Patrick Moubarak / Stephane Asselin - Disrupting the Adversary - Defending Against Identity Attacks

BSides St. John's · 35:55 · 8 views · Published 2025-05
About this talk
BSides 2023
Transcript [en]

Sorry, you were all encouraged to stay for this one as well. Strongly encouraged to stay for this one as well. Anyway, so we'll get going with our last talk. So we have Patrick and Stefan on defending against identity attacks.

Audio go. Thank you very much. Awesome. Well, thank you for staying. Been a good event so far. Round of applause again for the volunteers. I think that was really good, really well put together. Thank you. Thank you for having us. We are the last session before happy hour and the prizes. So, we'll try to be entertaining. We only have 368 slides, so it should be awesome. No, so Patrick and I are working on the engineering side. I manage the whole country for engineering. I've been specializing in identity management and identity, privileged access and all that for more than 10 years. I'm based in Ottawa, but I cover the whole country

and Patrick is the technical guy that knows a lot more. I just look pretty. What we want to talk about today, and actually before I go into the slides, some of you that were here last year, I also talked about the identity journey and where to start and what to look for. But I need to ask all of you, and if you're shy, you don't have to answer, or if you don't want to answer, you don't have to. But how many of you people since last year have started to think about the identity piece of your environment? So having the same level of awareness and visibility that you have for endpoints but having

it for the users and the user behaviors. So who has that in place, or are strongly looking at it, or have started to at least deploy something? Awesome. So what we want to talk about today, I'm going to give you a little bit of stats, because we have a team that does a lot of threat hunting and looks at this day in, day out. So we look at three things when we put our metrics together. And our global threat report is free. You can go get it. It's all free. We put it on the web for CISA, for the US government, for the Canadian government as well. We give those stats away. We

want to show them what the trends are, what's going on. So we look at three things, right? We look at the bad people, the volume of attacks that they do on the actual environments that we can see, but also on the dark web. So we have teams that are doing dark web recon non-stop, 24/7. So we look at the quantity of attacks that are happening every single day and we quantify that and we build reports based on that, by month, and we look at the speed that they do it. So the breakout time, which I'm going to talk about with the stats that we gather in just a few minutes. How long does it take to establish

breakout? How long does it take to go from a single endpoint to establish lateral movement, where you're going to get a lot more juicy information, privileged access, and then be able to do bad stuff like happened last week at some places, right? And then we're going to talk about the sophistication. How complex is it to run those attacks? You know, is it a two-step process? Is it a 48-step process? Do they need to lay dormant in the environment for three or four months to actually gather intel and then run their exploit, which is more and more what we're seeing when they're using valid identities? So those are all the metrics that we actually look at when we

put together our reports, right? Number-wise, you know, I don't want to talk about numbers because it's private information, but we wanted to show you percentages. And what we're seeing is both the nation state actors and the e-crime actors. So nation state, what we're seeing most active today are going to be Russia, China, and North Korea. And a little bit of Iran, but that's a different story. It's more e-crime. And then we have the e-crime actors who are in it for the money, some sort of monetization of the environment. They're going to apply some ransomware. They're going to ask you for stuff. They're going to sell your IP to your

competitor, so on and so forth. So, that's been increasing a lot, but in the last year, it's been just rampant, right? And we've seen it with Scattered Spider, which Patrick is going to talk about in a few slides, that we're seeing that they're running an active campaign. That's a nation state actor that comes from Russia and they're doing a lot of damage. So, we're going to talk about that in just a few seconds. So the stats that we gather, again, it's for a bit over 40,000 organizations that we gather this information. So those are live stats. We were at 98 minutes of breakout time, so again, establishing lateral movement, in 2021, to 84 minutes

last year, and now we're down to 79 minutes. We actually released new stats in August. So just a little bit over a month ago. Right. So the average time it takes for a bad guy to establish lateral movement is down to under 90 minutes, right? It's down to less than an hour and a half. So it doesn't give you a lot of reaction time. So you have to have the right process and people and technology in place to be able to react faster than this. That's the key takeaway here. If you're still going by "it takes me a day, it takes me two days to react," or it takes me a day

just even to be aware of it, you're missing the boat. They've done a lot of damage since then. And that's what we want to make sure we look at and you understand from a time perspective for breakout time. So 80% of the breaches have one thing in common, and that's not coming from us, that's coming from Gartner. And what do you think that is? That's the MITRE ATT&CK framework, which you've seen in the much better deck before us. But what do you think is the biggest rule that we see today? What's the trend that Gartner is saying? Let's see. It was up to December last year, but it's

even more true today. Anybody? Compromise? Yeah. Valid identity, credential compromise. Ken is cheating because Ken knew this before the talk, but thank you, Ken. Right. Exactly. He knew, right? Valid accounts. So, using valid accounts. So, the bad guys are actually using valid accounts before they start whatever they need to start. Whether it is initial access, where they're going to use domain accounts, local accounts, where they actually establish and actually get their payload on the box, they're using valid accounts. And then they do a pivot, escalation. That's where the lateral movement stage happens. Again, valid accounts. So, if you're only looking at your host from an antivirus perspective or EDR perspective, you're blind to this. And that's the

part that we need to make sure everybody looks at: what are your valid users doing, right? I like Patrick. Patrick's a good guy, but if he's looking at my finance server on the weekend after hours, that shouldn't happen even if he has proper credentials. So we need to be able to see that, and organizations are not there yet, and we're trying to see how we can help to get them there. Right? Whatever solution you're looking at, you need to be able to see what behaviors the users are doing. And if he's doing something he's not supposed to do on a region, a location, a machine he's not supposed to go to at this time

of day within the week or on the weekend, you need to be able to see that. And a lot of organizations are not there yet and would like to be, you know, whoever you're looking at, you need to be able to accelerate that process. Still something that a lot of organizations are blind to. So again, what I was saying before, right, from an execution standpoint, that's where the EDR and next-gen AV go. And I think we're pretty good there, right? We're pretty good at seeing, you know, if a process executes and is potentially malicious, you'll see it. You have the right tools, at least most of the people have the right tool to be

able to see it and block it. That's good. But then if the bad guys are actually starting with credential access, you know, we saw a lot of, recently, I'm not going to name names, but we'll go into a few examples, but it's where people are going to abuse some stuff that's already on the web, right, like a Microsoft Office portal or an Amazon page or a Google page. And if they're able to subdue that information from the users, they're not even knocking at the front door. They're using valid accounts and then they're just stealing that. And then that's where they start. So if you can't go beyond the execution of the

process, you're blind to the rest of that chain. And that's what we need to make sure that you understand and you're able to have something in place to account for that. And with that, I'm actually going to pass it over to Patrick. Thank you, Stefan. So yeah, to sum it up, we're talking about valid credentials, right? So we're talking about credential access. And this is something that we talked about. I think you heard a lot of MITRE today and MFA and different topics, but this is something that we talked about. Do we need to do privilege escalation to accomplish our mission, right? As an attacker, as an adversary. So when a red

team exercise is ongoing and we get initial access from a regular user perspective, one of the next steps we typically want to do is privilege escalation, to get access as admin or system or domain admin privileges. Right? So we see adversaries moving the trend towards accelerating that process. So the third metric that we track is sophistication of attack, right. So how is the adversary going to be able to accelerate the speed and the volume of attacks with more sophisticated tools, right? So whether they start from third-party vulnerable software, these are like publicly exposed remote access gateways, weaponizing known vulnerabilities or exploit proof-of-concept code, or whether it's a cloud-based attack, right, that's a very,

very common topic that we see all the time, and it's trending very upwards, right. If we can access your cloud-based resources, I can pivot from there as well into your private information, your private data, your customer information, and I can also in some cases even pivot to on-prem access, because sometimes we're syncing those directory services, from the identity perspective, between the cloud identity providers and the on-prem identity providers. And the third one is identity-based bypass. So why do we call it a bypass? Right? So we're trying to move away from just credentials. So sometimes we get API tokens, sometimes we get access to systems that are already privileged and have access to private data, but also

sometimes they're going after sophisticated phishing attack techniques where we're going directly after the admins of the environment, right? So we can call into the help desk and ask them to kindly reset our password. So there's a lot of tools in the attacker's tool belt where they are spoofing your caller ID, right? So they just go on social media, LinkedIn, Facebook, whatever it is, find your name, find your phone number, your email address, call into the help desk. They can even spoof your voice, right? With AI. So, they either spoof the caller ID, that's the easy first step, spoof the voice, ask the help desk nicely to reset my password because I'm locked out and I'm traveling

and I'm in a conference and I need access to my email, right? So, here I go. I just reset my Microsoft 365 account, and the help desk is actually falling victim to this in some of the cases, right? So, we've seen scenarios where this is happening more and more. So, this is a very, very strong trend. We've seen another identity-based attack, and this is more on the traditional front, right, like we talk about NTLM hashes in Active Directory, in domain controllers, or Kerberoasting attacks. And these are legacy protocols. We call them legacy because these protocols were created before the cloud world, right. These protocols are Active Directory, on-prem servers, domain controllers. Every

single enterprise customer we work with, probably 99% of them, are still running an on-prem Active Directory. Although they're in a cloud-first movement, digital transformation projects ongoing all the time, they're still vulnerable to such attacks, right? Because if I can get access to your domain controller, I can definitely attack it via, like, a domain-joined endpoint, whether it's a Windows workstation; I can attack it via other applications. So, we can mimic, you know, legitimate user credentials by passing these attacks and getting access to privileged accounts as well. These attacks are skyrocketing and they're going after end users, but they're also going directly after admin accounts or service accounts that

have, like, password never expires, right? So if you have your traditional on-prem service accounts in your Active Directory, they may have had their last password reset like 13 years ago, and we see this all the time in customer environments. So adversaries know this, they figured this out, and we've seen, like, Vice Spider is one of the adversaries we track, so this is an e-crime group, and they're responsible for 27% of all attack techniques. So what we see in the industry, and this correlates with other industry vendors as well in our threat intelligence, is adversaries are starting to specialize, right? So there's like the initial access brokers, there's the

e-crime actors, there's the ransomware affiliates that deploy the ransomware in the environment. It's a complex system that they're running, but these operators are all specialized. So some Spider groups, which are e-crime, like e-crime hacking groups, they do specialize just in identity-based attacks, right. So they have the developers, they have the coders that know how to work around Active Directory, those traditional legacy systems, how to weaponize new vulnerabilities and new CVEs. And every time there's a new, you know, protocol vulnerability, by the time it gets acknowledged and fixed, sometimes it's a road map of a year and a half, and we've seen this in some KB articles where the actual

changes to the implementation of certain of these protocols is actually on a schedule, right? It's on a timeline where the vendor pushed out a registry key to say this is going to be now optionally in audit mode or block mode, and then they're going to be enforcing it slowly across time, because they're breaking legacy applications when they change these protocols all of a sudden. So you want to make sure that your environment is patched, but you also want to make sure that you're implementing robust measures in place. So, and I call this the traditional identity approach, to the next section, because I'm going to talk a little bit about different identity solutions out there today on

the market. Not naming any companies necessarily, but just naming the technologies that we've given to customers as an industry. So traditionally, we started with: I need to give my users access to an application, right? So I need a way to authenticate, validate their credentials. It all started with username and password, right? So we started with directory services, whether it's on-prem or cloud-based. It's a story as old as: I validate this employee, I give them credentials, now they have an email mailbox, they have access to maybe a web server, like an internal SharePoint intranet website, etc. When we started doing that in a cloud world, we started running into issues. Do we start fresh?

Do we migrate everybody? Do we go hybrid? Right. And we do still have to live with legacy applications and legacy systems. So all we're doing is basically giving you access to data. We're kind of validating who you are. We're giving you a password and then we have minimal controls in place, right? Like we have password complexity, maybe password rotation in place, and that's pretty much it. But once you authenticate, you're in, right? So we just trust that you are who you say you are. So then we moved on to the next problem: are you who you say you are? Right, as an end user you're claiming to be Patrick, right, but are you who

you say you are? So let's challenge you. Let's give you this nice little tool called two-factor authentication or multifactor authentication. So something you have, something you know, something you are, right. We can do multiple factors. We can put certificates on your computer, we can give you a token, we can have you enter a passcode. So we started developing these new methods, and then there's a wide variety of them, right? So depending on your MFA vendor, and you could have multiple MFA vendors, we've run into this in multiple customer environments where they had like three, four different MFA vendors, typically in companies that have multiple subsidiaries or multiple IT departments, and they're not necessarily putting

strong measures in place, because not all MFA is created equal, right? Not all methods deliver the same end result. So you heard today from other vendors as well talking about phishing-resistant MFA. How do you make sure you know the person is who they say they are and they actually own that token or that physical key, right? So now we have new protocols in place like FIDO2 tokens or security keys or biometric protocols. You have a little fingerprint scanner on your computer, whether it's a Windows or a Mac, right? You have these extra verification steps. So this is a new attack vector, right? If I just did a push MFA, attackers can easily try to

bypass that, right? So one of the things we see in multiple customer environments is we're doing this application-based push notification, right? So I go log into a website, I need to authenticate with MFA. Well, what happens if an attacker does that at 3:00 a.m. and your user clicks "I approve"? Or even if they don't click "I approve," are you actually following up to see, you know, did this attack lead somewhere? Was it an actual attack? Was it a mistake? Was it a misconfiguration in the system? Most companies aren't necessarily putting the controls in place or looking at their audit logs to a certain extent, right? So, we just

implement MFA and we think, you know, 98% of the problem is fixed, or whatever percentage of the problem is fixed. I solved most of the problem right there. But the story is not done at MFA, right? There's, you know, SIM swapping attacks, there's MFA fatigue, we can do advanced phishing. Some of the most public breaches: when SolarWinds hit, a very, very respected vendor on the market actually detected the very first sign of attack when an end user had a second phone registered to their account. So the attackers were able to log into the portal and try to register a second MFA

device, and that triggered internal processes to validate with the user's manager: is this actually the user, and did they get a new device, and do they need to register a second phone and have the application-based MFA? So if you don't have those controls in place today, your end user could go and change phones and register a new app without having a human check their identity, right? How do you know this is actually the end user or an attacker? These are the kind of problems we're trying to solve today. So another industry solution was to look at privileged accounts, right? So if I can get access to root or system or domain admin, right, these are like more

sensitive accounts or service accounts. So we started doing, like, privileged access management. So putting controls around just privileged accounts and seeing where they're going and then rotating maybe their passwords, or password vaulting, or making sure their passwords are encrypted. But this is like looking at the problem maybe partially, right? We're just looking at some critical accounts in the environment. We're not looking at the whole problem as holistically as we can. So we're not looking at end users. We're looking only at privileged admins, right? So why is this still an issue? Because identity threats have become mainstream today, right? So we started talking about this problem many, many years ago in the industry. The trend was, you

know, we can weaponize a vulnerability, we can try to break in the front door, but now we can just walk in with a valid credential. And this has been an upward rising trend for many years, but it certainly has been a topic of conversation very recently on the news. And one of the adversaries, we call them Scattered Spider. They are very, very sophisticated and very smart at how they do their phishing attacks. So they literally just call in to the help desk and pretend to be the admin and, you know, pretend to have lost their phone or need to reset their password and their MFA, and they actually were able to convince one of the biggest

gambling companies in the world to actually fall victim to that. So when Scattered Spider was able to do that, they threatened with ransomware, but their modus operandi is not really deploying ransomware typically. So when the victim refused to pay, they gave them time actually to pay a ransom without actually encrypting, and then they adopted another ransomware-as-a-service, which we call Alpha Spider. So, Alpha Spider is ALPHV, which is another ransomware group, and they have a Linux VM that you can deploy in an environment, give it credentials. So, you can give it custom credentials. It will go find all your VMware ESXi servers and it will encrypt all your VMs, basically. So, this is like a VMware

ransomware operation. So, once they deploy that, then the company has no choice, right? The environment is owned. So adversaries are getting smarter. They're getting smarter with identity. They're getting smarter with cloud as well, right? They will find a way through the door. They'll find a door somewhere. And they've become faster as well. So Stefan presented the 79-minute time. The 79 minutes is the average breakout time for e-crime groups, as far as CrowdStrike telemetry and threat intelligence has tracked it, in the first six months of 2023. We just released that number. So think about it. That's the average. We've seen attacks as fast as 15 minutes, right? So, if the adversary has domain admin or system admin or root

credentials in the environment, they're not stalling, right? They're going to go in. They know which customer they hit because they've done their research. They know what access they have because they've seen the credential work. They're using legitimate tools, remote desktop, PowerShell. They have Cobalt Strike beacons in place so they can evade firewall detection. They can encrypt their C2 channels. They've set up new domains, new websites, new S3 buckets, legitimate tools to siphon the data. And then as soon as they steal the data, then they hit you with the ransomware, right, for impact. So they've become faster and faster and automated a lot of that process. This is another example from our threat hunting report. So I'm not

going to go through all the steps of the MITRE ATT&CK and all the exploitation tools. I'm sure you guys have heard a lot of tools and GitHub repos today. So I'm just going to mention, like, at CrowdStrike we track Scattered Spider because of the nature of the social engineering attacks that they do, right. It's very hard to defend against social engineering attacks. This is not like a software problem. This is a human problem at the core, right? We need to validate the identity of the person resetting their password before actually resetting their password. Right? Those self-service tools to reset your passwords have to be gated behind some kind of human validation. So we keep track

of adversaries. We're now at 200-plus adversaries. So these are distinct attacking groups or organizations. These could be different transformer groups or ransomware operators that have a specialty. And last year we added 33 of those. So, Scattered Spider is one of the biggest ones that's on the market today, like doing a lot of damage and buzzing in the news because they've done oil and gas industry attacks very recently. Now, they're doing gambling attacks. They've been making the news and they don't care, you know, they're just after the money. So, and a quick side note on this: in this attack, they deployed actually LockBit Black, right? They did not deploy ALPHV ransomware. So they're

actually opportunistic. They're not loyal to one ransomware, you know, software. Basically they can deploy different ransomware types depending on the customer environment and what would benefit them the most or make them the most money, because the payout actually depends on, you know, how much they encrypt and how quickly they encrypt and which customer they're hitting. Like if they're hitting a Linux environment, there's Linux variants of LockBit Black as well. If they're hitting a VMware environment, there's a VMware variant of ALPHV ransomware, which is different. So it's much easier to go that way. Any questions? All right, moving on to the path forward. So this is just a quick framework that we try to establish at

CrowdStrike to help customers adopt identity solutions or identity best practices on the market. So we have quoted a Gartner report, and Gartner actually mentioned, this is not from CrowdStrike, Gartner said the advanced adversary is actually going after your identity infrastructure itself, not just after, you know, your data or encryption or vulnerabilities. So what we suggest as a framework to customers, and they can work their way through this, is to start by monitoring the identity environment, right. We want to see all the adversary attack paths. We want to proactively control. So we want to be able to do real-time automated response, and then we also want to not be too

annoying to the end user, right? So, based on the monitoring and the response available, we want to be able to do it with conditional access rules that make sense when needed, based on the risk factors. So based on the behavior, whether it's access from a new geolocation, access from a new endpoint that you've never used before, right, moving laterally across five different servers which you've never touched before. As an end user, your behavior is easily baselined. So we suggest customers baseline the end user behavior, understand how end users authenticate, which systems they use, and that baselining process could take anywhere between, like, one to three weeks in customer environments, and they can do it

themselves: try to understand how users behave, what services they have access to, but also, as soon as they deviate from that, maybe you want to challenge them more, right? Maybe you want to MFA them a second time. Maybe you want to enforce some policy, maybe you want to lock them out completely or force them to reset their password. So, continuously monitoring the environment, that's the first step. You want to be able to look at all identity sources, right? So whether this is on-prem or cloud, inside or outside the network, whether you're doing a hybrid deployment and you're syncing or synchronizing your data, we want to be able to baseline all entities. Don't just focus on

privileged accounts, right? Initial access could start from a regular user account, or you could have regular user accounts that are overprivileged, like they're able to reset somebody else's password or they have access to systems they shouldn't have access to, and then understand their behavior. So when you do that, you can identify risks in your environment, and those risks could be the use of unmanaged assets. So who here controls every single asset in their environment? Who knows every single computer connecting to your network? Do you allow third parties to VPN in directly or to access cloud services? Right? So you cannot control everything. Right? We can't control every single asset. We have to be able to control

the user behavior and the user activity. We should also be able to audit the actual passwords being used, right? So, everybody, you know, typically goes around and says, "Okay, we have 90 days. You have to change your password." Well, are they just putting a one at the end, or a two and a three, and then just keep going, right? So if they find a way to use the company name, and then they use the same password on their personal account and that password gets breached, do you know about it? Right? So you would just say, like, "company1 123 dollar sign." Okay, perfect. Then "company 1224 dollar sign," and then you keep going. Users do this all the time. Everybody knows this.

So are we able to drill down and see which service accounts are sharing passwords as well? Because sometimes, you know, the previous IT staff maybe have created 15 service accounts with the same password and you don't even know, and they were created 10 years ago and never changed. So we don't want to break any apps. We just let them run, but that password could be compromised as well. Right? So you're sharing passwords, you're sharing compromised passwords, they could be shared between regular user accounts and privileged accounts. And this is the stuff that we identify in customer environments, in customer engagements, all the time, that they don't know about because they don't go that deep in their audits,

right? They don't, like, it's not a compliance checkbox. So you don't have to do it necessarily every time. So when you do your evaluations, you want to be able to understand that risk factor. Is there any stealthy privileges or legacy protocols running in your environment? That's most likely the case. Everybody still has old applications that they have to maintain, operate, and they still have to run in the environment. So you're still using maybe NTLMv1 or SMB unencrypted, right? Not every application is using SMB 3.1 with, like, you know, certificate signing protocols. So you're just using legacy protocols that are in the clear, where we can attack the authentication protocol itself as red

teamers and find out what's going on and then capture password hashes, reuse that hash somewhere else. In order to control your users, first you need to be able to detect their activity, baseline it. You need to be able to understand anomalies and then lock down their access, right? So you want to lock down their access via conditional access policies, but you also want to be able to do that across all data stores, all identity stores, right? Whether on-prem or online or cloud access. So you're going to be able to extend MFA, right? So MFA is a good tool. It's a great tool in our tool belt. It's not bulletproof. We want to be able to actually extend it across

different applications that don't support it, right? We want to be able to lock down remote access. So, RDP, VPN, you know, access to web applications. We want to be able to lock those down. Make sure they're only from, you know, authorized IP addresses or privileged sessions, or at least be able to MFA them, right? We want to be able to force a password reset and be able to detect stale accounts. So if you create a user account and it's not been used for more than 90 days, right? This typically is not somebody that still has their job. Maybe they left the company, maybe it's an old IT staff. Are you

doing that regular check and that regular cleanup, right? And block legacy protocols, of course, if possible. On the response side, we want to be able to do this in real time. This is very crucial, right? We want to selectively enforce policies and apply MFA based on risk factors, not just based on, you know, MFA everywhere. We want to be able to apply, extending MFA to legacy protocols if possible, and apply this to remote access tools. Some of the most abused remote access tools, right? Like file shares, PsExec, remote desktop. Adversaries love those, right? Because it's so easy to abuse in an internal environment and typically we don't have controls over them. If we're allowed to RDP to a

server, we're allowed to do anything we want on that server. So, we want to be able to stop attackers and block lateral movement by doing the risk-based response. So um, before I conclude the session and let you go to your next uh social gathering and maybe give some good prizes, I just want to extend this topic a little further and look forward ahead, right? Don't think of this as just a username/password problem, right? Don't think of only MFA as the end outcome of this conversation. This is a conversation that is actually around APIs, around cloud access tokens, around different sessions. It could be around Kerberos tickets or NTLM password hashes, right? It's not just about a username and password.

It's not about end users alone. This is about authentication in general, right? And attackers have figured this out and that's why they keep coming back through different doors into environments, right? If they can't get in via remote desktop, they're going to hit the cloud environment. If they can't get in via cloud, they're going to hit a partner that has VPN access to your environment, right? So, supply chain attacks. Um, and this is a quick suggested next step um for you as a takeaway. So, I'll stop here and uh I'll take questions if you guys have any. Uh, Stephane is also here to answer any questions. Key point I have here is... I just woke up. Thank you. The key

takeaway is we're looking to all of you as security professionals to think about user behavior the same way that you've been thinking about your machines for a while, right? And we're trying to, like, I'm doing user groups across the country, I'm trying to encourage people: whatever you go for, you have to start that analysis. If you haven't looked at that for your environment, it's the "trust but verify" statement. It's not when you give credentials once that you're good to go. You always have to have that constant journey, and the identity journey is going to take you whatever time it takes, but you've got to start. The first couple of steps need to be: I will trust, I will

give my users access, but I will challenge them on any resource they try to access. And whatever you go with, you have to be able to have that mentality, right? Always challenge what the user is trying to do, and maybe what he's trying to do is correct in this context, but if he's trying to draw outside those lines, you need to be able to see that. You need to be able to gain that visibility, and then you'll be able to take actions for that. So that's, you know, you can come see us, you can come see anybody, but the whole goal is make sure you start your identity journey with being able to challenge

your users on what they're doing. If you can't see it, you'll be blind to it and you'll be like MGM, right? So thank you. We'll take questions if you have any questions. Great presentation. This might be an out-of-the-box question. So when you start talking about credential harvest, like advice credentials to actually attack on, so how would you go by, like, saving phishing attacks that are made of, instead of attacking apple.com, like instead of, like, L instead of L, and that credentials? How, as a company, should we approach these blown websites, and how should we, like, educate our customers to identify these spoofed websites? Well, the spoofed website is going to be through your security

program, right? That's the... so, multiple parts to his question. One of them was how do we help our users understand that, and that they're being phished, right? To be able to see that, it's all about, I think, everybody should have a security campaign in place where you test your users very regularly. It's going to piss them off, but uh, you know, you have to do it. Send them every month. Like, we do it multiple times a month. We're a security company, different context, but at least once a month, send a phishing campaign and educate them, but don't blame them or don't send an email to their managers that they missed or they failed. Say,

"Okay, well, this time it wasn't great, but here's why. Here's what you can do better next time." Encourage them to do it for their colleagues and get that program in place inside your own organization. That's the first part. And the second part to the question, sorry, I do... typo squat. Oh, the domain typo squatting. When it comes to typo squatting, there are solutions in place. Either, if it's email, there are the email companies here, and I'm not going to talk for them, but they have solutions for that. If you actually want to look at what's going on, you're going to have some deep web / dark web tools that are going to help you do that, so you can actually detect that, so

when people are trying to use it you can actually avoid it, right? So I don't want to name software, but you know, a lot of companies can actually do that and detect that information. Yeah, any other
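The stale-account cleanup the talk recommends (accounts unused for more than 90 days), as an added example that is not part of the original transcript or the speakers' tooling; the account records and their field names are constructed sample data standing in for a directory or IdP export.

```python
"""Stale-account review: flag enabled accounts not used in more than 90 days.

Added example, not from the talk. The records below are constructed sample
data in a simplified directory-export shape (an assumption); a real review
would read them from AD, Entra ID or your IdP export."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

STALE_AFTER_DAYS = 90  # threshold mentioned in the talk


@dataclass(frozen=True)
class Account:
    name: str
    enabled: bool
    created: datetime
    last_logon: Optional[datetime]  # None = never used since creation


def stale_reason(acct: Account, now: datetime,
                 max_idle_days: int = STALE_AFTER_DAYS) -> Optional[str]:
    """Return why the account is stale, or None if it is still in use."""
    if not acct.enabled:
        return None  # already disabled, nothing to do
    limit = now - timedelta(days=max_idle_days)
    if acct.last_logon is None:
        # Never used: measure idle time from creation, so a freshly
        # provisioned account is not flagged on day one.
        return "never-used" if acct.created < limit else None
    return "idle" if acct.last_logon < limit else None


def find_stale_accounts(accounts: List[Account], now: datetime,
                        max_idle_days: int = STALE_AFTER_DAYS) -> Dict[str, str]:
    """Return {account name: reason} for accounts to disable and review."""
    out: Dict[str, str] = {}
    for acct in accounts:
        reason = stale_reason(acct, now, max_idle_days)
        if reason:
            out[acct.name] = reason
    return out


NOW = datetime(2025, 5, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [  # constructed sample export
    Account("alice", True, NOW - timedelta(days=800), NOW - timedelta(days=2)),
    Account("old-it-admin", True, NOW - timedelta(days=800), NOW - timedelta(days=200)),
    Account("svc-legacy", True, NOW - timedelta(days=120), None),
    Account("new-hire", True, NOW - timedelta(days=5), None),
    Account("former-employee", False, NOW - timedelta(days=800), NOW - timedelta(days=400)),
]

if __name__ == "__main__":
    for name, reason in find_stale_accounts(SAMPLE_ACCOUNTS, NOW).items():
        print(f"{name}: {reason} for > {STALE_AFTER_DAYS} days -> disable and review")
```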