Podcasts
The Microsoft Threat Intelligence Podcast
Ep 9
The Microsoft Threat Intelligence Podcast 1.10.24
Ep 9 | 1.10.24

Microsoft Ignite Special Edition

Show Notes
Transcript

Sherrod DeGrippo: Welcome to "The Microsoft Threat Intelligence Podcast." I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage? Cyber crime? Social engineering? Fraud? Well, each week dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird. But don't worry, I'm your guide through the back alleys of the threat landscape. Hello and welcome to "The Microsoft Threat Intelligence Podcast." I'm joined with fantastic guests today. Jeremy Dallman, Principal Security Research Director; Steve Ginty, Principal Security Research Manager; and Kimberly Ortiz, Senior Security Researcher, who all work on Microsoft Defender Threat Intelligence, which is where you get all of that sweet, sweet, sweet Microsoft Threat Intelligence straight into your grubby little hands. So Jeremy, can you kind of introduce yourself a little bit, tell us what you do day-to-day? And we'll learn from all of you.

Jeremy Dallman: Sure. Happy to be here. This is exciting. Looking forward to it. So, my name is Jeremy Dallman, I'm a director here in the threat intelligence team of Microsoft. The team that I believe does a great job bringing context to the research that Microsoft does and the hunting Microsoft does around threat intelligence and getting that to our customers. The idea is as customers confront prevalent threats in their environment, they want to know who it is, what it's about, what techniques are being used, and what they should do about it or how they should hunt over it themselves. So the team that we're apart of, customer ready intelligence inside of Microsoft, does just that. We bring the context to the customer so that they can investigate and understand the threats that they're facing every day. I've been at Microsoft for about 20 years. Been around for a while. So I have a little bit of those history stories to bring along as well.

Sherrod DeGrippo: Wow, that's a long time, Jeremy. You doing okay? Alright, Kimberly, give us kind of an idea of what you're working on and what your day-to-day is like.

Kimberly Ortiz: So I work for Steve and Jeremy. My specific role on the team is to kind of track our internal incidence response efforts. And then out of that, when there is intelligence that we feel needs to be shared with our customers, I make sure that gets published in places like MDTI or sometimes we might put a blog out there for customers. Most of that intel kind of revolves around vulnerabilities, threat actors, if we actually see threat actors on our network. Oftentimes we can gain insight into the different TTPs in use. That's my job.

Sherrod DeGrippo: Awesome. Steve, what about you?

Steve Ginty: So, I'm a manager under Jeremy and my focus is really to look at how we can better deliver the intelligence into our customer's hands. So working across a bunch of Microsoft's teams to ensure that we have the right tooling, the right collection in place, and the right capabilities to effectively scale and deliver our intelligence. As this is, you know, a newer motion for some of us. And as they're pushing some of this intelligence into MDTI, we have to kind of work on technology improvements to more effectively get that into the system and in front of our customers.

Sherrod DeGrippo: So let me ask you about that then a little bit. Intel moves quick and it needs to get into the right person's hands from a security role quickly. So Kimberly and Steve, can you kind of tell us like what are the challenges with that, first of all, and how do you overcome those challenges of trying to get intel to the right place, to the right people, at the right time?

Steve Ginty: Do you want me to start, Kimberly, or do you want to rock, paper, scissors for this?

Kimberly Ortiz: I would love to say that it's a well oiled machine because we've been doing this for a while. It kind of is, but like any team, our processes are constantly evolving. We're always looking for how do we get things out the door quicker? How do we, you know, make sure things are accurate? It's definitely always improving.

Sherrod DeGrippo: Steve, want to give us some insight into that?

Steve Ginty: Yeah. You know, it's an evolving process, right? And so Microsoft has been a trusted organization in the threat intel space for a while. But a lot of that sharing took place in trust communities and other places and our delivery mechanism, you know, was to publicly blog and tell people about the information once we had a grasp on what the situation was. And we're changing that with this team, right? We're looking to find methods and ways to get intelligence into our customers' hands at a faster pace. And that can be messy, right? You have to kind of look at new systems to do that delivery. And if we want to be effective, how do we do more machine to machine delivery of, you know, say IMCs while we're trying to figure out what the full story is for getting threat actor or a campaign. And so, you know, a lot of the focus that this team has gone through is how do we push people a little bit faster? What's that comfort zone? And maybe how do we make everybody just a little bit uncomfortable so that we can deliver intelligence quicker? And so I think, you know, that's what Kimberly does on the response side. Jeremy's been key in getting kind of a bunch of partner research teams to work with us to deliver that intelligence faster. So it's been a -- it's actually been impressive to watch a big organization shift the way we have over the last 12 months.

Sherrod DeGrippo: It's interesting. Jeremy, give us some of your insight on that.

Jeremy Dallman: It's really interesting. Steve said it's been a great year, certainly our team has taken on this charter. But really what it comes down to is understanding where customers want to access threat intelligence. And where they're going to need that to be most effective. And then really our team, I think Kimberly touched a little bit on this as well, is like how do we get this out in a timely manner and then make it accurate, relevant, and actionable for the customer? In as clear of a way as possible. And I think really what that's developed into is this notion of creating a central point of threat intelligence for Microsoft. Steve mentioned this, we've blogged a lot over the last few years around threat actors and techniques. But actually being able to build out a full encyclopedia or reference library of all the threat knowledge inside Microsoft is kind of what we're steering toward. A lot of that is surfacing in Microsoft Defender Threat Intelligence, which is becoming kind of a dashboard for all things threat intelligence. And then tying that back into our products. So it's accurate and actionable to our customers when they see the alert or when they're dealing with that threat is kind of becoming our next charter. So that's kind of where we're trying to steer this is to make it accurate, relevant, and actionable for customers.

Sherrod DeGrippo: Well talking about that single place, what kinds of signals are going into MDTI? Where does it come from? So essentially, like what are the source materials for Microsoft Threat Intelligence?

Steve Ginty: So I like to think about this in two different ways, right? We have kind of the intelligence reporting that is going into MDTI. And that comes from a broad swath of research teams. So our team works very closely with other security research teams inside the organization to, you know, to extract and contextualize incidents, events, investigations that those different researchers are conducting to up level it to a customer. And so that could be in the form of an actor profile about a given actor. And it can be something we call an activity profile. More of a campaign report. Something that is dynamically happening right now that we think customers should be aware of. Whether that's, you know, some activity around Peach Sandstorm password spray or it's around, you know, some of the adversary in middle type phishing campaigns we're seeing. We're trying to get that information to the customer quickly in the form of, you know, a short form write up. What do we know, what are IOCs associated with that campaign, what recommendations can we give you as Microsoft to better defend yourself? And that comes from, you know, a whole broad swath of research organizations. MDTI also has a broadscale set of collection, which we refer to as the workbench. These are things like passive DNS, who has information, SSL certificate information, a whole bunch of raw collection that's indexed. And that puts that indexed information in the hands of an analyst so that they can kind of take the investigation further. Right? They can, you know, they can use our research as a jumping off point. They can come in and use incidents and alert information as a starting point to contextualize and understand what they're responding to. And so both of those things kind of are different components of the platform that I think are very valuable in different ways.

Sherrod DeGrippo: One of the things that I really like being a Microsoft employee is that I have access to the internal request form. So I can just find a thing that I find interesting out on the landscape, either within one of our internal systems or another group, another intelligence organization, or a private sharing group that's talking about something. I go into that form and I just make requests from Microsoft Threat Intelligence like hey, can you guys pull all the data on this? Can you put together profiles on this? And it's been super helpful to be able to tap into that and have a group that can go -- and that gets published, you know, into those systems as well. But for me, personally, it means that I can have something nice and finished that I can do the rest of my work off of which is really great to have. Data and information, that is processed into things like Microsoft Threat Intelligence when we see threat actors in that data. Microsoft Threat Intelligence, Security Copilot, how do those two things interact? What do they do together?

Jeremy Dallman: Yeah, that's a good question, Sherrod. I think the obvious benefits of Security Copilot as Steve described and as Kimberly as talked about, we can be able to -- SOC analysts can jump in and use Copilot to hunt and pivot and ask better questions, drive better investigations. But the benefit of getting Security Copilot and MDTI in the same offering, MDTI is the brains of threat intelligence for Copilot. It's sitting there and it's scaled off of that dataset. But that same dataset, defender threat intelligence product, you're able to go in and actually access that encyclopedia. Go to that library, pull the books off the shelf, and read about the actors, read about the vulnerabilities, read about the latest news and information straight from the defender threat intelligence platform as well. So I think that's an important piece to point out, that you not only have that resource in Copilot but you can actually go in and read it physically, understand the context of the threats there, and as Steve described, dive into all those workbench tools and capabilities and pivot into the IOCs. And dive into the DNS records and the Whois records. And really augment your hunt within that defender threat intelligence platform.

Sherrod DeGrippo: That's so cool. So essentially, all of the trillions of signals and all the stuff coming into Microsoft, it goes a lot of places, including MDTI. It goes into Security Copilot. It goes back into products to help protect customers. So we're really leveraging the threat intelligence that we produce across Microsoft to tower to make things more secure wherever we can.

Jeremy Dallman: That's right. That's what our team is doing. We take all the hunt across all the different silos and investigation and hunting teams at Microsoft and we look across all of it, figure out what's customer ready, and we surface it to MDTI so the customers can have it to understand their threats better.

Sherrod DeGrippo: And then once it's in MDTI, Security Copilot can get to it, too. So you could ask Security Copilot if you don't feel like searching.

Jeremy Dallman: Bingo. Hey, Kimberly, I think it might be interesting as kind of another example of ways we collect information and get it out to customers, here over the summer, we had Storm-0558, which was a major investigation inside of Microsoft that you were a part of. Talk a little bit about how we get that internal incident response pieces out to customers as well. Because you played a very instrumental part in getting that blog post out. It might be interesting to some people to hear how that unfolded.

Kimberly Ortiz: Yeah, so as you can imagine, the incident response process is composed of, you know, a large number of groups brought together from throughout Microsoft, so we have engineering, we have the various SOC teams, we have the Customer Ready Intelligence Team, which is what we're a part of. Kind of all coming together to understand the threat, conduct the investigation, figure out the different components that we need to share with customers so that they can take steps needed to either protect themselves from the same threat or maybe go out and do some threat hunting or whatnot. In this specific instance, we were able to identify the particular threat actor as somebody we were familiar with. So we were able to come together and kind of based on our internal observations of the TTPs that they employed, add those to the specific actor profile, which we then publish and share with our customers within MDTI. And we also see those published in the defender console as well as threat analytics. So if there are specific measures that we think that people should take that would specifically defend themselves against the threat, then we can kind of surface those particular assets and point them to the threat analytic write-up, which tells them why they should then be tackling those vulnerabilities and whatnot.

Sherrod DeGrippo: And so where do you get a lot of your vulnerability information from, Kimberly? Like how are you pulling that and then once you have got vulnerability information in front of you, how do you prioritize what to work on?

Kimberly Ortiz: So typically for incident response, we have an internal team that goes looking for zero day vulnerabilities in Microsoft products. So that will be one place we find them. But then also, we have a bug bounty program. So anybody, you know, external to Microsoft can come into MSRC and report a finding that they have. And once that's done, engineering goes to work in order to, you know, verify that it is indeed a vulnerability and then figure out what needs to happen to put the patch out. And then beyond that, the rest of the investigation is going to center around understanding whether or not there are any throughout actors that we can see that have an exploit that's targeting the particular vulnerability. And then understand how widespread that may be. So, we would use those factors when determining how quickly we need to get that patch pushed out. So widespread targeting of something, especially by a group maybe that is known to deploy ransomware, is definitely going to receive higher priority when it comes to pushing the patch out and us creating, you know, the write-up to advise customers as to what's going on.

Sherrod DeGrippo: Got it. Vulnerability research is something that I feel like we don't necessarily talk as much about in threat intelligence until it's in the wild. That has really, when it goes from sort of theoretical and found to actively in use in the wild, that's when intel teams typically start thinking about it. So I'm glad that we're doing things so much more ahead of the curve before we start seeing it out there.

Steve Ginty: Actually, it's kind of timely, Sherrod, because we just released just last week at Ignite when Microsoft Defender Threat Intelligence pushed out a bunch of new features, one of those key features that our team is leading the way on is the new type of profile, I call vulnerability profiles, that are focused on CBE based intelligence. Getting customers that insight and context to a threat. So vulnerabilities, you're right, they haven't been very prevalent. But what we're seeing through Security Copilot and MDTI and many of our other products is customers care a lot about the vulnerabilities in the wild and the vulnerabilities that are impacting the systems deployed in their environment. So we're trying to give them that context right in MDTI so that they can treat it.

Sherrod DeGrippo: You're doing vulnerabilities, threat actor profiles, campaign type stuff, and then there's also a large contingent of your team that works on Osnet, right? Can you tell me a little bit about that?

Steve Ginty: Yeah. Happy to jump in there. One of the core things that we did with the PassiveTotal platform as a part of RiskIQ was help organizations understand, you know, what's the high fidelity threat intelligence that's out in the market today, right? You know, I have limited resources as an analyst to understand all the context for a specific OIC. So what if we use our crawling infrastructure to go out and interrogate these blogs that are being publicly published, extract the IOCs, extract a summary of that report, and dynamically link it inside of the platform and this carried into MDTI and we're expanding this capability of really bringing that open source view to our customer. Which is different and is going to be a little different than what Microsoft has, you know, a view of the world. But both are really important in my opinion to inform an organization. We understand our environment, we understand the threat actors we track as Microsoft, we try to consume as much open source intelligence as possible to drive our understanding of threat actors. We want to be able to empower our customers to be able to do that as well in MDTI. And so, you know, having a team that goes out and looks at reporting from industry peers, that looks at it and says okay, what else do we know outside of our collection? How does this relate to what we track as adversaries? How do we start to better create that overlap in understanding so that we can inform our customers about the latest threat is always really important. And so, you know, not only can you come into Microsoft Defender Threat Intelligence and see Microsoft's view of the world of actors and vulnerabilities and threats, which you can get that open source intelligence view as well extracted for you and enriched in some cases. Teams don't have a lot of time to go digging into all of the data that's associated with -- that we have access to. So we have analysts that go and do that for them. And put those into reporting as well so that it saves them time.

Sherrod DeGrippo: Got it. So, help me understand if I'm like working in a SOC. And I'm looking at alerts and I'm exhausted. What are some ways that threat intelligence overall, but specifically like what can MDTI really do for me if I want my life to be a little better?

Steve Ginty: I think it starts with, you know, our ability to provide reputation based information across all of our intelligence and open source intelligence. Right? If you are a SOC analyst and you want to start to better triage incidents and alerts, you know, one of the things that we do with Sentinel, you know, and other first party product capabilities is we use that intelligence and do entity extraction and enrichments so that we can help organizations prioritize the alerts they're looking in, right? We all know alert fatigue is a thing. And so how can we take our knowledge not only of discrete actors and campaigns, but also, you know, just question what infrastructure on the internet and use that reputation based information to help prioritize your incidents and alerts.

Sherrod DeGrippo: Got it. Kimberly, did you want to share something about that?

Kimberly Ortiz: I was just wondering if we could talk about Security Copilot. Because I am so excited for the capabilities that that is going to bring. And being built on top of our, you know, huge body of threat intelligence that we've been working on for the last, you know, 18 months or whatever it's been is going to be a game changer. Like I would have killed to have something like this when I was working in a SOC. Just ask the question, hey, I work in the finance sector and I would like to know what the top threats are that are targeting me. Boom, there it is. I didn't even have to go search MDTI and figure out hey, can I query this tag? It just told me the answer. Like what are the top vulnerabilities I should care about because this is where I work. Boom, there they are right there. How do I go see if I have any machines that need to be patched? Boom, right there. Like I'm super excited for this.

Sherrod DeGrippo: So, for people listening who might not be fully caught up on Security Copilot and what's coming there first, you'd need to go back to the Ignite on demand sessions and watch so many on demand sessions about Security Copilot and MDTI, there's a ton of them. But essentially Security Copilot will be that ride along for a SOC analyst or even a CISO who says, look, I need to know stuff and I need the barrier to entry to be a lot lower than it is. One of the examples that I really liked was hey, if I ask about a threat actor but I'm not super deeply technical, can you give me a three bullet summary of what this threat actor is and how it impacts my environment? Because I think we all know there's certain threat actor groups that don't really care about certain other sectors for now. Like there's certainly APT groups that aren't interested in finance, for example. That's more of a crime work kind of based thing. So I feel like Copilot can do some of that sorting for you and give you the information that you need to know from what I can tell. So, Steve, let me ask you, where does Microsoft Threat Intelligence, MDTI, all of that data that you were talking about, PassiveTotal data, Reputation, Whois, SSL, all of those things from Microsoft, internal threat intelligence, how does that interact with Copilot?

Steve Ginty: I agree with Kimberly's excitement. Right? Like you know, the ability to ask a natural question about intelligence and receive an answer is amazing. And it's going to be a really great capability. From a Security Copilot standpoint, MDTI is bundled with Security Copilot. So everybody who goes into Security Copilot has access to that, the corpus of threat intelligence. And that workbench information that I mentioned earlier. And so, right out of the gate we believe that threat intelligence is core to answering security functions. Next so it's a key component of Security Copilot. And so you can enable -- you have the plugin enabled, and it allows you to go directly and start asking and prompting Security Copilot with these questions. But as we're learning kind of about Security Copilot and how to ask the right questions, we're also deploying things that we call prompt books. You know, these are a set of different questions that you could go ask the model about a threat actor or a vulnerability. And we go and do that summarization for you. And so, you know, it makes it a little easier for a SOC analyst to go in and say "Tell me about Peach Sandstorm," or "Tell me about this vulnerability." What intelligence is just available for you? If you're not familiar with large language models and AI, sometimes the way you ask a question gets you better or worse results. And so we've tested a lot of ways to ask the model questions. And return the best results for our customers. And that's the idea behind these prompt books.

Sherrod DeGrippo: I love that. And I also learned something at Ignite as well. And that is -- I mean it makes sense, but I never really thought about all the implications. Security Copilot can write KQL queries for you. So, Jeremy, what could that possibly mean for somebody that's in a SOC if they've got a Copilot that can write queries for them? Not just KQL, lots of different kinds of queries.

Jeremy Dallman: Yeah, we'll use KQL as an example because I think it's a good one. I think there's some fantastic opportunities for up level SOCs here. Not only helps you get to an investigation faster. Because if you're looking to enact a profile where a vulnerability impact assessment that you got from one of these prompt books Steve talked about, an actor can go in, hit asterisk in the prompt of Copilot, and this whole catalogue of prompt books just opens up for them to tap into. And they can start asking Copilot about an actor or a vulnerability. But beyond just getting the information in kind of question and answer, like you said, Copilot, you can actually ask Copilot to build basically your hunting lodge, your query that you want to go throw in against your data to see if that vulnerability or that actor relevant are present in your environment. You don't have to take the time to build that, Copilot will do it for you. I think that not only gets you the time efficiencies, speed to investigation, speed to discovery, faster remediation, but the other benefit I think people are really going to learn here is you're able to bring new talent onboard faster in your SOC. So the security industry has a hiring challenge right now, there's not enough talent for us to bring in to meet the demand of our insecure world today. And helping SOCs be able to up level talent and get them to learn skills faster is really going to be helped by Copilot. Copilot being able to help craft a KQL query that you can go run. But then maybe a junior analyst can look at that query and help refine it and understand the logic behind it. It's going to help close some of that skill gap and be able to bring talent up faster with the power of Copilot.

Sherrod DeGrippo: That's something I learned and I also learned about Copilot's ability to do script analysis. Which is really similar to like the GitHub Pilot capabilities where it can look at benign coding, but in our environment, we might have downloaded, for example, a malicious script or a piece of malware and Copilot can actually look at that script, tell you what it did, and tell you where your concerns should be. I find that really, really fascinating because in my history, dealing with so many malware analysts, so, so many malware analysts that say I want to be a better reverse engineer. I want to be a better -- oh, you know, there's always a couple people on the team that are like oh, they're the best reverse engineer. I want to be as good as them. And I think that now Security Copilot can kind of take you further down that journey of becoming a better malicious script analyst or becoming a really great reverse engineer. Kimberly, did you -- you were kind of nodding your head on that. Did you see some of that, too?

Kimberly Ortiz: Yeah, and I was just agreeing with everything you said because that's exactly what I wanted to hit on next. I think it's so cool. I mean and look at companies who can't hire malware analysts, like okay, now your SOC personnel can maybe start to dissect what's going on a little better. And exactly as you said, Jeremy, kind of skill up there. That's super exciting.

Sherrod DeGrippo: I think that's really cool. You can kind of turn Security Copilot into your personal security skills mentor. And walk it through or have it walk you through what's happening in an incident or creating an incident report. And the other thing that I think is really cool is that not only does it copilot you, right? So it sits besides you and helps you out. But you can kind of have it do things for you, too. Like it can close alerts. It can write a little report summary. It can do these tasks, like it can create the KQL, but it can also run the query for you or tell you where the best place to run that query is. I think that that kind of stuff is really going to be a big game changer.

Kimberly Ortiz: For example, I worked in threat intelligence for a long time and you know how many times I have had the CISO come park himself right next to my desk and show me, you know, some headline that he read on Feedly and say are we affected by this? And I haven't even read it yet. But can you imagine being able to go to Security Copilot and -- which machines are affected by vulnerability in my network? And boom there it is right there. And I can turn around and tell him or her, this is it.

Sherrod DeGrippo: Yeah, that's awesome. I think that'll be a really -- you know, a lot of people are talking about how important this is for new people in a SOC. I think it's just important for CISOs and executives to have access to it because they'll be able to self serve so much. Steve, did you have something you wanted to say about that?

Steve Ginty: Yeah. I think the self service piece is very key. Right? Like since it's an approachable way to interact with all sorts of data, it makes it easier for someone to jump in and start asking those questions. And get that information back. And Kimberly and I have talked about this a bunch. Is you know, you feel like as a threat intel analyst, you're spending most of your time going to find out where the data is. So that you can answer the question anyways. You know, and this hopefully starts to kind of flip that percentage a bit into you're spending -- you're able to spend more time kind of doing the analysis as opposed to finding the data to which you need to do analysis on.

Sherrod DeGrippo: Love it. Jeremy, you know, I wanted to ask you from -- you're a leader of this team and it's become more and more focused at Microsoft on threat intelligence, making sure that threat intelligence is back in products and in the hands of customers and the people who need it quickly, where do you think the role of threat intelligence is going to go, you know, as we move into this AI world? How is it going to kind of impact each other? It feels like we're at the beginning of a new industrial revolution kind of. Like it's the beginning of the invention of gunpowder or iron or something.

Jeremy Dallman: I think we've really been touching on a lot of it. It really comes down to, you know, AI's going to help us ask better questions. It's going to help us get better answers. I think more importantly, though, AI's going to help us respond faster. It's going to help us build -- we were talking about queries. It can be queries, it can be new automation, new capabilities that help us get ahead of threats of left of boom more effectively and anticipate the trendsetter around the corner. I think it's going to help us identify emerging techniques, emerging threats, and be able to address them more quickly. So I think that's it's going to be truly, truly a copilot for threat intelligence. Where it's helping us navigate, helping us uncover what we need to anticipate next. Helping us see the forecast, the weather forecast, the turbulence that's coming so that we can anticipate and get ready for it. So I think it's going to be a powerful tool.

Sherrod DeGrippo: It can help us predict the typhoons, blizzards, sleets, and sandstorms that are potentially coming our way. Speaking of the landscape, I wanted to just kind of close out with asking each of you if you have a favorite threat actor and if you have anything on the landscape you wanted to mention about them. Kimberly, I'll start with you. Do you have a favorite actor you like to track?

Kimberly Ortiz: I do have a favorite actor. My favorite actor would be Secret Blizzard. This is a Russia based group that conducts espionage. And my reason for kind of being interested in this actor is purely selfish because I was hired into my very first cybersecurity job directly as a result of some campaigns that this actor had embarked upon way back in the day. So I always find it interesting to see what they've been up to lately. Although it's been a little quite recently, but I guess since the Snake malware takedown in like May of this year I haven't seen much reporting on them. But always interesting.

Sherrod DeGrippo: That's a good one. Yeah. Jeremy, do you have a favorite threat actor?

Jeremy Dallman: You know, I can't say I have a favorite threat actor. I tend to follow a lot of the sponsored actors that come out of China most closely. But most recently, the one I've really been fascinated by and following is an actor we just recently called, renamed, Octo Tempest. This in the industry is referred to as Octopus, Scattered spider. I think ELK3934 is the other one. But this is a really fascinating actor. There was actually talk at Ignite about it. The incident response team at Microsoft did some analysis of their techniques and their tactics. But this is kind of a fun actor because they've evolved. And it's fun to like track their evolution from doing SIM swapping and social engineering and now they're starting to dive into adversary in middle techniques. And using a lot of this fairly sophisticated, not fairly sophisticated, you know in some ways, use social engineering. And then they use AitM, but ultimately to exact ransomware attacks against, you know, most prominently hospitality, gaming, a bunch of different industries for pretty big impact. I love following Octo Tempest's evolution and seeing where they go. And more exciting to me, like how quickly we can see it, knock it down, and help customers mitigate the threat. So, Octo Tempest has been kind of my latest fascination.

Sherrod DeGrippo: They're definitely one to watch, I completely agree. And I got to see the session at Ignite with the Microsoft IR team. Fantastic overview of Octo Tempest. We'll link to that on demand session in the notes here as well as we did a full podcast with some of the Microsoft incident response and threat intelligence teams about Octo Tempest. That threat actor is absolutely one to watch and a super fascinating threat actor, especially when you look at their TTPs, how they go from social engineering into the network. Steve, you have a favorite threat actor?

Steve Ginty: I do. And I just learned that it's the same as Kimberly's favorite threat actor. I also have a fascination with Secret Blizzard. Because when -- a while, a long time ago when we were looking at bringing SSL certificates into PassiveTotal as a data source, we dumped all of our known IOCs that we had labeled and we, Brandon and I, just slammed them against every certificate we collected. And what we found was that there was unique SSL certificates associated with their command and control infrastructure for satellite communication. And so that was the first use case where we were able to really highlight to our customer base back then how powerful this dataset was. And then a couple of years later, while still kind of following it, we noticed that they also were impersonating cars.com in their infrastructure? Still not sure why to this day. But you could follow cars.com redirects and their Google Analytics codes, and if you just followed that code, you would see IP addresses stood up for their infrastructure. And that was a key way for us to track them. I think that's gone away now. But that's been very close to my heart for both of those methodologies of tracking their infrastructure.

Sherrod DeGrippo: Awesome. That's great to know. I think, you know, I've always been a big fan of Strawberry Tempest in terms of tracking and understanding their focus. Which I would say that Strawberry Tempest is kind of a proto Octo Tempest. I feel like they kind of started the game in a lot of ways. But I'm obsessed with Jade Sleet now, who's a North Korean actor that stole over a billion dollars in cryptocurrency. I can't stop. I can't stop thinking about effective they have been at cryptocurrency theft. Literally we're over a billion dollars into that ecosystem and DPRK and that's just -- that's massive. Especially for a country in the diplomatic situation that North Korea is in. So, I really appreciate Jeremy, Kimberly, Steve, all of you for joining "The Microsoft Threat Intelligence Podcast." I hope I can have you back and we can do some more updates on the threat landscape, which we'll be getting into heavy in 2024 when we start that out. Jeremy, Kimberly, Steve, thank you for joining me.

Jeremy Dallman: Thanks, Sherrod. That was fun.

Kimberly Ortiz: Thanks for having us.

Steve Ginty: Thank you.

Sherrod DeGrippo: Thanks for listening to "The Microsoft Threat Intelligence Podcast." We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode, we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out, msthreatintelpodcast.com for more. And subscribe on your favorite podcast app.

The Microsoft Threat Intelligence Podcast
Podcast Info
HOST(S):
Sherrod DeGrippo
Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft, is a frequently cited threat intelligence expert with a 19-year career leading global threat research and analyst teams. She was named Cybersecurity Woman of the Year in 2022 and Cybersecurity PR Spokesperson of the Year for 2021. Sherrod has provided expert commentary for BBC News, Wall Street Journal, CNN, and New York Times and has presented extensively at conferences including Black Hat, RSA Conference, RMISC, SleuthCon, and others.
Schedule: Bi-Weekly
Credits: Executive Producer is Bruce Bracken, Producer is Rob Petrillo, Production Manager is Max Solomon, and our Audio Engineer (and magician) is none other than The Great Rich Cerbini.
Creator: Microsoft