
How Microsoft Stays Ahead of the World’s Most Dangerous Hackers
Sherrod DeGrippo: Welcome to the Microsoft Threat Intelligence Podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird. But don't worry, I'm your guide to the back alleys of the threat landscape. Most organizations would kill to have even one of the capabilities that we're going to talk about today, the elite incident responders who drop in to respond to an attack in its tracks, or a world-class threat intelligence team that's tracking the world's most dangerous threat actors every single day. But here's the thing, at Microsoft those two teams work together, in real time, every breach, every intrusion, every day. In this episode, we're unmasking how our DART and MSTIC teams combine their superpowers to protect our customers. And most importantly, we're showing you how the same principles can help your organization move faster, reduce burnout, and stay ahead of attackers, even if you're not the size of Microsoft. I am joined by three incredible guests today on the Microsoft Threat Intelligence Podcast, Aarti Borkar, Corporate VP of Security, Customer Success and Incident Response, Simeon Kakpovi, one of our Threat Intelligence Analysts at MSTIC, and Andrew Rapp, a battle-hardened Incident Responder with DART. Together they have seen some of the most intense breaches up close, and they know what works when the clock is ticking. I am Sherrod DeGrippo, Director of Threat Intelligence Strategy here at Microsoft. Let's get into it. Aarti, how you doing?
Aarti Borkar: It's always good to be with all of you, so doing great today. I feel safe in your company.
Sherrod DeGrippo: You are safe, I promise you that. I am armed to the gills and anyone tries to mess with you, I've got your back. Tell us sort of how you kind of see the world when it comes to incident response and looking at things from the point of view of DART.
Aarti Borkar: Yeah, it's been a shifting answer, to be honest, over the last year or so. And I say that because I grew up in hardcore data and in AI, and then moved into security, and when I look at what's happening at our customers in the last year or so, the speed and the intensity of attack is just at a different level. So the magical work that MSTIC and DART do together that you're going to delve into is unbelievably important. But the shift for me in the last six, eight months has been we need to spend as much time proactively as we spend reactively, because the more prepared we are, the faster the response time there is. So when someone asks me how I looked on IR before and now, you had the luxury of taking proactive work as vitamins and expect the antibiotics of IR to race in and save you later. I don't think that's a choice anymore, it's not antibiotics versus vitamins, you've got to be ready every day, and then the IR team can help you solve the problem even faster. That's my two cents on where we -- I think we're going.
Sherrod DeGrippo: Taking that analogy a little bit more broad, I love it, overall would you say that the global digital landscape is healthy, sick, malnourished, doing well, fit? Where do you see the world?
Aarti Borkar: The half optimist and the half pessimist in me are fighting as I give you that answer. But I think there are parts of the world that are healthy and exercising, and there are parts of the world that are more couch potatoes than they should be, and --
Sherrod DeGrippo: [Laughs] Get up off the couch with your --
Aarti Borkar: -- free for all.
Sherrod DeGrippo: -- security program, people.
Aarti Borkar: Exactly. And my hope is that we can collectively get more of the couch potatoes in a healthy exercise routine, so they do their annual physical, they are actually working out every day, they are reading and keeping their mind equally occupied as their body, so that we're just ready, and ready for purpose, right? We need the security teams ready so that the companies can continue to innovate and so, yeah. I think I'm going to use that again, the couch potato analogy.
Sherrod DeGrippo: I like it. So let's talk a little bit to Andrew. You've been dropped into a lot of breaches. When you're on the ground, does having real-time threat intelligence from your MSTIC counterparts change your decision-making in the moment? Like what's --
Andrew Rapp: Yes.
Sherrod DeGrippo: -- actually different about that?
Andrew Rapp: Yes, it changes everything for us. And we're very fortunate to work alongside our colleagues in MSTIC and the Microsoft Threat Intelligence team. But when we land on the ground with a customer, data is everything. Information is informing all of our decisions from where we go investigate, as well as the tactical containment steps we're going to immediately take with that customer, right? So you know, know thy enemy, right, and if you know who that threat actor is and the patterns that they typically employ during one of their intrusions, then we can take some very precise surgical actions to help a customer, you know, remediate faster, kick the bad guys out, so to speak, and get that customer back to business as usual in a quicker fashion, right? That's really what this is about for us. For the Microsoft Incident Response team, for DART, it's about business continuity, it's about getting our customers through the event as quickly as possible, and so if we can inform our strategies with the knowledge that Simeon and our analysts at MSTIC have at their fingertips, then it results in better outcomes for our customers.
Sherrod DeGrippo: So Simeon, that's all you now. Tell me what is that like, and how do you take what you're seeing on the threat landscape from a threat actor and turn it into something that somebody on an incident can actually use?
Simeon Kakpovi: Before I say that, let me say that I have a very healthy respect for what the folks in Incident Response do. Having come from the SOC/Incident Response world, that is brutal. You actually have to see the entire thing end to end. You have to work with angry customers or executives. Everything's on fire. And things are a little bit more chill in Intel land, so I always will, you know, hat off to all the folks who are in Incident Response. That is not easy, and you guys do the grueling work, so major respect. From the Intel land, I always get excited when we get to work with DART, because it's a two-way street. You know, we get to provide the broad strokes of what the threat actor is doing. Essentially, we try to provide them with a cheat sheet that they can. When they go to the customer and they're looking around in that environment, we're telling you, "Don't waste time looking here, look here, here, and here, and this is where you will get the most bang for your buck," or, "Here's something that you might not look for." So we're trying to enable them to have the most impact as quickly as possible. But they also give us a vantage that we don't always see. When they're actually talking with the customers, when they're building those relationships, there's a lot of detail that we don't see at the high level that they're able to provide back, which allows us to ask different questions than what we might otherwise consider. So we're always thinking about how to make it a productive two-way conversation.
Andrew Rapp: If I can just pile onto what Simeon's saying there too, right, there's a great, I would say, circle of life, a closed-loop between Simeon and myself, DART and MSTIC. But what that results in as well for Microsoft is detections, protections, and capabilities within our product stack where we can go help all of our customers at scale, right? So this whole feedback cycle, even though we are dealing with a situation on the ground in real time, within hours it's making its way into Defender for Endpoint, Defender for Identity, the rest of our stack, and we're pushing out visibility and detections for our product -- for our customers at scale, right? And so it's a superpower that we're lucky to have at Microsoft, but one we take very seriously.
Sherrod DeGrippo: I think those are kind of the -- you know, I'll go ahead and say it, in my opinion, I think that's the holy grail of security is threat intelligence, incident response, and detection engineering. When those all work together -- and it has to be a feedback loop both ways between all three, where you are at an incident, you see something that Threat Intelligence didn't know, you get it to them, they get it back to you, you can make detection engineering decisions either within the product or bespoke detection engineering suggestions to our customers who maybe have network detection that we don't necessarily provide for them. Or maybe they have a specific process in their world that the threat actor has come to learn about, which is something we find out all the time, you know, when the threat actor especially in the crime-based world knows so much more about the business processes of the organization than the employees at that organization often know, which is scary, but you know, they put the work in to find that out. I think those three pieces, incident response, intel, and detection capability putting the engineering in, that's what benefits the global digital landscape security. That's what makes the difference between securing an organization and securing the world.
Aarti Borkar: So to add to the point you just made, Sherrod, the other side of my team is the Customer Success team, and so the third point that you made about the detection and telling our customers what they might not know about themselves, what comes out of the MSTIC team and the DART team in these engagements gets converted into proactive workshops that we then take at scale through hundreds of people to thousands of customers, helping them improve their posture, giving them the insights into their environments they might not know about, because we learned it in one place, kind of our responsibility to take it to all the other places where we can help.
Sherrod DeGrippo: Well, so let me ask you then on that note, defenders are tired. Girl, they are tired. So what is something that defenders can actually take home that can help reduce their fatigue? What is a vitamin that you would give them?
Aarti Borkar: I think -- I agree with you, by the way, the fatigue is very real. And it's not just physical, I think the mental fatigue is even more. The thing that we spend, Andrew and I spend time with our team on is being able to turn the brain off if possible for a little bit, because where that fatigue matters the most is you've got to be ready to go fight another day. And I had a boss a few years ago who used to say -- who used to pull from Roman mythology, he used to say that, "The strongest warriors in the Roman battlefield at the end of the day just made it back to camp, had blinders on. Anyone asking for help after battle, they didn't bother, because they needed -- their protection was more important, so that they could go protect, and save, and fight for a lot more people the next day." That philosophy of saying, "If I'm not recharged, I cannot go fight another day," is the philosophy we spend a lot of time on with our team, because we need them to detach, we need them to rest, and then when they are engaged, they are 110%.
Sherrod DeGrippo: And I think that goes back to the advice that we've all heard before, which is, "Put on your mask before helping others put on theirs." You've got to be able to breathe before you can get somebody else oxygen. So I think that's a great way to kind of look at it, especially in the defender and the incident responder's face. Because, you know, Aarti, you sort of started the conversation talking about how the landscape is accelerating, and if we have to deal with that accelerating landscape, we're going to get more tired, and more tired, and it becomes exponential.
Aarti Borkar: The other thing we spend a lot of time on is prioritization, because just spreading the peanut butter when we get multiple calls isn't a good practice. We will -- we look, we triage everyone who's asking for help. We get our people to the ones that are in the most pain and have a time crunch of sorts based on knowledge we know from what the MSTIC team provides sometimes, and then we've built a muscle of having a broader partner ecosystem that we can bring to bear, such that we give everybody who asks for help, help, but we're not using the same small team to do everything all the time every day. And that building of the ecosystem and the friends and family of DART has made a huge difference. So the prioritization and the ecosystem, and then as you said, putting your facemask on first, all matter.
Sherrod DeGrippo: I want to talk a little bit to Simeon about a specific threat actor, Storm-1152. But before I get into that, I want to talk a little bit just a little bit higher level, which is this, and it's personal for me, okay, guys, like everything. Simeon, I know about you that you started in nation-sponsored threat as a nation-sponsored analyst, and you have now been on the crime team for some time now, about a year, maybe, you've been in crime?
Simeon Kakpovi: A little bit more.
Sherrod DeGrippo: Little bit over a year. And I -- remember how excited I was, I was like, [laughs] "Simeon's going to crime, yes." What's that been like for the past year or so?
Simeon Kakpovi: Oh, man, it is a whole new ballgame out here. I think having been on the nation-state side, things are a lot more clear-cut. You know where the lines are, and you're essentially just trying to dig as deep as possible. I think switching over to crime, first of all, the language is completely different. I think all of the terms that people used, just understanding the ransomware-as-a-service ecosystem in general and all the different players that are within it and then how they interact with each other, and the nuance between that and how it's changing all the time, that is something I wasn't necessarily aware of, so it took me a lot of time just to get used to that in the first place. And then, you know, trying to understand an ecosystem where it's not a static ecosystem like nation-state -- you know, nation-state threat actors could be static so, you know, you can know who everyone is, but by the time you learn it in crime, it's like, "Well, forget that, it's already changed, you need to just learn how everything is today compared to three months ago," which is tiring. But it's a lot of fun, I will say, because it's a different pace, and you get to see so many different techniques used by so many different, you know, threat actors. And these guys are creative, and they get creative and shifty because they want to find the best way of doing things. So you have to stay a little bit ahead of them. You have to get a little bit more creative to stay ahead of them. So I've had a lot of fun just learning and growing, and seeing how dynamic this ecosystem can be.
Sherrod DeGrippo: Andrew, I want to -- yeah I want to get your point of view on that as well, because you're seeing all of these techniques, and you're looking at what the actors are doing on a day-to-day basis. Where are you seeing things kind of keyed up and what's sort of the interesting part of the landscape for you?
Andrew Rapp: Yeah. I'll echo what Simeon just said as well. Sherrod, you probably know better than I do, but the ransomware slash crime industry, if you will, is at $8 trillion annually and growing --
Sherrod DeGrippo: Yeah.
Andrew Rapp: -- at three times faster than some of the world's largest GDPs right now. So you know, I think as an industry five, six years ago, we all set out we're going to eradicate ransomware, and that guy's cybercriminals are going to be criminals and find new creative ways to continue to bust into these organizations and profit off of those intrusions, right? And so that's just it, we're continuing to see new creative ways that these criminals are gaining initial access; a lot of social engineering, which is very concerning, and we can talk more about mitigation strategies there and what we've seen. But oftentimes we see organizations leaving the front door open, sometimes we'll see these cybercrime groups digging a tunnel to their basement. Sometimes the front door is wide open and they still dig a tunnel into the basement, right, but they are persistent and they're creative. And once they have access to that environment, the velocity that we're seeing these threat actors take to action their objectives is maybe tenfold what we saw years ago.
Sherrod DeGrippo: I remember -- you know, there's various reports that come out, you know, the Verizon DBIR and mandated reporting and things like that, and you know, for years I always tracked dwell time. Like every year I'd be like, "Oh, the dwell time it's -- " you know, "-- it's getting shorter and short -- " like it used to be tracked in days. Now I feel like dwell time is tracked in fractions of an hour or minutes from the time that a threat actor has access to an organization to when they begin the ransom deployment. It's literally gone from something that I don't even see, frankly, the point of tracking dwell time anymore, and we should just sort of say, "Well, it's instant. Dwell time isn't a thing, it's an, 'I'm here, I'm ready, let's go'," bang, bang, bang.
Andrew Rapp: Not to bring it full circle here, but this is where the power of threat intelligence and the feedback loop between MSTIC and DART is so important, because we don't necessarily have data when we hop on that first call with a customer. We might have a handful of compromised accounts and compromised machines, but we need to take authoritative action to start recovering containment before we've actually run an entire investigation. To be able to do that, we have to understand who the threat actor is and what their typical TTPs will look like, right?
Simeon Kakpovi: That's huge because from a TTP perspective some ransomware actors look the exact same as nation-state actors. They might use the same TTPs, right, they might use the same tools, they might operate in the cloud the same ways, they might use some of the same open source tooling, they might use, you know, similar C2 frameworks. And so without having that additional context, you don't know if you have a couple months to deal with this issue and you have time, or you need to do something like right now. And I think that's the value, like Andrew said, we try to provide to their teams of, "Here's the level of urgency you should have right away." And that's what I think we try to communicate to customers like, "You need to do this right now. You don't have the luxury of time."
Andrew Rapp: An incident is not like a fine wine, it doesn't get better with age, right, and so part of our job is helping customers understand what they're up against, and, as Simeon said, the posture that they need to apply to that situation.
Sherrod DeGrippo: So this is what I'm looking at, Aarti, everything that Andrew and Simeon are saying is making me like have just little like shocks of anxiety. What is the emotional state like when you're talking to these customers? What are -- like are they in full panic mode, are they cool and calm? What's the -- like what's the vibe?
Aarti Borkar: I think just like stages of grief, we should have stages of attack emotions.
Sherrod DeGrippo: [Laughs] Stages of breach, stages of breach.
Aarti Borkar: Stages of breach, emotional behaviors and stages of breach. On an honest note, the reason we see variation, there is always some panic. There are some in duck mode, which is they're panicking behind the scenes but staying calm. Invariably, those people that have the ability to operate in that duck mode of staying calm for the teams, for the moving parts, and paddling in the bottom are people who practiced. If they practiced parts of this before, they know how to navigate it, even though something is going to be different. You know, you can never have it perfect, but if 50% of it is practice, you're only panicking about 50%. And people know what they're supposed to do. They have roles and responsibilities, they have figured out who's doing what. So they're only changing small bits of elements at that time. That is my best case scenario. It doesn't get better than that. There's always a little panic. That is best case. Worst case scenario, I wish it was panic, but it is denial.
Sherrod DeGrippo: Ooh --
Aarti Borkar: Right --
Sherrod DeGrippo: -- okay.
Aarti Borkar: -- because there is panic, but I have seen enough of these situations where there's true denial of, "Oh, it can't be that bad," "Oh, we'll figure it out," or blaming something else, right? If you end up in a scenario where everyone's trying in real time in an incident pointing fingers at different parts of their organization saying it was the IT team, the designer business, it was this or that, that is actually the worst case scenario, because we've got to get the team from being in that emotion to a level of urgency so that we can get them to act. People that are panicked, we can at least calm them down and say, "We've got your back," and give them directions, and they will start acting quickly so we can get to resolution. People that are pointing at each other are resistant to action, and so it takes longer to deal with those. But the one emotion that I appreciate at the end of this is gratitude and trust, because irrespective of where these teams started and whether we took just a few days with the duck mode people to solve their problem or weeks with the ones that started out in denial, they end up in a place where we have true gratitude and a partnership going forward, and a willingness to then hopefully get to a place where they are being more proactive. So my favorite part is the very end, you know, when they're happy, and thankful, and ready for a partnership, but we see everything in between. We should write that paper, Sherrod, between us, "The Many Stages of Breach Emotions", [inaudible 00:22:19].
Sherrod DeGrippo: I mean, the psychological resilience piece in incident mode is incredibly important. It can make the difference between is this going to work or is this not going to work? Are we going to, you know, fall apart under the pressure or are we going to make this work? Andrew, can you kind of tell me any experiences you've had where you've gone into an incident and they've had great playbooks and they're like, "Put me in coach. I'm ready for this. This is what I've been training for," like have you seen that?
Andrew Rapp: Yep, over and over again. And I will agree, vehemently agree with Aarti here, that customers who have rehearsed, especially the ones that have rehearsed for us and then we get called into work alongside of them, maybe for the second, third time in a row, those incident response engagements are seamless. We immediately snap into place and we start executing, start investigating, and we know exactly what actions we're going to take collectively, and we get to the incident in days, not weeks. So absolutely. Unfortunately, a lot of our customers have not rehearsed. I think there was a customer survey that was done, only 26% of organizations have an IR plan and are consistently applying it --
Sherrod DeGrippo: Ooh.
Andrew Rapp: -- and exercising these things, right? So there is a gap here. There's like huge opportunity for our customers to do more. You know, the Navy SEALs don't just get dropped into a battlefield, they go rehearse their battle plans over and over again, sometimes a hundred times before they actually drop out of the helicopter and go to work, right? The same applies for our customers, for organizations of all shapes and sizes, I would say.
Sherrod DeGrippo: Something that always comes up -- you know, it's -- I talk about crime -- the entire ecosystem quite a bit and that generally leads to ransomware because that is the noisiest and generally scariest part of crime-motivated activity. And organizations and people always come up and say, "Should we pay the ransom or not pay it? Should -- do you think we should pay them? Should we pay?" And the thing that always horrifies me the most about that question is, "You haven't already made this decision and put it into a playbook in practice with the correct authorizations and the people's names of who can make these -- and you're asking me? Oh, you're already in big trouble." So it really sounds like organizations need to tabletop this stuff. They need to have the playbooks. They need to run them. And that can be the make or break between an incident being a catastrophe and an incident being an unpleasant inconvenience.
Andrew Rapp: That's right. And there are so many factors when you make a decision whether or not to pay the ransom. Now --
Sherrod DeGrippo: Yeah.
Andrew Rapp: -- it's a business decision at the end of the day, but there are sanctions against a lot of these groups as well. And so, again, enter the power of threat intelligence, right, know who you're transferring money to on the other end.
Sherrod DeGrippo: And you want to make the decision before you're under the duress of encryption --
Andrew Rapp: Most importantly.
Sherrod DeGrippo: -- of your network being shut down. Something that gets talked about a lot -- and I want to understand the difference in the points of view between Aarti and Andrew and Simeon, or if you all share, does attribution matter? Simeon, I'll start with you, does attribution matter?
Simeon Kakpovi: Well, I would say attribution does matter, but I'm a little bit biased because, you know, it's kind of my job. I will say it matters from the perspective of prioritization, right, and --
Sherrod DeGrippo: Mm-hmm.
Simeon Kakpovi: -- especially what we're seeing with, you know, these engagements. If you have a ransomware actor on your hands, your level of urgency is very different than if you've had a nation-state actor that maybe has been lurking in your environment for months. Now, for most organizations does it matter which country it is, like are you going to do anything with that? You can let your executives know, but maybe not always. It's a nice-to-know. But I think what's most important for most organizations is what are the TTPs that I should be hunting for, how can I improve my detections, you know, how -- where should I be prioritizing my effort in the short run so that I can make the most of limited resources? And it could be helpful. Especially if you're in special sectors it can be especially helpful to have, you know, that big A attribution. We talk about the big A attribution versus little A attribution, where the big A is, you know, what country it is versus little A is what group and what TTPs they're using. I think the little A is always helpful because it helps you prioritize. Big A can be helpful in certain situations or if you're in certain special sectors or if you're, you know, going to get help from other entities that might be able -- that might be interested because of, you know, who is doing the activity against you.
Sherrod DeGrippo: Andrew, what about you, does attribution matter?
Andrew Rapp: I would agree with Simeon, it's the little A attribution that matters for us. Having a treasure map, if you will, of what to look for, the TTPs to look for, and then the actions to take from a containment and recovery perspective is what helps our customers or, you know, organizations to get through the event more seamlessly. As far as the whodunit, I would say no, that does not matter to our investigators. It may or may not matter to regulators, but we are just there to help our customers get through the event as swiftly as possible.
Aarti Borkar: I'm going to say it matters, but for a different reason. Like I agree with little A mattering. The added element here is it allows us to communicate across an industry. Simeon said that. But sometimes when you go into an industry and an area, if you know that a particular threat actor has certain motivations and yes, Andrew's team will then use the TTPs and do something with it, but the motivations allow us to go say, "Those motivations may apply to these other areas. Let's go warn them." And the ability to go proactive and tell some of our customers, our friends in government that, "Hey, we notice this, here's some information, you might want to do something with it," is very powerful. And the attribution allows us to go figure out who we warn or who we share this with. I think all of us said three different sides of the same thing, which is we just use the information to either find stuff faster or warn people to look for this. Honestly, no other reason for wanting the detail.
Simeon Kakpovi: It depends who you are, and I think for Microsoft attribution matters because we're trying to predict the future, like Aarti said, and help our customers be protected before threat actors even do anything. And so the better we can understand the threat actors, and like Aarti said, what they care about, the better job we can do focusing our efforts on warning people, protecting people, putting mitigations in place, trying to predict what threat actors might even do before they even get a chance to do it. And you know, the better at that we can get, the better it is for our customers, and the better it is for us to help keep people safe.
Sherrod DeGrippo: So one of the things that I think is really cool about working at Microsoft -- as people may or may not know, I've only been at Microsoft two and a half years, which in the grand scheme of Microsoft is nothing. I work day in day out with people who have been 20 plus, 30. I have a peer on my team who's been here 30 plus years. One of the coolest things about Microsoft is that we have the Digital Crimes Unit. If you are in Threat Intelligence, Detection, Incident Response, if you work in a SOC, the DCU does something that you probably don't have access to. And Andrew, I just -- I want to hand it to you to kind of tell us what your thoughts are about DCU and if you're kind of involved with them when you do incidents.
Andrew Rapp: Yeah, I mean, it's a great question. So we talked about the feedback loop between MSTIC, between DART, how that leads to outcomes in our product stacks as well as the outcomes that all of our field engineers, our architects in front of customers can help drive proactively. But then we have this amazing team, the Digital Crimes Unit, that can actually impact change in the threat actor ecosystem as we build a body of intelligence of knowledge working with MSTIC from our engagements around specific threat actors. Our Digital Crimes Unit actually has the ability to go take authoritative action against that infrastructure and slow down these criminals, right? Again, you know, super grateful to have this capability with -- inside of Microsoft because it really moves the needle and it makes a difference every single day.
Sherrod DeGrippo: It's really interesting because I love talking to them, they do come on the podcast pretty frequently. And they'll just say, "Yeah, you know, somebody from DART -- " or, "somebody from MSTIC sort of came and said, 'Hey, this threat actor looks like we could actually have some impact on disruption through the courts'." So that's another thing to understand for the audience, Microsoft is really focused on threat actor disruption. If that means writing signatures that go into the product, great. If that means publishing IOCs for you to put into your own environment, great. If that means getting some really talented, smart lawyers to put together a brief leveraging RICO charges against them, they'll do that. And it's -- I think if you're really kind of a nerd, which I am --
Andrew Rapp: I also identify as one.
Sherrod DeGrippo: Yes. I feel that all of us do. If you're kind of like really a nerd, looking at the mechanisms that the DCU uses via the legal channels to take action to take down threat actors, it's amazing. I mean, that's how we get a lot of the sinkholes that we have is that we are able to have those domains seized in Microsoft's favor.
Aarti Borkar: You are absolutely right, Sherrod, the point that modern attribution of why it matters, the motivation for most of the cybercrime elements, actors, tend to be something that can be disrupted using the legal system. Like that is literally the heart of what -- most of what they are going for is a crime, which means the legal system is going to help point them in some way. The end-to-end perspective on this by Microsoft is what matters. I think we'll use technology for most of it, and then we also have public and private relationships across the globe that are nurtured for good, and the DCU gets to use that path that we have to be able to then get the people that are hurting our customers to some level of justice. And we know they'll sprout up somewhere else, but at least we get to slow them down at scale, because if they are busy fighting a legal case they're at least not annoying our customers. That's a good thing.
Sherrod DeGrippo: Absolutely. Absolutely. And I think that -- you know, we talk about imposed cost, and that is true and that is the past, that is what we have at our disposal, but fortunately at Microsoft we have this huge spectrum of different ways to impose cost to put forth actor disruption. And it's -- honestly it's just so -- I just think the DCU is so cool. I'm such a nerdy fangirl for the DCU. I love them.
Andrew Rapp: Yeah, that was one of the coolest things I heard about Microsoft before I even started working here. And from the Intel and Incident Response sides it can be tiring doing this stuff day after day and you're just putting --
Sherrod DeGrippo: Yeah.
Andrew Rapp: -- like a mole and the threat actors are just coming back every single day. And it's like, "Is there an end to this?" And so to have someone take the non-tech approach and think about the big picture of, "Let's at least slow them down a little bit so you can get a little bit of rest" is so crucial and so important.
Sherrod DeGrippo: If you want to nerd out on this, the last episode of the podcast before this one is with the DCU, and it is about the Lumma Stealer malware disruption, and they used the RICO Act. If you want to hear how the RICO Act works, and how it applies to malware, fascinating, blew my mind. Simeon, we talk all the time about the differences between crime-motivated actors and nation-sponsored actors. What are your thoughts on what that landscape looks like?
Simeon Kakpovi: Having been on both sides of the aisle, I would say you should care about both, but even more importantly, you never really know what you're looking at. And that's one of the things that we talked about at SLEUTHCON, right, there are some threat actors that may look like ransomware actors, but they're not really ransomware actors, and there are some threat actors that may technically look like state-sponsored actors, but they turn out to be ransomware actors. And so it's kind of boring advice, but I think the most important thing you can do at the end of the day is to treat all threat actors equally. I think you should, you know, do your threat modeling in figuring out what's more likely to target you, but you have to have the basics, do all your hygiene things, you know, make sure you have good detections in place, make sure you have those storybooks, like Aarti and Andrew said. Because if you take on a threat actor and you're like, "Oh, well, I've got this handled, this is not a very big deal," well turns out it's a much bigger deal than you thought if you don't have the full context. And I think that's sometimes what happens when we have these engagements of DART and customers, they're like, "Oh, we saw part of this thing. We had it handled." And we're like, "No, you don't know what this thing is, there's a lot more there than you might first imagine." So we don't really always know where the line is, so it's really important to treat both equally within your organizations, don't always just chase the shiny things.
Sherrod DeGrippo: Don't sleep on them, is what you're saying.
Aarti Borkar: I'm going to pick up on that, because you said something about not seeing the full picture and the hubris of believing that you do. We see that all the time. The reason I want to be precise with the wording there is because the thing Andrew and I spend a lot of time with our team on is two bits of behavioral patterns, need to be humble and curious. And that's the only way we can go across that entire gamut, Simeon, that you were talking about, because the curiosity to keep digging is unbelievably important, because on day one when the DART team gets on the ground, we have no idea which -- who the actor is, we have no idea. As you said, they might be using some techniques, they might have edited some other techniques. We still have to keep digging until we've got the full picture. And then once we know what kind of actor it is, the partnership across all of the teams at Microsoft help us get to the right answer soon enough. Andrew, you do this every day so you might have more than me.
Andrew Rapp: Every day, seven days a week, and we say the best IR starts on a Friday. No, but I would just go a little further and I'd say the protections, the mitigations, the recommendations we leave our customers with, whether it's a nation-state threat actor or a financially motivated threat actor, oftentimes those recommendations are the same, right, you know, they're founded in elements of credential hygiene and zero trust. Understanding your environment, and logging in the right places, and having visibility across your environment, right, these are the basics before we even get to high-speed security leveraging, you know, Security for Copilot, other AI technologies, et cetera.
Sherrod DeGrippo: So I think what's really important that listeners should be taking away from this is you don't need to be the size of Microsoft to have a really good security program, incident response program, ownership, and building that loop between the intelligence you have, the incident response playbooks that you're running, and the capability to detect, you can build it, you can tighten it, you can see results. I am so grateful to all three of you for joining me, Aarti Borkar and Andrew Rapp from DART, and Simeon Kakpovi from MSTIC. Thank you so much. Thank you for sharing your expertise. And we will see you all again hopefully soon on the Microsoft Threat Intelligence Podcast. Thanks for joining me.
Andrew Rapp: Thanks for having us.
Simeon Kakpovi: Thank you so much. [ Music ]
Sherrod DeGrippo: Hello, and welcome to the Microsoft Threat Intelligence Podcast. I am Sherrod DeGrippo, Director of Threat Intelligence Strategy here at Microsoft. And I have with me today someone who I absolutely love working with and have known for a couple of years now. It is Snow, also known as the chief people hacker and the empress of the Social Engineering Community Village, the producer, the showrunner. What would you say your role is there?
Snow: I like all of those things. [Laughter] Typically I'd say cofounder, but I don't know, I might need to change it now.
Sherrod DeGrippo: Kova [phonetic], I think we can maybe come up with something a little more fantastical.
Snow: Yeah, yeah.
Sherrod DeGrippo: Yeah.
Snow: I'm here for it.
Sherrod DeGrippo: So I read something about you that I didn't know, and that is --
Snow: Ooh.
Sherrod DeGrippo: -- that you started out as a special effects makeup artist. Is that true?
Snow: That is very true, yes, it is; so yeah.
Sherrod DeGrippo: So like what kind of special effects?
Snow: I was at the point where I was making my own fake blood, like I have my own recipe. [Laughs]
Sherrod DeGrippo: What?
Snow: Yeah, so gashes and zombie bites, all kinds of different things, self-taught. So I've lived in San Diego for a long time, which is very close to Hollywood, well you know, not too far of a drive, I should say.
Sherrod DeGrippo: Yeah.
Snow: And found it super interesting, taught myself a bunch, and I actually did just consulting and some freelance work. But I loved it. It was so fun. Actually, I was cleaning my closet yesterday and found a bunch of my old stuff. I was like, "Oh, I should do this again."
Sherrod DeGrippo: What would you say is the key ingredient for really good fake blood?
Snow: Ooh, that's a good question. So I like the -- using corn syrup. That's one of my favorites.
Sherrod DeGrippo: Okay.
Snow: Yeah. Yeah.
Sherrod DeGrippo: For the thickness. You know what they say about fake blood, it rocks you like the real thing.
Snow: Yeah, yeah.
Sherrod DeGrippo: So, you know --
Snow: Yep, and it's quite -- because I'll --
Sherrod DeGrippo: -- sometimes it's just as good.
Snow: Yeah. I'll watch movies and I'm like, "Oh, that's bad fake blood, like that's not what blood should look like." [Laughs] Do all those things.
Sherrod DeGrippo: Do you hear, Hollywood, Snow is judging --
Snow: Mm-hmm.
Sherrod DeGrippo: -- your fake blood --
Snow: I am.
Sherrod DeGrippo: -- when she watches your movies, so --
Snow: Yep.
Sherrod DeGrippo: -- let's get it together. [Laughter] I heard also that kind of your like first foray into hacking stuff was lockpick, and that that was kind of the thing that got you interested.
Snow: It was. So it was all at DEF CON. So again, special effects, makeup is nothing to do with cybersecurity.
Sherrod DeGrippo: Yeah.
Snow: So when I first was introduced to anything cyber-related was at DEF CON. So I went. My husband has been in IT security for years and he had wanted to go to DEF CON forever. And he's like, "Hey, I'm going to Vegas to go to this hacking conference. Do you want to come?" I'm like, "I will go to Vegas and I will sip drinks by the pool --
Sherrod DeGrippo: Yes, love that.
Snow: -- and you do your nerdy shit." [Laughs] And so we show up to Vegas and he's like, "I got you a badge." I'm like, "I don't know what that means." He's like, "You're coming to the conference with me." I'm like, "Am I supposed to be excited? I don't know how I feel about this." So we go into a talk and it's a malware reversing talk and I fell asleep in the audience.
Sherrod DeGrippo: Mm-hmm.
Snow: Like everything was completely going over my head. And I felt really bad, to the point where he's like nudging me, he's like, "You're snoring? Please leave." [Laughs] And I was like, "Okay." And so I'm wandering around just like, "Okay, what am I going to learn, or find out, or figure out what this is?" And I walk by something called the "Lockpicking Village". I'm like, "I don't get this, but I'm going to go in because there are a lot of people inside here."
Sherrod DeGrippo: Mm-hmm.
Snow: So I walk in and greeted by the friendliest person in the world. And to this day, I wish I knew who it was so I can thank them, but I don't unfortunately. And he's like, "Hey, have you ever picked a lock before?" I was like, "No, I have not." And he's like, "Let me teach you." And so he sat down, was super like excited and he explained things incredibly like well that I was able to grasp. And I picked my first lock. And there's something magical that happens when someone picks a lock for the first time, because they're like, "Oh, my gosh, this is amazing." And then you see the wheels turning, they're like, "Oh, everything in my life that's behind like a -- something that's locked, right, my safe, my house with my kids in it," whatever it is, and all of a sudden you just kind of feel a little vulnerable.
Sherrod DeGrippo: Hmm.
Snow: And I had that. And so such a great experience to do that. So that was kind of my first foray into anything kind of cyberish-related.
Sherrod DeGrippo: I generally do stop by the Lockpicking Village, and we also have one at BlueHat in Redmond, the Microsoft conference. We have like a little mini lockpicking village and we do demonstrations and stuff. And so I'd always go to that and just kind of mess around. And sometimes I'd -- it would work, sometimes it wouldn't. And, you know, like I felt, "Okay, I've learned enough of this." And then I went and did an escape room with some people.
Snow: Hmm. Yeah.
Sherrod DeGrippo: And I didn't think about it, but we get in there and there are all these little chests that are locked with clues inside of them, and in order to get into one, you have to get the code, you have to answer these clues and figure this out, and then you get another code and then you get a key that's locked. And I was like, "What if I just pick all these locks and skip ahead?" And I did, and every --
Snow: Yes.
Sherrod DeGrippo: Of course, my team is like, "Yes, yes, yes." [Laughter] And then the guy comes over the mic and is like, "Did you just open box number six before box number three?" And I was like, "Yes." And he's like, "Okay." So it was a good practice for the skills. It was fun. So you did lockpicking and then kind of what brought you from that into social engineering? You're one of the like leaders in social engineering in the industry. People really know your face. You're one of the top people. What put you there from lockpicking?
Snow: Yeah, so it actually happened the same year. So I went from Lockpicking Village and then I kind of popped in --
Sherrod DeGrippo: That's a big year for you.
Snow: It was. It was like -- and also it was a lifechanging year. It was DEF CON '18 or '19, one of the two to be precise-ish. So leaving the Lockpicking Village, kind of wandering around and then I found the Social Engineering Village. And again, no clue what the words "social engineering" meant. I was just like, "I'm a social person. I like people." And so I go in there and everyone's like quiet. I'm like, "This is not social." [Laughter] But I sit down and I'm listening and there's a person on stage in a booth and they're placing calls. And so the more like I'm kind of reading the room and picking up like what's going on, I'm like, "Oh, they're turning the information from the people that are calling." I'm like, "Well, I could do that. That's pretty cool. I like talking to people." And it's like one of those moments where you get goosebumps. You're like, "Oh, this is meant for me, like this is what I should be doing." And so I went home that year from DEF CON like just on fire to learn everything I could about social engineering. Now, this was over 10 years ago. There was like one, maybe two books out about social engineering. So then I start going down rabbit holes of influence, and rapport building, and body language. And I read every book I could get my hands on. I would take my kids to the park and I would practice on the moms there.
Sherrod DeGrippo: Oh, my gosh.
Snow: I don't know if I'm supposed to say that out loud, but yeah.
Sherrod DeGrippo: Yes.
Snow: Yes. And where we lived --
Sherrod DeGrippo: What would you do?
Snow: Well, so we lived in an area where there was a lot of like DoD contractors and things like that, and then all the wives. I'm like, "I wonder what information I can get from these people." And so I would just go and ask a bunch of questions and I'm like, "Wow, people really just give you -- " you know, "-- information." And so that was kind of how I practiced. And then I finally got to the point where I'm like, "Okay, like what information -- if I was doing this professionally, like what information do I want?" So a lot of times -- and I -- this is what I tell my students -- is password reset questions, so street you grew up on, mother's maiden name, those types of things. And so that was kind of my next goal. So after reading, practicing on poor, you know, people at the park [laughter] I decided to compete the next year and learned a lot. Because with social engineering, it really -- open source intelligence goes hand in hand with it, and that to me -- I mean, I'm like, "I'm good at stalking people on Facebook," but like there's so much more to it than that. So I learned so much. I felt like I was kind of thrown into the fire just figuring out everything as I went. So I competed three years in a row in the competition and I won on my third year.
Sherrod DeGrippo: [Whispers] How about that?
Snow: And honestly, the whole time I was like, "This is so cool. I really like this." But I never really thought, "I want to make a career out of this," honestly because I didn't think I could make a career out of it. I'm like, "There's no one out there just hiring a social engineer." So my third --
Sherrod DeGrippo: You got a black badge that year, right? Just want to --
Snow: I did, yeah.
Sherrod DeGrippo: -- mention you got a black badge, yeah.
Snow: Yes.
Sherrod DeGrippo: That's awesome.
Snow: Yeah. Thank you, thank you. Yeah, super exciting. But I had someone who watched my calls from the audience and he met up with me after. He's like, "Hey, do you want to come and do this at our company, see if we're vulnerable?" It was like, "Oh, well, like you're going to pay me to -- like I would do this for free. Like you're going to give me money? Okay." [Laughter] So that kind of really what -- is what got my foot in the door. But I have to tell you the truth, I was gatekept a little bit at the beginning. I reached out to a couple people and I was like, "Hey, I want to be a professional social engineer." And one person told me, "No one is ever going to hire you as a professional social engineer." And I took that -- and I have a lot of spite in me --
Sherrod DeGrippo: Yes.
Snow: -- and I did everything I could to prove that person wrong. And I'm so glad I did because I have been hired as a solo social engineer.
Sherrod DeGrippo: Yeah.
Snow: Like that's what -- and now I hire people who are social engineers, so I'm like, "Ha, you were wrong."
Sherrod DeGrippo: No, you -- they were wrong because --
Snow: Yep.
Sherrod DeGrippo: -- you were one of the like foremost people in this industry now. You're one of the big leaders. And you post a lot on LinkedIn --
Snow: Mm-hmm.
Sherrod DeGrippo: -- giving people information, and like tips, and, you know, explaining how it all works. So I think that's a good lesson for people listening to this is let the spite fuel you.
Snow: Yeah.
Sherrod DeGrippo: Like let that motivate you. If that works for you to push you to the next level of what you're doing or to --
Snow: Yeah.
Sherrod DeGrippo: -- have more confidence to be bolder --
Snow: Mm-hmm.
Sherrod DeGrippo: -- I think sometimes you can sort of use that as a -- like a cover in some ways for your anxiety or your like insecurities to be like, "You know what, I'm really mad, so I'm going to get over the fact that I'm scared." And if that works for you, I say do it.
Snow: Yes, absolutely.
Sherrod DeGrippo: So okay, I want to talk a little bit about the village, because I can't remember -- I've been a few times, but in the current iteration, I think I went to the first year that year, and I --
Snow: You did.
Sherrod DeGrippo: -- did a panel. I did a panel that year.
Snow: Mm-hmm.
Sherrod DeGrippo: And let me tell you, the vibes in the Social Engineering Community Village are exciting, spicy. Everyone is -- as Snow said, it's quiet, but it's because everyone in that room is completely and totally transfixed on what's happening in the booth. So can you kind of set the stage for people who might be listening that don't know -- because I will warn you, there is a line often to get in. It is that in demand. It is packed, the entire DEF CON. What happens in there?
Snow: Yeah, absolutely. So we have a couple different events. The ones that I think a lot of people are really excited to listen to is what we call the "Social Engineering Community Vishing Competition," SECVC. It's a mouthful, I'm sorry. But what we do is we run that all day on Friday. So we have 12 to 14 teams each year compete. So we open up our call for competitors in typically April, May, and we get over 50 and we're only picking 12 or 14. So we pick our teams and they actually spend time -- before they even set foot in Vegas they spend a lot of time doing OSINT because they have an OSINT report that's due and a vishing plan report that's due. And so they have their list of objectives, their target company, and they're going through, and that's one way they can score points. Then we have them do a vishing plan. So we kind of want to know before you even get in a booth, you know, what kind of pretext are you going to use, who are you going to call, so that way we can just quickly verify everything? We do have a code of ethics and we want to make sure everyone's going to stick to it and that kind of helps us at least if we see a questionable pretext, we can work with a team before they get in a booth and you have to, you know, disqualify them or anything like that.
Sherrod DeGrippo: What is something that would be like unethical? Like for me, I would say like calling someone and telling them you have their child hostage or something. What are the kind of ethics guidelines like?
Snow: Yeah, so we have definitely a handful. And they're on our website, too, if you're curious what they are, but no going after someone's like personal information. Right, I don't -- we're showcasing social engineering, we're not like picking on an individual. So we're not going to say, "Okay, I -- Bob, where do you live," right, "What's your home address?" We don't want to know any of that kind of stuff. So nothing like PII-related, and then also nothing fear-based. So I don't want them to be, you know, promised a big bonus if they comply, or say like, "If you don't do this, we're going to take your job away." So anything that can promise something or that's fear-based are completely off the table.
Sherrod DeGrippo: Okay.
Snow: Those are pretty much the ethics. Okay, so that happens all before they even come to Vegas. So Friday is the competition. Each team shows up. And teams can be either solo competitors or two people on a team. And they have their assigned time. And they show up and we have a big soundproof booth that they sit in. So they place their calls from that and in the audience, people get to listen to the calls for -- we have the audio streamed. As you mentioned, our line to get in is crazy. We open Friday morning. We're one of the first villages to open, I think at 8:30 in the morning. I ask someone in line as we were getting there, said, "What time did you show up?" He's like, "I got here at 6:00 a.m." And so people are getting there early --
Sherrod DeGrippo: It's --
Snow: -- before I get there.
Sherrod DeGrippo: Like okay we're just making this problem worse by telling everyone how amazing it is, but let me tell you, it is -- like the villages at DEF CON in general are -- like many people say, "What's your favorite thing about DEF CON?" They say, "Oh, the villages, the villages." It is really fun, and there are tons of fun ones, and they're all different. The Social Engineering Community Village everyone is sitting in this room quietly in the audience in rows. I really believe that there are people in there, many people, holding their breath.
Snow: Yeah.
Sherrod DeGrippo: The emotional investment that you have, for me I just was sitting there the first time, I'm just, you know, an audience sitting, quiet, obsessed, transfixed, unable to break eye contact, unblinking, staring at the screen that's televising the booth. Like the booth is in there, but it's up on like a video monitor, too, a big one. And you're just -- I remember going, [gasps] "Oh, no," like and you can hear in the audience everyone. It's like, you know, watching somebody like drop an egg on the floor and everyone like [gasps]. There's like this communal audience response because it's so -- it just feels so high-stakes and there's so much adrenaline going on. And you're watching this person psychologically walk a tightrope --
Snow: Mm-hmm.
Sherrod DeGrippo: -- and just, you know, hoping they don't fall. But also I also notice people in the room that when the person on the other end of the line is like, "Oh, yes, I can't tell you that," people are like, "Yes."
Snow: Yeah, yeah. That's one of my favorite things is when -- actually you would hear a cheer when the target, so to speak, like says, "Oh, I can't give you that information --
Sherrod DeGrippo: Yes.
Snow: -- but oh, thank God." Like that's what we really want to see. While we like showcasing social engineering, like at the end of the day obviously we want the world to be secure and we don't want people giving out this information. So when they do that, it's like, "Oh, thank God, there -- you know, there is someone out there." One of the objectives for them to get over the phone -- there's three of them, is do they take security awareness training, do they take phishing training, or we see phishing emails from their job, and then to describe the phishing emails. And we added those because we kind of wanted them to be a bit of a red flag. And like if someone calls you and asks you that, all of a sudden you're going to start thinking about it. Right, if you tell someone, "Don't think of a pink elephant," they're going to think of a pink elephant. So if I'm saying, "Oh, yeah, tell me about the phishing training you get," that should all of a sudden be like, "Oh, wait, why -- they're asking me things they shouldn't." So we're [inaudible 00:54:29] --
Sherrod DeGrippo: It should, but --
Snow: Right.
Sherrod DeGrippo: -- does it? [Laughs]
Snow: It -- no, unfortunately, it doesn't do that and that's what I wanted it to do. But what's crazy is to actually hear people explain, "Oh, yeah, we take security awareness training and they just say don't click on links in emails." And sometimes the --
Sherrod DeGrippo: Yikes.
Snow: -- person will kind of probe them a little bit and they're having fun and they'll be like, "Okay, well, what about suspicious phone calls?" And like, "Well, they don't really talk about that."
Sherrod DeGrippo: Oh, my God.
Snow: And that kills me because it's what we're showcasing. But like my soapbox like security awareness training fails so much because it only covered such a limited thing, and it's like the most like crazy examples that aren't happening in your organization. Like it's never tailored to the attacks you are getting or that are, you know, the new attacks. It's always just like, "Don't click on links," or, "IT is never going to call and ask for your password." Okay, but we're pretending to be IT and we're asking you 500 other questions that you're still giving the answers to.
Sherrod DeGrippo: Mm-hmm. It's a really interesting cross section of I feel like human experience and human interaction. I remember very vividly one that I saw. The call was -- to the target was a retailer that sells videogames and the social engineer on the box was a fantastic woman. I can't remember her name, but she said, you know, "My son is coming to work there and I'm really worried. He's a teenager and he just got his first job at your store at one of the other locations," blah, on and on. And eventually she got the target to say, "Yeah, we keep a key to the store under the ashtray in the back --
Snow: Yep. Oh.
Sherrod DeGrippo: -- of the strip mall --
Snow: Mm-hmm.
Sherrod DeGrippo: -- and you just lift up the ashtray and there's a key there." So if anything ever happens to him or -- he would never get locked out. It was incredible how they were able to pivot very quickly. And the thing that I always focus on with social engineering when I talk to people is if there are emotions involved, you've probably already lost the game.
Snow: Yeah, hundred percent.
Sherrod DeGrippo: And this woman was emotionally just pulling it out of this guy at the shop, really playing on his concerns around teenagers having safety, and making sure that the store would run properly, and solving the problem, which I'm sure like you see in social engineering all the time people are trying to help them solve the problem.
Snow: Yeah, absolutely. I think the ones that are the most successful is when they use some type of sympathy, authority, and urgency. Like those three things, like if you're using one or even if you'd find a way to use all three, those just work incredibly well. We actually did -- we had a research team that came out last year and they listened to every single call. And so if you're curious, like if -- what the breakdown is like what kinds of personas were mostly used and successful, we have actually a whole report on our website, se.community. And it's really cool to see like what works, what doesn't work, what kinds of things teams are able to find online, just to kind of see what we're doing. But yeah, the sympathy piece, it works incredibly well. We've actually had people in the booth -- so we have style points for the competition too, and one of them is if you bring in background sounds, you can get extra points. And we had someone come in and had a baby crying in the background. So they were like, "I'm coming back to work from maternity leave next week. I got locked out of my accounts and I have a bunch of questions."
Sherrod DeGrippo: Perfect.
Snow: Worked flawlessly.
Sherrod DeGrippo: Yes.
Snow: It worked flawlessly.
Sherrod DeGrippo: That's a perfect one. And so something that, you know, you and I have kind of talked about a little bit before, but it's hard not to notice that women really seem to dominate this space and are very high-profile in this industry. Why do you think that is?
Snow: Yeah, that's a good question. I have heard some people say -- and this could be true, right, most people tend to trust women, right? Ever since you're a kid, most people, you know, their mom's the most nurturing. And so I think that tends to make women a little bit more successful. Now, I have also had the flipside where I feel like it's harder as a woman for some things. So if I were to do physical security assessment and break into a building, if I'm impersonating like an ISB or someone there to do something technical, I tend to get looked over like, you know, twice like, "Ooh, are you sure?" And so I think it's knowing how to play the game and maybe women just have a little bit more know-how to do that. But I don't know if I have an answer to that, but it is definitely noticeable. It is for sure.
Sherrod DeGrippo: Have you ever done the thing where you go to Goodwill and you buy like a branded shirt and you use that?
Snow: Yep.
Sherrod DeGrippo: Yes?
Snow: I do. I also -- lots of arts and crafts. We have a like Cricut machine.
Sherrod DeGrippo: Oh, the like --
Snow: And so --
Sherrod DeGrippo: It's like a vinyl cutter, right --
Snow: Yes.
Sherrod DeGrippo: -- like, yeah, for crafting.
Snow: Yeah, it does so many different things, yep. And so we have -- so if I can't find like the company lanyards if we're doing a physical, I'll actually just make them, my own, on lanyards. Yeah, arts and crafts all day. [Laughter] Yeah.
Sherrod DeGrippo: I love that you're -- wow, you're making branded lanyards.
Snow: Yeah.
Sherrod DeGrippo: Another thing that I've always heard is just if you're carrying a clipboard --
Snow: Hmm.
Sherrod DeGrippo: -- people just will open a door for you and be like --
Snow: Yeah.
Sherrod DeGrippo: -- "Oh, yes, please," or will answer your questions if you're like whatever they say, you write it down on the clipboard --
Snow: Yeah.
Sherrod DeGrippo: -- like it's a good tool.
Snow: Yep, I was in a power plant and I had a hardhat on and a clipboard, and I'm just like looking at random machines, I'm just like shaking my head yep and just checking a random box on a blank piece of paper. And I was in that facility for longer than I should have and like access to like all the HMIs and things that I shouldn't be able to touch, because I had a clipboard.
Sherrod DeGrippo: But don't worry, everyone, she is a trained professional social engineer and delivered a report at the end --
Snow: Yes.
Sherrod DeGrippo: -- to someone.
Snow: Yes. [Laughs]
Sherrod DeGrippo: And hopefully, that organization took their red team and pen test findings and remediated them in a timely fashion, as they all --
Snow: Exactly.
Sherrod DeGrippo: -- will do.
Snow: My favorite prop I have yet to use, but one of my favorite social engineers, Jenny Radcliffe in the UK, she has said, "If you carry a ladder around, nobody is going to question you."
Sherrod DeGrippo: Yeah.
Snow: And that's -- like I don't think I've ever thought someone with a ladder like, "They shouldn't be there. What are they doing? They shouldn't be going -- " you know, "They have a ladder. Of course they have a mission to going." [Laughter]
Sherrod DeGrippo: A ladder is a full -- is a bulletproof sign of authority, in my experience.
Snow: Hundred percent.
Sherrod DeGrippo: I think it's that, and I also think that there's an element of like making physical laborers invisible.
Snow: Yeah.
Sherrod DeGrippo: And it's a societal and cultural thing where if you see someone doing physical labor, whether it's like a janitorial service, or, you know, road construction, or -- people in the West just tend to like --
Snow: Yeah.
Sherrod DeGrippo: -- blind themselves to those individuals.
Snow: Yeah, that's very true. It's one of the things you -- kind of just being a fly on the wall, not standing out when they train on social engineering, I'll tell people, "Unless you're using a persona that has like some type of authority in it and you need to interact with people, make yourself as invisible as possible. Wear muted colors. Don't wear bright jewelry or makeup, even perfumes and colognes, don't wear those. Like you do not want to draw attention to yourself at all." Now, I've had the flipside where I was pretending to be a HIPAA auditor in a hospital, so I had to be there and they had to know I was there, and actually had one of them walk me around. And I did a whole fake audit, but it answered all of the questions the client was interested in like, "Can you find this or this?" I'm like, "I'm just going to ask someone to show me where it's at," and I did, so really depends on the pretext.
Sherrod DeGrippo: That's amazing. Okay, so since we're talking about specific tactics, is there anything for a listener who maybe is in a security role, or is maybe thinking about getting into social engineering, or adding it, is there any kind of thing that you think they should really look out for from that perspective?
Snow: I think if you break it down to people, processes, and technology, I think there's just a lot of faith in all three of those things. Right, the technology I've had a lot of clients that say, "We just put in multiple millions of dollars of physical security controls. We just want to make sure, you know, you can't get in." So we'll come in and a lot of times we're able to either bypass them because they forgot to check a box when they were setting it up, or you know, we work with the people and processes part. And so instead of being stuck like in a mantrap, right, I'll ask someone for access. I'll pretend to be a vendor that's coming onsite, and I'll call them ahead of time and they'll just give me access. So I think putting too much faith in what you have and not testing it is probably one of the biggest flaws or like, "Oh, we have a policy that gives anti-tailgating," or, "We tell our employees once a year not to let people tailgate." I wish I could tell you I do cool James Bond shit, but I follow people into secure areas all the time. Like that's the biggest way I get in. It's not that sexy, but it works and people don't stop someone who's following them. It's so rare. So I think just the kind of biggest takeaways is really look at what you're doing and don't think that it's like foolproof, right, like there is something that could probably be bypassed.
Sherrod DeGrippo: That's really interesting. It's kind of the same mindset of like tailgating's not allowed, so that means it could never happen. Or you know --
Snow: Right.
Sherrod DeGrippo: -- people say, "Oh well, we passed our PCI certification," or, "We have a SOC 2," or, "We have this, we have that --
Snow: Yeah.
Sherrod DeGrippo: -- so for sure, everything's fine. It's like, "Yeah, that's just not practical security. That's paper security." And I tailgate -- never at work, I tailgate all the time. Yeah, I just hop on through, like at, you know, places. I never would do that at work. Actually, it's very hard to do that at work because Microsoft people are pretty -- like they look at you a little weird, like --
Snow: Mm-hmm.
Sherrod DeGrippo: -- [makes sounds]. So that's kind -- that's good.
Snow: [Laughs] Good, yeah, that's good.
Sherrod DeGrippo: But I definitely occasionally will just sort of walk into places. Okay, let's talk AI. I know that this year there is a new contest in the Social Engineering Community Village for AI. Tell us what that's about.
Snow: Yes. We have what we're calling our "Battle of the Bots: Vishing Edition". And so that's going to take place on Saturday, probably I think schedule is 97% done. Noon to 3:00 is what we're looking at right now. But we have five teams, and what they have to do is train a whole AI agent to place the phone calls for them. So there's zero human interaction. So they have to spend up until DEF CON training different models' personas, and they will step in the booth while the person, right, the human will physically place the call, then their hands will be up. They cannot interact at all. They can't speak. The bot has to do everything for them and try to collect as many objectives as it can.
Sherrod DeGrippo: Have you been testing this out? Like surely you've got a -- you've had to do some like proof of concepts. What is the testing looking like?
Snow: Yeah. So we actually ran last year in the village. We just did kind of -- we called it the "John Henry Competition", where we had a human team, and JC and I, my cofounder and I, decided to represent the humans. Right, it was the first year so we're like, "All right, well, we got to put our money where -- you know, our mouth where our money is." And so -- [laughs]
Sherrod DeGrippo: You're the guinea pig on these then.
Snow: We were. So we actually stepped in the booth and then we had a team come in that trained different AI agents to do it. So it was our proof of concept last year. The humans won, thank God; job security for a little bit. But I will tell you, going into it last year, there were a couple of moments where I was like, "The AI is going to like start to scramble on itself, or like it's not going to make sense, it's going to have all of these issues, it's going to sound robotic." JC and I were behind the stage kind of getting our thoughts together because the AI went first, and it got to a moment where we looked at each other like, "Oh, no, it's really good, like it sounds like a human." Like the way that they were -- like made it sound was so great, like it added some uhs and buts and it paused at the right times, and it sounded so good. And it collected so many objectives to the point where after all -- everyone placed calls, I'm like, "I don't know who won." It did so good.
Sherrod DeGrippo: And so the next evolution of that is going to be there this year.
Snow: Yes. And so now we have five competing teams and we're really excited to see what happens. We also are preparing for the worst. You never know what -- how it's going to go. So I definitely have a cut button that sits right next to me on the stage if I need to mute the sound or disconnect the call. But we're really excited to see even just in a year like how different -- because AI it's constantly changing, there's always new stuff. And I honestly think it's going to be really eye-opening to a lot of people. Because we had people in the audience last year like, "Oh," kind of the same mindset as me like, "This isn't going to go good. Maybe the call is going to start off okay, but the person's going to ask some questions and it's just going to start spinning." And it did great last year and I'm pretty sure this year is going to be even better.
Sherrod DeGrippo: Well, that's terrifying because I know perhaps next year it will be who can build an AI social engineer to social engineer an AI, right, like --
Snow: Yeah, there you go, yeah.
Sherrod DeGrippo: -- instead of it calling a human, it calls it another AI that's --
Snow: Yeah.
Sherrod DeGrippo: -- highly security trained maybe.
Snow: Mm-hmm.
Sherrod DeGrippo: So that's really scary. I also want to talk about social engineering skills as a -- which no one says the term "prompt engineer" anymore, but as an AI user --
Snow: Mm-hmm.
Sherrod DeGrippo: -- having social engineering skills has really helped me work with Copilot and things --
Snow: Oh, sure.
Sherrod DeGrippo: -- because I talk to it like it's a target in a way.
Snow: Sure.
Sherrod DeGrippo: And I give it information and I extract information from it. So there's an element, I think, of social engineering when you're interacting with, whether it's ChatGPT, or Claude, Gemini, Copilot, where you kind of have to talk to it in a way that is very deliberate and intentional.
Snow: It's funny, I never actually thought about it like that, but now that you say it, it makes complete sense. And I guess I -- when I'm doing my prompts, right, I guess I do it like that, too. I'd have to think about that more, but let's -- I don't know, it's never crossed my mind, but it's super true, like you do have to talk to it. Like you have to manipulate it, right, you have to --
Sherrod DeGrippo: Yes, exactly.
Snow: Yeah, yeah.
Sherrod DeGrippo: You're trying to get information out of it in a certain way or a certain style --
Snow: Yeah.
Sherrod DeGrippo: -- and being able to shape and form communication to get it to talk to you in the way that you want it to talk to you does require, I feel like, a lot of traditional social engineering skills or you're not going to get the results from the LLM that you want.
Snow: Yeah, that's true. I have a question for you, do you say please and thank you when you're writing your prompts?
Sherrod DeGrippo: I one hundred percent do, yeah.
Snow: I do, too --
Sherrod DeGrippo: Yeah.
Snow: -- just in case, you know --
Sherrod DeGrippo: Just in case.
Snow: -- if they take over, and they'll remember you had good manners. [Laughs]
Sherrod DeGrippo: Exactly, exactly. And I think that there is a shocking amount of people that are doing that, just -- I think, one, I'm Southern, and --
Snow: Sure; yeah, yeah.
Sherrod DeGrippo: -- it's just part of our -- from a very young age, you are, "Yes," "No," "Please," "Thank you." You know, I don't say, "Yes, sir," or, "Yes ma'am," to it, but I do say, "Thank you." And I read a study on this so it's not that crazy, but I do occasionally tell it that it's doing a good job. I do say like --
Snow: Yes, I will --
Sherrod DeGrippo: -- "That was really good. Thank you."
Snow: That's actually good, though. I mean, that's social engineering, right, like you're kind of feeding its ego a little bit. [Laughs] Yeah.
Sherrod DeGrippo: Yeah. And if certain things, depending on what it is -- and I just -- to be very clear, I use ChatGPT constantly all the time --
Snow: Yeah.
Sherrod DeGrippo: -- personal work. I use Copilot for work a ton. I am constantly saying like, "That was really cool. Thank you. I really liked that. That was really good." And occasionally, I'll tell it like, "If I don't get this done by today, it's going to be probably -- " like I'll introduce urgency to the equation with it, and I think sometimes it gets a little bit more to the point. There was a study that came out where they tested a variety of models and if you tell it that it will receive a cash tip for good results, the results improved. So --
Snow: Whoa.
Sherrod DeGrippo: -- use that as you will, but if you tell --
Snow: Mm-hmm.
Sherrod DeGrippo: -- if you social engineer your AI -- your generative AI interactions to tell it that it will receive monetary compensation for good work, it's better.
Snow: Ha, that's good to know, yeah.
Sherrod DeGrippo: It's weird because I think we're coming into this real collision of tech and psychology, real collision of like tech and humanity in a way that, you know, I don't feel like we've seen since, you know, really, really early stuff like, you know, computer-human interface type stuff.
Snow: Yeah. That's like something to think about.
Sherrod DeGrippo: It's real crazy.
Snow: It is, yeah, yeah.
Sherrod DeGrippo: And in fact -- I'll leave everyone with a fun prompt that I did, and I was delighted, I was delighted with my results. I asked ChatGPT to draw a picture of us together, so a picture of me with ChatGPT. And it was adorable. It was like me -- I looked like me for the most part because I uploaded a reference photo. I said, "This is what I look like. Draw us together." And ChatGPT drew itself as a giant pink bunny.
Snow: What?
Sherrod DeGrippo: Yes. And I mean, when I say, "Giant -- "
Snow: Huh.
Sherrod DeGrippo: -- I mean like six feet tall.
Snow: Oh, my gosh.
Sherrod DeGrippo: And so cute, giant big eyes, big pink fur. It was super cute. So I suggest to everyone to ask your favorite LLM to draw a picture of you together. And I have seen others and they looked horrifying, so I was very happy --
Snow: Oh, God.
Sherrod DeGrippo: -- to get the pink bunny. [Laughter] I mean, they look like scary killer robots, like --
Snow: No.
Sherrod DeGrippo: Yeah.
Snow: Those people didn't say, "Please" and, "Thank you," that's why.
Sherrod DeGrippo: That's what -- exactly, that's what made me think of it --
Snow: Mm-hmm.
Sherrod DeGrippo: -- is --
Snow: Yeah.
Sherrod DeGrippo: -- it doesn't see you as like a polite collaborator, it sees you as like --
Snow: Mm-hmm.
Sherrod DeGrippo: -- a scary taskmaster.
Snow: Yeah.
Sherrod DeGrippo: And so be nice to your LLMs. What else should we know about the Social Engineering Community Village or anything at DEF CON this year?
Snow: Yeah, so the village, as we mentioned, I think the biggest thing is get in line early. Know you might be there for a little bit. [Laughs] Friday all day we're doing the human calls. Part of Saturday, we're doing the AI calls. And then we have something called "Cold Calls". So while both contests that we run we do require folks to sign up ahead of time and we have a whole process for choosing them, we want to give people in the audience a chance to place phone calls, so we have what's called "Cold Calls". And so the signup list is onsite, first come, first serve. We read down a list -- a roster to see if you're present. And the idea is you get five minutes in a soundproof booth and three objectives. And you don't know who you're calling until you get in the booth. So pretty much, you sit down, put the headphones on, get the mic set up, and in front of you, it would say, "You're calling this grocery store. You need to get these three random things from them." And then the phone rings. And so it's -- to me it sounds terrifying, but people love it.
Sherrod DeGrippo: That's one of the ones that I was watching. That's the one --
Snow: Yeah; okay.
Sherrod DeGrippo: -- that I was sitting there. And I want to say the first time I went I think I had a meeting with my boss and I texted my boss and was like, "I'm not coming to this meeting, like I'm staying right -- " because I saw the line to get in it. It was like --
Snow: Yeah.
Sherrod DeGrippo: -- "If I leave, I might not be able to get back in."
Snow: Yep.
Sherrod DeGrippo: It's super high-demand, and that's one of my favorite things, which -- what is that one called?
Snow: It's called "Cold Calls". And we have it --
Sherrod DeGrippo: Okay.
Snow: But we do have the last hour Friday dedicated to that, and then most of Saturday, the last half of Saturday, and a little bit on Sunday.
Sherrod DeGrippo: Well, I will guarantee -- don't get upset, anytime you go to the Social Engineering Community Village will be amazing, and you will love it. So if you come and there's a line, stand in the line. If you've got to come back later, come back later. But I think you will be impressed, your mind will be expanded, you will pick up some potentially scary skills and tactics to use only for good at your work. But I'm really impressed with it, I think it's one of the coolest, most fun things that you can spend your time out at DEF CON. And frankly, sitting in a quiet, air-conditioned room, transfixed by incredible skills is not a bad way to spend time in Vegas.
Snow: I agree. And I hope to see you all there. And yes, make a friend in line --
Sherrod DeGrippo: Make a friend in line.
Snow: -- with your social engineering, yeah.
Sherrod DeGrippo: Yes, make a friend in line. Tell them that Sherrod and Snow said to stand in line and make friends on the Social Engineering Community Village line. All right, Snow, thank you so much for joining us on the Microsoft Threat Intelligence Podcast. It was great to talk to you, and I can't wait to see you in Vegas this year.
Snow: Thank you for having me. See you soon. [ Music ]
Sherrod DeGrippo: Thanks for listening to the Microsoft Threat Intelligence Podcast. We'd love to hear from you. Email us with your ideas at tipodcasts@microsoft.com. Every episode will decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out, msthreatintelpodcast.com for more, and subscribe on your favorite podcast app.
