The Cyber Insider
Threat Intelligence, AI, and Thinking like a Threat Actor, with Sherrod DeGrippo
This month we welcome Sherrod DeGrippo on the Cyber Insider podcast's latest episode. Sherrod is Director of Threat Intelligence Strategy at Microsoft. She was selected as Cybersecurity Woman of the Year in 2022 and Cybersecurity PR Spokesperson of the Year for 2021. Previously, she was VP of Threat Research and Detection at Proofpoint, where she led a global team of threat researchers, malware reverse engineers and threat intelligence analysts. Her career in cybersecurity spans 19 years, with prior roles including leading Red Team Services at Nexum, senior solutions engineer at Symantec, senior security consultant at Secureworks, and senior network security analyst at the National Nuclear Security Administration (NNSA). She is a frequently cited threat intelligence expert in the media, including televised appearances on BBC News and commentary in the Wall Street Journal, CNN, the New York Times, and more. Having presented at Black Hat, RSA Conference, RMISC, BrunchCon, and others, Sherrod is a well-known public speaker. In her personal time, Sherrod spends time with her rescue dog Boris Karloff.
Threat intelligence provides insight into the tactics, techniques, and procedures used by threat actors, allowing organizations to better protect themselves. However, how useful it is depends on an organization's maturity level and its ability to act on the information. Sherrod highlights the role of threat actor psychology in understanding attackers' motives and objectives. She discusses the evolving nature of threat intelligence and the need for organizations to evaluate its value and determine how it can be used to improve their security posture. Additionally, this episode explores emerging trends such as the potential use of AI by threat actors and the increasing involvement of CFOs in security decision-making.
All this and much more is discussed in this episode of The Cyber Insider podcast by Emsisoft, the award-winning cybersecurity company delivering top-notch security solutions for over 20 years.
Be sure to tune in and subscribe to The Cyber Insider to get your monthly inside scoop on cybersecurity.
Hosts:
Luke Connolly – partner manager at Emsisoft
Brett Callow – threat analyst at Emsisoft
Intro/outro music: “Intro funk” by Lowtone.
0:00:03
Luke Connolly
Welcome to The Cyber Insider, the podcast that takes you behind the scenes of the cyber world with exclusive interviews, insights, and expert analysis. Tune in and stay ahead of the game. Welcome to The Cyber Insider, Emsisoft's podcast all about cybersecurity. Your hosts today are Brett Callow, threat analyst here at Emsisoft, and I'm Luke, partner manager. We're very excited to have Sherrod DeGrippo with us today.
0:00:29
Luke Connolly
Sherrod's previous employers include Proofpoint, SecureWorks and the National Nuclear Security Administration. And she's currently the Director of Threat Intelligence Strategy at Microsoft. She's based in Atlanta and is the proud parent of a dog called Boris Karloff. Welcome, Sherrod, and thanks for taking the time to join us today.
0:00:49
Sherrod DeGrippo
Thanks for having me, Luke. Thanks for having me, Brett. It's great to meet you guys.
0:00:52
Luke Connolly
Okay. I did a quick inventory of the Borises that I can name off the top of my head, and I came up with Boris Johnson, Boris Yeltsin, Boris Becker, Boris Spassky, who's the chess grandmaster, Boris Badenov of Boris and Natasha fame from the Flintstones. And I have to ask, how did your dog come by the name of Boris Karloff?
0:01:11
Sherrod DeGrippo
He was actually named Boris Karloff in the shelter that picked him up as a stray, and I was his foster through the rescue organization that works with that shelter. They said his name is Boris Karloff. And I said, it sure is beautiful. He's a wonderful dog. He is part Australian cattle dog and chow chow mix. So he has a really interesting, fun personality. He is just incredibly well behaved and incredibly sweet. And I'm very lucky to have found such a sweet, well behaved dog. And a not so fun fact about Boris is that he actually has been shot and has a tattoo.
0:01:50
Sherrod DeGrippo
So as a stray, he was shot and he has buckshot in him that is not affecting him. And he is fine now. And when he was neutered, he got a tattoo to indicate that he had been neutered, which is standard procedure. But I always say that Boris and I, between the two of us, have an average of one tattoo each.
0:02:09
Luke Connolly
And in my research, I would just like to add one more thing, is that I know that Boris likes to sleep in. He's been known to stay on the couch until noon, which is beyond sleeping in in my books, but to each his own.
0:02:21
Sherrod DeGrippo
Yeah, it's interesting. A lot of people say, oh, the dog woke me up at 7:00 a.m. Boris has never woken me up in the morning, not once.
0:02:28
Brett Callow
Good. Okay, to move on. Not everyone has a clear understanding of what threat intel actually is, or even why it is. Can you explain it, and explain why it matters?
0:02:39
Sherrod DeGrippo
Yeah, I would love to. I'd love to talk about that. So I think that there's a lot of debate about this in the industry, and ultimately the question is, what really is the value? Why does threat intelligence really matter? And first, I define threat intelligence really simply. A coworker and friend of mine, Christopher Glyer, gave me this definition very succinctly one day. He said, we talk about what threat actors do.
0:03:06
Sherrod DeGrippo
And to me, that's threat intelligence, that's really the foundation of what threat intelligence is, is what do threat actors do? And you can really get deep into that, and you can expand it, but ultimately, what are threat actors doing? That's the threat intelligence seed. That's the foundation. So the way I like to think about it as well, is let's say you have your home, right? And I come to you and I say, I can sell you a security system to protect your home, and I can make sure that nobody breaks into your house successfully.
0:03:39
Sherrod DeGrippo
A lot of people say, okay, that sounds pretty good. And I say, but I have an extra thing that I can add on for you. Every person that tries to break into your home, I can tell you their first name. Everybody says, oh, okay, that's kind of cool. I can tell you their height, weight, where they live and what model of car they drive. They say, wow, that sounds really cool. And I can tell you the model of flashlight and the type of lock picks that they're using to break into your home. They say, wow, this is really incredible. I want this information. This is fascinating.
0:04:11
Sherrod DeGrippo
I'm really going to need this. And so I can say, I can protect your home. No successful break ins. People say, yeah, it's good. And I say, everyone who tries to break into your home, I can tell you their hair color, their height, their weight, where they live, and I can tell you who else's home in your neighborhood they tried to break into in addition to yours. People get really excited by this idea.
0:04:33
Sherrod DeGrippo
They say, I want to know, are they breaking into rich people's houses, poor people's houses, big, small? I want to know all this. I say, great, but you're going to have the same efficacy of people breaking into your house either way. Now you're starting to talk about a maturity level, right? Like, if your protections are the same either way, why does intelligence matter? Well, intelligence matters from a large ecosystem that helps us design the locks and windows and security cameras and all of these systems. So threat intelligence really, really matters at threat intelligence and protection vendors. So those of us that have that maturity to use it, it really matters for us.
0:05:09
Sherrod DeGrippo
And then there starts to be a difference curve. What can you really do actionably to better protect yourself with threat intelligence, which is sort of, when does it go from really expensive in-depth gossip to being something really useful and actionable that increases your security posture? And that's a different answer for every individual and every organization. But ultimately, these are all questions that we're talking about in the industry. As security programs and postures mature, we have to decide what the role of threat intelligence is at each organization, which is not the same. It's not one size fits all.
0:05:45
Luke Connolly
And is threat intelligence mainly for larger organizations? I mean, you gave a good profile there. But at what point should smaller, growing businesses look to leverage it? When and how does it start to add value to their security position?
0:06:01
Sherrod DeGrippo
That's a really good question. And I think organizations need to really sit down and take the questions that you just said and ask them amongst their security practitioners, their CISO and their CFO and kind of their legal department, and what do we really want to get out of this? But I think ultimately, organizations want threat intelligence because of their unique perspective on their own organization.
0:06:25
Sherrod DeGrippo
No threat intelligence provider will ever know more about your organization and how it operates than you. And so you kind of have to sit and be realistic and say, if I give my security operations teams a lot of information about attackers, threat actors, how they operate, what they do, are they equipped with the right tooling, mechanisms, permissions, and skill levels to be able to use that to better protect us? And in some cases, yes, and in some cases, no.
0:06:55
Sherrod DeGrippo
I think the thing that organizations need to start with is, will I use this intelligence immediately? And that really kind of is the window that I like to look at is can it make a difference for me today, or do I have to build a program over the next six months to really take advantage of it? You're probably not ready. Like, if I can give you IOCs and actor information and forensics about a piece of malware, and you say, yeah, my team could put this to use today to create better protections and detections within my environment, you're good to go. If you say, it would take us a couple of hours or days or weeks to really look at this and understand it and create something with it, then you need to start building your internal programs around how to use threat intelligence better.
0:07:38
Luke Connolly
I'll just point out you mentioned IOCs, indicators of compromise. They're basically little breadcrumbs that have been left behind if the threat actors gained access to a system and they've been mucking about.
0:07:48
Sherrod DeGrippo
Yeah, I love an IOC. I think IOC feeds get a bad rap because people see them as just kind of like a blast of information a lot of times. But if you're able to programmatically create detections and hunting out of an IOC feed, that's a really mature way to handle IOCs. And I think being able to manage that data is a really hard job, right, because you've got IOCs coming in from your own organization, and then you've got IOCs coming in from external threat intelligence and detection vendors. So you have to kind of differentiate, normalize, and hunt through these big disparate fields of data, which can be really hard for a lot of operations individuals. But if you get that down right, an IOC is ultimately an atomic IOC.
0:08:32
Sherrod DeGrippo
Atomic indicators ultimately are like your most indicative piece that you can make attribution off of. So if you have them and have them programmed well, you're in a great place.
0:08:43
Brett Callow
I know of your interest in threat actor psychology. How does that fit into threat intel?
0:08:49
Sherrod DeGrippo
So have you guys ever seen the Michael Mann movie Heat? So he did Miami Vice. That's the same director that did the Miami Vice series and the Miami Vice movies. I think if you haven't seen Heat or the Michael Mann Miami Vice movie, you should watch it because it's one of the best threat actor psychology examples I've ever seen. Another one that's a pretty good example of threat actor psychology is Beverly Hills Cop.
0:09:13
Sherrod DeGrippo
Axel Foley is the cop in that movie, but he's also kind of a threat actor because he's, like, going up to restaurant maître d's and being like, I'm, you know, the sausage king of Chicago, like Ferris Bueller. He's got these different personas that he uses and these different ways to kind of sneak into places. In Heat, it's a classic heist movie where those guys are like, just one more, you know, this is going to be the last one, and then I'm out.
0:09:39
Sherrod DeGrippo
I think that that psychology really plays over into the cyber threat landscape, too. There are people that think about threat as threat actors and try to be successful. Whether their motivations are financial, or they're working on behalf of a nation state in order to do espionage or exfiltration. Ultimately, there is a criminal and a threat actor psychology that comes into play to sort of understand what those objectives are, what the motives are, what's the working cadence. Some crimeware actors are, I won't say lazy, but they like to take a vacation, right?
0:10:18
Sherrod DeGrippo
They like their time off. They take nice long summer holidays. It's a mindset that I think helps understand what threat actors might do or might want to do. And we can all kind of embody that, right? Anybody can sort of pick up a mindset of, if I wanted to steal money from bank accounts, what would I do and where would I start? And if you really take ten minutes, close your eyes, turn off your phone and start thinking, I want to do this, and there's plenty of criminal options, how would I do it? What would I do? If I told you you needed to come up with a million dollars in 30 days? Would you steal it from a bank?
0:10:58
Sherrod DeGrippo
Would you send malware out? Would you compromise a CFO? Would you use social engineering? Would you use a vulnerability and exploit it? How would you do that? And that's kind of that same mindset that the threat actors are dealing with: I've got this objective and I have to get it done in this amount of time. What are my routes to get there? How do I do it?
0:11:17
Brett Callow
If you want to steal a million dollars in 30 days, how would you do it?
0:11:23
Sherrod DeGrippo
I would never do that, Brett. I am the law abiding, total good kid. But I think if I were a threat actor, I would definitely, probably do malware into a lower level accounts payable, accounts receivable employee at a medium-sized business. Invoicing fraud is one of my favorites. You just get into an approved vendor system at a medium-sized business and just start sending invoices from various fake companies.
0:11:57
Sherrod DeGrippo
Get those invoices paid into a variety of compromised bank accounts that you're purely using for mule purposes and for money laundering. Get all of it. Sit into those bank accounts and then enjoy your million dollars that you need for charity for the dog rescue. That's what I would do.
0:12:17
Luke Connolly
How have you seen threat intelligence evolve over the years, and what trends do you see shaping it in the future? I mean, we just recently interviewed Jackie Burns from Chainalysis about the blockchain and using the blockchain to trace the money. So what have you seen in the past, and how do you see threat intelligence evolving?
0:12:38
Sherrod DeGrippo
I think honestly, in the past there's been just sort of a gold rush of get as much intelligence as you can. And we've evolved now to the point where we're analyzing our ability as organizations to use that threat intelligence and what it's really getting for us. And I think that we're starting to see the value of where is the telemetry coming from? Whose signals are these? How vetted are they? How prone are they to FPs?
0:13:07
Sherrod DeGrippo
Where are we really going? And looking at that as an evaluation, I think in the early days of threat intel in the cyber landscape, probably, let's say the early days would be ten years ago. Threat intel has been around for a long time, but I think ten years ago is when it got to be more like an industry and not just something used in the public sector. People are now evaluating, can I really make use of this and what do I need to do with it? And am I equipped?
0:13:36
Sherrod DeGrippo
And that's where the tooling is starting to get evolved. That's where threat hunting is really starting to come into play. People are learning how to hunt in ways they never did before. It's funny that our industry has these alternate definitions for hunt and fish, but that essentially is kind of where defenders are really looking now: is my hunt time through threat intelligence information, is knowing this information, helping me improve the posture of my organization for their security program?
0:14:04
Brett Callow
What emerging trends do you find particularly concerning? What can organizations be doing to defend against them or to prepare to defend against them?
0:14:13
Sherrod DeGrippo
That's a good question. I think some of the trends that we're seeing that are a little concerning are sort of where AI will take us in terms of what threat actors will do. I agree that we don't really see a ton, a ton, a ton of that. It really is in that early experimental stage, I think, for threat actors, but I don't think it will stay that way for very long. I also think that from a trend perspective, we're starting to see CFOs get more in the driver's seat with security.
0:14:43
Sherrod DeGrippo
They're the financial leaders of the company, and they feel very much on the hook when it comes to data loss, breach, financial loss. They're getting into the conversations and making technology decisions in ways that, five or ten years ago, the CFO was not having meetings with the security vendors to understand how the products work, what kind of guarantees that company might have for them, what do the products really get them, what kind of reporting is coming out of it. You're seeing CFOs start to ask a lot more questions now. They're in the conversation more than they've ever been before. And I think also from a trend perspective, we can't let go of the realities that we're sort of constantly surrounded now.
0:15:25
Sherrod DeGrippo
Whether it's a traditional laptop, the cloud, an IoT device, or a mobile device, it's everywhere. My house is fully IoT, and it really stresses me out sometimes because I'm like, I can do so many things. I love this. And then I think, oh, my gosh, this is really potentially a big risk factor. So we're back to that kind of place of weighing convenience and security, which isn't a trend, it's a perennial favorite, but we're having to do that with so many new different platforms and devices than before.
0:15:57
Luke Connolly
We're speaking with Sherrod DeGrippo, the director of threat intelligence strategy at Microsoft. In the past, you've talked about social engineering as a TTP. For our audience, TTP stands for tactics, techniques, and procedures, describing the methods that threat actors use when executing an attack. Can you talk a little bit about that, and in particular, why it matters?
0:16:21
Sherrod DeGrippo
Sure. I love social engineering. This is another plug for Beverly Hills Cop, the two movies that have some of the best real world examples of social engineering. I'll give you three. Here are my three favorite social engineering films to watch. Ghostbusters, number one. Those guys are social engineers like crazy. Especially the scene in the mayor's office. Beverly Hills Cop. And Don't Tell Mom the Babysitter's Dead. Teenagers are the ultimate social engineers.
0:16:47
Sherrod DeGrippo
They are so good at it, especially when they're trying to hide the fact that their babysitter died and they are covering so they can have a summer alone. I think that social engineering, of course, goes back to being a TTP. Like you said, Luke, that it's so human, right? It's a human connection. And then if you go to the threat actor psychology side of it, it creates this incredible world of imagination. So the question there is, if I told you, you could, for all intents and purposes in the digital world, become anyone you want.
0:17:23
Sherrod DeGrippo
So you can assume the identity of any person that you want, any person with email, any person with a login, like, who would you become? You might say I would become somebody that's on the billionaires list. I would become a lottery winner. I would become a financial advisor at a big bank. Essentially, once you've got this new identity, you can walk into the virtual bank, right? You can log into someone's online banking.
0:17:53
Sherrod DeGrippo
You can walk into a virtual car dealership, or you can walk into a virtual CPA's office. You can start moving things around. You can start looking at data. You can start pulling money out as if you were that person. And so social engineering, in many ways, is the result of making the world believe that you are someone you're not, or that you have some kind of capability or trait that you don't. And so it's sort of fun to imagine, like, who would you be? What would you do?
0:18:29
Sherrod DeGrippo
If you could talk to anyone as anyone else, including systems? What's the best thing to be? All right, you have to answer, Luke. Brett, what are you going to be?
0:18:40
Brett Callow
I actually don't have an answer for that.
0:18:43
Sherrod DeGrippo
I always sort of carry the story out that I would be like Taylor Swift or Beyoncé's manager, so that I could just give my friends free concert tickets and then scoop off large percentages of ticket sales money and probably fight the ticket companies like Ticketmaster the way that Robert Smith from the Cure did with his recent I would, you know, get her email and say, look, you need to get these fees and fraud under control.
0:19:13
Sherrod DeGrippo
So I'd get money tickets for my friends and try to influence some of the way that ticket sales are done, because I've missed out on sold out shows myself.
0:19:23
Luke Connolly
I guess it's a question of are you looking for the financial gain or are you looking for some other sort of a gratification? I think of that DiCaprio, Tom Hanks movie where I can't remember the name of it, but he makes believe he's a yeah, he's a surgeon, he's an airplane pilot. He gets to do all the things that he wanted to do just to impress himself and his family. And that's in itself the end.
0:19:46
Sherrod DeGrippo
Absolutely. Catch Me If You Can is a great example, Luke. That's a great social engineering, a great fraud kind of movie where somebody does all of these criminal things. You can see the psychology behind it. You can see how the social engineering works, and it's all in the real world. It's actually a lot easier to do most of that stuff in the digital world. I can go, let's say, into a system and create a lot of these identities. Maybe I could create someone into a pilot database or a surgery database as an attending physician. It's actually easier today to do those things than it was when Frank Abagnale Jr. was doing it in the movie.
0:20:26
Luke Connolly
And of course, this is somewhat topical. We're recording this in the last week of August in 2023, and Kevin Mitnick just passed away about a month or two ago. And he was really the godfather of social engineering.
0:20:40
Sherrod DeGrippo
Yeah, a lot of his legend as a hacker really comes from that initial social engineering capability. And he had such a history in the industry of knowing how to do that for good or for ill. He was very well known as being one of the top social engineers, especially one who gave away their secrets that we've ever seen.
0:21:02
Brett Callow
What's your most interesting war story, or the most interesting case you've attended?
0:21:07
Sherrod DeGrippo
I don't know if it's the most interesting, but it was certainly one of the most, I think, riveting. It was a situation where a threat actor sent some emails as if they were a person, the CEO's assistant, and said, I need you to go buy gift cards. Which is a very typical sort of threat fraud that we see a lot. Gift carding. If you get them on your phone, sometimes they'll say, hey, this is so and so. I need you to buy me gift cards of some kind.
0:21:34
Sherrod DeGrippo
So it was a threat like that. And what was interesting to me about the story is that we were also able to review the communication from various drugstores as this person went from drugstore to drugstore, trying to purchase large, large quantities of gift cards at once. And the drugstore employees were all saying, hey, I know you want to buy $5,000 worth of these gift cards, but I really think you're being scammed. And so we could see the communications where the employees of the store were trying so hard to tell this person, look, I'll sell you these gift cards, but I really don't want you. I really don't think you should. And in one case, a manager at the store was involved, and the manager said, I barred them from buying them here, but I know my coworker manager at another store down the street. They showed up there trying to buy the gift cards, and we keep telling them they can't buy the gift cards.
0:22:27
Sherrod DeGrippo
And so they actually called the police and said, can you please talk to this person and tell them we really think that they're under fraud? We really think that the person that they think is telling them to spend all this money on gift cards is not who they say they are. And so that was kind of where the incident information ended, was us watching all of these wonderful drugstore employees trying so hard to coordinate and help this person as they declined to sell them these gift cards, and finally having to call the police to hopefully lend some authority to stop spending this money.
0:23:04
Sherrod DeGrippo
Many stores actually now have instituted caps on how many gift cards you can buy at once just because the fraud is so terrible. But I thought it was a nice thing to see that all of these employees were sort of pulling their hair out going, how do we convince this customer that buying $5,000 worth of gift cards for your CEO's assistant is not a normal thing and this isn't really real, they're being defrauded.
0:23:27
Sherrod DeGrippo
And so it was sort of nice to know. One of the emails was like, I'm going to get manager approval to deny them to sell it. And the manager said, yes, don't sell it. So it was kind of nice to.
0:23:37
Luke Connolly
You mentioned AI and it's really been in the mainstream for about a year now. ChatGPT came out at the end of last year and we're seeing new AI tools and it's really being embraced on a day to day basis really quickly. It's been astounding. And I'll just mention that Microsoft, your employer, has been at the forefront of the technology with its massive investment in OpenAI, which is the company behind ChatGPT.
0:24:09
Luke Connolly
There's also been rumblings of the potential for AI to be used by the bad guys, either by creating malware itself or by generating convincing messages for use in social engineering and phishing attacks. How do you see AI technologies changing the landscape of threat intelligence and defense?
0:24:28
Sherrod DeGrippo
I am certainly not an AI expert. That's such a developing side of the world. That's not something that I'm 100% an expert in. I actually use ChatGPT so much, I really see the potential. And I think when you go back to the threat actor psychology side of things, right, they're open to using any tools that can help them. So whether that's AI or ChatGPT or just automation or APIs, or Excel. We've seen threat actors leverage all kinds of productivity tools to keep their campaigns straight, to keep their attack chain straight.
0:25:06
Sherrod DeGrippo
I think that essentially this will be another tool in the tool belt at some point. What exactly that will look like at mass scale, I don't think we've really seen that yet and I don't think that we can articulate even what those trends will be until we start seeing more evidence beyond some of the testing and sort of pioneering attempts that are out there.
0:25:31
Brett Callow
To wrap up, a question that we ask everybody. If you were a legislator and it was in your power to ban the payment of ransom demands, would you do it?
0:25:43
Sherrod DeGrippo
Wow, that's a great question. So to ban the power to pay ransom demands, that's a tough one. I think ultimately the thing that I would tell organizations is know whether or not you will pay, what your plan is, who is authorized to say that you'll pay, who is authorized to increase it if you need to increase it. Not to be negative, but simply because if somebody says, oh my gosh, we have ransomware, are we going to pay?
0:26:13
Sherrod DeGrippo
Everyone in that trust circle already knows the answer, already knows how much they're planning to pay. The scariest thing that I can imagine really in this scenario is being under ransom and not knowing how you're going to handle getting out of it. So I say plan for the worst, hope for the best. With that, from a legislation perspective, that's not something I know a ton about. I know that it's talked about quite a bit.
0:26:36
Sherrod DeGrippo
I think ultimately when we look at policy, we've got to look to the organizations to set policies that mean that they're hardening their own organizations, hopefully to avoid a wreck somewhere of that at all.
0:26:49
Luke Connolly
And with that, I'd like to thank you, Sherrod, for joining us today. Your experience and insights have given us a very interesting discussion and I'd also like to thank our listeners for tuning in. Stay up to date on the latest in cybersecurity by subscribing to our podcast.
0:27:05
Sherrod DeGrippo
Thanks, Luke. Have a great flight, Brett.