Podcasts
The Microsoft Threat Intelligence Podcast
Ep 7
The Microsoft Threat Intelligence Podcast 11.29.23
Ep 7 | 11.29.23

Threat Landscape with Wes Drone

Show Notes
Transcript

Sherrod DeGrippo: Welcome to the "Microsoft Threat Intelligence" podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week, dive deep with us into the underground. Come here from Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird. But don't worry, I'm your guide to the back alleys of the threat landscape. Welcome to the "Microsoft Threat Intelligence" podcast, a very special edition with Wes Drone, who I'll warn everyone now, just talking to him at all makes me crack up a lot because he is the bad cop to my good cop. Wes, welcome to the show.

Wes Drone: Thanks, Sherrod. I'm always happy to play bad cop. And, yes --

Sherrod DeGrippo: I can't be the bad cop, you're the bad cop.

Wes Drone: You're already laughing uncontrollably so --

Sherrod DeGrippo: I know, I'm sorry.

Wes Drone: It's going to be a good sesh here.

Sherrod DeGrippo: I love a good sesh. Let me -- okay. Wes Drone, you have a deep background in infosec, threat intelligence, detection engineering, you've been part of the intelligence community with law enforcement, you have tons of experience, you are a programmer developer so you're like a software nerd too, you are kind of like the all-around infosec nerd. What is that like?

Wes Drone: Well, if you remember, Sherrod, when you and I first met --

Sherrod DeGrippo: Years ago.

Wes Drone: I was on that CISO track, right?

Sherrod DeGrippo: I know, what a mistake.

Wes Drone: I was going to be the CISO. And then I met you and you said, "Why don't you come join me in this crazy world of research?" So, yeah, I think that because of my experience is in government, then defending enterprises, and then in the vendor land, which I know you're so fond of, I have some unique perspectives, I've seen it from a couple of different angles. There's still many more angles that I've not seen it from, but infosec is definitely an interesting beast. It will not change in the near term.

Sherrod DeGrippo: So, walk me a little bit through your villain origin story. You were at one time a server in a restaurant and then you got to actually finally be back of the house because -- now, wait, you were back of the house, you were working the grill and you wanted to get front of the house because that's where the money was, right?

Wes Drone: How do you remember these things?

Sherrod DeGrippo: I remember everything. That's my superpower. So, from there, kind of walk me how you went from that -- I know you were in college, I know you did FBI, walk me through your professional background. How did you end up here? Where did you come from?

Wes Drone: I often ask myself how did I end up here, Sherrod. As is every infosec professional at many times. So, yeah, I -- let's see, how far back do you want to go? I don't know if I really need to talk about the restaurant but I went to college and studied computer science, and finished the degree in computer science. After that, I went and worked at a small company where I sort of did everything, jack of all trades if you will. So, I got my start pulling network wire, crimping network wire, which I still to this day make interns do. And [laughs] that was funny. And so, I did all of those things at that company. I did a lot of things with software, wrote a bunch of different software both for websites, I've set up their databases, their servers, all those things. For about six years, I was their sort of in-house IT. And for this company, less than 20 people, I went there for what was like a little startup project and did a bunch of other projects. I wanted to do something a little bit different and maybe a little bit exciting. And so, at that point, that's when I thought, hey, I'll try to go work for the FBI. And about, I don't know, a year and a half or two years after sort of making that decision and applying, I found myself at Quantico. I was under the impression at the time that I was very much getting out of tech. I thought I'm going to go work bank robberies and other things of a criminal nature. Went through the academy, I met a director at the graduation ceremony, and he said, "Hey, well, what did you do before?" And I said, "I was a software developer." And he said, "Oh, I know what you'll be doing." I did not at the time.

Sherrod DeGrippo: Ouch!

Wes Drone: And then I arrived at my first office on the cyber squad where we work mostly nation-state cyber stuff before it was a thing in the private sector really. And so, you know, I was there during like the Madiant report -- APT1 report and all of the things that have come after. So, did my time with the FBI about five years, and then was ready to sort of do something different. And to be honest, move closer to home. And so, I found a gig local in the St. Louis area where I started doing incident response. And did a lot of different things at that job, incident response, threat intelligence, I got to sit in with the red team on many engagements, pop a few shells if you will. So, it was a lot of fun. There are a lot of things that weren't so fun, that turned out to be super valuable in the long term. We did a ton of risk management-type stuff. So, risk acceptances and all kinds of the other side of the house like compliance and policy, things like that. It turns out that actually benefitted me quite a bit later on in my career. And then the other thing, we were in the middle of an agile transformation. So, I got a ton of insight and training into Jira and Confluence, and really all of the things when it comes to sort of DevOps and managing all of those things. So, it was a good experience but they were going through some acquisition, and I met you. So, then we got to work together for a little while. And so, that's when I jumped into vendor space, right? And, you know, the vendor has been really cool. The biggest thing about vendor is just that you have a bigger impact, right? So, you don't just defend one company, you can defend hundreds or thousands of companies, or millions of users, right? And you can do it very quickly. So, when I look back, you know, at the FBI, we were sort of defending people but the latency of that was really long and drawn out, cases took years to complete. But then in a single corporation, you didn't have as much control. But then in the vendor space, you have sort of ultimate control and the largest impact. So, it's not without its challenges, of course, but security is the business whereas it's not always the business when you're sort of working at a corporation, right? So, all that to say lots of different experiences, but it's been fun, right, so far. Many more years to go.

Sherrod DeGrippo: How long have you been at Microsoft?

Wes Drone: Eleven months.

Sherrod DeGrippo: Yeah. Ultimate control. Wes was making fun of me because I made the intern crimp cables for absolutely no reason really because it was not integral to her role, but it was very weird to me to meet someone who said they never made a cable. You never put a crimp on a cable -- you never crimped a cable.

Wes Drone: It's a rite of passage.

Sherrod DeGrippo: It's crazy. So, Wes, what are you working on now? Like what's your focus these days? What are the problems you're solving?

Wes Drone: Yeah, so I am part of the messaging and web research team here at Microsoft. So, we're largely focused on messaging like email, maybe a little bit of Teams tossed in there, and then the rest of the team's also focused on some web threats. So, they all really kind of go hand in hand these days since most messaging ends up with the URL and you end up on the web.

Sherrod DeGrippo: Yeah. Anything lately that you really like? Any cool stuff happening out there?

Wes Drone: Lots of cool stuff happened this year. I just said the other day and I know you've missed it, it's okay, it's okay. The phishing landscape has really changed, just completely changed I would say in the last 12 months, maybe two years, and it's really kind of ramping up. So, the two biggest things are ChatGPT sort of democratizing this capability to write code. It's just wild. And then also what we saw with ransomware, right, and actors and how they went from just a single actor to sort of ransomware to service, right? You see the same thing in the phishing landscape where we sort of see individual people or groups doing phishing and now they've made that a service, right? So, what that's doing is that's allowing everyone to have better phishing capabilities than what they previously had. So, think about geofencing or captchas, or any other sort of more advanced techniques that you might only see from top-tier actors are now available more at scale. That all leads to a ton of activity and a sort of fast, hey, sort of TTP sort of evolution in the space right now. So, lots going on.

Sherrod DeGrippo: It's crazy to think that phishing can still evolve. I thought, you know, maybe it would stop.

Wes Drone: I agree. I don't see it slowing down. It's kind of wild, right, when you think about like, you know, there's like a handful of RFCs that govern how you can send a message from one server to another.

Sherrod DeGrippo: RFC 822, one of my favorites.

Wes Drone: Yes, of course. Of course. And so, I feel like, you know, at the end of the day, it seems like it would be relatively simple to secure. But I think as with anything that we try to secure, the rapid pace at which technology changes has caused us this sort of struggle to complete that, right? And technology is not slowing down, it is only moving forward at a faster pace if anything. So, I don't think that we will solve phishing in the short term.

Sherrod DeGrippo: You mentioned ChatGPT and I want you to be really super honest and tell me what you use ChatGPT for.

Wes Drone: Everything.

Sherrod DeGrippo: You use it for -- do you really use it that much?

Wes Drone: I use it so much. So, I was a bit of an AML AI holdout, if you will. And you could say that, you know, I wasn't really all in on it. Might have tried it a few times, I wasn't super impressed with ChatGPT-3. And you had encouraged me to go ahead and get a subscription. And I did. And so, version 4 I use all the time. I use it to send my kids baseball coach emails. I use it to like write funny things that I send in text to my neighbors. I use it at work to like sort of summarize documents, or if I need to like kind of go write little things just to make me a better writer, I use it for that. I use it for code. ChatGPT is really awesome for writing code. I do it mostly in the browser but like I've started playing with it in Copilot and VS Code. So, yeah, it is really a completely life-altering technology both for defenders and then as we've started to see attackers as well.

Sherrod DeGrippo: I love that. Oh, my God, I love that you say that because I feel like in my career, a lot of the people I've worked with and that I think you've worked with too, they will tell you that they're really good at certain things like you have some people on your team that are fantastic, network detection and engineers, specifically our friend Jack Ma who is also going to be on the podcast this week. He's really good at that. We have all of these people that are good at malware, reverse engineering, that are good at protocols, but they'll tell you, I'm not a good programmer. They'll say like, I don't write code. Oh, my code is bad. I am trying not to use curse words which is what they always say. But like they say their code is crappy. And I feel like some of the development Copilots and ChatGPT are giving confidence to security practitioners and defenders to write better code that they thought they weren't so good at before.

Wes Drone: I think so. Right. I think a lot of times, you know, I've interviewed hundreds of people for infosec positions and I always ask really lightweight sort of coding questions. And what I always get is people are really hesitant to say, "Well, I don't really code." But I'm like, "So, you can look at some code on GitHub and you can maybe change it a little bit and get it to do the thing you need it to do." "Yeah." Okay. So, you're an infosec coder. Like that's like my definition of it, right? And so, if you can get that far, that means that you can probably copy and paste that code into ChatGPT and then tell it how you want it to change, right? And it will give you what you need. Or, you could just straight off a prompt give you something. So, it's an incredibly powerful tool. It's not infallible by any means. I will come out and tell you, I've tried to get it to write amazing Kusto queries for me, it just won't. But that's okay. We have a few people for that for now. Maybe in the next version.

Sherrod DeGrippo: And I see it getting better too. I see it getting better I think. So, that leads me to ChatGPT fallible asking questions. We're now going to ask you trivia questions. Are you ready?

Wes Drone: Oh, don't ask me trivia questions. All right.

Sherrod DeGrippo: It is multiple-choice. Which of the following is a common technique used by malware to hide its presence on an infected system? A, scenography; B, rootkit; C, QuickSort; D, SQL injection.

Wes Drone: So, you're giving me like a little bit traumatic flashbacks from computer science with the QuickSorts.

Sherrod DeGrippo: Oh, good.

Wes Drone: And having to write QucikSort in Java, ah, it's just -- that was really, really miserable. But, yeah, it's B, rootkit. So, yeah.

Sherrod DeGrippo: That is correct. And also, these questions were written by ChatGPT.

Wes Drone: Oh, fantastic.

Sherrod DeGrippo: Yeah. Okay. There's the next one. You might not know this, I didn't know it, but it is pretty funny in my opinion. Which malware is known for the ransom note quote "Oops, you're files have been encrypted"? Is that A, WannaCry; B, ILOVEYOU; C, Zeus; or D, Stuxnet? I guess it can only be one of those, right?

Wes Drone: ChatGPT really wrote these?

Sherrod DeGrippo: Yeah, and I didn't read them before I'm reading them right now. It's a podcast, that's the point.

Wes Drone: That's the point, it's live. We're just making it live. Just making it happen.

Sherrod DeGrippo: We're doing it live.

Wes Drone: So, WannaCry would be the right answer then.

Sherrod DeGrippo: That is correct, it's WannaCry. What is WannaCry, Wes?

Wes Drone: WannaCry, it's this thing that made some people I know that are sort of famous, that impacted the world so it was ransomware that was deployed via a vulnerability and it turned it to a worm basically. So, without really getting into all of the details. And yeah, it kind of went crazy. Almost causing ransomware all over the globe until it was shut down when someone registered basically a kill switch domain, which that malware was checking, and then it ceased. And it led to all kinds of crazy things changing after in many, many historian book. So, yeah, WannaCry was a fun time.

Sherrod DeGrippo: It was pretty pivotal. I feel like it was sort of like the proto-ransomware landscape. And then it just kind of peaked and then is on a plateau now with never-ending ransomware events all around us.

Wes Drone: Yeah. I was defending an enterprise when that happened and I remember -- so if you think back to when that happened, right, so this is when Loki ransomware was like getting delivered in just troves, right, like just millions and millions and millions of messages like every day. And so --

Sherrod DeGrippo: Loki was an attachment. It was an email attachment and you clicked it and basically got it to run and then it became ransomware on your system. Loki, I worked a lot on Loki. And the ransomware cost for a Loki event was $300 in Bitcoin.

Wes Drone: Yeah. Exactly. And so, we were working a ton of those phishing campaigns. And what I remember the morning that WannaCry was kind of going, we were starting to hear about it, and we just assumed it was phishing campaigns. And it took a while, many hours before we learned how it was spreading, and then, you know, it was like that was a whole another nightmare because large companies have lots and lots and lots of inner connections with other companies. And so, then you're sort of like trying to figure out like, okay, is everything shut down, is it locked down? And it was quite the fire drill. Thankfully, we didn't have any issues where I was at. But many were not so lucky and they spent a long time dealing with that.

Sherrod DeGrippo: Yeah, that was a different time back then, a single machine.

Wes Drone: I'll tell you, another memory and I'll even toss out my good friend Ryan Campbell who I used to work with at that job. We were sort of like an intelligence role. And I know it is funny because I used to work with Bryan Campbell. So, you know, at that time, what happened was the email vendors had kind of gotten the hold of Loki and sort of this single machine sort of ransomware delivered via email. So, really the advent and the push for everyone to have dynamic sandboxing of their email attachments and URLs kind of took care of that, right? And it felt almost zero. There was, you know, a few botnet takedowns and things like that. So, you know, we were like, hey, look, ransomware is dead. Yes, I actually wrote down that ransomware was dead on paper one time because, yeah, we did not think that they would start working together and basically crowdsource red team pen-test tactics, right? But then we learned that that's exactly what they did. And so, as a service was born.

Sherrod DeGrippo: As a service was born. It was all the rage in Silicon Valley to do things as a service. Really when you think about ransomware as a service, it is a SaS model, they could get VC if they pitched it right. You just need a VC deck.

Wes Drone: I guess, I had some biases from my like FBI time like I didn't think that the criminals would trust each other as much as is required, right? But it turns out, they've been quite successful.

Sherrod DeGrippo: I also think that -- so the time that you and I are talking about is like 2015, 2016, 2017 when there were individual -- for those of you that are new to the ransomware landscape, this massive ransoming of an entire company is the way things are now. The old way was a single machine. You just put ransomware on a human resources administrator or some IT guy's laptop, and it's ransomed, it's encrypted, there's a big thing that says like, okay, your files are encrypted. And what happened was, these people would take their machine like to their IT help desk and be like, "Help me." And IT would say, "Oh, yes, this is bad. We've seen this before. We're just going to issue you a new laptop so you can get back to work. All your stuff is in the cloud like we've got a backup somewhere like you're cool. Let's just set you up a new laptop and send you on your way." And they were almost treating laptops at that time like they were stolen, like it was kind of like, well, shelf that thing, we'll deal with it later. Maybe we can re-image it, maybe we can't. But the reality is now that it's not just one person in an organization that has a buggy machine, right, like it was just kind of an IT problem. Now, that's like this massive -- we're taking out your entire business.

Wes Drone: Yeah. And leaking your files, right, which was the next step in that evolution.

Sherrod DeGrippo: Well, that's the next part, yeah. It's like we're going to shut you down and then we're going to extort you for even more stuff.

Wes Drone: Yeah, it's, well, there's been an entire evolution. I remember it was probably 2012, 2013 when the first thing like they were just screen lockers, right? It would just sort of pop up and lock your screen. And it was scary, with like an FBI warning or something and say, "Oh, you've been visiting the wrong websites. You have to go pay us Bitcoin or you're going to go to jail," sort of thing. And which is sort of -- it was a really low-level, it just locked the screen. And that's sort of like what I remember seeing first, right? And then we started seeing ransomware. I remember seeing some screen lockers on Android phones. That was a really big thing for a while. I remember lots of phone calls at the FBI office about -- because people would call the FBI and I would be working at the incoming phone and they would ask us about like is this real. And it's like, no, it's not real. You need to take your computer to someone to have it fixed, right? But, yeah, it was about that time. And then it just kind of shifted, right? And it's just been this continual evolution for, I guess, you know, the last 10 years. And, you know, we'll have to see where we evolve to next.

Sherrod DeGrippo: So, speaking about evolution, crimeware, APT, you have to choose one.

Wes Drone: Crimeware, APT?

Sherrod DeGrippo: Yeah, which one you want?

Wes Drone: You know, I have a love affair with both of them so I would probably pick APT.

Sherrod DeGrippo: What? Oh, you traitor. Are you serious?

Wes Drone: Well I -- well --

Sherrod DeGrippo: Reconsider.

Wes Drone: It's -- reconsider, yeah. It's a difficult choice. So, I've worked a lot more cases or investigations or incidents, whatever you want to call them, on the nation-state side. They tend to be a little bit more challenging and I like a good challenge in that regards. But crimeware also has a special place in my heart. It's not nearly as glamourized as APT work but it probably has a much bigger impact on normal everyday people and companies so when we tracked 100 different actors like crimeware actors in the past. So, yeah, I don't know, it's hard.

Sherrod DeGrippo: I find APT scarier. It makes me emotionally more upset than crimeware I think, which is I've really been exploring my emotional and psychological need to focus on crimeware over the past couple of years. And I think it's because APT scares me. It freaks me out. Like I don't like that. Yeah. I can understand like criminal mindset but like APT is -- that's serious business. It's a problem. It's a big problem.

Wes Drone: It is. Maybe it's just because I worked it from inside the government, right? To me, it's just intelligence collection for just normal people who have a job to go collect information about -- and for the most part, right, their adversaries or for policy decisions, things like that, right? There's a lot of -- plenty of intellectual property theft that went along with that. I think the more interesting stuff is the, you know, like Stuxnet and the more, you know, destructive malware that we've seen over the years. But I don't know, I've never seen it to be -- thought about it to be too super scary. But maybe it's because I've never really thought like I'm not like, you know, the top tier target by any means but I wouldn't think that you are either for most of these groups.

Sherrod DeGrippo: Not me personally but I like America. I live here.

Wes Drone: Yeah, yeah, yeah. Yeah, cyber espionage has been like a big thing. It's changed a lot in the last 10 years. But I don't think it's -- you know, you get into somebody's like blended operations. You know, there was a news article about just the other day I think about some blended ops that were going on. So, I think it's interesting. I think it's also -- maybe it's a little terrifying just because of how much of our life continues to be digitized, right, like literally everything is going to -- I just thought to myself like just yesterday, I was like, you know what, I really wish my fridge would just like know what groceries I was out of and would just go ahead and like make sure those got to my house. And I can remember many years ago thinking smart fridges were just like the dumbest thing in the world like why would you want a smart fridge? And here we are. I've been trained into the Matrix.

Sherrod DeGrippo: Yeah, you're a Matrix agent now. I'm sorry about that, very cringe pill of you. I have an internet-connected washer drier and I have the app on my phone and I check my laundry status on my phone to see if my laundry is done. And that is the ultimate thing that, you know, a few years ago I would have been like that is the stupidest thing I've ever heard. That's ridiculous. But I had the same reaction to the concept of a wiki and the same reaction to the phone with a camera on it, I thought these things are completely stupid, and now I use them every day. So, we're the problem, me and you.

Wes Drone: We are. We are most certainly the problem. I think we'll always see that there will be more and more of that, right? And we've been around long like if you think back just 20 years ago to like what a computer looked like and then you think about what it's going to look like in 20. I'm just at this point now where I'm like, wow, especially with ChatGPT and sort of this sort of, you know, AI revolution that's going on. Wow. In 20 years, it's going to be a lot of different.

Sherrod DeGrippo: I love the AI as a consumer. I am all over it. As a user, I'm deep in it like I want it all the time. Things happen and I know that I'm becoming sort of adept at using it as a tool because stuff will happen and I'll say, you know what, I'm going to ChatGPT this. Like this is a weird story but I got a weird letter in the mail that said that I had wrecked a rental car. And I most certainly had not wrecked a rental car, I don't rent cars. I Uber. I'm not a good driver so me wrecking is a problem but I know that so I don't rent cars. Oh, you've been in a rental car with me before, Wes? Did I wreck that rental car?

Wes Drone: You did not hit anything or a person while I was in the rental car with you.

Sherrod DeGrippo: But I'm not a good driver. You can say that. I don't care.

Wes Drone: I did not think your driving was bad but you are notorious for saying that you're a bad driver. So, I'm just going to take your word for it and I do recall you, you know, having a few fender benders and spending a lot of time at the dealership but, you know, other than that --

Sherrod DeGrippo: A few cracks here and there. Yeah. So, I did not rent a car because I know better than that. I don't really rent cars because I know that I'm not a good driver, and especially in a new car and all this. And it was like you just send us $400. I was like I most certainly will not. In fact, I'm going to ask ChatGPT what the laws are on this. And I just got into ChatGPT and was like, "Do I have to pay this debt?" And ChatGPT told me no. So, then he created -- I mean, ChatGPT is a guy for me -- he created me letters to send back to this debt collection company that were like formatted with all the things it needed to say according to the laws of where I live. I sent it off on a registered certified mail via like an eFax-type of service. So, now, my point is when things happen now, when I need something, I'm like I don't need a lawyer, I need to get on ChatGPT for 20 minutes. And I do that. Like I needed to plan a party. Oh, my gosh, I need to make a grocery list, let me think. No, ChatGPT, I want to have a party, make me a grocery list. Make me a liquor store list. Give me the recipes for the grocery list that you made me. And never plan a party again. It's pretty great.

Wes Drone: Yeah. It's really good at making lists. Like really good.

Sherrod DeGrippo: It is, yeah. I have it make lists for me all the time. I love that thing.

Wes Drone: So, yes, it's impressive.

Sherrod DeGrippo: When the machines like enslave us, do you think that they will use this podcast as evidence that we are good humans, that we are cool, or --?

Wes Drone: Good humans are worthy of enslavement.

Sherrod DeGrippo: Oh, yeah.

Wes Drone: I know.

Sherrod DeGrippo: Oh-oh, I shouldn't say so many nice things. ChatGPT, we love you.

Wes Drone: I think we're a little ways off from the machines taking over. I don't think that's going to happen right away. But hopefully -- I mean, I made the comments to a friend the other day, I said, look, in 10 years, we're all going to have a personal assistant, it's going to be a virtual one. It's going to be basically ChatGPT or something that's with you all day, every day, and it's connected to all your things, and you just tell it what to do. And it will go and do these tasks for you. I don't think they'll be sentient by then. But we'll see. I think we're going to have to have some major breakthroughs in compute and power generation in the near future to kind of stay on the same path that we're on. But maybe ChatGPT can help us out with those.

Sherrod DeGrippo: If we're talking about compute in our generation, if we look at Moore's Law, I think we're doing fine. If we can become a Kardashev level 1 civilization and harness the power of our star, or just below the output of our own star, we'd be pretty good. And I think we can do that. We're like a Kardashev like negative.2 right now but we can get there. Just keep working on it. And then the singularity. It's great.

Wes Drone: You just took this podcast like a full nerd, just like all the way in.

Sherrod DeGrippo: That's why you're here. Do you have a favorite threat actor that you like to work on?

Wes Drone: Not these days.

Sherrod DeGrippo: Emotet's gone, Qakbot's gone, TrickBot, don't see it.

Wes Drone: I know.

Sherrod DeGrippo: Who's out there? DarkGate is out there, it's all ransomware. Where are the downloaders? Where's the key loggers?

Wes Drone: They're still there. It's all there.

Sherrod DeGrippo: They're just not getting the news coverage that they deserve.

Wes Drone: Probably not. There are more important threat actors out there. I did enjoy Emotet, although this is a tough actor, right? It's kind of like being a sports fan and your team just stops playing for six months out of the year. What do you do? Right? So, yeah. I think that I've enjoyed tracking a lot of different actors in my career, some of which I can't talk about or name, others that you and I both are aware of. But yeah, I think that I enjoy actors that do things that are novel. And I don't throw that word around lightly, it's actually like -- it's a no.

Sherrod DeGrippo: No, you hate that word.

Wes Drone: I really do, I despise that word.

Sherrod DeGrippo: You've said many times you hate the word novel and you hate the word sophisticated. I've read your blog notes. I have seen you edit blogs, I've seen the comments on the side panel that are like, don't say sophisticated, don't say novel. I've seen you say that.

Wes Drone: So, that's because they're relatively rare. But we tend as professionals to use them as descriptors of activity quite often. And so, I do feel like there are in fact novelties that are unique, TTPs, things that are really well done, well thought out and executed on. And I think working on those types of things that challenge us as defenders to push ourselves, to think about things in a different way are the most interesting, right? What's an example? So, let's say like you don't want to just look at the same like really basic thing happen over and over again, right? So, when you get to that sort of watch or learn about sort of a log TTP, or a log-in campaign that results in something with a lot of unique things, I think it's interesting. There's -- I wouldn't say it's mutual respect so much, but there's definitely this, you know, defenders watch attackers, right, and they do things that are super clever sometimes for all the wrong reasons, of course. And attackers watch defenders, right, and they would say the same. So, it's just a big game right now, or games, right? And that's kind of -- I'm trying to make you laugh with my super old '80s reference.

Sherrod DeGrippo: That's not that old. Oh, geez, am I that old? But I think that that leads also to the better the defenders are, the more the threat actors have to pivot. And ultimately, watching threat actors pivot is fascinating. Watching I think that we all kind of agree, especially in the crimeware side, but in the ATP world too, there's this concept of like they are only going to do what they have to do. We don't typically see threat actors doing like the most, like we don't typically see them being extra because they don't need to. So, in order to watch -- you know, when you're poking at them, in order to watch them kind of dance, you've got to -- you know, they're going to do something different. When you're putting defensive measures, well, they have to change what they're doing and they keep changing what they're doing until they get what they want. And that means that we have to keep changing what the defense landscape looks like too.

Wes Drone: Yeah, absolutely. You know, one of the things that I never thought about before coming to Microsoft was that as defenders, we are sort of used to, okay, new technique, new thing, go right, sig for thing, and then deploy, right? Microsoft, the platform is so big and used so broadly, right? When you make a detection that actually goes to the entire platform, it invokes change very quickly. And it's this idea of sort of like thinking about like where and when you sort of like put in different detections. It's not a space that I have really like considered before because in all of my other roles sort of, you know, when you write a single rule, it didn't have as big of a broad impact, right? But it does here. And so, it's kind of brought this whole different level of sort of strategic thinking about actor TTPs, and you talk about like actors shaping like how can you get the actors to sort of go in the direction that you want them to go so that you sort of can offer a good defense for a while. And there are some actors that are really good, that do more than they have to, that's just actors that are working for really large governments, you know, and they want to sort of be stuffed, they don't use those capabilities more broadly. But yeah, it's just another day.

Sherrod DeGrippo: I think every day is crazy. I've worked in Microsoft I guess seven months now, eight months, and you're almost at a year, and it's definitely wild, it's definitely massive impact, like you said, it's a lot of control and capability. And it's also something that I feel good about because ultimately, we're just protecting a massive, massive amounts of people at Microsoft. And I love that feeling of, you know, my dad uses a Windows computer, right, it's like that's important. People on all kinds of platforms, on all kinds of clouds, on all kinds of devices. Microsoft touches it. Like it's so ubiquitous, it's everywhere, it's product suites that people depend on for work and school and home, and everything. And video gaming, which, you know, my dad always reminds me I work at Xbox. So, it's --

Wes Drone: Right, right. I was going to mention it when you were listing everything off, right? And I think that's the dealer for me too, right? So, you know, when you can sort of piece it together, right, that as the industry has sort of consolidated, right, into different platforms, you know, Microsoft has this platform and, you know, as a researcher, you want to be able to use data insights and your expertise from different parts of that platform, right? That's been one of the coolest things about coming here to Microsoft is just seeing that it's not like I can see everything -- you know, it sounds almost like the Eye of Sauron, like I can't see like every single thing that happens, right? But we can work with different teams throughout Microsoft security research to gain those insights, to share that knowledge, to kind of see like what they're seeing, and work together to sort develop a more holistic sort of picture, and then solution on what we're able to sort of do to make the attackers change and do it all over again.

Sherrod DeGrippo: Okay. I'm going to ask you one last question. This is a personal question, it's not a trivia question. If you can have telemetry access to only one of the following, which would you choose? Email, network, endpoint, cloud?

Wes Drone: All right. So, this is like a trick question, all right. Because if I choose network, I also get email, and I get part of cloud. So, it depends on what I'm doing. So, if I was defending an organization, again, I'd probably pick endpoint. If I was doing research, I'd probably pick email. And if I was, I don't know, I just don't think cloud is there yet, not yet. It's close, but not yet.

Sherrod DeGrippo: Well, guess what, you've got them all here.

Wes Drone: I know. I know.

Sherrod DeGrippo: That and the video game telemetry. Wes, let me thank you again for coming on the "Microsoft Threat Intelligence" podcast. It was great to talk to you. I want to have you back to talk more about your background, what you're seeing in the landscape, threat actor movements, and all those things. So, I hope we'll have you back in a couple of weeks. Thanks for coming on. It's great to actually get to work with you.

Wes Drone: Yeah, it was awesome, Sherrod. I appreciate the pain and I would love to come back.

Sherrod DeGrippo: Thanks, Wes. Thanks for joining us on the "Microsoft Threat Intelligence" podcast." Thanks for listening to the "Microsoft Threat Intelligence" podcast. We'd love to hear from you, email us with your ideas at tipodcast@microsoft.com. Every episode will decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out msthreatintelpodcast.com for more and subscribe on your favorite podcast app.

The Microsoft Threat Intelligence Podcast
Podcast Info
HOST(S):
Sherrod DeGrippo
Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft, is a frequently cited threat intelligence expert with a 19-year career leading global threat research and analyst teams. She was named Cybersecurity Woman of the Year in 2022 and Cybersecurity PR Spokesperson of the Year for 2021. Sherrod has provided expert commentary for BBC News, Wall Street Journal, CNN, and New York Times and has presented extensively at conferences including Black Hat, RSA Conference, RMISC, SleuthCon, and others.
Schedule: Bi-Weekly
Credits: Executive Producer is Bruce Bracken, Producer is Rob Petrillo, Production Manager is Max Solomon, and our Audio Engineer (and magician) is none other than The Great Rich Cerbini.
Creator: Microsoft