Comprehensive Cross-Domain Enterprise Threat Exposure Analysis

like to invite onto the stage we bob fernelli and greg conte hello greg and bob hello thanks for be uh for having us here we really appreciate it ah absolute pleasure absolute pleasure so first time in delhi uh yes yes the trip was really easy yeah i can imagine i can imagine right and first class all the way i'm sure that's right i just felt like i walked out of my bedroom into the into the uh part of the conference it's great it's like living in the future isn't it so your talk is on comprehensive cross-domain enterprise threat exposure analysis which is a lot of words that i'm hoping you're going to explain in uh

short sentences that even i will understand uh so without further ado i'm going to ask you to bring your presentation up and uh take it away please gentlemen okay and can you see the presentation yes it's spot-on all right super so we have both both uh short sentences and pictures so it should be uh very uh go ahead as you say it's perfect for a next ciso like me well what we did is this is a research arc that we've been working on right and at first it gets really complex and we've been bob and i have been pulling on this you know kind of thread and digging into this subject to try and tighten it uh tighten it up

and as you go it becomes easier to understand so i think we put a bit of work into it i think we can convey it in an intuitive way uh and also a way that we think is uh can be extended mathematically and rigorously if people wanted to do that but it's it should be fun so i'll go ahead and get started please do thank you very much sure so um well first i i already mentioned thanks bob and i are very excited to be uh part of this um it's just a really cool opportunity and we appreciate you know being able to play a part in besides deli what we're trying to do is we we put a

lot of thought into like attack surface analysis and exposure of enterprises and you know a lot of what we see we think is too constrained it's too limited in terms of the perimeter and and what is being considered uh one or two dimensional kind of thinking so what we've tried to do in this talk is create a a thought framework for thinking both uh more broadly about what perimeter actually means and what can affect the enterprise as well as um thinking another dimension in terms of depth uh and and what we're considering it's just not all things with zeros and ones and and put that together in a way that can be used by people who are defending

uh enterprises or really defending just about anything uh and also for like red teamers right it can and and other people are in that uh you know ethical offensive mode um so with that uh we're that that's really like the the goal of what we're going to do so we'll go ahead and get started um no one actually reads the disclaimer slide so we thought we'd have some fun with it um to put a lot of effort into this slide but but the idea is uh that we're here just as individuals we're not representing or speaking for any of our current or past employers and uh bob would you like to introduce yourself sure so i'm bob finnelli uh principal with

capedian um i'm a computer scientist and security practitioner by trade with extensive experience both in the private sector and in the us army with service at united states cyber command and i'm greg conte um similar to bob i've been working in cyber security a long time like north of 20 years i have worked at united states military academy uh national security agency in usa as well as u.s cyber command and we recently were came together and formed a a company called competition okay so to frame the discussion it's always important to use star trek or science fiction analogies so uh before we get into this we understand this is a security conference and in a security conference you cannot

get star trek canon wrong so we've tried to get it right and uh because we know someone will say they were wrong the flux capacitor was inverted and not you know not the way you depicted and then we'll be called out in q a but seriously um so this is a a a battle uh where they're in a space anomaly captain kirk and mr spock are facing a sophisticated uh adversary in another ship sensors are down right so they don't know what's out there and they're in this anomaly and now they're trying to get into the head of their adversary he followed me this far he'll be back but from where from what direction and spock responds

he's intelligent but not experienced his pattern indicates two-dimensional thinking so they're on on the ship kirk then gives the order to go up in the z dimension uh 10 000 meters and to stand by photon torpedoes so the ship moves and of course it works so they come up right behind their adversary and uh they fire the photon torpedoes with the expected uh ending right but the idea here is they're facing an adversary that wasn't thinking in enough dimensions they were and they were victorious and i think that kind of same line of thought is very helpful as we think about our attack surface uh and how we link to other organizations how we can be approached

so that's really the premise of what we're talking about that defenders we think failed to consider the entire projection of their their organization in virtual and physical space and with that they have a constrained understanding of their attack surface um and attackers particularly the good ones the really good ones understand this and probe this this true attack uh surface looking for under protected areas looking often at gaps and seams to exploit so our you know our thesis was is it possible to create a framework that need enables like repeatable holistic analysis and that's what we tried to do who should care well there are literally armies operating in cyberspace we thought 10 years ago you know or 10 15 years ago that was

really beyond you know comprehension but it's a fact of the world today we think you know there's a lot of good work going attack surface analysis uh but we think it's a good start but we can extend that and it's it's frankly it's necessary and that everyone will benefit on the defense side with this deeper richer understanding and then with that that type of deeper richer understanding you can then uh prioritize your your uh your security investments security resources and controls uh more efficiently and appropriately people have done some interesting work uh and we just because we did do like a related work search we looked at what other people were saying we've got some interesting

ideas here uh we'll share the slides when this is done and we put links in here so if you're interested in uh you're kind of this pushing out of the attack surface these these are worth taking a look at but we think we've moved beyond what they show here again you see it's more of a two-dimensional kind of approach so this this idea of understanding the enterprise's threat the threat exposure its attack surface links to a lot of uh interesting areas and we've kind of explored those areas as part of the research that we're doing things like attack our ttps how defensive planning can take place analyzing your adversary things like attack graphs the military's

put a lot of thought into uh multi-domain operations uh that business best practices uh things like business continuity planning disaster recovery all play a part and then your your traditional infosec things like the cis top 20 number one steps number one and number two also play a role so what we've tried to do in the talk is kind of connect some of these dots as we go through um first as a start i thought it was interesting to take a look at how militaries think about like layered layers in terms of operations and offense and defense the us military uses the phrase operational domains things like sea land air and space and that's where battles are fought

conflict is waged and you know defense and offense takes place it's a way to think about it um but they've recently expanded their thinking so nato recognized cyberspace as a domain of operations it's man-made it cross-cuts all the traditional physical planes and there's also uh the electromagnetic spectrum which is similarly not obviously not man-made but it cross-cuts uh all the planes as well and there's discussion so this kind of is like a framework for how the military is thinking about it and uh contrast that to kind of traditional military uh this is a a depiction of a battle position in this center in the the center in the circle you see little uh little fighting vehicles

right and they're in a circle they're surrounded by a security perimeter they have anti-tank weapons the arrows that fan out are the that's like their area of responsibility that's what they can shoot at that's what they can hit they're designed to be uh overlapping and then there's various obstacles spread farther farther out but this is kind of like a two-dimensional two-dimensional thing uh but there's they've kind of moved beyond their their doctrine is evolving and i won't go into all the details of this but i want to highlight a couple of things one is across the top is like the major parts of the battlefield physically right and you know and that's where again competition takes place on conflict and

hopefully return to competition or even peace which you would like right so i wouldn't worry too much about that i put this slide up primarily to highlight this that now they're they're considering multiple planes at the same time things like space cyberspace electromagnetic spectrum uh the fl infra the information being uh space like social media all combined in parallel being considered for their operations and this is emerging in um informal written doc doctrine and here if you're interested in this type of thing we put a link and this is available for free online it's worth taking a look at again if this if you find this interesting um so bob i'll turn this over to you

great thanks greg so here's a question what happens when you fail to consider a dimension uh an example would be prisons they've been historically designed around walls and fences to counter a two-dimensional threat the idea that people can walk in or out or maybe vehicles drive in or out without control and smuggling contraband items into a prison is a dangerous both to the prisoners and to the staff and can be very profitable so perpetrators have moved into the third dimension to defeat these prison controls an example is there's been multiple instances where gangs have used drones to move contraband items into prisons and drop them off to the uh the uh inhabitants of those prisons

uh bbc had one story that uh recounted that there was a gang responsible for 55 different drone deliveries of over uh half a million british pounds worth of drugs and other contraband into uk prisons in 2016 and 2017. so the threat is real so attackers can and will combine multiple dimensions to penetrate defenses or to bypass them altogether attacks via cyberspace obviously are a way to defeat physical defenses but similarly attacks on information systems can be facilitated through physical vectors think of the classic tactic of the candy drop introducing malware through infected media that's left to be found or may be purchased by target staff members and used in a sensitive system to deliver the malware

to that system and think for a moment about your own footprint uh what's your organization's footprint or maybe your personal or your family's footprint and have you considered the complete footprint the complete exposure across all of the planes that we've discussed or does your pattern indicate two-dimensional thinking and so casting the problem as a graph can be helpful to think through all the dimensions a little bit more thoroughly and obviously drawing a picture can bring a whole new aspect to the problem solving that you wouldn't get through maybe other analysis techniques in this case the nodes of the graph represent informational and physical entities or objects this could include physical infrastructure computer hardware software information cyber personas

and and people and depending on your perspective a node could represent a single system or a person or an aggregation of many objects that together play a given role within your footprint at a very high level a node could be an entire corporation or an enterprise network or perhaps even something like an entire national telecommunications network

and you know a node could be an entire data center at a low low level a node could be a single server in a rack in that data center or the nodes could be the information resources within the data center aggregations of hardware software and information that serve various purposes

so no graph is uh is complete with just nodes we need links as well and the links of the graph represent the relationships between the nodes between all these entities that we're considering these could be things that you're more familiar with like communications paths but they could also be lines of influence they're not necessarily just network connections uh the links could exist on a single plane like a typical network communications or they could cross the planes like something like a human machine interaction it's also useful to consider the links as being either bi-directional or unidirectional some pairs of nodes may have a two-way interaction while in other cases really the only significant action may be influence of one node in

one direction only so these links are the ways that the nodes can have an effect on the others so take a single high-level node as an example call it acme corporation looking top down at uh the two-dimensional plane and zoomed out all the way all of the systems services personas and people that make up acne could be viewed as a single node however zooming in acme could resolve into successively smaller nodes representing business functions or network enclaves business units and into more detail until at the lowest level nodes could represent individual devices or individual people however think in multiple dimensions so rotating the perspective a little bit to reveal those dimensions we can see that the circle that represented acme

in the previous view was really just the end of a cylinder the objects and entities on the various planes work together and interact to make up the acme node the objects within acme can influence and communicate with each other um so it's possible you could create graphs of nodes and links within acme uh that that span the different layers and join them together in ways that may be useful uh if such a perspective was useful for the analysis and a link can be an aggregation of relationships or communications paths between elements that make up two nodes it's almost an analogous to a communications trunk or a multiplex connection that bears or potentially bears a variety of individual services in

circuits so this diagram depicts that a relationship exists between acme and a second example now to call it globex corporation and again so rotating that view a little bit to give us that multi-dimensional perspective we can see how the links may also be composed of subordinate links many of these would logically fall within a single layer like network connectivity but they can cross the layers as well for example a persona in one node may have influence over physical devices in an adjacent node and zooming in one could eventually reach a level where individual circuits or pairwise interactions become apparent and meaningful it's possible to look at the very big picture consider a depiction of the entire internet and

the ability to zoom into the right detail of level of detail um consider how each of the nodes on this very large picture is itself a major network and that each of these may contain multiple autonomous systems um in drilling down further this could reveal uh major networks sub-networks network segments and eventually getting down to individual network devices and looking at multiple multiple dimensions the hardware the information the personas the software or even the users that are present on those networks so but consider that depicting everything at a very detailed level may not be very useful it could really just overwhelm you with unnecessary detail so it's important to find that right level of abstraction

that best facilitates your analysis and objectives so don't just charge blindly down the rabbit hole so i'll go ahead and pick up here agreed on not charging blindly down the rabbit hole for those of you that have studied information visualization there's the concept of semantic zoom uh there's some interesting research papers on that i'd suggest them if you're if you find that interesting the idea is that depending on the level of zoom uh that varies the amount of detail you see in an intuitive way and that's kind of the approach we're taking here uh and also on the next set of slides we've had to fit them on slides we've had to do some scoping uh

scoping the problem and we didn't like draw every conceivable arrow for example we're just trying to give you the intuition of what we're talking about um so bob covered nodes and links but there are other attributes there are lots of interesting attributes actually one that as we were studying this degree of control i think is really essential particularly from the defender's perspective um and you know what how do you how do you describe the degree of control you have over any given uh link or node um well we we built this kind of this concept things you can touch right if you can walk in and punch it uh uh punch the person or um you know wipe the drive or turn off

the turn off the device or reboot the device yourself then you can touch it uh things you can control are farther out are things you have uh that maybe you can't touch but things like a distributed workforce remote employee devices things like that things that you i'm sorry remote employee devices provided by the employer that you can control those farther out there are things that you may have shared control uh contractors uh your company's social media presence so as like you're often times that blue circle you see the first two you notice right here that's often where we we stop a lot of our thinking when it comes to thinking about attack surface but we have to get push it farther out

things where you have shared control uh things where you have responsibility and uh maybe not control um third-party vendors come to mind um your company the the social media presence of company officers uh and even farther and and we we posit that this is the larger attack surface really is you really have to think about the things that can affect you and you have no control uh family members influencers fraudulent personas uh os and cloud vulnerabilities that type of thing so this larger circle is what we're saying we really need to put more thought into those three outer rings in particular uh and then there's everything else and because it's also like this can scope

into near infinite you know possibilities so we have to understand there are things out there that over which we have no control and have uh a modest to no ability to influence us so we just need to deliberately be conscious of what we're considering out of scope so this what we see here uh um what we see here that is just a graphic depiction i've taken the note and graph node and link uh examples uh that bob had kind of laid out uh and and created a larger example and then mapped over it uh spaces that hit areas of control and just as as a way to you know visually depict it and if we take that further we'll see

that um i've colored now all of those areas orange so all of these now i've covered colored as orange and i consider those we consider those as the the really the true attack surface this extended attack surface composed of these uh nodes and links uh that can can reach acme corporation we've also surrounded it with some the gray line that's farther out which we consider the footprint so the footprint is bigger than the attack surface that's the all the other data and things that like the projection of your of your enterprise in in cyberspace uh in other so but maybe not attackable or not it it can't have like the effects on your organization are minimal

to none um so if we go a little farther uh we can consider that there are vulnerabilities depicted with v's here uh at various points on your on your acme's perimeter vulnerabilities can also occur in the middle of links right uh consider an undersea cable we've heard stories about people suspicious activities surrounding undersea cables uh people have tapped of various types of communication lines uh all those lines of communication across all the planes all the layers can potentially be vulnerable there's a special class of vulnerability we consider a dependency right if you're dependent on a particular link or external node that's a means of attack as well i do you know think if a communication line goes down

if an undersea cable goes down and you're on an island you've got a problem or whatever right and then what attackers do is they traverse the links aiming for a specific vulnerability they'll pair it with an exploit to exploit that vulnerability to achieve some desired effect now this is the same chart i've seeded some different uh vulnerabilities and dependencies um and you can consider that a direct attack like i just showed previously right so you traverse the link the attack vector and uh exploit a vulnerability to cause some sort of facts that's really what we're thinking not like an effect is something you can cause it's it can be destruction or disruption or you know any any mutant deception any

myriad of a myriad number of effects you could cause and sophisticated attackers think that through very carefully uh but you could also have indirect attacks like on as i mentioned earlier if you're dependent on that link an attacker can exploit that vulnerability and cause a desired effect like disconnecting you from the network or slowing your traffic or whatever you can also have indirect attacks that are farther out there that you can chain a series of attacks to work through the network up to the perimeter so they can be farther out in the attack surface maybe outside what you would normally have considered as during your traditional attack surface analysis and that it could also come in from

other directions that these nodes are often interconnected if one of them say is a major cloud service provider or a provider of a certain accounting software or whatever that it can taking out that node can cause others that are dependent on it to have failures that then in turn uh impact you so there i think this is a useful way to think about it and also want to show a couple of special cases we've already discussed the dependency but there's also some of these links as bob mentioned can be one way information can leak across them if you've seen the crazy creativity surrounding side channels for example sound and light and heat and energy consumption

it's pretty amazing so it's useful like links don't have to be bidirectional and they can leak information deliberately or inadvertently there's also blind attacks there's a whole class of blind attacks where the attacker uh will can reach the destination cause something to happen but they don't get immediate feedback across that link right but they might look externally for effects that are caused did the web server go down maybe uh or is it slower those type things uh they have to go in from another angle to get that feedback now we'd like to extend the idea further we've talked about looking at this from multiple dimensions an important additional dimension is time this this attack cert extended attack

surface we're talking about across multiple dimensions changes very frequently it changes actually exceptionally rapidly if you consider that flipping one bit changes the state of the system this the state of this thing is just astronomical right but uh looking at like the bigger changes and the smaller changes uh that can occur both are relevant pardon me let me clear my throat okay um both are relevant uh big changes can be mergers and acquisitions all of a sudden you've got an entire new company connecting their graph to yours in a very intimate fashion right very tight fashion uh maybe your entire workforce shifts to work from home due to covet those are major changes in this attack

surface and there are also smaller changes you might patch an end point you might configure a fire poke hole in a firewall for a new third-party service the size of the change doesn't you know equate to the security implications just a small change can be very serious um for those of you who are interested in learning more i recommend rob joyce's usenix security talk uh where he talked about the patience of adversaries and they will monitor the attack surface over time waiting for the vulnerability that they need it might be the patching once a year or something like that

so just taking this a little further here's an attacker um the attacker uh wants to attack acme corporation and it caused some effects there and they they work through a calculus right what can they see but what can they see uh seeing something you know doesn't mean they can reach it um then they'll look at what is vulnerable what is exploitable across this whole set of links that we see here um what's the effect they want to uh achieve how uh how much work do they have to put in to do it and how valuable is the effect versus the risk so there's this entire calculus that takes place and i want to show next like this

traversing multiple well here we're considering multiple layers multiple links now i just want to show one potential multi uh layer attack so in this case maybe the attacker works through a particular persona he's able to infiltrate this other organization as a for you know gain some um privileged access for example uh and they're able to work through a persona uh go across and impact interact with a persona uh like a social media persona and another uh in acne corporation which then deceives the human in some way causing them to interact with another human and ultimately achieve the effects that they want so that's what we're trying to get us thinking in terms of multiple attacking across multiple layers here

and bringing let's see okay bob it's over to you right this is yes okay yes so thanks greg so this table is is really depicting uh representative examples of combinations of these different planes and the degrees of control that greg just mentioned um in a in a full analysis situation uh each of the cells in this table could easily involve uh research and brainstorming sessions that would fill a single cell with many very specific possibilities for your situation this is really just an idea of trying to say well what would an example of each of these be try to lay that out and thinking through many of these situations are going to be situationally dependent and and

i i'd say one example could be the monsoon in the south asia scenario this is something that would probably fall in the responsibility but not control area obviously one can't control the monsoon but if i'm responsible for some sort of security aspect or or operational aspect that could be affected by the weather i better be prepared for that because the monsoon happens and it's a predictable thing and obviously something that i should be prepared for so this was this is just really an example of those and you may be looking at this thinking wow there's many many very good examples or if you look at this table you say gee i never thought of that that's

probably something to consider and i would add that this we've created this specifically as a kind of easy to use tool in your own kind of risk analysis and assessment of your attack surface so creating a matrix like this i think is you think is a useful tool so thinking this this through and some of the so what would be to get better visibility analysis and be able to coordinate your your uh overall security effort um graphing this out thinking through these multiple dimensions can really help to identify the critical nodes uh the key links and perhaps uh different connected components or cut points uh in all of the dimensions to better identify your actual and complete attack surface

and from there to be able to implement a strategy for the monitoring for security controls configuration changes maybe architectural alterations to better treat your risk and to improve your overall security posture so it's not just the more familiar technical controls but security professionals really need to be thinking across all of the dimensions and come up with a comprehensive strategy consider more comprehensive threat intelligence more than just the network things but that could include the weather as given the previous example but also things like sharing the risk through insurance um cooperation with government and private sector uh partnerships or larger scale collective defense capabilities all of these can contribute to a better posture and will benefit from this

multi-dimensional analysis so um you know like the key takeaways right and we looked at this problem for quite a while um and we tried to distill down what we thought was most important to take away from this talk uh and we think that it's really important to push beyond your normal boundaries of of your you know thinking about the perimeter and then dimensions so thinking vertically across all the layers which we just described and then horizontally farther out thinking about things that can affect your enterprise whether or not you have control because you have some degree of control you might be able to control the effects even if you can't control the uh the entity that's causing or

trying to cause them and then you can use the results to inform your risk management discussions as bob mentioned your threat intelligence collection and ultimately uh architect more defensible systems so the takeaway here for me is do not inhale mountain dew in the middle of the talk uh sorry uh because the classic the the textbook way to deal with attack surfaces you want to reduce the attack surface you want to reduce the number of links to that outside world and all of a sudden but we've expanded it like an accordion you've seen that there's a lot of links and you want to just reduce your tax surface in general and we think this methodology that we're

suggesting here it's not just useful for enterprises you can think in terms of a city this way a critical infrastructure sector a nation using that kind of semantic zoom where you abstract appropriately and can move up and down fluidly that's i think quite powerful so we think this scales and also corporate ecosystems all the way from suppliers through the headquarters through to retail and ultimately your customers you can consider that whole ecosystem in your analysis and we think that would be very useful and what we've described uh would be helpful to that so if you're interested in this type of type of work we're going to obviously share the slides uh and bob and i have been doing some nearby

research which we think connects and is useful we did a talk at black hat usa this summer uh on uh attacking uh attacking and defending countries which i think connects well to this we've also looked at pressure points uh like so basically the tar how threat actors target in this kind of space that we're talking about a colleague of mine and i wrote a book called on cyber which digs deeply into a lot of related areas and we teach courses on military strategy and tactics for cyber security as well as information operations and influence operations at black hat there's i thought the work by risk iq and i we are not affiliated with them but their white papers and other

work was interesting so that's more information if you want to extend what we're talking about uh i think things like attack graphs and complex systems analysis and graph theory have a lot to that you could add some rigor to this and kind of it would work mathematically uh that there are people working on automated attack surface generation um and we think too that's useful not just from the uh defender's perspective but also put on your attacker hat right for the defender has access to certain amounts of information the attacker has a different set of information so their graphs those links that they would see are different but it's useful to perhaps flip those perspectives um you

know red teamers are good at that type of thing and uh yeah so though just some ideas for future work and with that i think we're happy to go to questions gentlemen thank you very much uh i rarely say this but i love that i really really liked it i have a few um folks don't forget to ask your questions in the youtube comments fields um sorry in the in the in the back house can we bring up that last slide again please can we can we re-share that last slide thank you uh no the the next one the the uh yeah perfect just so just so we know where to find you um so a few comments and a question so

the attack surface diagram i think that's one of the best ways i've seen of actually trying to really dig into where the vulnerabilities of your systems are or not in the system your organization your enterprise your your whatever it is um i loved the um uh the differentiation between you know the vulnerability and the dependencies and then the the exploits and the the the way that you're able to map those onto there and then abstract it out or abstract that out even further into the uh the matrix that helps um elaborate on those on the risks as a result um i mean we all know a risk register is one of the hardest things to

uh to write i think one of the best ones i read was attack by wild dogs um which was an interesting risk to put on the register possibly realistic i don't know um i did i didn't think so at the time so but you can really you've almost got an evidence chain of where those risks are coming from as a result of the the work that's carried out on the uh on the attack surface so that's something i'm certainly going to be um uh going to be looking into more and you know in some of your further reading my question is uh bob when was that photo taken uh for the uh the one we're looking at

that's a few years out of date right now absolutely you look um you look uh you look like a film star there actually my daughter took that photo um and uh so that's one of the reasons i really like it it was just a very off-the-cuff photo that uh that was as good as any professional could probably put together absolutely i'd recommend you change the camera on your laptop screen in that case [Laughter] joking joking don't insult the speakers they keep telling me that um we do have a question fantastic from uh samuel is that let me get that up on the screen for everybody to see thank you don't you think best security is attack and being on the war field uh

dark web is a good tactic could you restate the question please simon you might need to restate that one oh he said nice question um we'll give him just a just us a second to to come with that uh yes osama if you could restate that question slightly in the meantime um the other aspect that i thought was very interesting was you know how everything changes over time time and circumstances and i think so often uh risk registers are just you know once and done or once and done at least for 12 months and i think actually the the further work on automating some of this attack surface work etc is going to make a

it's potentially a game changer in our understanding of risk within organizations i think it'll tie to the you know the ability to automatically generate no it's all in the data right like what do you have access to what don't you have access to uh yeah can what can you automate what do you just not have the data or the the authority to access the data that you need so you're gonna have it's gonna limit i think they'll be like blind spots just because of you can't collect certain types of data what do you think bob yes and i i think the uh the mention that a risk register is a uh is a difficult beast to create

and maintain i would definitely agree with that and it takes a certain mindset to do that i think that there are people who are very good at that and um and can help expand the thinking of the technologists into uh more of these areas and thinking through the risks um both the effects and then the things that present risk the threats that are out there that uh that are very helpful um you mentioned a background as a ciso so certainly uh hopefully this talk resonates with that larger picture and uh and it's it's good for all of us both the the hands-on technologists the people who are dealing with risks and management i think through all of

these these factors together yeah yeah and i think too that i i mean i would not be surprised if we if we think that there are literally armies operating in in this world in cyberspace that what we're thinking their people probably mapped out a lot of this and have giant you know like attack you know war plans on the shelf well they have cheap they have cheap labor to do that right that's the thing you know they have a sheer vol well they have an army of people funnily enough it's clues in the name an army of people to do these things um and it's and it's a very sort of uh what military thing to do which is document

um so yes absolutely absolutely well we've come up onto time gentlemen thank you very much i will certainly be uh following up on this personally to look into more of the research and some of the further reading that you've suggested very much appreciated you get the massive virtual round of applause thank you very much like i said before one of the challenges of virtual conferences is you don't get the audience response but you get my response instead so thank you so much thank you for flying all this way