The Segment: A Zero Trust Leadership Podcast

Spiral Now, Not Later: Rethinking Ransomware Readiness with Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft

Episode Summary

In this episode, host Raghu Nandakumara sits down with Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft, to explore the evolving landscape of cyber threats and the importance of resilience in the face of ransomware. They discuss the changing tactics of threat actors, the critical role of Zero Trust in modern cybersecurity, and the growing influence of AI on both cyber defense and offense. Sherrod also shares insights into balancing objective and subjective assessments in security, emphasizing the need for strong foundational practices and operational resilience.

--------

“Pre-decision making. If we come under ransom, are we going to pay? A lot of people start spiraling and it's like, wait, do you want to be spiraling now or do you want to be spiraling when we're actually under ransom? Let's spiral now. Let's do that worrying now, so that if something happens in the future, we're ready for that.”

--------

Time Stamps 

(04:53) Sherrod's career journey

(16:15) Importance of basic security practices in ransomware resilience

(18:37) Ransomware: To pay or not to pay?

(22:08) Building a culture of ransomware resilience

(26:19) Subjectivity of security

(29:51) Evolution of threat actors

(34:13) Zero Trust's impact on security

(46:04) Role of AI in cybersecurity

(49:49) Future of threat intelligence

--------

Sponsor

Assume breach, minimize impact, increase resilience ROI, and save millions in downtime costs — with Illumio, the Zero Trust Segmentation company. 

Learn more at illumio.com.

Illumio World Tour 

--------

Links

Connect with Sherrod on LinkedIn

Episode Transcription

0:00:03.8 Sherrod DeGrippo: Pre-decision making. If we come under ransom, are we gonna pay? And a lot of people start spiraling. And it's like, wait, do you wanna be spiraling now? Or do you wanna be spiraling when we're actually under ransom? Let's spiral now.

 

0:00:19.7 Sherrod DeGrippo: Let's do that worry now. So that if something happens in the future, we're ready for that.

 

0:00:24.6 Raghu Nandakumara: Welcome to The Segment, a Zero Trust Leadership Podcast. I'm your host, Raghu Nandakumara, Head of Industry Solutions at Illumio, the Zero Trust Segmentation Company. Today, I'm joined by Sherrod DeGrippo, the Director of Threat Intelligence Strategy at Microsoft.

 

0:00:41.9 Raghu Nandakumara: Sherrod was selected as Cybersecurity Woman of the Year in 2022 and Cybersecurity PR Spokesperson of the Year for 2021. Previously, she was VP of Threat Research and Detection at Proofpoint, where she led a global team of threat researchers, malware reverse engineers, and threat intelligence analysts. Her career in cybersecurity spans 19 years, with prior roles including leading Red Team Services at Nexum, Senior Solutions Engineer for Symantec, Senior Security Consultant for SecureWorks, and Senior Network Security Analyst for the National Nuclear Security Administration.

 

0:01:19.5 Raghu Nandakumara: In this conversation, she stresses the significance of ransomware resilience and covering security basics, as well as the impact of AI on both attackers and defenders. The conversation highlights the need for actionable threat intelligence and the human element of security. But before we get into the episode, a word from Illumio.

 

0:01:40.2 Speaker 3: Illumio is hitting the road with our first ever Illumio World Tour, bringing you three cybersecurity education summits this November and February. Whether you're in New York, London, or Sydney, join us for exclusive hands-on learning and expert insights into Zero Trust segmentation. Don't miss this chance to transform your security strategy.

 

0:02:00.6 Speaker 3: Check out the link in our show notes to register or find a city near you.

 

0:02:07.3 Raghu Nandakumara: Sherrod, firstly, before we get into the conversation, it's so exciting to be able to speak to you today. And it's funny, it was just a complete coincidence. I was listening to some of your recent podcast episodes in sort of prep for this.

 

0:02:25.5 Raghu Nandakumara: And just last week, I decided to re-listen to the Lazarus Heist podcast that the BBC made, which I'm sure you're very familiar with. So I thought those were, it was like, that's a coincidence. And as a result of listening to that, for the last two nights, I've put on the interview and then fallen asleep to it.

 

0:02:45.0 Raghu Nandakumara: So it says more about either I'm tired or the film wasn't as good. But anyway, it's a real pleasure to be able to speak to you. So thank you for joining us.

 

0:02:54.6 Sherrod DeGrippo: Thank you. Thank you for having me. I think, as evidenced by your media consumption, North Korea is really getting in the game.

 

0:03:06.4 Sherrod DeGrippo: They're getting on the board in ways that we have not seen before. In the past couple of months, North Korea is scoring some points.

 

0:03:10.5 Raghu Nandakumara: Absolutely. And I'd love to sort of discuss that at some point in our conversation today. But as kind of is, I guess, the norm with these podcasts is, let's kind of rewind the tape and take us back to where it all began for you in your career to sort of ultimately to what you do in your role today.

 

0:03:28.0 Sherrod DeGrippo: Sure. So, I mean, I think it started when I was 14. Really?

 

0:03:35.1 Sherrod DeGrippo: I was 14. This was in the early '90s. And I read, 'cause I was a very cool early teen.

 

0:03:43.5 Sherrod DeGrippo: I read the magazine Thrasher, Thrasher magazine, which was a skateboard magazine. And one month in the back of Thrasher magazine, there was a little ad and it said, call the Thrasher BBS. And it had a phone number.

 

0:03:54.9 Sherrod DeGrippo: And I, went to my dad, who was a major hardcore computer, supercomputer dork. And I said, dad, I wanna call this BBS. What do I do?

 

0:04:05.5 Sherrod DeGrippo: And he said, well, I have a modem and we can set you up and we'll get you to be able to call the BBS. And I remember very vividly, I was using BidFax bit modem, which was the app or the application on Windows 3.1. And I remember very vividly him saying, I'm gonna turn off ANSI. You don't need that.

 

0:04:30.3 Sherrod DeGrippo: So essentially, he took graphic viewing away from me very early. Like, he's like, my 14-year-old daughter does not need to see these images. And I just, I called the Thrasher BBS and was on day in, day out.

 

0:04:37.8 Sherrod DeGrippo: And then about a month later, my dad screamed, Sherrod. And I was like, oh, I'm in trouble. I ran up a $300 phone bill.

 

0:04:53.4 Sherrod DeGrippo: For the youth listening, we used to have to pay for long distance phone calls. And that Thrasher BBS was not local to me. So it costs money per minute.

 

0:05:03.0 Sherrod DeGrippo: And my dad didn't like that. So that kind of got me into phreaking. Actually, I consider myself a phreaker first, which meant that I had a lineman's handset.

 

0:05:10.4 Sherrod DeGrippo: I did things like beige boxing. And I met a lot of people who were very excited to show me a lot of things. And I ended up just...

 

0:05:19.7 Sherrod DeGrippo: When I was in college, I worked at the mall, and I didn't make enough money. And I saw a poster on campus that said, Come work at AT&T. And so when I was in college, I started working at AT&T.

 

0:05:41.2 Sherrod DeGrippo: And from there, I just kept getting tech jobs until I went to work at an ISP early in my career, probably in 2002, 2001. And that ISP got hacked. One of the clients of the ISP got hacked.

 

0:05:47.7 Sherrod DeGrippo: And they said, We want you to fix this. It was a data center. So I pulled all their 1Us, all their servers, stacked them up on a table in a conference room, tracked it out on a whiteboard and was like, I'm gonna work.

 

0:06:02.0 Sherrod DeGrippo: I'm gonna do this work. It wasn't even called incident response then. And it was a phpBB installation that was vulnerable.

 

0:06:09.1 Sherrod DeGrippo: That was hacked by a quote, hacking team. They put up a bunch of MP3s playing in the background, or maybe even just WAV files. It was very primitive.

 

0:06:19.1 Sherrod DeGrippo: And that was the point where I was like, I wanna do security. I wanna secure things. I wanna learn how all this works.

 

0:06:27.8 Sherrod DeGrippo: I wanna hack things. I wanna secure things. And shortly after that, I got my first real security job working for the National Nuclear Security Administration, part of the Department of Energy.

 

0:06:37.1 Sherrod DeGrippo: And that started my network security obsession. I'm obsessed with network security. And I just did that for quite a while.

 

0:06:47.0 Sherrod DeGrippo: And not too long. But then after that, I went and worked at vendors. So I have committed the past 18 years of my career to security vendors, Symantec, SecureWorks, Nexum, Proofpoint, and now Microsoft. I love the vendor space.

 

0:07:05.8 Raghu Nandakumara: Amazing. I mean, that's quite a story from Thrasher Magazine to head of threat intel strategy at Microsoft. That's probably a career path or even a life path you would never have been able to map out if you'd been asked back then in the early '90s.

 

0:07:17.9 Sherrod DeGrippo: BBSes and IRC shaped me. BBSes, IRC, and LiveJournal. Those are my origin foundations, for sure.

 

0:07:26.1 Sherrod DeGrippo: That's, I think a part of it was 'cause when I was growing up, even from a very young age, my father always would say, anything you need to learn, there's a book. And you get the book, and you learn it from the book, and you can do anything. And when he bought me my first car, he bought me the Chilton's manual that went with my car.

 

0:07:46.0 Sherrod DeGrippo: And he said, you have a car. Now you have the book that goes with the car and you can fix the car. And so I sort of took that with me of anything you need to learn, there's an IRC channel that you can get in and someone will help you or point you to something.

 

0:08:03.9 Sherrod DeGrippo: And I still really believe that. Anything you need to learn, you can find the book, you can find the person, you can find the resource, and you can learn it and you can do it.

 

0:08:13.4 Raghu Nandakumara: I guess replace IRC channels now with Reddit, if you have your source of information. Or source of knowledge. So you spoke about that incident, you're working at the ISP, one of your clients got hacked, you essentially took their entire infrastructure out of their rack, put it on a table and said, I'm gonna figure this out.

 

0:08:33.5 Raghu Nandakumara: Step through that process and sort of talk to us about, as you were doing this, what did you discover about sort of the nature of the attackers, the behavior, their motivations?

 

0:08:50.6 Sherrod DeGrippo: Yeah. And I think that was a really pivotal moment for me as well. So I worked at this ISP that was a very early redundant cloud capability. We had offices on the bottom floor and the data center was on the second floor.

 

0:09:01.4 Sherrod DeGrippo: And so I hated going up there 'cause it was freezing. If you've ever been in a data center, you're just... Everyone who works in a data center has a coat at their desk that they put on when they go up to the data center. Same with me.

 

0:09:14.1 Sherrod DeGrippo: And I also didn't like going up there 'cause I don't like racking. I don't like putting things in racks. I find it cumbersome and unpleasant.

 

0:09:24.2 Sherrod DeGrippo: Once they're in there, I'm good to go. But I don't like putting servers in racks. So, I go up, I know I'm gonna have to take...

 

0:09:33.4 Sherrod DeGrippo: This customer has three 1Us, which at the time was quite a deployment. In the early 2000s, having three 1Us in a data center that was redundant is amazing. So I had to take all those out.

 

0:09:42.8 Sherrod DeGrippo: I had a cart. Anyone who's worked in a data center has done this. If you've ever worked on a raised floor, you know what I'm talking about.

 

0:09:51.2 Sherrod DeGrippo: Take the cart, you take a drill, you unscrew out of the rack, you pull these giant, long servers that are very, very unwieldy to pull out. You hope you don't drop them and you stack them up in a cart. Take the cart down in the elevator, you put them on your desk or in an office.

 

0:10:07.3 Sherrod DeGrippo: If you ever see someone with 1Us on their desk, they're in trouble. They've got bad problems. And that was me.

 

0:10:17.8 Sherrod DeGrippo: I had a conference room and I said, Okay, I'm gonna figure this out. So I hooked everything back up to monitors and started looking at logs, which I think is a superpower that most incident responders are really, really good at today. They understand the logs that matter.

 

0:10:34.0 Sherrod DeGrippo: And I started seeing that this is a small business. And at the time, it was a big, big web presence for such a small business. And I thought, Wow, this business is quite advanced.

 

0:10:47.3 Sherrod DeGrippo: They've got phpBB for their customers to ask questions. And they've got all these manual pages and all these things. And I started looking through it.

 

0:10:55.7 Sherrod DeGrippo: And I immediately saw that this version of phpBB was old. And I was like, Oh, this is really old. And there were a couple of files you could replace in phpBB that would allow it to continue operating but would give you the splash screen.

 

0:11:09.4 Sherrod DeGrippo: And that's what this... I don't wanna call them a threat actor. They're probably a group of teenagers, I believe.

 

0:11:17.4 Sherrod DeGrippo: I can't do full attribution. But I think they were Iranian... Had put up, you've been hacked by hacking team, music playing in the background, GIFs floating all over the place. And they had something that's very dear to my heart to this day, which is a shouts and greets at the end. At the bottom, there's shouts and greets and a bunch of hacker handles, which at that time, it was very common when you would deface any kind of website, you would put thanks to the other hackers that carried you on your way. I'm a big believer in shouts and greets.

 

0:11:57.1 Sherrod DeGrippo: I consider that a foundational life philosophy. Thank the people that helped you get there. Not necessarily when hacking, don't do that.

 

0:12:02.4 Sherrod DeGrippo: But yeah, so I learned really that the motivations of adversarial groups or adversarial people aren't something that you will necessarily ever be able to truly understand. I sort of say, a lot of people will say, why did the threat actor do this? What is their aim? What is their motivation? And truly, my response to that a lot of times is we never know the truth of a threat actor's heart. And I think that you can speculate, you can guess.

 

0:12:39.2 Sherrod DeGrippo: But ultimately, we don't know, is this person doing this 'cause they're trying to support their family? Is it 'cause they're like with BEC and pig butchering? Is it 'cause they're in a human trafficking situation and they're afraid for their life?

 

0:12:51.0 Sherrod DeGrippo: Is it 'cause they're truly a bad person and they wanna hurt others? Do they want just money and they're wild and crazy? You can never really know that.

 

0:13:01.1 Sherrod DeGrippo: And I think in this instance, I think it was just a little bit of fun in an open directory of phpBB that they found and went for it.

 

0:13:07.5 Raghu Nandakumara: I think that story has so many levels I can associate with. Just talking about working in a data center on a raised floor, absolutely. That takes me back into the early days of my career.

 

0:13:21.1 Raghu Nandakumara: And you talk about taking things out of racks, et cetera. Yeah. The sort of... Just hoping not to drop anything onto your feet more than anything. It was a real fear, a real worry.

 

0:13:31.5 Sherrod DeGrippo: Or have to use the giant suction cups to pull the tiles.

 

0:13:38.8 Raghu Nandakumara: Oh, yeah. I've done that. I just sat around a data center with my feet dangling into the void below while sort of configuring things in the racks.

 

0:13:46.3 Raghu Nandakumara: And the example you gave of these potentially script kiddies essentially exploiting a vulnerability in this case, in PHP. And just going to one of the other podcasts I think you were a guest on recently. What you said was 98% of intrusions can be addressed by basic security practices.

 

0:14:09.2 Raghu Nandakumara: And I'd say patching is one of those essential security practices. And my perspective here is that when I sit back and I look at why attacks are successful, I feel time and again attackers ultimately exploit a negligence in one or more of these security practices to propagate. So in your opinion, do you feel that we give enough importance to the basics?

 

0:14:35.5 Raghu Nandakumara: Or are we as a discipline, are we too caught up in what's the new shiny toy? What's the new shiny capability? And we've lost sight of the basics or maybe the basics are too boring.

 

0:14:49.4 Sherrod DeGrippo: I love the basics. I'm a believer in the basics 'cause I sort of was raised in like the Bruce Schneier, Ed Skoudis school of security. I believe in the basics 'cause security is very much something that people with anxiety are drawn to.

 

0:15:09.0 Sherrod DeGrippo: And if you can get your basics down, you usually feel a little better. And I think honestly, what it comes down to is not enough organizations have enough anxiety. I think there's not enough worry and there's not enough productive, clinical anxiety professionally in the industry.

 

0:15:27.9 Sherrod DeGrippo: I do think we get distracted by shiny toys and we see the basics as being boring. But there is, I think, a completeness satisfaction in feeling like I know that we have a complete asset inventory, for example. Find those people and get them on your team who have that need to get those things completed and feel very strongly that they have them.

 

0:15:56.7 Sherrod DeGrippo: I think also, we don't think enough about that 2% of things that can't be necessarily done with the basics and how we're gonna handle those. To me, I think one of the things that we're really missing in security, particularly with the current ransomware epidemic, is not even tabletopping, but pre-decision making. If we come under ransom, are we gonna pay?

 

0:16:23.6 Sherrod DeGrippo: And a lot of people start spiraling and it's like, wait, do you wanna be spiraling now or do you wanna be spiraling when we're actually under ransom? Let's spiral now. Let's do that worry now so that if something happens in the future, we're ready for that.

 

0:16:42.7 Sherrod DeGrippo: I think we don't do enough of that. I would like to see a lot more decisions made ahead of time and put down on paper so that executives and technical leaders and security subject matter experts are already literally on the same page by the time something happens, which is something that in a lot of incidents I have not felt was happening.

 

0:17:02.9 Raghu Nandakumara: So a couple of things. I wanna come back onto the lack of anxiety point you made in a second. Let's just talk about the ransomware question.

 

0:17:15.3 Raghu Nandakumara: And to sort of paraphrase Shakespeare, ransomware, to pay or not to pay, that is the question.

 

0:17:19.5 Sherrod DeGrippo: I love it. I love it.

 

0:17:22.4 Raghu Nandakumara: That's... Yes. We'll use that in the social cuts. They... Now and then, we get asked to comment on, let's say, some new bit of...

 

0:17:43.2 Raghu Nandakumara: Pick a government across the world saying, hey, we wanna make ransomware payments illegal. And what are your thoughts? And the comment is, well, okay, that would be great because of what ransomware potentially fuels, et cetera.

 

0:17:55.7 Raghu Nandakumara: But if you think from a practical perspective, that may not be possible for every organization 'cause it's a choice between paying and potentially being back in business operational sooner rather than later, or just saying, well, actually, I can't afford to pay, but equally, I don't have the skills to recover properly. So where do you sit on that? Because I don't think it's an easy binary decision.

 

0:18:18.7 Sherrod DeGrippo: No, it is definitely not an easy decision. I think that's why I'm a big believer in ransomware resilience planning. And Microsoft released a fantastic guide to ransomware resilience that organizations can look at to build their resilience as well as assess their resilience to ransomware.

 

0:18:37.1 Sherrod DeGrippo: My question when people say make ransomware payments illegal, my immediate question to that is, and what is the punishment for violating? So the organization's been ransomed, they pay to get out of ransom, and now we're gonna punish them, I assume, with a fine. And at that point, it again becomes a risk calculation with just another nexus than you had before.

 

0:19:04.2 Sherrod DeGrippo: The risk calculation is now against paying the threat actors and getting your data back and against having to pay a fine to the government for that. I don't know that that's necessarily gonna be a super successful and happy deterrent. I think that as technologists, we have to do a lot more work.

 

0:19:23.2 Sherrod DeGrippo: I don't think that anyone's coming to save us on a lot of these. I think that we have to make the technology and the organizations and the people resilient to ransomware. We can't just say, well, there will be laws and statutes and some sort of ransomware superhero is gonna descend and fix it all.

 

0:19:43.4 Sherrod DeGrippo: It's a very complex problem, as you said, and I don't know that I necessarily have the answers other than working on becoming more resilient and prepared for those things to happen.

 

0:19:51.0 Sherrod DeGrippo: I focus a lot on crime in my work, and they operate by different rules than I think most people really understand.

 

0:20:00.2 Raghu Nandakumara: So you've mentioned the word resiliency just multiple times in that response. And it's resiliency, operational resilience, cyber resilience is so topical these days. I think now it's kind of like cyber conferences have gone from being focused on like zero trust to AI and now it's all about resilience. But I wanna tie that to something else you said about a lack of anxiety. How do you drive a culture of better ransomware resilience if the level of anxiety is not where it should be to drive improvements and in the basics? 'Cause I feel that those two are interconnected.

 

0:20:42.6 Sherrod DeGrippo: I think so too. And I have a very controversial hot take on that one.

 

0:20:46.7 Raghu Nandakumara: I want to hear it [laughter] That's what we're here for.

 

0:20:51.1 Sherrod DeGrippo: I really think there's always these debates on social media and the industry about passion. I'm not interested in that. I'm interested in: do you have a calling for this? And does doing security work result in your soul feeling a decompression, a relaxation? Is securing something a spiritual comfort for you? If it is, those are the people that we want in the industry because those people relentlessly pursue efficacy. And those are the people that we have to count on and depend on because this is not a nine to five job. As much as we wanna talk about work-life balance, and like don't burn yourself out. Sure. But that's not the world that we live in. Ransomware happens 24 hours a day, we don't have enough people to work 24 hours. All of these things. So I think we've gotta get the right people in the right places, and that is where we can heighten some of that concern.

 

0:21:56.1 Sherrod DeGrippo: I come from the era of security vendor FUD, fear, uncertainty, and doubt. For a decade that was the marketing plan. I don't think that it worked. If it did work, we'd be in a more secure place than we are. But I do think that there is an element of risk evaluation and risk understanding that we as security professionals need to embody and internalize and then evangelize outwardly to our non-security colleagues. And I think that we can do that by speaking that language. I am a practitioner of something called neurolinguistic programming [laughter], which talks about how to talk to people. You appeal to the sense that they are most connected with. Is it hearing, is it seeing, is it feeling, is it experiencing? You have to talk to people in their language and at their level and help them understand what those risks are. Going back to resiliency, being resilient, we've moved to that language because we are looking at the inevitable now. We've gone from stop the breach, stop the attack before it happens, to be okay when it does. And I think that that's a much more realistic picture. I don't think it's pessimistic, I think it's realistic. And you should feel better the more resilient you become, because these things are, I think at this point, inevitable.

 

0:23:23.6 Raghu Nandakumara: So I wanna come back to the assumed breach sort of mentality and that the when, not if, because I think it ties nicely into sort of taking a zero trust approach to building your security controls. But before we go there, going back, you again, another term that you mentioned is efficacy. And I absolutely agree. I think I've only been on the vendor side for just under five years now. And before that I was on the... Thank you. Thank you. It's great. It's great to be here. I should have come, enjoy, come this side earlier, but absolutely right. I completely agree in sort of that the FUD focused marketing that existed. And my perspective is I came in onto the vendor side was that there could be so much done in sort of taking a much more value based efficacy based approach to marketing.

 

0:24:14.4 Raghu Nandakumara: But it's hard because we're used to saying we're better, we're faster, we're stronger, we're more secure, but it's really hard for us to put a... Let's pick a number. 50% more secure. That's a pretty good number. I know we'd like to say 95%, but I'd say even 50% more secure is a good number. But why is it so hard for in the security space to be quantitative about how effective a control is a practice is, a process is to sort of get further validation and justification for being able to do more of it.

 

0:24:55.5 Sherrod DeGrippo: Yeah, I think that's part of what I take personally as a person. I wanna be an effective person. I want my technology to be effective for me, and I wanna be an effective person. And I think that's really hard to measure. And I love things that are very hard to put metrics on. So that's part of the reason I'm attracted to security, is that it's full of subjectivity. It's full of gray areas, it's full of like squishy middles that we have to kind of grapple with and figure out. And I think a lot of people feel the same way. Like that's why they're in security. Measuring efficacy is incredibly hard. So I come from network security and email security for many years, and FN/FP is our bread and butter, false negative, false positive. Those are the things that dictate our choices and how we make decisions.

 

0:25:44.0 Sherrod DeGrippo: And it is very data-driven, even though I don't believe in a wholly data-driven approach every single time in security. In the FN/FP world, you're looking at those numbers hour by hour. And I do think that we need to get very objective where we can, and that's hard. Like there's a book called How to Measure Anything, which allows for metrics. And there's that saying of, you can't manage what you can't measure. I think those things are really true. But I also think alongside objective measurement in security, we have to help our leaders understand the subjectivity aspect of it and the decision making and the human aspect of a lot of it. Social engineering is something that is very difficult to measure. For example, this breach happened, what percentage of it was caused by social engineering? That's very, very difficult to nail down. But if we can have that objective numbering, that objective data, side by side with subjective decision making information, I think that we give ourselves as security professionals, but also our leaders that aren't necessarily knee deep in this space all the time, a better way forward to understanding how important it is and generating some of that anxiety that we're kind of hoping to get from people that are making the choices.

 

0:27:05.8 Raghu Nandakumara: Yeah. I like how that's expressed about being able to really bring the subjective and objective much closer together and really finding that intersection where the data from one can inform the perception of the other. And vice versa to provide that greater picture. So let's kind of move on. And let's talk about, and the other thing that you spoke about earlier is logs, like trolling through logs, like great. It's amazing what you can find in there. And just as you said that, I was thinking about how the function of the SOC has evolved. Threat hunting evolved is that it's just sort of the advancement in essentially analyzing logs and that's kind of, sort of the progress. And even what we see today with, in inverted commas, sort of AI powered tools is just getting better at log analysis. So as you have, and I know you've spent many years looking at logs from various threat actors. As you've been doing this, what have you noticed in the... What are the clear indicators of that evolution that you have seen?

 

0:28:26.2 Sherrod DeGrippo: Yeah, I think that that's really, it's really clear. So my earliest, maybe not earliest, but one of my early passions for logs was I ran a web server and I would tail the web logs to watch access. So it was a very low traffic [laughter] website situation. But when I would have that open and running, I could watch as people hit the website, which if you've never done that before, watching logs in real time, it gives you a different perception of our digital world in my opinion. It's showing human activity, going to a website, displayed as machine data, which is the log entry. So I think there's something really special about that. It turns a log from sort of this static record into like a living, breathing, evolving thing in front of your eyes. Threat actors today go so quickly that they know that logs are their enemy, and so they look at the time that they can save, especially like threat actors in the crime space, typically.

 

0:29:39.7 Sherrod DeGrippo: So like if you think of an Octo Tempest threat actor, a big time ransomware actor, they move so fast. It's that dwell time from entry and access to ransom that keeps getting smaller and smaller and smaller, which reduces frankly the amount of logs that are created. And these threat actors, I think, are deliberate in that they want to reduce the amount of log entries, which is I think potentially partly responsible for the recent, over the past year or two, explosion in popularity of living off the land. You can hide in those logs when you're in existing tool sets that are already resident on that host. So I think logs will always be super important because logs in a lot of ways symbolically represent time, and the fewer logs you can have, and the faster you can go, the more successful you can be as a threat actor. Going back to efficacy, we as defenders have an efficacy focus. Threat actors have an efficacy focus. And we are slot car racing side by side trying to be more effective than they are and hoping that we have a five second head start to be able to be more effective.

 

0:31:06.3 Raghu Nandakumara: I mean, it's basically an F1 race today, isn't it, [laughter], that's really what it is.

 

0:31:12.1 Sherrod DeGrippo: I love F1.

 

0:31:13.3 Raghu Nandakumara: It's F1, it's drive to survive and...

 

0:31:14.0 Sherrod DeGrippo: Drive to survive. Yes. That's what security is. We are drive to survive here in InfoSec.

 

0:31:22.2 Raghu Nandakumara: I like that. I could absolutely appreciate the joy of looking at web server logs and then when you combine those with proxy logs and firewall logs and load balancer logs and identity logs, and you are able to build a picture that, like in my early days on sort of the practitioner side, that was so exciting to be able to do that outta college and bring it all together. I was like, oh my God. Like I could sort of see what's happening here, but just for this data. So you spoke about living off the land, and about sort of how threat actors really wanna generate as few signals as possible or the fewer signals the better. Because more signals means more chance of detection, et cetera. And then we are kind of tying it back to what you said is that really that attack, that compromise is inevitable. So we need to design for that.

 

0:32:14.4 Raghu Nandakumara: From your perspective. 'Cause I often think of sort of taking a zero trust approach is really reducing what's available of the land to live off, one way to think about it with sort of the interest in Zero Trust and sort of real zero trust projects out there. And I know Microsoft has got a sort of a fairly like, significant play in the zero trust ecosystem. Like what's your perspective on that as a threat intelligence expert about how Zero Trust is sort of improving security, measurably improving security?

 

0:32:47.2 Sherrod DeGrippo: I think the best thing that the Zero Trust concept has done over the past few years is resonate so strongly with executive leaders. I think that most practitioners, Zero Trust to them is a lot of things that they've been doing every day. There are a lot of basic things, there are a lot of combinations of best practices or, when I first started, like host hardening, things like that that practitioners are really familiar with. But Zero Trust has allowed us to communicate in the same language with executives, decision makers, and even people that aren't necessarily in technical roles. It's allowed them to understand like, oh, that's bad. Or, oh, this is a way to make sure that we don't end up with the wrong people in the wrong places. This is an encompassing concept for best practices around identity and access management. Like those are things that I think in security we have struggled with; we have wanted to use jargon, we have wanted to have our own nomenclature. We've wanted to have our own separate super secret language, and Zero Trust has really allowed us to hit a point of commune with leaders and decision makers and people outside of that and get them on the same page as us, which I think is one of the best things that we could have done.

 

0:34:09.0 Raghu Nandakumara: Yeah, I think that's so important. Particularly now that the importance of cyber has to be communicated not just to the security function in the organization, but across functions and up to the highest levels that having an approach that allows you to communicate that effectively is such a boon. And it's a massive blessing to align everything else to. And are you seeing this sort of day to day in customers that you speak to, peers, et cetera?

 

0:34:46.2 Sherrod DeGrippo: Yes. I think a lot of customers that I speak to are absolutely on a Zero Trust journey, and they phrase it that way, they say, a year ago we decided, or two years ago, we decided that by 2026, we were going to feel that we've fully implemented Zero Trust in every corner of the organization. And I think it's brought a lot of weight and gravity to the security focus. I think it allows a reasoning for people to do things and say, well, this is part of Zero Trust, so we need to get it done. And we didn't always have that handle before. We didn't always have that like, unifying focus that I think that we have today, which has worked. And frankly I also think that the ransomware epidemic has brought a lot of, it's bittersweet, but it has brought a lot of focus and attention to organizations that may not have been really thinking about Zero Trust or may not have been thinking about securing their organization. They see ransomware and it again inspires that anxiety. And it causes movement, which I think is what we want.

 

0:36:00.9 Raghu Nandakumara: I mean, I was actually gonna mention that, that it adds to the anxiety, but you beat me to it. [laughter] So again, going back to sort of your day job of essentially monitoring threat actors, understanding their behaviors over time, as you've seen organizations improve their security capabilities and potentially go on that Zero Trust sort of journey, have you noticed a real shift in the sort of the... I was gonna say the techniques and procedures adopted by threat actors? 'Cause I'd say that, and please correct me if I'm wrong, that tactics, ultimately tactics sort of are those high level tactics and those are consistent. The attacker has to go through them, but how they execute those will change over time. Have you seen a real shift in those techniques and procedures?

 

0:36:51.8 Sherrod DeGrippo: I think that we will always see threat actors shift and evolve. They are looking for efficacy again, like we are. So whatever tools they can pull into their arsenal to get to the objective that they wanna get to, they will. There's always, interestingly, since I've been watching the threat landscape closely, there are always like these trendy [laughter], oh, everyone's doing this right now. Like MFA bypass, attacker-in-the-middle phishing, is hugely popular right now. I think part of the reason for the popularity of it is we operate, especially when it comes to the crime landscape, financially motivated threat actors, they operate as an ecosystem. So it's not some ransomware group that's like, oh, I gotta make an attacker-in-the-middle phish kit now. I gotta put up these pages, I gotta buy infra. No, they just go, they find a provider, they pay them, they get that tool from the provider, they leverage it in combination with tools from other providers, infrastructure, code, any of these services that they may have purchased, and they pull all of those pieces together and that gets them to the ransomware end goal. So as that ecosystem evolves and as new players come into the ecosystem, and we're talking about organized crime.

 

0:38:13.8 Sherrod DeGrippo: As the new players come in, new trends emerge. And I think it's my assessment that the reason those trends emerge is because threat actors, some are better at marketing than others. Some within the ecosystem do things like, quite literally, sales. They will make a sale on, we have a threat actor Storm-1101 that runs this thing called Naked Pages, which is an attacker-in-the-middle MFA phish kit. They will tell you if you're already a customer, you can get a discount. They will do live customer service for you. They will have specials. They had a New Year special at the beginning of this year. They will thank their customers for being loyal customers, just like you would imagine a small local business would do. So I think some of the trends are born, quite frankly, out of the marketing prowess of some within the ecosystem.

 

0:39:08.4 Sherrod DeGrippo: If you're better at marketing and selling your tool, it's highly likely that that tool is going to become more popular. So attacker-in-the-middle phish kits, living off the land, things which aren't necessarily tied to the ecosystem, but they're tied to forums and people talking about what works and people having these different tactics that they share, things like that. And then we always see current event social engineering. I guarantee you, whatever big event is happening in the world at that time, whether it's an election, a natural disaster, a holiday season, the threat actors know that it will psychologically resonate and they use it for social engineering.

 

0:39:45.2 Raghu Nandakumara: And so we see a technique or a procedure associated with that, that kind of makes it onto our list.

 

0:39:54.3 Sherrod DeGrippo: Yep. We need a top 10 TTPs trend list like every quarter.

 

0:39:58.2 Raghu Nandakumara: Yeah. I think so. Maybe it's something for you to host on your very successful podcast. Maybe that's an idea. But I got it. I wanna bring it back to one thing, is that, have we as defenders been successful in forcing attackers to retire techniques and procedures and made them essentially pretty much guaranteed to fail and forced them to do something different?

 

0:40:29.0 Sherrod DeGrippo: Yes, 100%. All the listeners are like, I'm gonna fight her. So when is the last time you dealt with a rootkit? When is the last time you got an individual ransomware attempt against a consumer? When is the last time you dealt with an exploit kit for a browser vuln? They happen still, but we have reduced attack surface. When's the last time malicious documents with macros were successful? Microsoft turned that off two years ago, three years ago. The attack surface is being reduced, but just because we continually reduce the attack surface doesn't mean that the threat actors aren't still creative. And that's, again, part of the drive to survive F1 situation that we're in. It's going to be an escalation and evolution forever. That's one of the reasons that I love security is because it is subjective. And I'm gonna say something, again, I know I'm a hot take. I'm a hot take girl. Security is a feeling. Do you feel secure? Are you secure? It's impossible. It's impossible to say yes, we are secure. If your CISO comes to you and says, is this organization secure?

 

0:41:49.2 Raghu Nandakumara: Yeah.

 

0:41:52.8 Sherrod DeGrippo: Come on.

 

0:41:52.9 Raghu Nandakumara: Oh, 100%. I'll give you a badge for it.

 

0:41:53.5 Sherrod DeGrippo: Yeah. So it's like we're in the feelings business. As much as a lot of people don't wanna admit that, security is the feelings business. And we use every technical tool that we have available to us to make that feeling true, to make that feeling effective. But ultimately, are we secure? It's subjective. It's a guess.

 

0:42:22.0 Raghu Nandakumara: I like that a lot. Security, we're in the feelings business. That's a good... We should use that to market and try and fill some of the cybersecurity spot.

 

0:42:32.2 Sherrod DeGrippo: Maybe more people like us.

 

0:42:33.5 Raghu Nandakumara: Yeah, exactly. It might help fill some of this cybersecurity skills, skills shortage. I'm just gonna come back and say, when's the last time you heard someone use a rootkit or exploit a browser vulnerability? And I'm only gonna answer this 'cause I listened to, I think it was the last but one Microsoft Threat Intelligence podcast. You were talking about some North Korean threat actors that had brought some of those back to...

 

0:42:55.8 Sherrod DeGrippo: And we were all like, what? They're chaining browser vuln. They've got zero days and they're exploiting chained browser... Like what? And I think that was... It was so cool 'cause we were like, oh, we have not seen this. We have not seen this in a long time, folks. This is vintage. And I think it's true. We don't see that stuff as much anymore. And when we do, it's a big pop on the landscape. Like, whoa, this is news.

 

0:43:22.6 Raghu Nandakumara: Nice. So let's change tack slightly before we wrap. Right. And of course, my producers have said, Hey, if you don't talk about AI, Artificial Intelligence, we're not gonna be able, like the social algos will just sort of demote this. So I'm just saying those a few times, but I wanna ask you something in the context of, and I know you've got a really interesting take on artificial, the A in AI being for accelerating versus artificial. But there was... The World Economic Forum I think I'm gonna say within the last 12 months had sort of done a survey of security leaders. And the question was like, who do you think AI in cyber is benefiting? And I think the data was something like... Somewhere around 55% to 60% said, it's benefiting attackers more than defenders. Somewhere around sort of 25% to 30% said it's benefiting the defenders. And whatever the remainder said, it's equal. From where you are and how do you see the use of AI in cyber today? Who do you see it benefiting? What do you see it enabling, and do you feel concerned about it either on the defender or attacker side?

 

0:44:39.4 Sherrod DeGrippo: I am an AI believer. I use it every day. I dropped like a streaming subscription so I could switch it for ChatGPT paid. I love AI and the opportunities that are in front of us with it. But it is a tool, and so it almost can be analogous in some ways to some of that living off the land stuff that we've talked about. This is a tool available to everyone. You can use it for good, you can use it for evil. You can skip it and not use it at all, which I think some threat actors also are still at that stage. We've seen threat actors at Microsoft leveraging it. We put out an intelligence report about North Korea's, Russia's, China's and Iran's use of AI. I think it's something that's going to continue to develop. We aren't seeing major leveraging by threat actors today to do novel things. And I think that's comforting in some ways, 'cause it means security foundations are solid. The basics are still working.

 

0:45:40.2 Sherrod DeGrippo: And again, going back to acceleration, that's where I get nervous. We're taking something that can make threat actors faster, allow them to scale, allow them to do things within a scope that we had not previously seen. It's an enabling tool. An example that I always use with that is we've seen data breaches for years. We've seen data breaches available to download for years. Now, you can put that breach data into an LLM and start asking the LLM questions about that breach data, which is something that you can't do with a regex. I don't care what kind of regex wizard you are, and I've met them all. I live my life among regex wizards. You cannot ask a regex for sentiment. You cannot ask a regex to find every instance of a female employee and a male employee having inappropriate conversations. You can't ask a regex to find all the insider trading happening in these communications. It's taking things to the level where threat actors are becoming almost like superhuman if they're thinking about doing things like this. So it accelerates that capability. It makes them faster, it gives them the ability to ransom an organization, pull down those files, look through those files, find incriminating and extortionable information within minutes, and then go back and say, actually we said a million, now we're at two.

 

0:47:14.3 Raghu Nandakumara: I think it's bringing, it's enabling or accelerating bringing together the subjectivity of that and the objectivity. If the regex is kind of that objective approach, the subjective is what you all described. The things that it can't do, but AI can do.

 

0:47:36.2 Sherrod DeGrippo: And it can do it instantly.

 

0:47:39.1 Raghu Nandakumara: Yes. Yes.

 

0:47:40.2 Sherrod DeGrippo: There's not even any wait time, there's no processing time. It happens in seconds. And threat actors traditionally will do what it takes to get what they want. And they're not going to typically go above and beyond that, but once they figure that out and they figure out they can do it faster and more effectively, that will kind of crack things open, I think.

 

0:48:10.5 Raghu Nandakumara: So as we wrap up, 'cause I'm conscious that you have elsewhere to be soon, give us one more hot take. So what does the future of threat intel look like?

 

0:48:23.9 Sherrod DeGrippo: The future of threat intel? I think the future of threat intel continues to become more and more actionable and continues to have direct correlation to the efficacy of a security posture of an organization. That's where the future has to be. That's where we have to go is, it makes a security posture more effective or makes those leaders better able to make informed decisions.

 

0:48:52.4 Raghu Nandakumara: Sherrod, thank you so much. That has been a super exciting conversation. I really appreciate you making the time to be with us today. Thank you.

 

0:49:00.5 Sherrod DeGrippo: I really enjoyed it, Raghu. Thanks for having me.

 

0:49:05.1 Raghu Nandakumara: Thanks for tuning in to this week's episode of The Segment. For even more information and Zero Trust resources, check out our website at illumio.com. You can also connect with us on LinkedIn and Twitter, @illumio. And if you like today's conversation, you can find our other episodes wherever you get your podcasts. I'm your host Raghu Nandakumara, and we'll be back soon.