
So welcome to "Dear Blue Team." Basically, this is advice for your non-forensics people from the eyes of someone who does forensics. So before I get started: the thoughts and opinions I express today are mine and our IBOs. The reason I say this is I'm a senior security architect at idea. I've been a system administrator, a security engineer, a consultant; I do some incident response as well. Won the 2017 DerbyCon Social Engineering Capture the Flag, so I'm out for blood this year at DEF CON, but we'll see. I write blogs, I have a podcast, Advanced Persistent Security, and Helio Gracie said you either win or you learn; in Brazilian Jiu-Jitsu I learned a lot, because I basically tap out online, so
but I've not trained in a while lately, so it's okay. But that just proves I do things besides the computer stuff, I guess. So why this topic and why this talk? In the process of taking SANS Forensics 508, which corresponds to the GCFA (it's the Advanced Incident Response, Digital Forensics, and Threat Hunting class), I was being very academic and I was using Bloom's taxonomy, and I was reflecting on and synthesizing the data that had been presented to me, and I'm like, why aren't we doing this? So this talk is basically the outcome of the thoughts of my own reflection on the 508 course. So before we get started, we're gonna drop a little baseline knowledge
to try to make sure that everyone's on the same wavelength, so we can get into the more advanced ideas. So basically, what is DFIR? It's digital forensics and incident response. Digital forensics, basically, that's the technical aspect of reconstructing what happened. Incident response is the actions of the business, including digital forensics and other aspects such as PR, HR, accounting, etc. So incident response and incident handling: that's another term that is sometimes used interchangeably, and to some degree they are the same, but there are many differences. So basically I went to the SANS website, the Internet Storm Center, and found basically the fact that incident handling is the logistics, communications, coordination and planning functions for the incident; the response
is supposed to be more of the technical side as well. And here at the bottom we have the SANS incident response process, sometimes referred to as PICERL. The phases are preparation, identification, containment, eradication, recovery, lessons learned. So the majority of your time, unless you're getting hit all the time, we spend in the preparation phase. Everything that we do for security until an incident occurs is part of the preparation phase of incident response. So when you're configuring your firewall or configuring your systems to pull a GPO and test, those are all parts of the preparation phase. And basically this talk focuses a lot on that preparation phase, because there are a lot of things
we can do that we just aren't, that would make life a lot easier whenever we're in later phases such as containment, eradication and so on. So with that being said, we always hear buzzwords. Now, I like to play buzzword bingo; pair with it and you play the drinking game, I'm sorry, you may be drunk by default. But basically we hear about threat intelligence, sometimes cyber threat intelligence (so take another drink for the word cyber); we might say CTI. But basically, you know, where does it fit into the equation? Is it a consumable, or is it a deliverable of the incident response and forensics processes? Anyone? Anyone? Is it a consumable or a deliverable? Yes,
correct. So basically it's just something you have to keep in mind: you can use that threat intelligence to do better assessment via forensics or threat hunting or whatever, or you may be collecting artifacts based on something that you put together and you may come across something and say, you know what, this might be worth sharing, and then you go from there. So understanding that forensics and threat intelligence are not the same; it's a symbiotic relationship where one feeds the other. And then at the bottom, of course, I've kind of already spoiled that, so we know that threat hunters can trigger the DFIR process and vice versa: DFIR can produce threat intelligence. So getting into the
forensics perspective: so we have types of forensics. Whenever I heard forensics for the first time, all I thought was file system forensics; I didn't even think about the networking side. It's like, oh man, it's just going to be taking the entire disk image and then go in and scrape it and see what I can find. And to some degree that's true, but that's mostly file system forensics; that's completely ignoring the fact that we have network and memory forensics as well. And actually this presentation is gonna focus more on the memory forensics side. But if you want to play with some tools, you can use SIFT. In terms of the operating system, it includes most of the tools that I've
listed here under all aspects, except for, like, Redline and FTK Imager, because those are Windows-based. And then the SIFT I use is Ubuntu. You can also use REMnux, which is built for reverse-engineering malware; you can actually install SIFT on top of REMnux and REMnux on top of SIFT if you want to do that as well. There's another one, CAINE, the computer aided investigative network environment; I've never really played with it, but I know of its existence. To some degree Kali has some of the tools, but I don't think it's really looking at it from the perspective of I want to do incident response and I want to do forensics to
get information; it's more of, I have this memory image that I was able to snag during a pen test, let's see if I can throw Mimikatz on it. And then Mercenary Linux: it used to be a thing, I'm not sure if it is; their website's very fake. I've reached out and I haven't heard anything, but they used to be a distro solely for threat hunting. So speaking about threat hunting tools and techniques: I'm sorry for any vendors here, but I'm gonna dispel some snake oil for you for a moment. Threat hunting is nothing more than proactive forensics. You're going in, you're collecting everything, you're basically doing a forensics investigation, but you don't know what
you're looking for quite yet. You could be specifically looking for specific indicators of compromise based on intelligence, or you just may be looking for the purpose of looking. In terms of benefits, it can certainly make your incident response process faster, it can make it easier to analyze, and honestly it's taken a lot of time. The con to this is it's actually expensive, and it's not something I would actually recommend hiring a consultant to do, solely on the fact that it's based upon normalcy. A consultant in, say, a 24-hour engagement is not going to be able to get in your network and understand what is considered to be able to find anything of value within that
timeframe. Sure, they may find some things, and if you have a very sophisticated team they may find a little bit more than others, but if you have the capability of doing it internally as far as security... But with that being said, there's a certain level of maturity: if you don't have an incident response team or an incident response plan, you have no business even thinking about threat hunting. Honestly, you have a lot bigger things to worry about. In terms of the Critical Security Controls, I don't have a scent, but I would say if you're not meeting the first five and then at least half of the remaining 15, you're probably not ready. You're not tall enough to ride the ride
to do threat hunting, solely on the fact that this is icing-on-the-cake type stuff. If you don't have an inventory of your authorized and unauthorized hardware and software, well, what's the point, right? It's all in vain, because you don't know if the system's valid or not, if they're supposed to be on the network. Or you may have an overzealous executive that bought some Internet of Things whiz-bang doohickey to connect to his Amazon Echo in his office, and he happens to have a corner office next to the street, and attackers can walk by and exploit a signal, right? If you don't have the inventory, how are you going to do this? So something to
keep in mind is it's not something that the company is going to do right out the gate. So looking at the difference: within digital forensics, really there are few prerequisites. The biggest prerequisite is an incident; that's pretty much it. It's reactive in nature, and you're gonna find it either via monitoring or, my personal favorite, the feds are going to knock on your door and say, yeah, one of your IP addresses is trying to infect us with malware. And it's not the phone call you get from the "Microsofts" that says that all the malware is trying to infect our servers and they need you to log in. They're not gonna ask to log in; if
they're going to log in, they're going to show you something in writing signed by a judge that's going to say, yeah, we're logging in. It's not going to be like, give me your password. But whatever. We look at it from the perspective, when we're doing forensics, we're trying to get things up and running and return to normal as quickly as possible. Because at the end of the day, anyone here that works in forensics, anyone here who has taken a SANS course in the forensic pipeline can tell you that they heavily advocate: take the time, evaluate the atmosphere and determine what's going on, collect all the intelligence, get everything you
can. Well, the business people are going to disagree: time is money, they want it back up and running quickly. So many times you're going to lose a lot of valuable intelligence for that reason. On the flip side, to threat hunting: again, maturity, size, capabilities. If you don't have a dedicated incident response team, you may not want to look at it. But it is proactive; again, as I said earlier, it is based around what is normal, and you could consume that threat intelligence and go looking for something specific, for example WannaCry, Shellshock, CVE-2018-10641 (purely kidding, not, yes, I just got my first CVE this last week, so that's this evening network), but
anyway, we're gonna try to identify anomalies based on that. But again, we keep going back to this whole was, and the other thing is, we're not basing this on a time objective with threat hunting; that's another reason why having a consultant do it is probably not a good idea. But guys, yeah, but it gets old. You can pay them 24 out; you can say, you've got 24 hours, pentester, here's the scope, and more than likely they're going to gain access. Again, they may be able to do this with threat hunting, but they're not going to have the requisite knowledge to be able to get really in the weeds like you need them to. So before we get into
the fun part, listen, I'm just going to give you the standard forensics talk right now, right? So we always hear: log everything, do it verbose, do remote logging, protect your logs. Logs are going to make you or break you; that's just the real-life matter. You can have a really cool timeline, you can have really cool memory images, but you're gonna need some logs too, so it's worth having that. And then we say inventory everything. What does that entail? Okay, well, that means that we know what hardware, what software we have on the network. Okay, cool. If you want to do that in an automated manner, there's a PowerShell script called con something, actually;
it will actually use PowerShell and WMI to a chair game that Bose would write it back to, which is pretty cool. But we completely forget the whole hashing thing, right? But I'll get into that. You didn't have some sort of downtime; you might want your own NTP server, you may just want to use time.nist.gov or Microsoft or whomever. But if you've got multiple locations, if you're a global company or you're across several time zones, you need to set a standard time zone for all logs. You don't want to have to be doing the math in your head about, okay, this happened in Atlanta but the time is... yeah, yeah, you don't want to do that math. Time,
again, time is money. But with the baseline, so I'm going to get into that; that's kind of the meat and potatoes in this. So again, with the soft skills, you kind of got to take into account: who do you want them to notify? How do you want them to notify you? I'll give you a hint: if someone's clicked a phish, you probably don't want the notification to be via email. So know the fact that you should probably make the assumption that your email system has been compromised and the attacker can read every single thing that comes across. That's where things like Slack, Mastodon, texting, the Signal app, Wickr, things like that; carrier pigeons, smoke signals, Morse
code, Campbell's soup cans on a wire, anything, face to face; just have a way to report it. And the thing is, and this is where as an industry we fail our constituents, the non-tech people of our organizations: we expect them to know everything about security. Well, maybe not everything, but enough to where, man, that user was so stupid, they didn't even do anything. No, the user may be stupid; I mean, I won't deny that there are stupid people out there, I've met a few in my day myself, everybody. The reality is we need to tell them exactly what we want them to do, how we want them to do it. I always think back to when I was in the military: next
to every single phone was what they called a bomb threat worksheet, and it was a list of questions that you asked, such as: where is the bomb? Why are you doing this? What will detonate it? Will it be detonating based on a time? Okay, why can we not put these kinds of worksheets next to computers? I'm all for using whatever color network cable you want, but I'm a huge fan of using the same color consistently throughout your organization. I think of, how would I explain this to my mom? If I say unplug the network cable, every single cable's going to get unplugged from the back of that machine. If I say unplug the yellow cable, and the network cable is
yellow, it's going to get unplugged and nothing else. So that's a reason to have that same color everywhere. So you could say, you know, lady who works in the call center, who's worked here for 40 years, who still has a flip phone and absolutely despises technology: if something happens, unplug the yellow cable, or better yet, take scissors and just cut it; it's okay, we'll get a new one. But with that, you know, we need to know, from a perspective of incident response, what actions do you want them to take, right? I can't tell you the right answer, but the right answer varies from organization to organization. Do you want them to power it off, send it
into hibernation mode, reboot it, disconnect it from the network, disconnect it from power? What do you want them to do? And it all depends on what your defined response is in your incident response playbook, for later, back to the whole maturity thing. So you don't want to do things that can disrupt the chain of custody; you don't want to do things that could absolutely put you belly-up in court. Like, if you have a compromised account, disable the account; don't change the password. If you do that, then now non-repudiation is out the window; if someone maliciously did something within your organization, you've given them a way to weasel out of it in court. If you get infected with ransomware
that came across any session that was hanging out on the public Internet, not behind a VPN, on a VM that had the administrator account with a four-character password (not that this ever happened; I said I've met stupid people, right?), don't delete the VM before the incident responder gets there. Yep. Yeah. But respect the chain of custody; that's the one thing. It's one of many things, but it's the main thing that you can put a hacker or an incident responder right beside the lawyer and they'll both understand. You do the same thing with the cop: they understand that process, because it's a defined process that we stole from law enforcement. They have a defined way they collect the evidence:
they put it in the bag, they have their gloves on, they seal the bag, they sign it, they date it, they pass it to the next person, the next person signs. Respect that, because if you have to go to court, you're going to need it. So now that we're out of the standard forensics talk, let's talk about some cool stuff like memory analysis. There are several tools you can use to acquire this. FTK Imager is one; if you use Google Rapid Response, or Rekall, which is a fork of Volatility, you can do it that way; F-Response; and then Mandiant has the Intelligent Response, MIR. In terms of assessing, Volatility and Rekall from the command line, and then
you've got Redline, which is a product from FireEye as well, or Mandiant/FireEye. But there's a tricky piece to it: you want to use a version before 1.20. They did away with the Malware Risk Index in version 1.20 to make it load faster, but that's one of the most useful things in my opinion. So I'm using version one four, and if you want to play with it, which I'll show you (I've got a demo for it coming up), the one percent why it's valuable, and possibly go with that version. But basically, what are we trying to do with memory forensics? We want to know what's running on the live system.
There are some things that may have not made their way to logs yet, so there may be things that may never make their way to logs. I mean, with the memory image you can basically run netstat if you want to; that's something you might not be able to do me along connects spend a lot of time doing a lot of regular expressions to parse that. You can use it to replace a lot of your Sysinternals tools, like ProcMon, ProcDump; those are all plugins that you can use within Volatility that will basically do everything Sysinternals will. I've got a close friend that does malware analysis; I'm like, have
you been grabbing your memory images? Could I get a few to play with? He's like, I don't take memory images, I use Sysinternals. I'm like, you're doing this in a VM, right? Yeah. Why don't you pause it and steal the memory? And in doing so, he started to, and then he started playing with Volatility, and, like, his process basically went from, like, a nine-hour process to about five. So it helped him out pretty tremendously, because he wasn't scrambling to find out everything; he was able to perfect all the artifacts more rapidly. But you can also use it to cross-reference with other analysis methods, such as the network or the file system. If you look at
like netscan, which is the Volatility plugin for networking, it's basically netstat. You can look at that and say, well, this host was going to this IP address; let's look at the network logs. Okay, we've got a packet capture, let's take a look, let's go carving through that and see what we can find. But something that, I mean, it is putting two and two together; it's using all your own resources. And Volatility could even create a timeline, and then basically you add in your file system timeline; now you see what's going on from the memory perspective and the file system perspective. You are not relying solely on the file system for the timeline,
because, again, some things will not make their way to the file system in terms of creating artifacts. And then of course we can use it for malware and registry analysis. A good key for the registry analysis piece: if you know a specific registry key, you can actually query it in Volatility and it will actually give you the registry key creation date. And when I took the course, I did OnDemand and Rob Lee taught the course, and he's like, this right here is a trigger: a registry key creation date, most adversaries out there cannot modify it. The adversaries out there that can, you're not even going to know they're in your network, so don't even worry about it.
So, you know, if you want to take a drink, that's, I think you started at nation-states, not sure. But some of the capabilities of Volatility: so we can dump passwords and hashes; you could run Mimikatz, you can do a hashdump if you want to pass the hash or whatever you can do. Rogue processes: there are a lot of really cool stuff, like psscan, pstotal, all of that fun stuff. With pstotal, it will actually create a dot file that you can convert to an image like a PNG, and whenever you view it, it will actually color-code the processes that you
should look at more thoroughly; so again, making more efficient use of your time. DLLs: you can actually carve those out, upload it to VirusTotal: okay, yep, it's got the signature; or upload it to VirusTotal, no one's ever seen it, okay, let's get the hashes. But in into a thread the gate key that's when things were really installed. malfind, malsysproc: those are going to review several of the other plugins heuristically and give you a false sense: does it meet the check, is it consistent. And basically, if you see a lot of falses, it's probably worth taking a closer look at. So with this valuable analysis, we should get a sample with each update. So
effectively what I've just said is: every single computer on your network, you need to get a memory image of every computer with every update. Yeah, storage is money. I see Brian back there kind of turning red, 'cause he's like, oh man, everyone is trying to cost me a lot of money. But why don't you, like, have a golden image for one, like the standard image for your entire organization that you maintain version control on and you update? Why don't you press play on it and get a memory image of that? You don't need to do every single host. And then use templates: internet has some software that IT doesn't, IT has stuff that accounting doesn't, and so on. Get an
image of each of those templates, executed, after the memory, store it off to the side. You do an update to the image, same thing. I'll tell you why in a moment. But anyway, we have a thing called prefetch. It came with XP, and basically we're just trying to find out how to start applications faster, so it's a cache of sorts, but it's not a cache; the next slide's about the cache. But basically, if you don't see the prefetch, there's one of two things that's happened: it's not configured or it's been deleted. Knowing this now, if I were ever to, you know, like, go total black hat and start doing, like, malicious things for money, as soon
as I buy, prefetches went bye-bye, straight up. Prefetch and the Shimcache, which is right here, the Application Compatibility Cache; as I said, there's a cache on the next slide. So basically with this we're gonna find the full path, the standard information and everything about it, any process-of-execution flags or anything along those lines, we're gonna find it right here. Okay, this is only the tip of the iceberg. But when we're talking about processes, we talk about hashing, we talk about the baseline side. Okay, well, we need to know what software is installed at which version. Yeah, that's great; what's the hash of it? What happens when someone trojans svchost? What happens when they trojan another vital DLL or
file for the operating system? It's gonna show the right version, but it's the hash; they're just creating the need for file integrity monitoring. You can do this several ways. I'm a huge fan of just doing a for loop to find a bunch of files, who won the ashes for catching them, save it to a flat file. Okay, whenever you're running through things and, okay, these hashes don't match, go ahead and do a fuzzy hash using ssdeep, which is a byte-by-byte hashing, to see exactly what changed. It's basically a cryptographic diff; it'll work to your advantage immensely. Know what's in your registry; you know the hash of your registry, you know the values; compare it often.
Sometimes things hang out there that we don't want hanging out, but how are we going to know it's there if we're not monitoring? You know, just policy: like, you could very easily use regular expressions. I'm a huge fan of using regular expressions to parse out whatever I want. So it's there, we know what it is, we know what expression we're looking for; simple script, do it, check it: does it match? Yes, okay, good. No, notify me. So with those baselines, those memory baselines I talked about, Volatility has three plugins for this: we have the process, the service and the driver. So we have that memory image that we got with the golden image, and
now we have an infected machine; we're not scrambling to find and don't get most to compare this to, we already have the image. So we can actually compare these two memory images in Volatility and it will actually give us the output in a meaningful way. And this goes back to what I was saying about time is money, storage is money: if you're doing it on every single host, that's gonna take a lot of time. If you're doing it manually, script it, find a way. You know, you'll always hear from people in programming: if you do it once, do it; if you do it twice, okay; you do it three times, script it; you do it four times,
automate it. So keep that in mind. So, demo here for a RAM Capturer, but I've got another slide after this, so I'm going to go ahead and go to the slide and come back and do all the demos at once. So I'm not gonna get too heavy into the network forensics side, but just take pcaps as often as possible. Again, you're gonna take up space as well, so, I mean, I wish I was starting a storage business, because I could probably make some serious cash if I were pushing this really hard. But integrate with your SIEM. You can get things like NetFlow; NetFlow is gonna give you the metadata, really a lot like what NSA likes to collect about
people: like, they don't know what you were talking about, they just know who to, for how long and when, and so on. NetFlow is going to give you the same thing, as well as bytes or bits per second, how many total, so forth and so on. Logs: I can't state how important those are. Vulnerability data: if you're not maintaining a vulnerability management program, you probably want to go back to that, because you're about to start creating some incidents for yourself anyway. So, and it's low-hanging fruit for the most part. But you can actually carve packet captures, and that's what I'm going to show you with NetworkMiner as well. You can do it with Wireshark, but I
think of things from the perspective, I'm trying to do it in the most efficient way possible. And, I mean, you could run regular expressions through Wireshark, but NetworkMiner is just going to dump it for you right then and there. So let me shift this over for the demo piece.
So if we want to take an image of RAM, I'm just going to show how we would go to do it; I'm not going to actually do it, as this machine has 12 gigs of RAM and that's going to create a 12-gig file, so probably not worth it. But anyway, we just go here and we could say capture memory, give it a path, there's the file name. Do we want a pagefile? Do we want an AD1 file? That's all on us. But it's not to be given true light meeting is free. I don't like to advocate for things that you actually have to pay for in my talks, because, I mean, I'm not a
salesperson, so I have no reason to. So if you want to start getting a memory image to play with, this is where I'm going to get it. So from here we have NetworkMiner. So I apologize, I can't zoom in with this, but I'm just going to load a pcap, all the way to couple. So right here it's an SMB PuTTY transfer; notice I have PuTTY installed right here, but it's not running. So here we can actually see all the situational information, such as the IPs, the IP addresses communicating in the capture. We can find out things about the MAC, the vendor, sent, received, so forth and so on. We can even go over
here, look at some parameters, so we might be able to get some data out of that. Sometimes you'll even come across some credentials that were passed in plaintext, session IDs and such. But then, like, right here, we've got five, interesting. So with this we can do a few things. So we can calculate the hashes; so if we think this is malicious, we need to calculate the hashes, go to VirusTotal, go to ThreatCrowd, ThreatMiner, OTX, the X-Force Exchange and whatever else, check and see if it's there. Alternatively, we can also put it in our own threat intel feed. We could open the folder; so if we want to upload the file itself to VirusTotal or
wherever, right, there's the way. Or, I mean, doing it with this is safe; it may not be safe elsewhere, but we can just open the file.
This file doesn't want to open today. It's okay; what's gonna happen is they're all gonna open at the same time. But there it is. So I just opened PuTTY that I had carved out; so I opened the executable, but it already had my configuration file. So we can do this from a different perspective: I'm going to pull up a different packet capture. So let's take a look at Neutrino exploit kit. All right, this is a lot busier in terms of connections. So here you're going to want to look at things like internal and external connections: do we have a reason to talk to these IPs? Does it make sense to communicate on these ports? Pretty
standard analysis. We'd go look at the parameters as well; so here we're seeing an HttpOnly flag was set. Okay, we all know all that; you can parse through it if you'd like. Sessions as well; here's a credential that was passed. But then here are some files, and I'm not about to open these, sorry, I value this machine a little bit. But anyway, I would say take a look at the size; I always start at the largest file and work my way down. So it's a Shockwave file, and yes, if you upload it, the Flash, to VirusTotal, it will say yes, this is malware. So you have a packet capture, something you suspect to be malware: this is an easy way to be
able to get it and do more rapid analysis. This does not take the place of Wireshark; if you have the time to do Wireshark, go for it. If you're having to do it on a budget, whether that budget be time or skill, NetworkMiner's good. NetworkMiner's free; you can get a paid version, they'll send you a license key on a thumb drive for $1,300. So I mentioned Redline, so I'm just going to move in a previous analysis here.
What happened, five years... let me just do this. So it says it s about man's, so I'm going to send as many at the analysis file, not sure. But anyway, how do we want to do this? Do we want to start a collection? I always just say full live response on a memory image. So right here we have the MRI, the Malware Risk Index. It looks, this is red; this immediately gives you something to look at, a little bit of context, so you can start looking for an event before and after, associated PIDs, parents, the children, in terms of events and hits as well. So you can see why I've said you want to use this
version and not the newer version, just solely so you can get this red bubble, basically. But you can find out other things linked. So we take note that this is PID 6404; we can look here at the process hierarchy and we just go searching for 6404, and we're going to look for it in the PID. There it is. Okay, so we see that it came from PsExec; it also spawned a thing called spinlock.exe, which spawns spinlock again. Nothing could possibly be fishy about this, right? And PsExec should always be spawning weird executables that you don't know about, right? I mean, it happens to me all the time, at least
three times on Tuesdays, twice on server; I think it takes Saturday off. But anyway, we can also see here svchost.exe. Well, hold on a minute: svchost doesn't exist in the dllhost directory; it's in Windows System32, this is in a child directory of that. Hmm, I bet that played into the MRI score. But it's definitely something worth looking at in terms of what's going on here. And then through a little bit further analysis, we can take a look at some details, so we can even find out if there are any switches with it. Like svchost, for example, should always have the -k switch; this may not have that, and right here we see that it doesn't
have that within the arguments. So we see the parent is PsExec. What else is going on here? Are there any duplicates? No. You just go through: is it communicating on any ports? Why yes, it is; it's connected to... it's actually trying to do a broadcast connection on port 80. [Music] Don't really connect up to a lot of internal hosts on port 80, right? What, are they web servers? Oh my god, someone's gonna get .255 to a web server, right? Anyway, find out some stuff with the strings, events, anything with a registry key, yeah, if there's anything abnormal. Not everything's gonna happen; it's just, it's there if you want to use it. So it's
definitely worth looking at so close that and here I have this is SIFT and I've already mounted this raw memory image so here we'll just uh
we'll say that we've got that bottle and see here what do we want to do don't want some passwords passwords just mimikatz I'm trying to go with the quicker plugins as opposed to the ones
yeah summation races now we're loading mimikatz if you make any money off of a share with me though look there's some passwords we've got a direct line with mimikatz so let's take a look and see what's going on from the network perspective right okay so basically we're gonna run netstat see almost identical the next step we can even go further and start ripping things out as well that's the beauty of doing this in Linux for f-e graphic you can you sed awk whatever unsure as to why something showing low display okay and then here I'll show you the output of malfind so basically this carves it out and you're able to look at some
of the assembly of the file headers within the binaries themselves so MZ that tells you it's a portable executable right so Windows it's definitely worth looking at svchost.exe okay it's definitely something worth looking at and look it's PID 6404 again this is all something we would have already been cued in on PID 6404 from looking back at Redline so when you're doing this you can easily grep for that PID or write to a file and then do the grep analysis later well so we have here well you can actually take the hibernation memory image here and use imagecopy to create a regular memory image for analysis but in volatility another thing so I'm gonna do an
imageinfo this one does take a while
so with this one is going to find some information about the KDBG is going to give us things such as the operating system service pack version and these are things that we actually have to define I've already done an export profile command so that it's loading there's a variable for volatility and I don't have to type it --profile= every single time but that's basically pretty much everything with that Carol's going to stop this and we'll we'll take a look at the pstotal thing here so
so this is a PNG file notice all the red highlighted stuff all stuff to look at
so right there there's another taskhost to look at rdpclip these are all just things to look at there's various color codes for various types of things I'm not overly well versed in the color codes but they do exist if there's something you're interested in you can certainly take a look at it this doesn't to my knowledge this does not come native to SIFT if you take a SANS course you'll get this version but I think you can also download it from their GitHub as well so I'm moving back to the rest of the presentation
so we already covered the network forensics we've got the the demo piece so you went in here who knows Adrian Sanabria can get a good kick out of this because he can see clearly now the rain is gone ironically what we don't know about this is at InfoSec World in April in Orlando there's a vendor there that had an owl he would perch on your hand and he was doing his impression of the owl but we cropped the owl out because well that's just not controversial so with that being said the only contact me here's my contact information I've got that again at the end so I won't stay on the slide too long I got a few other things for you I
want to bring some awareness to my mentorship program that I've put together in partnership with a peerless call through the happy glass Brian Austin and I have basically identified that academia does great things certifications do great things but we still have companies looking for people with 8 to 14 years experience with the theory or they want you to have it's an entry-level job that requires the CISSP I'm not going to go down that rabbit hole but anyway basically what we're working on doing is we are assigning mentors to mentees based on what you are passionate about and it's going to allow you to basically work with someone who knows what they're doing to give you
reading assignments writing assignments learning based exercises labs and then ultimately a thing called the range and it's operating on what I call a five by five model five levels of difficulty five roles the roles being harden attack monitor respond animals the difficulties single system three to five systems small office/home office homogeneous enterprise heterogeneous enterprise so you can actually get legit experience and after someone comes in an emerging system if you are in the if you're learning pentesting or hacking in general you will go in and try to weasel your way into what someone has hardened at the conclusion of it all of them are going to basically be on the call together and say this is what I learned
everyone's going to produce a report as well I mean we're not looking for like hundred pages with words but something because let's face it it doesn't matter what you do within this industry you write reports even if you're a SOC analyst you write a SOC shift report so it'll be as appropriate there's the contact information for it here's my other funding speaking engagements how much faster on purpose since I am in Atlanta at the Baltic returns to Atlantis September 13 and 14 if you want to get in for free here's coupon code absorb it there's as many as we want
and then back to the slide any questions
all righty [Applause]
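The three svchost.exe checks walked through in the demo (image directory, the -k switch, and the parent process), as an added example that is not part of the talk. The process records, the child directory name and the non-6404 PIDs are constructed placeholders; treating services.exe as the expected parent is general Windows knowledge rather than something stated in the talk.

```python
import ntpath

# Constructed sample process list (not output from the talk's memory image).
# "example_child" is a placeholder directory name.
PROCESSES = [
    {"pid": 500, "ppid": 400, "name": "services.exe",
     "path": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\System32\services.exe"},
    {"pid": 900, "ppid": 500, "name": "svchost.exe",
     "path": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"pid": 6000, "ppid": 500, "name": "PsExec.exe",
     "path": r"C:\Windows\PsExec.exe", "cmdline": r"C:\Windows\PsExec.exe"},
    {"pid": 6404, "ppid": 6000, "name": "svchost.exe",
     "path": r"C:\Windows\System32\example_child\svchost.exe",
     "cmdline": r"C:\Windows\System32\example_child\svchost.exe"},
]

# Assumption: only System32 is accepted here; a 64-bit host also has a
# legitimate copy under SysWOW64, which this narrow check would flag.
EXPECTED_DIR = r"c:\windows\system32"
EXPECTED_PARENT = "services.exe"  # assumption, see lead-in


def check_svchost(proc, by_pid):
    """Return the list of anomalies for one svchost.exe process record."""
    findings = []
    if ntpath.dirname(proc["path"]).lower() != EXPECTED_DIR:
        findings.append("image path outside System32")
    if "-k" not in proc["cmdline"].lower().split():
        findings.append("no -k switch in command line")
    parent = by_pid.get(proc["ppid"])
    parent_name = parent["name"].lower() if parent else "<not in listing>"
    if parent_name != EXPECTED_PARENT:
        findings.append("unexpected parent: " + parent_name)
    return findings


def triage(processes):
    """Map PID -> anomalies for every svchost.exe that fails a check."""
    by_pid = {p["pid"]: p for p in processes}
    report = {}
    for proc in processes:
        if proc["name"].lower() == "svchost.exe":
            findings = check_svchost(proc, by_pid)
            if findings:
                report[proc["pid"]] = findings
    return report


if __name__ == "__main__":
    for pid, findings in triage(PROCESSES).items():
        print(pid, "; ".join(findings))
```

The same records can be built from a saved process listing (name, PID, parent PID, path, command line) written to a file during analysis.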