BEC: Homoglyphs, Drop Accounts, and CEO Fraud
Nic Fillingham: Hello and welcome to Security Unlocked, a new podcast from Microsoft, where we unlock insights from the latest in news and research, from across Microsoft Security, Engineering, and Operations teams. I'm Nic Fillingham-
Natalia Godyla: And I'm Natalia Godyla. In each episode, we'll discuss the latest stories from Microsoft Security, deep dive into the newest thread intel, research, and data science.
Nic Fillingham: And profile some of the fascinating people working on artificial intelligence in Microsoft Security. If you enjoy the podcast, have a request for a topic you'd like covered, or have some feedback on how we can make the podcast better-
Natalia Godyla: Please contact us at securityunlocked@microsoft.com or via Microsoft Security on Twitter. We'd love to hear from you.
Natalia Godyla: Hi Nic. Welcome to Episode 13.
Nic Fillingham: Thank you, Natalia. Uh, welcome to you as well. I'd just like to say, for the record, I like the number 13. I'm embracing 13. Do we know why 13 is unlucky number? Is there ... Is it just superstition?
Natalia Godyla: There are a lot of theories. 13 people at the Last Supper, that's part of the reason. 13-
Nic Fillingham: At, really?
Natalia Godyla: ... steps to the gallows.
Nic Fillingham: I'd, I think this is baloney. I don't think-
Natalia Godyla: (laughs)
Nic Fillingham: ... this is real. I think-
Natalia Godyla: I think-
Nic Fillingham: ... 13's a great number. I think we should celebrate it-
Natalia Godyla: You know what? That's a, that's a good approach. Let's do it.
Nic Fillingham: And we should celebrate it-
Natalia Godyla: With jokes-
Nic Fillingham: With a joke (laughs). So, before we started rolling, we were lamenting the fact that there are very few, if any, like, true, sort of security, cybersecurity-flavored jokes. So, we sort of created some, or we, we've evolved some. Do you wanna go first, Natalia? 'Cause you've got a joke that I've not heard. So this would be, in theory, a genuine reaction. Do you wanna give me your joke?
Natalia Godyla: Yeah. Ready?
Nic Fillingham: Yep.
Natalia Godyla: What's a secret agent's go-to fashion?
Nic Fillingham: I don't know. What's a secret agent's go-to fashion?
Natalia Godyla: Spyware.
Audience: (laughs)
Nic Fillingham: Spyware. Yes. That's all right.
Natalia Godyla: Wow. Didn't-
Nic Fillingham: It's okay.
Natalia Godyla: ... even try for a chuckle.
Nic Fillingham: I did. No, I genuinely did. I was like-
Natalia Godyla: I barely got a smile, guys.
Nic Fillingham: Aw, I was hoping to like that one. It just-
Natalia Godyla: (laughs)
Nic Fillingham: ... spyware, yeah. No, it's okay. So, you've heard this already, but the audience haven't, and I know that they're all gonna be absolutely cracking up when they hear this. So, what do you do when your pyramid gets infected with Ransomware? You encrypt it. That's pretty good, right? That's pretty good.
Natalia Godyla: I've got a new one. We're gonna try-
Nic Fillingham: Okay.
Natalia Godyla: ... a new one.
Nic Fillingham: I'm gonna try and laugh. Like, I'm gonna be in the right frame of mind for, if it is funny, I'm gonna try and laugh. You ready? (laughs)
Natalia Godyla: I like that little "If it is funny." All right-
Nic Fillingham: Well.
Natalia Godyla: Why doesn't Superman fight cyber crime?
Nic Fillingham: Why?
Natalia Godyla: Because he's scared of cryptocurrency.
Nic Fillingham: Oh, no, no, no, no, no, no, no, no. Okay, so it's a joke about. It's a jo, no, no we're gonna pull this one apart and we're gonna fix it.
Natalia Godyla: Right. Right.
Nic Fillingham: So it's a word play on cryptocurrency. So, it's gotta be something like, Superman's laptop, no that's not it. But we're gonna work on this.
Natalia Godyla: Strong start.
Nic Fillingham: If you're a, a dear listener of the podcast, if you think you can make this Superman joke work for us, let us not. Securityunlocked@microsoft.com or hit up on the Twitter's MSFD Security.
Natalia Godyla: So do we wanna tell everyone about this week's episode?
Nic Fillingham: (laughs) I, I guess we probably should. On today's episode, we speak to Peter Anaman who is gonna talk to us about business email compromise. This is the fourth of five conversations we're having on the podcast to cover content from the MDDR. Peter explains to us the difference between sort of general phishing in the consumer email space, and phishing and email compromise in sort of sort of business corporate world, and also what the attackers are doing once they do compromise a business email account. Make sure to follow along at home by downloading the Digital Defense Report aka.ms/whackdigitaldefense. And then after that, we speak with-
Natalia Godyla: Scott Christiansen a senior program editor at Microsoft who as he says it "is the security conscience for our company". So, he does a lot of work on the software development lifecycle and ensuring that we are delivering secure code, that we're adhering to our policies and standards around what it means to have secure code. And, in addition to all of that, he's a professor so he talks to us about the cybersecurity program that he's part of and it's a great conversation.
Nic Fillingham: It is. On with the pod.
Natalia Godyla: On with the pod.
Nic Fillingham: Peter Anaman welcome to the security unlock podcast. Thanks for joining us.
Peter Anaman: Thank you for inviting me.
Nic Fillingham: Well, we'd like to start the podcast off with getting our interviewees to give us a quick introduction to who they are. Obviously we'd love to know your title but more uh, interestingly is tell us about what you do uh, day to day. What's your, what's your job look like?
Peter Anaman: So my name is Pierre or Peter Anaman and I work in the digital crimes unit in the Microsoft [inaudible 00:05:08] Organization, which is the legal group. And within this group I'm part of the Global Strategic Enforcement Team, and we currently are focusing on BEC or Business Email Compromise. As regard to my title, Cyber crime Investigator, so I focus on developing cases that we then either pursue with a civil lawsuit or, you know, or to identify the thread actors, or we develop cases that are then subject to a criminal refer to law enforcement where we believe the thread actors are located. So, that's what I do on my day to day basis. As far as looking at prints, looking at intelligence, dark web data to try and see how the criminal, online criminals are using different tools in order for us to try and be ready and up to date.
Nic Fillingham: That's an amazing title. I'd love to have that on a business card.
Peter Anaman: (laughs)
Nic Fillingham: So is your background law enforcement? Are you a lawyer? This might be a very uh, broad question but how did you get to where you are?
Peter Anaman: So I started off pursuing um, once I finished my high school I always wanted to be a lawyer, and so I pursued legal studies and went to law school in the UK. And when I finished law school I, I had a, uh, a passion for pursuing like legal, um, law enforcement related activities, and the law and police was one but I heard the army had a very stringent course in France, and so I pursued a full month uh, accelerated course to become an officer in the French Army. And uh, so, and thereafter I was a Lieutenant. I had to leave but always had a purs, um, a passion for enforcement and from there I ended up working in a law firm trying to combat online piracy as well as different types of cyber crimes.
Peter Anaman: So, it, it included piracy but it was also, child sexual abuse material where you know, we uh, support the law enforcement where we can. And that just developed. And I developed skills. I did amass this in information security to learn some of the tools, how the internet works, and just learned what I needed to and was curious. I spoke with a lot of experts that they taught me so many things on the way. And now I ended up working in this amazing organization.
Nic Fillingham: On today's episode in this discussion, we're talking once again about the, the Microsoft Digital Defense Report, the MDDR which came out uh, in September of, of this year of 2020. And Peter, you're here to talk to us about a section or, or part of the state of cyber crime which is called phishing and business email compromise. You, you contributed heavily to this report. Could you just sort of tee us up, if, if, if you've not heard about the MDDR, the Microsoft Digital Defense Report and you're sort of you know, interested in downloading it and learning more, tell is about this section of phishing and business email compromise. What, what's the scope of this section and what, what are you gonna learn in it?
Peter Anaman: Phishing has been um, you know with a Ph for those who don't know, involves where, typically involves where people [inaudible 00:07:57] are sent emails to people, and once in the inbox entice you to click a link, you know to upgrade, update your password or something of that nature, increasingly is being related to themes like news, like Covid-19, or election related. And when you click the link you go to a site where they ask you for your credentials, and once they have your credentials then they in most cases, may have access to your account. Unless you've got two factor authentication or some other security measures.
Peter Anaman: And so, this section what we try to deep dive, is try to explain the different types of cases that may fall in that, in that category of online crime. And what I mean by that is you see from the sections there's one on credential phishing, there's a second which is more based on BEC Business Email Compromise, sometimes called CEO Fraud and we can speak about it a bit later. And then there's a third category which is really a combination of first two where the thread actors use credential phishing and then lead to some kind of fraud, financial fraud.
Natalia Godyla: So wha, what patterns are you seeing when it comes to credential phishing? How does this manifest in an attack? What would an example of credential phishing look like?
Peter Anaman: So when you look at each of these sections, the three of them, I can provide a little bit more depth. And so, in the first instance, credential phishing, as I mentioned earlier, it would be when a person would receive and email claiming to be you know, security department or a, you know, some h, highly important thing that they have to do, and when the person clicks the link, they are then sent to a webpage which looks like the, the legitimate office 365 login page as an example. And when they enter their credentials, the source code of that webpage has a form and the form has instructions. And those instructions are, when someone clicks submit, collect information in the username and password, and send it to what we call a drop account. Right? It's like an email address that collects the information submitted on that page.
Peter Anaman: Now, we know this because through our investigations, we analyze you know, a p, I think we're on about ten [inaudible 00:10:06], hundreds of thousands of URL's every day to determine if they are phishing or not. And so we have seen how the in, information submitted from the email and from that email, what they do in some instances, in credential phishing is that they know that some people, like researchers will submit dummy information. So what whey do is they do a, a check. Right? They take the credentials and try to impersonate someone sent connected to the account, using some con, uh, they call it an SMTP checker, it's a, as in to keep the protocol for sending email. And so they check the credential and it works, they know it's valid. If it's not valid, they get rid of it.
Peter Anaman: And then, once it's valid, we have seen like literally in minutes, it can lead to what we call BEC and our [inaudible 00:10:51]. So that's credential phishing essentially. But boldly the three differently areas we're seeing these credentials being used, we see them being sold on the dark web for very little. Because then other people can use it to send spam for example, or unsolicited commercial emails. They could use it to look at the person's account and steal confidential information, or business email compromise. So, that's how credentials are used typically.
Peter Anaman: We then move to BEC and CEO fraud. There it's uh, I think most of the time, some people like to use BEC to include phishing but it's really a different type of activity. And the reason they use business email and compromise, is that this activity is targ;eting companies. And the reason is, it's another way of stealing money from the bank, right so to speak. And what I mean by that is that they've realized, the criminals have realized that companies have processes in place. Right? So for example I wanna b, I wanna pay for a service. Well it goes to procurement, and it goes to accounts payable, and they make a, a payment.
Peter Anaman: Well, understanding this kind of almost a supply chain, right? The criminals have realized that, s,
Peter Anaman: If they can monitor for wire transfers or transactions, they can like take over that conversation and redirect the payment to a different account. And this is how it could work based on what we've seen. So, as I mentioned, you have credential, they then have access to your account. When they have access to your account, in most cases we see two things happen. One, they add a forwarding rule. So they add an inbox forward- forwarding rule which says if you receive an email and in the subject or the body, you see accounts payable, invoice, USD, EUR, so different keywords that are related to a transaction, forward it to this email account. In other cases, what they do is they say forward it to an RSS folder. So a folder in your account and so then they will access your account and that specific folder to get the email messages which makes it harder to identify who they are, right? Because if they have an email or someone accesses that email.
Peter Anaman: So once they add the forwarding rule and messages are sent and they find an email about the payment due, what they do is they look at who are the parties and depending on who, who is the person receiving the money, they'll get rid of them on the chain and create a homoglyph domain name. A homoglyph, it's like the Egyptian times, right? Something that is made to look like. It impersonates another domain name. For example, an I becomes a one. Right, or O for Oscar becomes a zero. So it's a slight change. And what they do then is that they have to use the same name as the person who they've removed and they continue the conversation. And at some point they say, hey, my account has changed. Updated PDF, this is our new bank account.
Peter Anaman: Well because the people on the chain have been part of the chain, they think is legitimate. And so they make changes to the payee, to the instructions. And then the money is moved to a different account. It's just terrible when you see how much money has been lost. And if you read all the reports, you know, it's in the billions of dollars that have been lost this way. And that's why BEC has become very, very important to tackle as a type of crime.
Peter Anaman: Now the third category, we said was a combination. And the reason is that in BEC, the second category, there are cases where it's almost like a stakeout, right? They see a company because they go to a website like, uh, the city has to make public, all the RFPs, you know, orders that they have to do 'cause they have to be public. So they see who may be bidding for a contract. And then they'll impersonate that person and try and get access to the payments for that government contract as an example. So that doesn't use credential phishing, right? It's, they're just looking for public information in order to understand what relationships are and to take over a transaction. Fascinating stuff, you know. Someone could make a movie out of how these people operate.
Nic Fillingham: And is BEC the sort of end goal for the phishes? So for example, is phishing in the consumer space, the harvesting of, of credentials then being used to launch and mount, uh, BEC attacks in order to actually make some money?
Peter Anaman: So I think there is a way we can distinguish between consumer and enterprise phishing. So the difference between sort of a, a spray concept, which is for consumers, just try and get as many accounts compared to the enterprise, the business email compromise, where it's more targeted. And the difference is that when you create a new Hotmail or Outlook or Gmail account, the systems know it's new, right? When I say it's new, is that if you were to send me an email from outlook.com, right, I would know it was created yesterday. But if it started to send emails to like a lot of, 200 people is highly suspect. But if you were able to get a person who's had the account, like let's say for 10 years, right? Well maybe that's not a anomaly because the person has lots of friends. They have lots of contacts, right. The, it looks like a real person. And so it's more likely to go under the radar when it comes to detection. And those could be some of the benefits of using compromised consumer email accounts. Just one example, there are many others.
Peter Anaman: On the enterprise side, what we've seen for example in some of the attacks, is that the people who are being targeted typically within the category, right? We see a lot of executives, for example, in the C-suite that'd be being targeted. We see a lot of people in the accounts department, which have been targeted. We see directors being targeted because these are people who can authorize payments. They're not looking to send an email to a person who cannot help them, unless maybe it's an executive assistant who then can give them access to the inbox of the C-suite.
Peter Anaman: Now in my presentation, I've spoken at times of dark web and I think I'll just put a sentence behind that. You know, dark web is a word that is used often, but in this context, I'm just speaking about places where people sell, conduct activities associated with criminal activity. The web is divided into four categories from my lens. One is the surface web, which is indexed like through search engines. The second is called the deep web. Those are websites that are either password protected like an online forum, where you have to register an account before you get in or a dynamically created website. So for example, a new site where the content changes, changes on a regular basis. So that's a deep web, it's not index. One of the biggest parts.
Peter Anaman: Then the dark web is really tall, right? That's where you need a specialized search engine, you have to use, go to dot onion websites and that's a different category, dark web. Then you have the vetted web. The vetted web are websites where in for you to get access you need to be vouched. Which means that another criminal has to say you're a bad guy, and or girl. And so then you will be able to access it. And it's a way for them to try and trust each other. But in my context-
Nic Fillingham: It's the, it's the Twitter blue tick of, of the bad guys.
Peter Anaman: Yes, they're trying, they're trying, they're trying. Uh, but [inaudible 00:18:17] all of them. So, you know, for, for what that matters.
Natalia Godyla: One other section of the Microsoft Digital Defense Report that you had covered was the section on COVID-19 themed phishing learners. So can you talk a little bit about how these techniques for phishing and Business Email Compromise were leveraged during the time of the pandemic and are continuing to be levered?
Peter Anaman: So one of the, one of the patterns or trends we've noticed is that often the criminals change their attack mechanisms or the way they send messages based on lures which are relevant to a group of people in a specific time. As an example, we saw the same with you see it with, uh, elections or sport games or something to do with a celebrity. In this case with COVID-19 at the beginning of the year, we started to see a change and he came from a specific and came in different people were doing it, but we saw it more naturally with one group. Where we were tracking them for mid-December on the activities they were conducting, phishing activities they were conducting. They were using for example, financial statements, or they were using bonuses or different lures about finance and then all of a sudden they changed and they started to use COVID-19 bonus as a lure where they would say, "Hey, click this link to find out about your club COVID-19 bonus."
Peter Anaman: And so when people click the link, it was sent to an Office 365 login page, and they submitted their credentials. A lot of people submitted their credentials from the logs we've analyzed because they believe that it was something that was relevant for them at that time. And that was part of the lure. And after a few months they changed, we were able to technically counter what they were doing and they moved to a different method of attack. It's just using, using the time.
Peter Anaman: We just recently saw it with elections, for example, the same thing, the US elections. And we saw there were, there were some groups who had modified how they presented the email to people in order to encourage them to click the link and lead them to a phishing page. So the COVID-19 lures are something that we've noticed. It's part of a broader theme related to, uh, societal events, which are criminal's trying to take advantage of to increase the possibility of people clicking a link, right? It has to be believable. And it has to be a sense of urgency.
Natalia Godyla: Do you ever think we'll preempt the societal moments? So if there's some big moment happening, we can assume that a cyber crime would leverage that societal moment as a lure and so we could plan ahead?
Peter Anaman: One thing which would be difficult is as a company, we have a wide array of customers and we want all our customers to show up the way they want to show up, you know, without having to try and be someone else and not authentic. And with that in mind, it really, and even a step further, these people, right? They work for different organizations and in different organizations, they have different cultures that they have different ways of working. If you look at, for example, a manufacturing company where maybe IT may not be at the forefront, what the way they interact with IT will be very different to if you went to a startup, a tech startup, where that's what they do most of the time, not manufacturing, right? And so when we have such a wide array of customers and we've got governments, right, we got governments from different countries, some like each other, some don't. We have banks, we've got, we have different types of customers and Microsoft, all of a sudden becomes the protector, right? Because criminals are targeting banks, but they're our customer. So they rely on our security as well.
Peter Anaman: So when we go back and speak about lures and things, these are things that we have to as cyber-crime enforces, we have to understand it happens. And so as we build technical measures, we have to implement technical measures that are adjustable and can, can change based on patterns it's observing. So I think the way to attack it is always to have this kind of different measures that are working together and leverage artificial intelligence and machine learning models in order to help us distinguish between different types of criminal activity and protect our customers. If that makes sense.
Natalia Godyla: And what is our guidance to customers on what they can be doing to help prevent against these attacks?
Peter Anaman: One is always to have good policies in place within the company, right? So that all employees are aware about how to make sure the devices are up to date. Don't pick up a USB on the street and put it in, you know, uh, make sure internally there are policies on backups, make sure you've got an online and offline backup, right? So you have to have policies in place that help protect the organization. The second part is to work hand in hand with their technology providers, right? So for example, if you work with Office 365, make sure that we have something called a Secure Store, a Secure Score. that's Secure Score is based on experience. We can say, hey, maybe if you have, to have a better score put MFA, Multi-factor authentication. Some of your users allow forwarding, block it. [inaudible 00:23:40] make sure it's admin can only authorize forwarding, right? Or off. 2.0, make sure that, uh, consent has to be from the admin. So there's a secure store that it helped them really implement in a much more secure environment, which will be frictionless. Number three is to have regular tests
Peter Anaman: ... with any organization. So that, I mean, that could be part of the policy, but typically is not always. Where you have fishing simulations, which are taking place, right? So that you can start to e-, keep the education at the forefront because we're all very busy and sometimes we forget. And I think four is that we have to work, we have to look always to use technology to advance the way you work forward. And what I mean by that is that companies need to think about the digitalization of their work processes. And what I mean is, uh, I mean, this may be a little bit off, but investigating some ransomware cases.
Peter Anaman: For example, recently we saw that part of the problem is that some customers have old infrastructure on-prem, for example. And so that is what is being attacked. And once they get into that, then they can pivot and move laterally elsewhere into the organization. So I think digital transformation is by looking at your processes overall, by saying, "Are there ways we can modernize in a way that creates a better security landscape?"
Nic Fillingham: Well, thank you for your time today. Again, we were, we were talking about the Microsoft Digital Defense Report, which is available to download for free. We'll put the link in the show notes. Peter Anaman or Pierre Anaman, thank you so much for your time.
Peter Anaman: Okay, thank you very much. Be safe.
Natalia Godyla: And now let's meet an expert from the Microsoft Security team, to learn more about the diverse backgrounds and experiences of the humans creating AI and tech at Microsoft. Hello, everyone, and welcome back to another episode of Security Unlocked. Today, we are joined by Scott Christiansen, who is a Senior Security Program Manager at Microsoft, as well as a Professor at Bellevue University. Thank you for joining us, Scott.
Scott Christiansen: Well, thanks for having me. I appreciate it.
Natalia Godyla: I'm really looking forward to this conversation. So, so let's kick it off by just giving a little bit more context behind those two roles. Can you tell us what your day and, and night look like as a program manager and professor? What do you do? What does your team look like? What do you teach?
Scott Christiansen: Yeah, absolutely. So let's start with Microsoft, that's the thing that takes the majority of my time. So (laughs) I work in our customer security and trust group. And, specifically within that, our security engineering group within customer security trust. And then, more specifically, I work in our data analytics and insights team. And our group, as a whole, our security engineering team, is responsible for ensuring the company meets the software development life cycle, operational security assurance, policies and requirements that we have. As for any shipping software that we have to ensure that what we're shipping out meets our own internal, um, security standards and our internal security rigor.
Scott Christiansen: Which then is tied to plenty of different external security compliance objectives and things like that. So that's kind of a mouthful, but we help ensure that the company's delivering secure code is kind of the nutshell. Or as we like to say, we're kind of the security conscious for the company. We have security teams throughout the products and then throughout the organization. And we're the conscience that comes through and says, "Is everybody doing everything they can be doing? And are there areas where we could be doing better and, you know, how can we help in that space?"
Scott Christiansen: And so what we started doing is we started pulling in all the bugs across the company. So we've got like 700 different Azure DevOps repositories where engineers are storing work items and working with. And they generate roughly about probably 50 to 60,000, uh, new work items every single month. And so we suck in all that data to one gigantic data warehouse and we perform kind of analytics on that. That's really branched out to kind of work streams that I very specifically work on. One, I've spoken a little bit externally about this, where there's a blog up on the Microsoft blog site. I've spoken at RSA this past year and it's kind of their machine learning work that we've done with security bug classification.
Scott Christiansen: So we pulled in all of the security bugs to this one spot. We said... and some of them are labeled as security, some of them aren't. And we took a look at that and we said, "Well, are there any that aren't labeled as security that should be labeled as security?" So about four years ago, probably, we started a little hackathon project trying to answer that question. And, uh, it's been a small project kind of throughout time with that. But, ultimately, it turned into a product that we've put together where we built a machine learning system, uh, that accurately classifies, uh, these bugs and says, "Hey, this pool of bugs is security and this pool of bugs is non-security."
Scott Christiansen: And then for the, the pool of bugs that it says it is security, it will, um, say, "Hey, yeah, these particular subset of those bugs are critical security bugs. These are important security bugs, or these are some other particular severity with that." And we've had just unbelievable accuracy with that. So that's one of the things that I work on. Yeah, so we've got that model built and we're in the process of really, uh, we've got it built. We've classified all this data that we have within the company, and now we're in the process of making that more operational, so the engineering teams can take advantage of it. And then, in turn, finding a way to take that and spend it externally, probably through GitHub.
Scott Christiansen: Uh, that's kind of the target that we're looking at, but so external customers and just the security industry as a whole can kind of take advantage of this auto classification piece. I spend a portion of my day doing that. The other portion of my day is kind of around this, this compliance report and GitHub bot. A really incredible code analysis tool. Used to be called [inaudible 00:29:11]. And it does just a phenomenal job at finding software vulnerabilities. And it's our team's job to kind of get that deployed within the company. And right now with getting static analysis stuff rolled out i- is the biggest priority. So that's pretty much what I spend my day on.
Scott Christiansen: And the evenings, like you had mentioned, I'm a master's level cybersecurity professor at Bellevue University, uh, specifically, in their online cybersecurity program. And there I teach a few different classes, but most specifically I teach their masters in, um, architecture and design.
Nic Fillingham: Thanks for that intro, Scott, uh, oh gosh, I've, I've written down like four questions coming back to, I think, one of the first things you just talked about in your day job, if we can call it that, your Microsoft role, how do you use machine learning to classify whether a bug is security related or not?
Scott Christiansen: It started as this, as this summer hackathon project, and it was just a few of us, myself, uh, one of my colleagues, Alok Kumar and one of our other colleagues, Naveen [Nurenja 00:30:09] sat down and said, "Hey, are we missing anything in this space?" And none of the three of us were, were data scientists by any means. Alok had a little bit more an understanding experience with some of the machine learning work. And so we sat down and we go, "Who are the big hot tents in July?" And I started chewing through this problem and I was an expert in the security space. And so I said, "Well, well, those guys were going through and they were looking to see if they could find a machine learning model that might kind of work to help us solve this problem."
Scott Christiansen: I went through and I did manual sampling of the bugs to determine if there was actually an issue there or not. So we went through and took a couple thousand bucks that were taken as security and looked to see if we had any misclassified or misidentified bugs there. And then we took a bucket of the bugs that were not classified as security, like another 2000, 3000 random sampling of bugs. And said, "Are there any security bugs in that space that we're missing?" And so we found discrepancies in, in both spaces. And so clearly the things that aren't showing up on the security radar are potentially a problem. The, the good thing is there's a good side to this whole story is that engineers fix bugs regardless if they're security bugs or not.
Scott Christiansen: So the stuff that we found that didn't necessarily show up as a security bug was still getting fixed and it was getting fixed within a, a good SLA. So that was good, the right thing was happening, but it wasn't necessarily maybe showing up on everybody's radar. And, more importantly, it wasn't necessarily showing up on a radar where a security assurance person can come say, "Hey, I see you doing some security work over here. Maybe I can give you a hand and I can help you out with that.2 And the, the same was true for the space where we saw all of these security bugs or things that were tagged as security bugs, but they weren't necessarily security related.
Scott Christiansen: You know, engineers are wasting kind of these trimmed down SLA fixed times for these, you know, supposed security bugs that aren't there. And so we're spinning up all this excitement around, "Hey, oh, here's the, the security bugs that come in and you have to fix these things." But they're not actual security bugs, and so you're just kind of spinning your wheels on that and, and wasting available engineering effort. So we started building our own machine learning algorithm kind of around this. And we started kind of doing this manual assessment and said, "Okay, out of these bugs that are security, can we find clusters of bugs that are misclassified?"
Scott Christiansen: And so, eventually, we did that and it took us a while, it took us a good probably year and a half to come up with, what we would say, was a really kind of gold standard training dataset. We had this big block of bugs, uh, roughly about 300,000 bugs that were classified as security and ahead with the right security severity. And we were confident in those classification numbers. And so that's what we used to then train the model. So as we're going through this, and we got about to that point, we said, "We really need data science expertise." We hired, uh, Mayana Pereira and she's our data scientist for the project. And she's absolutely fantastic.
Scott Christiansen: She found error rates associated with the data and how flexible we could be as error information potentially got introduced to our training dataset. She's shifted the algorithms that we've used a couple of different times, and we are light years beyond where we were thanks to kind of her joining the team, uh, and joining the project. And so, yeah, it's been about a four year journey, probably.
Nic Fillingham: So just to clarify this, so the machine learning model is simply looking at the title of the bug. It's not looking at like Reaper steps or any other data. It's just, what is the title of the bug?
Scott Christiansen: Yup, yup, that's correct.
Natalia Godyla: So the courses that you're teaching are around infrastructure and the work that you do and Microsoft is around software development. So how did you get into security? What have you done within the security space? What brought you to these particular domains within security?
Scott Christiansen: So I used to actually live in Omaha. I'm not from there, originally from North Dakota, part of the small cluster of people that, that, in this world, that are from North Dakota. But I met my wife up there and we moved down to Omaha. I restarted kind of, kind of my education once I went to Omaha into computer science. I went to school there, I got a job, and eventually, I started working at an architecture engineering company. I say it's a small company, it was a 1200 person company, but it was, at the time, it was the fourth largest architecture engineering company in the, in the US. So it was decent sized.
Scott Christiansen: Being a small company, you get hands-on with a lot of different things. And so I'm going to school, I'm working, I'm starting to run all the infrastructure components that, that we have within the company. And we've got like 13 different offices in the US. We started to expand internationally, so I got a lot of exposure in that space. As I'm going to school, I'm trying to figure out exactly what kind of discipline of IT I want to do. At that time, it wasn't necessarily development. I like the Microsoft products, I like server products, I like Linux products. It was really the, the infrastructure stuff. And so I started getting into networking, and then I kinda got bored with that.
Scott Christiansen: And so then I kind of went to systems administration of Windows stuff. You know, that one was where I was thinking my focus was going to go. And then I kind of got bored of that. One of the unique things about Omaha is it has a really large, uh, department of defense presence down in Bellevue, Nebraska. They've got an air force space and they have strategic command that's down there too. And one of my professors happened to be a security person that worked at StratCom down at the base.
Scott Christiansen: And he was really into security and he kind of taught us some security stuff. And I was like, "Whoa, this is kind of like the Jedi, Sith type of cool, you know, dark hacking. This was before like hacking was like super cool like it, like it is now. It was just kind of this thing, but it's was like, "Hey, you can get software to do things that the software developer didn't expect to do." I'm like, "This is kind of interesting. It's got like the prankster type of thing, right?" And you get this creative mind going and you start going, "I want to do security." So I'm working at the architecture business and I said, "Hey, I'd really like to shift my role into security."
Scott Christiansen: So I started doing some security stuff for them, but it's not really necessarily a high target type of business when they said, "Hey, you know, if you're ever looking for something, we're looking for a lead in our incident response group." And, and so shortly thereafter, I moved over and I was the lead for the incident response team for, uh, TD Ameritrade for a number of years. And TD Ameritrade absolutely has targets, they have, not, uh, not only normal criminal targets, they've got nation
Scott Christiansen: ... state attackers and anybody that's looking to try and steal money an- and hack into large financial enterprises, so that was a really exciting job and we did a lot of really exciting, cool things there, and some neat stuff happened. And then one day, I, I got a call from our, uh, sort of VP of security engineering at the time and he said, "Hey, we really need some help over in the software assurance space." And so I moved over onto that team and wrapped up my dev and my code view chops, and started doing kind of code review and code analysis.
Scott Christiansen: And, specifically around that time, we were getting into the mobile app space, and so that's where I really focused my effort, was the kind of mobile applications and ensuring we had security coding practices with that. And then, and then, eventually expanded to kind of, to, to the rest of the enterprise. So, I was working at TD Ameritrade during the day, and I was teaching the one location at night, and then teaching online in between that.
Scott Christiansen: And then, I was writing some, uh, the local, um, security groups, too, like the OWASP Omaha, I was president of that for a little while. I was the president of Nebraska InfraGard for a little bit. So pretty active in there, and, uh, Microsoft reached out to, out to me, and said, "Hey, look. We've got this opportunity, and we'd like to talk to you about it." And it's Microsoft, right? So I'm not gonna say no. It's like, you know, some of the smartest people in the world working on these kind of world-changing problems.
Scott Christiansen: And I came out, and I will say it took the third different position at Microsoft before I finally actually moved out to Redmond and started working for Microsoft full time. I had two different opportunities tha- that didn't work out. So anybody who's ever interested in working for Microsoft, don't give up. There's enough people here and enough opportunities, I'm sure the right opportunity exists out here for you. And, and clearly it was, because this was ... Eventually when I came out here to do this work, this was absolutely the right fit for my skillset, for the company, and it was this kind of perfect blend, and I, I wouldn't think of anything different beyond that.
Scott Christiansen: I absolutely love what I do, and I'm now in a role where I have an opportunity to ... You know, I'm not just securing an enterprise or securing a company. I'm part of, uh, really changing a- around the world as a whole. So it's this really, kind of wonderful opportunity and wonderful role that, that I get to do and these kind of global changing types of things that we ... problem solving, I guess, that we get to work on within the company.
Natalia Godyla: I love the context and I can absolutely vouch for your statement about Microsoft. I came to Microsoft after the second roll, um, so going inside Microsoft or having the inside out perspective, I now understand the sheer size of Microsoft and the fact that you just keep trying. If the right fit is there, it'll happen. But your story seems to really have started with a professor who highlighted security as an opportunity. So is there any connection between that professor and your desire to go into teaching? How did the professorship start?
Scott Christiansen: Very good question. I was pretty active in the local Omaha security community with the different groups, and there was a guy named Ron Warner, and Ron's a good friend of mine, still is a good friend of mine, and he was very active in the community as a whole. And, around the time that Bellevue University was standing up their cybersecurity program, Ron was there, and he called me up, uh, he was standing up the program. He was the director of the program at the time.
Scott Christiansen: And he said, "Hey, look. We're standing this thing up, and I know you've had some experience teaching at ITT Tech." And I started teaching at ITT Tech, 'cause I graduated with my master's degree. I was still, um, friends with some of the professors there, and they said, "Hey, you should come teach for us." And, interestingly enough, I decided to teach for one very specific reason. I wasn't a very cohesive public speaker, and it was a skillset that I really wanted to grow and develop, and I thought. "Wow. A, there's no way for me to be a better public speaker than to go up day and day in front of a group of people and try to deliver a message, and I'm not just talking about something at that point in time. I'm teaching them something, so they have to come away with knowledge after that."
Scott Christiansen: So it was really like a self-growth thing in a space that I felt like I had some level of expertise. Over the course of time, I really started to, to, to develop kind of a rapport, and almost a character, like y- y- you'd put a hat on say, "Okay, this is, this is my teaching hat. This is what I'm gonna go do," and you deliver something that's interesting and engaging. And there was a personal growth component with that, because I'm this old guy by this time. I'm married and I've got kids. I don't have a lot of extracurricular time on my hands, but I have all of these students.
Scott Christiansen: It was, uh, it was a scattering of, of male and female students. So I could start to take new ideas and present them as seeds to the students. So like, "Hey, I wonder if you did this," or, "There is an interesting security tool. Do you think you could do this with it?" And I could pique their interest and they go out, and the next week they came back and they're like, "Hey, look at this thing that I did." And so then we all got to learn together with them. That was really, really personally rewarding to be able to do that, to help people learn, but also to see the feedback and me, individually, grow from the knowledge that they were presenting back to myself and back to the class, too. So it was really incredible.
Scott Christiansen: And security is hard. It's not an easy discipline. It's not an easy space. It covers the gamut of everything. If you think about security kinda holistically that, you have all these engineers building all of this technology to do thing, security is trying to understand what they did and figure out where they went wrong. So, I don't have to get a lot of people excited about security anymore. They're already excited, 'cause they've started the program. There's definitely some level setting that you have to do, and let them understand kind of what the space looks like, versus what they think it's gonna look like.
Scott Christiansen: Everybody think they're gonna come in and they're gonna be a pin tester and they're gonna make millions of dollars and find all these vulnerabilities, and that might be the case for some people. I mean, there's bug bounty programs out there, where people are making significant amounts of money. But there's a space than that, and that's a very specific subset of everything that you can do in security. There's a lotta opportunities for lots of other people to do lots of different things. So I'd like to help do that, too.
Scott Christiansen: But more importantly, I'd like to help the students understand how to properly secure things. There's a lot of misinformation kind of in that space, or people have misguided expectations on how to secure specific things. There's a definitely a right way to r- to do things and a wrong way to do things, and so that's one of the things that I feel I probably contribute the most is saying, "Here's a right way to do this." But sometimes, if you have some knowledge or, or you have that background already, i- the online experience can be very successful for you, or if you're just really good at ... you don't mind asking questions.
Nic Fillingham: I love that you said if you find yourself not succeeding in an in-person environment, go check out online and see if that's the right thing for you, and, and the inverse. That's fantastic advice. Well, Scott, is there anything you wanted to plug or, uh, point people to before we let you go? Any sort of resources, blogs, communities you like?
Scott Christiansen: Besides assessing that the machine learning model is the right tool, or the machine learning that we built right now is the right tool for external customers, we're doing a lot of our own, individual assessment. You know, Microsoft has gone down this awesome path of responsible AI and ethical AI. So, wh- We're no different to that process. In addition to seeing how well the model does within this outside Microsoft, we're also running it through the gamut.
Scott Christiansen: So we've taken it through, um, our legal resources to say, "Here's our model." You know, "If we were to release this thing tomorrow externally, would you be okay with it? Here's the data that we used. Here's the data owners that own the data that we're using. Do you think it's okay with them that we've built this model and it does these things?" We've got security teams now within the company that do, uh, this responsible AI and security AI work, and we've talked to them through the risks associated potentially with our model and, and what the model could do.
Scott Christiansen: That whole security AI space is really new, so it's interesting for a security team to come out with this security classification model and then kind of go through all those reviews. We're in the process of starting to work with some security AI pen testers now within the company, so people that in their specific skillset is attacking these AI and, and ML models and finding vulnerabilities and flaws kind of associated with that. So we're engaging with them, uh, to do that.
Scott Christiansen: So we're doing a lot of different work kind of with that. And, again, that's all because we've trained this model on a non-public data set. So, if we expose the model externally, we wanna make sure that it's not gonna expose any of this non-public information to the rest of the world. If all this turns out and it fails, so far, it looks like it's not, but if it does, then, you know, being a responsible engineer in this space, we have to go get public data to do this.
Scott Christiansen: And if we trained it with public data, that would be fine, but it's taken us three years to kind of get to this particular point to build up this kind of reference data set. It's gonna take that long externally. And so what we wanna do is try and see if what we have is, is good enough to put out there, but, uh, do it in absolutely the most responsible way for Microsoft and our engineers and our customers that we possibly can. So if there's any plug, i- it is that plug and that responsible AI is super, super important, and we're doing our best to kind of adhere to those goals.
Nic Fillingham: Well, Scott Christiansen, thank you so much for being on Security Unlocked.
Scott Christiansen: Yeah, absolutely. Thank you so much for having me. I ... Uh, it was really rewarding. I really appreciate it.
Natalia Godyla: Well, we had a great time unlocking insights into security from research to artificial intelligence. Keep an eye out for our next episode.
Nic Fillingham: And don't forget to tweet us at MSFTsecurity or email us at securityunlocked at Microsoft.com with topics you'd like to hear on a future episode. Until then, stay safe.
Natalia Godyla: Stay secure.