Microsoft's Director of Threat Intelligence Strategy emphasizes the importance of vigilance in the face of evolving cyber threats. AI plays a key role in accelerating these threats, with North Korea focusing on stealing cryptocurrency. Despite challenges in attribution, collaboration with public sector partners is crucial. Sherrod advises those entering the cybersecurity field to have a genuine interest and be fully committed. She hopes for progress in disrupting cybercrime actors. These insights shed light on the ongoing efforts to combat cyber threats effec...
Savannah Peterson
>> Good afternoon cybersecurity fans and welcome back to fabulous Las Vegas, Nevada. We are midway through our two days of coverage here at Black Hat. Very exciting. My name's Savannah Peterson. You're watching theCUBE. I am thrilled about this next segment because not only does she have the best nails of anyone on the show, she's also a brilliant, multi-decade cybersecurity professional. Sherrod, thank you so much for being here with us.
Sherrod DeGrippo
>> Thanks for having me, Savannah. It's great to see you.
Savannah Peterson
>> It's going to be a blast. Okay, we are going to dig in, but before we get into the nuts and bolts of the threat landscape, this is your 17th Black Hat.
Sherrod DeGrippo
>> Yeah.
Savannah Peterson
>> I'm curious because I think you're our most venerable Black Hat guest. How has this community and the conversations you have evolved over the last 20 years?
Sherrod DeGrippo
>> Well, I think as an example, in 2004, which is my first Black Hat, there was a lot more really chaotic drops. The bug bounty realities that we live in today did not exist. It was much more... Quite frankly, there were a lot of instances where people quit their jobs and then walked on stage the next moment because they wanted to release a bomb. Yes. It was very common.
Savannah Peterson
>> Oh my God.
Sherrod DeGrippo
>> Yeah.
Savannah Peterson
>> Bold.
Sherrod DeGrippo
>> Right. Because if you work at a technology company that says, "You will not be releasing this information on stage at this big event, this big newsworthy event," and a lot of researchers said, "You know what? I'm going to quit and I'm going to go do it on stage." And that's how that goes. And it happened many times.
Savannah Peterson
>> Oh my goodness.
Sherrod DeGrippo
>> Black Hat has a deep chaos DNA.
Savannah Peterson
>> It's almost like a little rebel DNA in there.
Sherrod DeGrippo
>> A hundred percent.
Savannah Peterson
>> Like a sharing DNA. What I'm hearing from that is making things open source or just making sure everyone has the greatest protection they have, which is so cool. And that's a big part of your job.
Sherrod DeGrippo
>> Yes.
Savannah Peterson
>> So tell us a little bit about what you do at Microsoft.
Sherrod DeGrippo
>> I am Microsoft's Director of Threat Intelligence Strategy, which means really I look at the threat landscape and try to understand what threat actors are doing moment by moment. And threat landscape never sleeps and neither do we. So I sort of really talk about what threat actors do day in, day out with obviously the goal of making that information actionable for organizations to be able to better protect themselves. So intelligence leads to detection, and I look at what's happening every day that we need to detect.
Savannah Peterson
>> I can imagine there's more happening every day than ever.
Sherrod DeGrippo
>> I'm so tired.
Savannah Peterson
>> I was going to say, you look great for not sleeping. I was literally going to bring that up. How do you keep up? I imagine a lot of what you do is not just offensive, but offensive and anticipatory. How do you manage that?
Sherrod DeGrippo
>> Microsoft has an incredible team of threat researchers, intelligence analysts. I love, love, love the teams that we have. And we have specialists, we have language specialists, we have culture specialists, we have malware reverse engineers, intelligence analysts with incredible backgrounds, all day being obsessed with what's happening on the threat landscape and obsessed with what threat actors are doing. And that's really the only way to do it is to lose a little sleep and try to make up with that with some balance. But the teams at Microsoft are a hundred percent committed. We have a follow-the-sun model. We're working literally around the clock.
Savannah Peterson
>> I mean, I can imagine. And you have so many end-user customers who really depend on that security in such a way. I can only imagine the sense of duty and pressure that your team feels.
Sherrod DeGrippo
>> I think that's absolutely right. That's a very accurate characterization. My experience, I've been doing the same work for 20 years and in tech for 26, and the thing that I find really binds all of us together is quite frankly, a deep hatred of threat actors and wanting to shut them down. And I think that that's one of the big drivers for many researchers and analysts. They want to see threat actors disrupted, and we try to do as much of that as we possibly can through all of the avenues that are available to us, not just working with law enforcement, which a lot of people associate with disruption, but also putting protections in the vast, vast deployment of Microsoft products that are out there. It can be an incredible blow. When you're locked out of Microsoft, you're really locked out of the world, and so I think a lot of the analysts really take that to heart. They take it very seriously.
Savannah Peterson
>> Absolutely. And I mean, I'm just thinking of all the edge devices Microsoft is a part of, and everything else.
Sherrod DeGrippo
>> And we have a cloud too. You might've heard of it.
Savannah Peterson
>> A couple of times.
Sherrod DeGrippo
>> We have some edge, we have some cloud, whatever you need.
Savannah Peterson
>> Yeah. But point being, there's people trying to... Especially being a big brand like Microsoft, I can imagine you are under threat even more so than certain companies, given that everyone runs off your platform.
Sherrod DeGrippo
>> A hundred percent. And I think that we've seen on the threat landscape that even in 2018 with SolarWinds, we've seen threat actors decide they want to get into the software supply chain, they want to access cloud software services that give them that launching pad into those downstream organizations that they're looking to pull intelligence from. So absolutely, Microsoft thinks about that. We're constantly battling that, thinking about where we lie in a threat actor's target-
Savannah Peterson
>> Priority list.
Sherrod DeGrippo
>> Priority list.
Savannah Peterson
>> I would imagine.
Sherrod DeGrippo
>> We're at the top.
Savannah Peterson
>> Yeah, I was going to say, you are definitely A-list, VIP.
Sherrod DeGrippo
>> And we act like it. We know it, and it's very much part of the culture and conversations internally that we're target number one for many espionage organizations, crime organizations, you name it. And we need to make sure that we've shored up every defense that we can for that.
Savannah Peterson
>> How does that... I mean, what a job, first of all.
Sherrod DeGrippo
>> Yeah, it's weird.
Savannah Peterson
>> Congrats to you and the team. But you're factoring in a lot. I think we think of digital risk sometimes as like, "Oh, is someone going to phish my email or start texting me on my cell phone?" Or something much more rudimentary than that. But what you're talking about is actually a very big geopolitical concern as well. How much are you interfacing with foreign governments? I know it's not just law enforcement, but I can imagine there's a lot of cross-collaboration. How much of your job is that?
Sherrod DeGrippo
>> Public sector is a very important partner for us. We really try to reach out to... Obviously CISA, that's our partner in many, many different respects. But across public sector, whether it's state, local, federal, or governments in other countries globally, we want to partner with them to give them the intelligence that they need so that they can help us understand their views as well. The public sector has incredible amounts of data, signals and information to share with us, a ton. But there's always going to be something that they don't have, and that's where we like to come together, fill those gaps where we can. But in the end, the ultimate goal is always to shut threat actors down from doing damage and harm to really the global footprint, regardless of who you are, customer or not.
Savannah Peterson
>> How do you have the confidence to have actually shut a threat actor down?
Sherrod DeGrippo
>> Oh, you can't actually shut down any threat actors permanently, it's just not possible. I think that that's a great controversy that people talk about a lot is a take down effort or an arrest.
Savannah Peterson
>> That's what I'm curious about. Yeah.
Sherrod DeGrippo
>> Oh, yeah. I think that's something that's very controversial in the practitioner space, which is, "Oh, Cubot got a take down," or, "This threat actor got an arrest. That's it." No, it's not. We should celebrate it and enjoy it and love those moments and enjoy that collaboration with all the partners that put really hard work into it. But the reality is the threat landscape will move and it will keep going, and it's immortal. It's never ending. So threat actors regroup, they change, they come back with new TTPs, they do a prison sentence and come back out and say, "I've got new ideas." And that's just part of the reality that we deal with. So that's kind of where that concept of imposed cost comes from. It's just part of imposing cost. You can't really end it, but you can make it really hard.
Savannah Peterson
>> Well, and everyone's going to copycat when there's that visibility-
Sherrod DeGrippo
>> Of course.
Savannah Peterson
>> ... too. I mean, it makes a lot of sense. You recently published a lot about the threats that come out of North Korea.
Sherrod DeGrippo
>> Yes.
Savannah Peterson
>> Tell us a little bit about that.
Sherrod DeGrippo
>> North Korea is a landscape that's really quite different from any other that we deal with in terms of nation-sponsored threat. They are under significant sanctions, as you probably are aware, and they're a very isolated culture. And they really focus a lot on stealing cryptocurrency, and we don't really see that level of cryptocurrency obsession from Russia, China, Iran. But recently, we did publish some briefs on two North Korea-based threat actors. The first one is Onyx Sleet. They're leveraging vulnerabilities in TeamViewer to be able to deploy malware and spy on interests within the United States, India and South Korea. So as you might expect. And we've also published some information, and we'll be talking about this at Black Hat, we have a session about this particular threat actor, Moonstone Sleet, which don't you love that name?
Savannah Peterson
>> I actually do.
Sherrod DeGrippo
>> It's really good. Moonstone Sleet is a threat actor that is focused on espionage, and they went so far in creating their espionage background to create a video game where you can drive a tank and creating a fake video game publishing company so that they could make connections with technologists in the United States and further these personas that they are part of a video game production company.
Savannah Peterson
>> I love that you just brought that up. Moonstone, wow, how deep on a few different levels. I think that sometimes people underestimate the patience of security threats and the ability... You mentioned the software supply chain. I think that's such an important call-out. It's not just one attack, it's not just a DDoS take down. It's none of this anymore. It's far more elaborate and intricate than that. I mean, putting up a fake shell company to then network. The elaborate nature. So how do you identify that threat? How do you know?
Sherrod DeGrippo
>> Well, so we look at all the signals that Microsoft has access to, particularly through the security products that we deploy out to customers. And we see activity, and again, we work to share signals and IOCs with our public sector partners, confirm attribution as much as we can with them and use the tradecraft that we need to use in order to do that work. Many of our analysts are classically trained either from the large government intelligence community or have a really deep enterprise threat hunting background, and they're really fascinating. You'll get to meet some of them here at Black Hat. We have a large contingent from our MSTIC program, from our GHOST program. Yeah. They're here to hang.
Savannah Peterson
>> All the VIPs.
Sherrod DeGrippo
>> They're my VIPs.
Savannah Peterson
>> Yeah.
Sherrod DeGrippo
>> The MSTIC team, they're my VIPs.
Savannah Peterson
>> Well, shout out to the MSTIC team.
Sherrod DeGrippo
>> I love them. Yes.
Savannah Peterson
>> Yeah. They're your allies. They're in the trenches with you.
Sherrod DeGrippo
>> 100%.
Savannah Peterson
>> How has the technological shift that we're experiencing right now in AI exacerbated your efforts? Has it made it harder? Is it more complex?
Sherrod DeGrippo
>> That's a great question. Yes.
Savannah Peterson
>> I can imagine.
Sherrod DeGrippo
>> We released in February a really nicely detailed report focused on, again, China, Russia, North Korea and Iran threat actors and what they're using LLMs for. And we do see threat actors using LLMs primarily in the same way that you or I might use an LLM, research, helping to write something better, helping to craft written materials, craft phishing emails. We aren't seeing them use it to create malware in any capacity beyond the ways that they were creating malware before.
Savannah Peterson
>> Interesting.
Sherrod DeGrippo
>> I think from the perspective that I look at it, from a threat perspective, AI is a couple of things. First, to me, that A actually stands for acceleration. It makes things go faster. It's not really intelligence, artificial or not, it's something that speeds things up. It allows you to do things more quickly, and the threat actors know that, and they love using that. As an example, what if you took a large, multi-terabyte breaches, you took that breach data and you fed it into an LLM. Now you can start asking questions in natural language. Show me all of the files where there's a lawsuit. Show me all of the instances between an executive at the company talking about acquisitions. These are things that you can't write a regex for. You can only do that in natural language. So these are the kinds of things that we'll likely be seeing and expecting. That said, AI is in many ways just another interface to data, just like the command line or a GUI. An LLM really is an interface that you're using to get to the data. And so we have to keep in mind that interfaces are tools and tools can be leveraged for good or evil.
Savannah Peterson
>> Well said. You're just full of soundbites.
Sherrod DeGrippo
>> I'm a soundbite queen.
Savannah Peterson
>> You are. Clearly, we have the right person on here for the soundbites. I love it. You mentioned the cryptocurrency piece from North Korea, and I think that's really interesting, especially with the state of the market this week. It's a bit of an adventure. Do you notice similar trends, not necessarily in crypto, but focused trends in some of these smaller nations when we're doing threat analysis?
Sherrod DeGrippo
>> Well, we don't necessarily watch the financial markets, but we do try to track North Korea's totals if we can. We try to see how much they're able to steal from various organizations. Now what we typically see is not necessarily stealing from an individual, but stealing by getting into exchanges. So if they can get into the currency exchange, they're then able to siphon that money off for themselves. We also see them looking for credential pairs within anything associated with cryptocurrency, such as message boards or places where people post articles about cryptocurrency. If there's a login there, they do tend to try to steal those with the hope that they can steal either wallet addresses or username and password credentials to get into other accounts and start looking through those to maybe transfer currency out.
Savannah Peterson
>> Yeah. Wow. It's kind of fascinating. I didn't even think-
Sherrod DeGrippo
>> It's fascinating.
Savannah Peterson
>> And it makes sense too. I mean, to hack NYSE or NASDAQ instead of some of these other avenues, it's wild.
Sherrod DeGrippo
>> It's wild. And I think with cryptocurrency specifically, it really is in many ways almost designed from the ground up to facilitate some of these more illegal or espionage-focused capabilities, or excuse me, nation-state-focused capabilities because it by nature is untraceable yet tracked. So we can see them stealing it, but we don't know where it's going, what they're doing-
Savannah Peterson
>> And what happens next.
Sherrod DeGrippo
>> Yes, yes. And so we can see them really also focused on targeting those exchanges.
Savannah Peterson
>> Oh, yeah. That's crazy. Because you can see the cryptographic exchange. I hadn't even thought about that. It just ends up in the abyss essentially.
Sherrod DeGrippo
>> And there's also nothing you can do in many ways. So we're talking about North Korea, which is not going to play with any kind of DOJ focus, which we were able to do with Moonstone Sleet. We did have really great DOJ partnership there. But will those actors come to justice? Unlikely.
Savannah Peterson
>> I'm curious because... And I think that's a great point. I'm curious, so cyber security getting a lot of attention right now for obvious reasons, and rightfully so. Not only just because past events, but AI and everything that's going on in the landscape. What's your advice for someone interested in getting into cyber right now?
Sherrod DeGrippo
>> Oh, wow. I've been asked this question for many, many years and it's always sort of different depending on how the day's going for me.
Savannah Peterson
>> I love that.
Sherrod DeGrippo
>> How the day's going depends on whether or not you should make a career change. I think that you should really think about, do you have the interest? Does it make you genuinely interested? Because if you don't have a deep interest for it, it will grind you into the ground. You have to get up every morning and be like, "This is what I want to know about. This is what I really, really want to spend my time doing today," because incidents are brutal.
Savannah Peterson
>> Oh, God, yeah.
Sherrod DeGrippo
>> It's a 24/7 nightmare many times when you're involved in an incident or you're an incident responder.
Savannah Peterson
>> Absolutely.
Sherrod DeGrippo
>> And security doesn't stop. And so you have to kind of say, "I'm doing it either because I have a deep interest in it." Or like I see very often in my colleagues at Microsoft, they feel that it's a calling. They're called to that work. If you don't have the calling, it's going to be a rough time. So really soul search.
Savannah Peterson
>> I think that's great advice. And what I heard from our entire discussion from the beginning is the passion.
Sherrod DeGrippo
>> You've got to love it.
Savannah Peterson
>> From your team, from anyone else who's... And the passion's on the other side too. It's on the nefarious side as well. So you've got to match that intensity. Man, that's wild. All right, so I know you're from Atlanta.
Sherrod DeGrippo
>> I am.
Savannah Peterson
>> Is there anyone you'd like to give a shout-out to in Atlanta right now?
Sherrod DeGrippo
>> I would like to give a shout-out to Boris Karloff, my rescue dog.
Savannah Peterson
>> Yes.
Sherrod DeGrippo
>> My five-year-old rescue dog. I love you.
Savannah Peterson
>> Yes. I hope Boris is watching right now.
Sherrod DeGrippo
>> I do put TV on for him whenever I leave.
Savannah Peterson
>> That's so cute. You're going to have to put the interview on and take a picture.
Sherrod DeGrippo
>> I will put this on a loop and he will just have me on the TV whenever I leave. Yeah. He's with the babysitter. He's with the babysitter. But yeah, Boris Karloff, sweet angel. Adopt a rescue dog.
Savannah Peterson
>> Love that. Adopt. Don't shop, y'all. All right, last question for you, Sherrod, because this has been absolutely fantastic. When we have you back on the show, because you are a soundbite queen-
Sherrod DeGrippo
>> I'd love to.
Savannah Peterson
>> ... and we are definitely going to have you back on the show. What do you hope to be able to say, let's say at next Black Hat, that you can't say today?
Sherrod DeGrippo
>> Would I be able to say that... I think I would love to say... We talked a lot about nation-sponsored threats. I'm a crime girl. That's really where my focus and interest lies. I will always track nation-sponsored threat, but crime is what I get up in the morning for. And I would love to be able to say that we've really made progress in finding individuals and bringing those individuals out of the ecosystem in terms of crime and getting them either completely disrupted in terms of their technology, or individually, they face justice. I would love to see some crime actors face justice in a year from now.
Savannah Peterson
>> I love it, folks. We're looking for justice at next Black Hat. Sherrod, thank you so much for being here on the show.
Sherrod DeGrippo
>> Thanks for having me. It was great.
Savannah Peterson
>> This is such a joy. And thank all of you for tuning in to our two fantastic days of coverage here in fabulous Las Vegas, Nevada. We're at Black Hat. My name's Savannah Peterson. You're watching theCUBE, the leading source for cybersecurity news.