Punching Miscreants with Jack Mott
Sherrod DeGrippo: Welcome to the Microsoft Threat Intelligence Podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week, dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird, but don't worry. I'm your guide to the back alleys of the threat landscape. [ Music ] Welcome to the Microsoft Threat Intelligence Podcast. I am here with Jack Mott, senior security researcher with Microsoft. Jack, thanks for being here.
Jack Mott: Hey, thanks, Sherrod. It's good to be here, too.
Sherrod DeGrippo: Jack and I just watched an incredibly violent clip from the film "Heat", which is my favorite hacker movie, even though there's really not hacking in it. It's my favorite threat actor, criminal psychology, threat actor psychology movie. So the reason we watched that is because I want to ask Jack, in the movie, Robert De Niro pretends to be security, and I know that you do a ton of work with social engineering. So I was wondering if you could kind of give us some of your point of view on what his cool social engineering tactics were in that clip.
Jack Mott: Yeah, for sure. You know, first off, I don't get why heist movies get so much hate. I feel like --
Sherrod DeGrippo: I love a heist movie. What?
Jack Mott: Yeah.
Sherrod DeGrippo: I love them.
Jack Mott: They get made fun of here and there, but second, the reason why anyone that's working in infosec should love a good heist movie is because of the amount of social engineering, the cat and mouse, the tricks, the gadgets. There's always lots of fun elements. It's not always just one track of gun violence or persuasive interviewing of people. It's always a whole team and a whole crew working together, and everyone's got their specialty and you throw in some altruistic motives to it. It's like a cherry on top, you know?
Sherrod DeGrippo: Yeah, I love them. And I also think that "Heat"'s really good because it shows a lot of pathos. It shows a lot of personal motivation from these people who are quite literally in a threat actor group, right? It shows that they're doing this for various different reasons. At one point, the quote, the action is the juice. For some people, it's not necessarily about the score. It's about the action for them, and there's characters that have all these different motivations. But going back to that clip, Robert De Niro pulls a fire alarm and then pretends to be security. So what do you think are some of the elements in there that you noticed that kind of made him be something that he's really not?
Jack Mott: Yeah, I mean, I think it's a great tactic, right? You are removing people that you don't care about or don't want to be involved out of the way. It gives you perfect cover to sort of move undetected, and furthermore, he's wearing a generic suit. He's got a flashlight. It's like basically this movie's version of the clipboard, but I really like the attention to detail where he stands with his back to the door. So when the guy on the other side goes to look through the peephole, he's sort of like, I don't know, 50-50, is this real or not? And it makes him sort of hesitate. It's kind of the perfect combination of elements.
Sherrod DeGrippo: I totally saw that too. The flashlight was really cool. Robert De Niro pulls the fire alarm. He's walking through the hotel corridor. All these people are evacuating. He's going against the flow of people, pretending to be security. He's got this flashlight out. And when his target comes to the door, like you said, he's facing the other way. And so it gives you that pause, no matter who you are, of, is this real or not? And that's a lot of what you deal with on the threat landscape, especially in the email stream, is it real or not? And so I feel like that scene really gives a lot of social engineering perspective in an awesome action movie. And that's kind of why I wanted to show it to you and ask you, what kinds of stuff do you look at on the threat landscape that you wonder, is this real? Is this real? Is this not real?
Jack Mott: Yeah. I feel like my position, based on the clip, is the person who ends up getting shot pretty violently. So I don't necessarily love that, but, well, I'm the one looking through the peephole, right?
Sherrod DeGrippo: Yeah, you are. You're looking through the peephole.
Jack Mott: I don't want that outcome. But see, it's like being on Blue Team is tough, right? Sometimes that is the outcome. Yeah. I mean, all day long, you're just trying to validate these things. And I think there's multiple layers to the way that threat actors sort of operate, whether it's some of this low-hanging fruit, you know, very easy to detect and sniff out. But, you know, the more targeted or advanced actors, you know, start to divulge into those methods that are a little bit more harder to pick up, right? They're not always surface level. Your sniff test immediately says this is bad. And so that's where it kind of requires that extra layer of eyes or that extra check to sort it out.
Sherrod DeGrippo: I don't know if you remember this, but several years ago, you and I were working on Crudfish detections for Crudfish landing pages. And there was a landing page for a quilting conference. And this link got passed around and passed around at work. And everyone was like, is this real or not? And everything we could figure out sort of was inconclusive. These quilting fans are not super technical, so it looks a little amateur, but also it could be an amateur Crudfish page. And I remember that being such an experience for me where I was like, it's actually really, really hard sometimes to tell if something is legitimate or not. And that doesn't even begin to take into account things that are compromised by a threat actor that are being leveraged. I think it's interesting that so much of what you do is looking at things and determining if they're authentic or not.
Jack Mott: Yeah. Yeah. And a lot of it, it just comes with time. It comes with understanding the threat landscape and just getting comfortable with things that stick out and diving straight into them. You know, I mean, a lot of times we're seeing threat actors moving to things like supply chain attacks, right, compromising legitimate infrastructure as a way to kind of like bypass the sniff test, right? A lot of times we put our guards down when we see things are signed, when we see things are coming from a kind of known source, and it sort of immediately puts our guard down.
Sherrod DeGrippo: What do you think it takes for somebody to be good at the work that you do? What do you need? What do you have to have?
Jack Mott: Truthfully, you know, I think the most important thing that someone who does any sort of research or analysis into these kinds of threats is curiosity. Just having an inquisitive mind and having the wherewithal to kind of say, hmm, something is just a little bit weird about this and I want to chase it down. And even though nine times out of 10, it might just be a fool's errand, that one time can sometimes be very interesting and be a really cool find. And so I think bringing that curiosity in any domain of information security is huge. And you know, I think some of the smartest folks I've worked with never came from a computer science background or even had a degree. Right? It's just a matter of you have the right mind and you want to find the answers. You want to solve the puzzle and you don't want to give up until you find the answer.
Sherrod DeGrippo: Yeah, I think that's true. And that's something I've been talking about with other people that have come on the podcast. There is a mindset of looking for weird stuff, looking for something that doesn't make sense, is out of place, doesn't seem real. And to me, that's kind of why in information security as a job and a profession and an industry and a community, if you're fake or inauthentic, people really don't like that because that's what all of these people do for their jobs is they look for things that are pretending to be something else. And so it's really easy. Like you've mentioned the sniff test, I think a lot of people in security apply that in their social lives too. And so they might look at an email or network traffic or processes on a host as, is this real? Is this good? Is this something bad? And they look at their relationships in the same way. So I think that we all kind of share a shared psychosis.
Jack Mott: Yeah. And I think just to add on to that point as well around being curious and inquisitive is like not being afraid to be wrong, right? There's never anything wrong with chasing down a lead and it coming up empty or having a hypothesis and trying it out and having it not work, right? It just means that you tried something, you had an outcome, and now you can move forward knowing that outcome. And I think I see a lot of people in this industry who are afraid to either be wrong or afraid to make a mistake or something. And it's so hard to convince people that it's okay. It's okay to be wrong sometimes. It's okay to make a mistake, right? As long as you're being responsible about how going forth with that investigation, right? You don't sound the alarm before you know what the issue is, right?
Sherrod DeGrippo: Yeah. No, I agree with you. I think people sometimes get scared of taking chances and taking risks. And I think that's an okay thing to do, especially when you're experimenting. And I also think that people in this space are pioneers a lot of times. They're doing things that no one has really had to do before. And you have to accept that you might make mistakes or fail if you're doing something that probably no one else has ever done. Speaking of things that are novel and that might not have been done a lot, tell me what kinds of things you're seeing out on the threat landscape that are kind of concerning to you and that you're working on. Like, what's happening in your world?
Jack Mott: So one of the biggest things that we're seeing these days that we're trying to put a dent into is, you know, sort of actor-in-the-middle phishing kits, right? So we have a lot of this activity, you know, evil jinx, things that are able to intercept credentials and bypass multi-factor authentication. And this has led to, you know, a higher number of compromises. It's definitely something that does aid threat actors in continuing their operations. And it's something that, you know, we see on the regular in very high volume. You know, the delivery can be widely, you know, varied. So it could be QR codes in the body of an email that lead to, you know, redirection chains going to these landing pages. It could be a PDF containing a link. It could be an HTML attachment that, you know, redirects or even locally just pops open a prompt. But either way, if those attacks are successful, they're having a big impact on percentages of compromises increasing.
Sherrod DeGrippo: Okay. Yeah. This is a big problem. We did write a blog about this on the Microsoft Threat Intelligence blog, but I have a question for you. Everyone I think is wondering, okay, you just said it's defeating MFA. How does attacker-in-the-middle work?
Jack Mott: Read the blog.
Sherrod DeGrippo: God, that's brutal. They get people to give them the generated MFA code from somewhere, right? Like there has to be another vector involved in that threat.
Jack Mott: Typically, the user, you know, gets presented with a false login page, right? For Microsoft, their bank, whatever it might be. The credentials get entered into that phishing site. The phishing site then proxies the request to the actual website. So when the target website returns that multi-factor authentication screen, the user puts their information in, additional authentication occurs, the phishing site proxies the request from the user to the actual target website. And then from there, a cookie is returned, which then allows the attacker to log in with a valid cookie to that target website.
Sherrod DeGrippo: Okay. So it really is getting in the middle with a proxied landing page of some kind. Like the landing page that the victim is putting their credentials into is proxying that back to the threat actor somehow. And are those automated or do those require someone to be hands-on keyboard sitting there?
Jack Mott: This is all automated just due to the fact that the phishing website is sitting in between sort of the user and the targeted company, right, what they're trying to log into. And so because of that, to the user, you're seeing legitimate things coming back. You're entering your credentials and all of that is just automatically sort of happening on the back end. And then the attacker is able to capture that cookie and then turn around and use it.
Sherrod DeGrippo: So it feels pretty seamless when the person is actually interacting with these attacker-in-the-middle pages.
Jack Mott: Yeah. Yeah. I mean, for all intents and purposes, right, we're seeing HTTPS, TLS connections. You're seeing what you would normally see during a login session. And some of the more, you know, tailored sort of actors, you know, make it pretty easy for these pages to load and look sort of, you know, deceptively similar to what they think they're logging into.
Sherrod DeGrippo: Hmm. Yeah, that's been going on for a while. And I think the key there is just be really careful what you click on. I would say, I know this is radical, but if you have to take your phone out to take a picture of your computer, that seems bad. Don't do that. Don't take your phone to take pictures of your computer screen for QR codes or for really anything. If you're taking a picture of your computer with your phone, you should learn how to screenshot. That's what I would say.
Jack Mott: Yeah. I would love to know what IT departments exist that suggest scanning QR codes to do anything. I'm very curious if that has ever come up and if that's ever been successful for that company.
Sherrod DeGrippo: Yeah, that's a workflow I would avoid. So what kinds of things are we doing at Microsoft to make sure that stuff that we block is still being investigated and reviewed by somebody?
Jack Mott: Yeah, sure. So I think we've made a cool transition from almost like the AV mindset of, hey, just block it, move on, into that more threat-informed detection lifecycle. So essentially, we're finding patient zero or the start of a wave, a campaign of sorts, analyzing what we're seeing there, checking first for detections, hey, are we covering this? Do we have misses? Do we have gaps? Identifying how and why, but then moving forward with that knowledge to then continue tracking the actor either through detections or through queries that can help us kind of profile the different delivery aspects of these groups. And that is where we kind of hit the sweet spot, which is the threat intelligence informing detections, detections informing threat intelligence, and getting into this really cool kind of echo chamber where if your queries hunting on infrastructure, hunting on delivery, start to fail, the detections might pick up aspects of that campaign that were missed and vice versa, right? So if we do end up having a detection gap, typically folks who are tracking these groups can inform us quickly, we push out detections, and carry on. So it's really nice, and that's kind of how we stay up to date with some of the most prolific groups, you know, the most voluminous sort of threat actors. And it maintains not just good visibility, but good efficacy, and we're pretty quick to know when things change and how they changed, and continue to kind of adapt from there.
Sherrod DeGrippo: Yeah, I think that that's something that people don't realize necessarily, is that they have to think about both of those things at once, like the detection piece, blocking piece. And we're in this, like as you said, past the evolution of like the old school AV way of thinking into, you've got to get forensics out, you've got to watch it make network connections, you've got to know what's going to happen next if you didn't block it, so that you can block the next flavor, or generation, or pivoted piece of that malware.
Jack Mott: Yeah, I mean, at the end of the day, these are human beings on the other side of the keyboard, right? And human beings lead to patterns, and that leads to behavior that you can kind of recognize. There's a reason you can look at a certain email or a campaign and quickly say, oh, this is that threat group, because it matches, it matches their TTPs, it matches their style, their behavior. And those are the kinds of things that intelligence helps us understand, and then detections help us track and block.
Sherrod DeGrippo: So speaking of detections, you're a very, very famous regular expression wizard. You're like a dark mage, you're like a regex sorcerer. That's what people call you at work. They're like, do you know Jack Mott? And I'm like, the regex sorcerer? And they're like, yes, that's him. And I'm like, of course I know him. So regex is something that I feel like a lot of people need and use all the time, but also that people struggle with. So since I have you here, I wanted to ask you if there's any tips that you have for people who are struggling with writing regular expressions.
Jack Mott: Yeah, I mean, I think like most things in this field, it's just you have to put your hands on the keyboard and start playing with it, and just have fun, experiment. There's really cool websites, regex101.com is a really cool one for helping syntax highlighting, helping understand the breakdown of what a regular expression might be doing, what it might be matching on or not matching on. There's also kind of fun games like Regex Golf that are kind of fun little training tools where it'll sort of give a prompt and say, hey, here's 10 words, match these two only. And you kind of have to work through your brain and kind of logically separate out the things you don't want to see and just the things you want to see. And so I think those are really neat ways to kind of pick it up. But if you're looking at things all day long, just write a regex for it, right? I mean, I would totally say that it's probably one of the most valuable skills you could have working in this industry. I can teach you how to write YARA, I can teach you how to write Suricata, network rules, whatever language, all of it will have regex as a part of it. And that's sometimes the most important piece of it.
Sherrod DeGrippo: That's awesome. I didn't know that there was like a Duolingo for, you know, Mavis Beacon Teaches Regular Expressions. That's pretty cool. So one of the things you mentioned was curiosity. The theme for Blue Hat this year and for the Microsoft security research was curiosity, using curiosity to help protect people, you know, using curiosity to do all those things and using it in a group way, in the community way, in the way that we have partnerships with people and how much we depend on other people in the intelligence community. What are some ways that you think have benefited you and your work in terms of like having community and having partnerships with people?
Jack Mott: Yeah, I think, you know, at the end of the day, there are a lot of folks who share the same mindset, you know, the tenacity of impacting threat actors, disrupting activity and ultimately protecting people. I think that's, at the end of the day, why a lot of us are called to this work and why we put so much time and effort into it. And, you know, I think one of the coolest things that I've found since joining Microsoft has been finding all those different people in all the different places they may lie. And what it's ended up being is a really cool partnership where, you know, you're working with people, they're all sort of trying to address the same problem just from different angles, right? But the point is folks are all sort of looking at the same thing and there's really valuable information that can kind of be gleaned and passed back and forth. Like, I care about a lot of things from a detection perspective because I want to know, first off, do we see it? Can we block it? Did we block it? But a lot of other folks, maybe, you know, if they're in Mystic focusing more on the threat actor, higher-level things that have nothing to do with detections, they're still finding really cool things that will let us have better visibility into what we're trying to find and detect. Same kind of goes with partnerships we have, you know, through MSRC when we're dealing with software vulnerabilities, you know, various exploits, things that are noteworthy, you know, this is a really nice partnership where we can kind of assist in, you know, what are we seeing? Can we detect it? How can we aid in their other detections? And so really just being able to foster those relationships, understand it's a two-way street, and being able to just kind of share things back and forth that make everyone's lives a little bit easier has been really beneficial to me.
Sherrod DeGrippo: I love that. And I think that that's a big part, especially, Microsoft is a huge company. We have 220,000 employees. And I know them all. No, I don't. I know a fraction of them. And I am very grateful to work with all the people that I work with. But that's just Microsoft, right? Like we have 10,000 people working just on detection, security, intelligence. And we have all of our friends at other organizations that work on it too, at other places that we've been or in other community roles and things like that, open source projects, all the bug bounty community, which is very wild and crazy. Those people are really -- they're wild, the bug bounty people. They are just very -- they're on it. And it's interesting to see all that. And I hope to meet some of them next week at Blue Hat. But I think it's really incredible how we've been able to have the communities that we have.
Jack Mott: Yeah. Like I said, I think it comes down to the fabric of a lot of the folks that work in this field. And again, what brings them to work every day and making miscreants cry, you know.
Sherrod DeGrippo: Oh, how do you make them cry? How do you make a miscreant cry? You punch them.
Jack Mott: Make sure that they can --
Sherrod DeGrippo: You punch them, Jack.
Jack Mott: Yeah, you punch them. I didn't want to get violent. I didn't want to get violent on the call. I was afraid --
Sherrod DeGrippo: You just watched a movie where a guy got shot repeatedly.
Jack Mott: That's true.
Sherrod DeGrippo: That was very violent.
Jack Mott: That is true.
Sherrod DeGrippo: It was very violent. Okay. So you love to make miscreants cry. You're a miscreant puncher from the olden days. And Jack, anything else we can follow up with that we should check out to follow up more with you? I know you mentioned Regex 101.
Jack Mott: Yeah. So Regex tools, there's an online tool called regex101.com. It's a very neat kind of interactive syntax highlighter for various regex operations. And then there's a game called Regex Golf that sort of gives you challenges that you solve with regex. I think both are really, really great tools for anyone who's hesitant to jump into regexes. They look crazy. They look scary, but they're incredibly powerful and one of the most useful things that I think any defender can have in their toolbelt.
Sherrod DeGrippo: Crazy and scary. That's where we'll leave it. Jack, thank you so much for joining us on the Microsoft Threat Intelligence Podcast. It was great to talk to you. We will hopefully have you on again and learn more about all the things you work on. Thanks for joining us.
Jack Mott: Thanks, Sherrod. It was fun hanging out. I look forward to the next time. See ya.
Sherrod DeGrippo: Thanks for listening to the Microsoft Threat Intelligence Podcast. We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode, we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out, msthreatintelpodcast.com for more and subscribe on your favorite podcast app.
Microsoft Threat Intelligence