Silly Sit-Downs with Rohan (SSD-06): An interview with Shashank Mangal, Security Researcher at Microsoft

Rohan Singh
Feb 22, 2024


Hello everyone, hope you are having a good time and enjoying your life. I, Rohan Singh, welcome you again to the new edition of Silly Sit-Downs (SSD) with Rohan — an interview series with industry professionals irrespective of their genre; the purpose of these interviews is to have insightful conversations, understand people better and get rich perspicuity into career and community.

Today, we have Shashank Mangal, a Security Researcher at Microsoft. His expertise lies in identifying and mitigating threats, vulnerabilities, incidents, and bugs, ensuring the security of essential systems and safeguarding products used by millions of users. Shashank has exemplary knowledge and skills in cyber security, design security architecture and offensive security. This comprehensive understanding allows him to approach security challenges from multiple angles, providing effective solutions. More than just a cybersecurity expert, Shashank is also a passionate motorcyclist with several years of experience under his belt.

I would like to thank Shashank Mangal for taking out time from his schedule for this interview :)

Read other SSD with Rohan interviews

Rohan: Hi Shashank, thanks for joining SSD with Rohan, I really appreciate it. I would like you to briefly introduce yourself.

Shashank: Hi Rohan, thanks for the invitation. I’m Shashank, I’ve been associated with Microsoft for 4 years in threat and vulnerability management as a Security Researcher where we secure our internal servers and internal customers from the latest (known or unknown) vulnerabilities coming out there by analyzing them to avoid getting compromised.

Rohan: Since you’ve mentioned vulnerabilities, I want to know more about it. What is your approach to fixing those, how many do you get in a single day or like your day-to-day?

Shashank: First and foremost, we must understand the problem statements on what created the need to have a threat and vulnerability profile in an organization. There are hundreds of vulnerabilities which get discovered every month, by individual researchers as well as big organizations. Upon release of a vulnerability, the affected product owners (usually) swiftly move to release the patch for the vulnerability. However, the problem arises when the patch is already released, but customers don’t apply the patches on their affected host. This is what a Threat and Vulnerability Management team does at its core. We help customers prioritize and patch their assets to minimize their risk of being compromised. There are other added layers on top as well, like categorizing vulnerability, analyzing the vulnerability, and performing backend analysis on which vulnerability needs to be prioritized. This solely depends on the organization and the type of servers you manage.

On a typical day, we actually don’t manage each vulnerability specifically because we have a whole bunch of automation created on our cloud with monitoring systems, which analyze all the software periodically and scan the whole system to pull up the list of all the installed software, binary versions and library files and other dependencies along with OS information, OS patches, Antimalware details and running state of the host. All this data gets uploaded to our servers. By using our automation system, we perform analysis to identify affecting vulnerabilities and create an action item for the service owners to patch those assets.

Rohan: The entire process you mentioned, was it for MS Azure or some other famous MS products?

Shashank: I can’t provide you with all the details but can give you the upper level of what teams we provide security. We have 3 main customers:

  1. Xbox including the main team, partner teams, and gaming studios.
  2. Windows Core OS
  3. Some parts of Azure

At Microsoft more than 95% of our apps, and servers are deployed in Azure, we do have some physical machines left, but they are more or less legacy and we are working on migrating them as well. So yeah, we do provide security to Azure, but we only have a limited number of services.

Rohan: Security to Xbox, Azure, OS, and partners sounds very cool [chuckles].

Rohan: Moving ahead — If someone exploited the system externally and reported it to your team or reported it as a vulnerability. How do you approach it? What verifications are done from your side?

Shashank: Let’s break this question into two parts — somebody reports a vulnerability and somebody compromises us.

There are 3 ways by which a person finds a vulnerability to go through it —

  1. The first one is reporting it to the Microsoft Security Researcher Center or MSRC that’s a regular way.
  2. Selling it on the black market
  3. Disclosing it to the public via social media, security forums etc

The second and third are considered illegal and could cause a lot of damage to organizations.

For the first one, when a researcher reports a vulnerability to MSRC, MSRC starts an investigation using the details provided by the researcher along with the PoC (Proof of Concept).

MSRC receives a high number of benign vulnerability reports, which could be from script kiddies who sometimes see the feature as a vulnerability and report it. Hence we do have a huge number of FALSE POSITIVEs, thus a PoC of every report is not possible, and that’s when they reach us and we try to replicate vulnerabilities. There are certain vulnerabilities which are even above our calibre. For instance, a vulnerability related to internal Windows components could require a different set of skills. So, in cases of possible TRUE POSITIVE, we reach out to the product owner directly for confirmation. If it is false, we mark it as FALSE POSITIVE and move on. However, in TRUE POSITIVE we proceed further with the next steps, confirming with the researcher and asking him to sign the NDA, assigning the development team to start working on the patch, and finally releasing it on regular patch Tuesdays (in case of non-critical level vulnerabilities). For High to Critical vulnerabilities like WannaCry, we might release patches before the patch Tuesday.

Now the case of what if we are compromised. This is where most of our work comes in. Let’s understand this by assuming our security team got reported with an alert about being compromised. The first step is to reduce the footprint or blast radius and limit the damage. Identify the patient zero and disconnect it from the others. This phase is handled by the Incident Response Team.

The second phase is the identification, verification and eradication of compromised servers. This phase is handled by another team which investigates the attack by getting to the crux of the issue and performing RCA using logs, studying behaviour patterns.

Rohan: And what suite of tools and tech stacks are used by employees to perform all of these?

Shashank: MS has developed a couple of really good tools which assist us by doing a lot of heavy lifting and are open to the public. One of those tools is Sentinel, then Defender Endpoint for log collection and analysis. We don’t use a lot of tools because most of the work revolves around the approach a researcher takes. Let’s say in the case of a phishing attack, we try to find the source of the email, who opened it, whether there might be any other account that has been compromised, and what credentials have been opened to an attacker.

Rohan: Attackers constantly innovate and develop new techniques. Do you believe the increasing sophistication of cyberattacks makes it impossible for any organization to be truly secure?

Shashank: I’ve always been an offensive guy but after joining MS I worked in defense a lot. Explaining with an example of a pyramid where at the top we have script-kiddies — who have basic cyber skills; what they do is find the exploit scripts or use already discovered vulnerabilities and try to compromise systems using those. They download the script and use it to compromise, which could create quite a havoc; it’s like handing a gun to an irresponsible kid. Most of these attacks get filtered out by automation.

Then come professional actors who are skilled and keep the ability to compromise multiple systems. They might have different day jobs, though as a hobby they pursue this at night. Depending on the skill level, they can be detected by security operations teams or threat hunting teams; some of them can breach into systems nonetheless.

The majority of the attacks are from these two.

At the top of the pyramid, we have the most sophisticated, you may call them elite hackers, or professional hacking groups. Some of these groups are individually run, whereas some are state-sponsored. State-sponsored ones are hazardous as with these a country can attack a different country by using a mask of a third country to complement the collapse, war and economic crisis. The first country, let’s call them Wakanda (from The Marvel), attacks the second country, say the Republic of Wadiya (from The Dictator), by entering into the system of a third country which is Lilliput (from Gulliver’s Travels). Wakanda uses the servers which are deployed in Lilliput to attack Wadiya. Upon analyzing, Wadiya would find clues like logs, messages, fake code comments etc. and patterns which lead to Lilliput, creating conflicts between these two, and Wakanda keeps itself out of the equation.

Rohan: It’s “doosre ke kandhe pe bandook rakh ke chalana” (scapegoating).

Shashank: Correct. That’s why I said they are hazardous because they don’t have budget constraints, this is the day job, they have all the time, are backed by the state, have an abundance of sources and information (via intelligence agencies), have big teams of sophisticated with multiple skilled hackers like someone is good in electronics or industrial equipment or something else. Microsoft is one of the biggest targets because almost every second country's government, govt authorities, projects, departments etc MIGHT use Windows or if not then the base or backend MIGHT BE Windows. As an engineer in the Windows department, we have to be very secure and vigilant when it comes to servers which release patches, or else we are mature enough to assume undesirable consequences.

Rohan: That’s scary, it would simply cripple the entire country in a few. If there is a simple bot which is just pinging, it can bring a detrimental tsunami in the world economy.

Shashank: As Windows updates are now turned on by default, with simple and KB-sized bots, used by the attacker’s central server, released through a compromised patch. If it gets downloaded on, let’s say, 1 million systems, it can compromise these systems instantaneously. Then the attacker can use these bots for whatever they designed the bots to do. You can do the maths now. And believe me, that’s a very basic example. That’s why MS has enabled DDoS protection for external or internet-faced servers, therefore this doesn’t happen, but different types of attacks can happen, for instance compromising share market servers and putting lag in price updating.

Rohan: Cloud & Security. How do you see it?

Shashank: Cloud + Security, that’s an interesting question. From any organisational standpoint who are seeking internet-based solutions get attracted towards the cloud because of the flexibility provided by the cloud. Security is as old as the first walls built around settlements. Decades ago physical servers were reliant but now most of the applications are moving towards the cloud to leverage different solutions like Kubernetes, a very good example of scaling up and down based on requirements. Security as a whole has been bundled as a package along with the basic solutions. Customers can further go for enterprise or bigger solutions. Now, security is a shared commitment, it needs to be shared between provider and vendor. In Azure, we have a term for this — Shared Solutions where there are some parts of security which come down to us — Azure owners, however a certain part goes to the customer. Therefore when you think about cloud and security, it goes like parallel rails of a railway track or perway for the smooth functioning of trains i.e. organizations here. I personally think that security researchers need to develop cloud skills on the cloud side and cloud engineering people need to develop skills in security to provide and architect solutions to the threats which are targeting clouds.

Rohan: I agree with you, organizations must opt for cloud and security in parallel not as two different facets. I watched this talk in Google Cloud Next’23 where the speaker mentioned the loss of $7 Trillion in global revenue due to cyber-attacks and the amount they spent on cyber security solutions is just 3% of the loss.

Shashank: Answer in one word — mindset.

I’m not trying to be controversial here but it’s purely subjective, not presenting my team or MS outlook.

The mindset is the biggest reason when it comes to these impacts. Whenever a solution is deployed security is always the last in the queue, not for all organizations but yes, there are. As humans, we don’t think of a worst-case or worst-worst-case scenario. Usually, it is always a rosy picture. For example, in the case of small organizations instead of proactively assessing their security posture and vulnerabilities to prevent breaches, they passively wonder who might target them and why. And that’s exactly where you have lost the battle. You might not be the target but just caught in between. You also come under that net. In the event of a security breach within a small organization, where an attacker gains access to user information, such as credentials, there is a heightened risk. People tend to keep the same or similar passwords across various websites or applications. When compromised, credentials obtained from a small entity might hold the key to much larger targets, such as financial institutions or influential individuals.

Rohan: Irrespective of your organization’s size, a better security posture must be your KPI.

Shashank: And benchmark too. You have to incorporate security in your solution designing process not as an aftermath. They don’t take security as a benchmark. They don’t think of security in their design process.

So mindset was one reason, and the second is people's unawareness about security implications. In 2020, according to Verizon Data Breach Investigations Report, 22% of all initial access attacks or data breaches happened through phishing emails.

Rohan: Nooooo…

Shashank: Yes, somebody out there crafts a basic email and catches a big fish. Clicking links in the email redirects you to fake lookalike websites, downloads some applications and whatnot leaving you and your organization compromised. Most of the elite hackers' first action is to use a phishing method in order to compromise an enterprise, they don’t target firewalls or routers directly, they target employees especially non-IT. They fully understand people who have designed the backend systems might be smarter than non-IT folks. Teaching security to everyone is as important as wearing a helmet and riding jacket while riding a motorcycle.

Rohan: Was there a situation in your career when you had to wake up in the middle of the night or cancel your trip due to some unintended emergency?

Shashank: Luckily, as of now, no, I have not had any chance to deal in such a way, and I hope not in the near future.

Rohan: One last question; what are the upcoming trends that you’re excited about in cyber security?

Shashank: The major trend that I’m very excited about is indeed AI. Although I’m a bit scared too as it will give a lot of power to script-kiddies, actually not only script-kiddies to an elite hacker because it would automate numerous processes for them (if necessary computing power is available). You can leverage AI to strengthen the defence, however, because AI is only as smart as the data which is already public as of now. We might have feature advancement where times come when AI is already smart enough to generate its own details which are not in public or data which it has not read. We must have to create initial and stronger boundaries. It is a coin with 2 facets.

I will be working with a lot of logs; there are a lot of false positive alerts as well which come in, like someone from the non-tech department, let’s say the accounts team, is trying to open PowerShell which might be supposed to be a red flag. However, it might turn out that there might have been some issue with that particular computer and the admin professional is fixing the computer and has opened PowerShell to patch or upgrade the computer but by default, it’s an alert, a false positive alert. The current verification process is manual and might be lengthy due to analysing logs, understanding behaviour etc. With the integration of AI we can automate the entire process of filtering out a lot of false positives and an engineer can focus on true positive cases complements to more security. Microsoft has already launched a product called Security Copilot which gives customers prompts on security solutions or security suggestions. It would be great to see how it matures.

Rohan: Thanks Shashank, it was great talking to you. Goodbye!

Shashank: It was great chatting about security. Good day, bye.

Read other Silly Sit Downs with Rohan interview.

Follow and subscribe to my Medium space to stay tuned for interviews. Very soon, I’ll be publishing the HashiCorp blogs with collaboration.

To know more about me, check my website. Till then have a good day and Sayonara!!!
