How threat intelligence became key to Microsoft's computer security

John Lambert Microsoft global head of threat intel and security research credit: Microsoft and Shutterstock

Microsoft global head of threat intel and security research John Lambert charts the tech giant's transformation into a cybersecurity superpower.

Probably anyone who has ever used Microsoft software, which is pretty much everyone, is familiar with the message. After one of the tech giant's software programs crashes, for example Office or Windows, the system asks you to send a report about the fault back to the company. For years, these reports helped Microsoft fix thousands of software bugs, but only in 2007 did the company realize that the billion reports received every month also have great value in the field of security. The first to recognize this was John Lambert.

It all began when a customer reported a cyberattack. After Microsoft investigated the matter, it found that this was a zero-day attack: one that exploits a flaw in the software that the vendor does not yet know about, and so has not yet patched.

Obsession with analyzing crash reports

At the same time Lambert, a cybersecurity expert, and other engineers at Microsoft began identifying a pattern of crashes on other computers. All the crashes were connected to the same type of attack, and Lambert understood that something was concealed here that could help detect cyberattacks at an early stage. In the following months he became obsessed with analyzing crash reports.

"The thing about zero-day attacks is that the attackers cannot try them before using them, and they don't always work," Lambert tells "Globes." "It is possible that the weakness was in the French version of Windows and the attacker tried to attack the English version, or they expected a user to open a document in a 32-bit version of Office and in fact he used the 64-bit version. These things sometimes cause the operating system to crash, and through these crashes it is possible to detect disguised attacks."

Lambert's obsession with analyzing crash reports paid off a year later, in 2008, when he used them to uncover one of the most serious vulnerabilities ever found in Windows. The flaw, in the Windows Server service (catalogued as CVE-2008-4250), let an unauthenticated attacker execute arbitrary code on a machine over the network: read every file the user had on the computer, capture the screen and basically do whatever they wanted on any computer running Windows. The weakness was so serious that Microsoft broke from its routine of releasing security updates on the second Tuesday of each month and immediately released an urgent out-of-band patch, MS08-067, on October 23, 2008. Within a week, about 400 million computers worldwide had already installed it.

The story can be considered a great success for Microsoft, and Lambert became a kind of cybersecurity legend at the tech giant, but it did not end well. In December 2008, about two months after the security update, a new worm called "Conficker" attacked millions of computers that had not installed the update in time. By exploiting the same vulnerability, the worm breached the computers of the German Army, the British Royal Navy, the Houston court system and a hospital in Sheffield in the UK, among many others. Conficker remains one of the most damaging worms to date.

Lambert, who is today global head of threat intel and security research at Microsoft, came into the field almost by chance. "After studying at university, I worked at IBM, and as somebody new there, when it was decided which area each person would work on for the release of the next version of the software, I was given the last pick. The area no one wanted was security. It wasn't a feature, it was something we had to do in the product, but I fell in love with the field," he chuckles.

After three years with IBM, he moved to Microsoft in 2000, and has been there since. Today Microsoft is a major security power with 8,500 security employees in 77 countries, including large activities in Israel that are led by Michal Braverman-Blumenstyk, CVP at Microsoft Corp., GM of Israel R&D Center, and CTO of Microsoft Security.

Lambert himself manages hundreds of security personnel, some of them in Microsoft Israel's R&D Center.

But back in Lambert's early days at Microsoft, things were very different. At that time Microsoft had a problematic image in everything regarding security, with a series of worms (self-propagating malware) penetrating the defenses of Windows and embarrassing the tech giant. "At every security conference there were jokes at Microsoft's expense," Lambert admits.

Lambert and others understood that something had to change, and they passed the message on to the top. The top, in this case, meant the legendary Bill Gates. "I was in a meeting where we explained to Bill Gates that security is this huge thing, and we needed the entire company to get involved in it. Not just specific teams. We told Bill, 'you need to write a memorandum about it the way you did with the Internet in the 1990s,'" Lambert recalls.

Gates understood the need to change priorities

Gates did indeed send out an email in January 2002 to all employees with the subject line "Trustworthy Computing." The email became iconic, with Gates insisting that security took priority over adding new features to software. This was a revolutionary approach. "Ultimately," wrote Gates, "the software needs to be secure, mainly so that the customer won't need to worry about it."

Following the email, Microsoft established a "Trustworthy Computing" group, of which Lambert was part for a decade. The aim of the group was to toughen up the company's products by identifying and dealing with security vulnerabilities. "One of our roles was to conduct final security checks before sending out the product," Lambert recounts. "This was a new procedure at Microsoft, and the company wasn't used to external teams coming and deciding whether the product could be sent out. The first time that I undertook the procedure, the managers had decided that they were sending out the product on Friday, even though they had failed the final check. I raised this all the way up to Gates and he instructed them to hold back the product. After that everybody on the management chain understood that there was something real here and they fell into line."

In 2014, Lambert was handed a new mission at Microsoft. He was chosen to found Microsoft's Threat Intelligence Center (MSTIC), a position he held until last June, when he moved to his current position, to which additional areas of responsibility have been added. The threat intelligence team was born as customers moved from managing their own servers to public cloud platforms run by companies like Microsoft and AWS.

Microsoft quickly discovered that this shift complicates life in terms of security. "When the customers moved to the cloud, they brought with them their enemies, who tried to attack them there," explains Lambert. "And suddenly, we needed a group that would focus on those enemies, monitor them and disrupt them even before they attacked."

In the threat intelligence center, which has been described in the past as a type of elite unit within Microsoft, they track attackers from all over the world. This could be a gang of hackers from Russia wanting to conduct ransomware attacks for money, or attackers identified with the government in Iran trying to hit strategic economic targets. Among other things, they tell customers that they are being targeted by hackers.

"We want to know what the focus of the opponent is and what sectors they attack and what types of organizations. This is critical information to know how to defend," Lambert explains. "After we understand the tools and the tactics and what malware they are using and if they are working to destroy, to steal information, or to spy, we allocate a name to it on the table of elements as if it were mercury or polonium."

Iranian attack on Israel and the US

In October 2021, Microsoft's threat intelligence center reported that hackers linked to Iran had attacked more than 250 Office 365 customers, with a focus on companies developing defense equipment in Israel and the US, ports in the Persian Gulf and Middle East shipping companies. The attackers used password spraying: trying a handful of common passwords against a large number of accounts at the same time, rather than many passwords against one account. Because each account sees only one or two attempts, spraying stays under per-account lockout thresholds; it shows up instead as many distinct accounts failing from the same source in a short window. "In at least 20 cases it succeeded," Microsoft reported.
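The detection logic that the shape of a spray suggests, written here as an added example (not Microsoft's or MSTIC's code) over a constructed sign-in log: group failed sign-ins by source address, slide a time window over them, and flag a source when many distinct accounts fail while no single account fails more than a couple of times. The log format, the threshold values and the addresses are assumptions for the illustration; brute force against one account is deliberately not reported, and accounts that later authenticate from the spraying source are listed as likely compromised.

```python
"""Password-spray detection over sign-in logs (added example with constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry); one event per line:
# <ISO-8601 timestamp> <user> <source IP> <SUCCESS|FAILURE>
# 203.0.113.7 sprays eight accounts once each, then logs in as carol.
# 198.51.100.9 brute-forces alice alone (not a spray).
# 192.0.2.5 is a user mistyping a password once.
SAMPLE_LOG = """\
2021-10-05T08:00:01Z alice@example.com  203.0.113.7  FAILURE
2021-10-05T08:00:04Z bob@example.com    203.0.113.7  FAILURE
2021-10-05T08:00:09Z carol@example.com  203.0.113.7  FAILURE
2021-10-05T08:00:15Z dave@example.com   203.0.113.7  FAILURE
2021-10-05T08:00:21Z erin@example.com   203.0.113.7  FAILURE
2021-10-05T08:00:30Z frank@example.com  203.0.113.7  FAILURE
2021-10-05T08:00:42Z grace@example.com  203.0.113.7  FAILURE
2021-10-05T08:00:55Z heidi@example.com  203.0.113.7  FAILURE
2021-10-05T08:03:10Z carol@example.com  203.0.113.7  SUCCESS
2021-10-05T08:10:00Z alice@example.com  198.51.100.9 FAILURE
2021-10-05T08:10:05Z alice@example.com  198.51.100.9 FAILURE
2021-10-05T08:10:11Z alice@example.com  198.51.100.9 FAILURE
2021-10-05T08:10:16Z alice@example.com  198.51.100.9 FAILURE
2021-10-05T08:10:22Z alice@example.com  198.51.100.9 FAILURE
2021-10-05T08:10:29Z alice@example.com  198.51.100.9 FAILURE
2021-10-05T09:15:00Z dave@example.com   192.0.2.5    FAILURE
2021-10-05T09:15:20Z dave@example.com   192.0.2.5    SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, ip, result) tuples, time-ordered."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user.lower(), ip, result))
    return sorted(events)


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {ip: finding} for sources whose failures look like a password spray.

    A spray is at least `min_users` distinct accounts failing from one source
    inside `window` while no single account fails more than `max_per_user`
    times: the pattern that stays under per-account lockout thresholds.
    Thresholds are illustrative assumptions, not tuned production values.
    """
    failures = defaultdict(list)   # ip -> [(ts, user), ...] in time order
    successes = defaultdict(list)  # ip -> [(ts, user), ...]
    for ts, user, ip, result in events:
        (failures if result == "FAILURE" else successes)[ip].append((ts, user))

    findings = {}
    for ip, fails in failures.items():
        j = 0
        for i in range(len(fails)):
            # Advance j so fails[i:j] is every failure within `window` of fails[i].
            while j < len(fails) and fails[j][0] - fails[i][0] <= window:
                j += 1
            counts = defaultdict(int)
            for _, user in fails[i:j]:
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                start, end = fails[i][0], fails[j - 1][0]
                # Sprayed accounts that later authenticated from the same source
                # are the "it succeeded" cases and need a password reset.
                compromised = sorted({u for ts, u in successes.get(ip, [])
                                      if ts >= start and u in counts})
                findings[ip] = {
                    "distinct_users": len(counts),
                    "attempts": j - i,
                    "start": start.isoformat(),
                    "end": end.isoformat(),
                    "likely_compromised": compromised,
                }
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for ip, finding in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

Keying on the source address is the simplest version; sprays from a proxy pool spread the attempts across many addresses, so in practice the same window is also applied per user-agent string, per client application or per ASN, and a legitimate shared egress address (a large office NAT) needs an allow-list or a higher `min_users` to avoid false positives.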

When you look at the activities of hackers identified with Iran, would you describe them as sophisticated?

"Much of what we see is tactical or operational sophistication. They don't use new zero-day attacks that link five vulnerabilities together, but we see that they are trying to use a lot of muscle and act quickly, to enter the network before those protecting it understand what happened and how to respond to it.

"But with all due respect to Iran, the biggest and most powerful event of the year in terms of cybersecurity has undoubtedly been the war between Russia and Ukraine. A report published by Microsoft in April, two months after the Russian invasion of Ukraine, described six state players associated with Russia who conducted more than 237 cyberattack campaigns against Ukraine in order to destroy and gather intelligence. These attacks often complemented what was happening in the conventional warfare, in what Microsoft defined as 'hybrid warfare.'"

For example, on March 1, at the same time as a missile was launched at the TV tower in Kiev, a Russian actor opened a cyberattack against another media body, the biggest Ukrainian broadcasting company. At the time that Russian forces surrounded Mariupol, many Ukrainians received emails from a Russian actor posing as a resident of the city and blaming the Ukrainian government for neglecting its citizens.

"At the beginning of January, before the outbreak of the war, we saw a wave of attacks designed to create fear by defacing websites or leaking gigabytes of information about residents. After the outbreak of the war, Russian use of cyberattacks became more tactical, like attacks on security cameras in the field that would give the attackers visuals of what was happening in the street," Lambert explains.

"Cyber doesn't wear army boots or capture land"

Nevertheless, those who expected cyber to be an important part of a Russian victory in Ukraine were wrong. Russia did not win as easily as it thought, and cyber was less dominant in the battles than first estimated. "Cyber doesn't wear military boots. It's an element that can give an advantage in the right situation, but it won't capture land," remarks Lambert.

Perhaps we exaggerated Russia's cyber capabilities, and they are less powerful than we thought?

"There was a lot of help and assistance that Microsoft and others provided Ukraine. From an early stage, we gave Ukraine threat alerts. At first, we wondered how we could contact a media organization in Ukraine or an organization that deals with natural resources in the middle of the war. We thought that the chance of us reaching them was maybe 10%, but in practice 90% of the time we were able to contact them, give them the information directly and see how they took the information and used it to repel the attackers from their network. This happened daily.

"Many of the Russian groups have not used zero-day attacks in order to penetrate networks, but use vulnerabilities for which updates have not been installed. We used technology from a company called RiskIQ, which we acquired (last year, for more than $500 million), to scan the Ukrainian government's network from the outside and see what vulnerabilities attackers could see. The government then went ahead and closed up the breaches. Even if hackers are sophisticated, they still have limitations."

John Lambert was raised in Louisiana and graduated in 1997 from Tulane University, New Orleans, with a B.Sc. in Computer Science.

Professional: After three years at IBM, joined Microsoft in 2000. Worked for 10 years in the "Trustworthy Computing" team to improve product security and in 2014 set up the Microsoft Threat Intelligence Center (MSTIC). Today he is global head of threat intel and security research.

Something Extra: He likes outdoor trips and is an active tweeter with 44,500 followers on Twitter.

Published by Globes, Israel business news - en.globes.co.il - on September 1, 2022.

© Copyright of Globes Publisher Itonut (1983) Ltd., 2022.
