Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy, reliability and compliance on the Microsoft Cloud Platform. Hey everybody, welcome to episode 95. This week is myself, Michael, with Mark and Sarah. And this week our guest is Sherrod DeGrippo, who's here to talk to us about threat intelligence. But before we get to our guest, let's take a little lap around the news. Mark, why don't you kick things off?
Thanks, Mike. So for me, I actually spoke recently at Tampa B-Sides and I was quite amazed at how big the event was. It was like 1,900 people or something like that. And it was a great event, lots of good speakers, you know, except for me. I mean, I spoke there too, but I did speak on the SOC. I couldn't believe they approved it, but it was the No BS SOC. And I was like, okay, yeah, I'll make the talk about that. It landed pretty well and I shared the slides for it.
And so we got the link there in the show notes. The interesting thing that I picked up actually is sort of the newsworthy element. There's a great CISO panel. There was, I think, eight CISOs involved too, co-hosting and six on the panel itself. And it was a great two-hour discussion.
And like over 45 minutes, if I recall correctly, we're focused on a really interesting topic that I wasn't fully expecting was how important it is for security to do really kind of awareness, partnership, integration, education of all of the various different parts of the business. So, you know, business leaders, business unit leaders, on down and directors, managers, as well as of course, IT partners.
And it really sort of the amount of time that they spent on it, these very seasoned CISOs, was sort of a very interesting signal to me and it sort of helped me understand that, you know, at the end of the day, security doesn't do stuff, right? We don't manage these systems. We don't keep them up. You know, we don't, you know, sort of make the decisions in many cases. It's often the business and the IT folks.
And at the end of the day, we're really a support function, enablement function for the rest of the org. And you know, basically, as the CISOs said, the best bang for the buck is working with getting all these other folks, you know, aware and on board and understanding what's going on. So you still have to have a SOC, you still have to respond to stuff, you have to track the attackers and all those kind of things.
But the reality is, is that the people that take action and keep the incidents from happening or, you know, make the attackers work a lot harder to make the incident happen, you know, really are the partners in the business and IT piece. So that was a really interesting insight for me. And so I think they recorded it. I'm not quite sure what the plans are, but we'll definitely post a link when and if that does happen. Okay, so I only have one thing this time round.
For those of you who might be interested in using this, the Azure Virtual Network Manager security admin rule config is now GA in 45 regions. I actually don't remember how many regions we have now. The fact that the news says 45 suggests we have more now. Mark, Michael, do you know how many regions we have? No idea. But I think it's great that they added a new role to Virtual Network Manager. I think that's great.
Yeah. And so basically, it lets you enforce security policies across subscriptions and regions, but globally. And they're evaluated before NSGs, if we think old school firewalls and the way that we process different rules in an order, which means it's going to be, it will be enforced uniformly across wherever you apply it to. So pretty cool, and you should go and check it out if you are using network configuration in Azure, which I'm pretty sure most folks will be.
Yeah, I have a small number of items. The first one, in GA, is Azure Virtual Network Encryption, which is now available in all regions, which is probably bigger than 45. But this allows you to enable encryption of traffic between virtual machines and virtual machine scale sets on the same virtual network. And that's both regionally and globally, paired virtual networks. Great to see more of these defenses coming into play.
Another one, which is in my backyard, is enabling Key Vault for SQL Server on Linux. First of all, a lot of people don't even know it's available on Linux, but there you go. But now we have support for using transparent data encryption. We can store the key encryption keys in Key Vault from the Linux VM, which is really nice. That's for all Linux instances running SQL Server 2022 with cumulative update 12 and beyond.
And it's great to see that now we can have centralized management of keys across our SQL Server customers who are running on Linux. Also in GA and also from my backyard, Azure Database for PostgreSQL Flexible Server now supports Private Link. I know a lot of customers are really interested in using PostgreSQL on Azure with Private Link. Another one, also from my backyard and in public preview, is long-term retention for Azure Database for MySQL Flexible Server.
We can now store your backups for up to 10 years. I believe the limit was literally about a month prior to this update. So this is really awesome to see, mainly for compliance and regulatory requirements. All right, so that's the news out of the way. Now let's turn our attention to our guest, as I mentioned at the beginning. Our guest this week is Sherrod DeGrippo, who's here to talk to us about threat intelligence. So Sherrod, first of all, thank you so much for coming on the podcast.
We'd like to take a moment and introduce yourself to our listeners. Yeah, hi. My name is Sherrod DeGrippo. I am the Director of Threat Intelligence Strategy at Microsoft. I've spent the past 20 years focusing on information security and the past 18 of those years working at information security and threat intelligence vendors. So I've been doing this a long time. And essentially, the whole point is to watch what threat actors do and report back on that and use it in ways that help protect people.
I'd like to start with the basics, if that's okay. So tell me, and by the way, I'm a huge fan. I love your Ignite sessions and all that kind of stuff and your podcast as well. Tell us, how do you view threat intelligence? What is it useful for? Why should people care? And honestly, how are people using it incorrectly as a term or as a data source? That question is one that it's a firestorm in the industry.
When I think about threat intelligence, threat intelligence to me is the difference between knowing that no one has broken into your house and me telling you who has tried to break into your house, what they look like, the car they drive, the kind of clothes they wear, their height, weight, date of birth. And I can tell you the other houses they've broken into down the street.
Either way, your home still has not been broken into, but now you're armed with information that can help you protect yourself more than you were before. And that's sort of how I see threat intelligence is. It gives you the understanding of what you need to know to make better security choices. Gotcha. So it's more than just file hashes and IP addresses. Sorry, don't mean to trigger you, but I do mean to trigger you. IOCs are not threat intelligence.
So right, if you're not in this world, something that we talk about quite a bit is data. And an example that you use is a bunch of file hashes. So if you have a feed of file hashes, is that threat intelligence? I would say absolutely not. It is not threat intelligence. It is data. And it has maybe an additional metadata point, which is these are file hashes that are malicious and they're malicious in a certain way.
Data has to be processed and analyzed before it can become part of threat intelligence. And I argue that even that isn't enough. In order for it to actually be credible threat intelligence, it needs to be processed by someone who has threat analysis, training, education, and experience. Gotcha. So it's really effectively, it's the context to help you make a decision.
It's a context to help you make a decision, and I think one of those big decisions that we would talk about would be resource allocation is a really important example. So if people aren't familiar who are listening, we typically break threat actors up into two main groups. And that typically is APT or nation-sponsored threat actors, which are your traditional espionage groups that are a lot of times government employees for the most part.
And they work with the military intelligence or they work in some kind of security services for their country. And they are tasked with espionage responsibilities and they do that espionage over cyber channels, so over the internet. And then we typically see on the other side of that financially motivated or crime. There's also like third, fourth, fifth categories of like hacktivism and disruptor and private sector offensive actors and things.
But for the most part, we break them into those two categories. And if you're an organization that traditionally is not targeted, for example, by nation-backed threat actors, let's say you're a retail enterprise, most governments are generally not attacking retail enterprise. It doesn't have a lot of espionage value. So that would mean I would advise you to focus your resources around fraud, financial and crimeware. So that's where you would want to put your time.
It doesn't mean that you'll never get attacked by a nation-sponsored actor, but it does mean that you'll essentially get a bigger return on your investment if you give a little bit more focus to those crimeware actors. So one thing I hear all the time are these sort of, I'm not going to sugarcoat this, but all these sort of funky names. When we come to describe what's going on in the world, is there like a meaning to those names?
I mean, or does someone just come up with a random idea and say, hey, well, let's call these things something funky or what's the story behind all that? That's a great topic, which is one that people talk about quite a bit in the industry. It's a bit of a spicy, spicy topic. So essentially we want to differentiate these groups when we do something called attribution.
Attribution is essentially saying this particular activity is, you know, there's a responsible party and that responsible party is this group. We typically think of threat actors in groups. If you're not familiar with this world, you might think of like a lone hacker in an attic who's doing her hacking and she's going after a company to steal their information. That's a bit storybook.
We actually more see groups that are organized into a professional operation and whether those groups are employed by a nation or employed by sort of a crime organization, they typically fall into group categories. In order to track those groups, we give them names. And Microsoft about a year ago released a new naming convention, which is made up of two pieces. It's a modifier and then an indicator that tells you the country of origin.
So as an example, Sandstorm will always be an actor that is based out of or sponsored by Iran. Do you have some other examples? Just other names? Yeah, there's so many. So we track over 300 different actor groups and once we know enough about them to give them a name, they graduate. They start off as a Storm group, Storm and a number, and then they eventually get graduated into a full name. So Octo Tempest is a crimeware group that's quite a big topic in the news right now.
Silk Typhoon or Volt Typhoon, those are both actors that are based out of China. The Tsunami groups, those are what we call private sector offensive actors. So those are typically part of some kind of private entity that works on behalf of a government. Blizzards are based out of Russia and Sleets are typically based out of North Korea.
So each country sort of has its own assigned weather pattern and then we add a modifier in front of it, like a color or a texture or a type so that we can kind of keep them all separated. And there are people within Microsoft threat intelligence that are responsible for focusing on that particular group. So we have individuals in Microsoft who they focus 100%, for example, on, let's see, Cadet Blizzard, which is a Russian-based threat actor.
And that's really who they track and they watch the threats that that threat actor sends in their attempts to do espionage operations against Microsoft customers. Okay. I'm going to ask just for anybody out there who's listening who might not know, what is an APT, Sherrod? So we level set on that. There's no level setting. That's also very controversial. Oh, there's so many fights over the definition of APT. So APT stands for Advanced Persistent Threat, which Sarah of course knows.
And that typically has become over time synonymous, correct or not, synonymous with nation-sponsored threats. I try to leverage the terminology of nation-sponsored, meaning that a particular country's government is in support of the activity of that group. An APT could be a crime group. It depends. It's a bit subjective. But I would say that certain crime groups of the past probably were worth considering at that APT level.
Like FIN7, for example, which I don't have the Microsoft name off the top of my head for FIN7. But FIN7, I would say would definitely qualify as an APT group. They were advanced. They were persistent. And it's really a lot of times the persistence that tends to be the qualifier. A lot of those threat actors are not super advanced, but they might be nation-sponsored and they might be persistent. So they get that APT designation. FIN7 is Sangria Tempest at Microsoft.
So APT is sort of like the big baddies. They're organized. They're operational. They're typically sponsored by a country's government who's comfortable with the work they're doing. And they're typically going after things for espionage purposes. Now, is some of the confusion around that APT term is that it was originally sort of a, hey, we can talk about this in public about a nation-state without naming that nation-state, like going back 20 some years and then it's sort of evolved since then?
Or I'm just kind of curious, how did we get to this level of confusion? I don't want to be responsible for how we got here. No, I think you're right. Well, I think what's happened is, yeah, so APT1 was released, you're right, about 20 years ago or something. And over time, I think what has really caused the merging and squishiness and sort of gray areas in a lot of places is this.
Every organization, whether they're private enterprise, public sector, such as a government entity, if they're a think tank, they could be an NGO, they could be a nonprofit. All of these analysts that are responsible for doing this tracking have a different point of view.
So every organization sees a different slice of data, kind of like if you've ever heard that parable of people touching an elephant and they're all describing something different and ultimately, it's because they only have this narrow limited visibility. The trunk, the tail, the leg, et cetera, they think it's a tree or a brush or whatever. Right, exactly. They're unable to see the whole picture because of their restricted visibility.
And I think that that's true about all of the analyst groups that do this work. And that has kind of led to a separation in the way that we do naming, in the way that we consider things APT, in the way that we consider things nation-sponsored versus private sector. It is squishy. And I'll tell you this though. What I love about it is that threat intelligence is data analyzed and put through not only rigor but subjective designations and subjective commentary based on an individual's experience.
That subjectivity is very, very important because it brings a sense of opinion, background, and direction that you can't just get from data alone. Yeah, because ultimately, these are humans on the other end and these are just the digital trails that they've left that were able to infer things about their motivations, which are just as fluid as any other humans and doing a job. I love that because the thing that... We talk about this quite a bit. You're exactly right.
Most of these groups are operationalized and they're either doing... They're generally doing a job for their employer, whether their employer is an organized criminal group or their employer is a government of some type. Most of these threat actor groups are given directions. They're given operational projects. They're given tasks.
And really, if you think about it, what's so crazy is that people in threat intelligence and information security, all our job is to make the other person's job not work. They're just doing their job and we are just trying to make them really bad at their job. And that's just the back and forth of it. Our success is their failure. I actually just posted on LinkedIn about that today.
It's quite amazing that there are people, especially in the criminal world, I think that's something that a lot of people don't understand or aren't familiar with. In Eastern European and Russian criminal groups, as well as Nigerian and Middle Eastern ones, the crimeware groups generally don't see what they do as illegal or immoral or unethical. They don't really see themselves as criminals. Their family doesn't see them as criminals.
They see themselves as, well, I'm a software developer or what, I'm a computer engineer, but I run internet. I follow the directions that I'm given and I make these things happen. It's not a big deal. It's just computer stuff. And so you kind of have to understand their job is really to hit the targets that they've been told to hit that day. And our job is to prevent them from hitting the targets they've been told to hit that day. We have to make them fail.
We're trying to make people fail at their jobs. So that's actually a very interesting segue. So if we get to the absolute practicalities of it, I mean, it's fair to say that these threat actors are obviously going after cloud resources, right? That's why we're the Azure Security Podcast. Yes. So what sort of things can you share with our listeners about what things you're seeing and perhaps more importantly, what can they do?
So I think one of the things that I always talk about with groups and CISOs and engineers and everybody when I think about this is, so if I had a choice to raid your personal checking account or your employer's checking account, your employer's bank account, which one do you think would be more attractive? I would assume it's your employer. For all of us, I'm sure it is.
But when you think about it from that perspective, you have to understand that threat actors find corporate enterprise identities to be extremely valuable because what they can do is they can log in as you. They can get into your identity. They can become you. Once they become you, they can operate as you, meaning they can send email as you. They can read email that you've sent. They can start forwarding your email to other services.
They can do things like set up rules where certain email goes certain places. They can reply to threads as you. They can get into your files. They can start looking through your data. So cloud threat in my world is extremely tied to identity threat. Thinking about threat actors having the ability to become you, that's a super important thing that you want to think about.
I also think that if you want to do something about it, I think one of the number one things that you can do is think about your logging situation and your logging strategies. Those tend to be the places that it's like ripping the mask off the Scooby-Doo villain. It's sort of like, okay, now I can see what's really going on.
I think that that's a really important thing to do as well as making sure that your identities are... your identities and the identities of those that you're responsible for protecting are strong and are using multi-factor authentication and are set up in a way that is as secure as it possibly can be in a best practice. So if we have all this intel, are we doing something to our products based on this knowledge?
Do we take that threat intel and I'm not going to say productize it, but at least put some elements of the data into our products? Absolutely. So we do productize the threat intelligence itself. You can access that through something like Copilot for Security. You can go and ask it specifically, like, tell me about Octo Tempest and it will. But the majority of those 78 trillion signals and we take that information, we're watching what threat actors are doing.
We're watching their attempts to break into your house, for example. We're watching their attempts to distribute malware or brute force passwords or break into web panels.
We're watching threat actors do those things and we're seeing and understanding those attempts and we're taking that information and we're putting it back into the product to protect people better and better and better across the full portfolio of products, whether it's cloud or endpoint or email or web browsing or browser or search. Those are constantly being updated, literally all day.
That's the majority of what threat detection engineers at Microsoft do is they take the threat intelligence we have and they turn that into a detection capability.
Now I know that we have all these different threat actors with different names, but I wondered if you could tell us about, I don't want to use the word cool because cool doesn't seem the right word to say to describe them, but some of the interesting groups that we've been tracking and what they've been up to because I always find this stuff fascinating. Absolutely. I think I also find it fascinating and I think that's pretty common in the threat intelligence world in the industry.
People say, oh my gosh, did you see this TTP, which is a way to say, did you see what they're doing, their tactics? Did you see this interesting thing that threat actor is doing? I think right now the industry is really focused on Octo Tempest. Octo Tempest is also known as Scattered Spider or UNC3944 and they actually leverage a significant amount of social engineering.
So they'll call a help desk, they'll pretend to be an employee and they will attempt to get the help desk to reset the password of that employee and then the threat actor will log in as that employee and start trying to elevate privileges or leverage exploits.
They use this combination of social engineering immediately to some kind of technical capability once they're able to log in and then they typically, very quickly, and I mean within a couple of hours, like extremely quickly, they understand the entire network landscape of that target organization and then they do ransomware, meaning they encrypt all of the data that they have access to and they start making ransom demands. This is a very high profile threat actor.
We've talked about them on the Microsoft Threat Intelligence podcast. We've written blogs about them. Octo Tempest is a significant actor on the crimeware landscape right now. Are there any other choice groups you can tell us about? Oh, there's so many. So Peach Sandstorm is another one. So Peach Sandstorm is typically associated with activity that is considered intelligence gathering. They also are based out of Iran. So we see that group doing things like using SAML attacks to exfiltrate data.
We see them doing persistence, which means that they will stay within an environment and they'll try to get back into an environment if they do get evicted from it. We have a lot of information on Peach Sandstorm doing things like spear phishing and using red team tools that are open source. So if you ever see some of those arguments online about should open source offensive tools be allowed because they are used by threat actors, in this case, Peach Sandstorm is one of those actors.
Also, they go after remote management tools. So any of those remote management and remote access tools that are legitimate, they try to leverage those and get into them so that they can control a machine remotely. And finally, they're known to typically go after the energy sector and the defense sector. So they have a specific targeting vertical that they like to hit. I'm sure that we could talk probably about most of these groups all day.
But in the interest of time, I won't ask you to keep listing them even though we should totally talk about them offline sometimes. For anyone listening, if you're interested in these threat actor profiles, just follow the Microsoft Threat Intelligence blog and you'll get all of the updates and profiles as we publish them. They're pretty fascinating. So where does AI fit in all of this? I mean, AI seems to fit in absolutely everything these days. So I mean, are the attackers using AI?
Are they leveraging AI? What's going on there? Yeah, that's something we're watching closely. And honestly, what are threat actors doing with AI for probably the past 12 or 18 months has been the number one question that I've gotten. And I'll tell you, we did a really nice report in February about threat actors and how they're leveraging AI. And we specifically focused on the four primary nation-sponsored groups, which is Russia, North Korea, China, and Iran.
And we found that all four of those countries had groups leveraging AI. They're using it for reconnaissance. They're using it to help them build scripting tools or scripting to build tools. They're using it to refine their development capabilities. So they're using it for pretty technical assistance type co-pilot work. They're doing vulnerability research. They're using it to better understand how they can socially engineer their targets.
They're also using it to evade detection mechanisms, meaning they're trying to figure out how they can make their attacks not noticed by detection and protection products. And of course, the good guys are using it for good as well. Like, we have products like Copilot for Security, which we talked about a couple of weeks ago. Right.
And what's noteworthy to me is that the defenders, those who create detection products and security products, we've been using AI and machine learning and data science. We've been using that for years and years and years. We're actually very, very good at using it for detection and protection. So while the threat actors are experimenting with this now, it's likely that they will go deeper and deeper and get better at it and better at it.
But we're pretty well ahead of the game in terms of using AI for detection. So I think we're very well positioned there. We being Microsoft or we the defenders? Well we being Microsoft. So I have a much deeper view into Microsoft than I do anywhere else. And I absolutely see that Microsoft has been using AI for protection capabilities for years and years. So yeah, I'm 100% in agreement with you on the Microsoft use of all the various different generations of AI technology and machine learning.
Because I've been very impressed with what I've seen our product teams do with that. There are other, in my opinion, there are other good uses of it in industry as well. So Microsoft's not the only one that's doing that. So security is definitely a team sport and we are all defenders. That's one of my big things. One of the things that we do, Sherrod, is we always ask our guests as a final closeout. What are your final thoughts?
Something you'd like to leave our audience with to plant a seed and get them thinking on what you think is important or interesting for them to think about? I think something really, really important to think about, especially if you're cloud focused, is constantly tapping into that little spider sense, tingly feeling concern that you have when you see something and you think, that's weird. If you can really listen to that feeling, I think it brings a broader security mindset to what you do.
If you're constantly checking in with yourself of, when I look at this code, when I look at this diagram, when I look at this behavior, when that little weird blip came up on the computer when I clicked that link, what was that? If you hold onto that feeling for a moment and say, I worry that I need to investigate this a little more, and you dig a little deeper, maybe you ask a friend. Maybe you find somebody in your security team.
Maybe you use some of the tools that you have in your organization to report security concerns. I think we've got to all better listen now to our intuition because security is every single person's job. It's every single person's responsibility, whether you're a coder, developer, operations, security, anything. Security is number one and you have to focus on it. I know we could probably spend the next couple of hours going over some example crime groups, but we just don't have time.
So look, hey. I'll come back and we'll talk. All right. Hey, look, Sherrod, thank you so much for joining us this week. I know you're really, really busy. I learn something on every single episode, but this one, there's a lot that I know I didn't know. So this has been really useful. Again, thank you so much for joining us this week. And to all our listeners out there, we hope you found it of use as well. Stay safe and we'll see you next time. Thanks for listening to the Azure Security Podcast.
You can find show notes and other resources at our website, azsecuritypodcast.net. If you have any questions, please find us on Twitter at AzureSecPod. The music is from ccmixter.com and licensed under the Creative Commons license.