The Microsoft Threat Intelligence Podcast 12.13.23
Ep 8 | 12.13.23

A Journey through Cyberwarcon


Sherrod DeGrippo: Welcome to the Microsoft Threat Intelligence Podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week, dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird, but don't worry. I'm your guide to the back alleys of the threat landscape. Hey, everyone. Welcome to the Microsoft Threat Intelligence Podcast. I am joined by incredible threat researchers, intelligence analysts from Microsoft Threat Intelligence. I've got Mark Parsons. Hey, Mark. I've got Judy Ng. Hi, Judy.

Judy Ng: Hello.

Sherrod DeGrippo: Hello. And I've got Ned Moran. Hey, Ned.

Ned Moran: Hello. Hello.

Sherrod DeGrippo: So I see your beautiful faces on video now, which we're audio only, so no one else can see them, but you guys look great as usual. But I saw you in person two weeks ago at CYBERWARCON in what I've been calling Gem City, which is also Crystal City, Arlington, for the annual kind of APT CONFAB, I don't know what you would call it. It's the big APT conference where the top APT researchers give out what they've seen over the past year. And so I just kind of wanted to hear your impressions. Judy, I'll start with you. What'd you think of CYBERWARCON this year?

Judy Ng: I love CYBERWARCON. A few of us like to joke it's like a big family reunion. You know, you get to see past colleagues and future colleagues all in the same place, and current colleagues, of course, at the same place. So it's a big family reunion. It's always a great time.

Sherrod DeGrippo: Mark, how about you? How's your CYBERWARCON?

Mark Parsons: So yeah, I'll mimic what Judy said. I think it's a big family reunion. It's great to catch up with colleagues that we haven't seen in a while, find out what's going on in their personal lives, but also start working on some tradecrafts, see what current researchers are working on.

Sherrod DeGrippo: Ned, how about you? What'd you think of CYBERWARCON this year?

Ned Moran: Yeah, you know, echoing Judy and Mark, it is really nice to see colleagues that we worked with in the past and will work with in the future. But what I also really enjoy about CYBERWARCON is the ability to sort of discuss in meatspace what we do virtually all day, every day. As researchers, particularly in the cyber domain, we can sort of get really engrossed in our laptops and go hours, days, weeks without realizing I actually haven't talked to anyone. So getting on a stage in a room in front of hundreds of people is really good. It forces you to think about your research and present your research in ways that you're not accustomed to when you're just typing into a chat room or you're documenting your research or you're writing a signature or whatever you may be doing. So it's a very different skill that you get to practice, and as researchers, we don't get to do this very often. So it's a lot of fun.

Sherrod DeGrippo: I had a lot of fun at CYBERWARCON. I've been going for the past couple of years and John Holquist is a good friend of mine. He's always been really kind to me and I just love the vibe. The CYBERWARCON vibe is really healthy and it's like, I wish that more groups of people could get along the way the CYBERWARCON people get along. Everyone is so happy to see each other. Competitors, doesn't matter, partners, friends, co-workers, everyone's just really, really excited to spend that time together. Speaking of spending time together, Judy, you put together a little nerd party the night before, which I didn't get to attend, unfortunately, because I had to work at my job. How was the cocktail hour beforehand?

Judy Ng: It was a really great time. As all of us have mentioned, it's a family reunion, so it's really great to get everybody in one location just to meet up and break the ice of the next day. We had presenters come, we had attendees come, and we had people who were coming to CYBERWARCON for the first time partake in our happy hour. So it was just a really good time for everyone to get together.

Sherrod DeGrippo: That's cool. That was really cool that you got to put that together and I hope I can get to go to that one next year. So, speaking of presenters, Mark, Judy, Volt Typhoon, China-based actor focusing on U.S. interests in Guam. You guys were presenting on that threat actor. We also had Morgan Adamski from NSA mention that actor on stage as well. Can you explain to the audience what they need to know about Volt Typhoon if they're brand new? Mark, I'll start with you.

Mark Parsons: Sure. Volt Typhoon is, as you said, a group out of China that we publicly outed in May of this year where we talked about their attacks in Guam and then several locations in the United States. The big thing here compared to most other Chinese actors is we see them basically targeting critical infrastructure. So sometimes you may see China in power, but in this case, we're seeing power, water, other utility-related items that have no espionage value. So it's a group that's showing some interest there, which for some of us gives us some pause and make us go, why are they doing this? What is their purpose?

Sherrod DeGrippo: And when you say no espionage value, what does that kind of indicate?

Mark Parsons: For us, it kind of indicates it's possibly prepping battle space. And I kind of want to go into our talk in a little bit and I can let Judy talk about it more. Why would they compromise or go target utilities when there is no espionage value to them unless they were wanting to prepare for something further down the road that would allow them to cause chaos or disrupt different things inside Guam, the United States?

Sherrod DeGrippo: Judy, what do you want to add to that?

Judy Ng: Just adding to what Mark said, you know, even Morgan mentioned it when they were talking at CYBERWARCON. There's no intelligence value. So why would they go after so many utility organizations and whatnot? This is likely to, you know, get a good idea of the lay of the land and what they can do for future disruptions and whatnot. And you know, one of the things that Mark and I highlighted in our talk is that, you know, we have not seen computer network attack from Volt Typhoon, right? This is all in, this is traditional computer network exploitation, them getting into the environment and likely doing more research so they can stay on these networks, right? And this is the period where we can say something and do something about it, right? So we see them there. We can work with different partners as we highlighted in our talk to be able to do something about it so we can have an effect on this.

Sherrod DeGrippo: So what are the things we should be doing?

Mark Parsons: First, a lot of it's basic security hygiene. One thing with Volt is they're typically compromising things on your edge. So your VPN appliances, maybe your load balancers, or some even endpoint management software that you may have that's accessible to the broader internet, somehow they gain access to those. And then from there, a lot of those devices tend to have higher level accounts or privileged accounts that then allow them to basically go almost directly to domain admin. Several times we see them dumping NTDS, and then from there, depending on the victim, sometimes they poke around the network more. Other times they come back four to six weeks later, dump AD again, and they keep repeating that. So the thing here is a lot of it is just like the basics of security hygiene, logging your infrastructure, looking for suspicious logins, looking for dumps of your AD, all these things that are very mundane. But if you were doing those basics, you would increase your chances of catching an actor like Volt.

Sherrod DeGrippo: Got it. Judy, you actually taught me quite a lot a bit about the edge device situation. What's unique there? It sounds like China loves an edge device. What is the deal with that?

Judy Ng: I mean, I think with all the naming and shaming the industry, and even various government entities have done against Chinese APTs, they've really taken to heart, right, how to be sneaky. Right? We forced them to be sneaky and think of different ways to get on the network, right? So we see them -- you know, this is the effect of the community doing such a good job of highlighting their operations that they've actually gone back to the drawing board to figure out what can they use as part of their toolkit to get on without being so alerting, right?

Sherrod DeGrippo: And so this is an actor that you're not seeing do things like malware, zero days, they're primarily focused, is that correct, on getting into those network devices on the edge?

Mark Parsons: So we have seen them use zero days. They did use a zero day in 2021, but it was on edge devices.

Sherrod DeGrippo: Okay.

Mark Parsons: So that's where they used it. The only times we have seen malware from them was in Guam. Everywhere else has been living off the land type attacks, where they're using WMI or WMI related tool sets like Impacket to do a lot of their mining of the network. So outside of Guam, again, it's all been all living off the land coming in from compromised edge devices with legit creds.

Sherrod DeGrippo: I'm going to ask a question that you probably hear a lot, which is, can you explain living off the land to me? There's a lot of people that don't know what that is. So let's talk a little bit about that because it's more and more common. OctoTempest uses it as well.

Mark Parsons: Sure.

Sherrod DeGrippo: They love just stuff that's there.

Mark Parsons: Yeah. I think it's becoming more and more a common technique that we're seeing lots of adversaries use and it's been around for ages. But the idea there is instead of bringing in your own toolkits, bringing your own malware, you use the utilities that are provided by the operating system, possibly in ways that they weren't initially intended, but other times in ways they're intended to be used. And then you do that and it all typically will look like legitimate activities unless you know to look for those unique usages of it. So instead of bringing in things that are easily signaturable or can easily pass around an IOC or indicator of compromise, you have to do more behavioral analysis and look for how things are actually being done across your environment, which can be sometimes a little tougher depending on how you're instrumented.

Sherrod DeGrippo: Okay. So it sounds like living off the land is a good way to kind of hide it within the existing infrastructure and the existing kind of binaries that are already there for them to leverage for their attack, but also kind of hide the tracks a little bit.

Mark Parsons: Yep. And I think that's why we're seeing multiple groups pick up on this more and more.

Sherrod DeGrippo: Got it. Judy, anything else we need to know about Volt Typhoon before we move on?

Judy Ng: Mark and I are very much open to working with people on it. So threat intelligence is a community, right? We share across different organizations. So if you have something to share, we're all ears. Also, it's important to highlight that living off the land and exploiting edge devices isn't just a unique China TTP, right? We've seen other threat groups use it. Like you mentioned, Russian APTs also use this tactic as well. And I'll let Ned speak to how Iranian threat groups use it.

Sherrod DeGrippo: That's a great segue. Thanks, Judy. So Ned, you worked on an update about Iranian-based threat actors. I know that we had Lauren, Emil, and Simeon with you on stage, and we also have a separate Peach Sandstorm episode of the podcast from a couple of weeks ago that people can dive really deep into that threat actor. So Ned, what kind of stuff were you talking about on stage at CYBERWARCON?

Ned Moran: Yeah, so the discussion at CYBERWARCON centered around what we had seen from Iran vis-a-vis the Israeli-Hamas war, how we saw Iran attempting to take advantage of the situation, our assessments as to whether they had pre-coordinated with Hamas in advance. So the goal was to get in front of the audience, present our findings, and seek agreement across the board. Were other people seeing the same thing? Was anyone seeing anything different, sort of to garner consensus? And I think we generally achieved that. Our assessment was that, at least vis-a-vis cyber, there was not pre-coordination. Iran hadn't been seeding the battlefield for Hamas in advance of October 7th. In fact, what we saw was what appeared to be Iran reacting, scrambling around, and trying to figure out ways to take advantage of the situation on the ground. The attacks that we documented, again, were very reactive. They were very opportunistic. And in many cases, they were inflated and exaggerated, which is a typical Iranian tactic, which is they launch an attack, and then they, in parallel, launch an IO campaign that seeks to maximize the impact of the attack and perhaps claim things that aren't necessarily true. So they are seeking to maximize, exaggerate, and amplify. So yeah, that was the core of our presentation.

Sherrod DeGrippo: And when you say IO, what does that mean for the audience?

Ned Moran: Information operations. So that would be creating a sock puppet account on Twitter or a Telegram channel under a new persona. In one particular case that we dealt with, the Soldiers of Solomon account was a persona adopted by the Iranians. And through this persona on Telegram, they were making claims about attacking Israeli military infrastructure, about attacking critical infrastructure. So they were somewhat boasting about their successes, what their capabilities were. And we set about to prove or disprove many of these claims with our data. And what we found was that while the Soldiers of Solomon group was able to carry out a ransomware attack, their claims of precision, their claims of impact were overstated. So we were able to show that with data that, yeah, okay, they did have this capability to deploy ransomware, but their ability to precisely target it, their ability to cause impact and disruption was limited. So again, classic Iranian tactic to exaggerate and amplify what they had done.

Sherrod DeGrippo: So they were kind of puffing themselves up to have done a little bit more and have a little more capability than they really do.

Ned Moran: Yeah, exactly.

Sherrod DeGrippo: That's really interesting. I mean, I feel like it's a little obvious, but I want to understand from you, what is the benefit to them doing that? Why would they want to take credit for things that they can't really do?

Ned Moran: Well, I think it probably achieves multiple objectives. So I'll first start by saying, I don't really know because I'm not there with them. So I'm not planning it.

Sherrod DeGrippo: You need to know the truth in their hearts.

Ned Moran: Right. So this is going to be a little bit of an exercise in mirror imaging. This is why I would do something like this, which may or may not be the case for them. But I think a lot of the advantages you can draw out from this is to cause chaos and confusion within your target audience, your adversary target audience. It's going to take your adversary a bit of time to actually determine, like, did they actually do this? Oh, my God. You know, and we've all been called into incident response engagements in the past. And we know those like first 24, 48, 72 hours are very chaotic. You're trying to figure out what actually happened here. What did the adversary do? And if you have the adversary on Telegram telling you what they did, that's going to potentially lead you in a lot of directions that may or may not be the best way to spend your time. You know, it is probably better for you as an IR, someone responding to the incident, to follow the evidence rather than listening to the adversary and have you chasing around looking at all these various leads that may or may not be the right path for you to follow. So it creates confusion. It creates panic. It sows chaos. So that is perhaps one reason they do it. Another reason they may do it is to message internally. So, you know, it's very easy to think about, hey, they're doing this to cause chaos within their target audience, the adversary. But they also may be trying to speak back to their bosses back in Tehran. Hey, look how good we are. Look at all these things we did online. Are their bosses actually checking? Did they precisely target this military base in southern Israel? Oh, well, they said they did it on Telegram. Sounds good to me, guys. Here's more budget. They can achieve a lot of different effects with an IO operation that is exaggerating and amplifying what their actual impact was.

Sherrod DeGrippo: So there's the potential that this is not just for external audiences, but internal employee performance reviews for potential raise and bonus opportunities within.

Ned Moran: Absolutely, yeah.

Sherrod DeGrippo: That's interesting. I never considered that before.

Ned Moran: I mean, we all have Twitter accounts for a reason, right?

Sherrod DeGrippo: To tell everyone how great we are.

Ned Moran: Yeah, we're all building our brand. So I don't know this to be true, but I'm just imagining that, hey, you can kill two birds with one stone. You can sow chaos as well as pat yourself on the back.

Sherrod DeGrippo: Sure. That makes sense. And I think, you know, I, for many years, was heavily documenting Anonymous, especially in, you know, 2005 through probably 2010. And, you know, the side of it that was very credit-taking and internal brand-building within the group was really, really important, both with public social type posting, but also internal and the internal IRC channels saying, hey, I did that, I did that, and kind of building that name for yourself. So I also think that with a kind of moniker like Soldiers of Solomon, it's very -- you know, it has a kind of Lord of the Rings-ish mythical naming convention there, which I find really interesting. It's not as good as the Sandstorm Typhoon landscape naming convention, but it's okay. Okay, anything else that we should know there about that landscape or kind of what's going on in the Sandstorm world?

Ned Moran: And, you know, we're keeping our eye on it and we'll provide updates as we see anything new and interesting.

Sherrod DeGrippo: Watching and learning.

Ned Moran: That's right.

Sherrod DeGrippo: Watching and learning.

Ned Moran: That's right.

Sherrod DeGrippo: Okay, so I watched a lot of sessions. Obviously, I watched your fantastic sessions. We had eight. We're going to count LinkedIn because they're part of the family here. We had eight presenters on stage from Microsoft, and I thought the sessions were really fantastic. They were all really good. I think that I liked your two kind of the best, but I also, of course, loved Glyer's. Did you guys get to check out Christopher Glyer's rom-com presentation? I really enjoyed that, especially his sort of building a mystery style of not really knowing is this an APT actor, is this a crime actor, are these military guys doing crime on the side? Did you guys check that one out? Any comments on that one?

Mark Parsons: Yeah, I did. Christopher always does a great job when he presents, and to distill all the information he did in a lightning talk was fantastic.

Sherrod DeGrippo: I talked to him and was like, dude, you only have 10 minutes for this. I've got an hour-long podcast you can get on. Come on. So I'm hoping to have him on to do the full thing because he has hours' worth of material to talk about with that actor. It's pretty fascinating.

Judy Ng: Yeah, and I think it's great in Chris's talk how he kind of framed like, do we see the intersection of a cyber criminal doing nation state activity or vice versa? You know what I mean? That's always been a really big question out there, right? Are they dual-hatted? When do they cross the line and things like that? So I thought Glyer did a really good job laying some of that out, and I would definitely listen to his hour podcast on it.

Sherrod DeGrippo: Yeah, I'm excited to ask him more about that. The other thing I loved about it was he used all AI-generated graphics for that presentation, which I thought was incredible. So I have also been using some AI lately in my work. There is a new GPT out there that you can get if you have the full version of ChatGPT. It's called NED-APT. Are you guys familiar with this? Ned looks confused, so Ned is not familiar. Mark, have you used this?

Mark Parsons: I have heard of it. I have not used it myself, but I am aware of it, yes.

Sherrod DeGrippo: Judy, have you used it?

Judy Ng: I have not used it yet either, but I have it bookmarked.

Ned Moran: Why am I only hearing about this now?

Sherrod DeGrippo: Okay, it was posted a couple places. NED-APT has APT expertise. I asked it earlier what it does. NED-APT has APT expertise, different countries and threat actor groups. He has humor with a twist. I've got a caustic sense of humor and a knack for mild insults, so it makes the discussion more engaging, less dry. Occasionally, he goes into rants against the digital nemesis, Billy, who represents common cybersecurity concepts. While I can be sarcastic and humorous, I'm also equipped to interact with users in a helpful, informative way, making complex cybersecurity topics more accessible. Ned, you didn't know that there's an APT, ChatGPT --

Ned Moran: No, seriously, I had no idea. I am certain I know who made this after this brief conversation.

Sherrod DeGrippo: Oh, I know who made it too.

Ned Moran: But I had no idea this was being done.

Sherrod DeGrippo: I really enjoy it because it is very serious. It reminds you that it keeps your data private, that it only uses certain sources, and it can help you with questions about stuff. So yeah, the NED-APT plugin in ChatGPT is available for anyone that has the paid version. You could go check it out. I don't know how it's being maintained right now or what the training data is, so it might be a little wild. But NED-APT. So, Ned, I want to ask it something. What should we ask it?

Ned Moran: Are you going to ask the bot or are you going to ask me?

Sherrod DeGrippo: I'm going to ask the bot, and then I'm going to ask you, and we'll compare the responses. What should we ask it?

Ned Moran: Do you have any questions, Mark and Judy?

Judy Ng: Why does everyone call North Korean threat activity Lazarus?

Sherrod DeGrippo: Why is all DPRK called Lazarus?

Judy Ng: I was just throwing that out there. If you guys have a better one, please.

Sherrod DeGrippo: No, let's try it. Let's try it. All right. NED-APT is thinking.

Ned Moran: Should I give my answer?

Sherrod DeGrippo: Let's have Judy explain the question first. Judy, why does everyone call North Korean activity Lazarus?

Judy Ng: I can't give away notes to Ned. I want to hear what Ned says.

Sherrod DeGrippo: Okay. Okay. So the reason we're asking that question, Ned, why are we even asking that?

Ned Moran: Well, because there is a trend within industry for people to build off research that other people have released without vetting and validating against their own internal data sources or their own analysis, and just sort of taking other people's findings at face value and as ground truth. So what you have happen over time is one company releases a report which they call Lazarus. Another company builds off that, marries their own telemetry onto it, and calls this more Lazarus. And since every company is a little different, has different telemetry sources, different methodologies and protocols, what you ultimately have is this hodgepodge of a set actor group built together over time that does not represent who the actor really is. It's totally okay that every company has different data sources, has different methodologies. We can all learn from one another, but we should just not blindly trust everyone's findings and build our own findings on top. Because the further we go along that, the further away we get from truth.

Sherrod DeGrippo: That was a really good explanation. And I have to talk with the developer of NED-APT chatbot, because I feel like you, the real human -- your job is safe, Ned, because the NED-APT chatbot, it did immediately correct me and said the name Lazarus is not used to refer to all DPRK cyber activities. It refers to a prominent APT group associated with North Korea known as Lazarus, high profile attacks. A little light on the details, not as deeply detailed as you, but it did say there are other groups and activities that may be associated with North Korea that are distinct from Lazarus. This answer is not great. I think your answer was a lot better. I think the only thing that I'm questioning now is this, which is, what is the Microsoft name of Lazarus? I don't know. It's a sleet. It's definitely a sleet.

Ned Moran: It is more than likely multiple sleets.

Sherrod DeGrippo: Okay.

Ned Moran: Because, you know, as we talked about, Lazarus has, I think, over time become a hodgepodge of things. So I'm going to look right now to see if I can find how many different sleets we track that match Lazarus. Mark and Judy might -- yeah

Sherrod DeGrippo: So we've got Kimsuky, we've got Andariel, Silent Chollima, and we've got, let me tell you, I live my life in this spreadsheet. It is real crazy how often I am checking this thing. That's the more famous ones that I can see on here.

Judy Ng: We'll have to add a new segment where we can phone in a SME on the podcast asking these questions.

Sherrod DeGrippo: Call someone who knows every name. I've gotten really good at the naming, but I also always, always check the spreadsheet. And in fact, this is a good time for me to remind our listeners that Microsoft threat actor naming complaints are available to be answered on the Microsoft blog. You can download a spreadsheet that is a really great Rosetta Stone, as well as get it in JSON format so that you can plug that right into all of your intel feeds and everything so that you can see the Microsoft name as well as the other names within the industry, which I know is a massive controversy that everyone fights about constantly. So Ned, any plans to maybe work with the developer of NED-APT and improve some of these answers?

Ned Moran: Yeah. Maybe get some licensing revenue for myself.

Sherrod DeGrippo: Yes.

Ned Moran: I think, you know, like those college athletes getting names and likeness, I think my brand is being used here.

Sherrod DeGrippo: I agree.

Ned Moran: Yes. The answer is yes, Sherrod. I'm going to work with the developer now that I know who it is.

Sherrod DeGrippo: I saw you furiously typing. I have a feeling some messages were being sent in some private chat groups.

Ned Moran: Yeah.

Sherrod DeGrippo: Yeah. I love this thing. I think it's super cool. Maybe we can get some people together to keep building it out a little bit. So now we know quite a bit about NED-APT chatbot. What I kind of want to ask the rest of the group about and talk about is like more philosophically, why do you chase APT? Like what makes you interested in the group that you look after, that you are following, that you're working on? And like, why did you choose that as your day-in, day-out life? Because I know you guys are not working nine-to-fives. I know you're sleeping it, eating it, breathing it all the time. So Judy, can I start with you? Why do you do APT work and sort of like, why do you follow the actors you follow?

Judy Ng: I think I really enjoy the chase, right? They're always doing innovative things and it's always, you know, for Chinese APT, some of it is tied to current geopolitics. So it's just fascinating to see how quickly they move against something and how quickly they might turn around their, you know, intelligence requirements in us to see them targeting XYZ. So I think it's always, I wouldn't say enjoyable or lots of fun, but it's very rewarding to be able to put all the pieces together and follow them.

Sherrod DeGrippo: And Judy, have you done any other countries other than China?

Judy Ng: I did a short stint in North Korea, following North Korean actors and Iranian actors, but I always went back to China-based APTs.

Sherrod DeGrippo: Okay. You like that the best?

Judy Ng: I feel very comfortable tracking them. It's just, you know, it's like I've grown up with them in this industry. So, you know, it's checking up on, you know, my homies almost.

Sherrod DeGrippo: Okay. Got it. Mark, how about you?

Mark Parsons: For me, it was, I kind of fell into it the first time I had a large incident response at a job almost 14 years ago. It happened to be a Chinese APT and that kind of got that itch growing, if you will. And I kept scratching it and I've continued to follow China since then. And similar to Judy, I know I haven't gone into other countries too much, but I kind of like the hunt on China. I like to see how they have morphed over the years. They have definitely gotten better and it requires us to get better as well to track them. And I think being able to see where they started from and see where they are now has been a fun effort.

Sherrod DeGrippo: Mark, if you couldn't do China, where would you go? What would you do?

Mark Parsons: Part of me would say Korea right now, because they're doing some amazing supply chain attacks. So being able to see, be involved in that and see how they change and how they grow would be interesting to me.

Sherrod DeGrippo: I saw in the Microsoft Digital Defense Report, Jade Sleet, they're attributing Jade Sleet with over a billion dollars of cryptocurrency theft. And my little crime heart, my little crimey heart, just gets real excited when I hear about the dollar totals, the cryptocurrency dollar totals that they've been able to pull into that regime. It's fascinating. Ned, why do you do Iran?

Ned Moran: I've done a lot of different regions and a lot of different countries over the years. This is an audio-only podcast, so people can't see the gray in my beard.

Sherrod DeGrippo: It looks great. Very distinguished.

Ned Moran: Which tells everybody I've been around for a while. So over time, I've done a little bit of Russia, I've done a little bit of China, I've done a lot of Iran. I like Iran, mostly because, and this is probably not a great reason, is no one else was really looking at it for a while. So people would just leave me alone. And going back to the gray in my beard, you know, I'm the old man yelling, get off my lawn. So I just kind of like to be left alone. But yeah, to your larger question of why APT, I was a political science major in college. I was not a computer science major. In fact, I'm pretty horrible at math and all things programming. So I've always looked at this problem more from a political science perspective. And I got into the field so early that no one really noticed that I couldn't code or was not a computer science major. So I was lucky in that regard. So the mental models that I always had revolved around nation-state activity. And I've just never been able to wrap my mind around the interconnections of the cybercrime ecosystem. It's been very challenging for me. I've done a number of IRs where I've been helping out on ransomware engagements and my mind just quickly -- I lose the thread very fast. So I'm very thankful that we have folks like Christopher Glyer and the rest of our world wars team that can keep all those relationships organized.

Sherrod DeGrippo: Yeah. You know, it's interesting hearing you say what is challenging about cybercrime. And it is definitely what I find the most exciting about it is that it's crazy, confusing and hard to follow. And you're going to get lost and somebody's going to do something really wild and bonkers. It's very chaos reigns, which is my favorite thing.

Ned Moran: You don't sort of have the guardrails that are put in place when you're dealing with a nation-state adversary. Like our adversaries just can't one day decide, you know what, there's a better affiliate program over here. So I'm just going to move shop and move over here and go start supporting this organization. Like there are natural guardrails that the state imposes that makes it a little bit easier for us to track them and keep those mental models in place.

Sherrod DeGrippo: I think to kind of think about what you're talking about with like goals and guardrails and objectives on the crime side, sometimes the objective is Lambo. Sometimes quite literally they're like, when Lambo, going to get Lambo, going to do this campaign until I have cash for Lambo with a cool holographic lime green Lambo wrap and then take a vacation. So that kind of mystery is sort of fun for me to unravel too, I think. Ned, if you didn't do Iran, would you do a different country? Would you come to cybercrime? What would you do?

Ned Moran: That's a great question. Like I said, I've touched every country at one point or another. China is sort of like my first girlfriend when it comes to cyber.

Sherrod DeGrippo: I heard she lives in Canada.

Ned Moran: Right. So she'll always have a special place in my heart. I don't know. I think I might actually try to crack the cybercrime a little bit and maybe spend a little bit more time there.

Sherrod DeGrippo: Yes! I try to convert at least one person every episode.

Ned Moran: Well, I sort of by default have to do it. One of my roles within MSTIC is to support our incident response teams, and a vast majority of our incidents, probably upwards of 75 to 90% of them, involve ransomware. So day to day, I'm dealing with that a lot. So I find myself having to figure it out anyway. So from that perspective, it makes sense to want to learn a little bit more.

Sherrod DeGrippo: That's cool. I didn't know you were doing that. It's hard to keep track of what little projects everyone has their fingers in. For people listening, Microsoft Threat Intelligence, people have their primary focus. And then everyone's doing some other, oh, I do this on the side. I do that on the side. I'm doing disinfo. I'm doing ransomware. I'm doing tracking gift card scams and all this stuff. And it's pretty interesting how people pick other little secondary projects. All right. I think we're at time to wrap up. I really appreciate all of you joining us. Any final thoughts, Mark, Judy, Ned? Anything else we want to share with the audience before we go?

Mark Parsons: This has been great. Thanks for having us.

Sherrod DeGrippo: Thanks for joining, Mark. Judy?

Judy Ng: Nope. Thank you for having us. Thank you.

Sherrod DeGrippo: I hope you guys come back because we have so much more cool stuff to talk about. Ned, any final thoughts? Jerry Springer style?

Ned Moran: I'm going to go spend time on my bot and see if I can train him a little better.

Sherrod DeGrippo: Yeah, I would love for you to do that. Hit me up on chat and we'll get with the developer if we need to.

Ned Moran: Oh, I'm talking to him. I'm talking to him.

Sherrod DeGrippo: I can't believe that Mark and Judy and me all knew about this and you didn't.

Ned Moran: I had no clue. Yeah, but I'm talking to him right now. Yes.

Sherrod DeGrippo: Okay. Well, one of the things I want to do is I want to change the little icon so it's more representative of you. It doesn't really look -- it's just very generic. It needs to have --

Judy Ng: That's the Ned head.

Sherrod DeGrippo: Is that the Ned head?

Judy Ng: That's the Ned head, yeah.

Sherrod DeGrippo: Oh, okay.

Judy Ng: That's the old school Ned head, too.

Sherrod DeGrippo: Okay. It's got glasses on, though. Do you wear glasses? You don't wear glasses, do you?

Ned Moran: I'm supposed to.

Sherrod DeGrippo: Oh, you have them. You're just not wearing them.

Ned Moran: They're next to me. I rarely wear them except when I'm driving. But yeah, they are always near me.

Sherrod DeGrippo: Yes, officer. I'm wearing them when I'm driving.

Ned Moran: Yep.

Sherrod DeGrippo: Thank you guys for coming on the podcast. I really appreciate it. Thanks, everyone, for listening. And I hope I get to talk to you guys again soon.

Ned Moran: Yeah. Sounds great. Take care. Thank you.

Sherrod DeGrippo: Thank you. Thanks for listening to the Microsoft Threat Intelligence Podcast. We'd love to hear from you. Email us with your ideas at Every episode, we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out, for more. And subscribe on your favorite podcast app.