揭秘微软威胁情报中心(MSTIC)

  • A+
所属分类:安全闲碎

本文是XXX对微软MSTIC创始人和微软DSC部门负责人的采访,字幕使用腾讯云语音识别提取,然后通过谷歌翻译成中文。(未进行人工校对!)


本文信息量巨大,大家要坐稳了!


揭秘微软威胁情报中心(MSTIC)


谁是Microsoft Threat Intelligence Center(MSTIC)?

微软威胁情报中心 (MSTIC) 团队的成员专注于监控各种威胁:一组人负责代号锶 (Strontium) 的俄罗斯黑客,另一组监视代号锌 (Zinc) 的朝鲜黑客,还有一组跟踪代号钬 (Holmium) 的伊朗黑客。MSTIC 跟踪的黑客国家队不计其数,其中有代号的就超过 110 个。

    

MSTIC 团队招募了曾在米德堡等地工作过的前间谍和政府情报人员,将其在美国国家安全局和美国网络司令部的工作经验直接转化进他们在微软的工作角色中。


... ...


谁是Microsoft Digital Security Unit(DSU)?

克里斯汀-弗林-古德温:谢谢你邀请我来到这里。我很高兴能参加。我是克里斯汀-弗林-古德温,我是微软负责网络安全的助理总法律顾问,我管理着一个名为数字安全部的团队,我们研究全球网络安全法的先进问题,以及研究来自主要民族国家行为者的威胁,如俄罗斯、XXX、伊朗和朝鲜,并寻找方法来帮助为我们的客户和世界带来背景和对这些民族国家攻击原因的更多了解。


... ...


Cristin Flynn Goodwin: Thank you for having me here. I'm thrilled to participate. I'm Cristin Flynn Goodwin I'm Microsoft's assistant general counsel for cybersecurity and I run a team called the digital security unit, where we look at advanced issues in cybersecurity law worldwide, as well as looking at the threats that come from major nation state actors, like Russia, XXX, Iran, and North Korea, and look for ways to help bring context, greater understanding as to why those nation states attack to our customers and to the world.


***********************************中文************** ****************************

[0:0.000,0:30.280] 我们现在都可以度过一个真正的假期,幸运的是我们公主邮轮在旧金山有支持,每天 99 美元起,公主可以带你去墨西哥的海滩,热带地区夏威夷、阿拉斯加的冰川或加利福尼亚海岸没错,每天只需 99 美元 搭乘加利福尼亚的游轮 致电 1800 公主访问公主 dot、com 或联系您的旅行顾问今天条款和限制适用情感定价于 11 月 30 日结束2021 芯片植根于英国注册表,预订前请咨询 CDC 网站 www、dot、CDC dot gov。

[0:34.140,0:57.220] 欢迎来到斯皮克问我的名字是安德鲁·哈蒙德博士在华盛顿国际间谍博物馆的历史馆馆长每周斯皮克问通过为您带来与间谍的深入对话来探索情报和间谍活动的世界间谍大师情报官员和作家。

[0:57.220,1:9.100] 我们探索隐藏在日常生活表面之下的世界的秘密贸易工艺和技术的故事,欢迎收看本周的秒杀问答集。

[1:9.120,1:13.220] 微软威胁情报中心内部。

[1:13.380,1:20.460] 从您的 Visa 卡到您的 Outlook 帐户,从您注入车辆的汽油到您的操作系统。

[1:20.460,1:23.200] 一场网络斗争正在上演。

[1:23.200,1:24.680] 在我们身边。

[1:24.680,1:32.100] 在这一集中,我与微软威胁追踪情报中心的创始人约翰兰伯特进行了交谈。

[1:32.340,1:38.500] 该部门追踪世界上最危险的网络罪犯和国家附属黑客。

[1:38.520,1:43.620] 我还与数字安全部门的负责人 Christine Godwin 进行了交谈。

[1:43.620,1:49.040] 她帮助向政府提供安全支持,并与约翰的团队密切合作。

[1:49.240,1:57.400] 微软拥有数十亿客户,为数以百万计的企业提供服务,并且与美国政府的几乎每个部门都有合作。

[1:57.400,2:10.160] 说这可能与信息和情报有关,就像说在 1986 年首次上市时购买微软股票可能是个好主意。

[2:10.160,2:15.660] 今年夏天的 PS 价值为 2 万亿美元。

[2:16.640,2:34.960] 好吧,我很高兴能和昨天谈论雾,我想知道刚刚开始,你能告诉我们的听众更多关于它是什么以及它的作用吗并且只是帮助我们为我们分解它,你在做什么,你在哪里。

[2:34.960,3:1.080] 是的,当然这么想,我的名字是约翰兰伯特 我经营着微软威胁情报中心 我二十年前在微软开始从事安全工作,在我职业生涯的早期,我们经历了互联网蠕虫时代呼叫,嗯,嗯,红色的冲击波代码以及诸如此类的东西你们中的一些人可能在观众中记得,那些是利用 Microsoft 产品中的漏洞的蠕虫。

[3:1.080,3:2.460] 还有。

[3:2.460,3:23.920] 在那之后,我花了大约十年的时间研究代码质量或提高 Microsoft 产品的安全性,使其免受此类攻击的影响,而这让我知道这些攻击的幕后黑手是谁,我们通常称之为零日攻击攻击零日漏洞利用,这是漏洞利用,并且没有可用的补丁。

[3:23.920,3:30.700] 这通常会导致网络间谍活动、民族国家攻击者和网络犯罪集团的世界。

[3:30.700,3:44.760] 今天,我管理着微软威胁情报中心,有时也被称为 mystic,这是一群拥有网络安全技能的分析师和工程师,所以这些人知道如何进行逆向工程。

[3:44.760,3:51.560] 进行恶意软件分析,了解民族国家支持的威胁组织如何进行黑客攻击。

[3:51.560,4:5.100] 并了解他们用来瞄准受害者并利用他们的技术,然后使用我们在 Microsoft 拥有的数据和资源进行跟踪,了解他们在做什么并破坏这些攻击保护客户。

[4:5.980,4:25.020] 相信他们你想加入一个肯定的治疗杜,嗯,克里斯汀弗林古德曼我是微软数字安全部门的总经理和副总法律顾问,所以我的团队与约翰合作由一组网络安全律师和一组威胁上下文分析师组成。

[4:25.020,4:57.020] 我在 Microsoft 工作了大约 15 年 我在 2000 年初搬到华盛顿特区时进入了安全领域 我离开了位于其中一号塔 85 楼的合法工作世界贸易中心并帮助 MCI 世通建立了他们的网络安全实践


refront,所以我花了很多时间在 dc 帮助制定第一个保护网络空间的国家战略和最初的国土安全法案。

[4:57.020,5:20.220] 曾在其他电信公司担任过一些运营角色,从事国家安全应急工作和总统咨询委员会的工作,所以我从 2006 年初就加入了微软,我非常喜欢参与其中在具有九点十一背景的安全社区中,我是一个生活者,我会留下来。

[5:20.220,6:20.520] 而且,嗯,当你把高级持续威胁和网络威胁情报这些术语与总顾问放在一起时,完全诚实听起来有点像一场噩梦,不是因为嗯,一个在 Microsoft 最酷的事情之一是我们正在寻找所有工具来追捕影响我们客户的攻击者,因此如果这些工具之一利用法律系统以及我们可以通过以下方式共享信息的方式与政府签订的合同是世界各地的合作伙伴,那么让我们去做吧,让我们找到继续保持创造性和创新性的方法,因为这些攻击这些高级持续威胁会伤害或伤害客户,所以是的,律师的权力,这不是一件坏事,约翰你正在考虑微软拥有的超能力是什么,我想知道你是否知道每个人都喜欢听到超能力,你能告诉我们更多关于。

[6:20.520,6:25.340] 微软拥有的超级大国,以及你的创始乳香。

[6:25.960,6:55.440] 是的,所以人们经常认为攻击者在这个领域拥有所有优势,但现实是防御者,我们有很多事情要做,微软是你知道唯一的公司之一只有拥有我们操作系统的平台公司、拥有 azure 的云公司和企业公司,所以将这三件事结合在一起,它使我们能够了解全球端点上正在发生的事情。

[6:55.440,7:24.740] 要知道发生了什么,当攻击者攻击我们的云客户和那些企业客户时,客户往往是这些攻击者的目标,所以如果您想知道这些客户的情况攻击者你必须了解受害者的情况,这三件事的交叉点确实让我们有机会对此采取行动,你知道我们在 Microsoft 有很多产品和服务'能够干预和破坏。

[7:24.740,8:3.620] 我们有一个防病毒 Windows Defender,它运行在世界各地的数亿台计算机上,它也是我们拥有的电子邮件保护产品的一部分,许多客户在本地运行,所以一旦我们得到定位在这些攻击之一上,这是一个了不起的工具,可以在遥测中获取数据,也可以破坏发生在数亿台计算机上的此类攻击或您拥有的东西,因此能够获取我们拥有的情报,然后将其转化为我们的电子邮件产品平台、云平台、我们拥有的端点产品消耗的信号是一些能够做事的超级大国。

[8:4.300,8:31.220] 在部分超级大国以及微软有眼有耳的情况下,你知道世界各地的计算机和数字以及数百个产品的软件形式像你说的数以百万计的人,我想知道你是否可以更多地解开遥测,因为我发现它很有趣,只是说到进攻防守,你就变成了一些被视为的东西。

[8:31.220,8:39.740] 一层楼的弱点在重新利用它,然后聚合起来,将它变成一种防御形式,你能不能多谈谈这一点。

[8:40.560,9:34.420] 是的,一种思考方式是,如果您是 Office 365 或 azure 的客户,您将通过 Microsoft 的服务使用该产品或服务向 azure 发送信息您正在通过 azure 的防火墙及其前门服务将恶意电子邮件发送到收件箱 您正在通过保护层,该服务具有这些保护层是我们能够放入的检测点能够识别恶意代码网络钓鱼尝试的检测控制,我们通过跟踪这些参与者识别的东西,攻击者必须通过这些层来追踪我们服务中的受害者,这是我们如何能够去拥有的一个例子这种可见性是因为他们正在通过我们的云服务尝试接触这些客户。

[9:34.980,9:58.040] 所以这就像当你在你的计算机上收到一条错误消息告诉你发生了一些事情然后它询问你是否希望将该信息发送回开发该软件的人就像那个,但是如果你把所有这些汇总起来


一起形成,然后你可以,你可以开始寻找模式并检测谁在做这种类型的事情是对的。

[9:58.360,10:9.980] 没错,如果您了解如何从安全角度看待数据,您还可以经常学习、学习实际上是变相攻击的东西。

[10:9.980,10:16.440] 了解什么是攻击和什么不是攻击之间的区别,这就是我们试图做的。

[10:16.940,10:55.480] 我觉得很有趣的另一件事是帮助我们了解神秘主义者在微软中扮演的角色,例如,这是特别调查办公室,我们可以考虑他们在哪里在美国情报机构的角色内,但你知道微软和 800 万平方英尺、50,000 名员工、一个万亿美元的公司帮助我们了解组织的神秘之处,你知道它在哪里,你知道是的,只是让我们更好地了解您的单位。

[10:56.320,11:20.500] 好的,是的,所以一种思考神秘主义的方式是在微软,我们相信安全是一项团队运动,所以我的团队稍后会描述我们坐在一起工作Microsoft 周围的所有其他安全团队都将提供保护和破坏威胁 我为什么以我的方式创建团队的论文背后的部分是典型的方法。

[11:20.500,11:35.980] 将安全团队嵌入到我们的产品和服务中,我们绝对拥有 azure,有一个 azure 安全团队,我们有办公室 365 有办公室 365 安全团队和所以我知道我们需要一个专注于对手的团队。

[11:35.980,12:5.940] 无论对手在完成攻击后攻击你之前去哪里,你都需要在他们的整个生命周期中一直跟随他们并研究他们,演员研究我们,他们研究我们的客户,他们研究我们的技术,所以我们回过头来研究,通过了解他们在整个生命周期中所做的事情,您可能会看到他们在发动攻击之前就已经出现并能够破坏它,或者您可能会了解他们要追求的目标接下来,这是拥有一个专注于团队的一部分。

[12:5.940,12:22.320] 威胁情报专注于对手,然后使用它并以这种团队方式与 Microsoft 的所有其他安全团队合作,获取我们对他们的了解,然后进行破坏和干预,当您命名这些客户时,保护您的客户。

[12:22.400,13:22.880] 然后我们发展了这个概念,以获取威胁情报并构建威胁上下文,这就是我的数字安全部门团队的用武之地,因为约翰是了解它是谁的专家攻击背后以及他们如何执行攻击,我的团队将查看原因、攻击动机是什么以及谁是受害者,这样我们就可以了解攻击的整体视图,以便我们知道就是这样民族国家演员,他们有地缘政治动机,即将进行双边谈判,或者你知道这是俄罗斯对乌克兰,乌克兰即将迎来一个重要的假期,所以我们将看到俄罗斯人追求,嗯,乌克兰的一些基础设施并创造生活很难进入假期周末,所以我们正在研究攻击的原因以及受害者是谁,以便我们可以将信息分享回客户和世界,以帮助真正理解为什么这些是这些的宏观观点cks 发生。

[13:23.880,14:6.240] 哇,这在间谍博物馆很有趣,你知道我们研究了人们从事间谍活动的一些动机,有一个首字母缩略词老鼠金钱意识形态,胁迫,自我,有没有类似的东西人们做这种事情的原因,比如金钱,显然你知道勒索软件曾经的意识形态,也许你知道试图击败自由民主或其他什么,然后你知道我猜你认识的一些人,嗯,只是想看看世界上有些人只是因为坏事而烧毁,我记得当我在雅虎获得第一个电子邮件帐户时,有人说你需要小心病毒,我就像哇。

[14:6.240,15:6.700] 他们就像是的,有这些病毒,我想但是他们为什么要这样做,因为他们只是这样做,我无法理解它,但是是的,我的意思是,这是另一种人,因为他们只是想具有破坏性,所以请帮助我们更多地了解您如何筛选、分析和分类所有这些不同的动机,克里斯汀确定,所以有不同层次的攻击者,对吧你有那些用雅虎账户和垃圾邮件骚扰人们的活动家,还有很多网络犯罪活动勒索软件,这些是攻击活动的大类别,我们关注的是领域的尖端,那就是民族国家和平,因为你往往会看到


当民族国家投入资金和资源来开发新的策略和新技术来追捕目标时,它就会进入生态系统,其他人会效仿 ray 为什么在新的东西运作良好的情况下重新发明它,所以当我们看到民族国家,这真的是约翰团队的才华,他们是五岁的专家。

[15:6.700,15:16.160] 这些民族国家行为者的大海捞针在数据中我们看到的原因和受害者空间就是那个。

[15:16.160,15:46.520] 这些是情报任务,就像过去的五天对五天,你有一个目标、一个收集和一个任务,现在我们可以通过数字和远程方式完成所有这些,它完全改变了游戏,所以你会看到是否有即将举行的关于主要条约的谈判,或者是否有 G7 会议,或者是否有像编码这样的地缘政治问题,你会看到国家针对健康信息,或者他们正在追求。

[15:46.520,16:10.380] 病毒信息或者它与政府重要的问题有关,这就是为什么我们现在在受害者领域看到这么多智囊团和政策机构如此迷人的原因是因为情报收集政府的优先事项是针对其他政府要做什么,所以他们试图获得这些信息,这是一个非常迷人的空间。

[16:10.380,16:55.940] 我真的不想马上回到进攻和防守上来,但你知道你在那里提到了地缘政治,我的意思是这听起来我不知道这听起来真的很吸引你有像约翰这样有技能的人,然后听起来像你,你知道你有一个专注于地缘政治的团队,你知道你提到你正在乌克兰选举之后创造人等等,然后告诉我们一点关于这一点的更多信息,您现在是否正在招聘具有国际关系博士学位的人,因为我在 Mark giselle 上,我的老板会听这个,所以申请是开放的,所以是的,所以我们一直在招聘威胁背景.

[16:55.940,17:35.460] 专家们,所以我们看到的是一系列情报背景,嗯,你在像 mystic 这样的团队中分析数据的经验,技术信息,以及对政治的深刻理解一个特定的国家和地区,他们的政治利益和影响他们的势力范围,然后是语言技能 了解不仅能够阅读当地语言的政治和技术以及包装工俚语,而且能够帮助我们将其置于语境中是非常重要的因此,我们将这些技能用于支持。

[17:35.460,17:49.320] 这个神秘组织现在我们追踪我们所说的四大攻击来自俄罗斯、XXX、伊朗或朝鲜,所以我们拥有所有这些领域的地缘政治英特尔和语言专家,我们'一直在扩大。

[17:50.020,17:56.540] 哇,这太吸引人了,我只想回到进攻和防守约翰,你能不能。

[17:56.540,18:24.280] 帮助我们多了解一点,并随意使用任何你想尝试帮助我们理解的运动来帮助我们理解它可能是网球,你知道你有防守球员和进攻球员,或者你知道足球足球不管怎样,嗯,帮助我们理解进攻防守的动态,也许做到这一点的最好方法是给我们举个太阳风的例子,或者其他的东西,给我们一个例子来让你的心保持不变。

[18:25.020,19:4.500] 是的,就像克里斯汀提到的一种思考我的团队的方式是你认识一群计算机科学家,他们了解这些攻击,通过阅读经济学家了解世界,我们知道我们需要更深入对地缘政治的理解比这更重要,这就是为什么与基督徒的伙伴关系对我们来说如此重要,以了解为什么会发生这些攻击并将其背景化,我们发现的一个攻击示例是在今年早些时候有一个基于演员的在我们的电子邮件产品 Microsoft Exchange 有漏洞利用的XXX,我们通过对这一行为的跟踪发现或他们有这些漏洞利用。

[19:4.500,19:52.120] 他们针对的是新的漏洞,我们与微软的安全团队合作,确保他们拥有理解它们的技术数据,以便他们可以修补它们,全球其他安全组织也发现还有其他安全公司在保护他们的客户,这些公司看到针对他们的攻击速度,其他安全公司也发送该信息,以及 Microsoft 响应设备,就像所有 Microsoft 响应人员都必须在何时使用石板和 DNA危机刚好发生,我们经常一起工作,所以我们知道我们知道如何去做,我们知道它是如何工作的,为此你知道,微软努力推出补丁进行交换,我们发现的一件事是


在。

[19:52.120,20:15.480] 有很多客户,尤其是中小型企业,他们没有更新他们的交换产品,这些产品是他们自己在现场运行的产品,这不同于办公室三六十五它由 Microsoft 运行,不受此漏洞的影响,因此我们需要为多年前停止支持的 Exchange 版本发布补丁。

[20:15.480,21:15.880] 他们可以只应用精确的修复,所以产品团队最终发布了我认为二十多个不同版本的交换补丁来支持他们,然后我们还推出了一键式工具,可以为没有 IT 人员甚至打补丁的客户减轻这种利用,如果这一步对他们来说太难或太复杂,这是一个单击工具,您可以围绕它下载它会减轻,嗯这些,这些补丁,这些漏洞,如果我在他们的约翰那里得到了关于那个一键工具的很酷的事情之一就是那个,我们当时正在与白宫合作,他们真的专注于我们如何帮助将简单的工具交到真正不了解交换的复杂性的中小型企业手中,因为如果他们在安装后没有更新它,嗯,他们真的不会有能力做了很多繁重的工程,所以白宫之间非常酷的伙伴关系。

[21:15.880,21:29.140] 参与这个非常特别的响应的团队是我们提出一个非常简单易用的技术解决方案来帮助解决真正复杂的问题的能力。

[21:30.180,22:13.120] 然后最后一个评论是,虽然最初这些漏洞由一个组掌握,但我们称铪为我们跟踪的每个组,我们从元素周期表中分配一个名称,攻击这真的开始看到和收集,这就是进攻和防御的本质是由模仿者进行的,因此随着有关漏洞的信息公开,他们对补丁进行逆向工程,他们开始看到网络犯罪集团有时进行其他国家的模仿攻击想要快速使用这些关闭窗口的状态组,他们在世界补丁之前对漏洞利用进行了关闭,而实际上是大部分攻击量所在的那些模仿攻击集。

[22:13.120,22:44.180] 这就是如果赎金是游戏开始使用它,如果其他一些可以超过防御者的数量指标攻击开始发生怎么办,所以虽然我们最初处于这种猫捉老鼠的境地与我们之前谈到的进行低速和缓慢攻击的这些民族国家集团的比赛我们看到的模仿者的衍生攻击实际上是大部分数量和伤害发生的地方,这就是我们每天都在参加的比赛以确保客户保持领先。

[22:44.280,23:20.320] 每天都在不断地进行猫捉老鼠的游戏真的很有趣,我想知道你是否可以多谈谈这一切如何像你提到的不同演员一样kristen so 俄罗斯 XXX 伊朗 和 朝鲜 为什么神秘地看着它们就像是在与政府合作实际观察它们,或者只是你坐在那里,看着微软的产品,这就是大多数攻击来自或帮助我们理解那种矩阵。

[23:20.420,23:28.260] 考虑这个问题的一个简单方法是我们查看客户使用我们的产品的位置,并查看针对他们的攻击。

[23:28.440,23:38.660] 当客户从本地迁移到我们的云服务时,他们可以看到攻击者。

[23:38.660,23:59.420] 他们带来了他们的对手,当他们从他们的城堡墙转移到微软运营的云服务时,他们的对手并没有失去对他们的兴趣,对手说好的,让我们去理解如何在那里攻击它们,这让您知道我们跟踪来自 20 多个不同国家的 70 多个不同威胁组。

[23:59.420,24:24.720] 在我的团队中,这表明微软拥有广泛的全球客户群,以及追随他们的威胁团体的多样性,所以在某种程度上,这是对客户的攻击决定了我们为什么将重点放在我们关注的地方以及那些紧随其后的攻击才是真正推动交易量成为优先事项的原因,您可以说出它。

[24:24.920,25:14.640] 所以一旦约翰的团队确定了攻击状态,那么我的团队就会参与进来,我们将看看我们如何通知我们的客户我们与神秘主义者合作做的一件事就是监督我们的民族国家通知流程,所以我们现在跟踪数据,这是一件很棒的事情


关于这个工具和神秘主义者获得的遥测数据,我们可以创建自己的攻击数据库并了解攻击量的情况,因此回到 2018 年 8 月,我们开始保留我们已经保存的数据通知了超过 43,000 名客户,或者有针对性的攻击者破坏了来自我们跟踪的国家行为者之一的攻击,这是我们能够使用数据返回保存的地方。

[25:14.640,25:31.900] 大多数攻击来自俄罗斯、XXX、伊朗或朝鲜的四大攻击者,因为在约翰看到的 70 个主要攻击者和 20 个国家中,它确实将自己缩减为一个少数国家重复。

[25:31.900,26:8.060] 这听起来像是一个电话,你真的不希望你知道你正在被这个星球上一些最老练的黑客攻击,他们得到了俄罗斯政府的支持,你知道我不会去的,这肯定会影响我的星期四,你如何通知他们并帮助我们了解是的,我们不会出现在你家门口,但我们会弄清楚如何取得联系,因此对于消费者帐户,我们看到许多国家针对消费者、消费者帐户的数据活动,因为当然这些是我们的人可能拥有的。

[26:8.060,26:59.340] 地缘政治角色,但他们也有个人账户,因此会向我们太多的消费者账户提供电子通知,或者我们将在被攻击的企业客户的个人资料中使用二级或三级联系信息联系每个企业客户都告诉我们他们希望我们在发生危机时与谁合作,所以会联系那个人,如果我们认为由于妥协而无法通过电子邮件联系他们,我们会打电话给他们并想办法获得一个人在打电话,有几次人们不相信我们,我们不得不回电说不,我们是微软,我们打电话将帮助他们验证我们是谁我们可以进行这种对话,因为最重要的部分是让我们付出。

[26:59.340,27:11.700] 他们可以用来帮助保护自己的受害者信息,以便他们可以识别攻击或采取一些保护措施,因为我们不想看到攻击的重复。

[27:12.200,27:22.500] 我要补充的部分内容是这些通知非常有价值,攻击者可以改变他们的攻击方式,他们可以提出新技术。

[27:22.500,28:1.060] 他们可以转向新的方法,但他们对目标的兴趣通常是常青的,他们会回来的,所以这些通知经常变成与这些组织合作的基础反复成为目标,从威胁情报的角度来看,这是非常有价值的,因为我们知道攻击者可能会回到那里,如果我们与该组织有关系,并且他们能够在发生这种情况时联系我的团队成员或克里斯汀团队的成员,我们有机会了解下一次攻击的新攻击,并且通常会使用我们从中获得的洞察力。

[28:1.060,28:10.840] Spider 转过头来,了解更多关于攻击者目前的活动范围,因此它是工具包中的另一个工具,来自这个非常有价值的程序。

[28:10.960,28:12.180] 哇。

[28:12.240,28:48.960] 大约一个月前,我们有国家反情报和安全中心的代理主任在穗问,他说在事件发生后人们正在与他们联系寻找建议,你知道帮助他,就像为小企业主的客户,为那些在外面听这个播客的冰冷的人提供帮助,是的,他们应该与你取得联系,因为有办法做到这一点,或者像休斯·肯尼迪那样做通过跟踪对手或者是的,帮助我们更多地了解这一点。

[28:50.120,28:57.740] 是的,也许有几种方法可以回答这个问题,我们有什么定期沟通渠道。

[28:57.740,29:23.360] 网络安全行业、那些公司、主要平台提供商你认为嘿你以某种方式与微软竞争的人显然不与他们交谈或与他们合作或与他们合作我想你会发现很多从事安全工作的人,你知道安全融入了他们的血液,他们都面临着共同的对手,我们都从自己的角度看待对手,我会告诉你跟踪的分析师。

[29:23.360,29:49.720] 来自任何国家的其他威胁组织,他们都彼此认识,他们都互相交谈,我们有合作的方式,你们知道跨国家的竞争线等等,所以这是如果人们在 Microsoft 产品或服务中发现漏洞,我们会调用一个程序


d cvd 这实际上是与 Microsoft 协调以告诉我们这些漏洞,以便我们可以在我们的产品中修复它们。

[29:49.720,30:10.960] 让客户意识到他们,并以一种协调的方式做到这一点,尽量减少我们谈到的这些模仿攻击的危害,所以这是另一个非常重要的程序,我们有这些方法我们与人们接触,我们产品的任何客户尤其是我们的安全产品的客户,这些产品构建在返回 Microsoft 的飞行路径中。

[30:11.640,30:45.360] 这是最传统的途径,我也鼓励美国政府的任何听众联系主要协调中心,如果有什么事情让 sisa 和国土安全部在那里帮助民事机构方面的协调,显然 adi 和英特尔领域的其他机构有自己的网络协调能力,因此在联邦政府内部进行报告时,他们将使用传统渠道能够接触到就像他们做的那样真的很棒。

[30:45.360,31:25.260] 你知道约翰提出了协调漏洞披露,我们喜欢它,如果有人发现漏洞然后他们报告它,当他们向我们报告漏洞时,我们已经向 NSA 表示感谢然后我们可以去修复,我们给予他们信任并协调我们在那里的回应我们过去也曾与 gchq 合作过,因此我们喜欢将报告发送到我们的传统渠道和支持机制来帮助我们和那些投资于美国联邦政府的日常安全响应,其他国家的数据,如何与我们取得联系。

[31:25.960,31:47.020] 我想了解一下你之前克里斯汀所说的关于游戏改变给我的事情,这就像飞机发明的蒂米一样迷人,这意味着平民可以站在前线因为飞机可以绕过地面前线,在我看来是网络时代的。

[31:47.060,31:54.720] 每个公民,每个人都有一部 iPhone,每个人都以某种方式连接到互联网。

[31:54.720,32:9.840] 你比冷战时期更了解那里和游戏,也许你说你是一家开发先进航空技术的公司,然后肯定有人会试图窃取你的蓝图什么的,但现在。

[32:9.840,32:39.960] 是的,似乎越来越多的人发现自己处于这种持续斗争的前线,所以我想我想我只是想知道你是否对此有任何想法,因为你知道信息 SEC信息安全过去主要像你说的间谍对间谍,你知道它会被锁在华盛顿的俄罗斯大使馆它会被锁在国务院,但现在它已经在那里了,更多的人参与其中帮助我们理解。

[32:39.960,33:40.260] 是的,只是你对你提到的克里斯托游戏中的这种变化的看法,很明显,政府正在花费数十亿美元用于网络攻击能力,因此传统的内部四堵墙俄罗斯或XXX的情报机构,你知道这并没有改变,这只是游戏的一部分,其中一项重大变化是纳入了一个社区或一个社区的发展,我们称之为私营部门的攻击性演员。”看到较小的国家没有必要的工具来进行自己的监视操作或受监视的信息探索,他们将与这些公司签订合同以向他们提供服务,并且最近对该领域给予了很多关注,即使是最近就在 9 月 14 日,Apple 正在推出更新。

[33:40.260,33:57.080] 或者 NSA 集团正在使用的一个漏洞,一家总部位于以色列的公司,其 pegasus 软件参与了对人权工作者记者的监视,关于这一点已经发表了很多,他们参与了诉讼.

[33:57.080,34:13.900] 什么是 APP 漏洞,他们也利用了他们的漏洞,我们促成了那起诉讼,并在去年 12 月提交了一份法庭之友简报,现在谈论这些类型的公司所犯下的危害,嗯,我们看到我认为是。

[34:13.900,35:14.220] 9 月 15 日,美国起诉或与几名曾是美国情报界成员的人达成了谈判协议,然后前往阿联酋的公司工作,违反了他们保护我们的义务信息,所以这是一个引人入胜的空间,你会看到资金的增长进入这个创造工具和技术,可以增强一个国家的能力或执法能力,因为执法现在正在进入曾经属于互联网的领域


智能空间,因此迫使我们不得不考虑,微软真正倾向于关于网络和平以及政府行为规范和网络空间中的适当行为以及这些技术在不受控制时可能造成的危害的全球对话,因为这是一回事如果你看到一个非常小的用途,一个主要国家对另一个主要国家,但是当有一个广阔的市场时。

[35:14.220,35:22.280] 因为它和风险投资开始进入它确实改变了空间的基调和基调,所以这是我们关注的一个领域。

[35:22.280,35:50.020] 我只想补充说克里斯蒂安,你知道很多我们谈到的针对复杂组织的攻击,你知道我们有很多消费者也不得不担心网络威胁,进入您收件箱的任何内容都是网络钓鱼邮件,嗯,这是您应该或不应该点击的东西,而且您认识的每个人如今都必须拥有所有这些不同网站的密码,每个人都讨厌必须管理所有这些密码唯一真正喜欢密码或罪犯的人。

[35:50.020,36:16.620] 所以因为人们如果密码复杂到足以确保安全,你就不会记住它,如果它简单到可以记住它就不安全,所以你必须有解决方案只是这些日常问题,就在本周,我们发布了一些新功能,允许人们不再拥有 Microsoft 帐户的密码,您可以使用手机或手机本身的安全贴花地图来批准登录到您的帐户。

[36:16.620,36:31.060] 这只是比人们必须记住另一个密码更安全的基础,他们可能会在十几个其他网站上重复使用,如果这些网站中的任何一个被黑客入侵,你知道你的主要帐户现在很容易受到攻击,所以这样的解决方案就可以了。

[36:31.060,36:47.160] 对日常主要街道用户来说有点容易,每个华尔街用户在这个意义上仍然是主要街道客户,我们都有我们使用的个人帐户,这些非常重要对我们而言,提供适用于该领域的解决方案也非常重要。

[36:48.560,37:30.600] 我的意思是,在我看来,你知道这几乎就像呼吁整个社会的方法一样,我只是想知道你显然知道你知道你们正在做上帝的工作,还有其他机构参与其中,你知道外面有人试图保护街上的公众,你知道他已经离开了他的事业,但是我们如何走向舞台,或者是我们应该去的地方每个人在某种程度上都是网络公民,她在尽自己的一份力量确保网络安全和美国及其盟国都是它所需要的。

[37:31.320,38:4.580] 地缘政治领域肯定正在采取行动和反应,认识到这一难题是正确的,你会看到巴黎呼吁以及认识到这一问题的国家和商业签署方所产生的巨大能量网络空间行为规范的需求,以及政府如何需要克制和最大限度地减少影响,所以绝对,微软一直处于这些对话的最前沿,我知道我们计划在你看到的同时也在那里。

[38:4.580,38:46.300] 政府对进攻能力领域的重大投资,我们在XXX看到,它于 9 月第一次生效,其中一些新的漏洞报告对XXX公司的法律义务,所以你看到XXX想要更多漏洞信息,所以如果你正在考虑建立进攻能力和防守需求之间的平衡,嗯,它确实突出了约翰的团队正在做的重要工作,以及产品和服务,我们有Microsoft 威胁专家服务和我们提供的其他工具是因为。

[38:46.300,39:13.620] 政府希望扩大他们的观察能力,而不必从情报收集的角度对人们造成伤害,但与此同时,正如约翰所说,我完全同意,这些是影响人们的攻击,在某个时候必须在这个问题上有一些国际缓和,在此之前,微软将处于中间状态,并试图在我们可以的情况下引导对话。

[39:14.480,39:29.140] 一个有点有趣的问题是,Apple 是否有一个类似于 mystic 的部门,它从所有 mac 的所有操作系统和软件中收集数据。

[39:29.440,39:45.060] 我真的很难评论他们的所作所为,他们当然有安全人员来应对漏洞,他们受到克里斯汀之前提到的一些攻击者的影响,而且他们拥有网络级别那边我们知道一些


安全人员是的。

[39:45.160,40:9.880] 我觉得很有趣的另一件事是,如果你看一下智能的历史,你就会知道过去 100 年来,系统中最关键的节点的位置经常是一个成为攻击焦点的地方,所以我在想像菲尔·贝艾姆斯罗伯特·汉森这样的人,你知道的。

[40:9.880,40:36.220] 我的意思是,你不能制造一些这样的东西,几乎没有负责运行俄罗斯反情报的人恰好是俄罗斯特工,所以我想这是一个冗长的方式说年轻人必须运行你自己的反情报行动来确保错误和其他为你工作的人你知道你正在建立你的物理基础设施,以确保这一切都是安全的。

[40:37.460,41:5.160] 是的,也许是解决这个问题的一种方法,正如你所知,如果你是一名处理任何类型数据的员工,你必须通过筛选才能成为微软员工在这些流程中,我们在 Microsoft 有一个相当严格的流程,当涉及到数据访问规则时,这些控制和规则的一部分是技术控制,这些控制的一部分是调查人员之间的职责分离。

[41:5.160,41:31.880] A 可以做,然后可以根据调查采取哪些行动,我们与法律团队成员一起决定,有时根据我们的调查结果决定采取正确的行动方案拥有和跨角色和职责的部门之间的伙伴关系是我们如何确保我们履行义务的一部分,我们已经让客户努力确保他们的安全并试图给对手带来挫折。

[41:32.600,42:5.880] 所有这些基本上都是我们所谓的内部威胁计划的重要元素,所以我们嗯,你知道我们没有像奥尔德里奇艾姆斯那样的问题,而且,嗯,你了解反情报类型的行动,比如你必须了解金菲尔比的世界,但绝对内部威胁是私营部门的一个问题,我们非常重视,所以约翰描述的所有要素和其他因素对于我们如何看待这些风险至关重要。

[42:6.560,42:29.940] 我在网上某处读到,你有一些人曾经作为团队的一部分在情报界工作,你知道他们在整个安全领域都有所传播,所以我想知道这是否只是一个案例已经申请并且他们碰巧在情报界,或者如果这些是您正在寻找的技能组合或您正在积极寻找的人类型。

[42:30.060,43:30.540] 我会说我团队中的很多人并不是来自技术背景,他们来自事件响应,从业者世界非常有帮助,就我自己而言,我从未工作过对于我工作过的任何政府,我都获得了计算机科学学位,大学以外在 IBM 工作,我在那里从事安全工作,因为作为新人,我最后选择了从事什么工作,但没有人愿意从事安全工作,所以我爱上了它的攻击防御猫和老鼠,完美需要我刚融入我的血液的所有东西,然后当我来到微软时开始安全并了解技术和我们的客户,然后思考攻击如何表现那,这就是我们寻找的DNA,那种激情,那种以团队方式工作的能力,在整个公司和我有一百个惊人的幕后故事,就是这样。

[43:30.540,43:55.460] 与其他拥有目标组织和政府的公司合作,这些公司真正帮助我们把这张图放在一起,每天都在解决这个问题,所以你知道你可能会想,哦,你希望每个人都专业地做过这件事之前对于政府来说不是那么多,我会说那些调查本能中的本能,你知道技术海盗有点,那些是我们寻找那种激情的东西。

[43:57.440,44:31.120] 现在我确实从情报界招聘,因为我经常需要的技能集需要大量的经验来解析情报大量不同的数据集,然后提出一个叙述并将其与地缘政治通常是一种最好在情报空间内磨练的技能,因为据我们所知,我们的威胁背景和分析团队是世界上唯一的,因此我们正在借鉴那些以前属于政府领域的技能.

[44:31.180,44:59.420] 思考我们如何模仿这些技能,这就是我们想要学习的东西,这不是一个智能空间,而是我们如何写作,我们如何沟通以及我们如何与世界沟通,这就是我在招聘时真正需要的技能类型


是写作经验,所以我们也研究了具有很多写作背景的人。

[44:59.420,45:55.840] 我的意思是一件有趣的事情,它让我印象深刻,因为它只是基于我们的对话,因为必须进行翻译的级别,以便从零到一形成一幅图片,你'重新审视特定的演员或国家,然后那可能是,嗯,你知道我们在谈论不同的语言,就像你说的克里斯汀韩语普通话等等,然后,这必须被翻译成一种你知道不可避免地会压缩的叙述和编辑、选择和特权,某些类型的信息,所以我想在整个过程中,他们只是帮助我了解信息如何从你的团队约翰传递给基督徒,反之亦然或传递给公司,是的,所以你可以认为我们。

[45:55.840,46:0.760] 接近自上而下和自下而上自下而上构建的空间可能会装箱。

[46:0.760,47:1.220] 我们的跟踪工作帮助我们了解正在发生的攻击,嗯,他们试图猜测 Microsoft 客户的密码,试图发送恶意网络钓鱼邮件或恶意软件发送,然后我们由于跟踪工作,我们已经对可能背后的组织有所了解,我们提前发现了该活动,然后谁是受害组织,我们是否对他们可能成为目标的原因有所了解在某些情况下,从历史或基于传统的地缘政治目的,这是完全显而易见的,在其他情况下,不清楚为什么将它们作为目标,需要做一些工作才能理解哦,那是供应链中某物的一些默默无闻的公司,那么这可能是原因为什么和把那张照片放在一起,特别是为什么这为什么现在可能正在发生的事情发生在这个时间点,这就是与克里斯汀的团队合作的地方,他们看到了一切我们发现和揭露的攻击。

[47:1.220,47:21.520] 在我们进行技术工作时,他们在那里帮助缩小,因为了解攻击是我们必须同时做的一件事,如果你还没有并且我的团队通常专注于这些技术,但基督徒似乎在那里采取行动,这意味着什么,画面发生了什么以及接下来会发生什么。

[47:21.820,47:24.560] 那么你对那个十字架有什么想法吗?

[47:24.580,47:55.600] 我想补充一点,当我们在太阳风袭击中时,例如回想一下今年 12 月约翰的球队正在做一些精彩的奥运会级别的体操来通过数据定义,攻击者是如何得到的从这个内部环境到这个受害者,然后我的人会退后一步,看着所有的受害者说哇,你知道这里真正关注 IT 部门,这个 nobelium 演员在追求什么。

[47:55.600,48:27.660] 我们如何谈论这个,你可以在博客中看到,微软正在发布一个我们与世界分享的地方,就像你知道的,我不记得我的领导 IT 领域的受害者百分比,但我们按国家/地区按部门划分,以便人们可以了解 nobelium 追求的是什么,原因和地点等等,这真的很有趣,所以这就是我们要做的做的是一旦他们发现大海捞针会记录它并运行它,看看它会把我们带到哪里。

[48:27.660,49:28.120] 哇,我也想知道的一件事,约翰你知道,因为你每周都在关注这些演员,这些怎么样,你知道对于那些可能是冷战冷战操作系统的锄头的人,帮助他们了解您的信息安全环境,我们经常在报纸上听到他们隶属于或有联系,说是 s ver 或XXX情报机构代理机构可能会通过一个例子帮助我们理解像附属意味着什么,这是否意味着他们看起来相反,或者这是否意味着它基本上是一个代理并且他们正在运行一个程序并且你知道它有点关闭书上有书,或者是别的什么,等等,这些人从哪里获得他们所需要的技能,就像你知道的那样,有没有像俄罗斯的黑黑客情报课程之类的,或者你只知道它只是一些东西吗?

[49:28.120,49:47.380] 他们正在接受,嗯,是的,只是对这个世界不太熟悉的辅助听众,只是了解外面的这些危险演员,我会说这真的不一样毫无疑问,其中一些人是政府雇员,他们朝九晚五工作。

[49:47.380,50:9.140] 您可以对攻击进行所谓的生活模式分析,并了解一周中哪几天发生这种情况,什么时间发生


哪一天,哪个时区,这是发生的,你知道这不是归因,所以不要认为它和那个是一回事,但它是一个数据点,你可以告诉克里斯汀有时在某些假期,国定假日,没有人表明有那天没有攻击。

[50:9.140,50:40.200] 他们似乎在下午 5 点之后就被淘汰了,或者你有什么,所以其中一些告诉你,对于其中一些人来说,这是朝九晚五的工作,对于其他情况,这似乎是一份夜间工作,所以他们有一份白天的工作,晚上他们的黑客技能被用于致富的目的,他们用它去黑客公司来丰富他们和他们的黑客团队,所以它确实在全球范围内有所不同,我们正在做的很多事情试图做。

[50:40.200,50:46.280] 如果你仔细想想,是从一个演员的角度来跟踪演员的。

[50:46.280,50:51.520] 攻击者的攻击有四个不同的组成部分,一个是攻击者所追求的。

[50:51.520,51:18.740] 第二个是受害者追求的目标是他们用来进行攻击的基础设施、IP 地址和服务器以及他们使用的所有内容,最后一个组件是功能的作用他们有什么恶意软件他们有零日,什么是工具和那些技术,这四个这四个组件,你一起看它们并通过许多不同的攻击分析它们你会觉得还可以,这就是演员的能力.

[51:18.740,51:40.600] 然后一旦我们理解得足够好,我们就会从元素周期表中给他们一个名字为了跟踪他们的活动,我们对这个参与者如何操作该人背后的人的理解的成熟度通常是不必要的。

[51:40.600,52:16.200] 他们是否穿制服打领带,他们是否坐在地下室,您通常不需要知道这一步,以便继续跟踪他们的活动并保护客户,真正重要的是当然要跟踪他们的活动,然后我们经常会经常跟踪一个演员和其他一些权威,有时是美国政府或其他人,他们会起诉他们将要做什么进一步的步骤,然后说嘿,我们看到并观察到的对这个实体的攻击,他们将进行这种级别的归因,然后有时这就是这些事情的联系方式。

[52:16.580,52:55.920] 这是一个非常重要的观点,因为 John 提出的区别在于,Microsoft 需要有关活动组和参与者的足够信息才能保护我们的客户,而如果您正在进入为了将某人绳之以法而将执法空间归因于一个人通常不是商业市场空间需要的东西,因此这确实需要属于政府领域,因此政府需要关注在那种级别的归因上并使用他们的法律工具来实现这一点,这不是微软正在推动的事情。

[52:55.920,53:16.700] 当然,嗯,这不是我们需要帮助保护我们的客户的东西,所以有了像舒适熊这样的东西,你只是在看他们在做什么,你在做什么不一定要说这是谁的眼睛,或者你知道有没有俄罗斯情报,这对政府来说是正确的。

[53:16.840,53:38.640] 好吧,为了回馈一个需要传票权力和法律当局才能获得我们不需要的信息的个人,以便做约翰斯顿所说的事情关于编写帮助我们与客户合作的保护措施,以便最好将这些法律权力交由政府掌握。

[53:38.640,53:50.040] 我只想回到你在我去约翰那里的那一刻提到的事情,你讲了幕后的精彩故事,你能不能与尖峰听众分享一个,我的意思是。

[53:50.040,53:59.560] 也许去年发生在太阳风上的一个例子是你知道火我真的是第一家公司。

[53:59.560,54:17.980] 为了打破这次攻击的故事,我们了解到他们被攻击是因为那里的人联系了我的团队成员,以帮助调查他们为什么要这样做没有一家公司可以单独做到这一点。

[54:17.980,55:18.280] 我团队的那些新人,其中一些是那里的前雇员,他们有信任关系,在危机中你会打电话给你信任的人,这会发生就像我说的竞争线,因为你现在相信那个人微软能做什么,我们可以采取他们看到的攻击的特定元素吗?在网络安全中,你知道你没有看到一切


不能保证你看到一切你有足够的谦逊知道这一点,所以你想总是尝试把大局做好,因为如果你补救并试图阻止攻击,而你只做了一部分,攻击者仍然在那里您希望收集尽可能多的信息以取得成功,他们可以利用他们在本地看到的信息并与 Microsoft 合作以及我们在全球范围内看到的信息,并尝试更好地了解正在发生的事情,然后将这些信息交还给他们,以便他们能够更好地保护发生在他们身上的事情以及我很早就在那里的那种伙伴关系,当这种情况发生时,来回。

[55:18.280,55:56.580] 这发生在公司和组织之间的多层次互动中,因为我们正在确定这一点,然后我们的团队一起工作,他们的出色工作来确定,这是太阳风软件问题,这就是他们进入的方式,这意味着这个问题有多广泛,是专门为他们量身定制的,还是这种访问方法适用于所有 Solar winds 客户?它去了哪里,这才是我们真正可以工作的地方与他们一起尝试了解,这有什么广度,这意味着什么以及那个兔子洞到底能走多远,你知道我会这么说。

[55:56.580,56:28.080] 在那一集发生的那几个月里,你知道,这是我可以脱掉睡衣的那一天,你知道吗,这就是你知道的每一天每天的时刻都在做这件事,但这些事件是这个领域的人们准备好的,这就是他们在这里要做的事情,我只是你知道我可以告诉你微软有很多很棒的人,我们做,但与其他公司和组织的伙伴关系非常重要,这是其中的一部分。

[56:28.960,57:3.260] 我要补充的一件事是,当您查看其他组织或其他部门时,他们会谈论您知道行业和团体安全自称为社区,因此当您看到像太阳风这样的事件,你知道所有人都在甲板上,所以很酷的是约翰是对的,你知道当你穿着睡衣两天没有离开你的键盘,你已经筋疲力尽了,你知道如果你拿起电话给另一家公司的人打电话,他们也在做同样的事情,所以你知道重点是。

[57:3.540,57:28.840] 保护客户,了解事件应对危机如此深刻以至于你几乎没有注意到它,直到你坐起来并意识到当你认为是九点时天已经黑了'时钟,我记得在火灾发生前与凯文曼迪的一次谈话我穿这是几周你知道在这一切开始之后几周你知道我告诉他们当他们伸出援手帮助我团队中的人时,他们工作了.

[57:28.840,57:51.580] Fireeye 的违规行为就好像是他们自己的违规行为一样,他们感受到了那种程度的个人参与、承诺和对它的兴趣,他们在晚上和周末工作,试图为此尽他们所能,我只是认为这种使命感在网络安全领域很常见,人们可能不会感到惊讶,这非常重要。

[57:52.340,58:13.160] 我们都不得不把这件事告诉全世界 我想约翰可能还记得这个数字 我想当我们完成这件事的时候大概有 32 或 33 个博客,你知道沟通真的很害怕在我们看来,因为这是一个如此重大的事件,而这种合作是我们应对方式的重要组成部分。

[58:13.200,58:20.560] 我想要我听到的东西,我不想把话放在你的嘴里,但我听到的东西之一就是。

[58:20.560,58:23.520] 就像你的团队成员一样,in.

[58:23.520,59:11.160] 他们有点欣赏和享受拦截攻击防守方的游戏,你知道伴随着它是一个动态和流动的领域带来的智力刺激,但也有一种潜在的搜索搜索感,有一种潜在的使命感和服务感,你知道我没有因为这么说而得到微软的报酬,但我不知道,这就是我正在接受的东西,而且你知道我们经常听到就像那种心态和情报界,肯定是政府他们没有得到很好的报酬,你知道,但他们可以得到很好的好处,但他们有这种使命感,但我从你那里听到的是因为还有使命感和错误感。

[59:11.320,59:40.760] 是的,我的意思是在网络安全领域,你知道有一个好人,有一个坏人,响应者和防御者觉得这是我们的角色,去尝试解开和破坏它并保护客户,让他们过上自己的生活和业务,您知道追求智能


实际练习,在那里它让这些人打勾,你知道这是调查难题的一部分,当他们获得突破时,这是令人兴奋的。

[59:40.760,59:53.780] 你知道,即使突破意味着看看其他人正在发生的所有这些对我们来说可能是糟糕的一天的坏事,这也是我们准备好并追求的每一个一天,然后我们就可以做点什么了。

[59:54.900,60:55.380] 但是我们为所有这些团队感到非常自豪,这是微软安全响应中心,是防御团队,是参与的各个产品团队,是的,有一种巨大的社区意识和巨大的意义事实上,我们都在执行这项任务,我们不会停止,直到我们消除了威胁,而且当我们在 Solar 获胜期间进行日常通话时,我们的高管们会直接上到最高层,我从未想过我”与我们的高级领导团队通话连续两天都戴着棒球帽和同样的羊毛,但你知道这是因为我们都在,整个公司都在,所以当你知道一个事件是如此重要以至于它要求每个人都尽其所能,但约翰的团队和这里所有安全团队的惊人之处在于他们每天都这样做 我的意思是不管事件是什么他们仍在带来努力和精力的水平,所以这是一个有幸作为律师与他们一起工作,现在处于威胁环境中。

[60:55.380,61:0.060] 因为没有比这更好的地方让你一直回复了。

[61:0.980,61:38.040] 我的意思是一件非常有趣的事情,也有类似的信息,嗯,有情报,我曾经想过的事情之一让我沉迷于蒂米,如果你知道信息,这有点老套各种不同的原因,但我想我想说的是什么。

[61:38.200,62:6.460] 当它是关于石油的时候感觉如何,它是关于你知道美国政府是关于军队的,但现在它是关于那种一些责任或一些责任的信息责任已经被推到了拥有专业知识能够处理其中一些问题的公司身上,我只是想知道您是否曾经考虑过您正在做的事情的方式,您可能不久前就知道了。

[62:6.460,63:5.280] 这是政府的领域,但现在作为一家公司,你知道是的,我不知道任何想法我只想说这个世界一直是公私合作的你可能会说,即使是像你所说的石油,可能每个国家都有公私公司为此负责,当然每个人的信息对他们自己都很重要,他们应该能够保护,他们应该有隐私权,就是这样重要的是,我们作为捍卫者努力工作,以确保他们能够在面对追求他们所拥有的东西的非常老练的人时做到这一点,你知道是否有一件事我猜你知道你的听众应该知道,是吗?没有一家公司可以单独完成,每个人都需要履行自己的责任水平 对他们设定很高的期望并意识到什么是利害攸关的,但这是在公共和私人领域的合作,你知道而在行业内,这正是这方面的重要组成部分。

[63:6.060,63:48.860] 我想说的是,由于大流行,我们看到了非常大的数字化转型浪潮,因为人们不得不将生活转移到在家工作,这意味着很多人在域和他们可能从未想过会立即经历的领域,因此数字化转变将继续对迁移到云施加压力,坦率地说,这很棒,因为我们看到民族国家攻击,因为我们在云中看到它们,你知道,如果你从内部的角度考虑安全问题,我只能通过你的窗户看到发生了什么,当你进入云中时,你关上百叶窗我看不到你的房子里面。

[63:48.860,64:29.420] 至少是公寓经理,所以随着世界进入云计算,我们了解正在进入并影响我们客户的攻击类型,我们看到的数字只会增加但这并不是一件坏事,因为这意味着我们实际上正在确定一直存在的问题,正如约翰所说的那样,因此数字化转型的重要性在于它为威胁带来了更多的透明度帮助世界各地的客户了解为什么利用安全技术对于他们想要的生活方式如此重要


他们的数字生活向前发展。

[64:29.700,64:56.460] 而且我知道我们必须尽快结束,所以我想知道你是否有任何想法可以让尖峰提问的听众留在我们身边,或者你会鼓励他们做任何事情是他们应该阅读的东西或他们应该做的事情,除了下载更新之外,您还知道打开双因素识别和交叉手指他们还应该做什么或应该去哪里获取更多信息。

[64:56.460,65:29.920] 是的,我的意思是我想说,虽然这些攻击在那里看起来势不可挡,但现实是每个人都可以采取一些措施来保护自己,你在那里提到的一些步骤减少了 99%您将看到的攻击,并且您知道打开多因素身份验证的简单操作,不仅为您的主要电子邮件,而且为您使用对您很重要的其他帐户的其他服务,这是最重要的行为之一关键步骤,我们看到您知道 99% 的密码攻击类型。

[65:29.920,65:46.440] 停止对抗那些已经做过这些事情的人,即使你已经做到了,也可能有你认识的人还没有采取这一步,但可能需要你的经验,帮助请注意,它没有搞砸任何事情,您实际上可以做到,这些事情是每个人都可以采取的步骤。

[65:47.460,66:47.940] 是的,我能得到一个阿门,因为网络卫生不是我们听说的一个话题,它是如此重要,这是我们都必须做的饮食和锻炼,这很容易谈论关于你知道这个先进的东西或这个令人难以置信的漏洞,但真正重要的是饮食和锻炼,它是强密码,它是补丁,你知道摆脱所有这些,真正让攻击者为他们所追求的目标而努力,确保您没有在您的个人帐户中启用邮件转发 更改您的密码 尽管密码列出了所有卫生问题 它在个人层面很重要,在企业层面很重要,对于我们不得不这样做的 43,000 人过去三年的谈话强调它是一个改变游戏规则的人,所以是的,我知道你正在寻找前进的道路,学习信息,我们发布了很多博客和很多关于所有很棒的东西的技术数据.

[66:47.940,67:5.140] 我们的产品和服务可以让网络健康,你知道这真的是确保我们不必给你打电话的最重要的事情,非常感谢你的时间,太棒了,和你说话 ethan 是的,非常感谢你的时间,我真的很感激。

[67:5.720,67:10.340] 非常感谢,这很好,谢谢,谢谢约翰,谢谢。

[67:10.440,67:27.980] 国际间谍博物馆是一个完整的五点一三非营利组织,如果您想向博物馆捐款,或者如果您是当地人并想在博物馆做志愿者,请访问我们的网站:间谍博物馆 dot org 了解更多信息。

[67:28.200,68:28.536] 我们现在都可以度过一个真正的假期了,我们很幸运公主邮轮在旧金山有一个港口,每天 99 美元起,公主可以带你去墨西哥的海滩,热带地区夏威夷、阿拉斯加的冰川或加利福尼亚海岸,没错,每天只需 99 美元 搭乘加利福尼亚的游轮 致电 1800 公主访问公主 dot,com 或联系您的旅行顾问 今天条款和限制适用情感定价 11 月结束2021 年第 30 个芯片在预订前在英国登记处咨询 CDC 网站 www、dot、CDC dot amigos 器官和麦当劳之家电子邮件 Jose rizal in san Luis potosi 参数像电晕太阳当地常规赛一样开采整个团队高超音速 Cristina bolsa de艾尔和爱抚很快代表爸爸。


************************************结尾************* ****************************




***********************************英文**************************************

[0:0.000,0:30.280]  We could all use a real vacation right about now lucky for us princess cruises has support right here in sf starting at 99 dollars per day, princess can take you to the beaches of Mexico, the tropics of Hawaii, the glaciers of Alaska or along the California coast that's right, just 99 dollars per day set sail with California's cruise line call one eight hundred princess visit princess dot, com or contact your travel advisor today terms and restrictions apply emotional pricing ends november thirtieth 2021 chips are rooted in British registry before booking consult the CDC website at www, dot, CDC dot gov. 

[0:34.140,0:57.220]  Welcome to spike asked my name is Dr Andrew Hammond historian curator here at the international spy museum in Washington dc every week spike asked explores a world of intelligence and espionage by bringing you in-depth conversations with spies spy masters intelligence officers and authors. 

[0:57.220,1:9.100]  We explore the stories secrets trade craft and technology of a world that looms beneath the surface of everyday life, welcome to this week's episode of spike asked. 

[1:9.120,1:13.220]  Inside Microsoft's threat intelligence center. 

[1:13.380,1:20.460]  From your Visa card to your Outlook account from the gas you pump into your vehicle to your operating system. 

[1:20.460,1:23.200]  A cyber struggle is taking place. 

[1:23.200,1:24.680]  All around us. 

[1:24.680,1:32.100]  In this episode I spoke to the founder of Microsoft's threat hunting intelligence center John lambert. 

[1:32.340,1:38.500]  This unit tracks the world's most dangerous cyber criminals and state affiliated hackers. 

[1:38.520,1:43.620]  I also spoke to the head of the digital security unit Christine godwin. 

[1:43.620,1:49.040]  She helps provide security support to governments and works closely with John's team. 

[1:49.240,1:57.400]  Microsoft has billions of customers serves millions of businesses and works with almost every department of the US government. 

[1:57.400,2:10.160]  To say it might have something to do with information and intelligence would be like saying perhaps it would have been a good idea to buy Microsoft shares when it first went public in 1986. 

[2:10.160,2:15.660]  PS this summer is valued at two trillion dollars. 

[2:16.640,2:34.960]  Okay, well I'm absolutely thrilled to be speaking to yesterday about misty and I wonder just to start off, can you just tell our listeners a little bit more about what it is and what it does and and just help us break it down for us, what are you doing and where are you. 

[2:34.960,3:1.080]  Yeah sure think so, my name is John lambert I run the Microsoft threat intelligence center I started at Microsoft twenty years ago in security early on in my career, we had the era of Internet worms as we call, um, um's blaster code red and things like that some of you may remember in the audience and those were worms that were exploiting vulnerabilities in Microsoft products. 

[3:1.080,3:2.460]  And. 

[3:2.460,3:23.920]  I spent about ten years after that working on essentially code quality or improving the security of Microsoft products from attacks like that and what that LED me to was who was behind these attacks that we often call zero day attacks zero day exploits which are exploits for vulnerabilities and there is no patch available. 

[3:23.920,3:30.700]  And that often lead to the world of cyber espionage and nation state attackers and cyber crime groups. 

[3:30.700,3:44.760]  Today I run the Microsoft threat intelligence center sometimes called mystic and that is a group of analysts and engineers that have the skill sets of cyber security so these are individuals that know how to reverse engineer. 

[3:44.760,3:51.560]  That do malware analysis that understand how nation states state sponsored threat groups hack. 

[3:51.560,4:5.100]  And understand the techniques that they use to go target victims and exploit them and then use the data and resources we have at Microsoft to put tracking in place understand what they're doing and disrupt those attacks to protect customers. 

[4:5.980,4:25.020]  Trust them do you want to join a sure cure Du, um, kristen Flynn goodman I'm the general manager and associate general counsel of Microsoft digital security unit, so my team works in partnership with John both with a team of cybersecurity lawyers as well as a group of threat context analysts. 

[4:25.020,4:57.020]  I've been at Microsoft for about fifteen years I came into the security space in early 2000 when I moved here, Washington dc I left a legal job on the eighty fifth floor of tower one of the world trade center and helped M C I worldcom build up their cybersecurity practice at a time when obviously there was so much happening and nine eleven was really in the forefront, so I spent a lot of time in dc helping with the first national strategy to secure cyberspace and the original homeland security act. 

[4:57.020,5:20.220]  Spent time in some operational roles for other telecommunications companies doing national security emergency response work and presidential advisory committee engagements things like that and so I've been Microsoft since early 2006 and I absolutely love being a part of the security community with a nine eleven background, I'm a lifer, I'm here to stay. 

[5:20.220,6:20.520]  And, um I must have done that when you put the terms advanced persistent threats and cyber threat intelligence alongside general counsel it sounds like a bit of a nightmare to be completely honest, no because um, one of the coolest things about being here at Microsoft is that we're looking at all tools to go after the attackers who are impacting our customers and so if one of those tools is leveraging the legal system and the way in which we can share information through contracts with governments are partners around the world then let's do it, let's find ways to continue to be creative and innovative, because these attacks these advanced persistent threats harm or customers, so yeah power to the lawyer, that's not a bad thing and John you were thinking about what's the superpower that Microsoft has and I wonder if you know everybody loves to hear about superpowers, could you tell us a little bit more about. 

[6:20.520,6:25.340]  The superpower that Microsoft has and and and your founding mastic. 

[6:25.960,6:55.440]  Yeah sure so people often think the attackers have all the advantages in this space, but the reality is defenders, we have a lot going for us, Microsoft is you know the only company are one of the only companies that is a platform company with our operating systems, a cloud company with azure and an enterprise company, so the combination of those three things together, it gives us the ability to understand what's going on on endpoints all over the globe. 

[6:55.440,7:24.740]  To know what's going on, when customer when attackers come after our cloud customers and those enterprise customers, those are often in the crosshairs of these attackers and so if you want to know what's going on with these attackers you have to understand what's going on with the victims and that intersection across all of those three things really gives us the opportunity that we have to go do something about it, you know we have the products and services at Microsoft a lot of how we're able to intervene and disrupt. 

[7:24.740,8:3.620]  We have an antivirus Windows defender that runs on hundreds of millions of computers around the world and also it's part of the email protection product that we have and lots of customers running on premises, so once we get sited on one of these attacks that's an amazing tool to get data in telemetry and also to disrupt those kind of attacks happening on hundreds of millions of computers or what have you and so the ability to take that intelligence we have and then turn it back into signal that is consumed by our email product platform, the cloud platform, the endpoint products that we have those are some of the superpowers that were able to go do stuff with. 

[8:4.300,8:31.220]  In part of the super powers as well as the Microsoft has eyes and ears, you know all over the world in the form of its of its software of its products on a computers and numbers and the hundreds of millions like you say and I wonder if you could just unpack telemetry a little bit more because I found it quite interesting, just speaking about attacking defense you turn something that was seen as. 

[8:31.220,8:39.740]  A floor of weakness singin' in re-harnessed it and then aggregated to turn it into a form of defense, can you talk a little bit more about that. 

[8:40.560,9:34.420]  Yeah one way to think about it is if you're a customer of office three sixty five or azure you're going through the service at Microsoft to use that product or service to send information to azure you're going through azure's fire walls and its front door services to go deliver a malicious email to an inbox you're going through the layers of protection that the service has those layers of protections are instrumentation points that we are able to go put in detective controls that are able to recognize malicious code phishing attempts, things that we identify through tracking these actors and the attackers have to go through those layers to go after the victims in our services and that's an example of how we're able to go have that visibility because they're going through our cloud services to try to reach those customers. 

[9:34.980,9:58.040]  So it's like when you get an error message on your computer telling you that something's happened and then it asks if you want that that information to get sent back to the people that have developed the software it's like that, but if you aggregate all of that information together, then you can, you can start to find patterns and detect who's doing this type of stuff is that right. 

[9:58.360,10:9.980]  That's right and and if you understand how to look at data from a security perspective you can also often learn, learn things that are actually an attack in disguise. 

[10:9.980,10:16.440]  And understanding the difference between what's an attack and what's not that's that's what we try to do. 

[10:16.940,10:55.480]  One of the other things that I find quite interesting is help us understand the role that mystic plays within Microsoft so say for example, it's the um office of special investigations and we can think about where they are within the role of the us intelligence agencies or something, but you know Microsoft and 8 million square feet, 50,000 employees, a trillion Dollar company help us understand like where is mystic in relation to the organization and you know where is it housed and you know yeah just give us a better understanding of of your unit. 

[10:56.320,11:20.500]  Okay, yeah, so one way to think about mystic is at Microsoft, we believe that security is a team sport and so my team which I'll describe in a second where we sit we work with all of the other security teams around Microsoft to go deliver protection and disrupt threats the part of the thesis behind why I created my team the way I did was a typical approaches. 

[11:20.500,11:35.980]  To have security teams embedded in our products and services, and we absolutely have that we have azure, there's an azure security team, we have office three sixty five there's an office three sixty five security team and so on I knew we needed a team focused on the adversary. 

[11:35.980,12:5.940]  Wherever the adversary went before they ever attacked you after they were done attacking you need to follow them all the way through their life cycle and study them, actors study us, they study our customers, they study our technology so we study back and by understanding what they're doing through their full life cycle, you may see them coming before they've ever launched their attack and able to disrupt that or you may understand what who they're gonna go after next and so that was part of having a team that was focused on. 

[12:5.940,12:22.320]  Threat intelligence focused on the adversary, and then using that and working with all the other security teams across Microsoft in that team way to take what we're learning about them and then go disrupt and intervene and protect as your customers when those customers you name it. 

[12:22.400,13:22.880]  And so then we evolve that concept to take the threat intelligence and build out a threat context and so that's where my team in the digital security unit comes in because John is expert at looking at who is it behind the attack and how are they executing the attack and my team will look at why, what are the motivations for the attack are and who are the victims so that way we can understand the holistic view of the attack so that we know it is this nation state actor and they are geopolitically motivated, there's a bilateral negotiation coming up or you know it's Russia v Ukraine there's a big Ukrainian holiday coming up so we're gonna watch the Russians go after, um, some infrastructure in the Ukraine and make life difficult heading into a holiday weekend so we're looking at the why of the attack and who the victims are so that we can then go share information back to customers and to the world to help really understand that the macro view of why are these attacks happen. 

[13:23.880,14:6.240]  Wow, that's fascinating here at the spy museum, you know we look at some of the motivations that people have for spying and there's an acronym mice money ideology, coercion, ego, is there something similar for the reasons why people do this stuff like money, obviously you know ransomware ever ideology, maybe you're you know trying to defeat liberal democracy or something, and then the you know I guess some people you know, um, just want to see the world burn some people just do for badness, I remember when I got my first email account with Yahoo and someone said you need to be careful of viruses and I was like whoa. 

[14:6.240,15:6.700]  And they're like yeah there's these viruses and I'm like but why do they do it like they just do it because they just do it I I couldn't get my head around it, but yeah I mean that's another one people just do it because they just want to be destructive, so help us understand a little bit more about how you sift through and analyze and categorize all of those various motivations, kristen sure so there's different tiers of attackers right you've got the activists the types that are harassing people with their Yahoo accounts and spam and a lot of cyber criminal activity ransomware, those are big categories of attack activity where we're focusing on is the pointy end of the sphere, and that's the nation state peace because you tend to see that when nation states are investing money and resources to develop new tactics and new techniques to go after targets then that gets out into the ecosystem and others will follow ray why re-invent something new when it works so well, so when we're looking at nation states and that's really the brilliance of John's team is that they're experts at five. 

[15:6.700,15:16.160]  The needles in the haystacks of these nation state actors amongst the data what we see in the why and the victim space is that. 

[15:16.160,15:46.520]  These are intelligence tasking's just like in the good old five versus five days where you'd have a target and a collection and a mission, now we can do that all digitally and remotely, it's completely changed the game and so you'll see if there's an upcoming negotiation about a major treaty or if there's a G7 meeting or if there's a geopolitical issue like coded you'll see nation states targeting health information or they're going after. 

[15:46.520,16:10.380]  Virus information or it's related to an issue of importance to a government so that's why what's so fascinating is that we see so many think tanks and policy shops in the victim space right now is because the intelligence collection priorities of governments is aimed at what's the other government go do and so they're trying to gain access to that information, it's a really fascinating space. 

[16:10.380,16:55.940]  It really isn't I want to get back to offense and defense in a second, but you know you mentioned geopolitics there I mean it sounds like I don't know it sounds like really fascinating you've got people like John with his skill set and then it sounds like you, you know you have a team that's boned up on geopolitics, you know you mentioned you're creating people following elections in Ukraine and so forth and tell us a little bit more about that about, are you recruiting now, people with international relations PhD's because I'm on the Mark giselle and my boss is going to listen to this so so the applications are open, so yeah so we've been hiring threat context. 

[16:55.940,17:35.460]  Experts, so what we look at is a range of intelligence background, um, your experience in and analyzing data from teams like mystic a technical information being comfortable with that and a deep understanding of the politics of a particular country and region, their political interests and influences their sphere of influence and then language skills it's really important to understand not only being able to read political and technical and packer slang in local language, but to be able to then help us contextualize that and so we bring those those skills in to support. 

[17:35.460,17:49.320]  The mystic organization right now we track what we call the big four most attacks come from Russia XXX Iran or north Korea, so we've got geopolitical Intel and language experts for all of those domains, we're always expanding. 

[17:50.020,17:56.540]  Wow, that's that's fascinating and I just want to go back to offense and defense John, can you just. 

[17:56.540,18:24.280]  Help us understand that a little bit more and feel free to use whatever sport you wish to try to help us understand it could be tennis, you know you get defensive players and offensive players or you know soccer football whatever, um help us understand that offense defense kind of dynamic and maybe the best way to do this is to give us like an example of Solar winds or um something else, give us an example to hang your heart on. 

[18:25.020,19:4.500]  Yeah sure so like kristen mentioned one way to think about my team is you know a bunch of computer scientists that understand these attacks that understand the world by reading the economist and we know that we need a deeper understanding of geopolitics than that and that's that's an example of why the partnership with Christians seems so important to us to know why these attacks are happening and contextualize them, an example of an attack that we identified was earlier in the year there was an actor based in XXX that had exploits for Microsoft exchange which is our email product, we discovered through our tracking of this act or that they had these exploits. 

[19:4.500,19:52.120]  And they were for vulnerabilities that were new and we worked with the security teams at Microsoft to ensure they had the technical data to understand them so they could patch them, other security organizations around the globe also discover that there are other security companies that are protecting their customers that see attacks against them velocity and others that also send in that information as well, and the Microsoft response apparatus, which is like there's a slate and DNA that all Microsoft responders have to just when a crisis happens to just mobilize and we worked together often so we know we know how to do it, we know how it works and for that you know, Microsoft worked to put out patches for exchange and one of the things we found was that. 

[19:52.120,20:15.480]  There are a lot of customers, especially in small and medium business who had not been updating their exchange products and these are products that they run on premises themselves, which is different than say office three sixty five which is run by Microsoft and was not affected by this vulnerability, so we needed to put patches out for versions of exchange that we had stopped supporting years ago. 

[20:15.480,21:15.880]  That they could just apply that pinpoint fix for so the product team ultimately put out I think patches for over twenty different versions of exchange to support them, and then we also put out one click tools that would mitigate this exploit for customers that didn't didn't have the it staff to even put on patches, if that step was too hard for them or too complex, this was a one click tool you could download around it would mitigate, um these, these patches, these these exploits and if I get out in their John one of the cool things about that that one click tool was that um, we were partnering with the white house at that point in time they were really focused on how do we help get simple tools into the hands of small and medium sized businesses that really don't understand that the complexities of exchange because if they hadn't updated it since they installed it, um, they really weren't going to be well equipped to do a lot of heavy engineering and so that was the really cool partnership between the white house. 

[21:15.880,21:29.140]  And and the the teams involved in this really extraordinary response was our ability to to come up with a technical solution that was really simple and easy to use to help address something that was really complicated. 

[21:30.180,22:13.120]  And then one final a comment on that is while originally these exploits were in the hands of a group, we called hafnium every group that we track we assign a name from the element periodic table, the attacks that really really started to see and gather and this is the nature of offense and defense were performed by copycats and so as the information about the vulnerabilities becomes public they reverse engineer patches they you start to see these copycat attacks by cyber crime groups sometimes other nation state groups that want to quickly use these the closing window that they have on on exploits before the world patches and it's really that those copycat set of attacks where most of the volume is. 

[22:13.120,22:44.180]  And that's the race to what if a ransom were game starts using it, what if some other volume metric attack starts happening that can outpace defenders, so while we are initially in this sort of cat and mouse game against these nation state groups that are doing low and slow attacks that we talked about earlier the derivative attacks that we see by copycats is really where most of the volume and harm takes place, and that is the race that we're in every day to make sure customers stay ahead. 

[22:44.280,23:20.320]  It's really fascinating that it's a constant cat and mouse game every day and I wonder if you could just talk a little bit more about how all this shakes out in terms of like the different actors that you mentioned kristen so Russia XXX Iran and north Korea and why is mystic looking at them is that like a tasking the in partnership with the government of actually to look at them or is that just you're sitting, looking at Microsoft products and that's where most of the attacks are coming from or help help us understand that kind of like matrix. 

[23:20.420,23:28.260]  A simple way to think about this is we look at where our products are used by customers and we look at attacks against them. 

[23:28.440,23:38.660]  As customers move from on premises where they were the ones that had visibility into their attackers as they move from on premises to our cloud services. 

[23:38.660,23:59.420]  They brought their adversaries with them, their adversaries didn't lose interest in them when they move from their you know their castle walls into a cloud service that Microsoft operates the adversary said okay well let's go understand how to attack them there and that brought you know we track over seventy different threat groups from over twenty different countries. 

[23:59.420,24:24.720]  A in my team, that's a sign of really the broad global customer set that Microsoft has and the diversity of threat groups that are out there that are coming after them and so in a way, it's the attacks on customers that decide why we focus where we focus and those attacks that are coming after them is is really what's driving the volume the priority and you name it. 

[24:24.920,25:14.640]  And so once John's teams identified the attacking states right then my team will get involved and we'll look at how are we notifying our customers one of the things that we do in partnership with mystic is oversee our nation state notification process, so we track data now that's one of the great things about the instrumentation of this and the telemetry that the mystic gets is that we're then able to create our own database of the attacks and understand what the volume looks like, so going back to august of 2018 we started keeping data we've notified over 43,000 customers either a targeted attacker compromised attack from one of the nation state actors that we track that's where we're able to using data come back to save. 

[25:14.640,25:31.900]  The majority of attacks are coming from the big four from Russia XXX Iran or north Korea because out of the seventy major attackers and the twenty countries that John sees by volume, it really whittled itself down to a small number of countries on repeat. 

[25:31.900,26:8.060]  And that sounds like a phone call you really don't want you know you're you're being attacked by some of the most sophisticated hackers on the planet who are backed up by the Russian government, you know I'm not it's going it's going to take the edge off of my thursday that's for sure, how do you notify them and help us understand that yeah we won't show up at your door but we'll figure out how to get in touch, so for consumer accounts we see a lot of nations data activity against consumers, consumer accounts because of course those are our people that may have. 

[26:8.060,26:59.340]  Geopolitical roles but they have personal accounts too, so will provide electronic notifications to too many of our consumer accounts or we will use the secondary or Tertiary contact information in profiles for our enterprise customers that are attacked will contact every enterprise customer tells us who they want us to work with in the event of a crisis, so will contact that person, if we believe that we cannot contact them by email because of compromise, we will call them and find a way to get a human on the phone, there has been a small number of times when people didn't believe us we've had to call back and say no really, we are Microsoft and we're calling will help them validate who we are so that we can have that conversation because the most important part is for us to give. 

[26:59.340,27:11.700]  The victim information that they can use to help protect themselves so they can either identify the attack or or put some protections into place because what we don't want to see is a repeat of the attack. 

[27:12.200,27:22.500]  Part of what I was just going to add with what these notifications that's very valuable is an attacker can change up how they attack they can come up with new techniques. 

[27:22.500,28:1.060]  They can move on to new methods, but the interest they have in their targets is often evergreen they're gonna come back and so these notifications are often turned into a basis for partnership with these organizations that are repeatedly targeted and that's very valuable from a threat intelligence perspective because we know the attackers will probably come back there and if we have a relationship with that organization and they're able to contact members of my team or members on kristen's team when that's happening, we have an opportunity to understand about the new attack the next attack and often will use that those insights that we get from that to go. 

[28:1.060,28:10.840]  Spider out pivot around and find out more about the breadth of what the attacker is up to now, so it's yet another tool in the toolkit that comes from this very valuable program. 

[28:10.960,28:12.180]  Wow. 

[28:12.240,28:48.960]  A few like maybe a month ago or so we had the acting director from the national counterintelligence and security center on spike asked and he was saying that after the episode people were getting in contact with them looking for advice and you know help him for you like for customers for small business owners for people in the icy out there listening to this podcast and yes should should they get in touch with you as there are a way to do that or like a Hughes Kennedy doing something separate by tracking the adversaries or yeah help us understand that a little bit more. 

[28:50.120,28:57.740]  Yeah, maybe a couple of ways to answer this, what is we do have regular communication paths with. 

[28:57.740,29:23.360]  The cyber security industry, those companies, the major platform providers people you think hey you compete with Microsoft in some way shape or form clearly don't talk to them or cooperate with them or work with them and I think you'd find that a lot of people that work security, you know security gets in their blood, they all face common adversaries, we all see the adversary from our own perspective and I will tell you the analysts that track. 

[29:23.360,29:49.720]  The other threat groups from whatever country they all know each other, they all talk to each other and we have ways that we collaborate across you know lines of competition across countries and so on, so that is there if people find vulnerabilities in a Microsoft product or service, there's a program we have called cvd which is really about coordinating with Microsoft to tell us about those vulnerabilities so that we can fix them in our products. 

[29:49.720,30:10.960]  Make customers aware of them and do that in a coordinated way that tries to minimize the harm from these copycat attacks that we talked about so that's another very important program that we have those are some of the ways that we reach out to people, anybody that's a customer of our products are especially a customer of our security products that builds in a flight path back to Microsoft. 

[30:11.640,30:45.360]  That's the most traditional path, I'd also encourage for any of your listeners that are in the us government to contact the major coordination centers if there's something that's kicking sisa and the department of homeland security is there to help coordinate on the civilian agency side, obviously the adi and the other agencies in the Intel space have their own cyber coordination capabilities and so that's where reporting inside the federal government they'll use their traditional channels to be able to reach out just like they do it's really terrific. 

[30:45.360,31:25.260]  You know John brought up coordinated vulnerability disclosure, we love it, if somebody finds a vulnerability and then they report it and we've given credit to the NSA when they've reported vulnerabilities to us that we can then go and repair and we we give them credit and coordinate our response there we've done that in the past with gchq as well and so we love getting reports into our traditional channels and support mechanisms to help us and that those who are invested in the day-to-day of security response for the US federal government, other countries data, how to get in touch with us too. 

[31:25.960,31:47.020]  I want to pick up on something you said earlier kristen about the game changing to me that this is like so fascinating like timmy with the invention of the aircraft, it meant that civilians could be on the front lines because aircraft can bypass the front line on the ground and it seems to me in the cyber era the. 

[31:47.060,31:54.720]  Every citizen everybody with an iPhone everybody that's connected to the Internet in one way or another is. 

[31:54.720,32:9.840]  You know there and the game much more than they used to be like in the cold war, maybe you say you were a corporation that was developing advanced aeronautics, then sure people could try to steal your blueprints or something, but now. 

[32:9.840,32:39.960]  Yeah it seems that more people are finding themselves on the front lines of this kind of ongoing struggle, so I guess I guess I just wondered if you had any thoughts on that because you know like info SEC information security used to predominantly like you say spy against spy, you know it would be locked up in the Russian embassy in dc it would be locked up in the state department but now it's out there the lines of battle a broader more people are involved and help us understand. 

[32:39.960,33:40.260]  Yeah, just your thoughts on on this change in the game that you mentioned christo, sure well obviously governments are spending billions of dollars in cyber offensive capabilities right so that traditional inside inside the four walls of an intelligence agency in Russia or XXX, you know that hasn't changed that's that's just a part of the game one of the big things that's changed has been the inclusion of a community or growth of a community that we call private sector offensive actors you're seeing smaller countries that don't have the tools necessarily to do their own surveillance operations or information exploration under monitoring, they will contract with these companies to provide them services and there's been a lot of attention being paid to this space recently even as recent as as september fourteenth Apple was pushing out an update. 

[33:40.260,33:57.080]  Or a vulnerability that was being used by the NSA group an Israeli based company that's pegasus software has been involved in surveillance of human rights workers journalists there's lots that's been published about this and they are involved in litigation. 

[33:57.080,34:13.900]  With what's APP for vulnerability that they had also leveraged their and we contributed to that lawsuit and filed an amicus brief back in December of last year, now talking about the harms that these types of companies perpetrate, um, we saw I think it was. 

[34:13.900,35:14.220]  September fifteenth the us indicted or had reached a negotiation agreement with several individuals who had been a part of the US intelligence community and then had gone to work for companies in the UAE violating their obligations to protect us information, so it's a fascinating space right you're seeing the growth of money coming into this creating tools and technologies that can enhance a country's capability or law enforcement capability because law enforcement now is moving into the domain that had been that of the intelligence space, so is forcing us to have to think about and Microsoft is really leaning into the global conversation about cyber peace and the norms of government behavior and appropriate behavior in cyberspace and the harms that these technologies can can create when unchecked because it's one thing if you're seeing a very small use, one major country against another major country, but when there's a broad market. 

[35:14.220,35:22.280]  For it and venture capital starts coming in it really changes the tone and tenor of the space and so that's an area of concern for us. 

[35:22.280,35:50.020]  I was just gonna add Christian that you know a lot of what we've talked about attacks against sophisticated organizations and you know we have a lot of consumers that have to worry about cyber threats as well, anything that comes into your inbox is a phishing mail, um, it's something you should or shouldn't click on and everybody you know you have to have a password for all these different websites these days, everybody hates having to manage all these passwords are the only people that really like passwords or criminals. 

[35:50.020,36:16.620]  And so because people if the passwords complicated enough to be secure you're not going to remember it, if it's simple enough to remember it's not going to be secure and so you have to have solutions for just these everyday problems and just this week we release some new features that allow people to just not have passwords anymore for their Microsoft accounts you can use secure applique map on your phone or your phone itself to approve log ins to your account. 

[36:16.620,36:31.060]  And that's just a much more secure basis than people having to remember yet another password, they're probably gonna reuse on a dozen other sites and if any of those sites get hacked you know your your main account is now vulnerable, so solutions like that that make it. 

[36:31.060,36:47.160]  Kind of easy for sort of everyday main street users and everybody every wall street user is still a main street customer in that sense right, we all have our personal accounts that we use and those are very important to us providing solutions that work there too is very important. 

[36:48.560,37:30.600]  I mean, it seems to me that you know it's almost like calling for a whole of society approach and I just wondered you know obviously you know you guys are doing the lord's work, and there's other agencies that are involved and you know there's people out there that are trying to protect just Joe q public on the street, you know he's gone about his business, but how do we get towards the stage, or is that somewhere we should go where we have everybody been at some level a cyber citizen who's her doing their good part to make sure that cybersecurity and the United States are and its Allied countries is all it needs to be. 

[37:31.320,38:4.580]  Well there's certainly an action and reaction going on in the geopolitical space recognizing this conundrum right, you see that the Paris call and the tremendous energy that's come up with the countries and commercial signatories that are recognizing the need for norms of behavior in cyberspace and how governments need to exercise restraint and minimize impact so absolutely, Microsoft has been at the forefront of those conversations and I know we plan on being there at the same time you're seeing. 

[38:4.580,38:46.300]  Major investment from governments coming into the offensive capability space and we saw in XXX, it went into effect september first some of their new vulnerability reporting legal obligations for Chinese companies so you're seeing XXX wanting more vulnerability information so so that's where if you're thinking about the balance of building offensive capabilities and the need for defense, um, it really highlights the important work that John's team is doing the average a lunt side and the products and services, we have the Microsoft threat expert service and other tools that we're bringing to the table because. 

[38:46.300,39:13.620]  Money is coming in governments want to expand their ability to see and not have to put people in harm's way from an intelligence collection perspective but at the same time as John said and I completely agree, these are attacks that impact people and at some point there will have to be some international detente on on that issue and until that happens, Microsoft will be in the middle and trying to lead that conversation where we can. 

[39:14.480,39:29.140]  And a slightly playful question does Apple have a similar unit to mystic that's gathering in data from all the macs in all of the owes all of their operating systems and software. 

[39:29.440,39:45.060]  It's really hard for me to comment about what they do they certainly have security people they respond to vulnerabilities, they are affected by some of the same attackers that you kristen talked about earlier and they have cyber ranks over there we know some of the security folks yeah. 

[39:45.160,40:9.880]  One of the other things that I find quite interesting is you know if you look at the history of intelligence over say the past 100 years quite often the places the nodes in the system that are most critical are a place that is the focus of attacks, so I'm thinking of people like Phil bay ames Robert Hansen you know. 

[40:9.880,40:36.220]  I mean, you couldn't make some of this stuff, hardly the person who's responsible for running Russian counter intelligence just so happens to be a Russian agent, so I I guess that's a long-winded way of saying the youth have to run your own kind of counter intelligence operation to make sure that mistake and other people that work for you that you know you're building your physical infrastructure to make sure that's all secure and that's all safe. 

[40:37.460,41:5.160]  Yeah, maybe a way to address that as you know to become a Microsoft employee you go through screenings obviously if you're an employee that handles any kind of data that is classified you have to go through those processes, we have a fairly rigorous process at Microsoft when it comes to rules around access to data and part of those controls and rules are technical controls, part of those controls are a separation of duties between what investigators. 

[41:5.160,41:31.880]  A can do, and then what actions can be taken based on the investigation and we work with members in the legal team to decide, sometimes the right course of action to take based on what findings that we have and that partnership kind of across the divisions across the roles and responsibilities are a part of how we make sure that we're honoring the obligations that we've made the customers working to keep them safe and trying to give adversary setbacks. 

[41:32.600,42:5.880]  All of those are important elements of basically what we call our insider threat program and so we're um, you know we don't have the same issues like aldrich ames and and, um, you know the counter intelligence types of operations like that where you've got to know the Kim philby's of the world, but absolutely insider threat is an issue in the private sector and one that we take very seriously, so all the elements that John described and others are essential to how we think about those risks. 

[42:6.560,42:29.940]  And I read somewhere online that you have people that used to be in the intelligence community as part of the team and you know they circulate throughout the security world, so I wondered if it was just a case of have applied and they happened to be in the intelligence community or if those are skill sets that you're that you're looking for or types of people that you are actively seeking out. 

[42:30.060,43:30.540]  I'll say not exactly a lot of the folks that are in my team come from a technology background, they come from incident response that practitioner a world is very helpful, speaking for myself I never worked for any government I worked I got a computer science degree went to work at IBM outside of college I fell into security there because as the new person I got the last pick of what to work on what did nobody want to work on security so and I fell in love with it attack defense cat and mouse, the perfection required all of that stuff I just got into my blood, and then when I came to Microsoft started in security and understanding the technology and our customers and then thinking of how attacks manifest on that, that's that's the DNA that we look for that passion that that ability to work work in a team way across the company and across as much as I have a hundred stories of amazing behind the scenes stuff, it is what is this. 

[43:30.540,43:55.460]  Work with other companies with target organizations and governments that really help us put this picture together and work this problem every single day, so you know you might think, oh you want everybody that has done this professionally before for government not not so much I would say that that instinct in those investigative instincts, you know that technological pirate a bit, those are the things that we look for that passion. 

[43:57.440,44:31.120]  Now I do hire out of the intelligence community because the skill sets that I often need require a lot of experience in parsing intelligence lots of disparate data sets and then coming up with a narrative and marrying that to the geopolitical often is a skill that is best honed inside the intelligence space because as far as we know our threat context and analysis team is the only one in the world and so we're drawing from those skills which has previously been the domain of government. 

[44:31.180,44:59.420]  To to think about how do we how do we mimic those skills and so that's what we're trying to learn is not not to be an intelligence space, but how do we write, how do we communicate and how we then communicate to the world and so that's really the types of skills that I'm looking for when I'm hiring is the writing experience, so we've also looked at people with a lot of writing backgrounds too. 

[44:59.420,45:55.840]  I mean one of the interesting things that strikes me as just based on our conversation as the levels of a translation that have to take place so to go from zeros and ones into forming a picture where you're looking at specific actors or countries and then that could be, um, you know we're talking about different languages like you said kristen Korean Mandarin and so forth, and then, that has to be translated into a narrative which inevitably you know compresses and edits and selects and privileges, certain types of information, so I guess just across that whole kind of pana play they're just help me understand how information gets passed off from your team John over to Christians and vice versa or out to the company, yeah sure so you could think we. 

[45:55.840,46:0.760]  Approach the space built top-down and bottom-up bottom-up might bin. 

[46:0.760,47:1.220]  Our tracking work helps us understand attacks are taking place, um, they're trying to guess the passwords of a customer at Microsoft are trying to deliver a malicious phishing mail or malware delivery and from there we already have some understanding of what group may be behind it because of the tracking work, we did ahead of time to discover that activity in the first place, and then who is the victim organization and do we have some understanding of why they may be targeted in some cases it's completely obvious from history or based on traditional geopolitical purposes, in other cases it's not clear why they're targeted and it takes some work to understand oh that's some obscure company in the supply chain of something something then that's potentially the reason why and pulling that picture together especially with the why this why now perhaps what is going on that this is happening at this point in time, that's where working with kristen's team and they see all the attacks that we discover and uncover. 

[47:1.220,47:21.520]  And they are there helping zoom out while we're working the technical because knowing about the attack is one thing we have to do something about it at the same time, if you haven't already and my team is often focused on those technicals but Christians seem is there to go take the pieces of okay, what does that mean, what does the picture going on with that and what does that mean it's going to happen next. 

[47:21.820,47:24.560]  Do you have any thoughts on that cross then. 

[47:24.580,47:55.600]  I'd add to that when we were in the Solar winds attack for example thinking back to this December John's team is doing some brilliant Olympic level gymnastics to go through data define, how did the attacker get from this on premise environment into into this victim and my folks would then step back and look at all of the victims to say wow, look you know there's a real focus on the it sector here, what is this nobelium actor going after. 

[47:55.600,48:27.660]  And how do we talk about that and you could see that in the blogs that Microsoft was releasing a where we were sharing with the world like look you know I don't remember off the top of my head the percentage of victims that were in the it space, but we were breaking out by country by by by sector so that people could understand what was nobelium going after why and where and so that was really interesting and so so that's what we'll do is once they've found that needle in the haystack will record it and run with it and see where it takes us. 

[48:27.660,49:28.120]  Wow, and one of the things that I was wondering as well, John you know given that you're kind of Zeroing in on these actors on a daily weekly basis, how are these, you know for people out there that are maybe a hoe running cold war a cold war operating system, help them understanding you information security kind of environment, we often hear in the newspapers that they're affiliated or linked to say the s ver or a Chinese intelligence agencies may be through an example, help us understand that like what does affiliated mean, does it mean that they look the other way, or does it mean that it's basically a proxy and they're running a program and you know it's kind of off the books but kind of on the books or or is it something else and wait, where are these people getting the skill set that they go to like you know, is there like a Russian intelligence course for black hackers or something or you know it just is it just something. 

[49:28.120,49:47.380]  That they're they're picking up, um, yeah just helper listeners that are kind of not as familiar with this world just understand these dangerous actors that are out there I would say it really varies you know no doubt some of these people are government employees, they work nine to five and. 

[49:47.380,50:9.140]  You can conduct what's called a pattern of life analysis of the attacks and go what days of the week is this occurring, what time of day, what time zones, is this occurring you know it's not attribution so don't think it's the same thing as that but it's a data point and you can tell as kristen talked about earlier sometimes on certain holidays, national holidays, nobody showed there's no attacks that day. 

[50:9.140,50:40.200]  They seem to knock out after five PM or what have you so some of this tells you this is a nine to five job for some of these folks for other cases it seems to be a nighttime job so they have a daytime job and at night their hacking skills are put to effort for enrichment purposes and they use that to go hack companies to enrich them and their group of hackers so it really does vary across the globe, a lot of what we're trying to do. 

[50:40.200,50:46.280]  Is track an actor from the perspective of if you think about. 

[50:46.280,50:51.520]  An actor an attack having four different components, one is what is the attacker after. 

[50:51.520,51:18.740]  The second is what victims are they going after another is the infrastructure they use to conduct their attack, the IP addresses and servers and all of that that they use and then the last component is what capabilities do they have what malware do they have zero days, what are the tools and those techniques, those four those four components, you look at them together and analyze them across many different attacks you get a sense of okay, this is the capabilities of an actor. 

[51:18.740,51:40.600]  And then once we understand that well enough we will assign them a name from the periodic table will have a nobelium or we'll have a strontium or a thallium or what have you and that's really reflecting the maturity of understanding that we have on how this actor operates the who that person is behind that group often is not necessary in order to track their activity. 

[51:40.600,52:16.200]  Do they wear a uniform do they wear a tie, are they sitting in a basement, you often don't need to necessarily know that step in order to continue to track their activity and to defend customers, what's really important is tracking their activity of course, and then it is it is often a frequent that we will track an actor and some other authority, sometimes the United States government or someone else, they'll be an indictment what they will go that further step and say hey this attack on this entity which we saw and observed they will do that level of attribution on and then that's sometimes how these things are linked. 

[52:16.580,52:55.920]  And that's a really important point right because what John is drawing a distinction in is that Microsoft needs enough information about activity groups and actors to be able to protect our customers whereas a if you're moving into that law enforcement space attribution down to a person for the purpose of bringing someone to justice is not generally something that the commercial market space needs and so that's really something that needs to be in the domain of the government and and so governments need to be focused on that level of attribution and using their legal tools to make that happen, that is not something that Microsoft is pushing into. 

[52:55.920,53:16.700]  Because of course, um that is not something that we need to help protect our customers, so with something like cozy bear you're just you're looking at what they're doing you're not necessarily trying to say this is who this eyes or you know there are Russian intelligence or not that's something for the government is that correct. 

[53:16.840,53:38.640]  Well, in order to attribute back to an individual that requires subpoena powers and legal authorities to be able to gain access to information that we don't need in order to do the things that Johnston was talking about writing the protections that help us with our customers so those legal authorities are best left in the hands of governments. 

[53:38.640,53:50.040]  And I just want to go back to something you mentioned the minute I go there for John, you said amazing stories behind the scenes, can you share one with the spike asked listeners sure I mean. 

[53:50.040,53:59.560]  Maybe one example from this last year that happened with Solar winds was you know fire I was really the first company. 

[53:59.560,54:17.980]  To break the story on this attack with on their attack, we learned that they were attacked because individuals there reached out to members of my team to help investigate why would they do that part of this goes to no one company can do this alone. 

[54:17.980,55:18.280]  And those individuals new folks from my team, some of them were former employees from over there they had trust relationships and in a crisis you're going to call people that you trust and that's going to happen across like I said lines of competition because you trust that person right now what can Microsoft, do we can take the specific elements of the attack that they were seeing and in cybersecurity you know you're not seeing everything you cannot guarantee your seeing everything you have enough humility to know that so you want to always try to get the bigger picture right because if you remediate and tried to block an attack and you've only done part of it, the attacker is still there so you want to gather as much information as you can in order to be successful and they can take what they're seeing locally and work with Microsoft and what we're seeing globally and try to get a better sense of what's going on, and then hand them that information back so that they can go better protect what's happening to them and that kind of partnership I was there early, when that was happening, the back and forth. 

[55:18.280,55:56.580]  That's happening across the multiple levels of interactions between the companies and organizations as we're identifying this and then our teams working together and their brilliant work to identify hey, it's the Solar winds software that has a problem, that's how they got in and what does that mean how broad is that problem was it something very tailored just for them or was that method of access happening to all customers of Solar winds and where did that go and that's really where we could work with them and try to understand, what's the breadth of this, what does that mean and how far does that rabbit hole go down, you know I would say that. 

[55:56.580,56:28.080]  That several months while that episode was going on I sort of measured the day by you know, was this a day I could get out of my pajamas or not you know, that's how busy you know every moment of every day was working this thing, but those events are what people in this space are ready for that's what they are here to do and again I just you know as much as I can tell you Microsoft has a lot of great people, we do but it is those partnerships with other companies and organizations that's so vital that's part of this. 

[56:28.960,57:3.260]  One of the things I add is that when you look at other other organizations or other um sectors, they'll talk about you know industries and groups security calls itself a community and so when you see an incident like Solar winds, you know it's all hands on deck and so that's the cool thing is John's right, you know when you've been in your pajamas for two days and you haven't left your keyboard and you're exhausted, you know that if you pick up the phone and call somebody in another company they're doing the same, and so you know that that focus on. 

[57:3.540,57:28.840]  Protecting the customers, understanding the incident responding to the crisis that runs so deep that a you sort of don't notice it until you sit up and realize it's dark out when you thought it was nine o'clock, and I remember a conversation with Kevin mandy ahead of a fire I wear this was several weeks you know several weeks after it had all started and you know I told them when they reached out to help for people in my team, they worked. 

[57:28.840,57:51.580]  Fireeye's breach as if it was their own, they felt that level of personal involvement and commitment and interest to it and they work nights and weekends to try to pull a what they could together for it I just think that kind of sense of mission is something people would probably not be surprised to find is common in the cybersecurity space, it's just very important. 

[57:52.340,58:13.160]  And we all had to tell the world about it I think John might remember the number I think it was like 32 or 33 blogs by the time we had finished the incident and you know communications was really frightened in our minds because it was such a big big incident and that collaboration was such a huge part of how we responded. 

[58:13.200,58:20.560]  I wanted the things that I'm hearing and I don't want to put words in your mouth, but one of the things that I'm hearing is that. 

[58:20.560,58:23.520]  Like members of your team, the in. 

[58:23.520,59:11.160]  They kind of appreciate and enjoy the game of blocking attacks a defending people you know the the intellectual stimulation that comes along with it being a dynamic and fluid field but there's also an underlying sense of search of search, there's an underlying sense of mission and of service and you know I haven't been paid by Microsoft for saying that but I don't know, that's something that I'm picking up is that and and we you know we often hear of like that kind of mentality and the intelligence community, sure it's the government they don't get paid well you know but they could get good benefits, but they have this sense of mission, but what I'm hearing from you is as there's also a sense of mission and mistake. 

[59:11.320,59:40.760]  That's right, I mean in cybersecurity, you know there's a good guy, there's a bad guy and and the responders and defenders feel like that's our role there to go out and try to unravel and disrupt this and protect customers so they go about their lives and their business and you know that the pursuit that the hunting the intellectual exercise that in there it makes these people tick you know it is part of that investigative puzzle and when they get a breakthrough, it is thrilling. 

[59:40.760,59:53.780]  You know, and even when the breakthrough means look at all this bad stuff that's happening for everybody else that might be a bad day for us, that is something we're ready for and pursue every single day and then we can go do something about it. 

[59:54.900,60:55.380]  But we're so proud of all these teams right it's the Microsoft security response center it's the defender teams it's the individual product teams that are involved, yeah there's a huge sense of community and a huge sense of the fact that we are all on this mission and we're not going to stop until we have remediated the threat and that goes right up to the top with our execs right when we were having daily calls during Solar wins I never thought I'd be on a call with our senior leadership team were in a baseball hat and the same fleece two days in a row, but you know it was because we were all in and the whole company was and so that's really exciting when you know that an incident is so important that it requires everybody to bring their best, but the amazing thing about John's team and all the security teams here is that they do that every day I mean it doesn't matter what the incident is they're still bringing that level of effort and energy and so it's been a privilege to work with them as a lawyer and now in the threat context. 

[60:55.380,61:0.060]  Because there's no better place to be your responded all the time. 

[61:0.980,61:38.040]  I mean one of the things that are faint quite interesting as well as with like information, um, with intelligence, one of the things that I've that I've thought about in indulge me and timmy, if information you know, and this is kind of a little bit of a cliche, but if information is the new oil than America as the Saudi Arabia of that kind of game and because of its corporations because of its universities because of a whole variety of different reasons, but I guess what I'm trying to say as. 

[61:38.200,62:6.460]  How does that feel where when it was about oil, it was about you know the us government was about the military but now that it's about information that that kind of some of the onus or some of the responsibility has been pushed onto corporations that have the expertise to be able to deal with some of this I just I just wondered if if you have ever thought about that the way that you're doing something that you know maybe not long ago. 

[62:6.460,63:5.280]  It was the domain of the government, but now as a as a corporation and you know yeah I don't know any thoughts I would just say that this world has always been a publicprivate partnership anything that you could probably say even oil like you talk about there's probably publicprivate companies going back in every country responsible for that and certainly everybody's information is important to themselves and they should be able to protect and they should have a right to privacy on it and it's it's important that we work hard as defenders to make sure they're able to do that against the face of very sophisticated people pursuing what they have, and you know if there's if there's one thing I guess you know your listeners should know, is there is no one company that can do it alone, everybody needs to do their level of responsibility set very high expectations for them and be aware of what's at stake but it is that working together across public and private you know and within the industry that is just such an important part about this. 

[63:6.060,63:48.860]  I'd ad that we saw a really big wave of digital transformation because of the pandemic as people had to shift their lives to working from home and that meant a lot of people moved to cloud services in domains and in areas where they probably never thought they were going through right away, so that digital shift is going to continue to put pressure on the migration to the cloud and frankly that's wonderful because we see nation state attacks because we see them in the cloud, you know if you're thinking about security from an on premises perspective I can only see what goes on through your window, and you close your blinds I can't see inside your house when you come into the cloud where the. 

[63:48.860,64:29.420]  At least the condo manager so we have a sense of the types of attacks that are coming in and impacting our customer as the world moves into the cloud, the numbers that we see are only going to go up but that's not a bad thing because what that means is that we're actually identifying the issues that were there all along, you know as John had said and so the importance of digital transformation is that it brings more transparency to the threats that are out there and helps customers in the world understand why leveraging security technology is so essential to the foundation of how they want to live their digital lives going forward. 

[64:29.700,64:56.460]  And I know that we have to wrap up soon, so I just wondered if you could if you had any thoughts to leave spike asked listeners with us or anything that you would encourage them to do it could be something they should read or something they should do you know other than downloading the updates a turning on two factor identification and crossing their fingers what else should they do or where should they go for more information. 

[64:56.460,65:29.920]  Yeah I mean I would say, while these attacks can seem overwhelming there the reality is there are steps everybody can take to protect themselves and some of the steps you mentioned there cut down on 99% of the attacks that you're going to see and you know the the simple act of turning on multifactor authentication not just for your primary email, but for the other services that you use the other accounts that are important to you, that is one of the most critical steps and we see you know 99% of the kinds of you know password attacks. 

[65:29.920,65:46.440]  Just stop working against people that have gone and done those things and even if you've done it there's probably somebody you know that hasn't taken that step yet that probably needs your experience, help to note it didn't mess anything up and you can actually do it, those kind of things are steps that everybody can take. 

[65:47.460,66:47.940]  Yeah, can I get an amen because cyber hygiene is not a topic that we hear about it is so essential, it's the diet and exercise that we all have to do, it's it's so easy to talk about you know this advance thing or this incredible exploit, but really what matters is the diet and exercise it's the strong passwords it's the patching, you know get rid of all of that and really make the attackers work for what they're going after, make sure that you don't have mail forwarding enabled in your personal accounts change your passwords though password list all of that hygiene matters it matters at the individual level, it matters at the enterprise level and for the 43,000 people that we've had to talk to in the past three years to highlight that it's a game changer, so yeah I know you're looking for ways to go go, learn information, we published a lot of blogs and a lot of technical data about all of the awesome things. 

[66:47.940,67:5.140]  Our products and services can do but get cyber healthy, you know that's really the most important thing to make sure that we don't have to call you well, thanks ever so much for your time, it's been fantastic, speaking to you ethan yeah thanks ever so much for your time I really appreciate it. 

[67:5.720,67:10.340]  Thanks a bunch and that was fine, thank you, thanks John, thank you. 

[67:10.440,67:27.980]  The international spy museum is a full five o one c three Nonprofit if you want to donate to the museum or if you're local and would like to volunteer at the museum, please visit our website at spy museum dot org for more information. 

[67:28.200,68:28.536]  We could all use a real vacation right about now lucky for us princess cruises has a port right here in sf starting at 99 dollars per day, princess can take you to the beaches of Mexico, the tropics of Hawaii, the glaciers of Alaska or along the California coast that's right, just 99 dollars per day set sail with California's cruise line call one eight hundred princess visit princess dot, com or contact your travel advisor today terms and restrictions apply emotional pricing ends november thirtieth 2021 chips are rooted in British registry before booking consult the CDC website at www, dot, CDC dot amigos organ and McDonald's homes email Jose rizal in san Luis potosi parameter to mine like a corona sun local regular season the whole team hypersonic Cristina bolsa de aire and fondles soon to represent pa. 


************************************end****************************************


音频网址:https://dm4p36fbs3hl0.cloudfront.net/v2/variant/63258347-useast1c4f6cce1175463aee02aa9b73955c1bc.mp3


往期精选


围观

威胁猎杀实战(六):横向移动攻击检测


热文

全球“三大”入侵分析模型


热文

实战化ATT&CK:威胁情报


原文始发于微信公众号(天御攻防实验室):揭秘微软威胁情报中心(MSTIC)

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: