Season 2, Episode 4: Sherrod DeGrippo

Brett Leatherman, assistant director of the FBI’s Cyber Division: Welcome back to Ahead of the Threat. I’m Brett Leatherman, assistant director for the FBI Cyber Division. Later in the episode, I sit down with Sherrod DeGrippo, deputy CISO [chief information security officer] at Microsoft.

Microsoft processes over 100 trillion security signals a day, and what Sherrod’s teams keep finding is that attacks succeeding at scale aren’t necessarily novel. They succeed when the basic controls are missing or inconsistently applied.

Ninety-seven percent of identity attacks are password spray or brute force attacks, the least sophisticated attack types targeting the most basic gap. We get into why closing the gap between what’s in your security policy and what’s actually enforced in production is the single highest leverage thing that most organizations can do right now. And what secure-by-default looks like when you’re defending at that kind of scale.

That conversation is coming up next. But first, the news. I’ve got Maeve Healy with me. Maeve helped build Operation Winter SHIELD from the ground up and also manages our Global Partnership Program, overseeing the FBI’s cyber assistant legal attachés stationed all around the world. Maeve, welcome to the show.

Maeve Healy, FBI program manager, Global Partnership Program, Cyber Division: Thank you so much for having me, Brett. Happy to be here.

Leatherman: Great. So, before we get into the news, give folks a sense of the ALAT [assistant legal attaché] program and how those positions around the world shape our ability to respond to cyber threats. Which, of course, don’t stop at country borders. They’re border agnostic. And so, how do we leverage those positions to help inform our work?

Healy: Yeah, absolutely. It’s a great question. Our cyber assistant legal attachés are, I think, one of our best force multipliers when it comes to ensuring that we have global visibility and, frankly, shared connectivity across not only those international law enforcement and intelligence partners, but across industry as well. So, we currently have 22 assistant legal attachés that are stationed across 20 countries.

It really does span the entirety of the globe. So, we have coverage in South America, Europe, the Middle East, and Asia, right? All those places that would make sense where we’re seeing a lot of partner capability, but also a real hotspot of the threats that we’re working together. These ALATs are often cyber trained specifically. So, they have some of that technical background.

They have that investigative background. And they are really, truly embedded hand-in-hand with our international partners. So, a lot of that international coordination that you see across disruption efforts, across real-time intelligence sharing, that is often made possible because of that close proximity and working relationship that so many of our ALATs enjoy with some of our best partners overseas.

Leatherman: Yeah. That’s great. And I think it’s important there … it’s engagement with our intelligence and law enforcement partners, to help us understand what’s happening in Europe, South America, and beyond, at speed and scale, because we know … cyber operates at speed and scale. But those relationships … over the last five to 10 years have dramatically increased our ability to work with partners and to trust them in ways that law enforcement needs to trust international partners.

So much so that we have started, I guess, cohort two of something we’re calling “Leadership in Cyber.” And as part of that, we’ve brought in international partners and industry partners, as well as those members of the USIC [United States Intelligence Community] here and domestic law enforcement to really help build the future generation of cyber leaders.

Can you talk a little bit about that, and what went into the effort of standing that up and exactly what it means to kind of the international leadership cadre in the years to come?

Healy: Yeah, absolutely. I’ll be honest, we stole the idea from some of our counterparts here at the FBI’s counterterrorism and counterintelligence divisions. But I think it speaks to the success of the model. Thus, we felt it was really a critical time to have that cyber equivalency, kind of like you mentioned, right? The goal of the Leadership in Cyber program is really targeting up-and-coming leaders.

I think, you know, we’ll see a lot, and I think some of the new stories that we’ll discuss, a lot of this is based on building trust long before you need it. And so, the program is really designed to start to identify that talent, that personality, that ambition that we see within the global workforce today and figure out how we can start to build connections among them, build that trust early so that when we see those folks kind of climb the ranks in their respective agencies, we have this really strong, almost impenetrable network of key leaders that have shared experiences, that have worked on cases together, right, that have sat in the same room and that have tackled some of these really difficult questions that we’re all trying to tackle in silos.

And, you know, Brett, you know better than anyone else that’s just never going to work, right? We have to solve these problems jointly. And so being able to bring in our USG [United States Government] counterparts, our industry counterparts, across both the incident response and threat intelligence pieces of those companies, right.

Looking at FVEY and non-FVEY, because we see the global reach and we see that we have to expand that network that gets to work side-by-side with us. And so, bringing those folks into a room all together across various conference style events that are also being hosted by our partners.

So, it’s not a sole FBI-hosted program, it’s actually a really shared joint venture where we are seeing, again, all of those perspectives come to play and start to inform how we collectively, as a community, start to take those discussions and actually apply them to real cases and real operations and real investigative and intelligence outcomes. And so, we’re hugely excited. Last year, like you mentioned, was our first cohort, really big success.

We’ve actually already seen some promotions from last year’s cohort, which is the whole point. Right. So that’s really encouraging to see. We just kicked off our first event for the 2026 cohort that was hosted in Dallas last week. I think we have a really strong group. Once again, lots of interesting perspectives and experiences. And so, I’m really excited to see where the program goes.

We will convene our next event coming up in Sydney in just a couple of weeks, and then we’ll bring the whole group together in June, over in the U.K. I think there’s just so much potential there. I think we’re really excited to see what comes of it.

Leatherman: Yeah, that’s great and I’m excited about having seen the promotions amongst industry and international partners over the past year with the prior cohort. And this cohort looks to be really good as well. And I think what I love about the program is it’s not just about the FBI building our future leaders. It’s about all of us together looking for those future cyber leaders who will help us, kind of lead that next generation of, you know, cyber fight that we need to continue to scale, that we need to continue to act much more quickly, agilely, and really, in those close partnerships.

And these leaders are going to help do that.

So let’s pivot into our first story of the day, which is Operation Lightning. That is the takedown of the SocksEscort proxy botnet. And this really gets into the international partnerships that we were talking about. On March 12, the FBI, in coordination with Europol and law enforcement partners in eight countries, announced Operation Lightning.

SocksEscort was a criminal residential proxy service that had been operating since approximately 2009. Here’s how it worked: SocksEscort infected home and small business routers with malware called AVrecon. Once infected, those routers became part of a botnet. SocksEscort then sold access to those compromised devices so that cybercriminals could route their traffic through somebody’s living room in suburban Ohio instead of wherever, you know, the adversary was actually sitting.

It’s the same concept that we had talked about in Episode Two with the IPIDEA network that Google disrupted, but SocksEscort had been at it for over 16 years. The numbers here are significant. Since 2020, SocksEscort offered access to approximately 369,000 compromised IP addresses across 163 countries.

As of February, they still had about 8,000 active infected routers, with 2,500 right here in the United States. Authorities across the globe seized 34 domains, 23 servers in seven countries, and froze $3.5 million in cryptocurrency.

The FBI also released a FLASH with indicators of compromise and technical details on the AVrecon malware, so that defenders listening to the podcast today and beyond can hunt for it throughout their own environments. And it’s not just about the fraud. The proxy infrastructure was used to facilitate ransomware, DDoS [distributed denial of service] attacks, and in some cases, the distribution of child sexual abuse material.

One victim in New York lost $1 million in cryptocurrency through an account takeover routed through SocksEscort. A manufacturing business in Pennsylvania was defrauded of $700,000. U.S. service members with military credit cards were hit for $100,000. So, Maeve, the operation spanned 163 countries. I mean, tremendous span of control when it comes to doing an operation like this.

That kind of coordination doesn’t just happen by accident. So, talk about what goes into making an operation like this work from a global partnership standpoint.

Healy: Yeah. You know, I think this operation is really interesting. Again, just continuing on that role that we’re seeing, that close coordination play when it comes to our forward deployed assets, like our cyber ALATs. You know, this operation involved multiple countries, many of which we currently have cyber ALATs deployed. Right? Germany, France, Europol, etc.

What’s also interesting, though, is we’re seeing countries where we don’t have cyber ALATs here, right? Austria, Bulgaria, Hungary. These equally just really impactful, European in this case, partners.

And I think that speaks to not only just this rise in capability and frankly, proactivity and aggression that we’re seeing our partners take. And I think, you know, that’s something that we love to see. I think it’s showing that there is absolutely an appetite for increasing this footprint.

I don’t foresee us shrinking the impact, right, that our international partners are having. That’s only going to grow. We, as a community, are going to become more sophisticated. We are going to adopt new technologies. We are going to be more creative in the way that we’re approaching countering the adversary. And so, all of these perspectives are going to be increasingly important.

And so, I think, you know, when we here in FBI Cyber Division look at how we expand that footprint, this is excellent data for us, that there are still so many partners where we could really elevate, and they have so much to bring to the table. And so, we are constantly finding ways to expand what that looks like, you know, to expand that resourcing that’s available.

To your point, I’m sure when you read about these in the news, right, it’s a huge win and it seems probably like it happened overnight. There is extensive, extensive work that goes in on the back end for something to be this successful at such scale, right? And so, there is months and months of coordination and calls and test runs. Right?

And legal process and intelligence sharing that goes into making an operation like this a success. And so much of that is based on trusted partnerships. Right? It’s very difficult for someone to enter a months-long planning process, kind of mid phase. Right?

And to expect that you’re going to enjoy that same level of trust. That comes from this on-the-ground work that we are pushing our ALATs to do, and so many of them just do of their own volition because they love the work.

And so, anywhere from leveraging partner authorities where the FBI may not have the same right. Looking at things like threat intel holdings, what do we have vice what do our partners have, right? How do we share that at speed? How do we take disruption opportunities like this and then see follow-on investigative actions that our partners can take, right?

Targeting some of those adversaries that are overseas. Right? All of these things sort of mesh and then sort of branch out from each other. And so, if you think about that, if you think about the impact that one, three, five cyber ALATs can have, and then you start to scale that, you’re really packing an incredibly impactful and robust, just bench of, you know, again, this sort of defensive community that I think, you know, should make the adversary really worried and really I think gives me a lot of hope for the future in terms of if we can continue to scale—we’re seeing our adversaries do it, right— if we on the other side can continue this and can continue to sort of broaden this network. You know, I think that’s a really good sign for us.

Leatherman: Yeah, that’s right. And I would also add that we also have foreign partners sitting with us here in the United States. So, it’s incredibly important to have that bilateral relationship. And all of this is empowered by those partners who sit here either with FBI Cyber Division or in embassies in the United States here, who are very focused on the cyber mission.

The other thing this touches on is Operation Winter SHIELD, which you have helped roll out for FBI Cyber. And every one of these devices was impacted because they were either vulnerable, they had vulnerabilities that had already been patched, or they were end-of-life.

And talk a little bit about, kind of the FBI’s guidance through Operation Winter SHIELD and how it really applies to the defensive side of the equation here.

Healy: Yeah, for sure. And I’m so glad you brought that up. And I think, you know, specifically talking about the role that our ALATs have globally from an investigative standpoint, they have an equal role in operations like Winter SHIELD, right? This is a global campaign that we are pushing. There are global victims, as you mentioned, Brett, these are not just U.S.-based victims. Right?

So, this is something that is having global impact. And so, our ALATs have been really formative in helping kind of push this narrative. To your point, right, this is an operation. This was … this was an intrusion where we saw specific targeting of home office routers. Right? All of our access points were largely residential. And I think the key thing about Winter SHIELD is that we are trying to specifically break down that information barrier for small and medium-sized businesses, right?

But also, just for your regular at home citizens. They are absolutely a key entry point for the adversary. And so, Winter SHIELD, I think is so unique in that it is looking to empower the audience, right? Like, we’re really looking to sort of shift the narrative and framework on the victims to say, “You’re not just a victim, you are an equal part in the defense. You are an equal part with law enforcement and intelligence and industry. Right? Like we want you on that front line with us because you not only have unique visibility, but you are also often that first line of defense.”

And so, Winter SHIELD has been really kind of hitting that topic of, right, encouraging people to make sure that they’re tracking the lifecycles of these devices. Not only track them, but have a plan in place for when it’s time to retire that outdated hardware.

Make sure that you’re updating it regularly. Right? Like recommendations that we see in Winter SHIELD really are targeting that cadre of user so that we can shrink that attack surface. And again, we’re using things like, not only our 56 field offices who have been incredibly active in pushing the Winter SHIELD messaging, but also that forward deployed overseas element.

So, we can have this global reach through both FBI assets, but also through our partners. Right? This podcast is a great example. We’ve had excellent representation across industry because they are also pushing this message. I think it’s a really … a really great show of unified messaging across the community that I think, from a victim standpoint, can be really reassuring and can actually be really comforting because as we know, there’s a ton of information out there and you have information overload.

And so, I think Winter SHIELD does a great job of distilling some of these recommendations into practical, digestible, sort of implementable formats for your average everyday, right, just owner of a very basic home office router.

Leatherman: Yeah. And for those looking for more, of course, fbi.gov/wintershield is where you can learn a little bit more on that.

Now the second story, we’ll move on to is one that we won’t spend too much time on because they’ve got, these are cases pending before the federal courts, but it should also get the attention of every executive, I think, and general counsel listening to the podcast.

On March 13, DOJ [Department of Justice] announced charges against an individual who is a former ransomware negotiator at an incident response firm. This person was charged with conspiracy to commit extortion for his alleged role as an affiliate of the BlackCat ransomware group, also known as ALPHV.

According to the indictment, this person allegedly conducted ransomware attacks while simultaneously being assigned by his employer to negotiate ransoms on behalf of the very companies he and his coconspirators had attacked.

Now, two of this person’s coconspirators have already been charged and have pled guilty in federal court. Ryan Goldberg, a former incident response manager at an incident response company, and Kevin Martin, also a former employee, each pled guilty in December to conspiracy to obstruct commerce by extortion. They each face up to 20 years in prison.

Across the attacks attributed to this group, six victims paid ransoms totaling more than $75 million. The FBI Miami Field Office led the investigation.

So, let’s think about what this means. These were cybersecurity professionals. They had training. They had credentials. They had trusted access. They came in kind of in a victim’s darkest moment to conduct these ransom negotiations. According to the prosecutors, they used that access and that expertise to commit the very crimes they were hired to stop.

The U.S. attorney in the Southern District of Florida said it plainly: “Ransomware is not just a foreign threat. It can come from inside our own borders as well.”

So, Maeve, this goes right to the heart of something that Winter SHIELD really does address, which is third-party risk and incident response plan integrity. When the person you’re trusting with access during your worst day is the one who put you there in your worst day, what does that tell us about how organizations need to approach the vetting of those that are in their incident response plan and their incident response partners?

Healy: Yeah, absolutely. And it’s actually funny. You know, so, Brett, you and I were just down in Dallas for, as I mentioned, the Leadership in Cyber North American regional. And you sat down and I thought you had a very, really interesting, really candid discussion with Eric Bowerman, the current CISO of the Dallas-Fort Worth Airport. And you all talked about this.

You talked about the way that A) business … We are in an era where businesses are scaling, right. There is incentive financially, from a resource standpoint, to outsource a lot of these specific skill sets. And so, this is a normal business practice that we’re seeing.

Something that Eric said that I thought … it really resonated as he said, you know, he’s working on pushing this culture of third-party risk management holistically across an enterprise, right?

In this case, for him, the Dallas-Fort Worth airport. You know, it’s not just managing third-party risk in your IT branch, right? He really approached it as, “We need to be looking at this as an entity, right, across our hiring branches, across our physical security branches, of course, our IT and our OT. Right?” That is something that companies, I think, can be using broad scale to really kind of hit that.

I also think he talked a lot—and we’ve hit it already. He talked a lot about building trust. You know, something that Winter SHIELD is going to hit on is managing that third-party risk, but also regularly exercising that incident response plan with your stakeholders. Right? Build that trust before you need it. Build that muscle memory before you need it.

I think the other thing too is, you know, Winter SHIELD is really geared towards transparency. Right? So, we, the FBI, and our partners that are conducting Winter SHIELD with us, we want to be transparent and communicative with the public, with victims. Right? And so, I think A) Using Winter SHIELD to get a real insight into how the FBI and our partners are looking at what we’ve seen historically. Right?

What is our operational insight into what adversaries are targeting and how, again, we can sort of share that to break down that information barrier? I also think you look at this case, right? You look at DigitalMint—one of the IR [incident response] firms—I think their response upon being notified of the investigation was exactly right. Right? We saw them immediately suspend access for these individuals.

We also saw them immediately put some new guardrails in place to make sure that their negotiations are properly audited and logged. Right? And so, again, I think the beauty of Winter SHIELD is we are trying to push this narrative because we really are trying to help folks get ahead of the threat, if I may. Right? We want this guidance to be out there before you need it.

And so, those guardrails are excellent. Right? And that’s really great. And that was a great response to an unfortunate incident. But we would love it if more folks have those types of controls in place in the first place. Right? And that’s the beauty of Winter SHIELD: trying to push that as much as we can.

Leatherman: Yeah. And the relationships in place like that, having that relationship with your local FBI field office, incredibly important. We don’t have a financial stake in the outcome of ransomware negotiations. We want to help you and we want to pursue the bad actors. So, have that relationship, build it into your incident response plan, and engage law enforcement early. We really are there to help.

Alright, moving on to story three: Microsoft Threat Intelligence—of course, we’ve got one of the deputy CISOs coming up next—released a blog post titled, “AI is Tradecraft.” So, last story here today. On March 6, Microsoft Threat Intelligence published this blog. And this one really matters because we continue to talk about AI [artificial intelligence], but it’s not a theoretical forecast in this case.

It’s based on what Microsoft is observing right now across their signals kind of intelligence platform that they run, what they see, the telemetry across their ecosystem. The headline is that AI is no longer experimental for threat actors. It’s becoming standard tradecraft to use it.

And Microsoft documented how threat actors are using GenAI to draft phishing lures, translate content into multiple languages for global campaigns, summarize stolen data, debug malware, and scaffold attack infrastructure.

For most actors, AI is functioning as a force multiplier. It reduces friction, it accelerates execution, while the human operator still controls the targeting and objectives. The blog specifically highlighted North Korean groups that Microsoft tracks as Jasper Sleet and Coral Sleet. These DPRK [Democratic People’s Republic of Korea] actors are using AI for identity fabrication to create convincing fake personas to get hired into remote IT positions, and for social engineering at scale.

We’ve talked about DPRK IT workers, previously with Mike Machtinger in Episode Two. This is an example of artificial intelligence augmenting what they’re doing. Microsoft also documented something we should all pay attention to, that threat actors are actively trying to jailbreak AI safety controls. They’re reframing prompts, chaining instructions across multiple interactions, and using role-based techniques to get models to produce restricted content.

And then there’s a piece that I think is forward looking and really important. Microsoft observed early experimentation with agentic AI by threat actors, where AI models support iterative decision making and task execution during the operation itself. This is still early, but I think it’s going to get here before we know it. Reliability is the constraint right now, but it won’t be for very long.

So, Maeve, from a global intelligence perspective, what are our teams seeing that kind of maps to what Microsoft published here in the way of artificial intelligence?

Healy: Yeah, I mean, I think the blog really hit the nail on the head as Microsoft always does, right? They’re calling out a lot of really key trends that we are equally seeing. You know, Brett, you hit on, kind of, this integration and proliferation of synthetic content. Right. So that deep fake era of imagery, right, of backgrounds of likeness, etc.

I think you’re also seeing, again, to your point, these actors trying to leverage maybe some of those gaps in a lot of those large-language models. Right? Reframing prompts, to your point. We’re also seeing sort of this experimentation with can we use AI to generate some of that malicious code faster, right? And more effectively. So, what we’re seeing is that scale and speed of execution, which again, is something that on the law enforcement side, right, that can be difficult for us.

We notoriously have been known to struggle with how to move at speed, particularly commensurate to what we’re seeing on the actor side. Right? You know, we are also, from a defense standpoint, looking at IP theft and looking at how we protect this kind of free space to advance the development of AI technology. And, you know, I think we’re talking about how AI is really enabling the execution of a lot of these intrusions and attacks, but the entry point is still the same. Right?

And so, again, you know, I come back to the importance of a lot of the guardrails that we’re laying out in Winter SHIELD. Right? Like a lot of that low-hanging fruit in terms of entry point and vulnerabilities that are being exploited, are there whether AI is in the picture or not. Right?

And so, I think it’s just so equally important to remember that we are facing adversaries that are not following rule of law, right? They don’t have policy guardrails in place. They don’t have legal oversight, right, that a lot of us are familiar with dealing with within government. And so, we have to make it as hard as possible on that battle landscape so that we can get advantages where maybe they are previously used to having.

And so, anything that we—and when I say, “we,” I mean us in a defensive community. But again, just your average day-to-day citizen, right, your small and medium businesses, that equal part of the fight in solidifying that wall. Right? Keeping the adversaries at bay, forcing them to generate some of these more sophisticated techniques. Right? That takes time, that takes money, that takes a larger workforce.

So, we have to push them to equally innovate, because that’s, I think, how we sort of level that playing field. And so, again, looking at how Winter SHIELD helps set that level from the beginning so that, yes, we’re seeing a lot of innovative tech when it comes to the use of AI, but if we can make that entry point even smaller, right?

Maybe that takes some of that pressure off of us when it comes to fighting with, innovating at speed and scale in the way that we’re seeing. And, you know, I think, again, looking at how we become practical and applicable in some of these recommendations, right? We’re never going to have the same workforce.

We’re not going to have the same scale that, particularly when you look at DPRK, right? We won’t be able to match that. And so, we have to look at other avenues. And that’s why I’m just so proud of Winter SHIELD, I think it’s such a creative approach that the Bureau and our partners are taking, and I think it’s something we maybe haven’t necessarily delved into in the past, but I think it’s a new way of looking at the threat really comprehensively, right, not just from an investigative standpoint, but kind of across all avenues that are available to us.

Leatherman: Yeah, that’s exactly right. And, listen, I think, the director was up on the Hill today and really highlighted our work on Operation Winter SHIELD to help folks understand that this is the way to move the needle.

I talked to Amy, CISO of AWS [Amazon Web Services], last week, and AWS saw that when actors used artificial intelligence to target organizations where the fundamentals were in place, the actor simply moved on. And that just demonstrates why it’s so important.

So, Maeve, thank you for joining today. Really appreciate the work that you do, that all of the Global Partnership Program and our Cyber ALATs do to keep the nation safe. Thank you for really spearheading our work to roll out Operation Winter SHIELD. And it was really great having you here today.

Healy: Absolutely. Brett, thanks so much for having me. This was great.

Leatherman: Yep. So, three stories this week. We took down a criminal proxy network that weaponized 360,000 home routers across 163 countries. We held accountable cybersecurity professionals who used their trusted access to attack the very companies they were hired to protect. And we saw new research confirming that AI is transitioning from an experiment to standard tradecraft for threat actors, including North Korean groups fabricating identities at scale.

The common thread: the FBI and our international partners and the private sector are on the offense and defense. And the fundamentals in Operation Winter SHIELD really do matter.

Our next guest sees this threat landscape from the center of one of the largest defender ecosystems in the world.

My conversation with Sherrod DeGrippo at Microsoft is next.

______________

Leatherman: I’m excited to welcome Sherrod DeGrippo. Sherrod is Microsoft’s deputy chief information security officer and general manager for customer security. She is formerly director of threat intelligence strategy at Microsoft, where she led Microsoft’s threat intelligence communication and customer-facing security programs.

Prior to joining Microsoft, Sherrod worked at Proofpoint as VP of threat research and detection. She led red team services at Nexium, served as a senior solutions engineer at Symantec, a senior security consultant at Secureworks, and a senior network security analyst at the National Nuclear Security Administration, where she helped protect the technology systems supporting the nation’s nuclear weapons stockpile. Pretty important role.

Sherrod hosts the “Microsoft Threat Intelligence” podcast, now in its third season. In February of this year, she published a blog post on the Microsoft Security blog titled “The Security Implementation Gap: Why Microsoft Is Supporting Operation Winter Shield,” which anchors our conversation today. So, Sherrod, welcome to the program.

Sherrod DeGrippo, Microsoft’s deputy chief information security officer and general manager for customer security: Thanks for having me. It’s good to see you, Brett.

Leatherman: Good to see you. I think it’s important for folks to know kind of what Microsoft does in this space: both threat intelligence as well as the threat landscape to mitigate threats to industry critical infrastructure and others. Can you kind of tell us what your teams do from day to day?

DeGrippo: Sure. One of the things that I sort of, tongue-in-cheek, always tell people is, “Don’t listen to a threat landscape discussion without demanding to know where the data is coming from first.” And so, I’ll start there.

Microsoft has a pretty big presence. You might have heard of us. We have about 1.5 billion endpoints globally. And so, that gives us a significant amount of security signal as well as from a variety of cross-platform indicators: cloud, email, web, search engine, browser: you name it, we get security signal from it. So, when we look at that signal, it helps us build a picture of what’s happening on the threat landscape. And, you track threat actors, I’m sure, in your role, Brett. We want to track them as well.

And ultimately, as the title of the podcast indicates, we want to get ahead of the threat using the telemetry that we have. A day looks like, you know, embedding in with one of our teams that focuses on a particular region: China, Russia, North Korea, Iran. Or they might be a crime-focused group. And just saying a lot of times to them, “What’s going on out there? What’s happening, what are the threat actors doing?

“What’s the movement on the landscape?” And understanding what the next moves are and where we need to think about, you know, increasing security controls, letting our customers know these are the threats that are happening. So, it’s almost a daily desk kind of what’s happening, what’s happening, and what are we doing about it motion.

Leatherman: Yeah. The telemetry has got to be tremendous. And so, I can’t imagine that you have any one team responsible for any of that. In fact, I know that our teams work regularly with Microsoft Threat Intelligence and incident response teams, related to both cybercrime and the nation-state threat. Can you kind of talk through how you guys track threat actors across those two different ecosystems?

DeGrippo: Sure. I think, you know, it’s my assertion—maybe I’ll be wrong, maybe other analysts will come at me and let me know what they think. And Brett, I’m interested to see what you think. But historically, we don’t really see a lot of overlap of threat actors going from the nation-state side to, you know, doing crime. Occasionally we’ll see that with a group kind of referred to as RomCom or some of the others that are … in operational roles for their government.

And then at night they do a little crime—on the side. That’s not really that common for us. We tend to see either one or the other, and you’re executing on objectives based on whether you’re financially motivated or doing espionage and disruption. Based on nation-state tasking.

I am kind of known for loving crime. I think, you know, crime actors are really interesting. And I think that part of the reason for that is I think that they have a creative leeway that a lot of the nation-state threat actors don’t.

If you’re doing financially motivated and you get caught, a lot of times that’s the point. You want to be noisy, you want to get attention. You want to get ransom paid. So, a lot of times those threat actors can be big and creative and interesting. And I’ll ask you, Brett, what kinds of actors do you think are the most interesting to track?

Leatherman: Yeah, well, I enjoy, I mean, both. Like, I’ve got cybercrime teams who are really there to understand what the ransomware actors are doing; the criminal extortion groups are doing. And then I’ve got the teams that work all nation-states.
Certainly, the most sophisticated actors are the nation-states, in particular the PRC [People’s Republic of China]. They’re what I would term a near-peer competitor to us and really invest in resources when it comes to hacking supply chains or getting into critical infrastructure.

But there’s, like you said, there’s interesting things to both groups. And I think to your point, the national security side of the house, the nation-state hackers, their goal is not to be loud and proud with what they do. Their goal is espionage, pre-positioning capability on critical infrastructure. And I think that’s important. That’s a different objective than the criminal groups that are really loud and proud of in what they do, because they have to be. At whatever point they launch the ransomware attacks, their goal is to get paid.

And so, the more impact they can have, you know, the more likely they are to get paid more quickly. And so, if you look at the “one-to-many” problem, which is targeting underlying ecosystems of health care or others, the goal is to get in, be loud, disrupt and get paid. So, I think all of it is incredibly interesting. They’re using a lot of tools: generative AI, agentic AI, and other things to scale in and speed up the way they do those operations. But what’s interesting, too, is that regardless of the level of sophistication, they all still use exploits in support of the fundamentals. Meaning, they don’t want to … they don’t want to launch their most sophisticated tools.

They really start to focus on, “How can we get in in a way that doesn’t cause us to expend the more sophisticated tools?” Your blog post on Winter SHIELD—something that really struck me there was you said, this is not a knowledge problem. It’s a … it’s an execution-and-follow-through problem. And we’re talking about the 10 controls that organizations can employ to stop both sets of actors more effectively.

Unpack that for us: What are you seeing at Microsoft that made you kind of add that statement in there?

DeGrippo: Well, I think, said another way: We all know what to do; we just need to get on with it. When it comes to security, I think practitioners understand where their gaps are, but they run into a variety of blockers—whether it’s resource constraints, budget constraints, personnel constraints. Rarely do we have a situation where someone says, “I just really don’t know any possible way to solve this technical security problem.”

We all know the best practices. And one of the things that I think that’s so important and different about the Operation Winter SHIELD effort is the focus on, “Let’s just get to the practice of security, the process of security, and try to break through as much as we can when it comes to those blockers.” It’s not easy.

I’m not saying that … people aren’t implementing things and they should just, you know … it’s not that hard. It’s hard. But the reason that it’s hard are things that all of us can work on and focus on, because most of us know what to do.

Leatherman: Yeah, we do know what to do. And part of the commentary I get as we launched this operation is, “Hey, these are 10 really important controls, but we’ve heard this before. These are things that don’t come as a surprise to us.” Yet the FBI, who has cyber teams who do incident response 365 days a year across the United States, much like Microsoft does, in 99.9% of the incidents that we respond to, one … at least one of these controls was implicated in the exploitation.

So, I guess my response to that is we’re still not doing good enough to increase fundamental resilience. Do you see it as that way? What’s your perspective?

DeGrippo: Things are moving so fast, especially in the AI reality. I frequently say that the “A” in AI is really meant to stand for “Accelerated.” It makes things go so much faster. So, we have a lot more to do. And, the backlog continues to increase for every enterprise that’s out there. But I would say putting that time and energy and effort into it really does bring the results. You really do reap the rewards of what you sow when it comes to security preparation.

I get asked a lot—because I focus so much on financially motivated and I’m looking at the ransomware economy all the time. The ecosystem is fascinating to me—and I’ll get people saying, you know, “Well, if we end up in a ransomware situation, should we pay the ransom?” And my response to that is always the same, which is, “You should already know the answer to that.”

If you’ve thought about this at all, you need to know the answer, not … whether or not you should. That should already have been worked out. There should be a consistent, clear playbook of how you respond to each different type of incident. Knowing what you’ll do, knowing who will make the decision, knowing if they want to put money into it, how much that’s going to be.

Who is the lead person? Who is the decision-maker? All of those things are much more important, really, than the way that you operate during the event is, “Did we already pre-decide how it’s going to go?”

Leatherman: Yeah, I think what’s important there is that you’re moving outside just the CISO’s [chief information security officer] role in defending the organization when you do that. You’re starting to say, “Okay, if we’re going to make a decision in advance, if we would be willing to pay a ransom or not,” that involves potentially the board of directors, the C-suite executives, inside counsel, outside counsel.

And so, what conversations are we having in advance of a breach that allows us to start to set our mindset to get to that point where we know what our right and left boundaries are in responding to a breach? I mean, having an incident response plan isn’t just for the technical folks. It’s developing an incident response plan that brings everybody together and everybody knows what their role is in the enterprise when it comes to external communications.

Ransom: do we pay? Do we not pay? Who engages law enforcement and what information do we share? Do you guys see in your engagements with industry that those response plans are in place? Do you find that there’s a lot of work to do there? I know we have a perspective on that.

DeGrippo: This is something I think about quite a lot, because I’m talking about it so much with security leaders and practitioners. So, I would say it’s about half and half. However, I’m very close with our incident response function, sometimes referred to as DART. I love to be able to hang out with incident responders. They have a lot of energy.

They really kind of … I imagine them like dropping out of a helicopter and rappelling down walls and like, swarming.

Leatherman: The Cyber Ninjas of today, yes.

DeGrippo: They’re just very intense. And I love that energy, because in intelligence, we have more of a rigorous, disciplined, longer-term-horizons sort of attitude. So, it’s fun to hang out with incident responders.

But what I’ve heard from our DART team is that it is a world of difference when responding to an extortion or ransomware event at an organization that has already made those decisions, because the pressure is there, but it’s not pressure in the same way as trying to make those decisions when your operation is completely shut down.

Leatherman: Yeah, that … that matters. Time matters, both in containment and eradication activity, and in ensuring that you’re communicating with downstream stakeholders or third parties who may be at risk as well.

In the FBI … I’m a 22-year agent in the FBI, and I have worked almost every discipline that the FBI works—violent crime, public corruption—and one thing we do really well when there’s a high-risk scenario, even if it’s high risk—meaning a high-risk arrest that is unlikely to result in, you know, significant impact—is we train, and we train, and we train.

And then, before we engage in a high-risk operation, we really start to tabletop what that looks like so that we can understand any weakness in those plans. We work with the on-scene commander. We work with crisis negotiators. We work with the tactical elements, so that anybody can raise what those gaps are and highlight those in a way that helps us change course and minimize risk.

I think that’s an area that we don’t see happening a lot in industry, when it comes to incident response plans. They’re not necessarily testing the incident response plans. Or if they do test those, they’re happening only with the network defenders. And I think there’s a lot of opportunity to test that with a lot of stakeholders, whether it’s annually or biannually, to close those same risks that could have tremendous impact, even if unlikely, to an organization.

DeGrippo: I think that’s super important. I think it should be looked at somewhat like a fire drill, and you should be able to go into the executive offices of your CFO [chief financial officer] … everyone, and say, “Look, this week we are operating at this drill level, and you’re involved.” And bring them in as a partner and let them see what things look like from behind the scenes.

I’ll tell a quick story. Brett, you and I were talking before about how I worked at NNSA [National Nuclear Security Administration], and one of the things at NNSA was that you had to be fire suppressant certified to work in the building. And so, every quarter, they would get a galvanized steel tub and set it on fire in the parking lot, and you would stand in line and they would hand you a fire extinguisher, and you would pull the pin, and you would put the fire out. And there would be a line of 10 or 15 people, that would then, you know, put the fire out. They would light it, they put the fire out.

I was, I guess, 22 or 23—that was my first time ever using a fire extinguisher. So, you better believe when a bacon fire started in my kitchen, in my apartment, like two years later, I was like, “I know how to do this.” It didn’t get to that point, but I really want people to understand if you’ve never used a fire extinguisher before, it is scary to use a fire extinguisher the first time.

If you have never been under ransom before: it is scary to be under ransom the first time. So, the closer you can get your playbooks and drills and tabletops to be like a real ransomware event and get used to them, the happier you’re going to be with the way that that incident gets resolved.

Leatherman: Everybody’s got a plan until they get punched in the face, I think.

DeGrippo: Yes, that’s the famous quote.

Leatherman: And then all of a sudden things become really, really, really real. And then how are you going to react in that regard? So, what do you recommend to organizations as far as who they bring in to those discussions, who they bring in to ensuring the incident response plan includes their equities? And then how do they … who do they bring into the tabletop exercises?

DeGrippo: So, I think you should really think about stakeholders across, because we have operators in our enterprises that are at the executive level, and then we have individuals that are at practitioner, highly technical level. You want them to feel … very comfortable interacting with each other. You want them to have this common, shared mission that we are an incident response team, regardless of what our particular role is in that incident at the moment.

We’re all doing this together as one. Being under pressure with people who have a different title than you, who have different reporting levels than you, who you’ve never spent any colleague-time with, it makes it harder. And so, getting your incident response practitioners, your threat intelligence analysts, your security operations practitioners—getting them comfortable sitting next to your CFO and having them feel, “Okay, this person is on this duty with me. We’re in this fight together. I’m not afraid to bring things up to them. I’m not afraid to ask questions of them.”

That’s one of the things that I think in incidents can be catastrophic is the people have never met each other before. They don’t work together. They’re now dependent on each other. And there’s a whole host of professional difficulties that crop up.

Leatherman: Yeah … crisis is not the time to earn trust, it’s the time to spend trust—I’ve heard before. And that’s incredibly important because that the prerequisite to that is you have to earn that trust in advance. You have to know folks. You have to understand how they … what their functions are, how they react under pressure. And I think it’s a culture.

I think the organizations that we see who are most successful here recognize that cyber risk is business risk. And it’s not just a risk that the network defenders have to deal with, but that everybody is responsible for.

You mentioned in the blog the idea of security by default, that the fastest way to close the implementation gaps is to reduce the number of decisions defenders must make under pressure. And we know that those time frames are compressing significantly.

I saw an industry report that said artificial intelligence is now causing commands in sending packets and other things at like 100 times a second faster than what a human can do. So, we’re moving into this era where we have humans defending against the agentic threat landscape.

You know, when you’re talking about reducing the number of decisions that defenders have to make, are there some practical ways that we can start to approach that in the community?

DeGrippo: Yeah, that’s an interesting forward-looking thing to think about. It makes me nervous, interested, curious, how we will navigate the AI realities that are coming at us. But yes, I do think that making decisions when you’re not under pressure tends to result in better outcomes. And having defenders really think about, “If this happens …” whatever, you know, that may be.

As an example, something I think about, is maybe you have an agent that doesn’t have any malicious tendencies, but a threat actor compromises that agent and then it changes what those tendencies are. How do you deal with that? How do you get an agent out of your environment? Make that decision now. Have that playbook ready. Have an artificial intelligence bill of materials.

What AI models, agents, and vendors are within your environment, that if they have some kind of security incident, you’re able to quickly know, “Are we impacted? What do we need to do? Is this a situation where we need to turn it off, where we need to patch, where we need to change configurations?” Making those decisions ahead of time really helps.

And then I think, you know, secure-by-design, secure-by-default, and secure operations. Thinking about that is always going to be … an easy shortcut to making the right decisions when you’re deploying new technology or you’re looking at how your existing technology will interact with something that’s new.

Leatherman: I think that’s a good point. Vendors, I think, need to understand the secured … secure-by-design principle, because the same devices often that are being used in very large corporations are being used in very small corporations as well. Small mom-and-pop shops that run the economy for a small town in Middle America. And so, how do we make those more secure by default in a way that reduces risk there?

And I think the idea that we kind of all come together and provide the strengths that we do and vendors clearly developing more secure software is important, and turning some of those security controls on by default is probably the right mindset we should take. Is that where you see it as well?

DeGrippo: It is. And, you know, since I came to Microsoft, I sort of took on a personal crusade. I took on a personal crusade. I don’t want to use the word “vendetta,” but I did take on a mission that I was going to connect with and influence software developers. At Microsoft, we have quite a few.

And to me, vulnerabilities are in software. And if we can get into the software developers’ habits, minds, practice, then we can change the vulnerability picture on the landscape. And I worked with MSRC—the Microsoft Security Response Center; they’re incredible—to put together a program for our software developers where they come spend the whole day with me.

I give them breakfast, lunch, and a happy hour, in partnership with my MSRC talented team. And I lead them through the threat landscape, and I walk them through breaches, and I walk them through incidents, and I say, “The developer in this instance did this, and the threat actor took advantage of it here.”

And things like test tenants, things like over-permissioned apps, things like allowing accounts to just hang around forever that you were using for demos, not having code hygiene, not doing code review.

And with the accelerated speed of software that’s being written today, because of AI, that is even more important than it ever has been before. So, getting close to your developers is huge because they come from a different world than security.

Leatherman: And you give them the real-life scenarios: “If we don’t pay attention to how we code, or where we get some of our code from and implement in our solutions, this is what could happen.” And I think that’s where some of the FBI’s voice comes in, is we see … we often see things post exploitation. We see the impact.

And folks want to understand what happened there. And the reality is, you know, in this case, 10 things … we can do 10 things better. But to your point, we can code a lot better if we know what the potential impact was. So, that’s fascinating that you bring them together. That’s not something that I had heard before. I’m sure it has a real-world impact on the way that they develop code.

DeGrippo: It’s been … I will say, if you’re a security threat intelligence; if you live in this world that you and I live in, go meet some software developers because they are like a different species in some ways. Their world … I feel security has this, “Look at the thing and find what’s bad about it.”

But in software developer land, it’s this, “I want to build this feature and get it to as many people as possible, and I want everyone to use my software, and I want to do a great job at what I release, and I want to have a product that everyone loves.”

And then we’ve got security standing over in the corner, like in shadowed in darkness going, “I will destroy. I will destroy what you have created.” And so, when you bring those mindsets together, I learned so much that I didn’t know.

And, you know, I could see on their faces I would say terms that to me are everyday terms like, “Oh, here’s your indicators.”

“What’s that?” I’m like, “You guys don’t know what indicators are?” “Nope.” “These are indicators of compromise. You know, you know what I mean?” “No.” And so, record scratch. “Okay, let’s stop the workshop. Let me walk you through these security and intelligence terms that you don’t know.”

And I use real-world incidents of incidents that had actually happened that were able to be traced back to the code.

And so, it’s been very impactful. I’ve done that with 600 developers at Microsoft now, and I’d love to present it for every developer in the company.

Leatherman: I feel like it should be a one-week boot camp as opposed to a one-day seminar. At this point, there’s enough material out there, I think to fill an entire week.

DeGrippo: It is. I think talking about threat actors’ psychology, what threat actors do, how they operate, and getting that point of view into the minds of our software developers and our engineers, it does impact the way that they do things.

Leatherman: You mentioned bringing real-life scenarios to the forefront for them. You know, for our listeners, Lumma was a massive malware-as-a-service platform. Anyone could subscribe to it. I think it was, you know, roughly $250 or so a month, and it harvested passwords, banking credentials, crypto wallet keys—all kinds of information from infected devices—and then fed them directly into the criminal marketplace.

Microsoft had visibility into that. The FBI was tracking the groups using those. We attributed approximately 10 million infections to Lumma globally. We identified at least 1.7 million instances of credential theft with Lumma. It was really the go-to tool for many of the more prolific ransomware and criminal groups.

The FBI Dallas Field Office opened a case on it and worked with Microsoft, and other providers who had that unique threat intelligence, to look at a disruption operation against it.

And I think that’s a place that we all want to be. Those of us who have the capability, either through law enforcement or using our platforms or using civil litigation. We call them joint sequence operations, where we sequence together our authorities and capabilities to remove adversary access to victim systems. We executed in an operation that had law enforcement work that technically disrupted the actors.

But at the same time, Microsoft, was able to also take down infrastructure and, I believe, engage in civil litigation … that also impacted the group. Now, listen, some of these … some of these operations are not permanent, like the groups will reconstitute. But my perspective on that is we give victims relief for at least a period of time when we do that, and we do impose costs on the actors by doing it.

But kind of talk through the unique … having that perspective and what Microsoft does with law enforcement, to share threat intelligence. How important is that? How do we do it? And, what is Microsoft’s perspective on contributing to those kinds of disruptions?

DeGrippo: Microsoft is heavily oriented towards threat disruption, and we have a variety of levers to be able to do that. I sometimes refer to them as hammers. We have a variety of levers and hammers to do that with. Obviously, we have products that sit within the cloud, within individual hosts, things like Defender and all of these products where we can do detection engineering to block threat.

That’s a great hammer that we use all of the time. Another lever that we have is the ability to do criminal referrals through our digital crimes unit. The DCU is just very cool. I love when I get to interact with them. They’re super smart. And they work with our Microsoft Threat Intelligence analysts to understand what we see on the landscape.

And I work with them quite a bit to understand what’s going on over there. And I said, “How do you decide what’s going to get a criminal referral, what’s going to get action?” And they said, “You know, really it’s threat intelligence analysts come to us and say, ‘This is big enough to really do something, and we could have an impact here.’”

And everyone sort of advocates for their particular piece of the landscape that makes the most sense to disrupt. Lumma Stealer is a really great story. It was, I think, 2,300 malicious domains that were seized, almost 400,000 Windows infections in about 60 days. So, this was big malware-as-a-service.

And we partner with law enforcement agencies, like the FBI, to get legal means to be able to bring some of this infrastructure down.

I completely agree, it might pop up again later, but that’s the reality. Security is a process, not a product. Security is not some end state, that one day we’re going to say, “Oh, we’re done. We secured it, it’s over. I can go on a nice vacation and not ever have to think about this again.” That’s not real.

Security is a process. Just like technology is constantly evolving, we must constantly evolve security around it. So, when we take out, something like Lumma Stealer, I celebrate that.

And we all do, because now we say, “If you want to do this, now you have cost. And we’ve developed our own playbook internally to be able to do it again faster and more effectively. So, you might pop back up, but we’ll take you back down and we’ll do it quicker, and we’ll do it with the tools in place, and we’ll do it with the expertise in place to make it even faster next time.”

Leatherman: Yeah, that’s exactly right. And, we learn just as the actors learn and we become more efficient and effective often at continuing those disruptions and contesting them in their own space. And that’s the goal.

For those organizations who don’t connect with the FBI but have unique threat intelligence to share, what are your thoughts on kind of where they sit?

The reason I ask is we do these joint sequence operations all the time, and I can’t think of one operation that we’ve conducted that hasn’t somehow been empowered by industry. Now, sometimes it’s empowered through the companies who view the adversaries across their ecosystem like Microsoft, like Google, like AWS, like those who have really unique visibility.

Other times, it’s a victim that was compromised by an actor that we haven’t seen before, and by quickly engaging the FBI and sharing that critical cyber intelligence, we can both help warn the sector where appropriate, and move upstream against the bad actors.

For somebody who’s worked with law enforcement now for a while, what are your thoughts on how organizations should approach that?

DeGrippo: Well, what I would love is if I could have a call to action to those that have visibility and have threat intelligence and have signal coming in from security, to come along for the fight and look at ways to impose cost and understand we can do something. And if you have information and telemetry, get into the sharing groups, help get that done.

Think about your platform. And I’m talking here to, you know, enterprise: your platform should never be used for abuse. It should never be used for malicious activity, and it should never be subject to malicious activity. So, think of yourselves as a global abuse mitigation capability. Think of yourself as, “We do this to make sure that our legitimate paying customers and users have access to what they’ve paid for.”

Ultimately, that’s what I’m here to do. Whether I’m protecting government data, financial data, text messages, or online shopping—those things are all important to me, and they all need to be secure, and they all need to be free from abuse when they’re on a platform that I can help with at Microsoft, which is a lot. I think that our partnership with law enforcement, including the FBI, is part of that global aspect of abuse mitigation: when we see our services and products being used for malicious purposes, we want to stop that.

We don’t want our customers subject to it and we don’t want our platforms used for it. And I think everyone could hopefully take that point of view and join that fight.

Leatherman: I think the goal is to protect these ecosystems that you guys run that power the internet, power productivity, power ingenuity across …

DeGrippo: I need to watch my streaming services safely.

Leatherman: That’s right, that’s right.

DeGrippo: I need to online shop safely. I want …

Leatherman: Uninterrupted.

DeGrippo: Uninterrupted. I want to transact with a sense of confidence. And I want everyone globally to have the right to use technology with a sense of confidence.

Leatherman: That’s right. Yeah, I think that’s exactly spot on. We all contribute in ways that can meaningfully secure our economy and in so doing, our national security. I would add that we know and we have put out there publicly, that nation-states are using industry to serve as access brokers to U.S. networks. And so, we already know that foreign actors—Russia, China, in particular—are leveraging industry, to target us.

So, we have to take that same approach to defend national security. And, we can do it … do that in a way that prioritizes customer privacy, and really allows us to share information about the threat actors themselves and how they’re targeting downstream customers at Microsoft or elsewhere. So we can … we can prioritize privacy and customer protections while also pursuing those threat actors.

But, you know, I think we’ve seen that between our organizations, we’ve gotten really good at that.

DeGrippo: I think so, too. I constantly have top of mind the software supply chain. And I think we’ve seen just recently, with a variety of vulnerabilities that have come out, threat actors are absolutely attacking the software supply chain. They’re trying to get into the code base so that when software is downloaded or updated, they have a specific malicious capability, a backdoor, access, telemetry, whatever it may be, because, hey, it’s a lot easier to put it into the software supply chain or in the services supply chain than to go compromise those 50 targets.

Leatherman: Sherrod, we’ve seen that, right? That’s the one-to-many problem that we face right now, which is the software-based supply chain environment. And one of the controls that we talk about in Operation Winter SHIELD is the importance of managing third-party risk—and it’s really understanding the vendors and the third parties who either have access to your networks, or have access to your data, or both.

And how do we start to frame conversations with them to better improve their cybersecurity, which in turn improves our cybersecurity? So, that third-party risk, I think, is a key tenet of protection. More and more people are using third parties to do different things in their environments.

DeGrippo: It’s true. And that really is a huge theme for my role at Microsoft. And all of Microsoft really is, look, we’re an incredibly important foundation of the global digital function. And with that comes an incredible amount of responsibility, and our CISO talks about it all the time. Microsoft has to be secure because we are part of that software supply chain.

We’re a massive part of it; a uniquely huge part of it. And we want to make sure that we, you know, take that duty seriously.

Leatherman: Yeah, absolutely. What … So, for a CEO, or an executive, or an attorney who sits in the inside counsel’s office, you’re hearing this third-party risk issue that we’re flagging here today. What kind of conversations do you take back on Monday, to have with your network defense teams? Where do they even start to broach this issue?

DeGrippo: I like to take things from an approach of what is interesting, because I think people follow through more on what they’re interested in. And so, I would say, whatever your particular specialty is—whether you’re chief legal counsel or you’re, you know, the financial officer, or revenue officer, whatever that may be—think about if your most important vendor disappeared tomorrow.

You can’t get into your CRM, you can’t get into your HR management platform, you can’t get into the top four SaaS services that you use. How does that impact you and who are you calling? And then start walking through how to create tabletops for that.

I also am a big believer in having strong partnerships with your vendor. Pick someone at your vendor, become friends with them. Have them on text. Be able to get ahold of them. And I do things like making lists of … or I suggest things like making lists of your most important vendors, creating news alerts for them, knowing who is in their executive suite. Watch their information come up if there’s news about them. Obviously, tracking CVEs that have to do with them.

But get to know your vendors deeply, intimately, relationship connection because that will potentially be the difference of if your operation can continue or not.

Leatherman: To that point, creating those news alerts, I mean, it’s all about finding those vulnerabilities as quickly as you can when they’re disclosed. Right? Within those third parties. Because we know the bad actors are looking for publication of CVEs [Common Vulnerabilities and Exposures]. Like to know when somebody becomes vulnerable. And now we’re in a race to defend. Either the bad guys are going to start automated scanning to find when … find where these environments are vulnerable and to try to get in or as defenders, we’re going to quickly start to mitigate based on what we see.

But again, it’s a timing thing. There’s a race at this point where we have to focus on beating the adversary to it. How do we approach that in the age of AI? I know on one of the podcasts of yours I listen to, you said, AI … adversaries are starting to use AI in ways that we’re using AI.

So, initially it’s, you know, to help with language and how we craft phishing emails. But increasingly, I think we’re going to see them automate the kill chain and how they start to escalate privilege, move laterally, exploit those CVE environments. You know, that’s AI speed against a human defense speed scenario. How do we start to defend leveraging AI in meaningful ways?

DeGrippo: The era of AI is so full of speculation. I love to think about it. I worry sometimes that we get ahead of ourselves on things. But what the true reality on the ground is today is we do see threat actors using it, to create code, to make things better and faster, to scale, again to accelerate.

It makes sense that they would do that. An easy flow that somebody could think of—this is, you know, very intuitive if you’re in this space—create an agent, watch CVE releases, find that code in the wild, try to create exploits for it; essentially automating the vulnerability and exploit timeline; like accelerating it super, super fast. I think threat actors likely have already started putting into place things like that.

How do we get ahead of it? We have to fight fire with fire. You, as a security practitioner, to be candid, you can make fun of the AI hype all you want. It’s here. And it does things. You have to understand how to use it.

And what I challenge people to do, both in my professional life and in my personal life, they probably … my non-tech friends don’t love it. But I will sometimes say … you know someone will have a problem, they’re going through this, they’re dealing with this issue. I say you’re thinking with the old part of your brain, you need to think with AI. How are you going to do this without your labor, with minimizing your personal labor as much as possible, through automation, through synthesis, through acceleration that the AI can give you.

Whether you’re planning a kid’s birthday party and you’re stressed out, or if you have a massive spreadsheet of CVE that you need to stack rank for priority. You need to start integrating AI to make things go faster for yourself.

Leatherman: It’s an automation-in-an-organization problem. And one thing I know I’ve said on this podcast before is the other area folks can leverage is to understand what they don’t currently understand. That might be a lot of what we’re talking about today or what we’ve listed in Winter SHIELD, is concepts that are just foreign to them, and AI can really help distill what really matters there.

You can actually take the information that we’re talking about today—the transcript here, or the information published on Winter SHIELD, your blog post—drop it into a commercial artificial intelligence program and say, “I am a general counsel. What do I need to know here? What conversations should I start having with my team to understand this?”

I think that’s a good start. There’s, I think, 20% of boards roughly have a cybersecurity advisor with them. That’s 80% of boards … the way I look at it … that’s 80% of boards that don’t. And so, until we start to close that gap, how can board members start to get themselves a little more smart on the cyber-risk environment?

This is one easy way to do that. If you want to know how to frame conversations around living-off-the-land attacks, or end-of-life devices, or creating a vulnerability management program. That’s a good place to start. It gives you pretty good information to start those conversations.

DeGrippo: I completely agree, and I think we have to look at it as a tool. And we have to say, “I have this incredible tool with agentic AI or with generative AI. What can I do to make my life easier?”

You know, you mentioned a couple of examples about learning things and what I think is so great is I learned this from a newsletter that Satya [Nadella, Microsoft CEO] put out at work actually, is I go to the AI and I say, “Can you make me a podcast that I can listen to about this topic while I’m, you know, walking the dog” or whatever it may be?

It doesn’t necessarily have to be something that you just sit there and read pages and pages of text. It can absolutely be something that teaches you, via the method that you’re most comfortable with. The other thing I want to mention about AI—it changes the past in some ways. Meaning, breaches of the past now have new utility.

So, if I breached 20 ters [terabytes] of data from a communications organization—email, client files—previously, it was very hard to go through that programmatically. Looking for sentiment in emails, looking for username and password pairs. Can’t really write in regex [regular expression] for that.

You can now feed that into an LM [language model] and say, “Find me every time someone is talking about a username or password. Find me every time someone is talking about mergers and acquisitions.” So, old breaches now have different meaning.

And I think that if you’re really thinking in the new AI world, you have to start thinking about those kinds of things. “What does this mean for today that it didn’t necessarily mean for the past?”

Leatherman: No, it’s a great point. We can take that older data and see how it trends to the present to start to see how we might better defend today. Especially you could do it in your own environment to see what kind of attacks are we seeing; what anomalies are we seeing? What have we seen over the last five years?

How is it changing? And then how do we craft our defenses as a result of that? I know we’re winding down here. Question to you about on prem [on premises] versus cloud. And I know it’s not a versus—I know it’s an on prem and cloud. You know, a lot of organizations are moving to the cloud from on premises environments.

But is it really that different in how we approach security? Again, we’re talking about end-of-life devices, vulnerability management. We’re talking about credential … protecting credentials and identity and access management, securing the human. We’ve got these recommendations on how organizations defend themselves. Logically, folks are going to ask how does that differ from on premises versus cloud.

Do you see a difference there?

DeGrippo: I absolutely do, and I … Wow, this could be a whole topic for a podcast; you just gave me an idea. Generally, what I see and what I think is best practice is to move as much as you possibly can to the cloud, because that gives you this sort of collective capability to secure. Your vendors should be doing some kind of CI/CD [Continuous Integration and Continuous Delivery] patching, getting you where you need to be all the time.

And that gives you some peace of mind. It gives you someone else in the fight with you. It gives you, I think, a capability that on prem doesn’t really come with. But let’s talk reality. Reality is just about every large enterprise today has moved everything to the cloud that they possibly can without inflicting terror in their executives.

Most organizations, what’s left on prem, is the hardest, oldest, most difficult to secure environments that they have. Because if it was easy, they would have moved it to the cloud already. So, that to me is the warning. That is the urgent concern. Protect your on prem, because we absolutely see threat actors pivoting on prem to cloud and cloud to on prem.

If you have a hybrid environment, which almost everyone does to some degree, make sure that you’re taking care and feeding of that on prem the best you possibly can. And thinking of really big scenarios, catastrophic scenarios to be table topping out what could potentially happen. Everybody’s in a hybrid environment. What you have left on prem is probably your highest risk factor.

Leatherman: Yeah, that’s incredibly insightful because it is the hard decision. It’s the hard decisions you have to make on prem that really can have the most impact, and you’re right, you probably haven’t moved the difficult things up there. I think of critical infrastructure who are operating very old environments, operational technology that can have real world impact.

And that’s where these controls really come into play. Like, when you go to the cloud, you have tremendous threat intelligence from all the major providers. If you’re on one of the major providers, you bring, you know … that the telemetry that you talked about and the threat teams, you talked about, you’re applying that threat intelligence to the customer environments in defending them.

When you’re on premises, you don’t have that, but you still have to be very vigilant in how you defend those systems. So, very, very tough environment probably to sit in for most organizations. But incredibly important. I would … I would offer that the 10 controls in Operation Winter SHIELD are very important to those on premises as well as the cloud environments.

Sherrod, I’ll give you the last word. So, I know we’re winding down, and, I really appreciate you coming on the show today. Given kind of what we’ve talked about today, thinking through the audience members and kind of how they approach what it is that we talked about today, what are your thoughts on kind of where we’re going, and how they should begin to prepare to defend their environments in the coming days, months, years?

DeGrippo: Well, you know, I’m going to go for a take; I’m going to go for an opinion. And that is kind of going back to what I was saying earlier: cozy up, to recruit, conscript the developers and software engineers in your organization because they are terraforming the battlefield that you’re going to have to fight on.

They are building you the higher ground, or they’re building you the mud as an incident responder, as a defender—where would you rather go up against the threat actor? Get them on your side, make them understand how much impact they have, not just on the security of the software, but if there is an incident due to any reason, even an insider threat …

“This software is perfect, but we have an insider threat.” They have built that battle ground for you. Make them your friend. Get close with them. Help them understand how impactful their work is because someday you’re going to be the one dealing with what they did, and you want them to have given you the best advantage that they can.

Leatherman: So, I hear you saying build coalitions, even where maybe there are nontraditional partnerships—there may be. And that is going to ultimately increase resilience organizationally for any enterprise. So, that’s incredible perspective.

Sherrod DeGrippo, thank you so much. Sherrod is Microsoft’s deputy chief information security officer and general manager for customer security. My name is Brett Leatherman, assistant director for FBI Cyber Division. If you want to hear more about Winter SHIELD, I would encourage you to read Sherrod’s blog at Microsoft and kind of her perspective on Operation Winter SHIELD, as well as fbi.gov/wintershield.

Thanks for joining us. And together let’s stay ahead of the threat.

DeGrippo: Thanks so much Brett. Loved it.