The Microsoft Threat Intelligence Podcast 7.31.24
Ep 24 | 7.31.24

Behind the Scenes at Blue Hat IL: Security Advancements and Challenges

Transcript

Sherrod DeGrippo: Welcome to the Microsoft Threat Intelligence Podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week, dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird. But don't worry, I'm your guide to the back alleys of the threat landscape. [ Music ] Hey, welcome to the Microsoft Threat Intelligence Podcast. I am here at Blue Hat Israel in Tel Aviv, learning all kinds of cool things from threat researchers, vulnerability researchers, intel analysts, and I am joined currently by Igal Lytzki and Din Serussi. Welcome, guys.

Din Serussi: Hello, hello.

Igal Lytzki: Hello, thank you for having us.

Sherrod DeGrippo: Thanks for coming by. So you guys just got off stage. How do you feel it went?

Din Serussi: Kind of excited, to be honest. Yeah, it was an amazing experience for both of us.

Igal Lytzki: Yeah, so for me, it was like the first experience; and the crowd was amazing; and the whole setup was amazing, and I feel like it's one of those opportunities that you need to take and, like, try to express yourself and show the knowledge that you have and give other people in the community, like, be blessed with this kind of knowledge.

Sherrod DeGrippo: So tell me, the name of your talk was Trapped in the Net?

Din Serussi: Yeah, that's correct. Trapped in the Net, Advanced Phishing and Evasion Techniques.

Sherrod DeGrippo: All right. So what are the advanced phishing and evasion techniques?

Din Serussi: So we try to showcase past-year threats in the email landscape. So one that really stood out is the QR phishing that started to go up, like, in late 2023. And nowadays, we see that threat actors, actually, not only embed the QR code in the email itself, but actually take it to different kinds of file types. So as we said in the talk, we saw it in PDF files, in HTML files, in Word documents, and also, some cases where they take the QR code and try to invert or flip the colors of the QR code and mess with some QR extraction libraries.

Sherrod DeGrippo: That's fascinating. You know I love email. We talked last night at the cocktail hour how much I love email detection. Din, what else do we know about email?

Din Serussi: So basically, I think that I'm in love with the email security industry.

Sherrod DeGrippo: Oh, no, wow.

Din Serussi: Yeah, yeah, I am, I am.

Sherrod DeGrippo: That's so gross.

Din Serussi: Because it's always changing. Like, you start your day, and you don't know what to expect. It's always evolving, all the evasion techniques that they're using, and something that really stands out, it's like the custom-made CAPTCHAs that are now being used by threat actors. So in the past, we were seeing things like the text-based CAPTCHAs and Google reCAPTCHA and hCaptcha. But these days, we are seeing more and more user interaction evasions, like pressing and holding a button, moving it around, some click-required phishing. And those are just evolving, and it really raises the question, what is going to come next? And it's always a cat and mouse game trying to track those.

Sherrod DeGrippo: Are you a cat or a mouse?

Din Serussi: It depends on how you're looking at it. So if we're looking from a defender's side, I'm the cat chasing the mice.

Sherrod DeGrippo: You're the mouse getting -- trying to chase cheese.

Din Serussi: Yeah, or we are the cats chasing the bad guys.

Sherrod DeGrippo: Yeah, okay.

Din Serussi: It really depends.

Sherrod DeGrippo: What do you feel like, Igal? Are you a cat or a mouse?

Igal Lytzki: I feel like I'm mostly a cat, because I'm always up to looking what they are doing and trying to catch them, and it really feels like being the cat role in this, you know, situation. But yeah, in some cases, you also feel like the mouse, but it really depends on how, like, threat actors are actually looking at things that we are blocking in the right way, and then they actually try to bypass us. So in this situation, like, it's the opposite, that we are the mouse, and they are the cat.

Sherrod DeGrippo: So anything that we should be looking out for coming up? Like when people see your presentation, I'm sure they kind of panic. What's the best thing people can do, organizations can do, to protect themselves from this stuff?

Igal Lytzki: So I think that as we showcased, like the key takeaways that we wanted our audience to know is that, first, it's not enough, these days, to just educate the employees. You have to be equipped with an email security solution that will actually scan them, whether it's going to be a credit card, some impersonation attempts, or business email compromise. Also, make sure to run some annual penetration testing, find the weak spots, and make sure you are running a simulation with all the evasion techniques. So I think the best way these days for organizations that try to protect their end users is actually monitoring the inbox activities, both for suspicious logins and inbox rules that can be created by attackers, like find anomalies in the work hours, the subnets that the login came from, the locations, and many other variants that can change in the login parameters.

Sherrod DeGrippo: So Igal, you had a section there about nation-states, you know, state-sponsored threats coming through email. What does that look like right now?

Igal Lytzki: Yeah, so there are some nation-states that are actually using phishing as one of their attack vectors. There are not only zero-day exploits involved in nation-states. So some of those threats are actually trying to be smart and using some compromised mailboxes that they lay their hands on, and then they try to send over phishing emails to known contacts of those mailboxes. And the one we talked about in the presentation was actually Mango Sandstorm that takes those kinds of compromised mailboxes and sends over RMM tools, such as ScreenConnect and Atera Agent.

Sherrod DeGrippo: Tell us what RMM means.

Igal Lytzki: So RMM stands for Remote Monitoring and Management tools, which basically can be considered as grayware because you don't really know. It's supposed to be good software because, as the name says, it's supposed to be used by administrators controlling the organization, and those actors are actually taking that software and implementing their own attacks in order to infect their victims and actually take control over their computers, and this makes it a little bit tricky to detect because it's like trying to detect AnyDesk or something like this. It's not a trojan malware or a RAT or something like this. So you cannot flag it as a certain RAT family or a malware family. You need, actually, to check if the connection that is being made outbound from the RMM tool is legit or not.

Sherrod DeGrippo: And I saw, too, you guys were talking about the threat actor will get inside those email boxes and start creating rules. What does that do?

Igal Lytzki: So, actually, threat actors, when they do the right thing, and before they try to conduct a phishing email from a compromised mailbox, they sometimes actually create inbox rules, which we know from our work life is something that keeps our mailbox organized and clean. But those threat actors actually take those rules and set up some conditions that maybe help them out when conducting the phishing campaign. So an example of an inbox rule can be looking for phishing or bounceback-related keywords in the subject, and then they will move it to some default folder that nobody knows about, for example, RSS Feeds, and mark it as read, which basically, if we try to translate this, the attacker, before sending a phishing campaign from the compromised mailbox, will make sure that if there is a security vendor standing between him and the victim and some kind of alert will bounce back from the security vendor, it will move automatically to the folder, and the compromised user won't notice that something suspicious is occurring in his mailbox.

Sherrod DeGrippo: Got it. That sounds really dangerous. It's not? It's not dangerous?

Igal Lytzki: Yeah, yeah, it's like totally dangerous. It's totally dangerous because monitoring such things is really like picking a needle. You really need to find those actions that, I don't know, raise your spider sense. So yeah, these kinds of actions are hard to monitor, but once you lay your hands on them, this can be like a jackpot of understanding that this is a compromised mailbox.

Sherrod DeGrippo: I love it. Thanks, you guys. I really appreciate seeing you. It was great meeting you. Thanks for coming on the podcast.

Igal Lytzki: Thank you for having us.

Din Serussi: Thank you for having us. [ Music ]

Sherrod DeGrippo: Welcome to the Microsoft Threat Intelligence Podcast. I have a peanut gallery in the studio with me of Benjamin Delpy and David Weston just laughing and carrying on in the background, so they're very helpful. But my guest is someone that I have known for like many years.

Gadi Evron: Many a year. Many a year.

Sherrod DeGrippo: It's Gadi Evron, and Gadi runs one of my favorite conferences of all time.

Gadi Evron: I think I'm actually kind of retired now.

Sherrod DeGrippo: No, you retired from that? You just did one.

Gadi Evron: Well, I wasn't the one leading it. Honestly, I see success as being able to actually have somebody else carry on.

Sherrod DeGrippo: But I loved it, a conference on defense. It's fantastic. It's where I have recruited so many people to hire.

Gadi Evron: There you go.

Sherrod DeGrippo: I have met so many cool people that I adore. So I feel like you left a really fantastic legacy with that conference.

Gadi Evron: Thank you. I appreciate that. I think that it's a community effort.

Sherrod DeGrippo: Yeah.

Gadi Evron: Meaning it took the community to make it happen. I think, originally, the way it started, was I was traveling for various reasons from business to business.

Sherrod DeGrippo: Yeah.

Gadi Evron: And as I was meeting people, they were always complaining about conferences, whether it's about all the vendors taking over or putting the attacker on a pedestal or having to hide defensive talks as being offensive talks in order to get accepted. We had, from the other side of this, a lot of closed trust group conferences where you can't talk at banks. It can't be public. And people need information on what they're facing, so we figured let's do a public conference, and we created two tracks. One is the philosophy track because we talk a lot. We didn't know who will submit what, but we wanted to push the art into science. We always say we do science and security, but we keep reinventing the wheel, and we figured let's try that out, and we did. And Sounil Yu led that track.

Sherrod DeGrippo: Love him.

Gadi Evron: Yeah.

Sherrod DeGrippo: A sweetheart.

Gadi Evron: Yeah, led that track, and then there was the ops track, or hunting track, where people shared -- and we didn't look for a zero-day or something necessarily new, but rather, something where you would come and speak as if you're speaking to your closest colleague. No introductions, no let's learn what HTTP is, and then they're able to walk away 20 minutes later able to replicate this at home.

Sherrod DeGrippo: I love that.

Gadi Evron: In their own organizations. And lastly, we actually put it all on YouTube, most of it on YouTube, so people can actually get this and use it.

Sherrod DeGrippo: One of the things that I love about a conference on defense is that you have a very committed philosophy that I adopted from you and also share, which is glorify defenders. So tell me a little bit about, like, why that's so important to you.

Gadi Evron: So I didn't mention that Mike Johnson is the one who's leading that track. I'm not sure who led it this year. Steve, the one who was actually taking it over and pushing forward with a lot of other people. But the reason we glorify defense is because nobody else does. We act -- yes, a new zero-day in a Jeep is so cool for 15 minutes, but then what do we do about it? How do we push what we do forward to be one step ahead? And going to listen to yet another zero-day discovered in a toaster just doesn't cut it.

Sherrod DeGrippo: You don't love a toaster zero day? It'll burn your bread.

Gadi Evron: Yep, yep, and then it will ask, what is my purpose? You pass butter. But Rick and Morty joke, not really funny, but I tried. I do try so hard.

Sherrod DeGrippo: I got it.

Gadi Evron: I know you did.

Sherrod DeGrippo: What are you working on lately?

Gadi Evron: I actually took the leap. I am in a new startup once again.

Sherrod DeGrippo: Oh.

Gadi Evron: Vendor land, pushing against the odds.

Sherrod DeGrippo: But you're always vendor land.

Gadi Evron: Struggling.

Sherrod DeGrippo: You're vendor land like me, usually, aren't you?

Gadi Evron: Oh, I move around. Like I was a CISO. I was with Citibank for a while. I was even in a VC before doing this. CISO in residence, I helped them create a CISO community.

Sherrod DeGrippo: Okay.

Gadi Evron: So that was kind of fun. But yeah, I'm back and doing startups. I'm doing AI security with blockchain. No, no, no. I'm kidding. I'm kidding. No blockchain.

Sherrod DeGrippo: Only AI security?

Gadi Evron: As everybody else does, yes.

Sherrod DeGrippo: Is AI going to take over Skynet style?

Gadi Evron: I really hope so.

Sherrod DeGrippo: You hope so?

Gadi Evron: Absolutely.

Sherrod DeGrippo: Have you seen those movies?

Gadi Evron: Have you seen our politicians?

Sherrod DeGrippo: Oh, okay. That's hot. That was a spicy take.

Gadi Evron: Right?

Sherrod DeGrippo: That was a Gadi Evron spicy take.

Gadi Evron: I, for one, accept our new robotic overlords.

Sherrod DeGrippo: Oh, no. So what do you think the biggest concern with AI is now from a security perspective?

Gadi Evron: First, I think there is a lot of confusion, which makes sense with so much hype and so much investment and us only learning what it means. But I feel like a lot of the organizations out there are just trying to use it and running into a wall. Well, in the vendor land, we have way too many, which is always interesting. And at the same time, everybody is going for what we've done in the 90s, meaning let's do visibility. Let's do detection. Let's do governance. Let's try to catch the evil LLM with a regular expression. And my view is that it's actually about what the business needs.

Sherrod DeGrippo: Yeah.

Gadi Evron: So I'm taking it more to the direction of you now have LLM running. Awesome. It's internal to the organization, so it's about your institutional knowledge. But an intern working in marketing can ask anything the CEO would and get the same answer, such as about layoffs or sales next quarter. So I would like to introduce identity and access management, bring you an answer that makes sense to only your need to know. But then, because we have the power of LLMs, actually shape that answer so you actually get value instead of just hearing no. Becoming the partner of know, k-n-o-w, rather than n-o.

Sherrod DeGrippo: I love that.

Gadi Evron: Thank you.

Sherrod DeGrippo: That sounds really cool. So I think identity and access management style thinking around AI is smart. It's the basics. I think responsible -- like responsible use of AI is going to be a lot bigger, I think, than people even realize. Let me ask you something. Are you using AI tools in your daily personal life?

Gadi Evron: Not really.

Sherrod DeGrippo: No?

Gadi Evron: I do love them, but I don't find too much usage.

Sherrod DeGrippo: Okay, and are you hoping that that will change?

Gadi Evron: I believe it already has. I am using it without knowing.

Sherrod DeGrippo: Okay.

Gadi Evron: One of the largest challenges when you talk about detection and AI right now, I can't believe I'm speaking so much about AI, so buzzwordy. So one of the biggest challenges right now is all these people doing DLP or firewalls trying to detect everything with regular expressions is ridiculous on its own. But then what's really interesting is a lot of these engines are actually now embedded, and I don't see how we can reverse engineer Word or thousands and thousands of other applications every day to be able to do half of a job to begin with. So I'm calling on the industry to do better.

Sherrod DeGrippo: It's our problem. It's our problem.

Gadi Evron: You have been inspiring with how you've been using the platform that you built really hard, based on your actual know-how, to get out there and make a difference. I look from the side. I haven't seen you in a long while. But from a friend, I now actually look up to you.

Sherrod DeGrippo: Oh, Gadi. Geez Louise.

Gadi Evron: Well, and what's with your priorities? I've been talking to you now for a few minutes. I haven't seen a dog picture yet. What's wrong with you?

Sherrod DeGrippo: Oh, I have so many dog pics. Look, let's get a live reaction of Gadi Evron looking at my dog.

Gadi Evron: I'm just saying, wrong priorities.

Sherrod DeGrippo: I know.

Gadi Evron: Several minutes discussion. No dogs. So what's wrong with you?

Sherrod DeGrippo: Okay, wait. Here. You ready? Three, two, one. It's Boris. He's so cute.

Gadi Evron: Yeah, Boris is really cute.

Sherrod DeGrippo: I'm going to show David Weston. Look, yeah. Have you been to Blue Hat, Illinois -- Blue Hat Illinois, whoops.

Gadi Evron: I have, yeah, absolutely.

Sherrod DeGrippo: Have you been to Blue Hat, Israel before?

Gadi Evron: I have. I think it's one of the best-run and most-fun conferences around. It's literally built about the community and how to have fun while teaching people and growing. So I truly appreciate this incarnation.

Sherrod DeGrippo: This is my first time, and it's been fantastic, and I want to send super props to Ida, Etai [assumed spelling], and that whole team that makes this thing happen. It's absolutely incredible, and I want to invite everyone listening. Next time, come on out to Blue Hat Israel and check it out. Gadi, it was so cool to see you. I just ran into you.

Gadi Evron: You call me fat?

Sherrod DeGrippo: No. What?

Gadi Evron: No. What? What?

Sherrod DeGrippo: But you are very tall.

Gadi Evron: I am. That is true.

Sherrod DeGrippo: It was great to see you. It was great to just randomly run into you.

Gadi Evron: Randomly, and you're like, Gadi, where did you come from?

Sherrod DeGrippo: Yeah.

Gadi Evron: I'm like, yes, absolutely. It is really good to see you as well.

Sherrod DeGrippo: Thanks for coming on the podcast. We'll see you soon.

Gadi Evron: Thank you for having me. [ Music ]

Sherrod DeGrippo: I'm here at Blue Hat Israel on the Microsoft Threat Intelligence podcast. I am joined by Israel Gubi and Amitai Ben-Shushan to talk about Democracy Hacked, Iranian Cyber Attacks Against Municipal Elections. That's intense. Why don't you give me an idea on what your talk was about?

Speaker 1: What we talked about is a coordinated effort by several actors targeting municipalities in Israel before the municipal elections. And, more specifically, a deep dive into a use case of two Iranian actors that we call Scarred Manticore and Void Manticore.

Sherrod DeGrippo: And what are they doing?

Speaker 1: So, Scarred Manticore is responsible for initial access and long-term collection and espionage, and Void Manticore is responsible for a disruptive operation, deployment of wipers, and stuff like that. They are correlated to Microsoft's Storm-0842 and Storm-0861.

Sherrod DeGrippo: I am so impressed that you know Storm numbers. That's amazing. The Storm numbers are the hardest to remember.

Speaker 1: Those are the only Storms I know.

Sherrod DeGrippo: Those are the only Storms you know in the presentation.

Speaker 1: Yes, we had them in the presentation, so we remember them.

Sherrod DeGrippo: So tell me, what are those threat actor groups doing in terms of the election part? How does that work?

Speaker 1: Yes. In the case that we talked about, it was against a municipality in Israel where they tried to disrupt the systems of the municipality, even though in Israel the municipality itself is not a part of the voting process. But we think it is part of, like, destroying the image of the municipality, and also, maybe they didn't know that they're not part of the process because, to be sincere, I didn't know it as well, that they're not part of the voting process.

Sherrod DeGrippo: So what tactics are they using to get in? Is this like malware phishing? Like how is that working?

Speaker 1: They entered the network through a one-day vulnerability in Microsoft SharePoint Server, and then there was espionage in their network for a very long time. And in the end, yes, there were a couple of malware wipers that were utilized against the municipality.

Sherrod DeGrippo: So, why do you think that they would deploy a wiper against a municipality? What is the goal there, disruption?

Speaker 1: So, yeah, I think it's part of. -- well, obviously, it's important to put it in the larger context of Iranian cyberattacks against Israel in the context of the Israel-Hamas War, because it's part of a much-larger effort against different sectors in Israel. And as we said in the talk, this is both opportunistic and targeted, because municipalities have been targeted for quite a while, and according to what we've seen, they utilize the access that they already had to just like cause mayhem and disruption just before the elections, probably to hurt the credibility of the municipality, maybe to affect voters and stuff like that, and then they also leak some of the information online. Generally, we've seen a variety of Iranian actors leaking information from a lot of organizations in Israel, but a lot of it from municipalities.

Sherrod DeGrippo: So, from what you've seen with this particular attack with this actor, what do you think they might be doing next?

Speaker 1: So, those are two actors. One of them is more espionage-oriented, and I think that we'll keep on seeing them searching for long-term access to organizations, high-value targets, telecom, government, those kinds of stuff. As for Void Manticore, which is the one that carried out the destructive attacks, honestly, I don't know. We've mostly seen them in the context of the disruptive attack. We haven't seen them before in our telemetry. They did the same thing in Albania, like the combination between those two groups, but I do expect it to happen again in the future, like the specific collaboration. I don't know what each of them is going to do on its own, but I suspect that we might see this sort of collaboration happening again. We've seen Scarred Manticore not only in Israel, but in other countries as well, like in Oman or Iraq. It's not only Israel that they want to attack. They are very sophisticated, and they are the threat actor that the Iranians will use for the high-value victims. We call Iranian actors Manticores. That's our naming convention. So people start using Manticore.

Sherrod DeGrippo: No, you have to use Sandstorm. It's only Sandstorm and it has to be --

Speaker 1: Or Sandstorm.

Sherrod DeGrippo: -- a flavor. It has to be Mint Sandstorm, Peach Sandstorm. I know. I know.

Speaker 1: Thank you.

Sherrod DeGrippo: Have a great Blue Hat, and I hope to hear more from you about this cool threat actor hitting elections. Oh my gosh, that's stressful. [ Music ] I am still here at the Blue Hat Israel Conference in Tel Aviv. I am joined by Gal and Jonathan, and they created one of the incredible challenges at the conference. Gal, tell me a little bit about the challenge and how it's going so far.

Gal Niv: Okay. So the challenge we wrote is a web3 challenge. It's basically a smart contract over the Ethereum blockchain network, in which you have to find a logical vulnerability to obtain more money from a currency, a token that we created for the challenge.

Sherrod DeGrippo: Is it a real cryptocurrency that you made?

Gal Niv: So what's cool about, like, the blockchain technology is that you can, like, implement a certain interface and create your own token. That's how, like, new tokens, like, always get produced, like all the Dogecoins and all those. So we created a Blue Hat IL token for the challenge.

Sherrod DeGrippo: Oh, that's so cool. How do you think people are doing so far? Are they having a hard time? Are they doing good?

Jonathan Jacobi: Yeah, I think they're doing pretty good.

Sherrod DeGrippo: Do you think it was too easy or too hard?

Jonathan Jacobi: I think it's fine, but honestly, I don't know if Gal would agree, but I think more people solved it than we expected. I don't know. Maybe you expected it to be solved that much. So maybe a little bit. Maybe a little bit. Some people solved it quickly, and I did not expect that. But yeah, I guess people are better than you expect.

Sherrod DeGrippo: Have you tried any of the challenges yourselves, any of the others?

Jonathan Jacobi: Yeah, we did. We actually play-tested one of the challenges before it got released by one of the other co-founding members of -- like co-hosting of the Blue Hat team, and I don't -- it's like it was the Blue GPT one.

Sherrod DeGrippo: Was it hard?

Jonathan Jacobi: I mean, it was fine. It was very fun, and also, the concept behind it was pretty much similar, right? So you don't have to understand all the LLM logic and like go into details with AI. It's more about understanding the core concepts and then just pursuing to solve a logic challenge.

Gal Niv: You just have to understand the concepts behind it, not the internals themselves.

Sherrod DeGrippo: Cool, and so tell me what you think about Blue Hat. Have you been here before? This is your first one. No, you've been before, right, Jonathan.

Jonathan Jacobi: Yeah, I've been here. I think I started -- my first year was 2018 when I -- yeah, my first year was 2018, and since then I've been here a couple of times. I also helped organize the 2019 one.

Sherrod DeGrippo: What do you love about it? Why do you keep coming back?

Jonathan Jacobi: I think it's the most hipster kind of --

Sherrod DeGrippo: It's the most hipster?

Jonathan Jacobi: It is. It's most special. Like it's not like a fluff -- too much with fluff. You have -- it's all about the tech itself. It's all about the actual stuff, not everything around it, and the themes themselves also represent that, as you can see here.

Sherrod DeGrippo: Gal, what about you? Have you been before?

Gal Niv: Yeah, I've been attending since 2018. Jonathan has been co-hosting it for a few years. So he knows like the internals of the conference. I've been attending, like, as a regular guest, I'd say.

Sherrod DeGrippo: A special VIP guest.

Gal Niv: No, just as a normal plebe person, and it was super-fun. I mean, you meet here all kind of -- so Jonathan called them hipsters before, but it's more of like the --

Jonathan Jacobi: In a good way. In a good way.

Gal Niv: The people in Israel, which are around like the hacking community or like into cyber security, and it's like very fun, like to meet all those people. It's like it became this gathering where you meet people that you haven't met for a long time.

Sherrod DeGrippo: Are you a hipster?

Gal Niv: Some people would say. Would you say I'm a hipster?

Sherrod DeGrippo: I mean, the beard is killer. Like, yeah, I think you could qualify as hipster.

Gal Niv: Okay.

Jonathan Jacobi: I would say, too. I would say not a hipster, not a typical hipster, but he has his special personality. It's a good thing. I like -- I love him, so it's good.

Sherrod DeGrippo: The listeners that can't see this beard are really missing out. It's epic.

Jonathan Jacobi: Yeah, he's like a Gandalf.

Sherrod DeGrippo: It's like a -- it's like a Gandalf. It's like a young Gandalf. It's like a Gandalf early days beard.

Gal Niv: Yeah.

Sherrod DeGrippo: Jonathan, what about you? Are you a hipster?

Jonathan Jacobi: No.

Sherrod DeGrippo: No, but you just said it's more hipsters, but you don't include yourself?

Jonathan Jacobi: No, but I think hipster is like -- okay, so I think it's --

Sherrod DeGrippo: Here we go.

Jonathan Jacobi: No, let me get out of it, okay? I've got this.

Sherrod DeGrippo: The whole day --

Jonathan Jacobi: So sure, I think when I mean hipster, I mean like there's two definitions, okay? There's like the classical definition of hipster, and there's like the, the essence of hipster, which is taking a niche and being, like, very good with your niche. So I think what I meant here was, like, everyone here is super into the internals and they have their niche and stuff like that.

Sherrod DeGrippo: Yeah.

Jonathan Jacobi: So it's like, in that sense, I am a cybersecurity hipster, but in the normal sense, I wouldn't say that.

Sherrod DeGrippo: Well, guys, thank you so much for joining me. Thank you for doing a challenge and offering that to the Blue Hat community. I know they really appreciated it, and I hope to see you guys next year.

Jonathan Jacobi: Thank you for having us.

Sherrod DeGrippo: Thanks, guys. [ Music ] I am here on the Microsoft Threat Intelligence Podcast, and we are at Blue Hat Israel, and we are with the one, the only, the producer, the show runner, the executive genius behind Blue Hat Israel, Ida Vass. How are you now?

Ida Vass: Now? I'm blushing.

Sherrod DeGrippo: So we're on the middle of day two. How tired are you? You're so tired.

Ida Vass: Tired as hell.

Sherrod DeGrippo: And tell me what keeps you inspired to keep going.

Ida Vass: First of all, the community, the community members, they became my friends. I feel part of the community, and I want to wow them every year.

Sherrod DeGrippo: What do you think of the level of production that goes into Blue Hat that you put in? Like, this is a conference unlike any other. Blue Hat Israel is unique. So what is it that you're able to do to make it unique?

Ida Vass: Try to push the limits every year to do something else different, unique. Try to listen to the community, what they want, what they love, what they less adore at the conference and make it better.

Sherrod DeGrippo: And how many years have you been doing this now?

Ida Vass: I began in 2017.

Sherrod DeGrippo: Okay. So that is your seventh time?

Ida Vass: The seventh time. Eight if you count 2021, when we had COVID.

Sherrod DeGrippo: Okay, and are you planning to just keep doing it forever?

Ida Vass: Wow. I don't know how to answer that.

Sherrod DeGrippo: I think people will be pretty upset if you stop.

Ida Vass: I don't know. I think the difficult part is after the Blue Hat Conference is done, you have a void.

Sherrod DeGrippo: No.

Ida Vass: Because you finished your job for this year.

Sherrod DeGrippo: Yeah.

Ida Vass: But then you're trying to start, like, thinking, what is next? Where I can push the limits even more. What can I do better? How can I change the theme, bring something new, something edgy? And I think this challenge, in my eyes, is the most important one for me, and this makes me drive every year to come up with something new.

Sherrod DeGrippo: So if we were trying to get more people international to come to Blue Hat Israel, because there is quite an international contingent, which I've been hanging out with the Americans because I know them all pretty much. But I guess my question is, why should somebody come to Blue Hat Israel?

Ida Vass: First of all, this is a very unique conference at this community. Like we are very different. We are very edgy. We have the brightest minds here in Israel, and just to get to come, get the vibe from the little thing like the graphics and to the biggest things like the challenges, the activities, the makers, the talks. Everything is connected, everything. And I think it's very unique, and you don't have it in other conferences.

Sherrod DeGrippo: No. The level of, like, theme and production and design and experience focused is unlike any conference I've ever been to before. Even some of the really, really, big conferences don't have this level of intentionality around what the experience can be for attendees. And it can be whatever you make it, right? Like you can sit in talks the whole time or you can do the maker station or you can be -- I see people out in the main area and it's like, oh, they are here for challenges. And I see them in a group with their friends, and they've got computers and phones and notebooks and they're going from station to station to station. Really like --

Ida Vass: Check the bags and look for the posters. You can see groups of posters in the bags. It's funny.

Sherrod DeGrippo: Yeah. Like there's people that are here to dominate the challenges, which I think is so cool. You know, or you can sit and listen to talks or you can do what I like to do, which is like grab a taco because you have these amazing -- the food here is -- there's things that everyone's like, oh my God, the food at the conference is so good. I got a chicken taco, and I just kind of sit out in one of the lounge areas, and people just come up and are like, hey, what do you do? Who are you? Let me introduce you to this person. So all these connections are made that I don't think anyone would make anywhere else.

Ida Vass: Exactly. The mingling.

Sherrod DeGrippo: The mingling is really there.

Ida Vass: Yeah.

Sherrod DeGrippo: And you go until 10?

Ida Vass: Until 10, 11.

Sherrod DeGrippo: Oh my gosh. How do you have the energy?

Ida Vass: Adrenaline.

Sherrod DeGrippo: I saw you earlier. I was like, what are you doing now? And you said, "Having a coffee."

Ida Vass: Yeah. So a lot of coffee.

Sherrod DeGrippo: Yeah.

Ida Vass: A lot of coffee. Yeah. I even did a practice.

Sherrod DeGrippo: What do you mean?

Ida Vass: This morning, I went to do like -- to run a little bit.

Sherrod DeGrippo: Okay, to get pumped?

Ida Vass: Yeah.

Sherrod DeGrippo: Yeah, and then, so help me understand tomorrow, when Blue Hat Israel is in the books for 2024, what do you get to do like tomorrow?

Ida Vass: First of all, let's talk about tonight.

Sherrod DeGrippo: Oh gosh.

Ida Vass: Because this place needs to be empty.

Sherrod DeGrippo: Be torn down. Okay.

Ida Vass: Until 12 a.m.

Sherrod DeGrippo: Okay.

Ida Vass: So we do have a long night tonight, but afterwards, I'm working on even more events for smaller communities that I run, and maybe we are trying to get Blue Hat Nights --

Sherrod DeGrippo: Yes.

Ida Vass: -- at the end of June.

Sherrod DeGrippo: Tell me about Blue Hat Nights.

Ida Vass: It's a much smaller event, just one main keynote. We have the theme, "Always," and it's at the Microsoft offices in Herzliya on the rooftop. It's an evening -- so doors open are -- at 7 p.m. One keynote, we do always a Q&A session at the end. That is not happening here, and participants, we have like 400, something like that.

Sherrod DeGrippo: So that's 400 at Blue Hat --

Ida Vass: Nights.

Sherrod DeGrippo: -- Nights, and how many are here at Blue Hat Israel, the main event?

Ida Vass: We are almost reaching 3,000 for both days.

Sherrod DeGrippo: So both days total is about 3,000?

Ida Vass: Around, yeah.

Sherrod DeGrippo: And you know everyone's name, and everyone knows you.

Ida Vass: Most of them, yeah.

Sherrod DeGrippo: You know everyone. I see, like everyone here, I feel like you know everyone here.

Ida Vass: It's Israel. We are like a small -- no, a big family. Everybody knows everybody.

Sherrod DeGrippo: Yeah, I can tell the community here is like super close. They all seem to know each other. I see people walking in the door, and immediately they're like, oh, hey. Like they already know everyone the second they get in.

Ida Vass: Blue Hat IL is the place to be.

Sherrod DeGrippo: Blue Hat IL is the place to be. You heard it directly from Ida. She would know, and I agree. Thanks for joining us, and thanks for everything you do for the community. It's amazing, 10 out of 10. I cannot believe it, and you have personally been so kind and so helpful organizing everything for me and helping everyone get here, and we really appreciate you.

Ida Vass: Thank you.

Sherrod DeGrippo: Thanks for coming.

Ida Vass: And I'm looking forward to next year.

Sherrod DeGrippo: Ready for next year. Oh, my gosh. Take a break first. [ Music ] Welcome to the Microsoft Threat Intelligence Podcast. We are still working with Blue Hat Israel, and I am joined by Wolf Goerlich, the keynote speaker for day two at Blue Hat Israel, strategist, hacker, well-known advisor, and Wolf, how are you doing?

Wolf Goerlich: Hey, I'm doing great. I am all fired up. Blue Hat was a blast and so good to talk to you.

Sherrod DeGrippo: I had a really good time at Blue Hat, and I met so many people that I never thought I would ever, like, meet in person because they live across the globe. So that was kind of cool. You did the keynote on day two. Tell me how it went.

Wolf Goerlich: I hope it went well. I had so much fun putting this together because, you know, oftentimes people are like, oh, will you please, like, try and scare people or remind people that breaches are bad?

Sherrod DeGrippo: Oh, no.

Wolf Goerlich: We get asked this all the time. Like can you shake up the room? And it was so refreshing, your team reached out and they're like, hey, we all know it sucks. We know bad things are happening, but can you tell us what's going well, what's going great? And so I had a copy of the schedule. I went through all the abstracts, created a giant mind map because I'm a geek, and I was like, what is all the research going on? What are people talking about? What's cool? What's interesting? And I distilled that into a few different topic areas, and it was so much fun to highlight some of the areas that we've gotten better at as well as set the groundwork for the fantastic, talented researchers and people who are out there who are like, yeah, yeah, yeah. Now, Wolf said the -- so let's go deep dive for the next 50 minutes about this topic.

Sherrod DeGrippo: So one of the things that they have at Blue Hat Israel that I've never really seen in the past is there's the main presentation room, which has the stage and the audience is in there, and because there's thousands of people at Blue Hat Israel, they can't fit everyone in that room, so you can actually go out into another open space with, like, a bar and food and couches, and you put on headphones and you watch on a big screen. And that's where I was when you were doing your presentation, when you were doing your keynote on day two, and it was so fun because I could watch everyone else watching you at the same time, and I could see people's reactions when you would mention something. People would be like, yeah, like, a lot of the things hadn't dawned on them. So what do you think, like, we've done right? Like, what's working? I know what I feel is working. What do you think is working?

Wolf Goerlich: Well, now I want to hear what you think is working, though. Start there.

Sherrod DeGrippo: Well, I feel like we never hear anything about exploit kits really anymore. We don't hear about root kits anymore. We don't really hear about browser vulnerabilities anymore. I mean, there is so much code being written and pushed day in/day out from every corner of the earth. We've kind of eliminated a couple of, I don't know, classic vintage categories of insecurity, such as, like, exploit kits. It's not really on the radar anymore, and I think that's an indicator that we're doing well.

Wolf Goerlich: One-hundred percent, and I think related to that, you know, I got to bring back some of my old favorite talking points. One of them is the Ultron rule, right? Like, Ultron from the Avengers, if you remember, the super-smart AI, super-advanced robot that goes crazy, and if you think about the entire plot of why it goes crazy, it was because it was plugged into the Internet. It browsed Reddit. It decided you no longer needed to exist. It tried to take over the world. But I used to use it as an example because, years ago, you would plug in a Windows computer and in 20 minutes it would be infected. There's all sorts of advice, like, don't plug it in until you do all these things. And then, like, you know, less than a decade ago with IoT, SANS Institute repeated some of those studies, and they found if you plugged in a typical IoT device, within two minutes it was compromised because there was constant scanning, constant exploitation going on, and there's a lot of low-level network-level vulnerabilities, and I do think you're right. I think we don't give ourselves enough credit for the tremendous advancements that have happened in hardening your OS, hardening your network stack, hardening your devices, right? Good, good, solid controls that we've seen, so that was one area that I highlighted. And isn't it nice that we can just get a computer and use it now? These are good times.

Sherrod DeGrippo: Yeah, and about, I don't know, a couple of days ago, I guess, I bought -- I went a little wild, and I went to the Apple store, and I bought an iPhone, iPad, watch.

Wolf Goerlich: Nice.

Sherrod DeGrippo: And, yeah, like, all in one go. The person helping me, I'm sure, was exhausted with me by the end of it. But really, other than the -- I mean, it did take some time to download updates. But other than sit and download updates, I feel like systems are generally secure. Like, if you're using most computers as intended, they're generally secure. There's things you need to do to get there, but I feel like those olden days of even 10 years ago when people would say, oh, out of the box, you're in trouble, or there was these -- you know, the browser wars. That was a real thing for those of you who were maybe not in the game back then. Browser wars was real. That was a thing. There were lawsuits. It was a big deal, and a lot of the advances that we have gotten in secure browser technology are because of the browser wars.

Wolf Goerlich: And it's funny you mention that. You know, I remember, like, the three things you used to see on every website. Please sign my guestbook. Here's a web ring.

Sherrod DeGrippo: Yeah, sign the guestbook, web ring.

Wolf Goerlich: You're right, and then the third was this site best viewed under Browser X.

Sherrod DeGrippo: Yes. It was partisan.

Wolf Goerlich: It was a mess, yeah. But also related to that, now, there was some really great content at Blue Hat IL around, you know, where the attackers have moved. They've moved into browser code, and there's -- and, obviously, every time we get better, the criminals get better, right? The product people get to say, if I build a better mousetrap, the world will beat a path to our door. Security people, unfortunately, get to say, if I build a better mousetrap, I breed better mice.

Sherrod DeGrippo: Yes, every time.

Wolf Goerlich: And that's where we --

Sherrod DeGrippo: They are. The mice are evolving. They're getting little mouse armor. They have tiny little mouse swords, and at some point, they'll probably have some sort of mouse ballistics that they can deploy. Because, yeah, I do feel that we are continually, to use that analogy, we are building better mousetraps day in/day out, but the mice are arming up.

Wolf Goerlich: Absolutely.

Sherrod DeGrippo: Just alongside us.

Wolf Goerlich: But, you know, if you think to that browser side, what were we doing? We're browsing a website, and one of the stats I found, and I've forgotten this. I don't even remember this side. Remember when we used to be, like, afraid to use, like, hotel Wi-Fi and airport Wi-Fi?

Sherrod DeGrippo: Don't connect to the public Wi-Fi.

Wolf Goerlich: And there was the wall of sheep that was really hot. I know people still do that. But it was really hot back then because, like, 40% of websites were encrypted around 2010. And today, it's pretty much all. I mean, certainly, you can find unencrypted websites, and if you're not rotating keys and everything, shame on you. And we can have that conversation. But nearly every website we talk to is encrypted. So now we've got end-to-end protection. We've got better OSs. We've got, you know, better standards in our browsers. We've got standards bodies that are taking into account encryption. And, of course, that means with end-to-end protection, they are going to attack us on the ends, not in the middle. So we know where the mice are going, at least, which can also help us.

Sherrod DeGrippo: Well, I mean, totally, and you narrow the paths that they can take, right? You kind of direct some of that focus for all of the different path options that you cut off for threat actors. You know what's left in a lot of ways. One of the things, speaking of browsers, that I think is, you know, huge, that kind of happened and we didn't talk about it enough, Google discontinued their URL shortener, goo.gl, about, I don't know, two or three years ago, and threat actors were going wild with that URL shortener. Bitly has kind of fallen off, I think, in a lot of ways, too, in terms of being leveraged by threat actors. Those shorteners were a path to kind of a black hole, and we always tell people, oh, check your URL, check your URL. Well, checking the URL does nothing if it's a shortener. So I think, like, the click-type attack chains and things like that have gotten somewhat better.

Wolf Goerlich: Yeah. Yeah, this idea that we're just doing waterhole attacks and whatnot has definitely decreased. So I think all that was good. The other thing that I highlighted, because I think this is -- there's an interesting trend which those of us who've been doing this for a while notice, and those of us who are brand new haven't been through it a few times. And one of those trends is everything we talked about, those advancements, they come because we build some technology, and then we deploy it, and then the security researchers find out what's wrong with it, and then the CISOs panic, and then we fix it. And there's this, like, hype-to-panic cycle, I used to call it, between when developers would build things and when CISOs would panic about it. I used to, back in the day, go to dev conferences to figure out what my colleagues would be talking about on the CISO and the hacker and the B-side circuit two years from now. It was great.

Sherrod DeGrippo: Yeah. That's something that, coming to work at Microsoft, which is, you know, this is a software development company. We develop and release software here at Microsoft. I mean, that is job -- like, that is what we do. And sitting more side-by-side with developers, I have learned how different they think from security professionals, which is not a bad thing. In fact, I believe it's probably a lot healthier. A lot of times when you talk to a developer or a software engineer who identifies as a software engineer and say, yeah, I'm a developer or I'm a coder, they want to build beautiful things that people use.

Wolf Goerlich: Absolutely.

Sherrod DeGrippo: They love it. They want to build this great, wonderful thing, and once they build it, they want people to use it. And for any, like, you know, engineering leaders listening out there, the two things that will crush the morale of your development teams is they don't get to release, and they don't have users. That is morale destruction for engineering teams. Then in security, we're like, I want to destroy something and see what's inside. Like, we're the kind of people who, like, the engineers are, like, lifting up the side of the chicken to see all the eggs and like, oh, those eggs are doing great. The security people come in and are like, let's break these eggs immediately. Let's smash them right now and see what's in there. And I think that that's why those relationships are so important. I think maybe we have on the security side, maybe a little more neurotic pieces of our brain. And the engineers are, like, developing and releasing all these beautiful things. And we're like, let's crush them, but that said, I do think that there's a lot of developers now who think about security first a lot of times, and it's good to see. That's new.

Wolf Goerlich: There are, and we've seen such a rise in, you know, security tracks at dev conferences. We've seen such a rise of the security mindset being associated with clean code and that whole movement. But one of the things that I highlighted at the keynote stage was this idea that we tend to repeat history. Like, every time we have a new innovation, the developers tend to bring in a lot of the same mistakes that previous generations had. So when we went to hypervisors, we had default creds and we could do, you know, escapes. We went to the cloud, I remember early days, people escaping out of the cloud and trying to get into bare metal and everything. We went to containers, oh, my God. Kubernetes and Docker were a mess. It still kind of is a mess.

Sherrod DeGrippo: And there's a whole security discipline around Kubernetes.

Wolf Goerlich: Oh, absolutely.

Sherrod DeGrippo: Like, there are specialists that just do security for that.

Wolf Goerlich: So one of the things, the anecdotes I was sharing was, now that we're moving into generative AI, now we're moving to LLMs, researchers need to try all these old attacks. Like, can you do a SQL injection on an LLM? And I highlighted a story about how to get SUID or how to get root with SUID on an instance of Linux that's hosting an LLM. And you would be like, wait a minute, that's like a 1990s style attack. Who's doing that, right?

Sherrod DeGrippo: Yeah.

Wolf Goerlich: So one of the, like, remaining end calls to action is, you know, we need to be watching these innovations. Because every time there's an innovation, the earlier we're looking at it and the sooner we're testing some of these old-school techniques, hey, you can make a whole career out of that, to your point about Kubernetes. Some of the people, the first people who were like, hey, can I steal a secret from environmental variables out of Kubernetes? They're still going around, like, oh, you don't know who I am? Google me, right?

Sherrod DeGrippo: Yeah.

Wolf Goerlich: So, you can make a whole career out of that from security research, and from the defense side, you can really get ahead of hardening your environment if you look at some of these new innovations with some of the old lenses and attack models.

Sherrod DeGrippo: And I think that AI is going to be the battleground where that's going to happen. I am talking to a lot of people at work all the time that are doing AI jailbreaks, that are doing prompt injection, that are doing, you know, malicious prompt engineering. The AI Red Team is always, you know, I'm in a chat group at work where the AI Red Team is posting like, look at this crazy thing, look at this crazy thing, and it kind of reminds me of, honestly, the -- it reminds me a little bit of the early days of ransomware because people are finding things that are making them stop and go, what? What? What is this? And I think that that is where researchers, analysts, engineers, are going to have to really all come together to figure out what those next steps are for securing AI, making it safe, things like that.

Wolf Goerlich: One-hundred percent, and I had such good conversations at Blue Hat IL about that. Also, a lot of folks who talked to me there reached out to me and were like, hey, can I get you a coffee? Can I, you know, connect with you afterwards? So I had a lot of great conversations with people who were like, hey, what about this? What about that? Can we talk afterwards? And I'm so excited because there's such an energy in the Blue Hat IL community about, well, this is a problem. Let's build something. Let's tackle it. Let's figure it out. Let's brainstorm it, right? What are we going to do next? And coming out of that, I was just so excited. I'm looking forward to some future conversations around not only Gen AI, but across the entire stack and how to improve it.

Sherrod DeGrippo: I think that we're going to see a lot coming up. And I think that the Blue Hat audiences, whether they attend IL, the Redmond Blue Hat, or Blue Hat India, which also just happened, I think that we're going to see a lot of great research out of those analysts and researchers. Well, thank you so much for joining me. It's great to talk to you, and I hope we get to talk again soon.

Wolf Goerlich: Yeah, good catching up and good seeing you out in Israel. [ Music ]

Sherrod DeGrippo: Thanks for listening to the Microsoft Threat Intelligence Podcast. We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode, we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out, msthreatintelpodcast.com for more and subscribe on your favorite podcast app. [ Music ]