
All right, I'm gonna go ahead and get started. This is our final track two presentation of the day and I think it's going to be an excellent one. We've got Miss Steph Rand and she is going to present "Drop It Like It's Qbot: Detecting Initial Execution Earlier with OSINT."

Thank you, thank you, I appreciate it. Hi everybody, good afternoon. So before I get started, first of all, let's give a round of applause to everybody who's been working really hard and volunteering today for this conference. This is one of my favorites and I'm so happy to be back, and everybody who's been volunteering and helping out, thank you so much. All right.

So first of all I'm going to tell you the talk is not about Qbot. The talk is not about Qbot. It was going to be about Qbot more, but it is going to be about Qbot a little bit less than I had anticipated, which is always fun. A little bit about me before we dig into the content. I said my name is Steph. I'm an IR, or sorry, an intelligence analyst at Red Canary. I've been there for about a year and a half on the CTI team, which has been fantastic. Before that I spent two years doing digital forensics and incident response at Mandiant, and before that I actually was here in Augusta. So five years ago I was at my very first BSides as a volunteer, and I was about to graduate from the School of Computer and Cyber Sciences. Go Jags! So if we've got some other students and folks that are in here, shout out, it's awesome, hang in there, and it's a really wonderful program, so I'm very happy to see folks that I've seen here already. And before that I was in clinical psychology, which is interesting and fun and has helped me in my CTI work, but not in the way that you might think, and I'm happy to answer questions about that afterwards. Folks are usually kind of curious. And fun fact, I've had to admit that my favorite hobby is actually just learning new things. Right now I'm studying French. Please don't try to speak French to me quite yet, I'm working on it with the owl. The owl and I are making progress, but it's going to take a while.

All right, so bottom line up front, because I want you all to see the cake before we bake the cake. Initial execution techniques are really, really frequently changed in today's threat landscape because they're cheap, right? You know, if you think of the Pyramid of Pain, changing a loader script is easy, super easy, and adversaries take advantage of that to try and evade detection as often and as successfully as possible. But if you can keep track of the initial execution techniques and you can keep track of the changes, they can absolutely pay off. Earlier detection gives you time to respond. IR taught me that having as much time to respond as you can, like every minute, is a wonderful thing, and it also lets you stop follow-on activity, hopefully before it starts, right? That's the ideal, that's what we're striving for. We know the adversaries are going to try and put evil onto user machines, and it's our job to detect it and stop it as quickly as possible. So if we can stop it before it even starts delivering malware, that is the best. It's a really good feeling too. And you can use open source intelligence to help you with this. I'm in kind of a privileged position as a CTI nerd, I get to do this full-time. I know that's not the case for a lot of folks, a lot of teams, but you can take advantage of the really, really awesome defenders that are working in the space and sharing information, and kind of expand your team in a way once you find sources that you really trust.

All right, so I want to talk a little bit about sort of where in the execution chain we're talking about, especially for folks who might be a little bit newer to cyber security. So first thing, you've got initial access. Initial access techniques have changed in some ways over time, but there's only so many ways that the bad guys can reach out to victim systems, right? There's only so many points of contact that you can have. You've got different kinds of phishing, you've got SEO poisoning, it's gotten a lot more popular, you have USB threats. Somebody, let's see, whoever can tell me the first USB-based threat off the top of their head gets the giveaway for today. Yes, like the actual, like a piece of malware, like it's delivered via USB. I think you were next. Yes, all right, there are a lot of good choices, so you have won a Bash Bunny USB pen-testing device. All right, there are lots of good choices. Raspberry Robin, I'm a fan, I'm not a fan, but that's another one. Andromeda actually has been an issue, Gamarue has been an issue again, so don't sleep on the USBs.

After initial access you have what we're talking about. You've got that initial execution, you've got the first behaviors that happen on a system, and that's when you're going to see your crypters and your droppers and your loaders. So this is what we're talking about. This is where I'm hoping to help encourage folks to pay extra close attention to the very first set of behaviors that they see, so we can intervene in this space before other things happen: before we have persistence creation, before lateral movement starts in your network, before they can set up C2 communications or reach out to additional remote resources and pull down more payloads. Because like I said, if you can intervene here, if you can stop it here, none of the rest can happen, which is really great. That's what we want to do.

So for part one I have a brand new bird cluster to talk about. So at Red Canary we have bird clusters, Red Canary, so we'll have color bird, and this is actually brand, brand new, like just the last week or so, so I want to use it as an example for one single loader, one single piece of scripting, delivering multiple payloads. Let's talk about DanaBot first, because it's going to start with DanaBot. DanaBot is an info stealer that Proofpoint reported on and named in 2018, and it's been around since then. It's been fairly active, although it did drop off a little bit in activity this summer, which is interesting, and we'll come back to that. There are several different delivery methods that it uses. Phishing is very popular, as well as having it in cracked games and cracked code. And so what will happen with this, like a lot of phishes, is you'll have the phishing site, you'll have the lure, and once you interact with the lure you'll get a zip archive with a VBS script loader. Okay, so I want to give a big shout out to security.net. It's really hard on the endpoint side to get, like, pictures and stuff of the lures and the actual phishing pages, because at Red Canary we sit kind of behind endpoint security solutions and do neat stuff with the data that comes in. So here's kind of what it looks like. So you've got this money unclaimed or property unclaimed, you have several layers of user interaction to lull them into a false sense of security, and then eventually you download your report with your unclaimed property or your unclaimed money, and that gives you a malicious zip with a VBS inside, and it has the same name. So you'll have this very sus directory and you'll get a zip with the username, so it won't say "username", it'll be the actual username, this is all anonymized data, and then you'll have a VBS file with the same name, and you get wscript executing from that very, very sus directory. And then DanaBot goes on to use more wscript, so you get outbound netconns, you have MSI binaries that are created on disk, and then those MSI binaries execute msiexec commands and shenanigans ad infinitum. You don't have to remember all this, I just want to have this there to kind of show you what the VBS script looks like. This is from VirusTotal, it is from the Enterprise version of VirusTotal, so this is from the content section, but there are so many open-source sandboxes that you can go to to find similar data and to take a look at the actual script. So the way it looks is you've got a bunch of junk comments to kind of bulk it out, provide some level of obfuscation, and then you've got plain text commands. Depending on the version of DanaBot you'll have different plain text commands lurking, sometimes they're obfuscated, sometimes they're not.

So in September, like last month, September, we had some activity. We saw this behavior, we saw a phishing lure with a zip archive that contains a VBS script. Okay, all right, we have good detection analytics for that. We have good detection analytics for wscript executing from a very suspect directory. This is a very familiar looking naming convention, and the VBS loader script, it was all junk comments and in plain text. So the payload was not DanaBot, it was DarkGate, which was surprising. We hadn't seen these points of activity, this initial execution, we hadn't seen it with anything other than DanaBot up to that point. So DarkGate, surprise surprise, DarkGate. DarkGate is like the new hotness right now, y'all. I will talk about DarkGate more than once today. So it's a very popular malware-as-a-service loader. It started getting offered on cybercrime forums this past summer, and it's got a lot of really neat built-in features, which is why the bad guys like it. You know, they're currently looking for something that does a lot of built-in automated evil, because one of their favorite payloads has been taken off the market, as we'll talk about in a bit. And one of the key features of DarkGate, and being able to tell whether or not you've got early DarkGate execution, is you'll see wscript spawning this really interesting command that will include renamed curl and renamed AutoIt being created on the system. So that's just kind of what DarkGate
looks like very initially. So I thought that was weird and I wanted to figure out what had happened. I had all these competing theories. You know, you could get very tin foil hat, I'm sure that y'all have been in this place where you see something you're not expecting, the theories can get crazy. I'm like, did the DanaBot actors, like, create DarkGate? Are they the same people? I've never seen them in the room at the same time together. And so the best place to start is looking at the data. Where does it start? We have an awesome analyst on our team, Tony Lambert, who has brought us all into the concept of the Cotton Eye Joe theory of malware analysis: where did it come from, where did it go. So we've got to start with where did it come from.

In October we saw that zip VBS naming convention and it was definitely DanaBot. So this is absolutely a DanaBot payload that was ultimately delivered by what I'm going to say is a script that was written to download and continue executing additional payloads. So you've got this 2-5-3 naming convention of random characters. June, same thing, 2-5-3 is DanaBot. August, in August it changed a little bit. So still sus directory, still got the username, but now we've just got this 3 naming convention. That's not a big change, but it is a change, and it's a change that can be useful, can be leveraged for more information. This is still DanaBot, by the way, absolutely still DanaBot that was delivered after this thing, this loader continued to deliver its payloads. So like I said, we get to September, we see the same pattern, we see this 1, and it is absolutely DarkGate. Since DarkGate is the new hotness there was a lot of really, really good information sharing right off the bat, so we were able to keep track of kind of what domains were associated, what IPs were associated with DarkGate activity, so we can very reliably say the payload that was going to be delivered from this loader was going to be DarkGate. And same thing, in fact every piece of DarkGate malware or DarkGate payload that we saw in September had this 1 naming convention. And it wasn't just that too. So like I said, remember I mentioned that the scripts look the same, like really the same, like really a lot the same. These are not the same: you've got the junk comments, you've got plain text commands, but they led to different payloads. And all of that says to me, and said to us at Red Canary, this is something that's independent of the payload. This is something that you could attach a payload to and it will deliver the payload for you.

So just real quick, Red Canary clustering methodology. So to create a cluster at Red Canary, and this is a whole talk on its own, like threat naming and clustering is a big thing. First of all, we prefer for there to be a known community name. As you know, there are a lot of community names available to use, and threat names are all about categorizing behavior. It's all about coming up with a shorthand, so when you're speaking to somebody else you can say "oh, I saw DarkGate" and they know "oh, here's what DarkGate does, that's what it looks like." So if we can go ahead and use somebody else's term for that, that's good, we're communicating effectively, which is the whole point of naming the threats: to categorize that behavior. If we see unique commonalities across multiple incidents, and I don't like to say "ideally multiple environments" because that's not great, but it does create a pattern. One-offs can't be tracked, but patterns can. And we kind of create this distinct criteria for what we would say, you know, these qualities, we'll check these boxes, this activity is this threat, we will give it a cluster name, we'll give it a color and a bird. And that gives us, this time around, Saffron Starling. So Saffron Starling as we're tracking it is this zip archive that's got the VBS loader in it, it's got that sus directory, really interesting file creation, the VBS script has those common patterns, there will then be an outbound netconn to pull down additional payloads, and so far, so far, we've only seen DanaBot and DarkGate. But the nice thing about it is now we're tracking it, now it's on our radar as something that is distinct from these threats. So if we only see it get to the point of file creation we can still track it. We don't have to be like, well, we don't know what it was going to be, was it going to be DanaBot, was it going to be DarkGate, we don't know. We can track it really precisely, which is fun for us.

And I want to, of course, give some mitigation strategies. This one I'm going to come back to more than once because this is so neat. So one way to mitigate these loaders that love to exploit script execution is to create a GPO that will only let certain scripts open and execute automatically, and it will not let the others that are more high-risk execute automatically. It will have them open in, for example, Notepad as text files. So if this VBS script gets downloaded and you have a GPO in place where VBS scripts for most users open as text files, the end, that's it, you've done it, you've cut it off at that place of initial execution. There are detailed steps, I will make sure that everybody has access to this link, we included it in a blog on Bo loader earlier this year. You will need to test this, but think about it, consider if every user in your environment needs to be able to open and execute every kind of script that there is, WSF, VBS, do they really need to be able to do that? One thing to kind of think about. And I also want to give you a detection opportunity that will work for multiple threats as well. So this is very broad strokes pseudo analytic code: looking for wscript or cscript executing from that AppData directory. And you can actually make it even more distinctive, you can have the zip file and the VBS file together, because that is a pattern that we have seen other threats use, especially if it goes on to do more stuff from that directory. If there are additional netconns or child processes or file mods, that is probably going to be worth a look in your environment. So again, like I said, you're going to need to take a look at your own environment, do some road testing, see how you feel about it, but it's an option. It's good to have options.

So for Saffron Starling, final thoughts and kind of takeaways from this section. First of all, don't make assumptions. It's so hard to do, and you know, we talk a lot and think a lot about our biases, especially as analysts and as investigators in this field. You know, we can only operate out of our own perspective. The more we can be aware of how that changes how we view things, the more we can kind of, I don't want to say rise above it, but we can work with it instead of having it cloud our judgment. It's really common, especially in the industry, to just look at all the execution as one monolithic piece of software: this is all DanaBot, this is all DarkGate. But if you can kind of peel it away, sometimes you can find, in certain circumstances, these examples where it splits apart, which is nice. It gives us a little bit more discrete tracking, and being able to do that, being able to detect behavior early and being able to hopefully shut it down as quickly as possible, helps prevent that payload execution or even that payload delivery, which is great. That gives you faster detection and it gives you broader coverage. So now let's say you've got these Saffron Starling detectors in your environment, these rules. Yeah, you might also have DanaBot, DarkGate detectors, but if you've got Saffron Starling you've got more coverage, so the same thing is going to set off your rules for a bunch of different threats. And the more analytics you can get to fire, the more chances you have of catching that true evil and making sure your analysts, who are very busy and who have alert fatigue, are able to get eyes on the things you really want them to get eyes on.

Which brings us to part two. Part two was going to be more about Qbot. This is the slide that I had created when I first gave this talk, which has been retooled with all new examples for multiple reasons, and then about a month ago this happened. There was a multinational law enforcement effort to shut down Qbot, aka Qakbot, aka Pinkslipbot, infrastructure. So part of Qbot infrastructure was that it had a botnet of infected systems that was being used primarily as C2 infrastructure, so those were shut down, and it's actually been fairly successful as far as I know. I don't believe that we have seen, and we have not seen, any active Qbot since that wasn't a previous infection. So that's been impressive, but it did change the direction of the talk just a little bit. So as I was kind of thinking about what am I going to talk about, can't talk about TA570 and Qbot, and TA577 decided to hook me up with a topic and with a lot to talk about. So I have been updating this presentation down to the wire, like yesterday, because it has been a busy season. TA577 is back from vacation,
let's talk about them, bless their hearts. So TA577 is an initial access broker and malware distribution group, and they were named by Proofpoint initially, and they're really big into prolific phishing campaigns. Now I'm talking about hundreds and thousands of emails going out on a major campaign day. It is unreal the amount of activity that these jerks can generate with one of their campaigns. When they were more active earlier this year and doing a lot of Qbot distribution they were known as the letters affiliate. So these folks have been around for a long time. They were initially also known as TR because they use letter pairs in their malware configuration, so if you actually go in and start breaking down the malware you have these campaign ID values in a lot of different types of malware. So there's a few things like, like I said, TR, BB, I think AA1 is one of the current campaign identifiers. Historically they favored Qbot, loved Qbot, Qbot was their bread and butter. October was like TA577 Qbot month, you know, they'd come back from vacation, getting ready for the holidays, got to make money, it's just absolutely a nightmare. And they've also delivered other things, so that's the thing about these threat actors. They've delivered IcedID before, they've delivered Matanbuchus, I do not know if I'm saying that right, and they've delivered Ursnif as well. And so we all kind of knew that they weren't just gonna not do anything anymore, because especially this TA has used other malware families before. One thing about this TA is that they operate in cycles. So like I said, this chart, this is Qbot activity, so this is a combination of Qbot TA570 and TA577 activity observed at Red Canary over the last couple of years. And like I said, you'd have these really intense months, these really big campaigns, and then they would take a little break for a little while. I think it's pretty common across the industry, sometimes we'll see less activity in the summer or over certain holidays, and TA577 is no different. The difference about this particular TA is that they do development cycles. TA570 and 577 appear to do development cycles and test different initial execution techniques to see which will be the most useful in the next big campaign. Proofpoint has a really, really great white paper that they put out earlier this year about that topic, it's fantastic. And they make these changes really fast because, because they do these dev cycles, they've got backup ideas and they're using scripts, which like I said are cheap and easy to change. And it's surprising how much tweaking a few things here and there can really make it hard for products and for defenders to keep track of who is doing what with these loaders. But I say that, it sounds very bleak. You can detect and track these loaders before the payload. Can't promise. We did it with Qbot, which was great. We got to the point where we were working with different folks, we were using OSINT, we were able to identify TA570 and 577 loaders really quickly before anything else was able to happen. And the nice thing, like I said, when you get these prolific adversaries, you get defenders who love to make them have a bad day, and the more of a pain the adversary is, the more people delight in just ruining whatever they can for them.

So just in the last couple of weeks, and I will have more links, I have had help from all of these folks who offer their information for free online. The Curated Intel team is fantastic, the Cryptolaemus team is fantastic. I know the bird site is a controversial thing, but so many malware researchers and CTI analysts are still really active there. Love the DFIR Report. I'm on abuse.ch resources like daily, they're wonderful, and the people who help contribute to those resources are fantastic, fantastic analysts. And then of course vendor teams, folks like Proofpoint who originally discovered these actors and kept up with them. It's wonderful. So like I said, once you get an idea of who you might want to have on your team, so to speak, who you trust, then you can use their intel and you can just run with it. And so when on September 22nd Deutsche Telekom CERT put out this notice that they had seen a new TA577 campaign launching a DarkGate campaign, woo, like I said y'all, DarkGate is the new hotness. I think there's, as far as I know, five or six current ongoing campaigns using DarkGate as their favorite payload right now. So we saw this. Deutsche Telekom does wonderful work, their CTI team is fantastic, and so the researchers who had previously worked with Qbot and 577 started really digging into it. Deutsche Telekom shared details of the activity that they had seen, so they shared some of the initial files that had been created, they shared the initial downloader command, and they shared, as you can see, this is the same DarkGate loader or a similar DarkGate loader that we saw before: you've got renamed curl and renamed AutoIt. And I really want to focus on, remember, going as early as we can, that first file creation and the initial downloader. So on September 26th the loader, we're just going to call it "the loader" for right now, dropped IcedID. The next few slides that I'm going to click through are going to be information from pr0xylife's GitHub repos. pr0xylife is an amazing member of the Cryptolaemus team and they have been keeping up with this threat actor for years, and they do all this malware analysis, they share it, they update it like to the hour, they put it in their GitHub repo, they put it on Twitter, and I absolutely trust their analysis, and we use it really heavily, because it's like having somebody who's 100% dedicated to ruining this threat actor's day on the team already. It's fantastic. So I took a look at the GitHub repo, and what's gonna happen as we go through the slides, you'll see a few of these things are in bold. Everything that we have already seen this loader do, as the slides progress, I'm going to highlight in bold. So based on the Deutsche Telekom data that was shared, we've already seen this admin AppData\Local\Temp folder being used, we've seen curl with this weird obfuscation in it, we've seen this combination of reaching out to an IP address with this strange three-letter identifier token, maybe, in the URL. And so this is kind of where we're starting with IcedID. Two days later we've got IcedID again, same loader. So now we've got, okay, we've got a few more things, we've got some of the original DarkGate Deutsche Telekom CERT information along with the previous IcedID loader. So again we've got this really interesting pdf.lnk initial file creation, the command has mixed case, we've got these echo and ping commands that are showing up, they love that folder so much, that directory, they love it, and they love rundll32, and they have since before this campaign, they loved it when they were distributing Qbot too. So you start seeing the ping, the ping is getting executed. October 1st, now we've switched payloads on October 1st, and look at everything that we had already seen this loader do by the time we get to the next payload. Everything that that loader did on the 1st had already been publicly shared. So again, it's tricky, you've got more obfuscation, things are a little bit different, but it makes it trackable. And I'm sure those of you that are rule-minded are seeing maybe some slightly brittle opportunities, granted, especially when it comes to things like file names or string matching regex patterns, they can be a little tricky to maintain over time, but it's a place to start, and sometimes they can actually last a lot longer than you think they will, which is fantastic. October 3rd we have the third payload of this campaign, and it is PikaBot. PikaBot is very similar to Qbot, and again, new payload, but we've seen these things, we've seen this same kind of command being executed to then pull down these payloads. Now admittedly, on the 4th it did change a little bit more dramatically, which is gonna happen. The thing about this threat actor, again, is they're very savvy, this is their job, is this distribution, and then they sell initial access to wherever they're able to get into. So they're going to change things more dramatically as their lures, as their phishes become less successful over time. But there's still details. You've still got that same directory with the same weird pdf.lnk file, they're still doing weird stuff with 1 g.exe, and you've still got this log file, they actually used that a couple of slides earlier. And October 5th there's more PikaBot. Again it got a little bit more obscure, this one is really interesting, they switched to JavaScript instead of the pdf.lnk file to execute the initial loader, but there's still patterns. And so if you're still looking for suspicious DLLs or rundll32 execution, there's still opportunities to catch this loader before it delivers PikaBot.

So like I said, this is kind of summing up all of the things that we have seen in this campaign, which has delivered so many payloads. There are still themes, there are still patterns. You've got that directory, my god, they love that directory so much, this is a great directory to keep an eye out for weird things executing from it, especially if you think that this particular threat actor might be
one of more concern to your organization or if you've seen them previously because they love to reuse it um you've got a lot of command line obfuscation mixed case carrots got these random ping and Echo commands they're using curl. exe which they have also used to load uh cubot in previous uh campaigns as well got rund deal all 32 execution like I said they love rund de32 and there's there's more so these opportunities are there and I didn't do any big fan analysis to find this out I'm just a nerd and I just went and looked at what the loaders look like in the repo because this is like my new thing is to talk about how early can we get how far
apart can we get the payload from the first thing that happens on the system so the payload becomes a non-issue it's the best feeling when you see like that initial pdf. link file get downloaded and we see it and nothing else happens it's just it's so good it's so awesome I would like this for all of us I like this be the case for or possible so um I don't want to dis with kind of ideas foral and things you could look for for this because we're in the middle of the campaign I don't want to give you detection opportunities that have been Road tested I am going to give you mitigation ideas remember that G I
mentioned about not letting evil scripts execute in your environment it works for this too which is wonderful so again like I said consider it think about it on OG gpos can be kind of abstract but something to consider and somebody pointed this out to me after I gave the talk the first time W script. exe is actually in Microsoft's recommended block rules so you want to go take a look at uh some of the block rules that they have suggested judicious use of them can be extremely useful depends on your org depends on what doing but again if you can just have the thing not work that's ideal all right so final thoughts for ta
TA577. And for this section, like I said, this threat actor does like to change their TTPs, and it can be daily. In really intense Qbot campaigns, like the one we had earlier this year with all the OneNote fun in February, they were changing TTPs sometimes within hours of each other. But if you follow trusted community sources, you have a huge advantage, because you already know these researchers. I know that as soon as TA577 starts up shenanigans, pr0xylife and all these other researchers are going to be on it, doggone it, and they're going to get that information out publicly as soon as they can, because this is their passion, and I'm so grateful for it.

And that initial access detection, like I've been saying, reduces your risk. In a perfect world it keeps the payload from even getting onto the system. And, like I said, additional mitigation strategies can help. Since script execution has been so very popular as an initial access or initial execution method, it's worth considering how you can reduce script impacts in your environment, if possible.

All right, as we come to the end of our time together, what are our key takeaways? You already know, because we did the bottom line up front, but let's go over them again. As you've seen, initial execution techniques are very frequently changed and updated, because it's cheap and easy for adversaries to do that, to change their script just a little bit, enough to throw us off. But if you can get into the weeds and track these initial execution techniques, track these loaders and separate them from their payloads, it can pay off. You can have more detection time, which is invaluable. You can potentially stop follow-on activity before it starts. And the thing that I really want to bring home is that you, yes, you here today, can use open source intelligence to help you do this. You don't need big fancy tools. You don't need to be in the secret Slack channels that all the malware analysts are in, or on the super secret industry Discord. All of this information that I've shared with you today is out there; it's being shared.

I don't want to just say that and then not tell you what some of my favorite resources are. I have a list on Twitter, like I said; I'll make sure the slide is available, and I'll make sure the list is available. A lot of the researchers and analysts I've mentioned are already on the list, so that's something to think about. I know Google is not OSINT, but your trusted favorite search engine can initially find some of these strings. I've had really good luck. We had a crypter earlier this year that I was able to figure out was a crypter because I was just Googling weird strings and found some awesome sandbox information that was available. So search can be helpful. I love VirusTotal; VirusTotal is a huge help, especially if you do not have your own dedicated malware analysis team, or if you want to see what other people are seeing. It's very useful for that. I love abuse.ch; like I said, I'm on their sites on almost a daily basis. Joe Sandbox and a bunch of other publicly available sandboxes are fantastic. Two thumbs up for CyberChef; if you haven't had a chance to play with it before, you can, if you want to do some of this analysis yourself. You can get into it, and there are a ton more options. But if you're able to find your own favorite sources, like I said, it just gives you so much bang for your buck in your investigations. It's almost like you've grown your team with these experts and pulled them in, which is a win for all of us.

And that comes to the last of the content I have for you today. We have time for questions, and I would love to take questions. Yes?
That's a good question. So the question is, for things like mixed case, is that something you can use to discern whether the commands you're looking at, or the loaders you're looking at, are from a specific threat actor like TA577? It's true. The thing about mixed case and those kinds of text obfuscation techniques is that you really can't do any kind of attribution with them. It's a cue, but, for example, like I said, Raspberry Robin also uses mixed case, and they're associated with Evil Corp. So unfortunately that's not as good of an indicator for specific attribution, but it is going to tell you that it's evil. I have not seen very many legitimate admins decide to use a lot of mixed case; yeah, a typo here and there, but it's a cheap and easy way for them to try and fool AV detection in particular without having to put forth a lot of effort.

...to corroborate that that can happen?

So the question is, if you've got developers that are using Easter eggs, or using terms or references that they're very fond of, are they kind of tipping their hat a little bit? That has happened. Sandworm is a great book, if you haven't read it yet. There have been threat actors that have used very specific recurring references in their code, and that has absolutely waved the flag to eventually let defenders know exactly who's doing the work. So yeah, it absolutely does happen. Like with anybody who writes code, people make typos that are consistent, people have their favorite way of putting different functions together, and you can absolutely start to peel those apart if you get access to enough data. Yeah, absolutely. Any other questions?
Yes, possibly, yes. So the question is, will instituting a GPO policy to block things like, as you said, wscript in particular, or VBS, potentially cause a lot of problems in IT? The answer is yes, it could. It absolutely could, which is why you have to very carefully test that before rolling it out. This will not work for all scripts in all environments, especially if you do have a lot of folks that are doing legitimate dev work. But for those cases where maybe you do have a whole swath of users that don't, you can create a policy for them if they're not anywhere near any of the dev environments. So again, it will require a lot of testing. You're absolutely right, it will create big problems if you don't road test it a bit beforehand. Yes?

Do you know why they're so... oh, this works. Do you know why they're so aggressive in October? Just the sheer spike that they hit, and then it dramatically drops off a cliff. Do you have any insight into why that is the case?

I have speculations as to why that is the case.

I'd love to hear.

So I'm not sure if that feed will come through, but the question is, why October? Why is there just a dramatic increase in October, and why does it drop off so significantly? I think that it's because everybody's back from vacation, and some places have different vacation months than other places; some countries have vacation later in the summer. My hypothesis is that they come back from vacation, do a dev cycle, get ready, run everything in October, and then they have a month or two to work the access that they've gained in the meantime. So they do this big campaign; it's almost like a marketing campaign. They get all these leads, and then they follow up on the leads over the next month or two, until it's time to run another one. Right? It's the support maintenance cycle, baby. It just always kind of blows my mind how professionally organized some of these groups are. Yes, in the back.

For those who are interested in entering a career in malware intelligence analysis, what pathway would you recommend for entering the field?

Good question. So the question is about what pathway I would recommend for entering the field. You said malware analysis?

Yes, ma'am.

That's a tricky one, because I'm going to say it depends. I know, it really does. It depends on what you're interested in. So do you want to do exclusively blue team work? Do you want to do a little bit of analysis to help develop red team tools? Those pathways are going to look really different. So that would be the first place I would start: do you want to do red team, blue team, or purple team? And then just do your best to take advantage of the free resources that are available. Like I said, CyberChef is fantastic, and there are some really good courses available for CyberChef; some are available free online. I know Applied Network Defense has a really excellent CyberChef course; if you haven't taken that yet and you're interested in CyberChef, I hear it's fantastic. So that would be my first recommendation, and then after that it's just a matter of finding good opportunities. The thing about this field that I've noticed is that everybody's path into it is different, and that's wonderful. It makes it stressful when you're trying to figure out, where is my path, how do I get in there? But the fact that everybody has a different journey into cybersecurity is lovely; it gives us a lot of perspectives. It makes it harder; you have to have that internal momentum and push yourself forward. But if you can do that, you can pave your own way and figure out what you want to do, what you like to do.

Awesome, thank you.

Yeah, you're welcome. Good question. Any other questions? Thank you all so much. It's been such a pleasure. I hope you've had a wonderful day here at BSides Augusta. Safe travels home, y'all. Take care.