Security Unlocked

Enterprise Resiliency: Breakfast of Champions

Ep. 15

Prior to the pandemic, workdays used to look a whole lot different. If you had a break, you could take a walk to stretch your legs, shake the hands of your co-workers, or get some 1-on-1 face time with the boss. Ahh... those were the days. That close contact we once had is now something that many of us yearn for as we’ve had to abruptly lift and shift from living in our office to working from our home. But communicating and socializing aren’t the only things that were easier back then. The walls of your office have expanded, and with them, the boundaries of your security protocols. Small in-office tasks like patching a server have now become multi-step processes that require remote management, remote updates, and remote administrative control. With that comes the prioritization of resilience and what it means for enterprises, customers, and security teams alike. That’s where remote enterprise resiliency comes into play.  


Today on the pod, we explore the final chapter of the MDDR. Irfan Mirza, Director of Enterprise Continuity and Resilience at Microsoft, wraps up the observations from the report by giving hosts Nic Fillingham and Natalia Godyla the rundown on enterprise resiliency and discusses how we can ensure the highest levels of security while working from home. Irfan explains the Zero Trust model and how Microsoft is working to extend security benefits to your kitchen or home office, or... that makeshift workspace in your closet.


In the second segment, Andrew Paverd, Senior Researcher on the Microsoft Security Response Center Team and jack of all trades, stops by… and we’re not convinced he’s fully human. He’s here to tell us about the many hats he wears, from safe systems programming to leveraging AI to help with processes within the MSRC, and shares how he has to think like a hacker to prevent attacks. Spoiler alert: he’s a big follower of Murphy’s Law.   


In This Episode, You Will Learn:  

• How classical security models are being challenged 

• What the Zero Trust Model is and how it works  

• The three critical areas of resilience: extending the enterprise boundary, prioritizing resilient performance, and validating the resilience of our human infrastructure.  

• How hackers approach our systems and technologies 

 

Some Questions We Ask: 

• How has security changed as a product of the pandemic? 

• Do we feel like we have secured the remote workforce? 

• What frameworks exist to put a metric around where an organization is in terms of its resiliency? 

• What are Control Flow Guard (CFG) and Control-Flow Integrity?

• What’s the next stage for the Rust programming language?  


Resources: 

Microsoft Digital Defense Report: 

https://www.microsoft.com/en-us/security/business/security-intelligence-report 


Irfan’s LinkedIn 

https://www.linkedin.com/in/irfanmirzausa/ 


Andrew’s LinkedIn 

https://www.linkedin.com/in/andrewpaverd/ 


Nic’s LinkedIn    

https://www.linkedin.com/in/nicfill/    


Natalia’s LinkedIn    

https://www.linkedin.com/in/nataliagodyla/    


Microsoft Security Blog:     

https://www.microsoft.com/security/blog/   


Related:

Security Unlocked: CISO Series with Bret Arsenault

https://SecurityUnlockedCISOSeries.com


Transcript

(Full transcript can be found at https://aka.ms/SecurityUnlockedEp15)


Nic Fillingham:

Hello, and welcome to Security Unlocked, a new podcast from Microsoft, where we unlock insights from the latest in news and research from across Microsoft security, engineering and operations teams. I'm Nic Fillingham.


Natalia Godyla:

And I'm Natalia Godyla. In each episode, we'll discuss the latest stories from Microsoft Security, deep dive into the newest threat intel, research and data science.


Nic Fillingham:

And profile some of the fascinating people working on artificial intelligence in Microsoft Security.


Natalia Godyla:

And now let's unlock the pod. Hi Nic, I have big news.


Nic Fillingham:

Big news. Tell me a big news.


Natalia Godyla:

I got a cat. Last night at 8:00 PM, I got a cat.


Nic Fillingham:

Did it come via Amazon Prime drone?


Natalia Godyla:

No.


Nic Fillingham:

Just, that was a very specific time. Like 8:00 PM last night is not usually the time I would associate people getting cats. Tell me how you got your cat.


Natalia Godyla:

It was a lot more conventional. So I had an appointment at the shelter and found a picture of this cat with really nubby legs and immediately-


Nic Fillingham:

(laughs).


Natalia Godyla:

... fell in love obviously. And they actually responded to us and we went and saw the cat, got the cat. The cat is now ours.


Nic Fillingham:

That's awesome. Is the cat's name Nubby?


Natalia Godyla:

It's not, but it is on the list of potential name changes. So right now the cat's name is Tipper. We're definitely nervous about why the cat was named Tipper.


Nic Fillingham:

(laughs).


Natalia Godyla:

We're hiding all of the glass things for right now.


Nic Fillingham:

How do we get to see the cat? Is there, will there be Instagram? Will there be Twitter photos? This is the most important question.


Natalia Godyla:

Wow. I haven't planned that yet.


Nic Fillingham:

You think about that and I'll, uh, I'll start announcing the first guest on this episode.


Natalia Godyla:

(laughs).


Nic Fillingham:

On today's episode, we speak with Irfan Mirza, who is wrapping up our coverage of the Microsoft Digital Defense Report with a conversation about enterprise resiliency. Now, this is really all of the chapters that are in the MDDR, the nation state actors, the increase in cyber crime sophistication, business email compromise that you've heard us talk about on the podcast, all gets sort of wrapped up in a nice little bow in this conversation where we talk about all right, what does it mean, what does it mean for customers? What does it mean for enterprises? What does it mean for security teams? And so we talk about enterprise resiliency. And we actually recorded this interview in late 2020, but here we are, you know, two months later and those findings are just as relevant, just as important. It's a great conversation. And after that, we speak with-


Natalia Godyla:

Andrew Paverd. So he is a senior researcher on the Microsoft Security Response Center team. And his work is well, well, he does a ton of things. I honestly don't know how he has time to pull all of this off. So he does everything from safe systems programming to leveraging AI, to help with processes within MSRC, the Microsoft Security Response Center. And I just recall one of the quotes that he said from our conversation was hackers don't respect your assumptions, or something to that effect, but it's such a succinct way of describing how hackers approach our systems and technology. So another really great conversation with a, a super intelligent researcher here at Microsoft.


Nic Fillingham:

On with the pod.


Natalia Godyla:

On with the pod. Today, we're joined by Irfan Mirza, Director of Enterprise Continuity and Resilience, and we'll be discussing the Microsoft Digital Defense Report and more specifically enterprise resilience. So thank you for being on the show today, Irfan.


Irfan Mirza:

Thanks so much, glad to be here. And hope we have a, a great discussion about this. This is such an important topic now.


Natalia Godyla:

Yes, absolutely. And we have been incrementally working through the Microsoft Digital Defense Report, both Nic and I have read it and have had some fantastic conversations with experts. So really looking forward to hearing about the summation around resilience and how that theme is pulled together throughout the report. So let's start it off by just hearing a little bit more about yourself. So can you tell us about your day-to-day? What is your role at Microsoft?


Irfan Mirza:

Well, I lead the enterprise continuity and resilience team and we kind of provide governance overall at the enterprise. We orchestrate sort of all of the, the risk mitigations. We go and uncover what the gaps are, in our enterprise resilience story, we try to measure the effectiveness of what we're doing. We focus on preparedness, meaning that the company's ready and, you know, our critical processes and services are always on the ready. It's a broad space because it spans a very, very large global enterprise. And it's a very deep space because we have to be experts in so many areas. So it's a fun space by saying that.


Natalia Godyla:

Great. And it's really appropriate today then we're talking about the MDDR and enterprise resilience. So let's start at a high level. So can you talk a little bit about just how security has changed as a product of the pandemic? Why is resilience so important now?


Irfan Mirza:

Yeah, it's a great question. A lot of customers are asking that, our field is asking that question, people within the company are asking. Look, we've been 11 months under this pandemic. Maybe, you know, in some places like China, they've been going through it for a little bit longer than us, you know, a couple of months more. What we're finding after having sort of tried to stay resilient through this pandemic, uh, one obviously is on the human side, everyone's doing as much as we possibly can there. But the other part of it is on the enterprise side. What is it that we're having to think about as we think of security and as we think of enterprise resilience?


Irfan Mirza:

There are a couple of big things that I think I would note, one is that, look, when this pandemic hit us, our workforce lifted and shifted. I mean, by that, I mean that we, we, we got up out of our offices and we all left. I mean, we took our laptops and whatever we could home. And we started working remotely. It was a massive, massive lift and shift of personnel, right? We got dispersed. Everybody went to their own homes and most of us have not been back to the office. And it's not just at Microsoft, even, even a lot of our customers and our partners have not gone back to the office at all, right? So that, that's a prolonged snow day, if you want to call it that.


Irfan Mirza:

The other thing that happened is our workload went with us. Wasn't just that, "Hey, you know, I'm taking a few days off, I'm going away or going on vacation and, and I'll be checking email periodically." No, I actually took our work with us and we started doing it remotely. So what that's done is it's created sort of a, a need to go back and look at what we thought was our corporate security boundary or perimeter.


Irfan Mirza:

You know, in the classical model, we used to think of the corporation and its facilities as the, the area that we had to go and secure. But now in this dispersed workforce model, we have to think about my kitchen as part of that corporate perimeter. And all of a sudden we have to ensure that, that my kitchen is as secure as the corporate network or as the facilities or the office that I was working from. That paradigm is completely different than anything we'd thought about before.


Nic Fillingham:

And so Irfan, in the MDDR, uh, this section, um, and if you've got the report open, you're playing along at home, I believe it's page 71. This enterprise resiliency is sort of a wrap-up of, of a lot of the observations that are in the MDDR report. It's not a new section. It's as you're getting towards the end of the report, you're looking for, okay, now what does this mean to me? I'm a CSO. I need to make new security policies, security decisions for my organization. This concept of enterprise resiliency is sort of a wrap up of everything that we've seen across cyber crime, across the nation state, et cetera, et cetera. Is that, is that accurate? Is that a good way to sort of read that section in the report?


Irfan Mirza:

Yeah. It is really the, the way to think of it, right? It's sort of like a, the conclusion, so what, or why is this relevant to me and what can I do about it? When you think about the report and the way that it's structured, look, we, you know, the report goes into great detail about cyber crime as you called out Nic. And then it talks about nation state threats.


Irfan Mirza:

These are newer things to us. We've certainly seen them on the rise, actors that are well-trained, they're well-funded, they play a long game, not necessarily a short game, they're looking, they're watching and they're waiting, they're waiting for us to make mistakes or to have gaps, they look for changes in tactics, either ours, uh, they themselves are quite agile, right?


Irfan Mirza:

So when you think about the environment in which we have to think about resilience, and we have to think about security, that environment itself has got new vectors or new threats that are, that are impacting it, right? In addition to that, our workforce has now dispersed, right? We're all over the, all over the globe. We see emerging threats that are, that are, non-classical like ransomware. We see attacks on supply chain. We continue to see malware and malware growing, right?


Irfan Mirza:

And, and so when you think about that, you have to think if I need to secure now my, my dispersed corporate assets and resources, my people, the workload, the data, the services and the processes that are all there, what are the, the sort of three big things I would need to think about? And so this report sort of encapsulates all, all of that. It gives the details of what, what's happening. And, and then page 71, as you say, that resilience piece sort of comes back and says, "Look, your security boundary's extended. Like it or not, it is extended at this point. You've got to think beyond that on-site perimeter that we were thinking about before."


Irfan Mirza:

So we have to start thinking differently. And th- there's three critical areas that are sort of called out, acknowledging the security boundary has increased, thinking about resilience and performance, and then validating the resilience of our human infrastructure. This is like new ideas, but these are all becoming imperatives for us. We're having to do this now, whether we like it or not.


Irfan Mirza:

And so this report sort of gives our customers, and, and it's a reflection of what we're doing in the company. It's an open and honest conversation about how we propose to tackle these challenges that we're facing.


Nic Fillingham:

And so Irfan if we can move on to that critical area, number two, that prioritizing resilient performance. When I say the word performance and resilient performance, is that scoped down just to sort of IT infrastructure, or does that go all the way through to the humans, the actual people in the organization and, um, how they are performing their own tasks, their own jobs and the tasks that are part of their, their job and et cetera, et cetera? What's the, I guess what's the scope of that area too?


Irfan Mirza:

As we were thinking about resilience, as you know, shortly after we dispersed the workforce, we started thinking about, about what should be included in our classical understanding of resilience. But when you think about, about typical IT services and online services, and so on, a lot of that work is already being done with the live site reviews that we do and people are paying very close attention to service performance. We have SLAs, we have obligations, we have commitments that we've made that our services will be performing to a certain degree, but there are also business processes that are associated with these services very closely.


Irfan Mirza:

When you think about all of the processes that are involved and services that are involved from the time a customer thinks of buying Office, uh, 365, as an example, to the time that they provision their first mailbox, or they receive their first email, there are dozens of process, business processes.


Irfan Mirza:

Every single service in that chain could be working to 100% efficiency. And yet if the business processes aren't there, for instance, to process the deal, to process the contract, to process, uh, the customer's payment or, uh, acknowledge receipt of the payment in order to be able to provision the service, all of these processes, all of a sudden have to, we have to make sure that they're also performing.


Irfan Mirza:

So when we start thinking about resilience, up to now, business continuity has focused on, are you ready? Are you prepared? Are your dependencies mapped? Have you, have you done a business impact analysis? Are you validating and testing your preparedness? You know, are you calling down your call tree for instance? But I think where we're going now with true enterprise resilience, especially in this sort of modern day, we're, we're looking at performance, right? What, what is your preparedness resulting in? So if you stop and you think about a child at school, they get homework. Well, the homework really, they bring it home. They do it. They take it back to the teacher. They get graded on it. That's wonderful. This means that the child is ready. But at some point in time, the class or the teacher is going to give them a test, and that test is going to be the measure of performance, right?


Irfan Mirza:

So we need to start thinking of resilience and continuity in the same way. We're prepared. We've done all our homework. Now let's go and see how many outages did you have? How critical were the outages? How long did they last? How many of them were repeat outages? How many of the repeat outages were for services that are supposed to have zero downtime, like services that are always supposed to be on like your DNS service or your identity auth- authentication service, right? So, when you start thinking about, uh, resilience from that perspective, now you've got a new set of data that you have to go and capture, or data that you're capturing, you have to now have to have insights from it. You've got to be able to correlate your preparedness, meaning the homework that you've done with your actual performance, your outage and your, and your gap information. All right?


Irfan Mirza:

So that, that's what prioritizing resilient performance is all about. It's about taking realtime enterprise preparedness and mapping it to real time enterprise performance. That tells you if your preparedness is good enough or not, or what it is that you need to do. There's a loop here, a feedback loop that has to be closed. You can't just say that, well, you know, we've done all the exercises theoretically. We're good and we're ready to take on any sort of a crisis or, or, or disaster. Yeah, that's fine. Can we compare it to realtime what you're doing? Can we break glass and see what that looks like? Can we shut you down and or shut down parts of your operation as in the event of an earthquake for instance, or a hurricane wiping out, uh, access to a data center, right? Can we do those things and still be resilient when that happens? So this is what performance and resilience come together in that space.


Natalia Godyla:

So am I right in understanding that beyond, like you said, the theoretical where you think about the policies that you should have in place, and the frameworks that you should have in place, you have the analytics on, you know, the state of, the state of how performant your systems are to date. And then in addition, is there now the need for some sort of stress testing? Like actually figuring out whether an additional load on a system would cause it to break, to not be resilient? Is that now part of the new approach to resilience?


Irfan Mirza:

Yeah. There are, there are several, several things to do here, right? You absolutely said it. There's a stress test. Actually, this pandemic has, is already a stress test in and of itself, right? It's stressing us in many ways. It's stressing, obviously the psyche and, and, you know, our whole psychology, and our ability to sustain in quarantine, in isolated, in insulated environments and so on. But it's also testing our ability to do the things that we just so, uh, so much took for granted, like the ability to patch a server that's sitting under my desk in the office whenever I needed to, right? That server now has to become a managed item that somebody can manage remotely, patch remotely, update remotely when needed, control administrative access and privileges remotely. But yes, for resilience, I think we need to now collect all of the data that we have been collecting or looking at and saying, can we start to create those correlations between our preparedness and between our real performance?


Irfan Mirza:

But there's another area that this dovetails into which is that of human resilience, right? We talked a little bit earlier about, you know, sort of the whole world enduring this hardship. We need to first and foremost look at our suppliers, subcontractors, people that we're critically dependent on. What does their resilience look like? That's another aspect that we have to go back. In the areas where we have large human resources or, or workforces that are working on our behalf, we need to make sure that they're staying resilient, right?


Irfan Mirza:

We talked a lot about work/life balance before. Now I think the new buzzword in HR conference rooms is going to be work/life integration. It's completely integrated, and so we need to start thinking about the impact that would have. Are we tracking attrition of our employees, of certain demographics within the employees? Are we looking at disengagement? People just sort of, "Yeah, I'm working from home, but I'm not really being fully engaged." Right? The hallway conversations we used to have are no longer there. And we need to start thinking, are people divesting? Our resources, are they divesting in the workplace? Are they divesting in their, in their work or work/life commitment? These measures are all now having to be sort of like...


Irfan Mirza:

We used to rely on intuition, a look, a hallway gaze, look at the, the snap in somebody's walk as they walked away from you or out of your office. We don't have that anymore. Everybody's relatively stagnant. We're, we're, we're seated. We don't get to see body language that much. We don't get to read that. There's a whole new set of dynamics that are coming into play, and I think smart corporations and smart companies will start looking at this as a very important area to pay attention to.


Nic Fillingham:

How are we measuring that? What tools or sort of techniques, or, or sort of frameworks exist to actually put a metric around this stuff, and determine sort of where, where an organization is in terms of their level of resiliency?


Irfan Mirza:

This question is actually the whole reason why we brought this enterprise resilience sort of a conclusion to this fourth chapter, and, and, you know, the summation of this, of this report.


Irfan Mirza:

What we're doing now is we're saying, look. Things that used to be fundamentally within the domain of IT departments, or used to be fundamentally with, within the domain of live site, or used to be fundamentally in the domain of human resource departments are now all floating up to be corporate imperatives, to be enterprise imperatives. I think the thinking here is that we need to make sure that the data that we've been collecting about, as an example to answer your question, attrition, right? A certain demographic. Millennials, uh, changing jobs, leaving the company, just to pick an example more than anything else. This is no longer just data that the HR Department is interested in, or that recruiting would be interested in, or, or retention would be interested. This is data that's about to significantly impact the enterprise, and it needs to be brought into the enterprise purview.


Irfan Mirza:

Our classical and traditional models of looking at things in silos don't allow us to do that. What we're recommending is that we need to have a broader perspective and try to drive insights from this that do tell a more comprehensive story about our ent- enterprise resilience. That story needs to include the resilience of our services, our business processes, our suppliers, our human capital, our infrastructure, our extended security boundary, our data protection, uh, prevention of data loss, our intrusion detection. I mean, there's such a broad area that we have to cover. That's what we're saying. And, and as we implement this new sort of zero trust model, I think the, the effectiveness of that model, how much progress we're making is becoming an enterprise priority, not just something that the IT department is going to go around on its own.


Nic Fillingham:

Irfan, I wonder if I could put you on the spot, and were there any interesting bits of data that you saw in those first couple months of the shift to remote work where like, yeah, the number of unique devices on the Microsoft corporate network quadrupled in 48 hours. Like any, anything like that? I'm just wondering what, what little stats you may have in hand.


Irfan Mirza:

Yeah. The number of devices and sort of the flavors of devices, we've always anticipated that that's going to be varied. We're cognizant of that. Look, we have, you know, people have PCs. They have Macs. They have Linux machines, and, and they have service o- operating software. There's a lot of different flavors. And, and it's not just the device and the OS that matters, it's also what applications you're running. Some applications we can certify or trust, and others perhaps we can't, or that we still haven't gotten around to, to verifying, right? And all of these sit, and they all perform various functions including intruding and potentially exfiltrating data and spyware and malware and all of that. So when you think about that, we've always anticipated it.


Irfan Mirza:

But the one thing that, that we were extremely worried about, and I think a lot of our enterprise customers were worried about, is the performance of the workforce. What we found very early on in, in the, in the lift and shift phase was that we needed to have a way of measuring is our, our build processes working? Are we checking in the same amount of code as we were before? And we noted a couple of interesting things. We looked at our, our VPN usage and said, what do those numbers look like? Are they going up and down?


Irfan Mirza:

And I think what we found is that initially, the effect was quite comparable to what we had, uh, when we experienced snow days. Schools are shut down. People don't go to work. They're slipping and sliding over here. We're just not prepared for snow weather in, in this state like some of the others. So what happened is, we saw that we were, we were sort of seeing the same level of productivity as snow days. We say that we had the same level of VPN usage as snow days, and we were worried because that, you know, when, when it snows, people usually take the day off, and then they go skiing.


Irfan Mirza:

So what happened? Well, after about a week things started picking back up. People got tired of sort of playing snow day and decided that, you know what? It's time to, to dig in, and human nature, I think, kicked in, the integrity of the workforce kicked in. And sure enough, productivity went up, VPN usage went up, our number of sessions, the duration of sessions. Meetings became shorter.


Nic Fillingham:

Can I tell you hallelujah? (laughs)


Irfan Mirza:

(laughs)


Nic Fillingham:

That's one of the, that's one of the great-


Irfan Mirza:

Absolutely.


Nic Fillingham:

... upsides, isn't it? To this, this new culture of remote work is that we're all meeting for, for less amount of time, which I think, I think is fantastic.


Irfan Mirza:

Look, you know, in times of crisis, whether it's a natural disaster, or a pandemic, or, or a manmade situation such as a war or a civil war, or whatever, I, I think what happens is the amount of resources that you are customarily used to having access to gets limited. The way in which you work shifts. It changes. And so the, the true test of resilience, I think, is when you are able to adapt to those changes gracefully without requiring significant new investment and you're able to still meet and fulfill your customer obligations, your operational expectations. That really is.


Irfan Mirza:

So what you learn in times of hardship are to sort of live, you know, more spartan-like. And that spartan-ism, if there's such a word as that, that's what allows you to stay resilient, to say what are the core things that I need in order to stay up and running? And those fundamental areas become the areas of great investment, the areas that you watch over more carefully, the areas that you measure the performance of, the areas that you look for patterns and, and trends in to try to predict what's happening, right?


Irfan Mirza:

So that is something that carries over from experiences of being in the front lines of a, uh, a war or, or from being, uh, you know, in the midst of a hurricane trying to recover a data center, or an earthquake, or any other, uh, type of power outage, right? These are all the sort of key scenarios that we would be going to look at. And that's one of the things they all have in common. It's really that you don't have the resources or access to the resources that you thought you did, and now you've got to be able to do some things slightly differently.


Natalia Godyla:

Thank you for joining us on the podcast today. It's been great to get your perspective on enterprise resilience. Really fascinating stuff. So, thank you.


Irfan Mirza:

Thank you, Natalia. And, and thank you, Nic. It's been a great conversation. As I look back at this discussion that we had, I feel even, even stronger now that the recommendations that we're making, and the guidance that we're giving our customers and sharing our experiences, becomes really, really important. I think this is something that we're learning as we're going along. We're learning on the journey. We're uncovering things that we didn't know. We're looking at data in a different way. We're, we're trying to figure out how do we sustain ourselves, not just through this pandemic, but also beyond that. And I think the, whatever it is that we're learning, it becomes really important to share. And for our customers and people who are listening to this podcast to share back with us what they've learned, I think that becomes incredibly important because as much as we like to tell people what we're doing, we also want to know what, what people are doing. And so learning that I think will be a great, great experience for us to have as well. So thank you so much for enabling this conversation.


Natalia Godyla:

And now let's meet an expert from the Microsoft security team to learn more about the diverse backgrounds and experiences of the humans creating AI and tech at Microsoft. Welcome back to another episode of Security Unlocked. We are sitting with Andrew Paverd today, senior researcher at Microsoft. Welcome to the show, Andrew.


Andrew Paverd:

Thanks very much. And thanks for having me.


Natalia Godyla:

Oh, we're really excited to chat with you today. So I'm just doing a little research on your background and looks like you've had a really varied experience in terms of security domains consulting for mobile device security. I saw some research on system security. And it looks like now you're focused on confidential computing at Microsoft. So let's start there. Can you talk a little bit about what a day in the life of Andrew looks like at Microsoft?


Andrew Paverd:

Absolutely. I think I have one of the most fascinating roles at Microsoft. On a day-to-day basis, I'm a researcher in the confidential computing group at the Microsoft Research Lab in Cambridge, but I also work very closely with the Microsoft Security Response Center, the MSRC. And so these are the folks who, who are dealing with the frontline incidents and responding to reported vulnerabilities at Microsoft. But I work more on the research side of things. So how do we bridge the gap between research and what's really happening on the, on the front lines? And so I, I think my position is quite unique. It's, it's hard to describe in any other way than that, other than to say, I work on research problems that are relevant to Microsoft security.


Natalia Godyla:

And what are some of those research problems that you're focused on?


Andrew Paverd:

Oh, so it's actually been a really interesting journey since I joined Microsoft two years ago now. My background, as you mentioned, was actually more in systems security. So I had, I previously worked with technologies like trusted execution environments, but since joining Microsoft, I've worked on two really, really interesting projects. The, the first has been around what we call safe systems programming languages.


Andrew Paverd:

So to give a bit more detail about it in the security response center, we've looked at the different vulnerabilities that Microsoft has, has patched and addressed over the years and seen some really interesting statistics that something like 70% of those vulnerabilities for the pa- past decade have been caused by a class of vulnerability called memory corruption. And so the, the question around this is how do we try and solve the root cause of problem? How do we address, uh, memory corruption bugs in a durable way?


Andrew Paverd:

And so people have been looking at both within Microsoft and more broadly at how we could do this by transitioning to a, a different programming paradigm, a more secure programming language, perhaps. So if you think of a lot of software being written in C and C++ this is potentially a, a cause of, of memory corruption bugs. So we were looking at what can we do about changing to safer programming languages for, for systems software. So you might've heard about new languages that have emerged like the Rust programming language. Part of this project was investigating how far we can go with languages like Rust and, and what do we need to do to enable the use of Rust at Microsoft.


Natalia Godyla:

And what was your role with Rust? Is this just the language that you had determined was a safe, viable option, or were you part of potentially producing that language or evolving it to a place that could be safer?


Andrew Paverd:

That's an excellent question. So in, in fact it, it was a bit of both first determining is this a suitable language? Trying to define the evaluation criteria of how we would determine that. But then also once we'd found Rust to be a language that we decided we could potentially run with, there was an element of what do we need to do to bring this up to, let's say to be usable within Microsoft. And actually I, I did quite a bit of work on, on this. We realized that, uh, some Microsoft security technologies that are available in our Microsoft compilers weren't yet available in the Rust compiler. One in particular is, is called control flow guard. It's a Windows security technology and this wasn't available in Rust.


Andrew Paverd:

And so the team I, I work with looked at this and said, okay, we'd like to have this implemented, but nobody was available to implement it at the time. So I said, all right, let me do a prototype implementation and, uh, contributed this to the open source project. And in the end, I ended up following through with that. And so I've, I've been essentially maintaining the, the Microsoft control flow guard implementation for the, the Rust compiler. So really an example of Microsoft contributing to this open source language that, that we hope to be using further.


Nic Fillingham:

Andrew, could you speak a little bit more to control flow guard and control flow integrity? What is that? I know a little bit about it, but I'd love to, for our audience to sort of like expand upon that idea.


Andrew Paverd:

Absolutely. So this is actually an, an example of a technology that goes back to a collaboration between the MSRC, the, the security response center and, and Microsoft Research. This technology control flow guard is really intended to enforce a property that we call control flow integrity. And that simply means that if you think of a program, the control flow of a program jumps through to different functions. And ideally what you want in a well-behaved program is that the control always follows a well-defined path.


Andrew Paverd:

So for example, you start executing a function at the beginning of the function, rather than halfway through. If for example, you could start executing a function halfway through this leads to all kinds of possible attacks. And so what control flow guard does is it checks whenever your, your program's going to do a branch, whenever it's going to jump to a different place in the code, it checks that that jump is a valid call target, that you're actually jumping to the correct place. And this is not the attacker trying to compromise your program and launch one of many different types of attacks.


Nic Fillingham:

And so how do you do that? What's the process by which you do en- ensure that control flow?


Andrew Paverd:

Oh, this is really interesting. So this is a technology that's supported by Windows, at the moment it's only available on, on Microsoft Windows. And it works in conjunction between both the compiler and the operating system. So the compiler, when you compile your program gives you a list of the valid code targets. It says, "All right, here are the places in the program where you should be allowed to jump to." And then as the program gets loaded, the, the operating system loads this list into a highly optimized form so that when the program is running it can do this check really, really quickly to say, is this jump that I'm about to do actually allowed? And so it's this combination of the Windows operating system, plus the compiler instrumentation that, that really make this possible.


Andrew Paverd:

Now this is quite widely used in Windows. Um, we want in fact as much Microsoft software as possible to use this. And so it's really critical that we enable it in any sort of programming language that we want to use.


Nic Fillingham:

How do you protect that list though? So now you, isn't that now a target for potential attackers?


Andrew Paverd:

Absolutely. Yeah. And, and it becomes a bit of a race to, to-


Nic Fillingham:

Cat and mouse.


Andrew Paverd:

... protect different-


Natalia Godyla:

(laughs).


Andrew Paverd:

A bit of, a bit of a cat, cat and mouse game. But at least the nice thing is because the list is in one place, we can protect that area of memory to a much greater degree than, than the rest of the program.


Natalia Godyla:

So just taking a step back, can you talk a little bit about your path to security? What roles have you had? What brought you to security? What's informing your role today?


Andrew Paverd:

It's an interesting story of how I ended up working in security. It was when I was applying for PhD programs, I had written a PhD research proposal about a topic I thought was very interesting at the time on mobile cloud computing. And I still think that's a hugely interesting topic. And what happened was I sent this research proposal to an academic at the University of Oxford, where I, I was looking to study, and I didn't hear anything for, for a while.


Andrew Paverd:

And then, a fe- a few days later I got an email back from a completely different academic saying, "This is a very interesting topic. I have a project that's quite similar, but looking at this from a security perspective, would you be interested in doing a PhD in security on, on this topic?" And, so this was my very mind-blowing experience for me. I hadn't considered security in that way before, but I, I took a course on security and found that this was something I was, I was really interested in and ended up accepting the, the PhD offer and did a PhD in system security. And that's really how I got into security. And as they say, the rest is history.


Natalia Godyla:

Is there a particular part of security, a particular domain within security that is most near and dear to your heart?


Andrew Paverd:

Oh, that's a good question.


Natalia Godyla:

(laughs).


Andrew Paverd:

I think, I, I think for me, security it- itself is such a broad field that we need to ensure that we have security at, at all levels of the stack, at all places within the chain, in that it's really going to be the weakest link that an attacker will, will go for. And so I've actually changed field perhaps three times so far. This is what keeps it interesting. My PhD work was around trusted computing. And then as I said, I, since joining Microsoft, I've been largely working in both safe systems programming languages and more recently AI and security. And so I think that's what makes security interesting. The, the fact that it's never the same thing two days in a row.


Natalia Godyla:

I think you hit on the secret phrase for this show. So AI and security. Can you talk a little bit about what you've been doing in AI and security within Microsoft?


Andrew Paverd:

Certainly. So about a year ago, as many people in the industry realized that AI is being very widely used and is having great results in so many different products and services, but that there is a risk that AI algorithms and systems themselves may be attacked. For example, I, I know you had some, some guests on your podcast previously, including Ram Shankar Siva Kumar who discussed the Adversarial ML Threat Matrix. And this is primarily the area that I've been working in for the past year. Looking at how AI systems can be, can be attacked from a security or a privacy perspective in collaboration with researchers, from MSR, Cambridge.


Natalia Godyla:

What are you most passionate about? What's next for a couple of these projects? Like with Rust, is there a desire to make that ubiquitously beyond Microsoft? What's the next stage?


Andrew Paverd:

Ab- absolutely.


Natalia Godyla:

Lots of questions. (laughs).


Andrew Paverd:

Yeah. There's a lot of interest in this. So, um, personally, I'm, I'm not working on the SSPL project myself, or I'm, I'm not working on the safe systems programming languages project myself any further, but I know that there's a lot of interest within Microsoft. And so hopefully we'll see some exciting things e- emerging in that space. But I think my focus is really going to be more on the, both the security of AI, and now we're also exploring different areas where we can use AI for security. This is in collaboration, more with the security response center. So looking into different ways that we can automate different processes and use AI for different types of, of analysis. So certainly a lot more to, to come in that space.


Nic Fillingham:

I wanted to come back to Rust for, for a second there, Andrew. So you talked about how the Rust programming language was specifically designed for, correct me on taxonomy, memory integrity. Is that correct?


Andrew Paverd:

For, for memory safety, yeah.


Nic Fillingham:

Memory safety. Got it. What's happening on sort of


Nic Fillingham:

... and sort of the, the flip side of that coin in terms of instead of having to choose a programming language that has memory safety as sort of a core tenet. What's happening with the operating system to ensure that languages that maybe don't have memory safety sort of front and center can be safer to use, and aren't threats or risks to memory integrity are, are sort of mitigated. So what's happening on the operating system side, is that what Control Flow Guard is designed to do? Or are there other things happening to ensure that memory safety is, is not just the responsibility of the programming language?


Andrew Paverd:

Oh, it's, that's an excellent question. So Control Flow Guard certainly helps. It helps to mitigate exploits once there's been an, an initial memory safety violation. But I think that there's a lot of interesting work going on both in the product space, and also in the research space about how do we minimize the amount of software that, that we have to trust. If you accept that software is going to have bugs, it's going to have vulnerabilities. What we'd like to do, is we'd like to trust as little software as possible.


Andrew Paverd:

And so there's a really interesting effort which is now available in, in Azure under the, the heading of Confidential Computing. Which is this idea that you want to run your security sensitive workloads in a hardware enforced trusted execution environment. So you actually want to take the operating system completely out of what we call the trusted computing base. So that even if there are vulnerabilities in, in the OS, they don't affect your security sensitive workloads. So I think that there's this, this great trend towards confidential computing around compartmentalizing and segmenting the software systems that we're going to be running.


Andrew Paverd:

So removing the operating system from the trusted computing. And, and indeed taking this further, there's already something available in Azure, you can look up Azure Confidential Computing. But there's a lot of research coming in from the, the academic side of things about new technologies and new ways of, of enforcing separation and compartmentalization. And so I think it's part of this full story of, of security that we'll need memory safe programming languages. We'll need compartmentalization techniques, some of which, uh, rely on new hardware features. And we need to put all of this together to really build a, a secure ecosystem.


Nic Fillingham:

I only heard of Confidential Computing recently. I'm sure it's not a new concept. But for me as a sort of a productized thing, I only sort of recently stumbled upon it. I did not realize that there was this gap, there was this delta in terms of data being encrypted at rest, data being encrypted in transit. But then while the data itself was being processed or transformed, that that was a, was a gap. Is that the core idea around Confidential Computing to ensure that at no stage the data is not encrypted? Is, is that sort of what it is?


Andrew Paverd:

Absolutely. And it's one of the key pieces. So we call that isolated execution in the sense that the data is running in a, a trusted environment where only the code within that environment can access that data. So if you think about the hypervisor and the operating system, all of those can be outside of the trusted environment. We don't need to trust those for the correct computation of, of that data. And as soon as that data leaves this trusted environment, for example if it's written out of the CPU into the DRAM, then it gets automatically encrypted.


Andrew Paverd:

And so we have that really, really strong guarantee that only our code is gonna be touching our data. And the second part of this, and this is the really important part, is a, a protocol called remote attestation where this trusted environment can prove to a remote party, for example the, the customer, exactly what code is going to be running over that data. So you have a, a very high degree of assurance of, "This is exactly the code that's gonna be running over my data. And no other code will, will have access to it."


Andrew Paverd:

And the incredibly interesting thing is then, what can we build with these trusted execution environment? What can we build with Confidential Computing? And to bring this back to the, the keyword of your podcast, we're very much looking at confidential machine learning. How do we run machine learning and AI workloads within these trusted execution environments? And, and that unlocks a whole lot of new potential.


Nic Fillingham:

Andrew, do you have any advice for people that are m- maybe still studying or thinking about studying? Uh, I see so you, your initial degree was in, not in computer engineering, was it?


Andrew Paverd:

No. I, I actually did electrical engineering. And then electrical and computer engineering. And by the time I did a PhD, they put me in a computer science department, even though-


Nic Fillingham:

(laughs).


Andrew Paverd:

... I was doing software engineering.


Nic Fillingham:

Yeah. I, so I wonder if folks out there that, that don't have a software or a computer engineering degree, maybe they have a, a different engineering focus or a mathematics focus. Any advice on when and how to consider computer engineering, or sort of the computing field?


Andrew Paverd:

Yeah. Uh, absolutely. Uh, I think, eh, in particular if we're talking about security, I'd say have a look at security. It's often said that people who come with the best security mindsets haven't necessarily gone through the traditional programs. Uh, of course it's fantastic if you can do a, a computer science degree. But if you're coming at this from another area, another, another aspect, you bring a unique perspective to the world of cyber security. And so I would say, have a look at security. See if it's something that, that interests you. You, you might find like I did that it's a completely fascinating topic.


Andrew Paverd:

And then from there, it would just be a question of seeing where your skills and expertise could best fit in to the broad picture of security. We desperately need people working in this field from all different disciplines, bringing a diversity of thought to the field. And so I, I'd highly encourage people to have a look at this.


Natalia Godyla:

And you made a, quite a hard turn into security through the PhD suggestion. It, like you said, it was one course and then you were off. So, uh, what do you think from your background prepared you to make that kind of transition? And maybe there's something there that could inform others along the way.


Andrew Paverd:

I think, yes, it, it's a question of looking at, uh, of understanding the system in as much detail as you possibly can. And then trying to think like, like an attacker. Trying to think about what could go wrong in this system? And as we know, attackers won't respect our assumptions. They will use a system in a different way in which it was designed. And that ability to, to think out of the box, which, which comes from understanding how the system works. And then really just a, a curiosity about security. They call it the security mindset, of perhaps being a little bit cautious and cynical. To say-


Natalia Godyla:

(laughs).


Andrew Paverd:

... "Well, this can go wrong, so it probably will go wrong." But I think that's, that's the best way into it.


Natalia Godyla:

Must be a strong follower of Murphy's Law.


Andrew Paverd:

Oh, yes.


Natalia Godyla:

(laughs).


Nic Fillingham:

What are you watching? What are you binging? What are you reading? Either of those questions, or anything along in that flavor.


Andrew Paverd:

I'll, I'll have to admit, I'm a, I'm a big fan of Star Trek. So I've been watching the new Star Trek Discovery series on, on Netflix. That's, that's great fun. And I've recently been reading a, a really in- interesting book called Atomic Habits. About how we can make some small changes, and, uh, how these can, can help us to build larger habits and, and propagate through.


Nic Fillingham:

That's fascinating. So that's as in looking at trying to learn from how atoms and atomic models work, and seeing if we can apply that to like human behavior?


Andrew Paverd:

Uh, no. It's just the-


Nic Fillingham:

Oh, (laughs).


Andrew Paverd:

... title of the book.


Natalia Godyla:

(laughs).


Nic Fillingham:

You, you had me there.


Natalia Godyla:

Gotcha, Nic.


Nic Fillingham:

I was like, "Wow-"


Natalia Godyla:

(laughs).


Nic Fillingham:

" ... that sounds fascinating." Like, "Nope, nope. Just marketing." Marketing for the win. Have you always been Star Trek? Are you, if, if you had to choose team Star Trek or team Star Wars, or, or another? You, it would be Star Trek?


Andrew Paverd:

I think so. Yeah.


Nic Fillingham:

Yeah, me too. I'm, I'm team Star Trek. Which m- may lose us a lot of subscribers, including Natalia.


Andrew Paverd:

(laughs).


Nic Fillingham:

Natalia has her hands over her mouth here. And she's, "Oh my gosh." Favorite Star Trek show or-


Andrew Paverd:

I, I have to say, it, it would've been the first one I watched, Deep Space Nine.


Nic Fillingham:

I love Deep Space Nine. I whispered that. Maybe that-


Natalia Godyla:

(laughs).


Nic Fillingham:

... it's Deep Space Nine's great. Yep. All right, cool. All right, Andrew, you're allowed back on the podcast. That's good.


Andrew Paverd:

Thanks.


Natalia Godyla:

You're allowed back, but I-


Nic Fillingham:

(laughs).


Natalia Godyla:

... (laughs).


Andrew Paverd:

(laughs).


Nic Fillingham:

Sort of before we close, Andrew, is there anything you'd like to plug? I know you have a, you have a blog. I know you work on a lot of other sorta projects and groups. Anything you'd like to, uh, plug to the listeners?


Andrew Paverd:

Absolutely, yeah. Um, we are actually hiring. Eh, well, the team I work with in Cambridge is, is hiring. So if you're interested in privacy preserving machine learning, please do have a look at the website, careers.microsoft.com. And submit an application to, to join our team.


Natalia Godyla:

That sounds fascinating. Thank you.


Nic Fillingham:

And can we follow along on your journey and all the great things you're working at, at your website?


Andrew Paverd:

Eh, absolutely, yeah. And if you follow along the, the Twitter feeds of both Microsoft Research Cambridge, and the Microsoft Security Response Center, we'll, we'll make sure to tweet about any of the, the new work that's coming out.


Nic Fillingham:

That's great. Well, Andrew Paverd, thank you so much for joining us on the Security Unlocked Podcast. We'd love to have you come back and talk about some of the projects you're working on in a deep-dive section on a future episode.


Andrew Paverd:

Thanks very much for having me.


Natalia Godyla:

Well, we had a great time unlocking insights into security, from research to artificial intelligence. Keep an eye out for our next episode.


Nic Fillingham:

And don't forget to tweet @MSFTSecurity. Or email us at securityunlocked@microsoft.com with topics you'd like to hear on a future episode. Until then, stay safe.


Natalia Godyla:

Stay secure.

More Episodes

6/2/2021

Pearls of Wisdom in the Security Signals Report

Ep. 30
It’s our 30th episode! And in keeping with the traditional anniversary gift guide, the 30th anniversary means a gift of pearls. So from us to you, dear listener, we’ve got an episode with some pearls of wisdom! On today’s episode, hosts Nic Fillingham and Natalia Godyla bring back returning champion, Nazmus Sakib, to take us through the new Security Signals Report. Sakib walks us through why the report was done and then helps us understand the findings and what they mean for security.

In This Episode You Will Learn:
How pervasive firmware is in our everyday lives
Why many people were vulnerable to firmware attacks
How companies are spending the money they allocate towards digital protection

Some Questions We Ask:
What was the hypothesis going into the Security Signals Report?
How do we protect ourselves from vulnerabilities that don’t exist yet?
Were any of the findings from the report unexpected?

Resources
Nazmus Sakib’s LinkedIn: https://www.linkedin.com/in/nazmus-sakib-5aa8a6123/
Security Signals Report: https://www.microsoft.com/security/blog/2021/03/30/new-security-signals-study-shows-firmware-attacks-on-the-rise-heres-how-microsoft-is-working-to-help-eliminate-this-entire-class-of-threats/
Nic Fillingham’s LinkedIn: https://www.linkedin.com/in/nicfill/
Natalia Godyla’s LinkedIn: https://www.linkedin.com/in/nataliagodyla/
Microsoft Security Blog: https://www.microsoft.com/security/blog/

Related:
Security Unlocked: CISO Series with Bret Arsenault https://SecurityUnlockedCISOSeries.com

5/26/2021

Securing Hybrid Work: Venki Krishnababu, lululemon

Ep. 29
On this week’s Security Unlocked we’re featuring for the second and final time, a special crossover episode of our sister-podcast, Security Unlocked: CISO Series with Bret Arsenault. Lululemon has been on the forefront of athleisure wear since its founding in 1998, but while many of its customers look at it exclusively as a fashion brand, at a deeper level this fashion empire is bolstered by a well thought out and maintained digital infrastructure that relies on a hard working team to run it. On today’s episode, Microsoft CISO Bret Arsenault sits down with Venki Krishnababu, SVP of Global Technology Services at Lululemon. They discuss the ways in which technology plays into the brand, how Venki led a seamless transition into the remote work caused by the pandemic, and how he’s using the experiences of the past year to influence future growth in the company.

In This Episode You Will Learn:
Why Venki feels so passionately about leading with empathy
Why Venki saw moving to remote work as only the tip of the iceberg; and how he handled what laid below.
Specific tools and practices that have led to Venki’s success

Some Questions We Ask:
What is the biggest lesson learned during the pandemic?
How does one facilitate effective management during this time?
How does Lululemon view the future of in-person versus remote work?

Resources:
Venki Krishnababu’s LinkedIn: https://www.linkedin.com/in/vkrishnababu/
Bret Arsenault’s LinkedIn: https://www.linkedin.com/in/bret-arsenault-97593b60/
Nic Fillingham’s LinkedIn: https://www.linkedin.com/in/nicfill/
Natalia Godyla’s LinkedIn: https://www.linkedin.com/in/nataliagodyla/
Microsoft Security Blog: https://www.microsoft.com/security/blog/

Related:
Security Unlocked: CISO Series with Bret Arsenault https://SecurityUnlockedCISOSeries.com

5/19/2021

Contact Us; Phish You!

Ep. 28
Threat actors arepeskyand, once again,they’reup to no good.A newmethodologyhas schemers compromising onlineformswhere userssubmittheir information like their names, email addresses,and, depending on the type of site, some queries relating totheir life.This new methodindicatesthat the attackers have figured out away around the CAPTCHA’s that have been making us all provewe’renot robotsbyidentifyingfire hydrantssince 1997.Andwhat’smore,we’renot quite surehowthey’vedone it.In this episode, hosts NataliaGodylaand Nic Fillingham sit down with Microsoftthreat analyst, Emily Hacker, to discuss what’s going on behind the scenes as Microsoft begins todigintothis new threat and sort through how best to stop it.In This Episode You Will Learn:Why this attack seems to be more effective against specificprofessionals.Why this new method of attack has a high rate ofsuccess.How to better prepare yourself for this method of attackSome Questions We Ask:What is the endgame for these attacks?What are we doing to protect againstIceIDin these attacks?Are we in need of a more advanced replacementforCAPTCHA?Resources:Emily Hacker:https://www.linkedin.com/in/emilydhacker/Investigating a Unique ‘Form’ of Email Delivery forIcedIDMalwarehttps://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/Nic Fillingham’sLinkedIn:https://www.linkedin.com/in/nicfill/NataliaGodyla’sLinkedIn:https://www.linkedin.com/in/nataliagodyla/Microsoft Security Blog:https://www.microsoft.com/security/blog/Related:Security Unlocked: CISO Series with Bret Arsenaulthttps://SecurityUnlockedCISOSeries.comTranscript[Full transcript can be found athttps://aka.ms/SecurityUnlockedEp26]Nic Fillingham: (00:08)Hello and welcome to Security Unlocked, a new podcast from Microsoft where we unlock insights from the latest in news and research from across Microsoft security, engineering and operations teams. I'm Nick Fillingham.Natalia Godyla: (00:20)And I'm Natalia Godyla. 
In each episode we'll discuss the latest stories from Microsoft Security, deep dive into the newest threat intel, research, and data science.Nic Fillingham: (00:30)And profile some of the fascinating people working on artificial intelligence in Microsoft Security.Natalia Godyla: (00:36)And now, let's unlock the pod.Nic Fillingham: (00:40)Hello, the internet. Hello, listeners. Welcome to episode 28 of Security Unlocked. Nic and Natalia back with you once again for a, a regular, uh, episode of the podcast. Natalia, how are you?Natalia Godyla: (00:50)Hi, Nic. I'm doing well. I'm stoked to have Emily Hacker, a threat analyst at Microsoft back on the show today.Nic Fillingham: (00:58)Yes, Emily is back on the podcast discussing a blog that she co-authored with Justin Carroll, another return champ here on the podcast, called Investigating a Unique Form of Email Delivery for IcedID Malware, the emphasis is on form was, uh, due to the sort of word play there. That's from April 9th. Natalia, TLDR, here. What's, what's Emily talking about in this blog?Natalia Godyla: (01:19)In this blog she's talking about how attackers are delivering IcedID malware through websites contact submission forms by impersonating artists who claim that the companies use their artwork illegally. It's a new take targeting the person managing the submission form.Nic Fillingham: (01:34)Yeah, it's fascinating. The attackers here don't need to go and, you know, buy or steal email lists. They don't need to spin up, uh, you know, any e- email infrastructure or get access to botnets. They're, they're really just finding websites that have a contact as form. Many do, and they are evading CAPTCHA here, and we talk about that with, with, with, uh, Emily about they're somehow getting around the, the CAPTCHA technology to try and weed out automation. 
But they are getting around that which sort of an interesting part of the conversation.Nic Fillingham: (02:03)Before we get into that conversation, though, a reminder to Security Unlock listeners that we have a new podcast. We just launched a new podcast in partnership with the CyberWire. It is Security Unlocked: CISO Series with Bret Arsenault. Bret Arsenault is the chief information security officer, the CISO, for Microsoft, and we've partnered with him and his team, uh, as well as the CyberWire, to create a brand new podcast series where Bret gets to chat with security and technology leaders at Microsoft as well as some of his CISO peers across the industry. Fantastic conversations into some of the biggest challenges in cyber security today, some of the strategies that these big, big organizations are, are undertaking, including Microsoft, and some practical guidance that really is gonna mirror the things that are being done by security teams here at Microsoft and are some of Microsoft's biggest customers.Nic Fillingham: (02:52)So, I urge you all to, uh, go check that one out. You can find it at the CyberWire. You can also go to www.securityunlockedcisoseries.com, and that's CISO as in C-I-S-O. CISO or CISO, if you're across the pond, securityunlockedcisoseries.com, but for now, on with the pod.Natalia Godyla: (03:12)On with the pod.Nic Fillingham: (03:18)Welcome back to the Security Unlocked Podcast. Emily Hacker, thanks for joining us.Emily Hacker: (03:22)Thank you for having me again.Nic Fillingham: (03:24)Emily, you are, uh, coming back to the podcast. You're a returning champion. Uh, this is, I think your, your second appearance and you're here-Emily Hacker: (03:30)Yes, it is.Nic Fillingham: (03:30)... on behalf of your colleague, uh, Justin Carroll, who has, has also been on multiple times. The two of you collaborated on a blog post from April the 9th, 2021, called Investigating a Unique Form-Emily Hacker: (03:43)(laughs)Nic Fillingham: (03:43)... 
in, uh, "Form", of email delivery for IcedID malware. The form bit is a pun, is a play on words.Emily Hacker: (03:51)Mm-hmm (affirmative).Nic Fillingham: (03:51)I- is it not?Emily Hacker: (03:53)Oh, it definitely is. Yeah.Nic Fillingham: (03:54)(laughs) I'm glad I picked up on that, which is a, you know, fascinating, uh, campaign that you've uncovered, the two of you uncovered and you wrote about it on the blog post. Before we jump into that, quick recap, please, if you could just reintroduce yourself to the audience. Uh, what, what do you do? What's your day-to-day look like? Who do you work with?Emily Hacker: (04:09)Yeah, definitely. So, I am a threat intelligence analyst, and I'm on the Threat Intelligence Global Engagement and Response team here at Microsoft. And, I am specifically focused on mostly email-based threats, and, as you mentioned on this blog I collaborate with my coworker, Justin Carroll, who is more specifically focused on end-point threats, which is why we collaborated on this particular blog and the particular investigation, because it has both aspects. So, I spend a lot of my time investigating both credential phishing, but also malicious emails that are delivering malware, such as the ones in this case. And also business email, compromise type scam emails.Nic Fillingham: (04:48)Got it. And so readers of the Microsoft Security Blog, listeners of Security Unlocked Podcast will know that on a regular basis, your team, and then other, uh, threat intelligence teams from across Microsoft, will publish their findings of, of new campaigns and new techniques on the blog. And then we, we try and bring those authors onto the podcast to tell us about what they found that's what's happened in this blog. Um, the two of you uncovered a new, a unique way of attackers to deliver the IcedID malware. Can you walk us through this, this campaign and this technique that you, you both uncovered?Emily Hacker: (05:21)Yeah, definitely. 
So this one was really fun because as I mentioned, it involved both email and endpoint. So this one was, as you mentioned, it was delivering IcedID. So we initially found the IcedID on the endpoint and looking at how this was getting onto various endpoints. We identified that it was coming from Outlook, which means it's coming from email. So we can't see too much in terms of the email itself from the endpoint, we can just see that it came from Outlook, but given the network connections that the affected machines were making directly after accessing Outlook, I was able to find the emails in our system that contains emails that have been submitted by user 'cause either reported to junk or reported as phish or reported as a false positive, if they think it's not a phish. And so that's where I was actually able to see the email itself and determine that there was some nefarious activity going on here.

Emily Hacker: (06:20) So the emails in this case were really interesting in that they're not actually the attacker sending an email to a victim, which is what we normally see. So normally the attacker will either, you know, compromise a bunch of senders and send out emails that way, which is what we've seen a lot in a lot of other malware or they'll create their own attacker infrastructure and send emails directly that way. In this case, the attackers were abusing the contact forms on the websites. So if you are visiting a company's website and you're trying to contact them, a lot of times they're not going to just have a page where they offer up their emails or their phone numbers. And you have to fill in that form, which feels like it goes into the void sometimes.
And you don't actually know who it went to. In this case, the, the attackers were abusing hundreds of these contact forms, not just targeting any specific company.

Emily Hacker: (07:08) And another thing that was unique about this is that for some of the affected companies that we had observed, I went and looked at their websites and their contact form does require a CAPTCHA. So it does appear that the attackers in this case have automated the filling out of these contact forms. And that they've automated a way around these CAPTCHAs, just given the, the sheer volume of these emails I'm seeing. This is a good way of doing this because for the attacker, this is a much more high fidelity method of contacting these companies because they don't have to worry about having an incorrect email address if they have gotten a list off of like Pastebin or a list, you know, they purchased a list perhaps from another criminal.

Emily Hacker: (07:52) A lot of times in those cases, if they're emailing directly, there's gonna be some, some false emails in those lists that just don't get delivered. With the contact form, they're designed to be delivered. So it's gonna give the attacker a higher chance of success in terms of being delivered to a real inbox.

Natalia Godyla: (08:11) And so when we, we talk about the progression of the attack, they're automating this process of submitting to these contact forms. What are they submitting in the form? What is the, and what is the end goal? So there's malware somewhere in their-

Emily Hacker: (08:27) Mm-hmm (affirmative).

Natalia Godyla: (08:27) ... response. What next?

Emily Hacker: (08:29) Yeah. It's a really good question. So the emails or rather the contact form submissions themselves, they're all containing a, a lure. So the contents themselves are a lure that the attacker is pretending to be a, um, artist, a photographer, an illustrator, something along those lines. There's a handful of different jobs that they're pretending to be.
And they are claiming that the company that they are contacting has used an image that belongs to the artist, illustrator, photographer on their website without permission. And so the attacker is saying, "You used my art without permission. I'm going to sue you if you don't take this down, if you wanna know what art I'm talking about, click on this link and it'll show you the exact art that I'm talking about or the exact photo," what have you. All of the emails were virtually identical in terms of the content and the lure.

Emily Hacker: (09:21) The attacker was using a bunch of different fake emails. So when you fill out a contact form, you have to put your email so the, the company can contact you, I guess, in reply, if they need to. And the attackers, almost every single email that I looked at had a different fake attacker email, but they did all follow a really consistent pattern in terms of the, the name, Mel and variations on that name. So they had like Melanie, I saw like Molina, like I said, there was hundreds of them. So the email would be Mel and then something relating to photography or illustration or art, just to add a little bit more credence, I think to their, to their lure. It made it look like the email address was actually associated with a real photographer. The, the attacker had no need to actually register or create any of those emails because they weren't sending from those emails. They were sending from the contact form. So it made it a lot easier for the attacker to appear legitimate without having to go through the trouble of creating legitimate emails.

Emily Hacker: (10:16) And then the, um, the email itself from the recipient's view would appear other than the fact that it felt fishy, at least to me, but, you know, I literally do this for a living. So maybe just everything feels fishy to me.
Other than that, the email itself is going to appear totally legitimate because since it's coming through the contact form, it's not going to be from an email address they don't recognize, because a lot of times these contact forms are set up in a way where it'll send from the recipient's domain. So for example, a contact form, I don't know if this is how this works, but just as an example at Microsoft might actually send from Microsoft.com or the other large percentage of these that I saw were sent from the contact form hosting provider. So there are a lot of providers that host this kind of content for companies. And so the emails would be coming from those known email addresses and the emails themselves are gonna contain all of the expected fields. All in all, it's basically a legitimate email other than the fact that it's malicious.

Nic Fillingham: (11:17) And, and just reading through the sample email that you, that you have in the blog post here, like sort of grammatically speaking it's, it reads very legitimately like, the-

Emily Hacker: (11:26) Mm-hmm (affirmative).

Nic Fillingham: (11:27) ... you know, the s- the, the grammar and the spelling is, it's colloquial, but it's, but it seems, you know, pretty legitimate. The idea of a photographer, a freelance photographer, stumbling upon their images being used without permission. You know, you hear stories of that happening. That seems to be somewhat plausible, not knowing how to contact the, the infringing organization. And then therefore going to the generic contact us form like this all, this all seems quite plausible.

Emily Hacker: (11:52) And, definitely. And it's also one of those situations where even though, like I said, I do this for a living, so I read this and I was like, there's no way that's legit. But if my job was to be responsible for that email inbox, where stuff like this came in, it would be hard for me to weigh the consequences of like, is it more likely that this is like a malicious email?
Or is it, yeah, is it possible that this is legit? And if I ignore it, my company is gonna get sued. Like, I feel like that kind of would give the recipient that, that weird spot of being like, "I don't want to infect the company with malware, or, you know, I don't wanna click on a phishing link if that's what this is, but also if I don't and then we get sued, is it my fault?"

Emily Hacker: (12:33) I just, I, I feel for the recipient. So I, I understand why people would be clicking on this one and infecting themselves. And speaking of clicking on that is the other thing that's included in this email. So that was the last bit of this email that turns this from just being weird/legitimate, to totally malicious. All of the emails contain a link. And, um, the links themselves are also abusing legitimate infrastructure. So that's, uh, the next bit of abused, legitimate infrastructure that just adds that next bit of like believability if that's a word to this campaign.

Nic Fillingham: (13:05) It is a word.

Emily Hacker: (13:06) Okay, good, believability, is that the, the links, you know, we're, if you don't work in security, and even if you do work in security, we're all kind of trained like, "Oh, check the links, hover over the links and make sure it's going somewhere that you expect and make sure it's not going to like bad site dot bad, dot bad or something," you know, but these don't do that. All of the emails contained a sites.google.com link. And I've looked at literally hundreds of these, and they all contain, um, a different URL, but the same sites.google.com domain. If you click on the link, when you receive the email, it'll take you actually to a legitimate Google authentication page that'll ask you to log in with your Google credentials, which again, every step along the way of this, of the email portion of this, of this attack, the attacker just took extra steps to make it seem as real as possible, or to almost like every piece of security advice.
Emily Hacker: (14:01) I feel like they did that thing. So it seemed more legitimate because it's not a phishing page. It's not like a fake Google page that's stealing your credentials. It's a real where you would log in with your real Google credentials. Another thing that this does outside of just adding an air of legitimacy to the emails, it also can make it difficult for some security automation products. So a product that would be looking at emails and detonating the link to see if they're malicious, in this case, it would detonate the link and it would land on, you know, a real Google authentication page. And in some cases it may not be able to authenticate. And then it would just mark these as good, because it would see what it expected to see. So, outside of just seeming legit, it also makes, you know, security products make this think it's more legit as well. But from there, the, uh, user would be redirected through a series of attacker-owned domains and would eventually download a zip file, which if they unzipped, they would find the IcedID payload.

Emily Hacker: (15:06) So in this case, it's delivering IcedID, although this technique could be used to deliver other stuff as well, but it's not necessarily surprising that it's delivering IcedID right now, because pretty much everything I feel like I'm seeing lately is IcedID. And I don't think I'm alone in that there's murmurings that IcedID might be replacing Emotet now that Emotet has been taken down in terms of being, you know, the annoyingly present malware. (laughs) So this is just one of many delivery methods that we've seen for IcedID malware lately.
It's certainly in my opinion, one of the more interesting ones, because in the past, we've seen IcedID delivered a lot via email, but, um, just delivered via, you know, the normal type of malicious email if you will, with a compromised email sending with a, a zip attachment, this is much more interesting.

Emily Hacker: (15:56) But in this case, if the user downloaded the payload, the payload would actually do many things. So in this case, it was looking for machine information. It was looking to see what kind of security tools were in place to see what kind of antivirus the machine was running. It was getting IP and system information. It was getting, you know, domain information and also looking to access credentials that might be stored in your browser. And on top of that, it was also dropping Cobalt Strike, which is another fun tool that we see used in every single incident lately, it feels like, um, which means that this can give attacker full control of a compromised device.

Natalia Godyla: (16:38) So, what are we doing to help protect customers against IcedID? In the blog you stated that we are partnering with a couple of organizations, as well as working with Google.

Emily Hacker: (16:52) Yes. So we have notified Google of this activity because it is obviously abusing some of their infrastructure in terms of the sites.google.com. And they seem to be doing a pretty good job in terms of finding these and taking them down pretty quickly. A lot of times that I'll see new emails come in, I'll go to, you know, click on the link and see what it's doing. And the site will already be taken down, which is good. However, the thing about security is that a lot of times we were playing Catch Up or like, Whack-A-Mole, where they're always just gonna be a step ahead of us because we can't pre block everything that they're going to do. So this is still, um, something that we're also trying to keep an eye on from, from the delivery side as well.
Emily Hacker: (17:34) Um, one thing to note is that since these are coming from legitimate emails that are expected is that I have seen a fair bit like, uh, a few of these, uh, actually, um, where the, the customers have their environment configured in a way where even if we mark it as phish, it still ends up delivered. So they have a, what is like a mail flow rule that might be like allow anything from our contact form, which makes sense, because they wouldn't wanna be blocking legitimate requests from co- from customers in their contact form. So with that in mind, we also wanna be looking at this from the endpoint. And so we have also written a few rules to identify the behaviors associated with the particular IcedID campaign.

Emily Hacker: (18:16) And it will notify users if the, the behaviors are seen on their machine, just in case, you know, they have a mail flow rule that has allowed the email through, or just in case the attackers change their tactics in the email, and it didn't hit on our rule anymore or something, and a couple slipped through. Then we would still identify this on the endpoint and not to mention those behaviors that the rules are hitting on are before the actual IcedID payload is delivered. So if everything went wrong and the email got delivered and Google hadn't taken the site down yet, and the behavioral rule missed, then the payload itself is detected as IcedID by our antivirus. So there's a lot in the way of protections going in place for this campaign.

Nic Fillingham: (18:55) Emily, I, I wanna be sort of pretty clear here with, with folks listening to the podcast.
So, you know, you've, you've mentioned the, the sites.google.com a, a couple of times, and really, you're not, you're not saying that Google has been compromised or the infrastructure is compromised simply that these attackers have, uh, have come up with a, a, you know, pretty potentially clever way of evading some of the detections that Google, uh, undoubtedly runs to abuse their, their hosting services, but they could just as easily have been targeting OneDrive or-

Emily Hacker: (19:25) Mm-hmm (affirmative).

Nic Fillingham: (19:25) ... some other cloud storage.

Emily Hacker: (19:25) That's correct. And we do see, you know, attackers abusing our own infrastructure. We've seen them abusing OneDrive, we've seen them abusing SharePoint. And at Microsoft, we have teams, including my team devoted to finding when that's occurring and remediating it. And I'm sure that Google does too. And like I said, they're doing a pretty done a good job of it. By the time I get to a lot of these sites, they're already down. But as I mentioned, security is, is a game of Whack-A-Mole. And so for, from Google's point of view, I don't envy the position they're in because I've seen, like I mentioned hundreds upon hundreds of these emails and each one is using a unique link. So they can't just outright block this from occurring because the attacker will just go and create another one.

Natalia Godyla: (20:05) So I have a question that's related to our earlier discussion. You, you mentioned that they're evading the CAPTCHA. I thought that the CAPTCHA was one of the mechanisms in place to reduce spam.

Emily Hacker: (20:19) Mm-hmm (affirmative).

Natalia Godyla: (20:19) So how is it doing that? Does this also indicate that we're coming to a point where we need to have to evolve the mechanisms on the forms to be a little bit more sophisticated than CAPTCHA?

Emily Hacker: (20:33) I'm not entirely sure how the attackers are doing this because I don't know what automation they're using.
So I can't see from their end, how they're evading the CAPTCHA. I can just see that some of the websites that I know that they have abused have a CAPTCHA in place. I'm not entirely sure.

Nic Fillingham: (20:52) Emily, is that possible, do you think, that one of the reasons why CAPTCHA is being evaded. And we talked earlier about how the, sort of the grammar of these mails is actually quite sophisticated. Is it possible this is, this is a hands-on-keyboard manual attack? That there's actually not a lot of automation or maybe any automation. And so this is actually humans or a human going through, and they're evading CAPTCHA because they're actually humans and not an automated script?

Emily Hacker: (21:17) There was another blog that was released about a similar campaign that was using the abusing of the contact forms and actually using a very similar lure with the illustrators and the, the legal Gotcha type thing and using sites.google.com. That was actually, it was very well written and it was released by Cisco Talos at the end of last year, um, at the end of 2020. So I focused a lot on the email side of this and what the emails themselves looked like and how we could stop these emails from happening. And then also what was happening upon clicks over that, like I said, we could see what was happening on the endpoint and get these to stop.

Emily Hacker: (21:55) This blog actually focused a lot more on the technical aspect of what was being delivered, but also how it was being delivered. And one thing that they noted here was that they were able to see that the submissions were performed in an automated mechanism. So Cisco Talos was able to see that these are indeed automated. I suspected that they were automated based on the sheer volume, but Talos is very good. They're a very good intelligence organization.
And I felt confident upon reading their blog that this was indeed automated, how it's being captured though, I still don't know.

Natalia Godyla: (22:35) What's next for your research on IcedID? Does this round out your team's efforts in understanding this particular threat, or are, are you now continuing to review the emails, understand more of the attack?

Emily Hacker: (22:52) So this is certainly not the end for IcedID. Through the Microsoft Security Intelligence Twitter account, I put out, my team and I put out a tweet just a couple of weeks ago, about four different IcedID campaigns that we were seeing all at the same time. I do believe this was one of them. They don't even seem related. There was one that was emails that contained, um, zip files. There was one that contained emails that contained password protected zip files that was targeting specifically Italian companies. There was this one, and then there was one that was, um, pretending to be Zoom actually. And that was even a couple of weeks ago. So there's gonna be more since then. So it's something that, like I mentioned briefly earlier, IcedID almost feels to be kind of, it feels a little bit like people are calling it like a, the next wave of replacement after Emotet was taken down.

Emily Hacker: (23:43) And I don't know necessarily that that's true. I don't know that this will be the new Emotet so to speak, Emotet was Emotet and IcedID is IcedID but it does certainly feel like I've been seeing it a lot more lately. A lot of different attackers seem to be using it and therefore it's being delivered in different ways. So I think that it's gonna be one that my team is tracking for a while, just by nature of different attackers using it, different delivery mechanisms. And it'll be, it'll be fun to see where this goes.

Nic Fillingham: (24:13) What is it about this campaign or about this particular technique that makes it your Moby Dick-

Emily Hacker: (24:17) (laughs)

Nic Fillingham: (24:17) ...
if I may use the analogy.

Emily Hacker: (24:20) I don't know. I've been thinking about that. And I think it has to do with the fact that it is so, like, it just feels like a low blow. I don't know. I think that's literally it like they're abusing the company's infrastructure. They're sending it to like people whose job is to make sure that their companies are okay. They're sending a fake legal threat. They're using legit Google sites. They're using a legit Google authentication, and then they're downloading IcedID. Like, can you at least have the decency to send a crappy, like, unprotected zip attachment so that-

Nic Fillingham: (24:49) (laughs)

Emily Hacker: (24:49) ... we at least know you're malicious, like, come on. It's just for some reason it, I don't know if it's just 'cause it's different or if it's because I'm thinking back to like my day before security. And I, if I saw this email as this one that I would fall for, like maybe. And so I think that there's just something about that and about the, the fact that it's making it harder to, to fully scope and to really block, because we don't want to block legitimate contact emails from being delivered to these companies. And obviously they don't want that either. So I think that's it.

Nic Fillingham: (25:22) What is your guidance to customers? You know, I'm a security person working at my company and I wanna go run this query. If I run this, I feel like I'm gonna get a ton of results. What do I do from there?

Emily Hacker: (25:33) That's a good question. So this is an advanced hunting query, which can be used in the Microsoft Security portal. And it's written in advanced hunting query language. So if a customer has access to that portal, they can just copy and paste and search, but you're right.
It is written fairly generically to a point where if you don't have, you know, advanced hunting, you can still read this and search in whatever methodology, whatever, you know, searching capabilities you do have, you would just have to probably rewrite it. But what this one is doing, the top one, 'cause I, I have two of them written here. The first one is looking specifically at the email itself. So that regex that's written there is the, um, sites.google.com.

Emily Hacker: (26:16) All of the emails that we have seen associated with this have matched on that regex. There was this morning, like I said, I was talking to a different team that was also looking into this and I'm trying to identify if she found, um, a third pattern, if she did, I will update the, um, AHQ and we have, we can post AHQ publicly on the Microsoft advanced hunting query GitHub repo, which means that customers can find them if we, if we change them later and I'll be doing that if that's the case, but point being this regex, basically it takes the very long, full URL of this sites.google.com and matches on the parts that are fairly specific to this email.

Emily Hacker: (27:02) So they all contain, you know, some of them contain ID, some of them don't, but they all contain that like nine characters, they all contain view. It's just certain parts of the URL that we're seeing consistently. And that's definitely not by itself going to bubble up just the right emails, which is why I have it joined on the email events there. And from there, the, I have instructed the users to replace the following query with the subject line generated by their own contacts, their own website's contact submission form. What I have in there are just a few sample subject lines. So if your website contact form generates the subject line of contact us or new submission or contact form, then those will work. But if the website con-, you know, contact form, I've seen a bunch of different subject lines.
Then what this does is that it'll join the two. So that it's only gonna bubble up emails that have that sites.google.com with that specific pattern and a subject line relating to the contact form.

Emily Hacker: (28:02) And given the searching that I've done, that should really narrow it down. I don't think there's going to be a ton in the way of other contact emails that are using sites.google.com that are showing up for these people. I wouldn't be surprised if this did return one email and it turned out to be a malicious email related to this campaign. But if the contact form generates its own subject line per what the user inputs on the website, then, you know, the screenshots that are in the blog may help with that, but it might be more difficult to find in that case. There's a second advanced hunting query there, which will find on the endpoint.

Natalia Godyla: (28:37) And I know we're just about at time here, but one quick question on endpoint security. So if a customer is using Microsoft Defender for Endpoint, will it identify and stop IcedID?

Emily Hacker: (28:49) Yes, it will. The IcedID payload in this case, we're seeing Defender detecting it and blocking it. And that was what, one of the things I was talking about earlier is that Defender is actually doing such a good job that it's a little bit difficult for me to see what's, uh, gonna happen next because I'm limited to, um, seeing kind of what is happening on customer boxes. And so, because our products are doing such a good job of blocking this, it means that I don't have a great view of what the attacker was going to do next because they can't, 'cause we're blocking it. So it's mostly a win, but it's stopping me from seeing if they are planning on doing, you know, ransomware or whatever, but I'd rather not know if it means that our customers are protected from this.

Nic Fillingham: (29:32) Well, Emily Hacker, thank you so much for your time. Thanks to you and Justin for, for working on this.
Um, we'd love to have you back again on Security Unlocked to learn more about some of the great work you're doing.

Emily Hacker: (29:41) Definitely, thank you so much for having me.

Natalia Godyla: (29:47) Well, we had a great time unlocking insights into security, from research to artificial intelligence. Keep an eye out for our next episode.

Nic Fillingham: (29:54) And don't forget to tweet us @msftsecurity or email us at securityunlocked@microsoft.com, with topics you'd like to hear on a future episode. Until then, stay safe.

Natalia Godyla: (30:05) Stay secure.