
Episode 76: Microsoft Security Research Insights

May 03, 2023 | 27 min | Season 1 | Ep. 76

Episode description

In this episode Michael, Sarah, and Mark talk with guest Negar Shabab. We also discuss Azure Security news about new Confidential Computing VMs, SQL Server, T-SQL Parsing, Auditing in Azure SQL DB, Sentinel and more.

Make sure you go to The Microsoft Azure Security Podcast (azsecuritypodcast.net), because Mark ordered pizza during the recording.

Transcript

Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy, reliability, and compliance on the Microsoft Cloud Platform. Hey, everybody. Welcome to episode 76. This week, it's myself, Michael, with Mark and Sarah. We have a guest this week, Negar Shabab, who's here to talk to us about Microsoft Security Research. But before we get to our guest, let's take a little lap around the news. Mark, why don't you kick things off?

So a couple of things that I've been focusing on lately that I thought would be of interest. The first is a call out and request. So the new version of the Microsoft Cybersecurity Reference Architecture (MCRA) is in development. So I'm working on that quite a bit lately.

Definitely got a plan for all the things that we're doing in there, but would love to hear any requirements, thoughts, ideas from folks on how you use it, what you wish it had in it, and what you wish was a little bit different or a little bit clearer, had a little more detail, something like that. So I'd love to get feedback on that. So just hit me up on LinkedIn or Twitter or whatever. Love to hear what you are interested in there.

The other thing that's been interesting to me is, I've had a few conversations recently around what I'm calling, for lack of a better term, a security alignment paradox. So I posted a slide, it's actually part of the architecture design session module for the end-to-end Zero Trust architecture that we're delivering through our unified engagements.

It's part of a Rosetta Stone where you've got all these different models like defense in depth and Zero Trust principles and the cybersecurity framework, and all these other things that guide us, like MITRE ATT&CK, etc. And put them all together in one place and explain what they're good for, what they're not. That's part of that workshop that ends in an architecture.

But one of them that we ended up creating over the course of this, as we were trying to do some planning and stuff, we realized that it's nearly impossible to map defenses cleanly to attacks or to business outcomes from security.

So security is in this difficult, unexplainable position in some ways, and not unexplainable entirely, but just the things that we do that are the right things, the most important things to do to mitigate risk, they're going to mitigate on a many to many basis different attacks. And so it's not like, oh, you do this one thing and then magically this attack disappears, like that doesn't actually happen. And if you do this one thing, then you magically fix this business risk.

That doesn't happen either. So security is sort of caught in the middle. And I'll be honest with you, it's sort of an interesting realization. It took off on like 15,000 impressions or something like that. And I don't know, a couple hundred reactions. It was very interesting to me that it took off. Because I don't know, I think security people like bad news for some reason. But I'm trying to kind of figure out what to do with it, to be honest, because it's a truth and it's useful.

But I haven't quite figured out what it's useful for. I mean, it helps us explain that security is hard, and it's kind of a nice, simple visual for doing that. But I'm just trying to figure out what people think about it and how we can use it to sort of help our industry move forward. So yeah, definitely interested in folks' feedback. We'll include a link to the LinkedIn post that has a visual and sort of the current discussion, et cetera.

But yeah, those are the two things for me that's going on in my world.

So I've just got one piece of exciting news, which is that my baby, Microsoft Sentinel, is now available in China. So that's something that a lot of customers who have operations in China have been asking for for a while. You may or may not know that Azure in China is physically separate from the rest of Azure, a bit like our GovNet, so it can adhere to local regulations.

So if you wanted to use Sentinel and you wanted to use it in China, it's now available in public preview in the China East 2 region. And I do know that there are quite a few folks, both within China and some international companies that have presences in China, that wanted to use it. So that's good news. And that's just my one bit of news this week.

So I've got a few little items. The first one is we have some new confidential VMs.

If you are familiar with the current sort of incarnation of the confidential VMs, they presently use an AMD EPYC chip. And essentially, the root of trust is all the way down in those CPUs. We now have some new confidential VMs. They're in preview. They're the DCesv5 and ECesv5 series. And they use Intel TDX, which is, if you squint, a similar idea. So they're in preview right now. Next one is, this is actually kind of cool to see.

We're kind of alarmed at how many people don't use auditing in Azure SQL Database. And we think part of that may have been the documentation wasn't exactly, let's just say it could be improved. Well, it's been improved. And so there's a link in the show notes to the new sort of landing page for auditing. It explains things really, really well. It explains all the requirements to set up auditing in Azure SQL Database. So it's had a complete rework, which is great to see.

Next one, which has got nothing whatsoever to do with security really, but it's something that's in my backyard. There's a new .NET library for T-SQL parsing. Now, more importantly, it's available in open source. And it's called ScriptDom. And it's basically just a NuGet package that you can download.

The nice thing about it is if you wanted to do static analysis of T-SQL statements in some code somewhere, so for example, detecting SQL injection vulnerabilities or something like that, you now have available at your fingertips a library that will actually do the parsing for T-SQL. So T-SQL is Transact-SQL, which is the flavor of SQL that SQL Server and Azure SQL Database use. And the last point is I wrote a blog post. It's up on the tech community website.

And it's called The Importance of TLS with SQL Server. And the same applies to Azure SQL Database. But basically, it's explaining just how important TLS is. And it's not for the reasons you think. A lot of people think that it's just about, hey, you know, protecting my credit cards as they fly across the wire. Yeah, that's important. But in actual fact, the most important thing it does is provide server authentication.

And then once you have the server authentication, then you can do the channel protections. And unfortunately, people get that server authentication part wrong many, many times through various settings in their SQL connection strings. So I go through all of that. And basically, at the end of it, just plead with people to please just do TLS correctly. So with the news out of the way, let's turn our attention this week to our guest.

This week, we have Negar Shabab, who is here from Microsoft in Melbourne, Australia. And she's here to talk to us about Microsoft Security Research. So Negar, first of all, welcome to the podcast. We'd like to spend a moment and introduce yourself to our listeners. Hello. Hello, everyone. Pleasure being here. I'm Negar. I've been with Microsoft for three years now. I'm part of the Microsoft Threat Intelligence community, working for Windows Defender.

And I've been doing malware research for over 10 years now. That's what I am. Fantastic. So I want to ask the most obvious question to start off with. So you're actually the first person we've actually had on the podcast from Microsoft Security Research. So what do you do? I mean, what does a typical day look like? And what sort of things do you focus on? Do you just sit in front of IDA Pro all day, like debugging malware? I'm just really curious as to what you sort of do on a day-to-day basis.

And what's the team's focus? We have a very large team of researchers. All the day-to-day jobs are kind of different. Even inside Defender, different teams focus on different areas and different types of malware or attacks. For me, I'm part of a team in malware that mostly focuses on adware and browser-based threats. I personally don't use IDA every day, but once in a while.

And so our research has a wide range of different things we do, from looking at one specific attack module, like looking at it inside IDA, as you said, or analyzing it with different tools, to looking at the whole family or the whole campaign, and doing some sort of threat intelligence, to just trying to improve detection for our known malware.

Yeah, so something I should probably explain is IDA, spelled I-D-A, it's a very commonly used tool for understanding what malware does and also for things like debugging patches and those sorts of things. So it's a very, very common tool used throughout the professional security community. You said different teams focus on different things. Obviously, because there's a huge number of threats out there to research.

Are you able to talk a little bit about specifically what your team do and the kind of things that you can see? Basically, we are not in silos. So we kind of work together with different teams. For example, specifically our team are in contact with Edge or Bing or some other teams to find the research areas we do every day. So we basically focus on any kind of browser-based threats. This is one of our main focuses.

To give you some examples, all the malicious browser extensions you might get installed on your system. It might be something you install or something that you pick up during installing something else or just browsing the internet. And this is one of the main focuses of our team. And another thing is any other type of adware, not necessarily browser-based, but any kind, like any tool advertising, hack tools, or whatever. I'm kind of curious. There's a couple of questions that come to mind.

It seems like you focus on browsers. There's obviously people that break down malware of different types, et cetera. So I'm kind of curious, what are the different types of researchers that are sort of out there? Because I'm sort of a novice to the whole security research space in some ways, career-wise. And then the other question I have is, how much of this is proactive versus reactive?

You've got the actual malware and the actual things people are doing versus what could be done more of like a red team attack simulation perspective. I'm kind of curious how that blends out. So are you talking about malware research in general? Just in general. Just thinking of someone that's completely new to security research, how much of what you do is looking at what attackers are already doing versus trying to anticipate what they might try next? That was a very good question.

Actually, we always look at the attacks from these two different perspectives, from an attacker point of view and the defender point of view. In our team, we don't do the red teaming or the offensive part of it. But it's a very big area, security research umbrella. I've done a little bit of that. I tried during these years that I'm doing security research, I tried getting into different areas a little bit. It's very cool to do red teaming.

And I guess it also helps you when you do the other side, like when I'm working on the defensive side, it helps me to have a little bit of knowledge about the offensive side of it. That's interesting. So I didn't realize that there was sort of the red versus blue kind of elements within the research space. That's kind of cool. Do folks kind of cross between different technology and focus areas? Like people get bored with browsers and they want to work on different types of malware?

Do folks tend to focus in the same area? I'm just kind of curious there. We are pretty flexible. We try to experiment different areas. Definitely not a very routine job. And we don't get to work on the same thing or similar things over and over. Depends on the attacks we see every day. We have to kind of adopt the nature of evolving in the attacks, in the attack scenarios. Gotcha. So it sounds like in your world it's very attack driven and what the attackers are doing and trends and whatnot.

Yep. That's right. And I assume that the research that your team does, a lot of that ends up in our various Defender products. Is there any, could it end up in any Defender product? Or is it like Defender for endpoint or something like that? What sort of products do you end up sort of affecting? I guess our research end up in any Defender product. Yeah, we basically everything we do in our team, one of their main goal is to end up in Defender.

Most of our research is what we do, we want to add it to the Defender and improving the detection. So one thing I sort of touched on briefly is, you know, you have different types of researchers like, you know, you got like red, those in red teams and blue teams and so on. Someone was interested in getting into sort of security research, like malware research. I mean, where would you start?

I mean, you know, if I'm sitting at a computer right now, like, you know, I really want to just sort of learn more about malware security research. I mean, what would you advise people to do next? I can say there are different areas in malware research. My suggestion is that to go and learn about, like, get into any of them, like try to see which one do you like, learn from each area a little bit and try to see what are you interested in.

And there are different, they have different, like there are some things in common between all of them, but definitely people are, some people are more interested in the red side. Some of them are more interested on the blue side. Yeah, give it a go. Try to build skills on different sides and see what suits you. All right, let's take it one step further. So let's say you want to be on the blue side, right, which is the defensive side.

So give me an example of what you, or say examples if you could, of what sort of tools or technologies or techniques you think people should set down and study. I think reverse engineering is one of the main skills you need. Even if you want to do malware research or if you want to do incident response or any other areas on the blue side. And I think reverse engineering is, it actually helps you on the red side as well. But yeah, I guess it's one of the main skills you need to have.

So, and that's where IDA comes in, right, to help with the reverse engineering. Yeah. But on that topic though, it's funny you should bring that up. I mean, if you're reversing some malware, you've really got to have a programming background, right? Is that a fair comment? You should know some programming. Yeah, you don't have to be a professional programmer. That's good to know. I mean, I remember this is a while ago and I was debugging something with, someone was watching me do it.

And I ended up stepping through the assembly language. It was on x64. And this guy's like, what are you doing? Why don't you just debug the C code? It was written in C. I'm like, why don't you just debug the C code? I'm like, I mean, I could, but I really want to see what the code is really, really doing. And an optimizer can easily change the C code or the C++ code to be some completely different assembly language. So I want to just see precisely what the code is doing.

And that's why I was single stepping through, single instructions. And in fact, I think this is my advice, I guess, for people if they want to do reverse engineering, is you're probably going to have to learn assembly language as well, because again, knowing what the malware is doing, they're not going to give you the source code. So you need to really step through the assembly language. So you're going to have to learn basic assembly language as well.

Is that a fair comment or do I just scare a whole bunch of people off? No, that's fair. And I can say that if you are a C programmer, you don't always get malware written in C. If you want to work on different kinds of malware, you have to be curious and constantly learning different programming languages. Not like you want to code in that programming language, but you have to understand it.

So yeah, even if you know C, it doesn't necessarily help you in analyzing all kinds of malware. Yeah, that's a good point. That's a really good point. Actually, so on that topic. So what languages are we seeing as the predominant languages now that people are using to write malware? Different types of malware are written in different types of languages, like script malware. Even some executables are written in script-based languages, like Node.js or different types of programming languages.

And I'm not an expert in that area. Can you tell us a story? Tell us about a fun case at work where someone sort of surprised you or was it interesting or you learned something interesting. I'd love to hear sort of what it's like to sort of run something down. I guess we get surprised every day. So with any piece of new malware or new campaign, you see something new and then you have to learn it. You have to learn how to analyze it and how this would work.

I don't have anything specific on top of my mind, but yeah, definitely like with every malware campaign we work on, we see like new and interesting techniques. With regards to what you see in your research, do we see the same sort of culprits doing attacks over and over again or is it lots of different people? It's just like the whole internet. Are you able to tell us a little bit about kind of what you see at a very high level there? It really depends on the attack itself.

There are some attacks that, as you know, that there are some nation-sponsored attacks. So I can tell you that we've seen like different attacks from the same actor again and again. So the actor might be the same and they might use same techniques or even same modules of the old attacks and the new attacks. But definitely there are new attackers every day. But what we see is that we've seen evolution in the same attack a lot.

Attackers try to prevent getting detected, so they change the attack chain a bit, preventing the detection and getting their way in what they do. If we see a different attack with a new approach, we can say that it's the same attack with a different approach. Yeah, that same actor. Do you find that the different threat actors are learning from each other? Yeah, definitely. Yeah, and we see a lot of different tools, like same tools using by different attackers.

I realize this is, Mike may have an opinion on this, but it's interesting. My guess is there's a whole ecosystem behind this, right? There are people who can generate malware and then people who purchase the malware to be used against victims and so on. Not just threat actors writing their own malware, they're probably purchasing it from other people who are experts in writing malware. Any thoughts on that?

Again, I know Mike will probably have an opinion, but is that something that we see as well? Yeah, definitely. You're right. There are some people that are writing different pieces of malware and they sell it to different people who want to use them. So yeah, it's not always the attacker is writing every piece of every module since they attacked themselves from scratch.

Are you able to talk a little bit about how the research that you do, because of course Microsoft does do the research for a reason, are you able to talk about how the research that you and your team do end up in Defender products? That's a very interesting question. So as I mentioned earlier, one of our main goals for our researchers is to improve the detection for our Defender.

So what we do is when we look at the malware, different modules separately or the whole behavior of the attack, how we add that sort of knowledge into the Defender is by adding some sort of malware signature to the Defender. And malware signature would be like any sequence of bytes from the malware we analyze or something like a hash or something behavioral. So we see some kind of behaviors in the malware or some sort of something unique about a piece of malware.

And we add them as a signature for that malware. So everywhere, like in any system, Defender picks up some sort of behavior or a file with those specific features or sequence of bytes, it detects that specific malware. That's really cool. I always find how we get all of this information and all this research that we do into Microsoft products and doing something for people who are using them really, really interesting.

Yeah. I mean, at the end of the day, the stuff's got to be shipped products, right? So it's good to see all this work going into products to protect our customers. All right. So let's wrap this thing up. Hey, Negar. So one thing we ask our guests is if you had just one little thought to leave our listeners with, what would it be? As a researcher, I want to talk to the other researchers in this area.

I want to tell them to stay connected with different researchers because you're going to get some opinion from people and learn new areas every day. People have different skills and different interests. So you might learn new things from staying connected with the community and other researchers. Yeah, that's so true, isn't it? I mean, you think you know it all, but in actual fact, you really don't.

Yeah. Talk to five security researchers and five security people in general. You get 10 different opinions anyway. But that's really good advice. All right. So with that, let's bring this episode to an end. Negar, thank you so much for joining us this week. Again, you're the very first person we've had from Microsoft Security Research. So that was good. Thank you to all our listeners out there. We hope you found this episode useful. Stay safe and we'll see you next time.

Thanks for listening to the Azure Security Podcast. You can find show notes and other resources at our website azsecuritypodcast.net. If you have any questions, please find us on Twitter at @AzureSecPod. All of our background music is from ccmixter.com and licensed under the Creative Commons license.

Transcript source: Provided by creator in RSS feed.
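The TLS point Michael makes in the news segment (server authentication comes first, channel protection only follows from it, and connection-string settings are where people break it) is easy to turn into a concrete check. The script below is an added example written for this page; it is not code from the podcast or from the blog post mentioned. It uses the keyword spellings of the ADO.NET and ODBC SQL Server drivers (Encrypt, TrustServerCertificate) and the connection strings in it are constructed for illustration; the "Use Encryption For Data" alias and the Strict/Mandatory/Optional value spellings are assumptions about driver syntax rather than anything the episode states.

```python
"""Audit SQL Server / Azure SQL connection strings for TLS settings that drop
server authentication. Added example; not code from the podcast or blog post."""
from dataclasses import dataclass

# Value spellings the SQL Server drivers treat as on/off (assumption: Strict,
# Mandatory and Optional follow the newer Microsoft.Data.SqlClient syntax).
TRUE_VALUES = {"true", "yes", "1", "strict", "mandatory"}
FALSE_VALUES = {"false", "no", "0", "optional"}
# Keyword aliases after normalisation (lower case, spaces removed). Assumption.
ALIASES = {"useencryptionfordata": "encrypt"}
CANONICAL = {"encrypt": "Encrypt", "trustservercertificate": "TrustServerCertificate"}

# Constructed sample strings for the demo (no real hosts or secrets).
WEAK = ("Server=tcp:myserver.database.windows.net,1433;Database=orders;"
        "User ID=app;Password={p;ss};Encrypt=false;TrustServerCertificate=true")
IMPLICIT = "Server=db01;Database=orders;Integrated Security=true"
GOOD = ("Server=tcp:myserver.database.windows.net,1433;Database=orders;"
        "Authentication=Active Directory Default;Encrypt=true;TrustServerCertificate=false")


def _split_top_level(conn: str) -> list[str]:
    """Split on ';' but not inside {...} or quotes, so Password={p;ss} survives intact."""
    parts, buf, depth, quote = [], [], 0, None
    for ch in conn:
        if quote:
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            buf.append(ch)
        elif ch == "{":
            depth += 1
            buf.append(ch)
        elif ch == "}":
            depth = max(depth - 1, 0)
            buf.append(ch)
        elif ch == ";" and depth == 0:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def _pairs(conn: str) -> list[tuple[str, str, str]]:
    """Return (original key, normalised key, unwrapped value) for each Key=Value."""
    result = []
    for part in _split_top_level(conn):
        if "=" not in part:
            continue
        raw_key, value = part.split("=", 1)
        raw_key, value = raw_key.strip(), value.strip()
        norm = "".join(raw_key.lower().split())       # "Trust Server Certificate" -> "trustservercertificate"
        norm = ALIASES.get(norm, norm)
        if len(value) >= 2 and (value[0], value[-1]) in {("{", "}"), ("'", "'"), ('"', '"')}:
            value = value[1:-1]                        # strip {...} or quotes around the value
        result.append((raw_key, norm, value))
    return result


def parse_connection_string(conn: str) -> dict[str, str]:
    return {norm: value for _, norm, value in _pairs(conn)}


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    keyword: str
    message: str


def audit_tls(conn: str) -> list[Finding]:
    """Flag settings that remove channel protection or, worse, server authentication."""
    kv = parse_connection_string(conn)
    findings = []
    encrypt = kv.get("encrypt", "").lower()
    trust = kv.get("trustservercertificate", "").lower()
    if encrypt == "":
        findings.append(Finding("medium", "Encrypt",
                                "not set; behaviour depends on the driver default, set Encrypt=true explicitly"))
    elif encrypt in FALSE_VALUES:
        findings.append(Finding("high", "Encrypt",
                                "false; traffic is plaintext and the server is never authenticated"))
    if trust in TRUE_VALUES:
        # The channel may be encrypted, but without chain/name validation any host that
        # answers the TCP connection is accepted as "the server": no server authentication.
        findings.append(Finding("high", "TrustServerCertificate",
                                "true; server certificate is not validated, so the peer is unauthenticated"))
    return findings


def harden(conn: str) -> str:
    """Rewrite the string with Encrypt=true and TrustServerCertificate=false, keeping all other keys."""
    pairs = [(raw, norm, value) for raw, norm, value in _pairs(conn) if norm not in CANONICAL]
    pairs.append(("Encrypt", "encrypt", "true"))
    pairs.append(("TrustServerCertificate", "trustservercertificate", "false"))
    out = []
    for raw, _, value in pairs:
        if ";" in value or "=" in value:
            value = "{" + value + "}"                  # re-wrap values that contain separators
        out.append(f"{raw}={value}")
    return ";".join(out)


if __name__ == "__main__":
    for label, conn in (("WEAK", WEAK), ("IMPLICIT", IMPLICIT), ("GOOD", GOOD)):
        findings = audit_tls(conn)
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  [{f.severity}] {f.keyword}: {f.message}")
    print("hardened:", harden(WEAK))
```

Run it over the connection strings pulled from application configuration (appsettings, Key Vault references, ODBC DSNs) rather than over what the developer remembers setting; the point of the check is that Encrypt=true with TrustServerCertificate=true still passes a casual "is it encrypted" review while giving up exactly the server-authentication property the blog post argues is the important one.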