Security Unlocked 11.25.20
Ep 6 | 11.25.20

The Mechanics of Digital Crime


Nic Fillingham: Hello and welcome to Security Unlocked, a new podcast from Microsoft, where we unlock insights from the latest in news and research from across Microsoft security, engineering and operations teams. I'm Nic Fillingham.

Natalia Godyla: And I'm Natalia Godyla. In each episode, we'll discuss the latest stories from Microsoft security, deep dive into the newest threat intel, research and data science.

Nic Fillingham: And profile some of the fascinating people working on artificial intelligence in Microsoft security. If you enjoy the podcast, have a request for a topic you'd like covered, or have some feedback on how we can make the podcast better-

Natalia Godyla: Please contact us at or via Microsoft Security on Twitter. We'd love to hear from you. Hi Nick, welcome to another episode. How's it going?

Nic Fillingham: Hi, Natalia, I'm a little angry, actually. I'm a little cranky. I don't know if I've said on the podcast before, I live on sort of a small farm, about 30 minutes East of Seattle. And we've got some farm mammals, we've got piglets, recently, they were born in the spring. And this morning the piglets found our delivery of fresh fruit and vegetables from CSA and they ate them all. They ate $75 worth of beautiful organic fruit and veggies, that was meant to last us for the next month. So I'm having pork for Thanksgiving.

Natalia Godyla: Those are the brattiest pigs.

Nic Fillingham: Yeah well we initially... Their names when they were born, they were super sweet and we called them June and July, my daughters called them that, but we've renamed them to Beavis and Butt-Head because they are stupid jerks.

Natalia Godyla: Wow, that's harsh.

Nic Fillingham: You think they listen to the podcast? I have given both of them iPhones. Apart from that I'm good, how are you Natalia?

Natalia Godyla: Wow, I mean, I can't compete with that story. I'm definitely not at war with one of my piglets.

Nic Fillingham: You're in Boston, Massachusetts, I think... You're not downtown, you're in more of the leafy green, sort of, oldie worldy part, aren't you?

Natalia Godyla: I am, I'm near Cambridge dealing with equally bratty, but amusing animals. While I don't have the farm set up you have, I have the Somerville turkey.

Nic Fillingham: The Somerville turkey? Is that a ghost of a Turkey?

Natalia Godyla: Right, it sounds like the headline to a scary movie.

Nic Fillingham: Yeah, it's like a turkey shaped poltergeist, what is that?

Natalia Godyla: It's just the turkey that causes mayhem in our little neck of the city.

Nic Fillingham: Is the turkey's name Somerville or is that the neighborhood?

Natalia Godyla: Oh, that's the neighborhood.

Nic Fillingham: Does the Turkey have a name?

Natalia Godyla: I don't know if it deserves a name.

Nic Fillingham: And what does it do, how does it cause mayhem? Is it tipping over trash cans and spray painting swear words on sides of people's houses?

Natalia Godyla: I think you might be mixing up a hoodlum with a turkey. No, it blocks traffic and is a great source of distraction for everyone doing remote work in Boston right now.

Nic Fillingham: I mean, because you live so close to the storied Cambridge University, I can only assume that a turkey is a much more sophisticated, intelligent turkey. And when it's blocking traffic, it's pulling out traffic cones, it's setting up fake road work, à la Ghostbusters Two.

Natalia Godyla: Yeah, this was a very unexpected turn, but I'm impressed at the short number of leaps until we got to Ghostbusters.

Nic Fillingham: Hey man, I can get to Ghostbusters in two leaps. Doesn't matter what the topic is. And speaking of turkeys and Thanksgiving, these two turkeys, that's you and me and Natalia, we are very thankful for our guests that joined us on episode six of Security Unlocked. First up, we continue our exploration of some of the topics in the Microsoft Digital Defense Report, the MDDR. Donal Keating is joining us to talk about the increase in sophistication in cyber attacks, and so what does that mean to have seen an increase in sophistication in cyber attacks over the last sort of 12 to 18 months? And some of the sort of high level observations that are in the report, that's a great conversation.

Natalia Godyla: And we have Michelle Lim on the show today, threat Hunter at Microsoft. She'll be sharing her path to security and how industry organizations and mentorship have helped her identify new skills and interests within this security space. It's really great to hear how she's leaned on the community to help drive her career and her passions for the cybersecurity realm.

Nic Fillingham: And happy Thanksgiving to everyone celebrating in North America. Everyone else happy late November, early December to you. We hope you enjoy the podcast.

Nic Fillingham: Welcome to the podcast, Donal Keating.

Donal Keating: Hi.

Nic Fillingham: Thanks for your time. So Donal we like to start the podcast by asking our guests to give sort of a brief introduction to themselves. What's your job at Microsoft, but sort of what does that look like day to day?

Donal Keating: So my role is I'm director of innovation and research for the digital crimes unit, and I generally accepted I have the best job in Microsoft. But what it really means is I sit between a group of people who have regular investigative and analytic jobs and the lawyers who take the cases that we build up and what I consider the data hacking. So we have access to lots of data, lots of crime mechanics, and it's my job, really, to figure out techniques to unveil the criminality and see if we can assist an attribution or mitigation against a particular crime. I'm just sort of the new guy on the block when it comes to new types of crime or new patterns in cyber crime.

Nic Fillingham: Are you the Oracle, if I can use a DC universe analogy, or do you prefer a different... What's the superhero role that best fits what you do?

Donal Keating: Glue. I'm just incredibly inquisitive glue. And I know very little and it's great having... I feel like a three-year-old going around Microsoft asking, "What does that do?" You need to be inquisitive in this.

Nic Fillingham: That's sort of what Natalia and I are doing on the podcast. That sounds awesome. So Donal, thank you for joining us. In the conversation today, we want to talk about, really one of the biggest headlines coming out of the recently released Microsoft Digital Defense Report for 2020. So it's a report that came out in September. Tom Burt, who leads, I think the organization you're a part of, customer security and trust. He authored the blog post announcing the report and sort of the big takeaway... The big headline there was that, in this last period, cyber threat sophistication has increased and we've never seen it sort of this sophisticated. And so we've invited you onto the podcast today to really help us unpack this idea of cyber threat sophistication and the fact that it is increasing. So if I could start with sort of a pretty big question, cyber threat sophistication is increasing. What does that mean? How do we think about that? How do we measure that? What does it mean for folks out there to know that cyber threats are increasing in sophistication?

Donal Keating: Yeah, that's a good question and the way I would... The reason, first of all, the sophistication of this cyber crime is increasing, is largely that the sophistication of the defense has increased significantly. So as more workloads run on cloud environments, operating systems become more secure. People would become more security conscious, there is just more technology in the production area. Criminals by their nature need to adapt to that challenge, so in one area and what I would call traditional hacking where people are trying to gain remote access to a device. They have pivoted away from trying to find zero day exploits and they've actually pivoted to some human engineering. Now, the human engineering may be to get the malicious workloads to run on machines to unlock them and allow malware to be installed.

Donal Keating: So that's one area that they need to have got more sophisticated just to get around the defenses. But the second area of where we see sophistication, is cyber crime is now a business. And as a business, there was specialization in that business. So you have very specialized people who will develop malware, ransomware, their specialization and the distribution of that. People who have droppers, people who have networks, botnets, where they will use those botnets to do other things such as proxy attacks, enterprises, proxy attacks on other types of resources.

Donal Keating: Even within that, we see a level of automation that we have not seen in the past. So what we would call machine on machine activity is certainly evidence of some of the attacks that we see. But even in the final stages of a cyber crime attack, where it comes to either the ransomware, the exfiltration of data, or just the pure stealing of money out accounts as a result of phishing. The way that money is being muled has also increased. Now, not at the same rate as the sophistication we see in the phishing lures or in the methods of getting people's credentials, because the old saying goes, people used to hack into a computer system, now they log in. A lot of what cyber criminals are doing initially on the attack, is getting some set of credentials to get onto the environment, and then do what they do best, which is do cognizance work across the organization to see more people get more credentials and basically map out the network.

Natalia Godyla: With that, can you talk us through a couple examples of how these threats have changed or what new emerging trends are coming out?

Donal Keating: Let me give you an example, so banks obviously need to have a significant amount of protection for people logging in, so remote banking. So there's normally a control that says from a given IP address, there can only be, for a given user, there can only be a certain number of login attempts. Now, if you're like me, that's almost guaranteed to be five login attempts because I can never remember what my password is, but I know it's some combination of something. So it is not unusual for normal behavior to be one IP address, one username, three, four, five login attempts. Therefore, any protections that the bank put in place to make sure that the people who are hacking, it needs to meet that criteria, you don't want to disable the customer. And those controls very often called shape controls, will limit the amount of traffic coming into the bank from any one IP address.

Donal Keating: So I have seen a case doing what's called credential stuffing. So that's a single IP address with a single username and then multiple attempts to log in. So the attack that we saw, the bank had that control, how many attempts it had been set up at over 20 attempts per hour were allowed. And the bank realized they were having this credential stuffing attack. So what they did is they reduced the number of login attempts that were allowed. And within about an hour, this particular attack dropped down to 14 attacks per hour. Now this was not one IP address, there were 400 IP addresses per hour, probing the banking system. And as the banking system can change their controls, this network of machines adjust to their controls. They also need to do one other thing, the bank had controls as to where those IP addresses had to be located.

Donal Keating: The criminals had organized a botnet to deliver the traffic via proxies only in the region where they would be accepted. So they had done two things, they had modified the rate at which they were probing the username, password combination, and they were coming from the location that they were expected to come from. In cyber crime, that's becoming quite a common pattern, that you're not getting the IP addresses from halfway around the world, the login attempts are coming from the area that you expect them to come from. It starts to become quite difficult for defenders to defend against. Now, more barriers will be put up and the cyber criminals will figure a way to get around that, but the improvement in protections and the more security that is applied, requires these cyber criminals to become more inventive in the way they do their thing.

Nic Fillingham: So is that rapid agility, that ability to respond? Is that in part the sophistication increase that we're seeing the fact that, to use your example there, that those attackers were able to ascertain that the number of permitted tries per hour was reduced from 20 to 15, and the ability for them to identify that and then adjust their attack. That's in some way, what you're seeing in sophistication increase, whereas in the past, either that wouldn't have happened or it might've taken them weeks or even months to make that change?

Donal Keating: Well, two things, one is they are now using cloud resources to do this. So the attack is not coming from a PC somewhere, this is a battery of VMs set up to behave in a particular way. Their ability to deploy VMs at scale, give them instructions at scale to do these things is a thing that first of all, it just wasn't available previously. But the fact that they are now using the sophistication of technology that large enterprises use to commit crime is indication to me of increasing sophistication. For instance, there are many automated systems to take down. So there's lots of defenders in the world and they see traffic coming from things that they understand are malicious. There are many, many systems to communicate that threat intelligence across companies and those things such as a URL, a malicious URL can be taken down relatively quickly. But if the domain has the ability to stand up thousands of URLs per hour through automation, it becomes a machine on machine war.

Natalia Godyla: And on top of the speed and scale, it seems like there's also sophistication in the level of deception. You noted earlier that now it looks like a common user, they can spoof it. So can you talk a little bit more about that? So how does the ability to bypass our detection feed into them being more sophisticated?

Donal Keating: Well, let me give you an example. The weakest link now certainly, in security systems, are the humans. So one of the things that most security systems are very good at is recognizing malware, when it can see the malware itself. So for instance, you have a macro embedded in a document, basically that can be detected relatively simply. Well, if you then encrypt that document and send it through an email, the mechanics of detecting the malicious payload is hampered by the fact that that document is encrypted. But then what you need to do is you need to socially engineer the person receiving the document to enter a password and deploy the malicious payload. And that's where I'm saying, people log in rather than hacking anymore. They can assemble enough information about somebody to make an email coming, even from an unrecognized sender to be sort of believable and to encourage a conversation.

Donal Keating: And it's not a single email. If you're being targeted, like if you're a CFO or an admin of a system or something, they can be quite persistent over time. They can develop a relationship with that person and then eventually bingo, the malicious payload gets delivered. And they can send that in two parts. They can send an email and say, "Here is the password for the document that I am going to send you." That then, the human reaction to that is, okay, now I am expecting a document from this person. The document comes in and you have the password, that's social engineering.

Donal Keating: Now, there are lots and lots of lists of username passwords. And what they tell everyone is, do not share passwords across different systems, especially your private stuff and your work environment. Well, if you're like me and you have a terrible memory, one password is a really attractive proposition. And you may not go with just one password, you make it really clever and add a one, two, three, four at the end of the password. But for people who are looking at thousands and thousands of passwords and millions of passwords, because they've been leaked, they can understand the patterns that people use.

Donal Keating: The example is, if I'm trying to hack someone in Microsoft, I'm going to put the word Seahawks somewhere in the dictionary attack, because apparently that's what humans do. It's like, there are certain keywords that people trigger off and think, Oh, nobody can think of Seahawks. And I'm in Seattle. So let's say one individual is compromised in the company, that allows them then to log in to that account and then watch traffic. So what will they do? Someone might change their password, they don't want to be sitting on the email all the time. So what they will do is, they're going to your email preferences and they will forward emails that contain particular words. I've seen an attack where anything that has the word payment, invoice or bank in the email to forward it out to an external Gmail account. Then I don't need to get back into that account anymore because all of the emails containing those keywords are now being sent to me out on a disposable Gmail. I get to see all that email traffic.

Donal Keating: So now I have one half of a conversation. And this is where the sophistication becomes really important. Somebody sends in an invoice, we'll say for payment. Well, when that invoice for payment comes in, now, someone has a template of an email that contains an invoice and all of the language. I take the person, the email who sent that invoice in, and I generate a homoglyph of it, meaning a domain that looks almost identical to the sender. Very often it can be even just a different TLD. So instead of, it could be Microsoft dot GZ. And I can use exactly the same username.

Donal Keating: So now what I do is I insert a new mail into the chain, so I have the previous thread because they've been harvesting email from that person. And I now put it in my new email and says, whoops, there's a correction on the previous invoice, please change the banking information to this email. And we've seen this in phishing attacks. That sort of thing can be very pernicious. And that is quite widespread. That behavior of monitoring the email, the registration of a homoglyph, and then the conversion of a payment to a different bank account. We see that quite a bit now.

Natalia Godyla: So how are we thinking about response to these new threats? What's next for security to combat them?

Donal Keating: Well, all the time in the background machine learning, AI is getting smarter and smarter and smarter to protect the assets. And that's why in a lot of the cases that I talked about the objective is to get the username password, to commit that crime that is to login, not to hack in. Now, once they log in, they can do a lot of things. They will deploy remote access tools onto the network to enable them to do a lot of other things like the deployment of ransomware for instance. You need access to the system to encrypt everything. But that first step nearly always is the human element, the engineering, the human element to crack it open.

Donal Keating: And, it's a bit like with COVID-19, we're told to wear a face mask, wash our hands and keep six feet apart. The things that we tell people to do are not new or exciting. Make sure you're using multifactor authentication, keep unique passwords for each site, make backups. All of those things, it's good hygiene. But for instance, the use of multi-factor authentication, I've not verified it myself, but I've seen statistics that say that in excess of 90% of username password compromises would have been thwarted if people had been using multi-factor authentication. So-

Nic Fillingham: Some of the User ID team will quote 99% or greater. It's pretty significant.

Donal Keating: Yeah. so that to me is the wearing a face mask and washing your hands of protection from cyber crime. I have a small carve out for nation state. If the Russians or the North Koreans want to go after you as an individual, you need to tiptoe very carefully. There's all sorts of nastiness that can be done to you as an individual. But the reality is for most targets, it is this people access, username password combination, they log in and then they start the progressive taking over the account to do whatever it is they do. The worst being ransomware.

Donal Keating: It's not unusual. So, you talk about increasing sophistication. Ransomware was a big thing and then it took a hit. Why did it take a hit? Because people had deployed ransomware that were really destructive ware. They encrypted stuff and there was no keys existing. So suddenly everyone says, "Well, there's no point in paying a ransom because I'm not going to get my stuff back." So then the criminals had to go and do something else to prove that no, no, no. Really we can decrypt your stuff. So it's a kind of a marketing campaign.

Natalia Godyla: There's something very comical about the fact that the hackers had to get people to trust them that they were going to do what they say they're going to do.

Donal Keating: Oh, absolutely. Yeah, yeah, this is business no different from any other business. You get a bad reputation for something, you got to fix the reputation, or you got to get another way of leveraging people to do what you want them to do. And that's why I say there are people who are specialized in thinking up these social engineering things. They may not be coders at all, they may not know how to turn on a laptop, but they understand how humans work. There's other people then who are geniuses at writing the malicious payloads, writing the PowerShell scripts, obfuscating the PowerShell script so as normal detection won't pick them up that.

Donal Keating: This is a whole stack of various things with various levels of sophistication and increasing sophistication. But the criminal will tend to go to the softest part of the ecosystem to make their money.

Natalia Godyla: You mentioned that part of the challenge right now is that users are just getting smarter and so the hackers are responding in turn. If our users have been taught cybersecurity education on what is a phishing email, how is the evolution of education going to happen or what's next for education for the users so that they can prepare for this next wave of social engineering attacks?

Donal Keating: A whole bunch of interesting things tumble out of that question. The first one is we used to always say, go look for mistakes in the phishing email. If it looks like bad English, it's probably phishing or whatever. I actually heard at a conference that they were sometimes deliberately put into an email to trigger the spiny senses of anyone who is halfway security savvy. And the reason was, the person who fell for the phish was then going to be more gullible. They were trying to cut down the amount of traffic that was coming to them for someone who would do... I'm talking specifically about something like tech support fraud, where you'd get an email that your computer was about to run out of its license key or it had some horrible vicious malware on it, and you needed to contact this number.

Donal Keating: They would actually put in the sort of deliberate clues to anyone who was savvy. The result then, the people who were calling that number, were going to be much more gullible. So you also have to understand what is the goal of the criminal? And the phishing emails yes, they are getting much, much more sophisticated. But we especially in cloud, when you're looking at O 365 advanced threat protection, that description that I just told you, if something coming from and then another email comes in from microsoft.gz, we actually have exactly that detection running. These look alike domains, where you haven't communicated with that domain before, advanced threat protection will regard that as a high risk email.

Donal Keating: So for-

Nic Fillingham: That's a homoglyph, right Donal? You mentioned-

Donal Keating: A homoglyph, that's exactly yeah, homoglyph. It means something that looks like another thing. So, the classic example are the Microsoft spelt and O, you replace it with a zero. The I you replace with a one. And this business has become during the election for instance, people will look for the registrations of all of the legitimate vote Arizona or whatever. it was I think, and of course, someone registered I think it was. It looks exactly like you would expect. The response to something like that for government especially, you should only be standing up state material on a dot gov domain.

Donal Keating: So there are lots and lots of things that we need to educate people.

Donal Keating: The IRS, for instance, will never ask you to pay your income tax with iTunes cards. You would wonder how does that scheme ever work?

Nic Fillingham: Yeah.

Donal Keating: But they say that

Nic Fillingham: I've never had one of those phone calls, because I really want to hear the logic from the person that's trying to tell me what happened to the IRS as an institution where they now are relying on the consumer retail supply chain and the company Apple. And that's the only way they're able to accept funding. I want to hear that story straight from the person trying to try and pull the wool over my eyes.

Donal Keating: One of the things we do actually is, we call these people. So, every time we get the numbers, there was one that-

Nic Fillingham: I hope at home.

Donal Keating: ... we do actually what we call test phone calls. So, if you look at some of the other, I know this is not the subject of the podcast but, we've recently had big raids in India where 10 call centers were raided. All running tech-support scams. Taking people who thought they had something on their computer and paying subscriptions of to $300 a year to keep your computer protected. They are unsophisticated crimes. But the sophistication of persuading someone that they do have a problem is sophisticated.

Nic Fillingham: Awesome. Well, Donal, thank you so much for your time. Again, the report that we're referencing here at the top of the conversation is the Microsoft Digital Defense Report. It's about 38 pages of fascinating insights into the state of cybersecurity. And a lot of the topics that Donal touched on in this conversation are elaborated on in much more detail there. We'll put the link in the show notes. Again, Donal, thank you so much for your time.

Donal Keating: Very happy to be here. Thank you.

Natalia Godyla: And now, let's meet an expert from the Microsoft security team to learn more about the diverse backgrounds and experiences of the humans creating AI and Tech, at Microsoft. Today we're joined by Michelle Lam, a threat hunter at Microsoft. Well, thank you for joining us, Michelle.

Michelle Lam: It's a pleasure. Thanks for having me.

Natalia Godyla: Yeah, of course. Well, can you start the show by just telling us a little bit about your day-to-day? What do you do at Microsoft? What is your day-to-day look like?

Michelle Lam: Sure thing. So, I could tell you about the boring things, which is that, I look at a bunch of data and spreadsheets. And I look at them and I say, " Bad things happened, or everything is fine and people are off doing their normal things." But I guess the more complicated story to my work is that, what I look for is patterns in data that might indicate malicious activities. So that, might, could be anything from human-operated ransomware, to new malware strains, or even just new pivots in activity in general. So, things that we can feed into the rest of the Microsoft ecosystem for security.

Natalia Godyla: And threat hunting is a relatively new space, correct?

Michelle Lam: Yes it is. But I think it's interesting, because the concept of threat hunting has existed, but it's always been in other realms and security. So, if you think about things like security-tracking or security operation centers already looking at alerts and whatnot, or on the idea of incident response, the concept of threat hunting is already baked into a lot of these more traditional spheres of security. So, yes, it is new, but I think it's always existed in one form or another.

Natalia Godyla: Do you feel like it's become a stand-alone part of security now? So it's been baked into these different aspects of security in the past, but now we need it as a stand-alone function?

Michelle Lam: I think that really depends on where you're at? What kind of organization you're in? And what are you trying to do with that data? Because, it doesn't make sense to go hunting for data and the deep, deep sea of data that exists. If you have data that you need to analyze for a purpose, I think that's what threat hunting is really great for. For me, I'm looking for data because I want to figure out," what context can I give it that will be helpful to a customer? Or to the rest of Microsoft as a whole?" I think if you ask that question to anyone else in any other organization, then it's a different story because what part of that data is interesting to you is different for everybody, depending on your sector, depending on your organization, depending who you are even.

Nic Fillingham: And what is that sort of, Stat focus area for you, Michelle. How do you scope down that near limitless sea of data for looking for threats?

Michelle Lam: That's a fantastic question. I think I'm really interested in looking at different techniques that already are well known in the industry. So, things like using PowerShell, using Scripts, different ways of disabling security mechanisms. Those are techniques that already exist and can be used in one-off occasions. But what I'm really interested in, and when I look for this data is how I can correlate all of these little things that might happen one at a time, in a benign case. But if they happen all together, how can I combine that and say, "Is this related to a specific activity group? Or is this someone who's doing a penetration test? What sort of things can I identify about how they were executed or how they're launched? And can I make that connection to something else and provide that context elsewhere?"

Nic Fillingham: Would you mind telling us about your journey into security? And then how you found yourself working for Microsoft?

Michelle Lam: Sure thing. So I guess my story, even entering security really has to start with this journey of me entering tech as a whole. So, I myself, I come from a low-income family, and a family of immigrants. And so it was really interesting for me to decide what my career path was going to be as I started this journey of, "okay, well, I'm leaving high school. Where do I go?" And the direction that I was going to take was in the business direction. And I ended up deciding, with the encouragement of a few of the teachers that I'd had at the time to go into computer science. I won't lie, I was a little motivated by money, who isn't? But when I actually got into college and I discovered what you could really do in the field, I was really intrigued.

Michelle Lam: And I tried to figure out, " What does it take to be more technical? And what else is out there?" So, while I was at college, I actually joined a security club. And there were a couple of students there that helped mentor me for the process of writing my own code, to do the very simple things like encrypting or decrypting data. And that moved on into me actually getting internships and learning how to code and ending up at Apple and working in cryptography and wondering, "what the heck am I doing? This is so cool, but I have no idea what I'm doing." So, my entry into cybersecurity was really fueled by this curiosity of, "I have no idea what I'm doing, but I'm going to continue to do it". And for me, that continued up until my last year of college. When for a lot of low-income and first-generation college students, there's this very common pattern of, it takes you a little bit longer to graduate from college because no one you've ever known has been through this process.

Michelle Lam: And for me I was, to be frank, I was scared. I didn't know what it would mean for me to go out into the industry. So, I wanted to figure out what I wanted to do. And I wanted to figure out what to do in security. So, I actually attended a Women in CyberSecurity Conference, and I attended a talk by these two women that I really admire in the industry, Malware Unicorn and Maddie Stone. And they were super friendly and they did this course on Reverse Engineering and Assembly. And I was like, "Oh my Gosh. This is so cool. This is a field where I don't necessarily have to be coding, but I can put a lot of that low-level knowledge to use that I've learned in college and I can figure out what malware does. I can solve a problem."

Michelle Lam: So I really took that into consideration as I moved forward. And I ended up teaching a course for my senior project about reverse engineering. I didn't know very much at the time, but that is what I decided to teach. And I also took an internship that was based in Incident Response and Computer Forensics at a government laboratory. And it was a super weird internship to have. It's not normal, I think for a lot of my peers to have that experience of, you go to a government lab, and it's a very different experience than what you expect. And you also reverse malware and you figure out what the baddies do. So, it's a little hard to explain to your peers, but I absolutely loved it. And I figured out, "This is what I want to do when I grow up. When I exit college and I graduate this is going to be it."

Michelle Lam: So, that's my short story of how I got into security. And from there, it was a bit of a pivot before I ended up at Microsoft itself. So, after college, I had decided to go down this route of, " I can do a little bit of incident response. Okay, I'm going to take a job in incident response." So, I moved to Atlanta to take our role in incident response consulting, where I learned a lot. And they did a bunch of little things, but I didn't really know if I was advancing myself or learning about the baddies in the way that I wanted to. And it so happened that I attended a conference that's very focused on reverse engineering called REcon, which is in Montreal. And I met a few people that I'd actually met at some other security conferences when I was a little more junior in my college career.

Michelle Lam: And I was like, "Well, what's going on?" And they're like, "Hey, I'm at Microsoft. I do cool things. You should come here and do cool security things too." And I was like, "But, are you sure?" And they're like, "yeah just chat, it'll be fine." Long story short, a few months later, I took a job offer from Microsoft, for my current team, The Microsoft for Experts team. And here I am getting to hunt on and look at really interesting data. So for me, it's been this really interesting journey of exploring and running into this field, and trying to figure out, how do you enter it without a ton of mentorship from those around you?

Nic Fillingham: If someone listening to the podcast sees a bit of themselves in your story here, what would you recommend for how they maybe, go and find some of those support groups, maybe some of those mentors, maybe some of those industry bodies that could help them out early on in career, to get some of these experiences? Is there any tips or tricks you'd want to pass on?

Michelle Lam: Yeah. So, I would say the biggest things for me were building a really strong network over social media. So that doesn't mean, go out and tweet all the time because, I certainly don't, but I definitely found a lot of really resourceful things on Facebook groups and Twitter groups. Even some of the internships that I actually applied to and got offers from, were things that were shared on a Facebook group for like Women in Security or Women in CyberSecurity. I only found out about a lot of conference sponsorships for following different Twitter feeds and seeing, "If I follow a bunch of these people, someone at some point is going to share some way that I can attend DEF CON or another conference for free or for reduced rate or some form of sponsorship. So, that's been really important for me as I grew my career and I definitely plan on giving back at some point because, I would not be here if it weren't for that.

Natalia Godyla: It's interesting because I think for many of the people that we've chatted with, it's been a little bit more of a winding journey to security. But in your case you started with Comp Sci but you ended up thinking about security already when you were in school. So, how was that experience seem different than some of your other colleagues who have started in other backgrounds and have then made their way to security? Do you feel like it's been helpful to know that security was your path when you were in college? How does Comp Sci factor into it?

Michelle Lam: For sure. So, in a way I do feel like it's been really helpful for me to join security and find out about security so early on, because, I feel like I've been able to learn a lot and be able to put a lot more of, I guess, some of the foundational computer science skills into use. Things like learning assembly which in college, if you're a college student right now and you're taking any assembly course, you're like, "I'm never going to write in this super low-level language. Why am I doing this?" Well, it so happens that when you work in this industry, you want it. Or if you take compilers. Compilers is surprisingly useful in security.

Michelle Lam: So, I guess, what I think about a lot in terms of my career progression in comparison to some of my peers, is that I do feel a bit of a disadvantage sometimes because, I'm still quite junior in my career. I'm maybe two or three years out of college at this point, so there's still plenty that I have to learn, but I do feel that I don't have that traditional security experience. A lot of folks on Twitter and in the traditional security spheres, talk about this concept of, "You need CIS Admin experience to be a security person. You need to know all of these things. You need to have worked for 10 years, 15 years in security before you can become a threat hunter." And I'm like, "Did I make a career mistake?" To be honest, I have imposter syndrome about it quite a lot. But, if you think about it, everyone has this different take on what they're looking for when they're threat hunting.

Michelle Lam: And what's valuable for me, coming from such a junior and such an almost indoctrinated security experience, is that I see these things and I see that they look bad, but I have a different way of relating to the data in which I might say instantly, "This is bad, and here's why," or "This looks weird," and someone's like, "No, you're wrong." And I'm like, "Well, you're just saying that because it looks like something you've used before. But I've never seen it and it looks malicious."

Michelle Lam: So I think it's all about, there is a joy and a need for us to have different perspectives when we're hunting across data, and when we're looking across data. Because everything looks different to everyone, especially in this industry. And it's about, how do you take those arguments and how you condense it down to, "It's not argument. It's us trying to understand the data," that's really important.

Natalia Godyla: So Michelle, how does AI and ML factor into your role? How do you leverage those tool sets to help our customers?

Michelle Lam: We actually use AI and ML in several different detections that we use. Whether that be ranging from the antivirus in the AV side of things, to things like Windows Defender for endpoint. We might be looking at different signals and putting those together in different ways to figure out, if users are performing this type of recon several times in a row, that's malicious, that looks like exploration activity, right? There are other ways that we're looking at using it that might involve... We see this particular activity group perform this activity in sequence. When we see that, that's an indication to us that there is maybe this activity group is on this machine.

Michelle Lam: And that's really interesting data for us to have, especially as we hunt and we track that data because maybe we're not completely sure the history of what we've looked at in security, I think, has always been very indicator of compromised base. It's been very focused on, we see these hashes, we see these files, we see these IP addresses, but what happens in a world when you can't really use that information anymore to hunt? For me, I'm really interested in when I see this behavior, how can I use that? I think that's something where AI and ML is super powerful and super helpful for us as we figure out like, if I were to move away from a world of IOCs, this is where we would go and this is how we would build a detection in order to actually catch a group in action.

Nic Fillingham: We've already spoken to a few folks on the podcast, Michelle, that are working on behavior based detections and try and leverage ML and AI to do that. I'd love your perspective on your role as a threat hunter and what makes threat hunting as a process, and as a task, and as a role, what makes that sort of a uniquely human-based function, as opposed to simply a bunch of algorithms out there running in the cloud?

Michelle Lam: I think there's two different ways to think about this. And one of them is that, well, how did the algorithms get created? You still have to teach the algorithms how to use that data. We are working with several data scientists to actually figure out how do we feed your algorithm that data that actually says that this is tied to an actor. And you can't do that without actually having a human to hunt across that data and understand what it means.

Michelle Lam: I think the second component to that question is that attackers are human too. If they weren't human, then it would probably be a lot easier for us to catch them, and maybe we wouldn't be having this conversation, and maybe I wouldn't be having this job. But because attackers are human, we have to pivot ourselves to align with them. You can't expect machines to catch everything that a human is doing, but if we have humans that are looking at other humans activity, we might be able to predict and start learning off of what they're doing and build that into our algorithms so that algorithms can assist us to do the heavy lifting while we look for the new things that are happening.

Nic Fillingham: I love it. That was a great answer.

Natalia Godyla: This is a bit of a big picture question, but it sounds like a lot of your path to security has really brought you to this role to threat hunting. What would be next for you? Are you interested in continuing to pursue a career in threat hunting, or are you looking to explore other aspects of security down the line?

Michelle Lam: I think that's a really wonderful question and it's tough for me to answer, being so early on. I think about a lot of the questions that you get asked about when you're pretty junior in your career, right? I won't lie, everyone has asked me, "What's your dream in five years? What do you want to do in five years?" And I'm like...

Natalia Godyla: Every time you come home for the holidays.

Michelle Lam: Yes. So, I don't know. I think about this a lot and I have to say, I actually do think I'm in my dream position right now. It's a different question of where I want to take my role and what I want to do with it really, because I love hunting across data. I love finding weird things. Like, what does this do? And how can I learn what it's doing?

Nic Fillingham: What's the weirdest thing you found? What was your, like, you woke up in the middle of the night with like, "Oh my God, that was so weird?" Has anything stuck out?

Michelle Lam: I want to say that I could answer that, but I'm not sure that I can actually share it, so it will just have to be a mystery.

Nic Fillingham: Can you hint at something that doesn't jeopardize any OPSEC?

Michelle Lam: No, that's kind of the joy about being a threat hunter. I don't want to share too much, I don't want to tip anybody off.

Natalia Godyla: What big problems are you passionate about solving in cybersecurity? Are there any challenges that you're seeing that you'd like to tackle throughout your career?

Michelle Lam: That's such a hard question to answer, because I feel like I am tackling a lot of really big problems as it is, fighting the fight against human operator ransomware is huge. But I think if there's anything that really is important to me in the way that I was raised and how I got into this career, it's about how do we make security and option for those who security might not have occurred as a first option? How do you make sure that security shows up for those that are underrepresented communities?

Michelle Lam: Because it's not just a matter of physical security, but cyber security is so incredibly important for these communities. How can you make sure that they have access to it when they need it? There are a lot of scenarios that these communities have to reach out and figure out how they can get support in tough times in these kinds of situations. I would love to figure out what does that look like for me and for others.

Natalia Godyla: I feel like this comes back to what you said earlier about all the communities that you can reach out to. It's always an aspect of you reaching out to try and find these communities. I think that proves out that some of these resources or niche are difficult to find right now, and that you have to put the effort into doing it. So just easing that access.

Michelle Lam: For sure. And I think that's something that I've always struggled with, is this idea of how do I balance my career, progressing in my career versus helping the communities that I've come from. I've done work in the past, a volunteer with organizations like Girls Who Code, and we've brainstormed quite a bit internally of how do we volunteer our efforts to actually teach underrepresented communities, people of color, women who are younger, who might not traditionally come from a tech career path? How do we teach them these cybersecurity skills? Because we're constantly running out of cybersecurity professionals and the only way to solve it is to grow the base of cybersecurity professionals that exist. So how do we teach them and how do we introduce them to this field in a way that makes them feel like they belong?

Michelle Lam: I feel like that's a really important problem to solve, especially because I come from a place where had I not gotten lucky at college and ran into a club full of cybersecurity people, maybe I wouldn't be here. And for me, that's scary to imagine because I love what I do. And I love that I get to feel like I'm saving the world. So what does it mean if I teach others to do that? How do I do that? That execution is... I don't know, the idea of that is so interesting to me and I think there's a lot of impact that I could have.

Nic Fillingham: Michelle, are there any organizations you want to plug?

Michelle Lam: I would like to talk a bit about Blackhoodie, which is this really awesome organization that was founded by a couple of ladies off of the Twitter security community. It's really a community of women who are teaching these reverse engineering workshops that are meant to be technical, and to really teach you about technical low-level skills that could get you into reverse engineering or into the security community. All of the women that I've met from being a part of Blackhoodie have been absolutely amazing. I stay connected to them to this day, and I've even taught a course for them at a previous Microsoft conference, BlueHat. If you are a lady listening to this, I would super recommend that you go check them out on Twitter and see if they've got any courses coming up that you might be able to attend because they're free and they're taught by some really, really intelligent woman across the security industry.

Nic Fillingham: What do you like to do in your free time, michelle?

Michelle Lam: That's a really great question. My favorite-

Nic Fillingham: Apart from quarantine for eight months.

Michelle Lam: Okay, fair. Quarantining is a fantastic hobby. My hobbies are drinking lots of bubbly water, playing with my puppies, and fashion. I love fashion. Someday, if I'm good enough, I would love to compete with Jessica Payne in Malware Unicorn. We'll see if I get there, but I want to have a security idle fashion competition.

Nic Fillingham: As in where you make clothes? No, what would that look like?

Michelle Lam: I don't know. I guess we could all just attend a security conference and wear ball gowns and I don't know, compete against each other. I'm not sure what it would look like.

Nic Fillingham: Tell us about your puppies.

Michelle Lam: Yes, I have two puppies. One of which was obtained during coronavirus, her name is Kali, after Kali Linux. Very secure. And our other pup is Nelly, who is a beautiful rescue.

Nic Fillingham: Do they have an Instagram account?

Michelle Lam: No. I mean, even if they did, I'd like to maintain a little bit of OPSEC, so maybe not. Sorry.

Nic Fillingham: Well, Michelle, we're very happy that you found your path to both security Microsoft and thank you for doing the work that you do and best of luck helping others find their path as well.

Michelle Lam: Thank you.

Natalia Godyla: Well, we had a great time unlocking insights into security from research to artificial intelligence. Keep an eye out for our next episode.

Nic Fillingham: And don't forget to tweet us @msftsecurity or email us at with topics you'd like to hear on a future episode. Until then, stay safe.

Natalia Godyla: Stay secure.