Microsoft Threat Intelligence Podcast

Octo Tempest Threat Actor Profile

Nov 1, 2023

The podcast discusses the activities and tactics of a threat actor called Octo Tempest, such as SIM swapping, SMS phishing, and living off the land. It highlights their bespoke and persistent nature, as well as the importance of separating high-privileged accounts. Other topics include assuming compromised passwords, testing security controls, and the need for help desk protocol.

46:15

Creator website

AI Summary

AI Chapters

Episode notes

Podcast summary created with Snipd AI

Quick takeaways

Octo Tempest is a financially motivated threat actor that employs advanced techniques like sim swapping and SMS phishing to avoid detection and execute engagements quickly.

Organizations should implement strict protocols for help desk operations and assume that passwords are already compromised, focusing on strong multi-factor authentication measures and red team exercises to enhance security.

Deep dives

Octo Tempest: A Fast and Persistent Threat Actor

The blog discusses the threat actor Octo Tempest, whose advanced and persistent tactics make them financially motivated and a major concern. They use re-imagined techniques and exploit weaknesses in organizations, particularly through social engineering. Octo Tempest progressively advances its motives, targets, and techniques, continuously upskilling their craft. They employ tactics like sim swapping, SMS phishing, and live off the land techniques to avoid detection. Octo Tempest executes their engagements quickly, often shifting tactics and persistence mechanisms within minutes. Their goal is financial gain, with ransomware and extortion being their primary methods. They modify security measures, sabotage defenses, and are adept at adapting to an organization's specific environment. Their dwell time in victim environments is notably low, and their use of legitimate software and tools makes them harder to detect. Organizations should focus on strict controls for highly privileged users, separate privileged and user accounts, and assume that passwords are already compromised. Red teaming exercises that simulate Octo Tempest's tactics and incorporate their tools and techniques are recommended for organizations to enhance their security posture.

Introduction

2min

Octo Tempest: Tactics and Techniques

15min

Octo Tempest: Tactics and Characteristics

15min

Importance of Help Desk Protocol and Stringent Controls for Highly Privileged Users

4min

Separating High-Level Permissions Accounts from Normal User Accounts

7min

Assuming Compromised First Factor and Leveraging Access Management Gaps

2min

On this week's episode of The Microsoft Threat Intelligence Podcast, Sherrod DeGrippo is joined by Microsoft threat research experts to talk about the activities of a threat actor known as Octo Tempest (which overlaps with research associated with 0ktapus, Scattered Spider, and UNC3944) and the blog released by Microsoft threat intelligence and Microsoft incident response groups. The discussion covers various tactics, techniques, and procedures Octo Tempest employs, such as SIM swapping, SMS phishing, and living off the land rather than using traditional malware. Octo Tempest is portrayed as a highly bespoke and hands-on threat actor, often engaged in "keyboard-to-keyboard combat" and showing extreme persistence even after being detected.

In this episode you’ll learn:

Techniques used to modify email rules and evade defensive tools
The contrast between tailored attacks and automated targeted threat actors
Why organizations should separate high-privileged accounts from normal user accounts

Some questions we ask:

Is there an end game for OctoTempest, and is it always ransomware?
What is the importance of assuming the first-factor password is already compromised?
How can organizations test controls and alerting for their security posture?

Resources:

View Sherrod DeGrippo on LinkedIn

https://aka.ms/octo-tempest

Related Microsoft Podcasts:

Discover and follow other Microsoft podcasts at microsoft.com/podcasts

Get the latest threat intelligence insights and guidance at Microsoft Security Insider

The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of The CyberWire Network.

Get the Snipd
podcast app

Unlock the knowledge in podcasts with the podcast player of the future.

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

Save any
moment

Hear something you like? Tap your headphones to save it with AI-generated key takeaways

Share
& Export

Send highlights to Twitter, WhatsApp or export them to Notion, Readwise & more

AI-powered
podcast player

Listen to all your favourite podcasts with AI-powered features

Discover
highlights

Listen to the best highlights from the podcasts you love and dive into the full episode

Microsoft Threat Intelligence Podcast

Octo Tempest Threat Actor Profile

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

Octo Tempest: A Fast and Persistent Threat Actor

The Importance of Strong Help Desk Protocols

Defense in Depth and Assuming Compromised Passwords

The Value of Red Teaming and Keeping Security Measures Updated

Get the Snipd
podcast app

AI-powered
podcast player

Discover
highlights

Save any
moment

Share
& Export

AI-powered
podcast player

Discover
highlights

Microsoft Threat Intelligence Podcast

Octo Tempest Threat Actor Profile

Podcast summary created with Snipd AI

Quick takeaways

Deep dives

Octo Tempest: A Fast and Persistent Threat Actor

The Importance of Strong Help Desk Protocols

Defense in Depth and Assuming Compromised Passwords

The Value of Red Teaming and Keeping Security Measures Updated

Get the Snipdpodcast app

AI-poweredpodcast player

Discoverhighlights

Save anymoment

Share& Export

AI-poweredpodcast player

Discoverhighlights

Get the Snipd
podcast app

AI-powered
podcast player

Discover
highlights

Save any
moment

Share
& Export

AI-powered
podcast player

Discover
highlights