Modern Cyber with Jeremy Snyder - Episode 25

Dirk Schrader of Netwrix

In this episode of Modern Cyber, host Jeremy Snyder talks with Dirk Schrader, VP of Security Research at Netwrix, and a seasoned expert with over 25 years in IT security. The conversation starts with the intriguing parallels between anti-submarine warfare and identity threat detection, exploring how tactics used to track submarines can inform cybersecurity strategies. Dirk also shares his insights on the importance of collaboration in cybersecurity, the challenges of detecting sophisticated threats, and the evolving landscape of cyber resilience.

Podcast Transcript

Jeremy Snyder (00:02.894)
All right, welcome back to another episode of Modern Cyber. I'm delighted to be joined today by Dirk Schrader, the VP of Security Research at Netwrix. Dirk has another title as well, Resident CISO for EMEA. Dirk is a 25-year veteran in IT security. He works to advance cyber resilience as a modern approach for tackling cyber threats. And we're gonna be talking about that in today's episode as well as some other things. But as the VP of Security Research, Dirk is working on focus research for specific industries like healthcare, energy, or finance.

Now these are all critical industries, but as anybody in our audience knows, these are all industries that are also under regular attack. If we've got enough time, we'll try to get into some of those areas as well. But Dirk really has a long background to hold certifications like CISSP from ISC2 and CISM from ISACA. Dirk, thank you so much for taking the time to join us today on Modern Cyber.

Dirk Schrader (00:55.798)
Thank you for having me Jeremy. Pleasure to be

Jeremy Snyder (00:59.135)
Awesome. I want to start with something that I know you kind of sent over in advance of today's conversation. And, you know, it was about submarines and identities. And I've got a little note here that basically hunting for foreign submarines and malicious actors in Active Directory are pretty similar. What do you mean by

Dirk Schrader (01:17.562)
Well, the anti-submarine warfare, and the way it's called, the sort of field of tracking down a foreign submarine in your waters, whether it's coastal, whether it's your operational area, how they call it. And from an anti-submarine warfare tactics and procedures and strategy point of view, what you find in

is so much similar to how we do it in AD, our identity threat detection and response, because number one, your adversary is going the extra lengths to hide himself. He looks for every new point or possibility to hide its own existence in your infrastructure or in your waters. So

the idea of comparing the two things, of finding the similarities was sort of obvious to me when I was at some point in time, back in time, watching the good old movie, Hunt for Red October one more time, and it was like, hey, what is that about? How do you find that? How do you make sure that you know it's there? How do you track the movement? How do you deter? How do you, and this was

How long have we had the same questions? Yeah, so the similarities are much more about: how can we make sure that we know the enemy is within our realms, whether it's water or infrastructure? Do we know where he is hiding, i.e. in deep water, in shallow waters, beneath a ship, or

Jeremy Snyder (02:58.463)
Yep. Yep.

Dirk Schrader (03:08.846)
disguising himself as a benign user or something like that. So there are a couple of things to really look into it and to look into when talking about the ASW tactics, reading books about it. And the one thing that was really striking for me was the point where when you look

Jeremy Snyder (03:26.216)
Yeah.

Dirk Schrader (03:37.784)
sort of the strategy definition of how a... The strategy definition in ASW and the strategy definition in ITDR, from an ASW perspective, it's about know your adversary, the paths they take by monitoring choke points, shipyards and harbors, talk about transparent oceans,

on the ITDR side, it's be up to par with the TTPs of the various threat actors and their campaigns and know yourself. So there is a similarity. You have to know yourself, know what you're doing, know your infrastructure, know your environment in the same way as you have to know your environment in the sea. And then we're talking about sensing and knowing where your adversary starts from.

There are interesting similarities and the matter of fact is these guys in the military, in the Navy, they have actually been doing it for probably 120 years. So there's a lot of experience on their side of how specific tactics or sort of coordinated approaches work better than others.

Jeremy Snyder (05:00.847)
Yeah, so I'm curious just to try to understand that in a little bit more detail to kind of highlight this parallel. When I think about submarine hunting, let's take the Hunt for Red October. You know, it's a hunt that travels from one location to another. And I guess this is part of your point, because when you start with like, let's say open waters, international waters, you don't have good sensors in place, right? Because I guess nobody is allowed to have good sensors in place.

But as it starts to get into the rivers, if I remember right, I think they go into the St. Lawrence Seaway heading up across the US-Canada border. It's been a while since I saw the movie, but there you start to have sensors and you start to have more kind of telemetry and more observability about all the actions and more monitoring of what's going on in the environment. And I guess if we apply that parallel to, let's say, an identity environment, we can think about the broader internet where

Dirk Schrader (05:37.732)
Mm-hmm.

Jeremy Snyder (05:57.252)
we may not have sensors and we're not getting data back, but once something kind of enters our Active Directory domain or leverages one of our identity principals, then we start to have that telemetry data. Is that one way to think about

Dirk Schrader (06:14.09)
In part, partially, yes. The thing is, you're pointing at one interesting sort of differentiator. For us as private organizations, or even as citizens, it's quite kind of difficult to have sensors in the open internet. Our open sea is deregulated, it's completely out of reach for us.

We might have chances to engage with large infrastructure internet service providers, tier one service providers who have the capability to actually monitor traffic to have sensors in place. For the anti-submarine warfare tactics, putting sensors out in the open sea, it's doable. I mean, the SOSUS network is a good example for that.

In mentioning the strategies, as I mentioned them, talking about the choke points, there is one saying in the strategies which talks about the so-called GIUK gap, Greenland-Iceland-UK gap. So that stretches from Greenland to Iceland to the UK where you have this, where

Jeremy Snyder (07:31.339)
Okay. Okay.

Dirk Schrader (07:41.11)
adversary, the Russian submarines, the Soviet Union submarines, had to pass that gap, either between Greenland and Iceland or Iceland and UK, to really say, now there is a point for us to monitor. In our terms, that's the egress and ingress point. But we can't do it in egress, ingress points in larger networks where we are connected to. We can only do it on our ends, in our sort

infrastructure we have control of. The point is that in this to stick with the similarities and to pick up what you mentioned about that St. Lawrence stream where they were coming into the sort of coastal areas hiding that big submarine. These egress and ingress points and this sort of sensing and monitoring in our environment.

having control of that, that's the part of making sure that we know what's going on internally in our infrastructure. The idea of sensing and monitoring beyond our egress ingress point, beyond our sort of control points we have because we own the infrastructure is the part of cooperation, the part of saying, hey,

in having a sonar station on the UK side of things, on the Iceland side of things, on the Greenland side of things, listening into the waters. That's a part of cooperation. I mean, if we cooperate with our tier one providers, with our security service providers, that's a different story. That's where we can sort of leverage.

our own capabilities, our own sensing and monitoring, and their capabilities.

Jeremy Snyder (09:42.271)
But that's something that doesn't happen very much in the enterprise, right? Like you don't see enterprises cooperating with each other to share telemetry data necessarily about like, you know, we're seeing these attempted penetrations from this threat actor or that threat actor, right? You see individual research organizations, you know, government to government sharing, that happens for sure. But on a corporation level, you know, I don't see it. How do you think, like, should we be sharing?

Dirk Schrader (10:10.744)
I think we should. I was the first one to subscribe to that simply because in that sense, we need to sort of shift in our own perception about cyber security. We are not alone in that field. It can happen to me, it can happen to you that we are under attack, that we get breached and something like that. And we have this sort of tendency to go

victim shaming, to blame the victim for lagging behind in their readiness and their preparedness because it was happening to them. On the other hand, we were always talking about, well, there is a sophisticated threat actor. I know that this notion is already sort of getting a little bit of, let's say, a bad taste to it because everything is

sophisticated threat actor now, whatever happens to an organization, it seems to be an excuse now. Coming back to the point of sharing information, sharing telemetry, it's really vital because it helps us to fine tune our own sensors, to fine tune our own monitoring.

And if we do that, overall, we will reduce the likelihood for our sector, for our industries, for our countries to really, on the private sector part, to be precise here, to really reduce the likelihood of getting breached. Because if we are now sharing, and I'm doing this frequently on Twitter, for example,

Sorry, I'm old. Still calling Twitter. Every time I get on my personal emails, every time I get a phishing attempt, I'm sharing that. Hey, look out, this is something you might get as well. Make sure you don't fall victim to it. And we should do this in the same way on the enterprise level because it helps us to get better. It helps us to be more proactive

Jeremy Snyder (12:08.462)
Yeah, yeah, me too.

Dirk Schrader (12:35.962)
in detecting a threat and being prepared for a threat. If we want to increase our preparedness, if we want to increase our readiness, that cooperation point of view, that sharing of telemetry, we have seen that be cautious about that. This is a big leap

Jeremy Snyder (12:53.998)
Interesting. There was something recently that there was a recent case of a North Korean having been hired by another firm in the cybersecurity space. And a couple of years ago, we had a job candidate that we strongly suspected in the end was a North Korean as well. We've published that on our own blog. But one of the things that came out of that was that there

these kind of so-called laptop mules or IT mules who were receiving the laptops for these remote workers, plugging them into their home networks, and then the remote workers are kind of using a VPN or a remote desktop tool to connect in and do their work there. And somebody suggested crowdsourcing a list of these addresses. And so you would know as a company, if you've hired somebody and then you're told to ship a laptop to one of these addresses, maybe think twice.

So maybe some of these initiatives are starting to get some ideas and some traction behind them. That's a really interesting way to think about it. When you think about, sorry, go ahead.

Dirk Schrader (14:00.922)
I was, when this sort of story broke, the few days ago about that hacker or sort of North Korean adversary, cyber adversary mimicking or trying to pretend to be an alleged worker for a company. It

Ay.

Dirk Schrader (14:34.404)
How do we prevent this from happening in the first place would be the obvious question, but you can't prevent that. See, how much of a background check do you want to do? So this idea of looking at the various attack stages, attack paths, the sort of individual steps that need to sort of fall in line, that the attack in itself is successful. That's the part.

talking about this sort of where do we ship the equipment to it is certainly one point. The other point might be to say, hey, why don't you at least once before you start working for us come by, pass by? We want to see you in person.

Jeremy Snyder (15:23.094)
Yep. Yep.

Dirk Schrader (15:28.302)
Don't let us go on a tangent on remote work and coming back to office and all this stuff. I love my remote work and everything is fine and we can manage that. But as a risk, it is a question of preparedness. It is a question of information sharing in the same way as with other things. And so the idea you had in terms of, hey, let's crowdsource

Jeremy Snyder (15:33.708)
Yeah, yeah.

Dirk Schrader (15:56.747)
this kind of addresses or make sure that more people know about this sort of attack paths in detail. That's an interesting one. That's the way we need to take, the path we need to take.

Jeremy Snyder (16:06.73)
Yeah, yeah, yeah, yeah, yeah. No, look, it makes a ton of sense. I wanna come back to the anti-submarine warfare, ASW, for a second, because there was one other aspect that I wanted to try to understand, what are the parallels, and that's on evasion. So, you know, I think we're all probably somewhat familiar with submarine stuff from the movies, like, drop a depth charge, go silent, turn off the engines.

Dirk Schrader (16:34.884)
Mm

Jeremy Snyder (16:35.679)
you know, all of these different things that a submarine might do. I guess it's probably similar on the identity side for threat actors who are using identity as one of the main, let's say, attack techniques that they're trying to launch against your organization. What are the parallels that you see there?

Dirk Schrader (16:53.754)
I mean, when we're talking about sort of the stealth idea of a submarine, I mean, being as silent as possible over the sort of history of time, no, not history of time, sorry, my German thinking kicks in. Sorry for that. When we talk about the history, the evolution of antisubmarine warfare or submarines in itself, now we had

Jeremy Snyder (17:15.527)
Yeah, yeah, yeah.

Dirk Schrader (17:23.726)
diesel engines powering a battery so that the submerged travel is operated by batteries. The batteries didn't last long. Moving over to nuclear propulsion, was sort of limited to a very small number of countries being able to really achieve that. Nowadays we're talking about fuel cell technology, which is

very long period of time where a non-nuclear submarine can be submerged, stay underwater. Next to that we're talking about hull demagnetization, so that magnetic sensors are useless.

there are a lot of things that they are doing. I mean, we're even talking about shipyards and harbors being put underneath the surface so that you can't guess anymore when a submarine is going offshore, leaving port. There are a couple of things, these nations, and there are 42 nations around the world at the moment that have submarines.

Jeremy Snyder (18:31.27)
Yep. Yeah.

Dirk Schrader (18:42.49)
probably 40, 42, something like that, they do a lot of things to really sort of overcome that detection capabilities of others. On the other hand, if we look at the AD part of things, what happens is, and there's a sort of, a little bit of a difference in the starting point. Yes, of course, your AD,

Jeremy Snyder (18:44.987)
Okay.

Dirk Schrader (19:08.726)
account that has been taken over by the attacker is originally yours. You don't own these foreign submarines. So the starting point is different, but the sort of commonality is about control. Your adversary is in control of the submarine and the hacker, once he has compromised the account, is in control of the account.

When you control something, you try to obfuscate it to make sure it can't be easily detected that you're taking control of it for your own gains, but to the damage of others. So from an account perspective, the specific Microsoft AD account

Jeremy Snyder (19:48.51)
Mmm, yeah.

Dirk Schrader (20:01.016)
the specific way of hiding your existence, either doing it low and slow, making sure that you use the one account, you're compromised, create another account which is then sort of hidden somewhere, and you leave the compromised account aside and don't touch it anymore because you know that this one is monitored, but maybe the other one not.

These are the things that happen. So the tactics of obfuscation might be sort of from a technicality different, but the question is of control and of how do you sense that. And the sensing part always starts with knowing what is normal.

Jeremy Snyder (20:48.274)
Mmm.

Dirk Schrader (20:55.642)
if you want to differentiate and say, okay, this is something I haven't seen before, this is a noise, a wave, a

a log entry, a sort of reflection on the surface of the sea I haven't seen before. And you might laugh at reflection on the sea I haven't seen before because there are a lot of reflections on the sea surface, as you can imagine. But actually these things are useful in this sort

Jeremy Snyder (21:29.793)
Yeah,

Dirk Schrader (21:38.478)
technologies used in the anti-submarine warfare in the modern world, they talk about enhanced seabed-to-space sensing. So they are talking about sensing that is not limited to the actual environment, not to the sea, not to the subsurface sea, underwater. It's also surface sensing, it's space sensing. And from our point of view, coming back to that, or sort of rounding it up with the sensing part of it,

If we don't know what is normal in our environment, because our sensing is not telling us what it is, if we don't control that in the sense of we distinguish normal from unusual from suspicious behavior, we will end up being totally out of control, or in a total loss of control, that's a better way to phrase

because our adversaries will take advantage of our inability to distinguish.

Jeremy Snyder (22:45.418)
Yeah, but along those lines, I want to get your feedback on something. So, you know, a couple of years ago, I was working with a company that had a 24/7 SOC for managed detection and response capabilities and worked with customers around the world. And one of the things that I pretty consistently heard was, you know, a lot of their focus was on establishing what looks like normal. And a lot of the automatically generated, let's say, tickets or alerts came off of things that

unusual or abnormal or out of the normal band. And when I talked to individuals who worked on those teams, one of the things I pretty consistently heard was that it was an over 90% false positive rate, right? Because basically by definition, the first time you see anything, it will also trigger an alert, right? So the first time I move into a new location, my telco provider changes my IP address.

Like all of those are examples of, you know, let's say the first time and something is now not quote unquote normal. So I worry about kind of algorithms and approaches that are based on basically anomaly detection. Like if it's kind of general anomaly detection, I just think you're, you have the risk of flooding a team with way too many alerts. So how do you solve that problem in the identity space?

Dirk Schrader (24:10.122)
Using your example, I mean, now as sort of the worker that is sort of generating that false positive because he gets a new IP address from where he logs into corporate devices. Well, the missing information for the IT team investigating that is, okay, that person is traveling. So is that a missing piece in your sensing, in

sort of control of it. How do you enable sort of the cooperation between HR, authorizing the travel? I guess there are processes behind and the IT guys so that they can see, hey, this guy is probably traveling from the US to France or to Germany and probably he will log into our...

our infrastructure from an IP address that is in Germany or France. On the other hand, if I was mentioning it, sort of what is regular, what is unusual. So getting a new IP address might be something that is unusual and what is suspicious. If we are talking about sort of these single indicators,

that were used to create a false positive. Hey, there was a new IP address that has been never assigned to this guy. What's going on in here? Hmm. Yeah.

That's a question for the SOC itself in terms of is your sensing, is your monitoring really thought through? Do you really need to have more indicators to raise an alert? Is it an early warning saying, hey, this is something where we would consider this as unusual, so we sort of increase the threshold for this specific account?

Dirk Schrader (26:16.92)
whatever happens next, we have an extra strong sort of watch for it, which is sort of similar to ASW tactics. If the intelligence is delivering new information about, they've sort of started researching about...

Again, talking about collaboration, if ASW is getting the intelligence information from Navy intelligence about, hey, country XYZ has started to build a new submarine. Okay, where? What do you expect from a timeline? When do you expect it to make its maiden voyage? Can we have satellite imagery from that place? Can we watch out? Can we place something?

in the area to follow the tracks of it, all these kind of things. I mean, in our case, if we have an initial indicator, what is our reaction? What is the thing we do from an automatic point of view, from a machine learning point of view, so to speak. And by the way, machine learning in ASW is also a hot topic. They are interested

coordinating between UAVs, so Unmanned Aerial Vehicles, to UUVs, Unmanned Undersea Vehicles, all kinds of automatically, individually operating sensor vehicles so that they can get a larger picture of it.

In our case, if we have these sort of sensing capabilities, and I'm sort of far-fetching here, I guess, when we take this and say, okay, let's make sure that we have some early information from HR that we are interested in sort of hiring a person, that we are looking at this person from a, in sort

Dirk Schrader (28:38.234)
hiring it for the sales department or for even for our IT security department, trying to sort of combine the topics we just discussed. What else can we do here? What else can we take as signals to avoid hiring a North Korean hacker? A couple of things might be coming to our minds. But on the other hand, if we're talking about regular users,

What are these ideas of joiners, movers, leavers when we're talking about the HR part? How do we coordinate between what's going on in the HR part and going on in our AD? What do we make sure that people moving around in the department, and I guess both of us, we have done this in our histories, in our appointments that we have sort of accumulated privileges over time.

being sort of in the sales and the marketing and the technical department and getting more and more things and getting more and more access to various services provided by the company. How do we make sure that this is kept under control? that sensing controlling environment, making sure that talking from an AD part of things, you have control over the privilege.

Jeremy Snyder (29:51.987)
Yeah.

Dirk Schrader (30:04.48)
in the ASW side of things, using that term, control over the privilege, what kind of privilege, i.e. is that foreign submarine free to move around? Interestingly, one element in the ASW tactics is to let your adversary know that you know he is there.

Yeah, okay, we found you. Ping. No, one ping only. So this specific kind of tactic, letting the enemy know that it has been found, that's an interesting one that, how do we use that in IT security? I didn't find a way

Jeremy Snyder (30:34.522)
Yep, yep, yep.

Dirk Schrader (30:56.514)
What would be a similarity in AD, in identity threat detection and response to really let the adversary know, hey, forget whatever you had in mind to do, we know that you're there?

Jeremy Snyder (31:11.545)
Yeah, it's interesting because it's actually the opposite of what we're told as cyber practitioners. It's like, if you find a threat actor in your environment, you absolutely do not tell them. In fact, maybe you block them immediately. That might be your approach. Or maybe you want to observe them and basically, let's say, separate some areas so that you limit the damage that they can do. And you want to see what they're trying to

Dirk Schrader (31:35.886)
Yeah, that's the part. In our case, what we say is build fences around him. Make sure you follow him, but don't let him know that the person or the adversary is there. In essence, the whole thing comes with the idea of will you be able, if you let your adversary know that you have detected its existence,

Jeremy Snyder (31:46.073)
Yep, yep.

Dirk Schrader (32:05.784)
will you be able to continue tracking him? In the ASW tactics, the idea of letting the enemy know is to deter him and say, please, your mission is over.

Jeremy Snyder (32:09.077)
Mm, yep, yeah,

Jeremy Snyder (32:16.45)
Yeah, yeah, yeah.

Jeremy Snyder (32:30.254)
Yeah, yeah, yeah.

Dirk Schrader (32:31.202)
You can leave. We are still tracking you. You can leave. Don't bother your resources and our resources. Well, OK, keeping a foreign submarine in the operational area is a huge investment for them and for our country. A different story on our side. I think the idea of letting the adversary know that it has been detected is

Jeremy Snyder (32:43.47)
Yeah. And there's also, you

Dirk Schrader (32:59.898)
Also tricky for us as we are talking about digital sort of.

Dirk Schrader (33:11.224)
Artifacts of something happening. There is no direct interaction. If I send a ping to a foreign submarine, they can hear it. Now, I know that the submarine is human operated inside of it, so it's... That was the one thing that really caught my eye in terms of the difference, and I'm still grappling with what do we make out of that now? In mission and obstacles

Jeremy Snyder (33:13.878)
Yeah. Yeah.

Jeremy Snyder (33:33.676)
Yeah, yeah.

Dirk Schrader (33:37.082)
They have a large area to cover. We have a high number of identities. They have a noisy ever-changing environment. Talking about changes. Does our environment, our infrastructure look the same any next day? No, it doesn't. We have changes, changes, everything. In our case, stealth operations capability is phished, socially engineered, disguised, masqueraded, compromised.

they were talking about friend or foe and we are talking about third-party risk. So the obstacles and the mission are very much similar. We have some technicalities that are different, but it is worth going through it and listening to them and, as I've mentioned, reading about them. And you can even go to very old books from the 1930s and 1920s.

Jeremy Snyder (34:10.08)
Yep. Yep. Yeah.

Dirk Schrader (34:35.908)
talking about Strange Intelligence: Memoirs of Naval Secret Service, where they talk about anti-submarine warfare tactics. It might not be that you get this sort of, this is the brilliant idea I get from that, but it helps you to...

to look at your own architecture of doing things, how you chain your things, how you orchestrate your things, and helps you to sort of reevaluate that, which is an interesting, for me, interesting sort of training aspect.

Jeremy Snyder (35:19.474)
Yeah, for sure, for sure. We're running a little bit short of time, so I want to move into a couple rapid fire topics. we'll go like kind of quick, but I do want to call out two quick things. One, just remember for our audience, pings actually, the word ping actually comes from the submarine space, right? So this thing that we use every day in IT that's coming from submarines as well. And I think, one of the, that's right, exactly. And all right, but moving on.

Dirk Schrader (35:36.314)
truth.

Dirk Schrader (35:41.924)
Send me a ping, dude.

Jeremy Snyder (35:47.387)
We've been talking about identity. We've been talking about Active Directory as this kind of parallel hunting ground looking for threat actors. Best practices, recommendations quickly for the audience. What logs should you turn on for your Active Directory environment? Is it everything or is it, you know, certain logs and certain action logging is more useful than others?

Dirk Schrader (36:08.474)
I mean, we can go into specifics, so event IDs, everything in the 427 group or something like that. Anything that is a change to AD, creating a user, enabling a user, disabling a user, adding a user to the domain admin group, password changes or password resets, these are the things you are really, really interested in. Mostly in terms

Jeremy Snyder (36:35.057)
Okay, great.

Dirk Schrader (36:38.594)
Why did they happen? If they happen out of the blue, if there is no context to it, then there is from unusual to suspicious.

Jeremy Snyder (36:49.615)
Yep. Great. And if you're walking into a brownfield environment, meaning the AD is already live, it's been in use for some time, what are your first kind of set of actions as you, as a practitioner and somebody who's responsible for that going forward, what are you going to do? Do you mostly focus on making sure the configuration is right, the logging is turned on, and then focus on that point forward? Or is there value in spending some time to look

threats that might already be in the environment.

Dirk Schrader (37:23.098)
I would start from a different perspective. First of all, yes, the changes that happen are crucial. But before that, knowing my environment is about privilege control. So if I go in and have a brownfield starting point of an existing AD that has been around for, let's say, five to 10 years, what is my setup?

What is the privilege situation? How many accounts exist that are actually domain admins, either locally or in the network? Can I get this whole thing to a just-in-time, just-enough setup? In terms of I get this specifically administrative privileges, I get them only just-in-time. And for regular users, is it just enough privilege for

And then I am going to monitor for changes from that reduced attack surface.

Jeremy Snyder (38:28.791)
Yeah. Okay. Great. Great point. Do you think that it's similar, like, let's say the tactics and the methodologies for how you approach either threat hunting or, let's say, turning on the right telemetry, pretty much the same for other identity providers? Like nowadays, it's pretty much always AD or Google Workspace, or let's say in the directory that comes with

I rarely see anything else anymore. I know LDAP is still a thing, but I pretty much never see it in an organization as the main identity store. Is it pretty similar for Google? And also for AD, is it the same if it's on-prem versus in the kind of Microsoft 365 environment?

Dirk Schrader (39:12.922)
Yes and yes. In parts, it's a little bit worse if we are talking about the cloud environment. There was an interesting research done by Microsoft, I guess it was in 2023. Let me come back to that. First, to Google Workspace Directory. In the end, whether you have your AD or Google Workspace Directory, we are talking about

rights given to someone. You're allowed to do this in your electronic environment, in your digital environment. So yes, the tactics of privilege escalation, the tactics of obfuscation, taking over accounts, compromising accounts by phishing or something like that is the similar thing. And in the same way, your defense tactics and your defense strategy by keeping control of what is there is similar.

Coming back to that Microsoft report, that was really an interesting one because one key finding of that report, and we might be able to share the link in that, is that only 1% of the assigned privileges in the cloud infrastructure, privileges assigned to a user in the cloud infrastructure, is only used.

1%. So there

Jeremy Snyder (40:42.539)
Yeah, so they have 99% privileges that they don't need and shouldn't have basically.

Dirk Schrader (40:48.524)
Yeah, come on. Yes, when you use the cloud infrastructure, when you use Azure ID, AD or something like that, there's a lot of things you can do wrong. So you have to have that control. And the same way that there was research we did, hybrid security research between on-prem and cloud security to do a little bit of a comparison there.

Jeremy Snyder (41:04.125)
Yeah, yeah, that's a great point.

Dirk Schrader (41:16.186)
recently in its fourth iteration that addresses the same topic. So might be another one to share.

Jeremy Snyder (41:25.221)
I think a link to their research, sorry, to your research will be a great thing for the show notes. We'll be sure to get that over in there. We're out of time for today's episode. I've really enjoyed this comparison and the parallel between anti-submarine warfare and kind of identity threat hunting, I guess is maybe the right way to say it, or maybe just making sure that you're monitoring your threat, your identity environments for threats.

Dirk Schrader, thank you so much for taking the time. For people who want to learn more about the work and the research that you and your team are doing, we'll have that one link in the show notes, but where else should they go check you out or where can they follow

Dirk Schrader (42:01.498)
Probably within the blog space of netwrix.com, that's probably the best way. Other than that, I'm hoping to sort of go public with the research in the healthcare infrastructure side of things, a long-term research where we were monitoring connected devices over a period of 24 months.

Jeremy Snyder (42:30.313)
Interesting. Yeah, well, we'll have that to look forward to and we'll be sure that we get that shared as well when it comes out. And for now, for Dirk Schrader, thank you again for taking the time and on behalf of the whole team over here at Modern Cyber, thanks for joining us. Just remember rate, review, like, subscribe, all that good stuff, and we will talk to you on the next episode. Bye

Dirk Schrader (42:30.522)
It's going to be an interesting one.

Dirk Schrader (42:53.636)
Thank you, bye.
