target personal devices is to avoid that visibility, like I mentioned before.

Sherrod DeGrippo: And, so, something else, like if they're collecting lists of employees to send SMS phish targeting to, it also, in this blog, says that they're using enumeration and information gathering on those environments both - it looks like on people, systems, et cetera. So, from what we can see here, what is that initial reconnaissance like ahead of time? Is it really thorough? Is it quick and dirty? How much of that reconnaissance does it look like they're doing initially?

Expert 1: That's a challenging question to answer because, prior to their engagement with a victim, it's difficult to know like how much is done on like open-source research against employees on social media and some of those you may never know. But I think this speaks back to one of your earlier points about kind of the wide gamut of things that they use and how they keep upscaling. And it comes back to the research. And I think one of the things that makes them very good at what they do is that they - and their social engineering and their success rate and how well they are - how good they are at phishing their targets is their research. And something that helps them with their TTPs is that they're not afraid of tailoring what they're doing to the specific organization. So, it's obvious from how well they craft some of their phishing messages at times that they've done extensive research against some of these organizations because of how well the message is crafted to blend in with what normal for that organization would look like. And I'll yield to comments from my peers here as well.

Expert 2: Yeah, I think I'll piggyback off of that in they're also - I wouldn't say unique, but they are very efficient at let's say utilizing data that they may have compromised in prior breaches, right, looking through that data, seeing if there are any individuals that work for companies that they may want to target. And then they'll go ahead and target that specific company. And then they also - you know, because of that prior intrusion they have specific data or may have specific data, PII information so to speak. We have been a part of some engagements where the threat actor was in the midst of social engineering the help desk personnel. They were going through, the help desk personnel was doing their job and they asked for a second form of identification. In this case, it was a Social Security number. And, in these recordings that we were allowed to listen to, the threat actor would pause for maybe a minute or so and then they'd come back with the actual Social Security number of the victim that they were targeting. Right? So, they combine and they're able to leverage all of that in order to utilize and get an initial foothold into an organization.

Sherrod DeGrippo: So, they can actually be challenged - in an IT help desk social engineering scenario, they can actually be challenged, "I need additional identification from you," and produce a Social Security number within a few minutes on that phone call.

Expert 2: Yeah. It's actually happened more than once.

Sherrod DeGrippo: So, that is super, super fast. That's crazy fast. And then the other thing that I've heard, and I'd love to get all of your opinion on this, something we've watched over the past several years are all the reports that come out about dwell time. Like what is the dwell time between when a threat actor, any threat actor, has access to your network and they begin the encryption process? So, for ransomware-type events, what is that dwell time? And, you know, years ago, it was like two or three weeks, a month, a couple months. And everything that I've heard about this threat actor is that their dwell time is incredibly short. Compare and contrast for me, help me understand, when it comes to Octo Tempest, where do they fall in that dwell time hierarchy?

Expert 2: That is - the appropriate answer to that is "it depends." And nobody likes to hear that answer because it really depends on their victim environment and the security measures in place and the credentials that they access the environment with. But, on average, their dwell time is very low. And I mean that they're very fast. I've personally witnessed them go from initial access to spinning up their own infrastructure in a victim environment in under three hours.

Sherrod DeGrippo: Three hours is super fast. Like I think there was a DBIR report last time that was like - that gave a dwell time of like 24 hours. This actor, from everything that I've heard about them across all of the different reporting that I've read, it just sounds like the dwell time is so short that it almost makes it - like the game is really - the deck is really stacked against you as an enterprise in terms of discovery to prevention.

Expert 2: Again, it depends on your environment. And it depends on the control mechanisms that you have in place. It depends on the mitigations that you have in place. Because that's something that we always are discussing with customers and with clients is at one end of the spectrum you have all the security posture and all the security mechanisms that you could possibly put in place on an enterprise. And on the other end of the spectrum you have business alacrity and business productivity. And they're on opposite ends of the spectrum. And each business finds somewhere on the spectrum that's comfortable for them. They have to allow productivity and they have to make a business risk decision of how many security measures they're going to put in place to allow that to exist in a secure environment. And the more that you have in place, the more mitigation, the less privilege escalation you can see. The more you can slow a threat actor down, the more signals that you're going to have to witness them earlier and the faster you can remediate. And it's all about getting customers comfortable with being more secure, having more telemetry, having more signals and realizing that there are ways to do things in a more secure way that isn't going to impact your business productivity, but it might inconvenience users as they adapt to them. If that makes sense.

Sherrod DeGrippo: Yeah, sure. I think that that's a pretty common - you know, the business is always competing against the security. Right? Like I think making business super, super, super easy to do a lot of times isn't the secure way to do things. And, so, you kind of have to find that balance. Let me ask you this from a technical angle, what is the malware angle here? Because malware has traditionally always been like the initial access vector for a lot of stuff. Are they leveraging malware? I see a lot of mention of open-source tools. Obviously, they do a lot of living off the land. Are they leveraging much malware?

Expert 2: So, they don't leverage a lot of malware. They have in some engagements. But, generally, they are utilizing - they're living off the land. Right? And one of the things that this threat actor's really good at doing is leveraging an organization's own security controls against them. For example, in one engagement, they utilize three or four different RMM tools that one of which the customer did use, but the other three they didn't. And, so, from their standpoint, why go about using malware when you can accomplish the same thing with legitimate software? Right? You can utilize legitimate software for malicious purposes. And, that way, you know, you don't have to worry about security tools or a dip in alerting and things like that. You're relying on organizations to be aware of different softwares and applications that are in their environment. Which is, in some cases, a lot harder to identify than let's say malware. But, again, that's not to say that they haven't used it entirely. We have been on engagements where we have seen them leverage tools in which to push out whether it be ransomware or infostealers and things of that nature. But, normally, by that time, they've already had a - put hold on the environment, they've been in there for a little bit, they're typically modifying some of these security tools in which to allow this malware to run. Because, normally, those security tools will block it, but they do a good job of, like I said, modifying some of those security controls in which to allow the malware to run.

Sherrod DeGrippo: And there's a whole section about that in this blog - the security product arsenal sabotage evading defensive tools in this blog. And one of the things that it says is that the threat actor modifies the security staff email box rules to automatically delete emails from vendors that might raise the target suspicion. So, why would it - why would a threat actor do that? What are they getting when they actually go to the point of editing mailbox rules? What are they getting for that?

Expert 2: Oh, again, it depends on which vendors they're modifying and the context in which they're modifying the emails. In some cases, where if you have like a vendor who was previously compromised by the threat actor and was trying to notify the customer that they were impacted, you can modify the inboxes to prevent notification of their victim that they're impacted. In some cases, they have also modified vendor emails for like EDR tooling so that they're not receiving specific email notification alerts, but when they go and look at the EDR tooling, the alerts are unmodified. So, they're not modifying any of the tooling under the hood, so everything looks normal, but they're not receiving email notifications. So, like if you have alerts set so that you receive email notifications for specific criteria on the weekend when most of the staff is not in, those just are deleted that you never see them.

Sherrod DeGrippo: I mean, to be honest, it's like quite a clever, you know, thing to do, right, is it's not like a toolkit or a piece of malware or - it's like just a operational security choice of hiding your tracks.

Expert 2: Right. And, again, this is part of the, you know, reimagining some of these tried and true techniques that we've seen adversaries over the years employ, because every single business email compromise case that, you know, most of us can think of, whether it be advanced or your common script kiddie, will go in there and modify an inbox rule, right, just to try to hide their tracks. But, in this case, it's different. They're trying to, you know, hide certain alerting and things of that nature. So, it's just reimagining some of these tried and true techniques.

Sherrod DeGrippo: In the blog, there's an analysis graphic and it shows all of the different TTPs across initial access, discovery, creds, defense evasion, persistence and then objectives. And that defense evasion part is really, really fascinating because it says that they're leveraging the EDR and management tooling, which I think it takes hands-on keyboard to really do that. So, is that something with this threat actor? Are they super, super bespoke hands-on keyboard really involved maybe compared to other threat actors?

Expert 2: Absolutely. I'll let the others chime in. But, yeah, absolutely.

Expert 1: This is where it comes into the resounding theme of research for the environment that they're in is that they will spend the time to figure out what tooling the victim has and what looks normal. And they will attempt to use it and they will research what is in the enterprise that they're in and try to use the tooling of the victim against them so that it blends in as much as possible so if they have management tooling already, they'll try to use that and in a non-standard way to achieve their goals, as my colleague previously alluded to, because it's hard to detect what is normal and not normal when they're using the standard tooling within the environment. The same thing with the EDR.

Sherrod DeGrippo: It sounds like the - this particular threat actor is super like bespoke hands-on, very DIY, doing a lot of things moment by moment and managing the like second-by-second intrusion. Which is on a spectrum of like the other side of that coin is threat actors that we see, especially in the financially motivated side of the house, that just like spray things out, like just massively blast out email campaigns full of, you know, a cred phish landing page or a multi-stage malware download, and they just kind of are hoping for the best. It sounds like Octo Tempest is very specific and very moment-by-moment involved with that intrusion up to the ransomware point.

Expert 2: Right. I would agree with that. There have been instances where literally it's almost - to borrow the phrase, it's almost keyboard-to-keyboard combat. Right? You block one instance and then in the next, honestly, 17 minutes, you know, there's another hands-on keyboard, there's another identity, there's another shift between persistence mechanisms. There really is something that is intense as far as when you're responding to an incident with Octo Tempest. We know they're fast, or they can be fast, but it's also you know that you're actually going against another adversary who has hands-on keyboard. And, like my colleague said earlier, they are very, very persistent. Sometimes when you respond to certain incidents, maybe adversaries will, you know, just take what they have and run. But Octo Tempest will like to stay in and they will keep coming until you shut them out completely. And, even then afterwards, depending on the target, they are going to keep trying to probe and see if they can get back in. So, it's definitely something that is a little bit different when dealing with certain adversaries.

Sherrod DeGrippo: When you say 17 minutes, what's happening in 17 minutes?

Expert 2: There was an instance where we were engaged with a customer who had an Octo Tempest issue and we had cut off one instance of their persistence mechanism. And then, within 17 minutes, they had shifted to another persistence mechanism. So, it's very fast.

Sherrod DeGrippo: Man, these people are stressing me out. Just hearing about this is very stressful to me.

Expert 2: Well, I mean, I think you need to frame it in the standpoint of, like you mentioned earlier, other groups that just, as you said, use the spray and pray kind of automated mechanic of we're going to blast out a lot of phishing emails, we're going to see what we get and we're going to grab what we can and we're going to go, versus this group who takes the opposite approach of we're going to do the research, we're going to directly engage their victims, there's not a lot of automation there, and we're going to do kind of like a low-density, high-success, high-human interaction with the victim organization. Because it has to be that way because we're - they're tailoring their TTPs and their methods to that specific organization, so it has to be more interactive on their end to fit that mold.

Sherrod DeGrippo: And do you think, as they're compromising and like ripping through an organization, are they making choices or does it seem like there is an established roadmap of a plan? We're going to go here, we're going to do this, we're going to go here, we're going to do this? Or does it sound like they're making a lot of decisions on the fly?

Expert 2: I mean, I think that they have an overarching playbook that drives them and that puts them down certain decisions on their side, because you can always make a prediction of what they're going to do initially and they're going to research the organization and try to find out what's within an organization, what level of access that they have and how an organization likes to do business and manage their IT. And, from that research, then they make their decisions on how they're going to continue to engage that victim organization.

Expert 1: That's a good point that was just raised. When we see them gain initial access, normally they're targeting specific users, let's say an IT user or something like that. When they gain access or find the level of access that they want, what they'll do is they'll scrape the entire environment for information about how this environment works, what are the egress points, what are the ingress points, where is your VPN, how is - do you have 2-factor in front of your VPN, how is that set up, how does your user provisioning work and things like that. So, they're doing a lot of research. They're scouring different repositories. For example, depending on the type of organization, you know, they might scour your code repositories and things like that for secrets. Right? They're trying to gather as much intelligence about your organization as they can in order to do what we had just mentioned to make those decisions to try to stay as persistent as possible within the environment.

Sherrod DeGrippo: So, it sounds like they're doing that reconnaissance and intelligence collecting before the actual operations actually start against an organization, and they're still doing it, is that correct while they're inside?

Expert 1: Right. So, like I said, it's hard to know what they're able to gather through open-source intelligence beforehand. But, once we have seen them inside an organization, they almost always try to gather that specific information, as much information as they can, about the organization and ways to stay persistent, how their IT processes work. In some instances, we - you know, we'll see them go through certain personnel - IT personnel's email to try to gather more information about the ins and outs of the org, who may need to contact who for what type of permissions, what type of access, so.

Sherrod DeGrippo: Does it sound like those profiles, those personas, like the responsibility areas of the individuals that they - that Octo Tempest likes to target are like help desk people, admins, stuff like that, are those the primary types of people?

Expert 1: So, that is definitely one aspect. They do like to target IT individuals and people with access. Right? But I think sometimes it is - it's kind of like I mentioned before where they're able to leverage some of the data that they were able to successfully actually trade from other organizations and then use that to then pivot and try to target other orgs. So, I'm not going to say that's the only individuals that they target. Sometimes, you know, if they have information about a particular person that works for x company, I'm sure that they'll start with that and then try to move laterally and see if they can move laterally to other higher privileged users. But I'm not going to say that's the only one. I don't know if either of my colleagues have something they want to add to that.

Expert 3: Yeah, I would say that's right. I think primarily what we're looking at is the extensive recon that's done by Octo Tempest. They look at whoever they can find that works at a certain company that they're targeting, whether it's through open-source research, and they're really effective in finding individuals that they can get elevated like PII access to. And they can find their Social Security numbers, they can find their other pieces of personal information that they can use to - when they call up the help desk or try to socially engineer somebody else. And I think a lot of that stems back to if you think about like who Octo Tempest is and kind of how they started, right, when they have - when they started with SIM swapping activity and cryptocurrency thefts, time and research was really needed for those activities. They needed to know everything about a target, they needed to know how they can gain access, how they can social engineer their way to access. And I think it also speaks to how fast they are because, you know, once they SIM swap somebody or once they're attempting to, you know, steal cryptocurrency, as they did in the past, right, time is not on their side. They have to move very quickly. So, I think that's where we see a lot of that type of tactics roll over to what they're doing now, especially this year.

Sherrod DeGrippo: I keep hearing the word "fast," they keep being described as very fast. Which I think is part of the interest in this as a threat actor group because it does create that like keyboard-to-keyboard, as you were saying before. And I also think organizations - you know, the savvy organizations, when they read these profiles on this threat actor, are seeing how fast they are. And it's really, really deeply concerning that they're able to just like snap their fingers and turn around, you know, a breach into a ransomware event.

Expert 2: Well, I think that part of that is necessity because not every victim organization is - the hyperbole I'm going to use here is incompetent because a lot of the people that they target are highly competent organizations that can respond and do respond and respond quickly. And they have to move quickly because they know that they're going to be detected at some point.

Sherrod DeGrippo: It kind of increases the stakes. And I think it's really interesting that there is this sort of personality of this threat actor group, from what I can tell. You know, they've adapted to become this particular kind of like almost digital crash and - you know, like smash and grab kind of situation, but they are grabbing potentially millions and millions of dollars. Speaking of that, let me ask this. It looks like final payload is primarily BlackCat. Is it always BlackCat ransomware? Is it always ransomware? What are we seeing in terms of - it's listed as BlackCat in the blog. Are there other variants? Are they doing stuff other than ransomware? What's the end game?

Expert 3: Yeah. Typically, what we see is a mixture. I think the goal, right, is financial gain. And a lot of that is - when they started in 2023, it was through extortion. They partnered with the BlackCat like ransomware leak site to extort victims by, you know, threatening to release information that they've stolen from the environment. Soon after, we started seeing deployment of ransomware. I think, to this day, we haven't seen anything outside of BlackCat. But I think, ultimately, their goal is to identify some financial gain one way or the other once they compromise these companies. One thing I wanted to add, too, that's kind of unique, and it's also listed in the blog, is primarily when you look at ransomware actors, they're in Eastern European regions or regions where Western law enforcement cannot reach them. This is kind of an interesting difference about Octo Tempest. As far as we know, you know, they're native English speakers, they are presumed to be in areas that are not in those traditional ransomware ecosystems or environments. So, they're playing a different game while still being in this ransomware ecosystem.

Sherrod DeGrippo: That's interesting. And I read in one of the other writeups, I can't remember who the vendor was that did the writeup on it, but it said that they're potentially - when they're doing the over-the-phone social engineering of like IT admins and stuff, they're like using fake accents. Have you guys heard that?

Expert 2: Yeah. So, we've had the privilege of listening in to a few calls. So, there are some fake accents. And, honestly, the - it probably speaks to some of the maturity of this group, but there have been instances of just obvious trolling. One instance that always comes to mind is they had social engineered the help desk into removing MFA and resetting the user's password. And this particular help desk agent was trying to be helpful and he was using I think a command prompt. And then the Octo Tempest person on the other end was like, "Oh, you're a ninja with that PowerShell. Man, I've never seen that before." Right? So, there's a little bit of - there's both, there's accents, there's trolling, you know, the whole - the full gamut. But I think I'll say, at least in the calls that I've been privy to, there's never been one where we sat back and were, "Oh, well, that's just perfect social engineering." Right? There's always some type of awkward pause, for example, like I mentioned before, that, you know, retrieving the Social Security number, I think there was maybe like a minute of dead air. So, there's always something. Right? Or, in some instances - actually, in a couple instances, the help desk agent, you know, would say, "No, this isn't right. I'm terminating the call," or, you know, "I know who so and so is and you're definitely not them. I'm terminating. And I'm going to, you know, start an incident." Right? So, they're not some social engineering savants. Right? There's some in some cases. And, actually, most cases that I've seen, there's always something there that kind of sticks out that should raise a red flag, you know, if help desk personnel are following proper training.

Sherrod DeGrippo: Got it. And, so, let me ask you about that then. What's one thing that you would say - and I'll open this up to all of you. But what is one thing you say - that you would say that organizations really need to do if they're trying to protect against this particular threat actor group?

Expert 1: Well, you asked the question on something that I wanted to bring up that my colleague just mentioned. And that's I think in just about every engagement that I've been involved in here where the help desk was socially engineered, one of the questions we ask is, you know, "Was help desk protocol followed in this instance where the password was reset or something happened that allowed the initial access?" And I think in almost every incident or instance the protocol was not followed. Or I think maybe in just one they just didn't have a very strong protocol for it. And because they engineered urgency on the call, they - whatever reason in the social engineering, the help desk just did not follow protocol and reset the password or reset the MFA. And if there's something to impart on organizations, it's to have a strong policy for how do you truly identify the person that's requesting the password change or the MFA reset and realize how important that is in terms of brokering access to your environment, and how do you track those, how often do they happen, who can actually do it, and are you auditing if the process is truly being followed. Because, in most cases, where we've been here, the process was just not followed this one time and this happened. And it just flew under the radar and they got in. And that would be something that I'd want to impart because one of the remediation steps that nearly all the organizations that we've worked with is they had to impose some pretty heavy-handed restrictions on that process so they got things back under control.

Sherrod DeGrippo: Any other things we should mention? Yeah?

Expert 1: Yeah, what I would add to that also is that users with highly privileged roles should be subject to stringent controls. So, that's going beyond just the 2FA with text messages. Right? We should try to - if you have highly privileged users, they should be subject to satisfying phish-resistant multi-factor. So, we're talking, you know, things like FIDO keys. Right? Because, just to borrow the cliché, right, with great power, comes great responsibility. Now, things that may be acceptable for your average users or would be - excuse me, unacceptable for your average user to go through, right, it's that - that - it's that balance of convenience versus, you know, the business processes versus security. So, an average user may not want to use a FIDO key, or maybe having session-enabled conditional access policies may be a little bit too much for the average user. However, for highly privileged users, those things need to be enabled. Organizations need to have control over the devices that they allow to authenticate to their environment. The same thing with where they allow their users to authenticate from. So, it might not be the same for average users, but definitely for highly privileged users there needs to be more stringent controls.

Sherrod DeGrippo: Yeah, I think that's a tried and true problem that we've had for a long time, right, is identity access management, secrets management, permissions management, least privilege, need to know, stuff that's written in colorful books going back 30 years. That really is security theory that it sounds like this particular threat actor group has been able to leverage and exploit to get into organizations that aren't doing the best practices they should be doing.

Expert 2: One of the low-hanging fruits that we always try to stress on our customers is if you have users with high levels of permissions, separate the account from their normal user account. And some people will roll their eyes and say that that's, you know, a fundamental security practice. But the application of that is not. And, in a lot of the compromises that we've dealt with in this threat actor, the person they socially engineered ended up being highly privileged on their normal user account. And that aided in the low dwell time that we referenced earlier in this episode. And, you know, along the vein of what can people do, what can organizations do is separate the privileges from normal user accounts.

Sherrod DeGrippo: I hope, though, this rundown and the blog, which is available on the Microsoft Threat Intelligence blog and it has a ton of hunting stuff, both cloud, Sentinel, threat intelligence reporting, this blog has a ton of stuff in it that I think it really makes sense for people to read and get comfortable with. I want to leave just with one topic that's a much bigger umbrella topic. And it's this. We have seen a trend I think over the past 12-18 months, certainly the past six months or so, where we are seeing red teams at organizations dissolved, reduced, et cetera. And we're also seeing, probably over the past two or three years, this idea that social engineering shouldn't be part of red team exercises because it's not particularly valuable. Some people say it's too easy. Any comments? What would you like to share in terms of red team role here and red team role of social engineering?

Expert 2: Yeah, I guess I'll start with the red team role in general. It really is - not only it's unique, but it's also important. It's extremely important for red and blue teams to be able to work together. They both serve different functions. And if you have a highly functioning red team and blue team, that goes a long way in protecting organizations. Now, as far as the social engineering aspect, you know, that can get messy at times, especially when you talk about, you know, corporate policy and what is and is not off limits. I don't think one of the things we had mentioned that this threat actor had done in the past would be to threaten certain users. It's rare, but we've seen it happen. I believe there's a couple screenshots in the blog as well. So, there's always that fine line. But I think, generally, organizations should assume breach, right, assume that a password is compromised and then, "Now what?" But, as far as the red teams and the usefulness of a red team, it really does - red team and blue team go hand in hand to protect an organization.

Sherrod DeGrippo: I love that, yeah. I feel like red team has kind of fallen out of favor a little bit over the past couple years. And I'd like to see a big resurgence there, especially with threat actors like this that are so incredibly creative. I mean, they're almost operating just with so much impunity and so much creativity, really the way a good red team would operate.

Expert 2: I think a lot of that - I used to be a red teamer before I switched I guess to the blue team. And I see a lot of the value. And a lot of what I run into is like, when you look at something like conditional access policies, and I sit down with the customer and I say, "What are your conditional access policies supposed to be doing," and they walk me through it, and I say, "Well, have you tested that these work," and they say, "Well, we think that they do," I'm like, "Well, that's what the red team is supposed to be doing. You have a design document for your conditional access, have your red team go in there and do that." If you don't have somebody doing that, how do you know your controls are working? And everybody wants to focus on like the annual penetration test. But are you testing your controls that your controls are functioning the way that you intended them to work? And, like as my colleague alluded to, like social engineering can get messy because everyone wants to talk about what you see at BlackCat and all of the conferences and the media, but just have someone call the help desk and try to get their password reset out of policy, that's a social engineering test. It doesn't have to be, you know, something high end or, you know, sketchy that pushes the boundaries of what's appropriate and what's not.

Sherrod DeGrippo: Yeah, I'd like to see, you know, some of the highly functional or red teams that are evolving go check this blog out, see which of these tools and tactics you're using, not using, you could potentially incorporate into your red team engagements, because there - this blog is a fantastic guide to a host of creative attack techniques that you should start incorporating if you're really, really trying to mimic real threat actors, because this is, in my experience, one of the most creative and prolific threat actors in terms of this short period of time that I've seen.

Expert 2: Yeah, definitely. They definitely do adapt. No two engagements are generally the same. So, that's been the unique thing when responding to some of these is the way that they're able to take, like I said, these tried and true tactics and put a different spin on them or reimagining some of the things that you can do with tools, legitimate software, in an environment. Right? So, we've seen them do things like leverage an EDR response capability in order to push out and do things on a certain endpoint. You know, who needs malware when you can just use EDR, right? So -

Sherrod DeGrippo: All right, before we wrap up here, any final things you'd like to share that everyone should know about the threat actor, or anything we didn't cover?

Expert 2: Well, I think, for me, one of the primary things to take away, from my standpoint, is that organizations are going to have to rethink their security posture to combat this threat actor. And, honestly, the inevitable copycats that are going to follow. So, like my colleague said before, this group was able to gain initial footholds into many organizations, most of which with very, very capable security teams. You know, they weren't peppering orgs with zero days, they were just reimagining some tactics - tried and true tactics. Right? And then I guess the second thing would be, as people are reading the blog, I really want to underscore this is the sheer speed at which, you know, they progress from initial access to just full domain dominance. Right? So, like we said before, it's not days, sometimes it's hours. So, just something to be aware of.

Sherrod DeGrippo: Full domain dominance. Wow. Anything else to add there?

Expert 1: I don't have anything to add on that particular point. But something that I did want to bring up, not just particularly with Octo Tempest, but in general in this day and age is organizations need to be posturing themselves to assume that the first factor is already compromised, assume that the password is lost and that the threat actor has the password. And you need to build your initial access controls around the assumption that the password's already lost, and how do you structure your alerting and your detection, your MFA and your conditional access policies around that. Right?

Expert 2: Yeah, defense in depth works. Absolutely.

Sherrod DeGrippo: When you're 100 years old, like me, you keep hearing the same things from the beginning of your career. See, I talk about the CIA, confidentiality, integrity, availability, almost like a couple times a week 'cuz it's that relevant still. But, yeah, things like 2-factor identity and access management, this threat actor really seems to know how to leverage gaps in those security programs that they can, you know, wedge in and start moving around just from one or two tiny mistakes at an organization. Thank you for listening. Thank you all for joining me. I really appreciate hearing from your perspectives. We've got a lot more to talk about in our next episodes. But, until then, make sure you go check out this blog on Octo Tempest. It's on the Microsoft Threat Intelligence blog. And thank you all for joining me on the "Microsoft Threat Intelligence" podcast. [ Music ] Thanks for listening to the "Microsoft Threat Intelligence" podcast. We'd love to hear from you. Email us with your ideas at Every episode will decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out,, for more. And subscribe on your favorite podcast app.