
Microsoft Digital Defense Report

Oct 22, 2021 | 45 min | Season 1, Ep. 39

Episode description

We talk to Mark McIntyre about the recent Microsoft Digital Defense Report. The two Marks discuss at length the report as well as cyber-crime, ransomware, digital currencies and more. We also cover security news about Azure Security Center, Windows 11, OWASP Top 10 2021 and the OWASP 20th anniversary, the recent 2.4Tbps DDoS against Azure Sentinel and Mark updates his 'Mark's List'

Transcript

Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy, reliability, and compliance on the Microsoft Cloud Platform. Hey everybody, welcome to Episode 39. This week we have a full house. We have myself, Michael, Sarah, Mark, and Gladys. Our guest this week is Mark McIntyre, who's here to talk to us about the Microsoft Digital Defense Report. But before we get to Mark, let's take a look at the news. Sarah, why don't you kick things off?

Sure. I'm going to talk about the usual things that I talk about, which is security center and a bit of Sentinel, of course, my baby. The first thing I'll talk about, let's go through some Sentinel stuff. We released just this week when we were recording this, Playbook templates, which means now you don't have to go into the GitHub repo. You can go straight into the UI and you can find Playbooks.

There's a template there that's been prebuilt, tested, and you can just deploy it straight from the UI, which is really cool and we'll be adding more of those. Also, we've released our DHCP normalization schema for the Azure Sentinel information model or ASIM. So go and have a look at that if you're wanting to look at how we are continuing on our normalization journey.

Then in Azure Security Center, we've got the Microsoft Threat and Vulnerability Management added as a vulnerability assessment solution. So that's extending our integration between Defender for Servers and Defender for Endpoint. You can now auto-enable vulnerability assessment solutions as well. So if you're using Qualys or you're using the Microsoft version, you can now have that auto-enabled.

You don't have to go in and turn it on manually, which of course is important if you want everything to be monitored. I'm going to leave it there, otherwise I'll talk about Sentinel forever. Hey, before you run away, what's normalization? So normalization is the process of basically standardizing different data sources in a way that ASIM understands it. So say you get a log source in and it's got a number of IP addresses and maybe it's called IP address in the data column it comes in in.

Another data source might bring in IP addresses as well, but it might give it a slightly different name. It might just be IP. It's still the same piece of data, but without normalization, your SIEM won't necessarily understand that that's the same piece of data. And the reason you want to normalize everything is so that we can write collateral for the SIEM that's source agnostic.

So it means that if you've normalized all your data, Sentinel will know when it comes to this source, this is an IP or it's a host or it's a message. And that means that it simplifies our writing rules and other collateral for a SIEM. It's an important thing and it just makes everybody's lives a lot easier. So we love a bit of normalization. Yeah, I mean, I kind of thought I knew what it was, but unless it really didn't. So thanks for that.

So on the news front, a couple of things sort of caught my interest the last couple of weeks. The first one is I know it's not directly as you related, but Windows 11, as some of you are probably well aware, there's a TPM trusted platform module 2.0 requirement. That's caused a lot of people to sort of ask, why is it required? You know, what's going on there?

We've actually released a video, which is actually a really cool video actually, of the need for the TPM 2.0 in light of the current really sophisticated attacks. In fact, we even give demos. There's a demo of a Windows 10 machine with all the defenses turned off, where there's all sorts of really low level attacks being performed against bootloaders and so on. Then the same attack is done against Windows 11, default to Windows 11, and the attack just fails. The video is well worth watching.

It's about 12 minutes long. I can almost guarantee you will learn something from it. If nothing else, the demos are entertaining. I do want to spell something else as well, that was called out in the demo, in the video, sorry. And that is, these defenses have been around for quite some time. I mean, they've been available in Windows 10. They just weren't enabled by default. But whereas now we're requiring them to be enabled by default for Windows 11.

The other item that took my note the last couple of weeks is the OWASP Open Web Application Security Project. They just had their 20th birthday. And it's funny I was talking to the guy that actually started OWASP a few weeks ago. I'm like, I'm not sure if that's a good thing or a bad thing, being 20 years old when your job is application security.

But that being said, the impact that OWASP has made, both in Microsoft, both in Azure, and with our customers, and with their regulatory requirements, really can't be underplayed. They've made a really big impact on application security. And for those of you who are not aware, they've also released their 2021 OWASP top 10. And without trying to sound too cynical, this is by far, in my opinion, their best OWASP top 10. I agree with just about everything that's in there.

Not that, you know, my opinion is anything special, but prior top 10s, I've had sort of concerns with it. Sort of various items being at different levels of abstraction, different vulnerability classes, where they've actually gone to be quite consistent in the way they represent vulnerability classes.

They've also, for the very first time, called out threat modeling as a requirement, which is fantastic to see because as you're probably well aware, Microsoft threat modeling is something that we're really big on. And it's great to see threat modeling being called out as a requirement around designing secure systems. Yeah, so the two things that I picked up in the recent weeks was I updated Mark's list.

So the set of links that I keep, that I constantly refer to colleagues, customers, partners, you name it, and added a few items there around the Ninja training for all the various different products, Defender for IoT, Sentinel, Defender for Endpoints, you name it. There's a really nice set of in-depth training for each of those. So I added that there. We also announced on the last podcast, we have the cybersecurity reference architecture videos are out, as are the CAF secure.

So we have these sort of program and components and disciplines of security kind of reference model of what good looks like, what success looks like, and then a architectural reference as well for that more technical view. And then the other piece, of course, is the MDDR, the Microsoft Digital Defense Report, which we're going to talk about in a lot more depth with Mark McIntyre. Hello, everyone.

This is Gladys, and I wanted to let you know about a blog that talked about a 2.4 Tbps DDoS attack that Microsoft observed targeting an Azure customer in Europe. This attack was 140% higher than any previous network volumetric event experienced on Azure. The traffic originated from about 70,000 sources from many different countries.

The blog goes on into explaining how UDP was used with very short-lived bursts and how Azure DDoS protection could scale to absorb the volume and allow the customer to continue business as usual. The one mitigation that I was pleasantly surprised to learn about was that Azure dynamically allocated mitigation resources to the optimal location, which was closest to the attack sources.

So the traffic that originated in Asia Pacific and U.S. basically never reached the customer region, but was instead mitigated at the source countries. Another thing discussed in this blog is how to enable the DDoS protection. Every property in Azure is protected by Azure infrastructure DDoS basic protection at no additional cost. DDoS Protection Basic helps protect all Azure services including PaaS services like Azure DNS. But DDoS Protection Standard adds an availability guarantee, cost protection, mitigation reports, and many others.

So I recommend looking, searching for the "Azure customer continues business as usual despite 2.4 Tbps DDoS attack" blog to read more about it. Also, if you have listened to our previous podcast, you have heard me talking about how Microsoft focused on enabling the interconnection and cross-service collaboration of first and third party services.

Basically enabling this data integration provides customers with more comprehensive analysis due to the many sources of data correlated, and it helps speed up resolution since automation can be used to deal with the issues across those services. Well, Microsoft has been named a leader in the 2021 Gartner Magic Quadrant for data integration tools. It basically shows our continual commitment to delivering comprehensive and cost effective data integration solutions.

The blog also talks about the future of analytics since we have the capability of correlating so much data in the use of AI and ML to accelerate insight. In addition, it goes into explaining how Azure Synapse Analytics make it possible to ingest, explore, prepare, transform, manage, and serve data for business intelligence and machine learning in a centralized and secure environment.

This is one service that I'm spending a lot of time learning about because I see how the automation and the insight that this service enables. So I recommend adding this service to your future learning roadmap. Alright, thanks for the news everyone. As Mark alluded to, our conversation this week is going to be about the Microsoft Digital Defense Report. To talk to us this week about that is Mark McIntyre. Hey, Mark, welcome to the podcast. Thank you so much for joining us.

Why don't you spend a moment and just explain your background to our listeners? Sure thing. This is almost like getting the band back together with Simos and Michael here. Actually, you know what? It kind of is. How long have we worked together? Well, I'm not going to sing, so you won't get that out of me. Long enough. Yeah, I've been here about 14 years. Who would have thunk? I joined the company in 2007.

Prior to that, I had been in the US government and my intention was to do one year in the private sector, scratch that itch, learn some things, and go back to government service. And for a variety of reasons, free Starbucks, whatever the reasons, here I am 14 years later. That's been great. Last five years, I've been one of our executive security advisors in the old cybersecurity solutions group, which has now been re-ordered into the modern work and security organization.

And so I work primarily with the United States government CISO community and with key US state and local government CISO customers as well on digital transformation and risk management. And I should give props to Simos for his reference. No pun intended. His reference to the reference architecture, because I show that frequently. It's really, really popular. It's just a great set of material for us to show our partners and customers.

Don't keep saying that too much. We'll never get back on the podcast again. We'll start charging. Is that charging for you? I mean, the first question is pretty obvious, right? So what is the Microsoft Digital Defense Report and why should anybody care? Well, I'm a huge fan of this. You know, when we were planning this podcast, I had a few other topics in mind, but then when the day landed, I said, this is too good to pass up. Timing is too good.

So just last week, Microsoft released our latest annual Microsoft Digital Defense Report. Some of you might remember this as the old Security Intelligence Report that was published back in the day by the old Microsoft Malware Protection Center. That was a twice a year cadence back then. But this is a look back on the previous year, you know, what is Microsoft seeing going on around the global threat landscape?

What types of incidents, emergencies, how are people, have our security teams been dealing with the most? It's a great way, you know, looking back to put a lot of our, you know, Microsoft's, let's say, global security data estate into an executive level summary like this. And of course, other companies have, you know, really good products too as well. But just a really good, you know, look back a good level set.

And of course, no report like this would be complete or would truly be a service if it didn't actually, you know, also leave readers with things to do, you know, what's in it for me? What does this mean to me? You know, what do I have to do so that, you know, the next year before Microsoft comes out with the next one, I don't end up in the news. Yeah, I mean, that's one thing I just want to reinforce that I really love about this report is how much it focuses on the actionable insights.

And it's not just here's a bunch of data, here's a bunch of analysis, it's actually okay. And what should you do about it? That's one of the things that I love about it. Yeah, so actually, I had a look at the reports a few days ago, and you know, it's a big report. I'll be honest with you, I kind of glanced through it. I didn't really read the whole thing, at least not yet anyway. I probably will.

So, you know, could you just sort of share with our listeners what the key findings are, you know, sort of the quick sort of list of interesting items. Sure. So, a couple of big takeaways for me. You know, first of all, the growing, let's say, sophistication and maturity of the, let's say, attacker landscape.

You know, this is truly a, you know, sophisticated service driven, bifurcated environment where attackers, you know, with a credit card or with motive, without perhaps even much technical acumen, can reach into the underground economy and essentially procure, you know, attack as a service, right?

And so, you know, it's, for me, it's a really important way to drive home the economics, you know, that if you're a state local organization or educational institution or small medium business, you know, whatever business you're in, if you don't think that your data is of interest to an attacker, the economics of the, you know, for the attacker just too attractive.

And so, you know, from a pragmatic risk management perspective and from an assumed compromise, you know, perspective, just understand that that's what we're up against. That was one, you know, one key finding. The other one, of course, you know, was that we're seeing cyber attacks going into pretty much, you know, all economic or let's say all sectors, right? And so, you know, obviously government and critical infrastructure and healthcare, financial services or retail.

So, for a variety of reasons, the attackers are equal opportunity. So, again, you know, no one should assume that you're a little corner of the earth and that your, you know, data are not attractive for whatever reason, you know, to an attacker. That reason typically has profit, but not always. That was a key finding. Another one that I thought was really interesting in this, there's no rocket science here, but it should come as no surprise.

You know, we have some content in the, you know, in the blog posts and then the accompanying PDF that once again, you know, shows a list of compromise, you know, harvested passwords, right? And it's just, it's the usual. And in this case, we looked at some operational technology devices. But, you know, we saw the same thing admin, right? User default administrator, you know, admin one, user one, so a little bit of creativity there.

And so, you know, again, it's, and this is just Microsoft report, you know, I have to imagine that others in the industry are going to, as they come out with their annual reports, which I assume we'll get to as the end of the year approaches, which expect to see more and more of this, you know, and this isn't naming and shaming, this is not naming and shaming, this is just, you know, reality.

And this is, we're all humans, we like using simple things and passwords can be quite simple, but unfortunately, it's just kind of a losing game. That hit me as well, you know, not because it wasn't expected, but because it's just, it's still there, right? And we, for whatever reason, collectively, we're not, you know, doing as good a job as we should in incentivizing, you know, others or doing our own work to move away from passwords.

I just wanted a key off of what you're saying about the different industries.

I really liked, one of the things I really like to see in the report, not that I like to see the attacks, but there was a sort of an industry by industry analysis in the IoT section that, you know, kind of went through, you know, because a lot of good research went in there from Section 52 from the CyberX acquisition from about a year ago, and some of the other IoT and OT research we've done, you know, it was just really nice to see sort of the way that

the attacks were playing out against different industries, they could start to think about, you know, what I should worry about, you know, depending on the industry you're in. Sure thing. I mean, we're talking about, you know, some industries that are, you know, literally using operational technology, you know, from, you know, little apps or solutions from companies that may no longer even be in business.

And, of course, the stakes are much higher in some of those, you know, healthcare and oil and gas and such. Yeah, my new rule of thumb when I think about the OT space is that the equipment might be 50 to 100 years old, and there's literally some stuff still running on steam. And then the electronics were modernized anywhere between, say, 30 and 50 years ago, you know, with quote, unquote, modern electronics at the time, which are, of course, nowhere near usable today.

They barely support IP, let alone, you know, modern authentication protocols are absolutely out of the realm of possibility. I know it wasn't covered directly in the paper and report, you know, but just this morning I was doing a briefing virtual, of course, with a critical infra company back east.

We were talking about a couple of some of the findings here and, you know, I mentioned, you know, Azure Sphere as an example of where we can help, in a sense, democratize, lower the cost of entry for, you know, creating what could be, you know, repromising net new ecosystems, you know, of devices. No question it's going to take, you know, innovation, it's going to take, in some cases, you know, just fundamental rebuild.

But if, you know, the more we can put data like this out there, the more we can just make people aware that there are some really basic need to do. You know, this will help us, help us secure the ecosystem. I'm a huge fan of Azure Sphere. I mean, you'd be amazed how many threat models I built with customers where they've had these IoT devices. And it's like, okay, so how do you authenticate the IoT device where we use TLS? I'm like, okay, so where are the keys stored?

Well, stored like in some configuration file on this micro OS. I'm like, well, what are the protections on those, you know, on those files? And it's like nothing. But then when you look at something like, you know, Azure Sphere, that idea of protecting sensitive data is just part of the product. I've done quite a bit of development actually with the Azure Sphere. There's an Azure Sphere SDK for those of you not aware.

And if you are, you know, either intellectually curious or you actually have a need for it, play around with it, kick the tires, just load up Visual Studio Code, load up the Azure Sphere SDK and get a device that's cheap and an experiment. It's actually a breath of fresh air. There's so many great security services that come with Azure Sphere. It's good to see.

Yeah, I mean, they actually did include in this report the seven properties of highly secured devices, which is basically what we figured out. Okay, let's take an analysis of what we learned on, you know, Xbox and Surface and all the different hardware that we've done. And, you know, how do you actually keep, you know, a device that's going to be out there in the wild and the world secure?

And then, you know, instead of just doing principles, they actually took it to properties, you know, something you could measure and you can ask a question and answer a question of, you know, does it do all these things? And if so, great, you know, that's a secure device. Things like error reporting, small trusted computing base, defense in depth, hardware trust, et cetera. And so I'm a huge fan of Azure Sphere.

The one thing that I did learn is it's something that because of the whole SDK element of it, it's something that you do actually have to sort of write an app for it for the particular device, which if you're producing a device makes all the sense in the world because you have to anyway. But the thing that was interesting was like the first case study on that was actually Starbucks. It's a public case study that's on the Microsoft site.

We can add a link to the show notes because they had standardized on a single device. They were actually able to put this secure Azure Sphere device. I think they called it a Guardian module in front of all of those different pieces of equipment and write one app that worked, you know, however many thousand times at Starbucks as machines and provided that secure sort of instrumentation that, you know, secure.

But it also gave them important business benefits, which is I think how they probably justify the project and that, hey, you know, they knew, you know, because they have these, you know, sort of, you know, younger employees there that are operating these machines that may not have been fully trained or may not know fully like, okay, this is when this happens, it's probably that the little dispenser for grinds in the back is full.

And so they had to, you know, end up sending up trucks for false alarms all the time. That was costly. And so the business ended up saving money by having this, you know, kind of modern day instrumentation on these machines. But they had to have it secure because that's how Starbucks rolls. And so it's really a sort of an interesting case study there. I applaud any company that focuses on, you know, making it easier and more secure for me to get coffee.

So it's, you know, it's interesting because I can, it's funny how conversations are framed by before and after the pandemic.

But right before the pandemic, I remember meeting in a briefing center with the CISO team of a large European power generator, forgetting quite the company making power equipment, and they were looking at sphere and because in their mind, they were determined to essentially recommend that they essentially sell off part of their power, power generation capability just to a local,

to a very like a provincial authority and just kind of let them use whatever power system they were using as long as they need to. They didn't see the benefit in trying to go back to these large systems. They wanted to start over essentially. They wanted to create net new, you know, from the ground up, you know, chip-up clean energy, you know, with, you know, essentially wired or I guess wireless from the beginning. And it's kind of, you know, it's co-opportunities.

Whether it's, you know, again, the technology is there for you. It's a matter of what business decisions that you want to make coming out of how you use it. Just quickly, the, you know, the what's in it for me, you know, on this report, the very last substantive slide, I guess infographic is, I don't know who did this design this slide. The first time I've seen it, at least with the Microsoft, it's the, it's a bell curve, a cybersecurity bell curve.

And I really found this visually impactful and essentially it's a bell curve. And it just says that, says that basic security hygiene still protects against 90% of attacks. So use anti-malware, apply least privilege, enable multi-factor authentication, keep your software up to date and protect your data. And so it was good to see there's so much innovation out there, so much interesting work going on, important work being, you know, being done.

But in the end, even after this report that summarizes all of our, you know, what we see in our data over the years, we close with a slide that is sort of so elemental and so timeless in a way that, you know, it's responsible message and it's still very relevant. One of the interesting things, I'm actually kind of switching to the earlier part of the report, the ransomware piece, actually was, I did some of the review work on that before it went out.

And there was some really interesting stuff because, you know, it's really kind of, even though that the vulnerabilities are remaining constant, the monetization has really transformed in the past couple of years. And there's some really good analysis there. You know, some of the things that kind of caught my eye around, you know, essentially the amount of money people are paying for ransoms are giving these ransomware gangs budgets that are probably rivaling, you know, nation states.

And some of the reasons we really don't want people to pay because it's kind of a tragedy, the commons type of thing where, you know, maybe individually, it's your best interest to do it, but, you know, that's going to boomerang back on you and everybody else. And there's also some data there on like how much stuff costs on the dark markets, including ransomware kits.

Because like one of the things a lot of people don't realize is that the ransomware thing is not just a single dude doing this or lady, there might be, you know, lady ransomware attackers too. Ultimately, it's an ecosystem in many ways. And like the most, at its most basic, there's the kit providers, you know, that either sell, you know, access to the kit or, you know, take a cut and sort of help and assist and sort of a ransomware as a service model.

And then there's the operators. These kits often have multiple tools. They have different attack techniques. They have different pieces of malware they'll install. And then the operators don't necessarily stick with just one kit provider. They might try two or three different kits and, you know, then the kit providers offer new compelling features. And so sometimes they use multiple different kits, even though it's the same actor or same operator that's operating the malware.

And so it's really an interesting sort of view into the complexity of that ecosystem and that you're really facing like an underground or a dark economy, more so than you are the skills and limitations of one particular person or small group. It's almost commodified. Yeah, completely. In fact, I would suspect that if anything, the price, the prices that attackers will pay.

So for example, you can, you know, procure a rental list of stolen username, password pairs for under $1,000, right? Even one estimate here, I'm looking at this as $150 or $400 million. And so I suspect that as more and more, you know, this information is harvested, the price goes down because they have a supply and demand dynamic as well in the ecosystem. So I'm going to ask something a little bit, well, in the report, but a little bit different about.

We've been talking about disinformation and disinformation and misinformation and spreading doubt. So it's slightly less technical, but I think it's a really important thing because it does also affect security. What's your take on that, Mark, and what we should be doing or what organizations should be doing because, you know, it can affect an organization, not just a person.

First of all, just full disclosure or interest of transparency, I actually recently, just recently joined advisory board of a startup that's working on this issue. So I want to be very clear that I'm speaking on behalf of Microsoft, what I think is best for us and our customers. But I joined that other companies board because this issue, I wasn't even paying attention to this issue, Sarah. I never thought about it until the last couple of years. I was always generally aware it was going on.

But I haven't been on Facebook in several years, you know, so LinkedIn is really my only social networking tool or app. And so the more I'm reading about this, it's terrifying. And it's indicative of the larger of some of the findings in this report. That number one is clearly a nation-state driven.

I'm not going to pick on any particular governments or government sponsored actors, but it's clearly done for nation-state purposes to sow discord and tear, you know, literally tear populations apart in countries. But it's also becoming a for-profit economy or for-profit segment, I guess, in the underground economy.

And that sounds very troubling to me because once these attackers can, you know, or once they see motive, financial motive, whatever, it's really hard to stop because it's the motive is there, the tools are there, the AI is there now for attackers to use. And so like any other criminal issue is going to come down to we're not going to stamp it out. I think it'd be really hard to stamp it out.

In this case, you know, political, let's say political election security, things like that, it's going to really be required to really, really help election officials and, you know, and related personnel understand what they're up against, you know, and this can be a really tough one because of differences in budgets and differences in perception of how people view, you know, threats and such.

And so I know that, for example, our team does quite a bit of work, you know, within Microsoft of our legal team, you know, training people that run voting infrastructure. And this is that's really important work. So I was going to take a lot of that type of work. But again, it's sort of an asymmetric, you know, arms race here because the attackers can just keep doing this.

And especially as they reach into the citizenry, people who aren't really incentivized to care about something's accurate, make them feel good, they're going to click on it. It's a very tough issue. Yeah, I mean, that's that's one of the ones that worries me a lot because we've had such essentially trustworthy news sources in a lot of countries around the world. You know, they might be biased here or there, but they weren't, you know, deliberately trying to misinform in a lot of countries.

And so when you have, you know, this sort of switch to sources of social media, which are much more, I don't know, I kind of jokingly call it gossip, you know, because it fits that more. It's just whatever someone says, as opposed to, you know, like a vetted and validated kind of statements, etc. As many of our societies today just don't have the muscle to doubt automatically like we used to. And so we tend to trust what we see. So it's definitely something that bothers and concerns me as well.

One thing that really stood out for me was there was an infographic in there. There is an infographic in there about email attacks or email-born attacks. I think most people think about phishing and that's about it. But this infographic actually goes through all different kinds of email-born malicious attacks, which I learned a lot just from that, you know, just from that alone. But is there any kinds of attacks?

I know Mark is always going on about ransomware and discussing ransomware, especially human-operated ransomware. But I mean, are we seeing other kinds? Yeah, I don't know. I don't mean to sound that way. But the point is, we're seeing, you know, we're seeing big increases in certain classes of attack. And what sort of driving that?

Most threat actors don't need to be good, you know, they can be pretty good, because they can always rely on, you know, they'll always find, you know, weaker links somewhere in a supply chain. The ones that can be very good, the ones that have the, you know, let's say national security imperative, or say national interest imperative, they have the patience to do so. And they can take months or even years, I suppose. You know, those are the ones that, on a macro level, I guess, really concern me.

Like, if you look at Nobelium, that was really interesting. It was a shot across the bow in terms of what it revealed about the patience and the stealthiness of an attacker. I'll be interested in Mark's take on this, given the ransomware angle. But I think, you know, you have Nobelium on the one side. Again, just a clarification.

That's Microsoft's term for essentially, you know, what was also known as the Solorigate, SolarWinds attackers going back, I guess about 10, 10 and a half months or so now. By the way, Microsoft uses the table of elements because they can't be trademarked. So it's just a way for us to refer to attackers.

Those concern me because they have outsized impact, they make policymakers, they make our companies certainly think in a different way about all the various things that we have to do sort of in conjunction or in parallel to take on the attackers. And, you know, I mean, these are real societal issues. For most of us, for most people, most organizations, companies, what have you, it's the more commodity type ransomware, you know, pretty good threat actors. They just want money.

Some of them claim to have a code of ethics. We shall see. There is, I guess, honor among thieves. It wasn't only covered in the report, but my, you know, my concern, like I'd really hate for us to be having this discussion next year and we're having to talk about an increase in killerware, right? In attackers that just say, we don't care, we're taking this pipeline down, we're taking this hospital offline, consequences be darned.

You know, that's what really scares me, that we'll just start getting people who are so nihilistic or so dedicated to a certain cause that you can't sway them. Yeah, that's one that also worries me, you know, as we get into sort of more and more critical infrastructure targets, or as we see them getting into those, which, you know, has increased recently for sure. That's definitely something that I watch and worry about as well.

And one of the things, just to kind of wrap up on the ransomware topic, is there is a link there to our ransomware guidance. It's just aka.ms slash ransomware. And it does actually highlight the order that we recommend organizations focus on mitigation. And it is in many ways the opposite of what most people expect, because everyone was like, oh yeah, let's just block first and then I can forget about the rest. That's all I need, is the front of the roadmap.

We actually did it in a different order on purpose because of how hard it is to prevent them from getting in. And the last thing we want to do is set up a front line that, you know, is only the front line. And then if they get one way through, then, well, sorry, we don't have a plan and the whole thing goes, you know, in a handbasket to somewhere.

So the way that we actually ordered that was deliberately to focus on making sure your backups and your ability to restore them are your top priority, because you don't want to have to pay them to recover in the worst case scenario.

We want you to not do other things and not try to prevent, not try to detect, not keep them out of the admins group and getting control of them, etc. But we want to make sure that, like, one of the first things you check is to make sure you don't have to pay them and use their usually terrible and ugly tool to actually recover. So that's one of the top priorities that we do recommend there in that ransomware space.

Hey, do we ever have people, like, paying the ransom and then the attacker saying, haha, just kidding? It happens, from what I understand. But I don't think it happens a lot. Now the ransomware gangs, when it's expedient for them, do go offline. Sometimes they share the keys. Sometimes they don't. There is no guarantee, right? Because I mean, these are, you know, they pretend to have morals and ethics and try to impose them on you to force you to pay.

But really, you're trusting the word of a criminal that's anonymous. And we actually have some chats included in the report that actually talk about the dialogue, where you can kind of see how rough and hard-nosed they get in the negotiations. It's not pleasant, because they have access to your financial records and whatnot. And so they know what's in your accounts because they're taking over the systems that you use to manage those accounts.

You know, what I have to imagine, think about it, I guess, incentives, this is sort of pure capitalism. They're just trying to make money, you know, lower risk and costs and maximize gain. And so obviously not to be sympathetic there, but their business model wouldn't, you know, wouldn't be so attractive or appealing if they took the payment and didn't pay back. The next victim is going to know better.

Yeah, I had a quick couple of highlights. A couple of things caught my eye. Like there was a really interesting one on sort of the browser search results manipulation, which I had never personally experienced, but it was a nice little screenshot that showed, like, a before and after of how they kind of monetize, you know, attacks that way.

I really, really liked the adversarial machine learning, which is, like, how are the attackers going to, you know, go after your defensive machine learning, and the different types of attacks and what they look like and how they work, which I thought was kind of interesting there. And then just the nation state section, like there's definitely insights on a per nation state basis.

But one of the interesting points that I picked up was that they, you know, I mean, sometimes they do, I mean, they tend to be the ones that do new techniques, right, like supply chain attacks and whatnot. But generally they tend to also use a lot of the same attack techniques that the commodity attackers of different flavors, ransomware and whatnot, also do.

But the point that was made in the report, which I really liked, is that they're actually resourced and sophisticated enough to figure out which one would work best in this circumstance. So they're not, you know, trying to do a phishing email when it would be a lot easier to take another technique, or vice versa. So I thought that was a really interesting observation on what kind of sets nation states apart. But Mark, I'd love to hear your perspective.

For me, it's a little more personal because, you know, in my previous life before coming to Microsoft, I spent some time as a North Korea analyst. So my eyes always gravitate to anything about North Korea. So in this case, you know, it's interesting. This report has a few tidbits, a couple of slides or infographics on North Korea as one of the sort of five or six actors that we focused on. To me, it's the most interesting because it embodies so much of what's at stake here.

They have their neighborhood, a dangerous neighborhood. And so they're using, you know, offensive cyber or cybercrime to, let's say, project strength, you know, of course, in the absence of national strength. And of course, because they're largely cut off from the global economy, they're conducting cyber activities simply to make money. There's a, you know, national security and national economic imperatives that come together.

It's probably the cleanest, the crispest way you could imagine. It's very visceral there in North Korea. Now, this report, for example, also highlighted Vietnam and Turkey. And I'm forgetting if it's this one or last year's, but they even had, I think, a reference to South Korea. This is where it gets more and more interesting, because now you're seeing, I'm not going to say second tier, that's not fair.

But you're seeing governments or government-affiliated groups or actors clearly operating with some level of government protection. It's fanning out, right? Activity isn't just the usual suspects, China and Russia, Iran, North Korea. Now you're seeing, you know, sort of secondary actors. That's troubling because there's no reason to believe that next year when we're covering the report, we're not going to see, you know, two or three more examples.

New, you know, new criminal groups from other parts of the world getting into this for a variety of reasons. So that makes it very dangerous because, you know, as Microsoft's President Brad Smith still says, and Tom Burt, who runs our customer trust, you know, there really aren't any guardrails right now. There aren't any real agreed-on norms. And that's very tough, especially for those of us, you know, trying to play, you know, defense.

It's very hard to act against actors that don't have guardrails. Yeah, essentially, there's no equivalent of a Geneva Convention that says this is out of bounds, always, kind of thing. Again, my concern about the term you're hearing now about killerware, where you might just get any number of groups, disaffected, you know, people, criminal groups, whoever, nation states, they might just say, we're just going to take this thing offline. And that's it.

So getting back to Mark's point earlier about, you know, ransomware, we have to do a much better job, all of us working together, to help make sure that our partners and customers understand how to do backups and, you know, how to protect and modernize their infrastructure. I have a question that may be a little contentious. I realize I'm putting you on the spot. I'm probably putting both of you on the spot.

What role do we see here for digital currencies being used to pay ransoms and so on? I mean, are we seeing a spike in ransomware and associated criminal activity because of digital currencies, which are to some degree anonymous, versus, you know, wiring someone some money to a bank account? Yeah, I mean, I'd love to hear what Mark is thinking, but from my perspective, it's absolutely an enabler. Now, if those disappeared tomorrow, would this model continue? Very potentially so.

You know, they're bold enough and brazen enough that they might deal with a wire transfer and find some other way to kind of like figure that out. But it's definitely the ease of use of that is definitely an enabler for these models for sure.

Yeah. I like to believe that investigators, regulators, law enforcement, what have you, Interpol, perhaps other groups that, you know, they're also, I suppose, I guess, ironically, they may see opportunities to use technology in this case to chase technology. You know, there might be a way you're establishing essentially, you know, what's called a paper trail. There's probably some level of visibility into tracking some of these transactions.

So I'm not by any means an expert on digital currencies. I still have dollar bills in my wallet. So, you know, but I have heard some interesting briefings recently from, you know, international police agencies talking about this. And, you know, they're certainly, I think, learning as they go. But again, technology is agnostic, right? It's how people, for good and bad, enable it and use it. All right. Let's start to bring this thing to a close.

So one thing we ask all our guests, Mark, is if you had one final thought to leave our listeners with, what would it be? This isn't so hard for me because I've been doing this. I've said this recently in a couple of other panels, online panels and such.

But, you know, despite the threat environment, despite the innovation in the attacker ecosystem and all the advanced attacks and such, despite what's in the news, much of what you can do, you know, is there at your own fingertips, it's right there for you. It's this, as I said earlier, this cybersecurity bell curve, you know, if it can still help you take a fresh look at practices you're probably already utilizing, modernize them in a way, you know, we think that's a good idea.

We feel confident that this can make a measurable improvement in your cybersecurity posture. So if nothing else, please, please pay attention to, you know, the hygiene. Yeah, I know Mark has mentioned hygiene at length as well in the past. So it's good to see someone else sort of concurring there. Well, look, hey, Mark, thank you so much for joining us this week. I know we all appreciate you taking the time, and you're really busy.

And yeah, like every episode, I've learned something, and this is an area I don't normally spend a lot of time on. So I probably learned significantly more here than I would on other podcast recordings. And so all of you listening out there, thank you so much for tuning in this week. Stay safe. And we'll see you next time.
