
Putting cyber threat intelligence into geopolitical context


Do not underestimate your risk of nation state network intrusion.

—Fanta Orr
Microsoft Threat Intelligence

When she was young, Fanta Orr never imagined she would have a cybersecurity career. Instead, she found her path in public service, where she spent nearly 14 years looking at security through a geopolitical lens. When a friend told her about a new type of position opening at Microsoft in 2019, she leaped at the chance to embrace a new challenge.

“The job focused on the confluence of cyber threat and geopolitical intelligence analysis,” Fanta says. “That was the start of my cybersecurity journey. I jumped into the cybersecurity deep end here at Microsoft and am so glad I did.”

Fanta thanks Tom Burt, CVP of Customer Security and Trust, and Cristin Goodwin, former head of Microsoft’s Digital Security Unit, for taking a chance on her as the company’s first threat context analyst, a role with an aspirational goal but no clear roadmap or established processes to achieve it in the beginning. “Cristin, my subsequent teammates, and I all built the plane while flying. It was a scary but exhilarating experience.”


Now a director of intelligence analysis for the Microsoft Threat Analysis Center (MTAC), Fanta leads a team that conducts strategic analysis of nation state cyber threat activity, essentially placing cyber threat intelligence in geopolitical context to uncover the possible “why” behind the activity.

By identifying and communicating the “why” behind a particular threat actor campaign, Fanta explains, we can better prepare and protect customers who might be vulnerable targets. For example, in the run-up to Russia’s full-scale invasion of Ukraine in 2022, our Microsoft Threat Intelligence team identified Ukrainian customers at risk of cyberattack in the event of conflict escalation, based on the sectors a nation at war would want to hit to weaken its adversary and on the locations of unpatched and vulnerable systems. Establishing that monitoring practice and tipping our Ukrainian partners to vulnerabilities in advance helped threat hunting teams harden vulnerable systems, spot anomalous activity, and push product protections faster.

Unpacking the potential “whys” behind nation state intrusions involves bringing what we know about geopolitical developments, history, foreign policy goals, and current events to discussions of cyber tactics, techniques, and procedures (TTPs), and victimology. A typical day for Fanta includes following the latest international and cybersecurity news and reviewing the latest Microsoft Threat Intelligence findings with her threat-hunting colleagues, who bring different perspectives to their investigations.

Recently, Fanta and her team have been observing a rapid evolution of cyberwarfare tactics on the battlefields of Ukraine (for additional insight on hybrid warfare trends emerging from Ukraine, see 7 emerging hybrid warfare trends from Russia’s cyber war).

“This is the first time we’ve seen the deployment of cyberattacks as part of broader warfighting on this scale,” she says, “and we didn’t anticipate how big a role nonstate actors—cyber volunteers, hacktivists, and the private sector—would play in this conflict.”

To illustrate, Fanta shares how new partnerships between public and private entities have helped Ukraine defend its networks and information spaces. By hunting for threat activity, writing code to fortify security products, and blogging to raise awareness about malicious indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs), the collective efforts of Ukrainian cybersecurity professionals and international public and private communities have made work harder for threat actors attacking Ukrainian networks.

“They say many hands make light work. In this case, it has been many hands on keyboard.”

Fanta notes that her work tracking nation state actors benefits those outside the government sector. Nation state actors don’t just target government organizations, she cautions. In fact, she observes, non-governmental organizations, think tanks, educational institutions, and consultancies are among the most frequently targeted sectors of the economy.

“To customers in industries outside of government, do not underestimate your risk of nation state network intrusion.”

Related articles

7 emerging hybrid warfare trends from Russia’s cyber war

What can be expected from the second year of Russia’s hybrid war in Ukraine.

The cyber and influence operations of the war in Ukraine’s digital battlefield

Microsoft threat intelligence examines a year of cyber and influence operations in Ukraine, uncovers new trends in cyber threats, and what to expect as the war enters its second year.

Defending Ukraine: Early Lessons from the Cyber War

The latest findings from our ongoing threat intelligence efforts in the war between Russia and Ukraine, and a series of conclusions from its first four months, reinforce the need for ongoing and new investments in technology, data, and partnerships to support governments, companies, NGOs, and universities.
