
Hey, wow, thanks, thanks for having me. So let's kick it off. First thing is who am I. My name is Flores Ladon, I'm a strategist at Splunk and I've been working in security for over 15 years. I started as a pen tester for a consulting firm and I was like, okay, I can do that, so I can do defense, right? Well, that became difficult, so I joined a large bank and became one of their first defenders, setting up IDS and that kind of stuff, and built a fair SOC, and started really getting into defense. And defense is hard, in some ways harder, because you need to be structured. So yeah, my biggest success is I switched to another company now and I no longer have to wear a suit, so I'm really happy on that part.

The real question is why listen to me. I'm good at failing. I failed a lot. I failed building a SOC three times, and if MITRE ATT&CK and prioritizing your work is something you already know, at least be entertained by my failures, and beyond that we'll see what happens.

So the first time I built the SOC I forgot the people. We forgot that we didn't have proper staffing, we didn't have rosters, we didn't have shifts, we didn't have motivated people, because they came from all other network monitoring stuff, they came from the cash counting security side, they came from physical security. And then the second time we said okay, we'll hire people, we'll do it again, and we failed again because we forgot about the processes. We didn't have a mandate. People came to us: why are you unplugging my PC? Well, it's for the viruses. Yeah sure, but I can still keep working, go away. Okay, lesson learned: we needed a mandate, a mission, a vision, we needed to keep having budget, and we needed time to figure out what we had to do, because one of the things we did was we tried to implement everything, we tried to implement all the use cases we could find, and that had its own problems. But the third time we actually figured out what we had to do, we figured out how to train the people and we figured out the process we needed to keep running, and that time we actually succeeded.

And the question is how do you know what you need to do, because we started using security frameworks because there was so much work coming at us. What do we need to manage? How do you use those frameworks? We started reading all of them and that wasn't a success. We implemented some controls but we couldn't do everything, and we started mapping actors, threats, kill chains, making our own frameworks, and that got us further, but the real question always was: how do we know what controls we actually need? And that's what this slide is getting into.

But before we go into how to do this, let's go into the history of security frameworks first, because we have two types of framework. We've got the management frameworks, and these are for information security managers. It's lots of policy for access control, it's lots of ISO 27001, you've got the SANS 20, you've got all these controls, and they are a lot of work to implement, but they don't tell you anything about monitoring. They don't tell you anything about how to deal with what use cases should be where, etc. So we move beyond there. Security detection frameworks are a subset of that. It doesn't tell you how to protect everything, but it will tell you how to start building your detections.

The first one we started out with, some of them you might know, was the OODA loop. The OODA loop is written by John Boyd, and John Boyd was a fighter pilot in the Korean War and he wrote a book called A Discourse on Winning and Losing, and it was aimed at a couple of strategies, mainly: observe, what are you seeing; orient, where am I, in John's case in relation to the plane, in cyber defense in relation to the attack, what's happening, where, we should be aware of all those surroundings; based on that make a decision on how you're going to go forward, decide; and then do it, act. It's great. This was one of the first frameworks we encountered in cyber security. It told us how to act rationally; it didn't tell us what to do.

So we had something else. Lockheed Martin of course came along with the Cyber Kill Chain, and for those of you who didn't know, the Cyber Kill Chain was built as a response to the RSA attack, and in that case Lockheed Martin was attacked by means of compromised RSA tokens. They got hacked and the attackers got away with their IP, and IP is critical for these companies because these are their inventions, this is national security, this is going to be the next future of tech that the future wars will be fought with. So that was critical, and the good thing they did, they started making this high-level framework and said, they focused on recon, weaponization, delivery, exploitation, etc. These high-level categories that we could at least start grouping our use cases in, because at that time I had multiple rules running, multiple systems running, and I didn't make a distinction if it was an antivirus rule or a NIDS rule or any other detection. So making that distinction and making this framework in a strategic way helped us to at least start splitting out those use cases. There's one problem. The first thing of course, weaponization. It's a nice step, any attacker does it, but I haven't seen anyone write a defense against that. You can't write a detection against something an attacker prepares on his own PC. So it starts to crumble a bit there. The other pattern we're seeing here is that these were all based on intelligence, I was working, or sorry, in all military applications, so based on the confidentiality of the information, keeping it secret. I was working in finance. My goal was mainly keeping it integer, keeping it as it is, making sure nothing gets changed, because if somebody changes information for a bank that could have bigger consequences than leaking information.

Luckily we had some influx in 2013. Katie Nickels, one of the first speakers, came forth with the MITRE framework, and the MITRE ATT&CK framework took part of the Lockheed Martin kill chain, post-compromise, and started building out the tactics that are beneath that. So that helped us focusing to the next set of granularity, which is great, and everybody's working now with the MITRE ATT&CK framework. For the ones of you who don't know, I'll go over it briefly, but the MITRE ATT&CK framework: twelve tactics, over 500 techniques. This is an old slide of mine; I think a couple of years ago I wrote 257, we're now at 573 from the top of my head. It's expanded to techniques, sub-techniques, so that's great.

And the first thing you do, if you get a framework like this, which tells you what everything you can do is, you implement all the use cases, right? No, no. Because what you do if you build this really great complex machine, you enable all the use cases out of the box for any security tool you have, you get overwhelmed. You get thousands of alerts, and if you get thousands of alerts you get thousands of incidents to handle, you get thousands of things to investigate, and you can't do that. Remember an average SOC analyst can investigate 8 to 16 alerts a day, so you need to have an incredible team to manage that. The other thing is that you're managing people, and these people get overwhelmed. We're trying to hire the people who are in this room here, we're trying to hire the digital detectives, we're trying to hire the cyber professionals, people who are interested in puzzling, solving a puzzle, a non-repetitive puzzle, and if you give people who like puzzling repetitive work, alert after alert, day after day, day after day, they will leave. It's a terrible job. So we didn't only need to get rid of the alerts, we needed to make sure we have the right alerts, which were worth following up. So that's the thing we need to look at as well.

So of the use cases and techniques, implementing all of them is an all-you-can-eat buffet. You can't eat everything on that menu, it doesn't make sense, it doesn't give you a good time, and by the way, you might not even like fish. So it's the same with use cases: if you are protecting an organization and you know you're not running Windows, then stop focusing on the Windows detections. Now this is a simple example, but it continues and it works out for every subset in ATT&CK. Figure out what you need to do, because bigger is not always better. The real goal is tailoring these use cases: get the suit that fits, not the biggest suit.

So now we come to a choice, the paradox of choice: which detection should you choose? The most popular ones? I mean, everybody's going after the Log4j exploits, that was hot, still hot, everybody has it in their demos, sure, go for that one. Maybe you should use the ones for the data sources you already have. You might already have network data, let's start with those, because that's at least something we can do. Or the ones your CISO will appreciate. I mean, everybody, like us, is trying to make a career, right, being in the limelight. Or we'll do something else: we'll use a structured approach based on research and common knowledge. And that's a better way to communicate what you're doing, because if you start focusing on the highlights you're going to keep running, so you need to get some kind of structure in.

Now there's a couple of ways to prioritize. You can focus on the brand new threats, everything coming out, you can focus on that. Secondly, you can focus by technique, so for example there's a technique which 200 threat groups are using, well, that's the one I should be focusing on first. That also has merit, at least better than focusing on the new shiny threat which just came up yesterday. And later is to look at industry mapping, and that's the real part where you start tailoring what you're doing to who you are and who you need to be protecting. If you work in finance, you should be afraid of the groups targeting finance. And then the fourth one is take a look at the techniques seen in the wild, if you can split down to that level. Focus on which techniques have been observed, and there's a great project which we'll go into, which is the MITRE Engenuity adversary Sightings project, and we'll dive into that a bit. Lastly, Top ATT&CK Techniques, which is a new methodology from MITRE, and anything you can find from third parties. That's also a solution; I would not really recommend that, to just get a top hits list and start writing detections for that.

So for the first methodology, the brand new critical threats. The problem is some threats just come out of nowhere, so you need to focus on those. If Log4Shell comes out, if Hafnium comes out, there was no warning, there was not a lot you could do about it except start running. So at some point you're always at the mercy of going into defense for whatever comes up, and you can follow your threat vendors for those. I work for a company who has a threat feed, a threat post, you can implement automatically or manually to get those detections running.

Now if the firefighting part is done and you get back to your normal work, you can start thinking about popularity: which threats are the most popular, so what should I be implementing? Focusing on malicious files, we've seen that the most; maybe focusing on spear phishing. So this helps. This is a broad net you're casting there, and what you get from that is a good result, but it's not tailored to what you can be doing best. The second thing is that the MITRE ATT&CK framework focuses on threat reports and it really provides a data set which is enriched with which APT groups go for what technology and where they've been observed. If you work with the MITRE ATT&CK Explorer you can load layers in there, you can view overlays for these threats. So now you're starting diving into attackers in a general way, which attacker does what, but it doesn't say how often this attack occurs, so we're still doing a general filtering.

The second thing which I think starts to focus on who am I and what am I trying to protect: take a look at industry mapping. If you work in finance, there are some Korean and North Korean actors you need to be watching out for, they're not exactly for anymore. If you work in the defense industry, if you work in high tech, other types of actors apply. So figure out which groups are targeting your companies, or the company in the sector you're working for actually, and then it starts to give you more guidance on what to pick.

The newest thing, which I really enjoyed, was a project running since 2019: the MITRE Engenuity adversary Sightings project. It was a list made with data from, amongst others, Red Canary. For those of you who don't know, Red Canary runs a sort of open source sandbox detecting attacks, and they were able to collect over 6 million sightings of adversary behavior. It ran from April 2019 to July 2021, and in that time they got 1.1 million observed ATT&CK techniques in the wild. That's great, we finally know what on average is coming in and is being exploited, so we're getting a real feel of what attackers are doing in our environments. And we can go through the list and there's not going to be many surprises, because this is again a general top list being used, so if you have ever done incident response you'll find these top listings there. There's also stuff like living off the land on there, there's legitimate files, there's signed binary execution, it's the usual stuff. But what it does, it allows you, and it allowed MITRE to give you a calculator, and I invite everybody to play with that, the Top ATT&CK Techniques calculator. It allows you to fill out what defenses you have, how well you're monitoring your network, how well you're monitoring your endpoints, how well you're monitoring your gateways, your cloud services, etc., and based on your own rating you get a list of customized attacks back. So that's great, now we have something that we can start working on based on the data from there.

How do they calculate this? What they do is they take a look at prevalence: how much an attacker uses a specific ATT&CK technique over time. They take a look at choke points, and we'll get into choke points in a bit, but it's a point where attacks converge. We'll take a look at actionability: there might be a very often used attack, but it can't be detected upon, so they also rate that part, and that will give you a list of top techniques. The cool thing is that with this list of top techniques we can start focusing on what's important to us. But first take a look at the data there. So if we take a look at the prevalence, we can see that attacks have been occurring over the almost two years that this project was running, but what the prevalence also means is that if an attack has been popular in the last couple of months it's been given a higher rating than if it was running two years ago, because if it was really active two years ago it doesn't mean it still applies to us now.

And then the second thing is if you have your prevalence, you know what's been recently important, you can also move on to the best place to start detecting: take a look at choke points. If you remember the MITRE ATT&CK matrix, you had the tactics in a vertical column, the techniques horizontal. If you can imagine your attacker going through that, they will make a chain of attacks. Now there are certain points in this matrix where they will have no option, they will go to fire one, maybe two techniques in order to move further in their total attack. These are what's called choke points. So for example in this case process injection is a choke point they will always use. So if I monitor process injection, I don't have to monitor create process with token or resource hijacking that much, because process injection is the place the attacker will always pass through. I'm not saying don't do anything, I'm saying this is a very effective technique to focus on because it's identified as a choke point here.

The second thing is actionability. It's the opportunity for a defender to detect or mitigate a technique based on the available analytics or controls. So in simpler ways it can be separated into two categories, detections or mitigations, and based on publicly available resources on the amount of controls and detections we can calculate what's weighted more heavily or less heavily, and there's a number of ways of doing that. There's the MITRE Cyber Analytics Repository, there's rules from Elastic, from Sigma, Splunk has their detections as well, and with the ordinance controls, and with those there's also a calculator you can start using from the Engenuity project to start calculating the actionability of those.

Now the first thing of course, the methodology for prioritization, and this is where Red Canary has given us a great view of what's happening most often. If you start putting these all together, it means that we're going to start with the MITRE framework, we're going to add a point for every threat actor that uses a particular technique, and then we subtract a point for every detection that's mapped to that technique, and what comes out of that is a way to a detection map. So we've taken into account existing coverage, where have we got rules. Now in this case I've taken my own company's detections, because I can't be running around with customer or any other company's detections, so this is what we develop, and based on the rules we started to focus on the areas where risk is high. And then on the opposite part of that, using the threat group data, we add points for every threat group that uses a particular technique, and we subtract another point for what we have a detection mapped to, and what we get out of that is a map on what we need to prioritize. As you can see there's really a map there: what turns dark red is where we haven't got detections but we're seeing it in the wild recently, so we should be starting to focus our effort there, really start building this one first, this is what's critical for us.

There's one thing to consider. Don't focus on it too much, because ATT&CK coverage does not mean completeness. So if a user develops a mechanism to see if a process has been injected, and you know that you've got a detection on your EDR solution, you might not have covered your server landscape, because servers are not usually running EDR. It comes back on performance, it causes weird issues. So if you're running EDR, don't think you're fully protected; you're protected only on your desktop landscape. So it focuses on compliance, but you need to keep thinking about completeness: is every detection running on my entire organization? So there will be also servers or containers or endpoints, clouds, etc.

For a conclusion: your time is limited, so you need to figure out what brings you value. Don't be the kid in the candy shop. Just because you get a tool, just because you get a shiny EDR, a shiny IDS, a shiny XDR, whatever comes out, don't take the use cases for granted. Think if they're applicable. It seems easy to turn them on, but every tool, every rule, every detection you run needs to be maintained. Use a structured approach. You need to run sometimes, everybody needs to run for the next new threat coming out, but at some point you need to sit back, think top down about what's the work done, and don't start from scratch. So don't start from scratch: use the MITRE ATT&CK framework for as much as you can. Coverage is not completeness: if you only have a tool running on part of the organization, don't forget that other parts of your organization might still be applicable. A tool like the MaGMa security framework helps with that because it asks you to assess your coverage. And don't focus on detection and monitoring, because security starts at good security design. You need prevention, you need mitigation, you need user training, and that's all crucial for a proper SOC. And with that I see I've gone way too fast, but thanks for listening to this extreme lightning talk. There's a link here and the QR code that leads to our company's GitHub page where we describe how to do these detections, how to calculate this, and also run adversary calculations against the MITRE framework. So thanks for that.

[Applause]

That was a really fast talk, and there was a lot of links. Basically, I think kind of like each of the slides, if I would click the link, would take me, I
don't know, an hour to read or something like that, and then a couple of hours to try to implement. The other slides, are they also somewhere behind the QR code, or do you share them?

I think I share them with you guys, I said. Is that option okay?

Yeah, because I know people have been asking in the audience that all the slides are shared. It depends on the particular presenter if the slides are kind of things they want to share, but I hope this one is.

Yeah.

Because it's like, I couldn't take enough snapshots to find the URLs later, so I was hoping we could share it somewhere on the BSides space. Yeah, I think it's very good, because it's something I definitely put into my reading list. So do we have, at the end of the first presentation, some questions? Also, do we have a microphone lady? Yes, microphone lady is ready, but I don't see any hands. There is one. And as always, the best question will get the possibility to get some merch from back there, so please, before your question, if there is a next one wanting to ask a question, raise your hands so I or somebody can bring you a mic. Your next mic is coming there. So yeah, sorry, please.

You started the talk about failing three times making a SOC. What was the time frame, I mean the cycles?

Yeah, the time frame was nine and a half years, almost ten, about three years per person. And the first thing we did was an IDS solution, and that needed some assistance, and then we started another antivirus tooling, data loss prevention tooling, and then you get overwhelmed because your day starts with five tools, and a new technique came along called the SIEM and that started helping. So it is really a slow process, and nowadays there's better books to read. There's the Crafting the InfoSec Playbook book, which I really recommend. There's a bunch of stuff to read when setting up a SOC, and I'm happy for that because it means that people get used to the frameworks, and there's of course stuff like MITRE, which is really nice, which I'm finally starting to like, because it's no longer a view that you have to do everything, which nobody can do. It used to be an eternal project, every day getting more MITRE detections in. And so yeah, in about three years we built the first environment, and that crashed, because for some reason we got a small business environment and you can't run a global bank with that. The second thing we did was hire more people, which is great, but then suddenly, yeah, I was 25, I had a team to manage, which is also getting you into new problems. There's a saying, I wish you lots of staff, and it's not a compliment, it's an insult, and that turned out to be true, because you needed to do a lot more. So by the time we had that ready we were also almost three years later, and we started again, and the third SOC we implemented was the one which kept running. We had rosters, we had games, we had team outings, because you need to keep yourself and people happy, and interesting stuff like hackathons, stuff like the social experience around that, was critical to keep the SOC running, and that's something I learned in the three years before that. And then when I left... I started with three people, I was the fourth; when I left I think we were 65. So that shows a bit of the growth that of course every SOC went through, but I had the luxury of growing with that. Thanks.

I think the next mic is already there.

Yes, thank you for the great talk. My question is more towards the Splunk strategy, because you have highlighted the importance of people and processes in SOCs, so the question is how to empower these core things for a SOC with Splunk tools?

Yeah, great question. I originally had a demo planned, but I'm not in a situation where I can do a demo here live, but there is an app used for guidance and learning called Security Essentials. It contains the MITRE ATT&CK Explorer, and it allows you not only to view the rules you have enabled, that you're running, it also allows you to view these attacks by attack group. So in that tool, when we have an update we update the attack groups, we update the prevalence as much as we can to reflect, because it needs to be a small piece of software, and then we push that out to the app. Now the app will guide you, so you can select the sector you're working in, you can select the threat groups you're looking at, and you can select the priority weight from the Red Canary research. Thanks.

Any more questions? Did you see somebody? Okay.

Yeah, I told you this was going to be a talk about me failing, and this is me failing to have a 45 minute talk in 45 minutes.

So you probably tried to outdo me in speed talking. Yeah. Is Splunk now protected from spear phishing attachments? That was one of the techniques you had in red. Is Splunk protected? Yeah, I think you had a slide about your...

Yeah, oh no. So what we see is that we have been focusing our latest attacks, from when we made that analysis, we started focusing a lot of attacks on spear phishing analysis as well, so the new detections we've written out are grouped in what we call an analytic story, and that story was around spear phishing and phishing. So that's how our research team figures out what to do, and that's also how we started the idea of matching this and weighing this around. I think there was a question there somewhere.
So I have a following question. Once you have set up your MITRE ATT&CK monitoring tool, so to speak, your detections, and we all know that a SOC is a continuous process, so you have to keep track of the detections you already have, detections you need to implement, and detections that may no longer be as relevant. How do you keep track of those, and how do you continuously do that?

Okay, that's a good, that's a cool question. So there's two things you need to monitor when working in a SOC. Firstly and primarily is the incident life cycle: if an alert goes off, someone needs to pick it up, it needs to be investigated and closed and not be lying around. That's what we call the incident life cycle. The second one is a use case or detection life cycle. That needs to be continuously proven, and it starts with hunting, it starts with research, it starts with news, whatever you can get your input on on the new type of threats. So you need to take that information, let's say there's a new TTP, there's a new IOC, etc. You start developing or searching in your environment: where can I find evidence for this, where can I find this data, am I finding it in the right places, can I refine this search, can I exclude the stuff which is false positive? And you might, for this manual work, get a result. That's great, you've now found this needle in the haystack. Based on that, you don't want to be doing the same work every day, because of course smart people in the SOC, no repetitive work. So you're going to take that search, you're going to put it into a detection, into an alert, you're going to make sure it runs regularly, it's going to keep running, and it's not going to be perfect. The world changes, you might have made a mistake which you haven't seen over the last time you were searching, it starts triggering true positives but also false positives, so you need to start tuning. You get back to tuning, you get back to refining, you might even get back to hunting because you need to improve something again, and at that point you need to decide: am I keeping this use case or am I throwing this away? So that's the life cycle of a use case, and with that life cycle you need to determine at what point that use case needs to be phased out. So that's the second process running, and together, the first process makes sure everything gets handled, the second process makes sure that everything you're optimizing keeps being optimized, because you're right, it never stops. It never stops tuning, it never stops refining, it never stops improving, and it'll suck.

So as I understood correctly, one process for managing an individual detection life cycle and a separate process for managing all the detection life cycles continuously?

Now there's multiple ways to skin a cat. I'm not going to tell you how to run your SOC, but I can tell you how I did it. We had one process running to make sure incidents get handled in a good way. We had another process running which makes sure that every two and a half weeks we had a review of a set of use cases, because for every use case we analyzed if they were handled correctly or not. We took that information, we took that together with the true/false positive rates, and we figured out what we needed to start tuning. So that was the second process, where we used to take a chunk of use cases each time and refine those, and there we figured out if we still wanted them, if we needed to improve them, or discard them.

Thank you, sir.

You're welcome.

Any next ones? Or do I get also a question? Like, if I wanted to actually ask one question myself, also, namely, you have been in different sizes of SOCs, starting from whatever three persons to 65 and so on, and probably the conceptual level you are working on is different. Like if you have one IT guy you are probably just watching that people's passwords are somewhat strong, and if you have 65 people you probably can do a lot of things. But do you see some kind of a size of SOC or security team where actually going deeper into the MITRE ATT&CK matrix is actually relevant? How many people do you need to make this actually graspable?

It's interesting. I did a presentation recently with a slide focusing on the sizes of SOC teams compared to their organizations. It appears that there's a large number of smaller organizations who just have one or two people running, and then you're usually in firefighting mode. You can't run a SOC, you can maybe prevent the worst and accept the risk that something bad happens on the rest. Larger organizations get a chance to grow onto three people, four people, maybe even five, and with that amount of monitoring you can do daily workday monitoring, you can't do 24/7. At that level is the first level where you can start to take a break, take a breather, take a step back and start focusing on what you need to be doing, because that's the first level where you can step out of firefighting mode and you can start a structured approach. It used to be that this was the minimum level for a SOC. What we're seeing now more and more is that people are automating their work away, and I'm really happy with that, because my mantra is don't have smart people do repetitive work, so automate away the boring stuff. And we're seeing that if more gets automated, people get the luxury of working on their own strategy, of working on their own priorities, and that's where this comes into play. Now looking at the rest of the SOCs, if you're looking at the larger corporations, multiple thousands of users, then you get SOCs spanning into 20 people or sometimes even more. Now those SOCs certainly have their own entire security organization surrounding that. That might have separate use case teams next to the operations teams, which is interesting because you get competition: one team wants to create alerts and the other team wants as little alerts as possible, so you just create a conflict in your SOC. But with that, those are the customers which I see most of the time working with the MITRE ATT&CK framework, and those were also the ones two years ago, three years ago, which tried to implement all the use cases. So 20 and up. Yeah, 20 and up, and then there were some... the Gartner research had some outliers. One company reported 10,000 SOC analysts, which I don't think is true, but who knows.

Minions, minions probably. Yeah. Any questions from the audience? Because I have one more, and I'm not competing for the merch. My second question is that I think you mentioned, possibly in the talk, but maybe yesterday when we were talking, that you kind of created, let's say, not similar, but your own framework before MITRE ATT&CK. How do you now compare that to today's life and MITRE? What do you need to... and I don't know how much different it was. Do you feel it was going to be inferior, or was it just going in a different strategic direction? And what was it? Is it still somewhere available?

It's still available. It's still available, Payments Association. Don't try to read it as another MITRE ATT&CK. It is not. It's not a comprehensive lexicon of every attack technique observed, of every tactic observed. What it is, it is a framework to start monitoring your effectiveness as a SOC. So it asks you, for every use case you're running, why are you running this? What business purpose, what higher category? So for example, if you're running a rule for DDoS, why are you running that? You need to protect your company, you need to protect your company from downtime, you need to keep sales running. Now if that's an important thing for your business then yes, do those use cases; if it's not, don't do them. There's companies who don't care about their website going down because they deliver water. If they deliver water, they care about water quality, not about a website. Then the second thing is that framework also helps you calculate the weight of the use cases or the detections you're running, and that's the last slide ahead: if you think you're protected because you have an EDR, and the EDR is only running on 10 systems of your thousand-people organization, you are not being protected. You're protected not even... you're protected a tenth of a percent, and lots of organizations make
the mistake of saying, if I have a tool somewhere, even if I don't manage it, even if it covers only half of my organization, it's perfect. But there's a lot of work which can be done, and that's the difference between the MaGMa framework and the big lexicon; that's my term.

And coming back, my first question would be: would MaGMa actually be something to start with if you are a SOC of three persons or smaller, before you kind of graduate to the larger guys' playground? Because I hear the word "use case", and it's probably much more related to what people in smaller companies are dealing with than all of the threat actors, who are probably not looking for the small guy so much.

No. No. "Use case" is the most abused term in security. There's a use case which could be a reason for acquiring a product; there's a use case where somebody says, no, I need to have my business running; but there's also the one where, as a SOC analyst, you talk about a use case and you talk about the detection rule. So it's a really abused term. If you're running three people in a small organization, I would focus on proper management of an EDR solution. That's about the most you can do. You might be able to do some phishing if you're lucky, and some antivirus, and that's usually quite the limit of what you can do, because if you're three persons, you're mostly also managing the firewalls or routers, you're also mostly managing the Windows servers. So you see that, with a size that small, don't start. If you get into five-person SOCs, ten-person SOCs, then you get the luxury to start thinking of who am I, what am I trying to defend, and how to approach that, whichever framework you choose.

Great. Do you have more questions from the audience? I think not? No. Then first, thank you to you. There is a goodie bag for you, but I do need... Thanks. But you also need to pick one of the questions, not mine, but from the audience, yeah, which might have been kind of the... yeah, and then we need to remember who asked that.

No, I think the last question we had, on how do you tune it, how do you manage the lifecycle of a detection, I thought was a really good question, because it's something most people don't think about; they just keep running after the detection. So somebody's been thinking about how do I manage this in a constructive way before I need to start running again. I miss my other parties. So, to this man over there, I think the one in the yellow shirt. Congratulations. Okay, thank you very much. Thank you. [Applause]