Security Unlocked

Celebrating Women in Security

Ep. 18

Today is International Women’s Day, and we are celebrating with a very special episode of Security Unlocked. Hosts Nic Fillingham and Natalia Godyla revisit their favorite interviews with some of the prominent women featured previously on the podcast. 


We speak with Holly Stewart, a Principal Research Lead at Microsoft and known in the Defender organization as “The Queen of AI.” Holly shares how building a security team with different perspectives helps to better understand and stop threats.


Next, we talk with Dr. Anna Bertiger, a Senior Applied Scientist at Microsoft. Anna has an incredible passion for math and explains how she’s using math to catch villains and make computer networks safer. 


Finally, we explore what it’s like to hunt down threats with Sam Schwartz, a Program Manager with Microsoft Threat Experts. She came to Microsoft right out of college and didn’t even know what malware was; now she’s helping coordinate a team of threat hunters on the cutting edge of attack prevention. 


Security Unlocked will be highlighting female security leaders at Microsoft throughout the month of March. Subscribe now to make sure you don’t miss an episode! 


In This Episode, You Will Learn:

• How math is used to help analyze attack trends 

• How AI and ML help identify patterns that can stop attacks 

• How threat hunters are tracking down the newest security risks 

• Why Microsoft Threat Experts are focused on human adversaries, not malware 


Some Questions We Ask:

• How do AI and ML factor into solving complicated security problems? 

• What’s next on the horizon for data science? 

• How do you use math to determine if an action is dangerous or benign? 

• Why do threat hunters need to limit the scope of their work? 

• What skills do you need to be a security program manager? 


Resources: 

Sam Schwartz’s LinkedIn:

https://www.linkedin.com/in/scschwa/


Dr. Anna Bertiger’s LinkedIn:

https://www.linkedin.com/in/bertiger/


Holly Stewart’s LinkedIn:

https://www.linkedin.com/in/hollyjstewart/


Nic’s LinkedIn:

https://www.linkedin.com/in/nicfill/


Natalia’s LinkedIn:

https://www.linkedin.com/in/nataliagodyla/


Microsoft Security Blog:

https://www.microsoft.com/security/blog/


Related:

Security Unlocked: CISO Series with Bret Arsenault

https://SecurityUnlockedCISOSeries.com


Transcript

[Full transcript can be found at https://aka.ms/SecurityUnlockedEp18]


Nic Fillingham:

Hello, and welcome to Security Unlocked, a new podcast from Microsoft, where we unlock insights from the latest in news and research from across Microsoft security engineering, and operations teams. I'm Nic Fillingham.


Natalia Godyla:

And I'm Natalia Godyla. In each episode, we'll discuss the latest stories from Microsoft Security, deep dive into the newest threat intel, research, and data science.


Nic Fillingham:

And, profile some of the fascinating people working on artificial intelligence in Microsoft Security.


Natalia Godyla:

And now, let's unlock the pod.


Nic Fillingham:

Hello Natalia, welcome to a very special episode of Security Unlocked, how are you doing?


Natalia Godyla:

I'm doing great, and it is a very special episode. It is International Women's Day today and we are going to be celebrating that with our compilation episode, pulling together a few of the awesome women that we have been interviewing throughout the course of the podcast.


Nic Fillingham:

Yeah, we have taken, uh, three interviews that actually went live, uh, in episodes one, four, and seven respectively. So, if you haven't made your way back through the archive, if you haven't binged the Security Unlocked series so far, uh, you may have missed these ones. And, they are amazing, uh, interviews, so we wanted to, sort of, bring them out of the archive and pull them together for this special episode. First up, you're gonna hear from Holly Stewart, who was the first person that we profiled on the, on the podcast, on the first episode. Holly is affectionately known inside the Defender Org as the Queen of AI. She gives, sort of, a wonderful perspective on, on ML and AI.


Nic Fillingham:

Then we hear from Dr. Anna Bertiger, who has a PhD in Math and has this incredible energy and passion for how she uses her math to catch villains. I think you'll, you'll love that perspective. And then, we round it out with Sam Schwartz, who provides a wonderfully fresh viewpoint on security and coming into security as someone that's a little, sort of, newer in career into, in the cyber security space. I think it's gonna be a great episode.


Natalia Godyla:

Yes, and it doesn't stop there. We will be highlighting women throughout the month. So, we'll be covering different deep-dive topics with female security leaders at Microsoft as well as profiling a few women in their careers.


Nic Fillingham:

On with the pod?


Natalia Godyla:

On with the pod.


Nic Fillingham:

Welcome to the podcast, Holly Stewart. Hi Holly, thanks for your time today.


Holly Stewart:

Hello, thank you for having me.


Nic Fillingham:

Awesome. So, let's start with if you could just give us your title at Microsoft but, maybe more interestingly, sort of, walk us through what the day to day function is of your role?


Holly Stewart:

Sure. So, I am a Principal Research Lead at Microsoft, and I work in the endpoint protection side of research. And, I like to say, sort of, our team's superpower is using AI to help protect people. Machine learning and data science techniques are used everywhere within our research team, but with our team we have a primary focus on using those techniques to try to help people and keep them safe.


Nic Fillingham:

That's awesome. And, you run a team is that right Holly, how big's the team?


Holly Stewart:

It's about 25 now.


Nic Fillingham:

Yep, and they're all in the, sort of, AI data science, sort of, realm?


Holly Stewart:

Yeah, actually they're this super interesting mix of researchers, data, and data scientists and they come from all walks of life. We have folks who are security experts, who really understand what threats do, how they work, some of them understand criminal undergrounds and other things like that. And then, we have data scientists that come from many different facets, many of them not particularly experienced in security, but some may be an expert in deep learning, another person may be more on the anomaly detection side. But, you know, you take all these folks with different perspectives and different strengths and you put them together and really cool things happen.


Nic Fillingham:

So Holly, you talked about learning French and, sort of, what you studied at college. What other things in your, your education, your history pre-Microsoft do you, sort of, feel, sort of, brought you to where you are now, and that you're, sort of, using in your day? Perhaps things that, that maybe seem a little unorthodox.


Holly Stewart:

You know, I'll say that I, I grew up with a really strong work ethic, my family actually comes from farming. And, you know, my father has this really strong work ethic, he gets these guilt complexes about... if he's not doing something productive, he hasn't made... th- you know, the day is not complete. And, and somehow I'm instilled with that and so when I got into security, I kept seeing so many problems, just sort of the threat du jour, every single day we're just bombarded with information, it's, it's sort of an overload. And I always thought, how can we better solve this problem? How can we help people really understand what matters? And when I started getting into data science, I thought, this is the way, this is how we can make better decisions, help people make better decisions, and help protect them in a way where, you know, sort of focusing on the problem du jour really wasn't getting us anywhere, really wasn't moving the needle.


Nic Fillingham:

So perhaps that drive that maybe thought you were going to the Peace Corps, you're, you're sort of utilizing a similar motivation there, but now in the data science realm.


Holly Stewart:

Yeah, absolutely. I mean, I love being able to say that I go to work and the work that my team does, we are trying to help people every single day to keep them safe, keep them protected. It's, it's something that I feel good about.


Natalia Godyla:

That's great. And, and how do AI and ML factor into that when you're thinking about all of these big complex problems you want to take on?


Holly Stewart:

Yeah, it's a great question. Like if you think about how maybe we traditionally approach security research, where a researcher might reverse engineer some malicious program, figure out what it does, find some heuristic techniques to be able to detect that in the future, make sure those heuristic techniques don't detect the good things that we want our computers to run. That takes a lot of time. And the truth is that malware has become so complex that there's literally hundreds of millions of features that feed into what makes malware malware. It's really difficult for the human brain to wrap your mind around all these permutations, but that's the beauty of machine learning and AI, it's built for that.


Holly Stewart:

And so we take this incredible ecosystem diversity from, you know, benign applications to malicious applications, we feed that information into the machine learning systems, we train them how to recognize good from bad, and they can come up with these permutations that the human brain wouldn't be able to wrap their heads around. And that, that's really how I connect all those things together in our day to day.


Natalia Godyla:

Got it. And so what types of... when we say AI and ML, that's a relatively broad set of acronyms there, you know, what type of techniques, what type of approaches do you and your team use, or where are you, sort of, heavily invested?


Holly Stewart:

We invest in lots of things, so if I break down, and I'll say AI in quotes because I, I kind of use it interchangeably, to really just mean data science, it means data science approach. We use many different techniques from what you call supervised machine learning to unsupervised machine learning. With supervised machine learning, you're using signals to help teach the machine how to detect something new. So I may take a set of say, 100 files and 10 of them are bad and 90 of them are good, I extract a bunch of features from those files and then I feed that into a machine learning system to teach it how to detect new things that are similar to those files in the future. So that's what you call supervised.


Holly Stewart:

Unsupervised, is really good at finding what we call the unknown unknown. So, you know with supervised learning, you're teaching it something that you already know and it just gets better at that. With unsupervised, you're trying to find those pockets of uncertainty that maybe haven't even been classified before, or maybe should be clustered together. Or perhaps you know, using past data you find that, "Hey this is an anomaly, something I haven't seen before that doesn't have a label, but that could indicate that something bad is going on." And so we really use a combination of all of these approaches to help train machines to amplify human knowledge and also find the things that maybe as humans we were not thinking about in the first place.


Natalia Godyla:

Can you share a couple of examples of how this AI and ML is driving some of the Microsoft products, even products that, like Nic said, we use day to day?


Holly Stewart:

Yeah, absolutely. So there are a lot of files that use what we call social engineering to try to trick people into opening them. So one example that we saw over the past year is these attackers were using local business names and making it look like they were sending an invoice for that local business name, I think it was, uh, a landscaping firm or something like that. And so they were using that invoice that looked like it was from a local landscaper, sending it to these other businesses to try to trick them into opening up this invoice. And so inside it, it led to this phishing site and they would try and collect their credentials. Uh, and so, you know, when you're just looking at this file, you may not see that it looks benign, but the-the machine learning system, because it was able to extract all these different features from that file, it was able to see, "Hey, this-this is not a normal type of invoice that I would see from a legitimate business," and it was able to flag that as malicious and help keep those customers protected.


Natalia Godyla:

So Holly, what's next on the horizon, what are you most passionate about trying to solve next?


Holly Stewart:

Sure. So today we've done a pretty good job of using AI to help discriminate malicious software from benign software, not perfect but we've made a lot of progress in that area. But what's next on the horizon for us is really deeper than that, so it's great to discriminate malicious from bad but what more can I learn from that. Say for example, if we understand the entire Kill Chain of-of that malicious activity from how it arrived, to the victim, to what it did after, if the victim installed it or clicked it, to the file, sort of, motive of the attacker. And if we can understand that entire story, we can look at all of the pieces in that, what we call Kill Chain, and be able to provide protective guidance and automate protections to essentially learn from what attackers are doing today, and make our defenses stronger and stronger over time. And that's really the evolution of AI in security, is to help automate that for the customer. Because the amount of threats that we're facing, the amount of security information is an overload. And we have to get better, we have to automate, and we have to use AI to do it, to really get to where we need to go.


Natalia Godyla:

And how far away do you think this next step in the evolution is?


Holly Stewart:

I'm sure I'll be working on it for the rest of my life. (laughs).


Natalia Godyla:

(laughs).


Nic Fillingham:

Holly, do you have a Twitter account, do you have a blog, do you have anything you want to promote if folks want to learn more about you, your team, if you're hiring?


Holly Stewart:

So we post all of our content on the Microsoft Security blog, so you can find it there. And we are hiring data scientists, uh, here in the next week or so, we should have the postings up.


Nic Fillingham:

Great, so you would find them on the Microsoft careers website, probably under data science?


Holly Stewart:

Under data science or look for defender and data science, and you'll find us.


Natalia Godyla:

Thank you, Holly for your time today, it was fantastic to hear about your insights on AI.


Nic Fillingham:

Yeah thank you Holly, uh, you know, your time is busy, you're running a big team, doing some great work. We really appreciate you coming on the podcast.


Holly Stewart:

Thank you.


Nic Fillingham:

It was great to revisit that conversation with Holly, I'm really glad we got to pull that one out of the archive and bring it to newer listeners of the podcast. Up next, Dr. Anna Bertiger who tells us about her superpowers, which are utilizing math to catch villains. So I hope you enjoyed the conversation.


Nic Fillingham:

Dr Anna Bertiger, thank you so much for joining us. Welcome to the Security Unlocked podcast.


Dr Anna Bertiger:

Thank you so much for having me.


Nic Fillingham:

Um, if we could start with what is your title, and what does that really mean in sort of day to day terms. What do you do with Microsoft?


Dr Anna Bertiger:

So my title is senior applied scientist, but what I do is I find villains.


Nic Fillingham:

You find villains, how do you find villains?


Dr Anna Bertiger:

So I-I find villains in computer networks, it's all the benefits of the job as a superhero with none of the risks. And I do that using a combination of security expertise, and mathematics and statistics.


Nic Fillingham:

So you find villains with math?


Dr Anna Bertiger:

Yes, exactly.


Nic Fillingham:

Got it. And so, let's talk about math, what is your path to Microsoft, because I know it heavily involves math. How did you get here, and maybe what other sort of interesting entries might be on your LinkedIn profile?


Dr Anna Bertiger:

So, I got here by math, I guess.


Nic Fillingham:

(laughs).


Dr Anna Bertiger:

So, I come from academic mathematics, I have a PhD in math, and then I had a postdoctoral fellowship in the department of combinatorics and optimization at the University of Waterloo, in Waterloo Ontario, Canada.


Nic Fillingham:

Could you explain what that is because I, I heard syllables that I understood, but not words?


Dr Anna Bertiger:

(laughs). So that is the department unique to the University of Waterloo. So, optimization is, you know, maximizing, minimizing type problems.


Nic Fillingham:

Got it.


Dr Anna Bertiger:

And combinatorics is a fancy word for counting things.


Nic Fillingham:

Combinatorics.


Dr Anna Bertiger:

Yeah, which you can do in fancy and complicated ways, and so-so that's what I did when I was not going to make mathematician, is I counted things in fancy and complicated ways that told me interesting things frequently about geometry. And then I decided that I wanted to see the impact of what I did in mathematics in the real world, in a timeframe that I could see, and not on the sort of like, you think of beautiful thoughts, it's really lovely it's a lot of fun. And then hopefully someone uses them eventually. And so I looked for jobs outside of academia. And then one day, a friend at Microsoft, uh, sent me a note that said, if you like your job that's great but if you don't, my team wants to hire somebody with a PhD in combinatorics. And I said, That's me. (laughs).


Nic Fillingham:

(laughs).


Dr Anna Bertiger:

And so, I, uh, you know, it took a while. I flew out for an interview, they asked me lots of questions. I, when I'm interviewing for a job, I evaluate how cool the job is by how cool the questions they asked me are. If they asked me interesting questions, that's a good sign. If they asked me boring questions, maybe I don't want to work there.


Natalia Godyla:

Was there something that drew you to the cybersecurity industry when your friend showed you this job wo-, did you see security and go, Yeah that's cool?


Dr Anna Bertiger:

So I didn't actually see security in that job, like that team was, didn't only work on fraud, we worked on, we also worked on a bunch of marketing related problems. But I really loved the fraud related problems, I really loved the adversarial problems, I-I like having an adversary. I view it as this like comforting, friendly thing, like you solve the problem. Don't worry, they'll make you a new one.


Nic Fillingham:

(laughs).


Dr Anna Bertiger:

It's true.


Nic Fillingham:

So hang on, so you, you go to bed at night and sleep soundly knowing that there are more villains out there?


Dr Anna Bertiger:

I mean, I would kind of like to get rid of all the villains, but also like, they're building me some really old problems, like on a-


Nic Fillingham:

Yeah, you-you're a problem solver and they're throwing some good challenges at you.


Dr Anna Bertiger:

Right, I'm gonna like make the world a better place. School of thought, I would like them all to disappear off the face of the planet. On the like entertaining me portion, problems are pretty good. And so I worked a bunch on-on credit card fraud related problems on that team, and at some point a PM joined that team, who had a, who was a cybersecurity person who had migrated to fraud. And I said, well, you know, I'm not a cybersecurity person. And he said, Oh no, you are. It's a personality type and it's you.


Nic Fillingham:

(laughs).


Dr Anna Bertiger:

And then, and then I worked on some other things, you know, worked on some other teams at Microsoft, did some Windows quality related things. And it-it just wasn't as much fun, and I found my way back to cybersecurity and I've been here since.


Natalia Godyla:

How do you use AI or ML tools to solve some of these problems?


Dr Anna Bertiger:

So, the AI and ML is about learning what's normal. And then when you say, "Hey, this isn't normal, that might be malicious. Someone should look at it." So, our AI and ML is human-in-the-loop driven. We don't act on the basis of the AI and ML the way that some other folks might, and there are certainly security teams that have AI and ML that makes decisions, and then acts on them on its own. That is not the case. My team builds AI and ML that powers humans who work in security operation centers, to look at the results. And so, I use ML to learn what's normal. Then, what's not normal, I say, "Hey, you might want to look at this because it's a little squiffy looking." And, then a person acts on it.


Dr Anna Bertiger:

And so, I use a lot of statistical modeling to figure out what's normal. So, I fit, uh, a statistical distribution to some numerical data about the way the world is working. And, then calculate a P-value, that you might remember from Stat 1 if that's something you've done, to say, "Oh, yeah. Well, there's, you know, only a tenth of a percent chance that, like, this many bytes transferred between this pair of machines under normal behavior. Someone should look at that. That's a lot of data moving."


Dr Anna Bertiger:

And, there, I like to use a group of methods called spectral methods. So, they're about, if I have this graph, I have a bunch of vertices and I can have edges between them, I could make a matrix that has a one in cell (i, j) if there's a vert- if there's an edge between vertex i and vertex j. Let me know if I am getting too technically deep here.


Nic Fillingham:

You are but keep going.


Dr Anna Bertiger:

And (laughs), and then, now I have a giant matrix. And so, I can apply all the tools of linear algebra class to it. And, one of the things I can do is look at its eigenvalues and eigenvectors. And, one way you might, sort of, compress this data is to project along the eigenvectors corresponding to the eigenvalues that are large in absolute value. And, now, you know, we can say things like, "All the points that are likely to be connected end up close together."


Dr Anna Bertiger:

And, we can try and learn something about the structure of the network and what's strange. And, we've done a bunch of research in that direction. That is stuff I'm particularly proud of.


Natalia Godyla:

What are you most interested in solving next. What are you really passionate about?


Dr Anna Bertiger:

I'm really passionate about two things. One of which is, sort of, broadly speaking, finding- finding villains. Finding bad guys. So, part of what I do is dictated by what they do. Right? They- They change their- change their games, I have to change mine, too. And then, also, I have a collection of tools that I think are really mathematically beautiful that I'm really passionate about. And, those are spectral methods on graphs and, sort of, graphs in general.


Dr Anna Bertiger:

And so, I'm really passionate about finding good applications for those. I'm passionate about understanding the structure of how computers, people, what have you, connect with each other and interact. And, how that tells us things about what is typical and what is atypical and potentially ill-behaved on computer networks. And, using that information to find horrible people.


Dr Anna Bertiger:

I think- I stopped being surprised by what our adversaries can do. Because, they are smart people who work hard. Sometimes, I'm disappointed in the sense of like, "Damn, I thought I solved that problem and they're back." But that's (laughs) I mean, and that's mostly just you feel like the, like, sad balloon three days after the party.


Natalia Godyla:

At the end of the day, why do you do what you do?


Dr Anna Bertiger:

I think there are two reasons I do what I do. Uh, the first which is I want to make the world a better place with the ways I spend my time. And, I think that catching horrible people on computer networks makes the world a better place. And, the other of which is that it's really just a ton of fun. I- I really do have a lot of fun. We- We think about really cool things. Neat concepts in computing and beautiful mathematics. And, I get to do that all day, every day, with other smart people. Who wouldn't want to sign up for that?


Natalia Godyla:

You've called Mathematics beautiful a couple of times. Can you elaborate? What do you find beautiful about Math? What draws you to Math?


Dr Anna Bertiger:

I find the ideas in Math really beautiful. And, I think that's a very common thing for people who have a bunch of exposure to Advanced Mathematics. But, it isn't a thing we filter to folks in school as well as I would like. The- If you think about the Pythagorean theorem, that's a theorem that most people learned in high school geometry, that says that-


Nic Fillingham:

I know that one.


Dr Anna Bertiger:

... square of the lengths of the two sides of a right- two legs of a right triangle equals the- sum together equals the square of the hypotenuse lengths. And, if you-


Nic Fillingham:

Correct.


Dr Anna Bertiger:

That is-


Natalia Godyla:

(Laughs)


Dr Anna Bertiger:

... a fact. Okay. And, if you learn it as a piece of trivia then you go, "Okay, that's a thing that I know for the test." And, you write it down and you put it on a flash card or whatever. But, what I think is really beautiful, is the idea of, "How do you think that up?" And, the, sort of, human ingenuity in figuring out that that's true. And, the- the beautiful ways you can show that that is true. For sure, there's some really, really beautiful ways to be able to prove to yourself that that is true.


Nic Fillingham:

Changing topics, sort of, slightly. Are you all Math all the time? You know, do you have a TV show you're binging on Netflix? Do you have computer games you like to play? Are you a rock climber? What's the other side of the Math brain?


Dr Anna Bertiger:

So, the other side of the Math brain for me is things that force my brain to focus on something that is entirely not work. And so, I really love horses and I have a horse. And, I love spending time with her and I love riding her. She's both a wonderful pet and just a thrill to ride.


Nic Fillingham:

Awesome.


Natalia Godyla:

Well, Anna, it was a pleasure to have you on the show today. Thank you for sharing your love of Math and horses and hopefully we'll be able to bring you back to the show another time.


Dr Anna Bertiger:

Thank you so much for having me.


Natalia Godyla:

I'm so thankful we got to re-listen to Anna's episode. Up next, we'll be talking with Sam Schwartz, who is a program manager for the Microsoft Threat Experts team. But, she wasn't always targeting security. She started out as a chemical engineer. So, hope you enjoy hearing about her career from chemistry to security.


Natalia Godyla:

Hello, everyone. We have Sam Schwartz on the podcast today. Welcome, Sam.


Sam Schwartz:

Hi, thanks for having me.


Natalia Godyla:

It's great to have you here. So, uh, you are a security PM at Microsoft. Is that correct?


Sam Schwartz:

That is correct.


Natalia Godyla:

Awesome. Well, can you tell us what that means? What does that role look like? What is your day to day function?


Sam Schwartz:

Yeah. So, I support, currently, a product called the Microsoft Threat Experts. And, what I'm in charge of is ensuring that the incredible security analysts that we have, that are out saving the world every day, have the correct tools and processes and procedures and connections to be the best that they can be.


Natalia Godyla:

So, what do some of those processes look like? Can you give a couple examples of how you're helping to shape their day to day?


Sam Schwartz:

Yeah. So, what Microsoft Threat Experts does is it is a managed threat hunting service provided by our Microsoft Defender ATP product. And, what they do is our hunters will go through our customer data in a compliant, safe way and they will find bad guys, human adversaries, inside of the customer telemetry. And, then they notify our customers via a service called the Targeted Attack Notification Service. So, we'll send an alert to our customers and say, "Hey, you have an adversary in your network. Please go do these following things. Also, this is the story about what happened. How they got there and how you can fix it."


Sam Schwartz:

So, what I do is I try to make their lives easier by initially providing them with the best amount of data that they can have when they pick up an incident. So, when they pick up an incident, how do they have an experience where they can see all of the data that they need to see. Instead of just seeing one machine that could have potentially been affected, how do they see multiple machines that have been affected inside of a single organization? So, they have an easier time putting together the kill chain of this attack.


Sam Schwartz:

So, getting the data and then also be- having a place to visualize the data and easily make a decision as to whether or not they want to tell a customer about it. Does it fit the criteria? Does it not? Is this worth our time? Is this not worth our time? And then, also, providing them with a path to, with that data, quickly create an alert to our customers that they know what they're doing.


Sam Schwartz:

So, rather than our hunters having to sit and write a five-paragraph essay about what happened and how it happened, have the ability to take the data that we already have, create words in a way that are intuitive for our customers and then send it super quickly within an hour to two hours of us finding that behavior.


Sam Schwartz:

So, all of those little tools and tracking and metrics and easier, like, creating ... from data, creating words, sending it to the customers, all of that is what I plan from a higher level to make the hunters be able to do that.


Nic Fillingham:

Tell us about how you found yourself in the security space and, maybe it's a separate story, maybe it's the same story, and how you got to Microsoft. We'd love to learn your journey, please.


Sam Schwartz:

It is the same story. Growing up, I loved chemistry.


Nic Fillingham:

That's too far back, too far back.


Sam Schwartz:

I know, I know, I know.


Nic Fillingham:

Oh, sorry, sorry.


Sam Schwartz:

I loved-


Nic Fillingham:

No, let's start there.


Sam Schwartz:

I loved chemistry. I loved like molecules and building things and figuring out how that all works. So when I went to college, I was like, "I want to study chemical engineering." Um, so I, through my education, became a chemical engineer (laughing). But I found that I really liked coding. Uh, we had to take a- a fundamentals class at the beginning and I really enjoyed the immediate feedback that you got from coding, like you did something wrong, it tells you immediately that you messed up. And also when you messed up and you're super frustrated and you're like, "Why didn't this work?" like, "I did it right," you didn't do it right. It messed up for a reason, and I really liked that and I thought it was super interesting. And I found myself like gravitating towards jobs that- that involved coding. So I worked for Girls Who Code for a summer. I worked for Dow Chemical Company, but in their robotics division, so I was still like chemical engineering, but I got to do robots.


Sam Schwartz:

And then when I graduated, I was like, "I think I want to work in- in computer science. I don't like this chemical engineering." It was quite boring. Even though they said it would get more fun, it never did. We ended up watching water boil for a lot of my senior year of college and I was like, "I want- I want to join a tech company." And I looked at Microsoft and they're one of the only companies that provide a program management job for college hires so ... And I interviewed, I was like, "I want to be a PM," sounds fun, get to hang out with people and I ended up getting the job, which is awesome. And I walked on my first day, my team and they're like, "You're on a threat intelligence team." I was like, "What does that mean?" (Laughs) And-


Nic Fillingham:

Oh, hang on. So did you not know what PM role you were actually going to get?


Sam Schwartz:

Nope. They told me that I was slated for the Windows ... I was going to be on a Windows team. So in my head like that entire summer, I was telling people (laughing) I was going to work on the start button just 'cause like that's what I ... I was like, "If I'm going to get stuck anywhere, I'm going to have to do the start button." Like that's what my-


Nic Fillingham:

That's all there is. Windows is just now ... It's just a start button. So yeah.


Sam Schwartz:

I was like that's what ... I was like, "Guaranteed, I'm going to get the start button," or like Paint. Actually, I probably would've enjoyed Paint a lot, but the start button (laughing). And I came and they're like, "You're on a threat intelligence team," and I was like, "Oh, fun." And it was incredible. It was an incredible start of something that I had no idea what anyone was talking about. When they were first trying to explain it to me like in layman's terms, they're like, "Oh, well, there's malware and we have to decide how it gets made and how we stop it." And I was like, "What's malware? Like I don't ... " I was like, "You need to like really dumb it down (laughs). I have no idea what we're talking about."


Sam Schwartz:

And initially when I started on this threat intelligence team, there were only five of us. So I was a PM and they had been really wanting a PM. They, apparently before they met me, weren't ... were happy to get a PM, but weren't so happy I was a college hire. They're like, "We need ... " They were like, "We need s-


Nic Fillingham:

Who had never heard of malware.


Sam Schwartz:

"We need structure." (Laughs)


Nic Fillingham:

And thought Windows was just a giant anthropomorphic start menu button.


Sam Schwartz:

They're like, "We need structure and we need a person to help us." And I was like, "Hi. Nice to meet you all." And so we had two engineers who were building tools for our two analysts. Um, and it was ... We called ourselves like a little startup inside of, uh, security research, inside of the security and compliance team, 'cause we were kind of figuring it out. We were like, "Threat intelligence is a big market. How do we provide this notion of actionable threat intelligence?" So rather than having static indicators of compromise, how do we actually provide a full story and tell customers how to configure and harden their machines, and tell a story around the actions that you take to initiate all of these- These configurations are going to help you more than just blocking IOCs that are months old. So figuring out how to best provide ... give our analysts tools, our TI analysts, and then allow us to better Microsoft products as a whole. So based on the information that our analysts have, how do we kind of spread that message ac- across the teams in Microsoft and make our products better?


Sam Schwartz:

So we were kinda figuring it out and I shadowed a lot of analysts and I read a lot of books and watched a lot of talks. I would watch talks and write just like a bunch of questions and finally, as you're around all these incredibly intelligent security people, you start to pick it up. And after about a year or so, I would sit in meetings and I would listen to myself speak and I was like, "Did I say that?" Like, "Was that- was that me that, one, understood the question that was asked of me and then also was able to give an educated answer?" It was very shocking and quite fun, and I still feel that way sometimes. But I guess that's my journey into security.


Natalia Godyla:

Do you have any other suggestions for somebody who is in their last years of college or just getting out of college and they're listening to this and saying, "Heck, yes. I want to do what Sam's doing?" Uh, any other applicable skills or tricks for getting up to speed on the job?


Sam Schwartz:

I think a lot of the PM job is the ability to work with people and the ability to communicate, and understand what people need and be able to communicate that in a way that maybe they can't communicate, see people's problems and be able to fix them. But I think a lot of the PM skills you can get by working collaboratively in groups and that, you can do that in jobs. You can do that in- in classes. There's ample opportunity to work with different people: volunteering, mentoring, working with people and being able to communicate effectively and connect to people and understand, be empathetic, understand their issues and try to help is something that everyone can do and I think everyone can be an effective PM.


Sam Schwartz:

On the security side, I think reading and listening. I mean even the fact that ... I mean the hypothetical is that someone listening to this podcast is already light years ahead of where I was when I- when I started, but just listening, keeping up to date, reading what's going on in the news, understanding the threats, scouring Twitter for all the- all the goodness going on. (Laughing)


Sam Schwartz:

That's a way to- to stay on- on top.


Nic Fillingham:

Tell us about your role and how you interface with data scientists that are building machine learning models and sort of AI systems. Where- where are you able to ... Are you a consumer of those models and systems? Are you contributing to them? Are you helping design them? What's ... How do you- how do you fit into that picture?


Sam Schwartz:

So a little bit of all of the things that you mentioned. Being a part of- of our MTE service, we have so many parts that would love some- some data science, ML, AI help, and we are both consumers and contributors to that. So we have data scientists who are creating those traps that I was talking about earlier for us, who are creating the indicators of malicious, anomalous behavior that our hunters then key off of. Our hunters also grade these traps and then, we can provide that back to the data scientists to make their algorithms better. So we provide that grading feedback back to them to have them then make their traps better. And our hope is that eventually, their traps, so these low fidelity signals, become so good and so high fidelity that we actually don't even need them in our service. We can just put them directly in the product. So we work, we start from the- the incubation, we provide feedback and then we, hopefully, see our- our anomaly detection traps grow and- and become product detections, which is an awesome lifecycle to be a part of.


Natalia Godyla:

Thank you, Sam, for joining us on the show today. It was great to chat with you.


Sam Schwartz:

Thank you so much for having me. I've had such a fun time.


Natalia Godyla:

Well, we had a great time unlocking insights into security from research to artificial intelligence. Keep an eye out for our next episode.


Nic Fillingham:

And don't forget to tweet us @msftsecurity or email us at securityunlocked@microsoft.com with topics you'd like to hear on a future episode. Until then, stay safe.


Natalia Godyla:

Stay secure.

And I felt confident upon reading their blog that this was indeed automated, how it's being captured though, I still don't know.Natalia Godyla: (22:35)What's next for your research on IcedID? Does this round out your team's efforts in understanding this particular threat, or are, are you now continuing to review the emails, understand more of the attack?Emily Hacker: (22:52)So this is certainly not the end for IcedID. Through their Microsoft Security Intelligence, Twitter account. I put out my team and I put out a tweet just a couple of weeks ago, about four different IcedID campaigns that we were seeing all at the same time. I do believe this was one of them. They don't even seem related. There was one that was emails that contained, um, zip files. There was one that contained emails that contained password protected zip files that was targeting specifically Italian companies. There was this one, and then there was one that was, um, pretending to be Zoom actually. And that was even a couple of weeks ago. So there's gonna be more since then. So it's something that, like I mentioned briefly earlier, IcedID almost feels to be kind of, it feels a little bit like people are calling it like a, the next wave of replacement after Emotech are taken down. Emily Hacker: (23:43)And I don't know necessarily that that's true. I don't know that this will be the new Emotech so to speak, Emotech was Emotech And IcedID is IcedID but it does certainly feel like I've been seeing it a lot more lately. A lot of different attackers seem to be using it and therefore it's being delivered in different ways. So I think that it's gonna be one that my team is tracking for awhile, just by nature of different attackers using it, different delivery mechanisms. And it'll be, it'll be fun to see where this goes.Nic Fillingham: (24:13)What is it about this campaign or about this particular technique that makes it your Moby Dick-Emily Hacker: (24:17)(laughs) Nic Fillingham: (24:17)... 
if I may use the analogy.Emily Hacker: (24:20)I don't know. I've been thinking about that. And I think it has to do with the fact that it is so, like, it just feels like a low blow. I don't know. I think that's literally it like they're abusing the company's infrastructure. They're sending it to like people whose job is to make sure that their companies are okay. They're sending a fake legal threat. They're using legit Google sites. They're using a legit Google authentication, and then they're downloading IcedID. Like, can you at least have the decency, descend to crappy like unprotected zip attachment so that-Nic Fillingham: (24:49)(laughs)Emily Hacker: (24:49)... we at least know you're malicious, like, come on. It's just for some reason it, I don't know if it's just 'cause it's different or if it's because I'm thinking back to like my day before security. And I, if I saw this email as this one that I would fall for, like maybe. And so I think that there's just something about that and about the, the fact that it's making it harder to, to fully scope and to really block, because we don't want to block legitimate contact emails from being delivered to these companies. And obviously they don't want that either. So I think that's it.Nic Fillingham: (25:22)What is your guidance to customers? You know, I'm a security person working at my company and I wanna go run this query. If I run this, I feel like I'm gonna get a ton of results. What do I do from there?Emily Hacker: (25:33)That's a good question. So this is an advanced hunting query, which can be used in the Microsoft Security portal. And it's written in advanced hunting query language. So if a customer has access to that portal, they can just copy and paste and search, but you're right. 
It is written fairly generically to a point where if you don't have, you know, advanced hunting, you can still read this and search and whatever methodology, whatever, you know, searching capabilities you do have, you would just have to probably rewrite it. But what this one is doing the top one, 'cause I, I have two of them written here. The first one is looking specifically at the email itself. So that rejects that's written there is the, um, site.google.com.Emily Hacker: (26:16)All of the emails that we have seen associated with this have matched on that rejects. There was this morning, like I said, I was talking to a different team that was also looking into this and I'm trying to identify if she found, um, a third pattern, if she did, I will update the, um, AHQ and we have, we can post AHQ publicly on the Microsoft advanced hunting query, get hub repo, which means that customers can find them if we, if we change them later and I'll be doing that if that's the case, but point being this rejects, basically it takes the very long, full URL of this site.google.com and matches on the parts that are fairly specific to this email.Emily Hacker: (27:02)So they all contain, you know, some of them contain ID, some of them don't, but they all contain that like nine characters, they all contain view. It's just certain parts of the URL that we're seeing consistently. And that's definitely not by itself going to bubble up just the right emails, which is why have it joined on the email events there. And from there, the, I have instructed the users to replace the following query with the subject line generated by their own contacts, their own websites contact submission form. What I have in there are just a few sample subject lines. So if your website contact form generates the subject line of contact us or new submission or contact form, then those will work. But if the website con-, you know, contact form, I've seen a bunch of different subject lines. 
Then what this does is that it'll join the two. So that it's only gonna bubble up emails that have that sites.google.com with that specific pattern and a subject line relating to the contact form. Emily Hacker: (28:02)And given the searching that I've done, that should really narrow it down. I don't think there's going to be a ton in the way of other contact emails that are using sites.google.com that are showing up for these people. I wouldn't be surprised if this did return one email and it turned out to be a malicious email related to this campaign. But if the contact form generates its own subject line per what the user inputs on the website, then, you know, the screenshots that are in the blog may help with that, but it might be more difficult to find in that case. There's a second advanced hunting query there, which we'll find on the endpoint.Natalia Godyla: (28:37)And I know we're just about at time here, but one quick question on endpoint security. So if a customer is using Microsoft Defender for endpoint, will it identify and stop IcedID?Emily Hacker: (28:49)Yes, it will. The IcedID payload in this case, we're seeing Defender detecting it and blocking it. And that was what, one of the things I was talking about earlier is that Defender is actually doing such a good job. That it's a little bit difficult for me to see what's, uh, gonna happen next because I'm limited to, um, seeing kind of what is happening on customer boxes. And so, because our products are doing such a good job of blocking this, it means that I don't have a great view of what the attacker was going to do next because they can't, 'cause we're blocking it. So it's of mostly a win, but it's stopping me from seeing if they are planning on doing, you know, ransomware or whatever, but I'd rather not know if it means that our customers are protected from this.Nic Fillingham: (29:32)Well, Emily Hacker, thank you so much for your time. Thanks to you and Justin for, for working on this. 
Um, we'd love to have you back again on Security Unlocked to learn more about some of the great work you're doing.Emily Hacker: (29:41)Definitely, thank you so much for having me.Natalia Godyla: (29:47)Well, we had a great time unlocking insights into security, from research to artificial intelligence. Keep an eye out for our next episode.Nic Fillingham: (29:54)And don't forget to tweet us @msftsecurity or email us at securityunlockedatmicrosoft.com, with topics you'd like to hear on a future episode. Until then, stay safe.Natalia Godyla: (30:05)Stay secure.