Spiral Now, Not Later: Rethinking Ransomware Readiness
Season Two · Episode 11

In this episode, host Raghu Nandakumara sits down with Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft, to explore the evolving landscape of cyber threats and the importance of resilience in the face of ransomware. They discuss the changing tactics of threat actors, the critical role of Zero Trust in modern cybersecurity, and the growing influence of AI on both cyber defense and offense. Sherrod also shares insights into balancing objective and subjective assessments in security, emphasizing the need for strong foundational practices and operational resilience.

Transcript

00:05 Raghu Nandakumara  

Welcome to The Segment: A Zero Trust Leadership Podcast. I'm your host, Raghu Nandakumara, head of industry solutions at Illumio, the Zero Trust Segmentation company. Today, I'm joined by Sherrod DeGrippo, the director of threat intelligence strategy at Microsoft.  

Sherrod was selected as Cybersecurity Woman of the Year in 2022 and Cybersecurity PR Spokesperson of the Year for 2021. Previously, she was VP of threat research and detection at Proofpoint, where she led a global team of threat researchers, malware reverse engineers and threat intelligence analysts. Her career in cybersecurity spans 19 years, with prior roles including leading red team services at Nexum, Senior Solutions Engineer for Symantec, senior security consultant for SecureWorks, and senior network security analyst for the National Nuclear Security Administration.  

In this conversation, she stresses the significance of ransomware resilience and covering security basics, as well as the impact of AI on both attackers and defenders. The conversation highlights the need for actionable threat intelligence and the human element of security.  


Sherrod, firstly, before we get into the conversation, it's so exciting to be able to speak to you today. And it's funny, it was just a complete coincidence. I was listening to some of your recent podcast episodes in sort of prep for this, and I just so, just last week, I decided to relisten to the Lazarus Heist podcast that the BBC made, which I'm sure you're very familiar with. So I thought those were, it was like, that's a coincidence. And as a result of listening to that for the last two nights, I've put on the interview and then fallen asleep to it. So it says more about either I'm tired of the film or it wasn't as good, but, anyway, it's a real pleasure to be able to speak to you. So thank you for joining us.  

02:14 Sherrod DeGrippo

Thank you. Thank you for having me. I think you know, as evidenced by your media consumption, North Korea is really getting in the game. They're getting on the board in ways that we have not seen before. In the past couple of months, North Korea's scoring some points.

02:28 Raghu Nandakumara

Absolutely, and I'd love to sort of discuss that at some point in our conversation today. But as kind of is, I guess, the norm with these podcasts is, let's kind of rewind the tape and take us back to where it all began for you in your career to sort of ultimately to what you do in your role today.

02:48 Sherrod DeGrippo

Sure. So, I mean, I think it started when I was 14. Really, I was 14. This was in the early 90s, and I read, because I was, you know, a very cool early teen, I read the magazine Thrasher, Thrasher Magazine, which was a skateboard magazine. And one month, in the back of Thrasher Magazine, there was a little ad, and it said, call the Thrasher BBS (bulletin board system), and it had a phone number. And I, you know, went to my dad, who was a major hardcore computer, supercomputer dork. And I said, "Dad, I want to call this BBS. What do I do?" And he said, "Well, you know, I have a modem, and we can set you up, and we'll get you to be able to call the BBS." And I remember very vividly I was using a BitFax bit modem, which was the app, or the application on Windows 3.1, and I remember very vividly him saying, "I'm going to turn off ANSI. You don't need that." So essentially, he took graphic viewing away from me very early, like, you know, he's like, my 14-year-old daughter does not need to see these images. And I just called the Thrasher BBS, and was on, day in, day out. And then, about a month later, my dad screamed, "Sherrod." I was like, "Oh, I'm in trouble." I had run up a $300 phone bill. For the youths listening, we used to have to pay for long-distance phone calls, and Thrasher BBS was not local to me, so it cost money per minute. And my dad didn't like that, so that kind of got me into phreaking, actually; I consider myself a phreaker first, which meant that, you know, I had a lineman's handset. I did things like beige boxing, and I met a lot of people who were very excited to show me a lot of things. And I ended up just, you know, when I was in college, I worked at the mall, and I didn't make enough money, and I saw a poster on campus that said, "Come work at AT&T." And so when I was in college, I started working at AT&T. And from there, I just kind of kept getting tech jobs, until I went to work at an ISP early in my career, probably from 2000 to 2001, and that ISP got hacked. One of the clients of the ISP got hacked, and they said, we want you to fix this. You know, it was a data center. So I pulled all their 1Us, all their servers, stacked them up on a table in a conference room, tracked it out on a whiteboard, and was like, I'm going to work. I'm going to do this work. You know, it wasn't even called incident response then. And it was a phpBB installation that was vulnerable, that was hacked by, quote, hacking team. They put up a bunch of MP3s playing in the background or maybe even just WAV files. Like it was very primitive. And that was the point where I was like, I want to do security. I want to secure things. I want to learn how all of this works. I want to hack things. I want to secure things. And shortly after that, I got my first real security job, working for the National Nuclear Security Administration, part of the Department of Energy. And that started my network security obsession. I'm obsessed with network security. And I just, you know, did that for quite a while. And not too long, but then after that, I went and worked at vendors. So I have committed the past 18 years of my career to security vendors: Symantec, SecureWorks, Nexum, Proofpoint, and now Microsoft. I love the vendor space.

06:19 Raghu Nandakumara

Amazing. I mean, that's quite a story from Thrasher magazine to the head of threat intel strategy at Microsoft. That's probably a career path, or even a life path, you would never have been able to map out in, if you'd been asked back then in the early 90s.  

06:37 Sherrod DeGrippo

BBSs and IRC shaped me. BBSs, IRC, and LiveJournal. Those are my origin foundations, for sure. I think a part of it was because when I was growing up, even from a very young age, my father always would say, "Anything you need to learn, there's a book, and you get the book, and you learn it from the book, and you can do anything." And when he bought me my first car, he bought me the Chilton's manual that went with my car, and he said, "You have a car, and now you have the book that goes with the car, and you can fix the car." And so I sort of took that with me: for anything you need to learn, there's an IRC channel that you can get in. Someone will help you or point you to something. And I still really believe that. Anything you need to learn, you can find the book, you can find the person, you can find the resource, and you can learn it, and you can do it.

07:30 Raghu Nandakumara

I guess, replace IRC channels now with Reddit and, yeah, you have your source of information, right, or knowledge. So, you spoke about that incident. You're working at the ISP; one of your clients got hacked. You essentially took their entire infrastructure out of their rack, put it on a table, and said, I'm going to figure this out. Step through that process and sort of talk to us about, like, as you were doing this, what did you discover about sort of the nature of the attackers, their behavior, their motivations?

08:06 Sherrod DeGrippo

Yeah. And I think that was a really pivotal moment for me as well. So I worked at this ISP that was a very early redundant cloud capability. We had offices in the bottom, and the data center was in the second floor. And so I hated going up there because it was freezing, right? If you've ever been in a data center, you're just, you know, everyone who works in a data center has a coat at their desk that they put on when they go up to the data center. Same with me. And I also didn't like going up there because I'm a bit. I don't like racking, and I don't like putting things in racks. I find it cumbersome and unpleasant. Once they're in there, I'm good to go. But I don't like putting servers into racks. So, you know, I go up, I know I'm going to have to take, this customer has three 1Us, which, you know, at the time, was quite a deployment, right. In the early 2000s, having three 1Us in a data center that was redundant. It's amazing. So I had to take all those out. I had a cart. Anyone who's worked in data centers has done this. If you've ever worked on raised floor, you know what I'm talking about. Take the cart. You take a drill; you unscrew out of the rack. You pull these giant, long servers that are very, very unwieldy to pull out. You hope you don't drop them, and you stack them up on a cart, take the cart down in the elevator, you put them on your desk or in an office. If you ever see someone with 1Us on their desk, they're in trouble. They got bad problems. So, and that was me. I had a conference room, and I said, "Okay, I'm going to figure this out." So I hooked everything back up to monitors and started kind of looking at logs, which I think is a superpower that most incident responders are really, really good at today. They understand the logs that matter. And I started seeing that, you know, this is a small business, and at the time it was a big, big web presence for such a small business. And I thought, wow, this business is quite advanced. 
They've got phpBB for their customers to ask questions, and they've got all these manual pages and all these things. And I started looking through it, and I immediately saw that this version of phpBB was old. And I was like, "Oh, this is really old." And there were a couple of files you could replace in phpBB that would allow it to continue operating but would give you the splash screen. And that's what this, you know, I don't even want to call them a threat actor. They were, like, probably a group of teenagers, I believe. You know, I can't do full attribution on it, but I think they were Iranian. Had put up, you know, "You've been hacked by the hacking team." Music playing in the background, GIFs floating all over the place, and they had something that's very dear to my heart to this day, which is a shouts and greets at the end. At the bottom, there's shouts and greets and a bunch of like hacker handles. Which, at that time, it was very common when you would deface any kind of website you would put like, thanks to the other hackers that carried you on your way. I'm a big believer in shouts and greets. I consider that a foundational life philosophy — thank the people that helped you get there. Not necessarily when hacking, don't do that. But yeah, so I learned really that the motivations of adversarial groups or adversarial people aren't something that you will necessarily ever be able to truly understand. I sort of say, you know, a lot of people will say, “Why did the threat actor do this? What is their aim? What is their motivation?” And truly, my response to that a lot of times is we never know the truth of a threat actor's heart, right? And I think that you can speculate, you can guess, but ultimately, we don't know. Is this person doing this because they're trying to support their family? Is it because they're with BEC (business email compromise) and pig butchering? Is it because they're in a human trafficking situation and they're afraid for their life? 
Is it because they're truly a bad person and they want to hurt others? Do they want just money, and they're wild and crazy? You can never really know that. And I think in this instance, I think, you know, it was just some a little bit of fun in an open, open directory of phpBB that they found and went for it.

12:28 Raghu Nandakumara

I think that story at so many levels I can associate with. Just talking about, sort of, working in a data center and a raised floor. That absolutely takes me back to the early days of my career, and you talk about sort of taking things out of racks, etc. That sort of just hoping not to drop anything onto your feet more than anything, right? It was a real fear or real worry.

12:52 Sherrod DeGrippo

Or have to use the giant suction cups to pull the tiles.  

12:55 Raghu Nandakumara

Oh, yeah, I've done that. Just sat around a data center, my feet dangling into the void below, while sort of configuring, configuring things in the racks. And the example you gave of sort of these potentially script kiddies essentially exploiting a vulnerability, right? And in this case, in PHP. And just going to one of the other podcasts, I think you were a guest on recently, and what you said was 98% of intrusions can be addressed by basic security practices, right? And I'd say patching is one of those essential security practices. And my perspective here is that when I sit back and I look at why attacks are successful, I feel time and again, attackers ultimately exploit negligence in one or more of these security practices to propagate. So, in your opinion, do you feel that we give enough importance to these, to the basics, or, as a discipline, are we too caught up in what's the new shiny toy? What's the new shiny capability? And we've lost sight of the basics, or maybe the basics are too boring.

14:10 Sherrod DeGrippo

I love the basics. I'm a believer in the basics because I sort of was raised in the Bruce Schneier, Ed Skoudis School of Security. I believe in the basics because security is very much something that people with anxiety are drawn to.

And if you can get your basics down, you usually feel a little better. And I think, honestly, what it comes down to is not enough organizations have enough anxiety. I think there's not enough worry, and there's not enough productive clinical anxiety, professionally in the industry. I do think we get distracted by shiny toys and we see the basics as being boring. But there is, I think, a completeness, satisfaction in feeling like I know that we have a complete, you know, asset inventory. For example, find those people and get them on your team who have that need to get those things completed, and to feel very strongly that they have them. I think also, you know, we don't think enough about that 2% of things that can't be necessarily done with the basics and how we're going to handle those. To me, I think one of the things that we're really missing in security, particularly with the current ransomware epidemic, is not even table-topping, but like pre-decision making. If we come under ransom, are we going to pay? And a lot of people start spiraling, and it's like, wait, do you want to be spiraling now? Or do you want to be spiraling when we're actually under ransom? Let's spiral now. Let's do that worry now so that if something happens in the future, we're ready for that. I think we don't do enough of that. I would like to see a lot more, you know, decisions made ahead of time and put down on paper, so that executives and technical leaders and security subject matter experts are already literally on the same page by the time something happens, which is something that in a lot of incidents I have not felt was happening.

16:21 Raghu Nandakumara

So, a couple of things that I'm going to come back onto, the lack of anxiety point you made in a second. But let's just talk about the ransomware question, right? And to sort of paraphrase Shakespeare, ransomware: to pay or not to pay, that is the question.  

I love it. I love it.  

Yes, we'll use that in the social cuts. I mean, now and then, we get asked to comment on, let's say, some new bit of, like, pick a government across the world saying, “Hey, we want to make ransomware payments illegal, right? And what are your thoughts?” And sort of like the comment is, well, okay, it's that'll be, that'll be great, right? Because of what ransomware, what ransomware potentially fuels, etc. But if you think about from a practical perspective, that may not be possible for every organization, because it's a choice between paying and potentially sort of being back in business, operational sooner rather than later, or just saying, "Well, actually, I can't, I can't afford to pay, but equally, I don't have the skills to recover properly." So where do you sit on that? Because I don't think it's an easy, binary decision.  

17:38 Sherrod DeGrippo

No, it is definitely not an easy decision. I think that's why I'm a big believer in ransomware resilience planning. And Microsoft released a fantastic guide to ransomware resilience that organizations can look at to kind of build their resilience as well as assess their resilience to ransomware. When people say, "Make ransomware payments illegal," my immediate question to that is: and what is the punishment for violating? So the organization's been ransomed, they pay to get out of ransom, and now we're going to punish them, I assume, with a fine. And at that point, it again becomes a risk calculation with just another nexus than you had before. The risk calculation is now against paying the threat actors and getting your data back, and against having to pay a fine to the government for that. I don't know that that's necessarily going to be a super successful and happy deterrent. I think that, as technologists, we have to do a lot more work. I don't think that anyone's coming to save us on a lot of these. I think that we have to make the technology and the organizations and the people resilient to ransomware. We can't just say, like, well, there will be laws and statutes and some sort of ransomware superhero is going to descend and fix it all. It's a very complex problem, as you said, and I don't know that I necessarily have the answers, other than working on becoming more resilient and prepared for those things to happen. You know, I focus a lot on crime in my work, and they operate by different rules than I think most people really understand.

19:17 Raghu Nandakumara

So you've mentioned the word resiliency multiple times in that response, and it's resiliency, operational resilience, cyber resilience, and it's so topical these days. I think now it's kind of like cyber conferences have gone from being focused on, like, Zero Trust to AI, and now it's all about resilience. But I want to tie that to something else you said about a lack of anxiety. How do you drive a culture of better ransomware resilience if the level of anxiety is not where it should be to drive improvement in the basics? Because I feel that those two are interconnected.

20:03 Sherrod DeGrippo

I think so too. And I have a very controversial hot take on that one.  

20:07 Raghu Nandakumara

I'd want to hear it. That's what we're here for.  

20:10 Sherrod DeGrippo

You know, I really think, you know, there's always these debates, you know, on social media and in the industry about passion. I'm not interested in that. I'm interested in, do you have a calling for this? And does doing security work result in your soul feeling a decompression, a relaxation? Is securing something a spiritual comfort for you? If it is, those are the people that we want in the industry. Because those people relentlessly pursue efficacy, and those are the people that we have to count on and depend on, because this is not a 9-to-5 job. As much as we want to talk about work-life balance and, like, don't burn yourself out, sure. But that's not the world that we live in. Ransomware happens 24 hours a day. We don't have enough people to work 24 hours, all of these things. So I think we've got to get the right people in the right places, and that is where we can heighten some of that concern. I come from the era of security vendor FUD, fear, uncertainty, and doubt. For a decade, that was the marketing plan. I don't think that it worked. If it did work, we'd be in a more secure place than we are. But I do think that there is an element of risk evaluation and risk understanding that we as security professionals need to embody and internalize and then evangelize outwardly to our non-security colleagues. And I think that we can do that by speaking that language. I am a practitioner of something called neurolinguistic programming, which talks about how to talk to people. You appeal to the sense that they are most connected with. Is it hearing? Is it seeing? Is it feeling? Is it experiencing? You have to talk to people in their language and at their level and help them understand what those risks are. Going back to resiliency. Being resilient. We've moved to that language because we are looking at the inevitable now. We've gone from stop the breach, stop the attack before it happens, to be okay when it does.
And I think that that's a much more realistic picture. I don't think it's pessimistic. I think it's realistic. And you should feel better the more resilient you become, because these things are, I think at this point inevitable.

22:44 Raghu Nandakumara

So I want to come back to the to the assume breach, sort of mentality, and the when not if. Because I think it ties, not nicely, into sort of taking a Zero Trust approach to building your security controls. But before we go there, going back you again, another term that you mentioned is, is efficacy, right? And I absolutely agree. I think I've, I've only been on the vendor side for just under five years now, and before that. Thank you. Thank you. It's great. It's great to be here. I should have come earlier, I enjoy it. Come this side earlier. But absolutely right. I completely agree, and sort of that the FUD-focused marketing that existed, but my perspective as I came in onto the vendor side was that there could be so much done in sort of taking a much more value-based, efficacy-based approach to marketing. But it's but it's hard, because we're used to saying, "We're better, we're faster, we're stronger, we're more secure." But it's really hard for us to put a where we make you. Let's pick a number, 50% more secure. That's a pretty good number, right? I know we'd like to say 95%, but I'd say even 50% more secure is a good number. But why is it so hard for in the security space to be quantitative about how effective a control is, a practice is, a process is? To sort of get further validation and justification for being able to do more of it.  

24:14 Sherrod DeGrippo

Yeah, I think that's part of what I take personally as a person. I want to be an effective person. I want my technology to be effective for me, and I want to be an effective person. And I think that's really hard to measure, and I love things that are very hard to put metrics on. So that's part of the reason I'm attracted to security is that that is full of subjectivity. It's full of gray areas. It's full of like squishy middles that we have to kind of grapple with and figure out, and that's, I think a lot of people feel the same way, like, that's why they're in security. Measuring efficacy is incredibly hard. So I come from, you know, network security and email security for many years, and FNFP is our bread and butter, right? False negative, false positive. Yeah, those are the things that dictate our choices and how we make decisions, and it is very data driven, even though I don't believe in a wholly data driven approach every single time in security. In the FNFP world, you're looking at those numbers hour by hour. And I do think that we need to get very objective where we can, and that's hard, like, there's a book called How to Measure Anything, which allows for metrics, and there's that saying of you know, you can't manage what you can't measure. I think those things are really true. But I also think alongside objective measurement in security, we have to help our leaders understand the subjectivity aspect of it, and the decision-making and the human aspect of a lot of it. Social engineering is something that is very difficult to measure. For example, this breach happened what percentage of it was caused by social engineering? That's very, very difficult to nail down. 
But if we can have that objective numbering, that objective data side by side with subjective decision-making information, I think that we give ourselves as security professionals, but also our leaders that aren't necessarily knee deep in this space all the time, a better way forward to understanding how important it is and generating some of that anxiety that we're kind of hoping to get from people that are making the choices.

26:26 Raghu Nandakumara

Yeah, I like how that's expressed, about being able to really bring the subjective and objective much closer together, and really finding that intersection where the data from one can inform the perception of the other, right, and vice versa, to provide that greater picture. So let's kind of move on. And let's talk about, and the other thing that you spoke about earlier is logs. Like trawling through logs. Great. It's amazing what you can find in there, right? And just as you said that, I was thinking about, I think that's just sort of how the function of the SOC has evolved, right? Threat hunting evolved is that it's just sort of the advancement in essentially analyzing logs, and that's kind of, sort of, the progress, and even what we see today, within inverted commas, sort of AI-powered tools, is just getting better at log analysis. So, and I know you've spent many years looking at logs from various threat actors, what have you noticed as you've been doing this, like, what are the clear indicators of that evolution that you have seen?

27:45 Sherrod DeGrippo

Yeah, I think that that's really, it's really clear. So my earliest, maybe not earliest, but one of my early passions for logs was I ran a web server, and I would tail the web logs to watch access. So it was a very low traffic website situation. But when I would have that open and running, I could watch as people hit the website, which, if you've never done that before, watching logs in real time, it gives you a different perception of our digital world, in my opinion. It's showing human activity, right, going to a website, displayed as machine data, which is the log entry. So I think there's something really special about that. It turns a log from sort of this static record into, like, a living, breathing, evolving thing in front of your eyes. Threat actors today go so quickly that they know that logs are their enemy, and so they look at the time that they can save, especially threat actors in the crime space, typically. So, like, if you think of an Octo Tempest threat actor, a big time ransomware actor, they move so fast. It's that dwell time from entry and access to ransom that keeps getting smaller and smaller and smaller, which reduces, frankly, the amount of logs that are created. And these threat actors, I think, are deliberate in that. They want to reduce the amount of log entries, which is, I think, potentially partly responsible for the recent, you know, over the past year or two, the explosion in popularity of living off the land. You can hide in those logs when you're in existing tool sets that are already resident on that host. So I think logs will always be super important, because logs, in a lot of ways, symbolically represent time. And the fewer logs you can have, and the faster you can go, the more successful you can be as a threat actor. Going back to efficacy, we as defenders have an efficacy focus.
Threat actors have an efficacy focus, and we are slot car racing side by side, trying to be more effective than they are, and hoping that we have, you know, a five-second head start to be able to be more effective.

30:27 Raghu Nandakumara

It's basically an F1 race today. It's Drive to Survive, right?

30:36 Sherrod DeGrippo

Drive to Survive. Yes, that's what security is. We are Drive to Survive here in InfoSec.

30:42 Raghu Nandakumara

I like that. I can absolutely appreciate the joy of looking at web server logs, and then when you combine those with proxy logs and firewall logs and load balancer logs and identity logs, and you're able to build a picture. Like, in my early days on the sort of the practitioner side, that was so exciting to be able to do that out of college and bring it all together. I was like, oh my god! Like, I could sort of see what's happening here, just from this data. So you spoke about living off the land, and about sort of how threat actors really want to generate as few signals as possible, or the fewer signals the better, right? Because more signals mean more chance of detection, etc. And then, tying it back to what you said, is that really, that attack, that compromise is inevitable, so we need to design for that. From your perspective, right? Because I often think of sort of taking a Zero Trust approach as really reducing what's available on the land to live off. One way to think about it, with sort of the interest in Zero Trust and real Zero Trust projects out there. I know Microsoft has got a fairly significant play in the Zero Trust ecosystem. Like, what's your perspective on that as a threat intelligence expert, about how Zero Trust is sort of improving security, measurably improving security?

32:07 Sherrod DeGrippo

I think the best thing that the Zero Trust concept has done over the past few years is resonate so strongly with executive leaders. I think that for most practitioners, Zero Trust to them is a lot of things that they've been doing every day. There are a lot of basic things. There are a lot of combinations of best practices. Or when I first started, like host hardening, you know, things like that, that practitioners are really familiar with. But Zero Trust has allowed us to communicate in the same language with executives, decision-makers, and even people that aren't necessarily in technical roles; it's allowed them to understand, like, "Oh, that's bad" or "Oh, this is a way to make sure that we don't end up with the wrong people in the wrong places." This is an encompassing concept for best practices around identity and access management. Like, those are things that I think in security, we have struggled with. We have wanted to use jargon; we have wanted to have our own nomenclature. We've wanted to have our own separate super-secret language. And Zero Trust has really allowed us to hit a point of commune with leaders and decision makers and people outside of that and get them on the same page as us. Which I think is one of the best things that we could have done.

33:30 Raghu Nandakumara

Yeah, I think that's so important, right, particularly now, that the importance of cyber has to be communicated not just to the security function in the organization, but across functions and up to the highest levels. Having an approach that allows you to communicate that effectively is such a boon. It's a massive blessing to align everything else. And are you seeing this sort of day to day in customers that you speak to, peers, etc.?

34:06 Sherrod DeGrippo

Yes, I think a lot of customers that I speak to are absolutely on a Zero Trust journey. And they phrase it that way, you know. They say, you know, a year ago we decided, or two years ago, we decided that by, you know, 2026 we were going to feel that we fully implemented Zero Trust in every corner of the organization. And I think it's brought a lot of weight and gravity to the security focus. I think it allows, it allows a reasoning for people to do things and say, "Well, this is part of Zero Trust, so we need to get it done." And we didn't always have that handle before. We didn't always have that, like unifying focus that I think that we have today, which has worked. And frankly, I also think that the ransomware epidemic has brought a lot of you know, it's bittersweet, but it has brought a lot of focus and attention to organizations that may not have been really thinking about Zero Trust, or may not have been thinking about securing their organization. They see ransomware, and it, again, inspires that anxiety, yeah, and it causes movement, which I think is what we want.  

35:20 Raghu Nandakumara

I mean, I was actually going to mention that it adds to the anxiety. But you, you beat me to it. So again, right, going back to sort of your day job of essentially monitoring threat actors, right, understanding their behaviors over time, as you've seen organizations improve their security capabilities, and potentially go on that Zero Trust sort of journey. Have you noticed a real shift in the sort of the I was going to say, the techniques and procedures adopted by threat actors? Because I'd say that and please correct me if I'm wrong, that the tactics, ultimately tactics, sort of are those high-level tactics and those, those are consistent, right? The attacker has to go through them, but how they execute those will change over time. Have you seen a real shift in those techniques and procedures?

36:11 Sherrod DeGrippo

I think that we will always see threat actors shift and evolve. You know, they are looking for efficacy again, like we are. So, whatever tools they can pull into their arsenal to get to the objective that they want to get to, they will. There's always, interestingly, since I've been watching the threat landscape closely, there are always like these trendy, you know, oh, everyone's doing this right now, like MFA bypass, attacker in the middle phishing is hugely popular right now. I think part of the reason for the popularity of it is, we operate especially when it comes to the crime landscape, financially motivated threat actors, they operate as an ecosystem. So it's not some ransomware group that's like, "Oh, I gotta make an attacker in the middle phish kit now. I gotta put up these pages. I gotta buy…" No, they just go. They find a provider. They pay them. They get that tool from the provider. They leverage it in combination with tools from other providers, infrastructure, code, any of these services that they may have purchased, and they pull all of those pieces together, and that gets them to the ransomware end goal. So as that ecosystem evolves, and as new players come into the ecosystem, and we're talking about organized crime, as the new players come in, new trends emerge. And I think it's my assessment that the reason those trends emerged is because threat actors, some are better at marketing than others. Some within the ecosystem do things like, quite literally, sales. They will make a sale on, we have a threat actor, Storm 1101, that runs this thing called Naked pages, which is an attacker in the middle MFA phish kit. They will tell you, if you're already a customer, you can get a discount. They will do live customer service for you. They will have specials, they had a New Year special at the beginning of this year. They will thank their customers for being loyal customers. Just like you would imagine a small local business would do. 
So I think some of the trends are born, quite frankly, out of the marketing prowess of some within the ecosystem. If you're better at marketing and selling your tool, it's highly likely that that tool is going to become more popular. So attacker in the middle phish kits, living off the land, things which aren't necessarily tied to the ecosystem, but they're tied to forums, and people talking about what works, and people having these different tactics that they share. Things like that. And then we always see current-event social engineering. I guarantee you, whatever big event is happening in the world at that time, whether it's an election, a natural disaster, a holiday season, the threat actors know that it will psychologically resonate, and they use it for social engineering.  

39:08 Raghu Nandakumara

And so we see a technique or a procedure associated with that that kind of makes it onto our list, right?

39:14 Sherrod DeGrippo

So we need a top 10 TTPs trend list, like, every quarter.  

39:19 Raghu Nandakumara

Yeah, I think so! Maybe it's something that you fit for you to host on your very successful podcast. Maybe that's an idea. But I want to bring it back to one thing is that have we as defenders been successful in forcing attackers to retire techniques and procedures and made them essentially pretty much guaranteed to fail, and forced them to do something different?

39:49 Sherrod DeGrippo

Yes, 100%. All the listeners are like, I'm going to fight her. So, when is the last time you dealt with a rootkit? When is the last time you got an individual ransomware attempt against a consumer? When is the last time you dealt with an exploit kit for a browser vuln? I mean, they happen still, but we have reduced attack surface. When's the last time malicious documents with macros were successful? Microsoft turned that off two years ago, three years ago. The attack surface is being reduced. But just because we continually reduce the attack surface doesn't mean that the threat actors aren't still creative. And that's again, part of the drive to survive F1 situation that we're in. It's going to be an escalation and evolution forever. That's one of the reasons I love security is because it is subjective. And I'm going to say something again, I know I'm a hot take. I'm a hot take girl. Security is a feeling. Do you feel secure? Are you secure? It's impossible. It's impossible to say, "Yes, we are secure." If your CISO comes to you and says, "Is this organization secure?" Come on!

41:12 Raghu Nandakumara

Oh 100%.

41:15 Sherrod DeGrippo

Yeah. So it's like, you know, we're in the feelings business, as much as a lot of people don't want to admit that security is the feelings business. And we use every technical tool that we have available to us to make that feeling true to make that feeling effective. But ultimately, are we secure? It's subjective. It's a guess.  

41:43 Raghu Nandakumara

I like that a lot. Security: We're in the feelings business. I like, that's a good tip. We should use that to market help fill some of this cybersecurity skills shortage. I just got to come back and say, when's the last time you heard someone use a rootkit or exploit a browser vulnerability? And I'm only going to answer this because I listened to, I think it was the last but one Microsoft Threat Intelligence podcast, you were talking about some North Korean threat actors that had brought some of those back.  

42:17 Sherrod DeGrippo

Yes! We were all like, what? They're chaining browser vulns, they've got zero days, and they're exploiting chain browser like, what? And I think that was, it was so cool because we were like, "Oh, we have not seen this. We have not seen this in a long time, folks, this is vintage." And I think it's true. We don't see that stuff as much anymore. And when we do, it's, it's a big pop on the landscape. Like, whoa, this is news.

42:44 Raghu Nandakumara

Nice, so let's change tack slightly before we wrap, right? Of course, my producers have said, "Hey, if you don't talk about AI, artificial intelligence, we're not going to be able, the social algos will just, like, just sort of demote this." So I'm just saying those a few times, but I want to ask you something in the context of, and I know you've got a really interesting take on artificial, the A in AI being for accelerating versus artificial. But there was the World Economic Forum, I think I'm going to say, within the last 12 months, had sort of done a survey of security leaders, and the question was who do you think AI in cyber is benefiting, right? And I think the data was something like that somewhere around 55 to 60% said it's benefiting attackers more than defenders. Somewhere around sort of 25 to 30% said it's benefiting the defenders and whatever. The remainder said it's equal, right. From where you are, how do you see the use of AI in cyber today? Right? Who do you see it benefiting? What do you see it enabling? And do you feel concerned about it, either on the defender or attacker side?

43:59 Sherrod DeGrippo

I am an AI believer. I use it every day. I am, you know, I dropped like a streaming subscription so I could switch it for ChatGPT paid. I love AI and the opportunities that are in front of us with it. But it is a tool, and so it almost can be analogous, in some ways, to some of that living off the land stuff that we've talked about. This is a tool available to everyone. You can use it for good. You can use it for evil. You can skip it, not use it at all, which I think some threat actors also are still at that stage. We've seen threat actors at Microsoft leveraging it. We put out an intelligence report about North Korea, Russia, China, and Iran's use of AI. I think it's something that's going to continue to develop. We aren't seeing major leveraging by threat actors today to do novel things. And I think that's comforting in some ways, because it means security foundations are solid, right? The basics are still working. And again, going back to acceleration, that's where I get nervous. We're taking something that can make threat actors faster, allow them to scale, allow them to do things within a scope that we had not previously seen. It's an enabling tool. An example that I always use with that is we've seen data breaches for years. We've seen data breaches available to download for years now. You can put that breach data into an LLM and start asking the LLM questions about that breach data, which is something that you can't do with a Regex. I don't care what kind of Regex wizard you are, and I've met them all. I live my life among Regex wizards. You cannot ask a Regex for sentiment. You cannot ask a Regex to find every instance of a female employee and a male employee having inappropriate conversations. You can't ask a Regex to tell you to find all the insider trading happening in these communications. It's taking things to the level where threat actors are becoming almost like superhuman if they're thinking about doing things like this. 
So it accelerates that capability. It makes them faster. It gives them the ability to ransom an organization, pull down those files, look through those files, find incriminating and extortionable information within minutes, and then go back and say, "Actually, we said a million. Now we're at two."

46:37 Raghu Nandakumara

I think it's bringing, it's enabling or accelerating, bringing together the subjectivity of that and the objective. If the regex is kind of that objective approach, the subjective is what you described, right? The things that it can't do, but AI can do.  

46:58 Sherrod DeGrippo

And it can do it instantly. There's not even any wait time. There's no processing time. It happens in seconds. And you know, threat actors traditionally will do what it takes to get what they want. And they're not going to typically go above and beyond that. But once they figure that out, and they figure out they can do it faster and more effectively, that will kind of crack things open I think.

47:29 Raghu Nandakumara

So as we wrap up, I'm conscious that you have elsewhere to be soon. Give us one more hot take. So into the future of threat intel.  

47:43 Sherrod DeGrippo

The future of threat intel? I think the future of threat intel continues to become more and more actionable and continues to have direct correlation to the efficacy of a security posture of an organization. That's where the future has to be. That's where we have to go, is it makes a security posture more effective or makes those leaders better able to make informed decisions.  

48:13 Raghu Nandakumara

Sherrod, thank you so much. That has been a super exciting conversation. I really appreciate you making the time to be with us today.

48:21 Sherrod DeGrippo

I really enjoyed it, Raghu. Thanks for having me!