Knowing the Enemy: Creating a Cyber Threat Actor Attribution Program

the bides DC 2016 videos are brought to you by clearedjobs.net and cyers jobs.com tools for your next career move and antium Technologies focusing on Advanced cyber detection analysis and mitigation all right welcome everybody to bides my name is Jack Johnson I'm the manager of the mark monitor Security operation Center where I've been working since 2004 started off as a system engineer then became technical operations manager now I'm the manager AKA acting director whatever you want to call it so the the topic of my talk is knowing the enemy creating a cyber threat attribution program and I'll just give you a little bit of background uh our security operations center is kind of unique where we're not like a IDs ipf

type uh um uh shop we basically uh detect analyze and mitigate social engineering attacks fishing malware Vishing Etc over the course of my 12 years in the sock I think we've enforced on over 200,000 unique events so this is going to be the focus of my top topic today it's a sock with a social engineering aspect so prior to joining Mark monitor I was in the Navy I spent eight years in the Navy as a cryptologist so it's great that I followed the guy who just spoke and um I was a signant signals intelligence uh cryptologist and what we did was pretty much monitor uh signal Communications of third parties or people that we were interested in and I

had a specific uh specialty in Morse code which you see here uh after attending school in Fort devans Massachusetts where I learned moris code and that Worcester is spelled Worcester Shire I uh went to my first Duty station and when you get to your first Duty station in the Navy all the old school guys who are there they give you all these sea stories about how interesting the job is and how you'll come in work your 12h hour or eight hour shift every day and you're on this end receiving and recording and on the other end there's a forign adversary that's transmitting and when you do the job every day and you work the same schedule as this person

and what happens over time is that you basically create a Persona in your mind of this person and moris code has a rhythm to it and that's part of what makes you successful as a Mor Cod operator is that once you adjust to someone's Rhythm I can pretty much copy their code and have this conversation with you at the same time because your you know subconscious mind kind of takes over but then they also Juice you know try to make it more exciting and tell you these stories like you could tell if the guy's had a bad day if he was drunk before if he had an argument with his wife because he'll be distracted and his

code will be off I'm going to bring this in to the modern cyber security world and I like this quote because this quote kind of took me back to my military days of copy and moris cold and also into the work that we do in a mark monitor security operations center you know if you know yourself and you know your enemy if you know your enemy you know yourself you need not fear the result of 100 Battles because you can pretty much anticipate what they're going to do what we deal with is fishing and I say we did over 200,000 enforcements but the first thing I always ask a new analyst I always ask him what's a

fish and the answer is that you are the fish Fishers and social engineer attackers are after the information that you possess Point Blank the methods that they use to obtain that information varies depending on their attack pattern they involve different kind of fishing lures to trap the victim or trick them into divulging information the common LS today you have URLs PDF files that contain macros that uh install m whereare Word documents uh everyone knows about Adobe Flash more recently JavaScript has been involved with the locky um and other ransomware families PowerPoint presentations that enable macros zip files and just even more uh substantial damage is done by text files or text Communications which uh I'm going to speak to a little

bit moving forward so politicians are targeted this year email and this election is just the big Hot Topic right everybody's talking about everybody's emails getting hacked this was the email uh URL that was sent to the Democratic big wig guy that got his Gmail compromised and I don't know how well you can see it but it was a bitly opcat URL that was sent and if you look at the timeline on the bottom there was only two clicks on this URL the bit the shortener link so so this means that this was a very targeted attack they did their um you know operational Intelligence on this guy figured out his email communication patterns sent him a

link he clicked on it they got his credentials logged into his email and he was exposed but these type of very targeted attacks are very common here's another you know recent headline where uh a cable company they lost 440 million Eur off a email communication that contained nothing but text meaning that a thread actor after learning the communication habits of the CFO sent him a them a very convincing email which led them to authorize wire transfer for 440 million this always kind of freaks me out because if you sent me an email to ask me for ,000 bucks I would probably call you on the phone and ask what do you need it for but apparently in these type

of large organizations and large banking it it's common practice I I've G given this presentation many times um with a financial audience and they said it's just par for the course that millions and billions of dollars are just flying around so so the the uh cyber threat landscape has really evolved since I began working in um the sock uh PR predominantly in the past what we would see is that the uh social engineering attacks were very brand specific meaning they would say dear Bank user of this type of Bank update your account or dear subscriber to this service Etc we saw a shift around 2014 where they started pivoting based on our behaviors meaning today

most of your social networking sites you don't log in with an account that belongs to the social networking site you authenticate with an email account of your personal choice and a password of your personal choice so this goes for you know Facebook Twitter Etc Amazon so the social Engineers being very smart and persistent they realize that if they obtain your email credentials that that's the keys to the kingdom to everything you have in 2014 we detected eight Dropbox sites and you can see by 2015 it had went over to 50,000 and 2016 to these numbers are poor from this week over 100,000 but if you look at Google and this comprises the whole Google family this is your

Gmail Google Docs Google whatever you have it it it's over 350,000 and this you know we still have a couple two months left it's really grown tremendously and the politicians email that I it was a Gmail account that got compromised so the numbers are really growing and what I want to emphasize about this slide is that anyone who's doing incident response detection or prevention you have to look beyond your organization so if you work for company XYZ it's not sufficient to just look for threats that have their XYZ member you really have to look at your uh consumer base or um employees and look at all the information that they have and all the authentication and communication methods

that they have and try to get a hold of all the attacks that are coming in through those different vectors because their work email might be secure but many users check their social media accounts and personal email at work and they often reuse the same passwords there you have you know a flaw in the system so the way that we detect hundreds of thousands even millions of fishing fishing attacks is that we have internal data sources from our customer base as well as our own internal and these These are web log refers uh you have user submissions you have Network sensors AV um your AV logs email bounce backs because social Engineers attacks many times they'll have a drro list that

that's kind of old and what they'll do is they'll email the list and many of the uh users on the list have moved on and the messages will bounce so it's very important for it uh email administrators to kind of pay attention to those type of small you know little inous details that might just bypass them normally but there's a reason external data sources are very important when we first started the you know stood up the sock the challenge that we had was how are we going to detect social engineering attacks so many of our competitors they would crawl the web but what we decided to do was kind of flip the logic and partner with large email

providers and just taking their spam feeds so we would have the major email providers that you you know today that offer free email Services partnership with them they would send us millions and millions of uh URLs we would run them through an analysis system and then we would extract the fishing URLs today because of the problem has grown so much there's a lot more of you know open source intelligence feeds you have non-government organizations such as uh the apwg MOG Etc uh you have vendors that do email security or other type of security that will actually sell you feeds for a fee so it it's very uh important to try to expand your footprint as large as

possible so that you can have the widest net to catch all these social engineering attacks and also it's very important to be active in the in infoset community as well as your constituents because what we what we notice is that uh threat actors they don't just Target one organization what you'll you'll find is that you'll be part of a group of organizations that are being attacked simultaneous ly with your organization so you know a lot of socks they use a seam and they they have all these different tools that are submitting information but what I find when speaking to the analyst that there's so much information overload that they can't make sense of it so what

we do we don't use this methodology we actually extract the information categorize it and then we process it in a different way so that we can you know take it from being raw data to just simple information to intelligence cuz in my mind intelligence is the story behind what's going on so you know an the the end result after all this processing is that we extract the artifacts and we per you know we look through the emails uh we also do smishing attacks that are using voice over IP the JavaScript that are that's in part of the uh Ransom whereare um domains that are being registered domains are very useful to kind of expos in the footprint of the thread actor

because what we see in the CEO type scams or other scams they'll register a whole series of domains and they'll typically register the domain within 24 hours before they launch their attack so we have a a tool called ews early warning system and what it does it it monitors your Brand's name for lookalike domains so say I'll use Google Google with three O's would fire off and we would get the who is record and then we can then take the registrant and do a reversal on that and see all the other domains that they just recently registered then we'll alert everyone that hey you might have an attack coming soon so this is the kind of work that

we've been doing to kind of get ahead of the curve here's a tip that I'm going to give everybody in the audience when you have users that are using like a Microsoft Office type client or any type of client they'll off often forward you an email and say hey this is suspicious can you check it out the problem when they forward the email is that the headers are overwritten from the original message and now we just have a copy of their headers if you hit control or F it will take the message that is selected and pop open another window with it as an attachment so any user regardless of their technical sophistication or comfortability or whatever can do this

then they can forward you the information and you can then analyze the headers properly so I always try to make sure I put this out to the audience um malicious document analysis this this is definitely something that we find very useful there's a whole row of my sock team members and colleagues sitting there that's why I'm kind of nervous cuz they're staring at me but um it it's it's definitely a new art form and um I'm not going to reinvent the will uh Lenny Z zeltzer he's from SS he has a good uh cheat sheet that he put together and it has all the different tips and tricks for all the different types of

documents so whenever I'm talking to uh like Intel analysts I've seen this presentation many times where they say the who what when where how and why and they actually apply that to the threat actor what we did was kind of reverse the logic again and look at who's being targeted what's the method that they're targeting being targeted with when are the messages being received this is very important because what time the messages are being received will tell you two things it'll tell you one how much operational Intel the thread actor has because if they know your schedule that every Monday you show up at work at 9:00 a.m. versus 10 a.m. versus 8:00 a.m. and you receive

this message that has a sense of urgency that looks like it was waiting over the the weekend Etc they kind of have some kind of insight into your schedule or the person the victim schedule where the message are coming from it's very important how are the messes getting through you know most organizations have AV uh scrubbing their email uh all type of spam filters yet the messages are still coming through because the threat actors have some type of knowledge of how to circumvent the system and the last thing that I find very very very important to question is what are what are their intentions what's the endgame you know different the C CFO he can

authorize a wire transfer but what about an admin what about someone that security guard at the front desk if they're being targeted the endgame for all of those different individuals is totally different same goes for if you're a software developer is receiving a lot of social engineering attacks versus a system administrator these are people that have access to very critical systems so you know you colle collect all the information it's very important to conduct analysis so I'll just roll back to a couple years ago we were initially in our business detection and shutdown time is the two uh primary metrics that all customers are interested in how F how much can you detect how fast can you

detect and how fast can you shut it down so you know we've been doing this for a while and customers are never satisfied with status quo so a lot of smart customers are saying what else can you do for us what else can you get me what else can you get me so we started digging around and what we would find is Trace trace evidence that is Left Behind such as fish kit um The Domain registrations like I spoke to the who is records and what we started doing was actually picking through all of these different uh pieces of information and we would find that this fishing attack will ship the information to this email

address or this type of fishing attack will ship this email ship the collected information to a IRC form or all different kind of you know formats we began I started off just playing around and put it into a spreadsheet and what I noticed is that a a pattern just popped out apparent clear so then I spoke with another senior engineer I mean senior analyst that been working with me for about 10 years and I was like check this out I'm doing XYZ and this looks very interesting so we started you know just playing around seeing what we can do and and it was definitely something there perfect storm or the stars align properly I had two

analysts who changed the shift so I was working with them directly we hired an engineer who had a background in uh gaming because Gamers cheat a lot so this guy had a very very he had a very very good mindset of PHP PHP vulnerabilities and all kind of ausc and just crazy things that people do in the gaming word gaming world to kind of level themselves up what we did then was move from a spreadsheet to a database and then we began automating some of the uh collection of the information and we also started doing analysis on sites that fish that the Fishers and social Engineers were hacking into to see if there was a pattern there and of course

there were so what we would notice is that certain sites had common uh vulnerabilities so WordPress is very popular they pop those sites all day and what we would see is that this site would have a Char plugin this would have XYZ plugin and then we would notice that the brands that are being targeted matched up with the different vulnerabilities and then we started mapping them and we would say this is the same person this is the same person Etc and the reason why this was very possible is because human beings have behaviors and habits I like the classify them just for simply is like periods of activities and automation or the lack of automation is

a behavior so we wouldn't measure things like if we take a site offline how long would it take for it to come back online or would another site appear so for instance if we would see 50 fishing sites come up and we would take them down if they were back online in 5 minutes then the GU is monitoring and and automating the deployment because it's impossible to do that manually versus you know you take a site down and then 2 days later it comes back up or it repairs somewhere else also habits uh whenever you um malware binaries there's text Fields inside of them also fish kits so if you look at the raw text you'll see there there

speech patterns uh they'll they'll write things in their native tongue they'll use grammar mistakes they'll even just put weird things like six spaces or I was talking to someone else they told me that uh they had a guy he would just finish everything with six slashes or five slashes or something like that and these are all subconscious decisions that people make just like if you ever watch the poker Wars uh they all wear these weird disguises and do strange things because we all have a tail and what they try to do is OPC their tail by just behaving oddly because it's human human nature so we just applied the same concept to attributing attacks to

certain threat actors humans also have limitations and I divided these into two one is resources financial and operational Intel it limits their scope and ability uh today being a hacker has become very simple and you don't have to have technical ability and the reason for this is there there's commercial off-the-shelf services that provide you with remote access Trojans exploit kits Etc they're they're all just pay for Play services but the personal limitations or skill sets it's impossible if if everyone in here is Technical and in some way shape or form and we know you just cannot go from being interested in programming to an elite programmer in 6 months I don't care how many online muks you do it's

just impossible also we're limited by our imagination certain information in one person's hands is is much more lethal in someone else's hands based on their level of of imagination and I also find this true when you're working with your analysts and then lastly social their Social Circles will help them level up very quickly if they're if they meet the right person and this is true in any type of interaction with people so this is another aspect that we have to you know consider when we're doing our attribution so these are list of some resources and I kind of divided them from most severe to least severe so if if if your organization or someone that

you're working for is being targeted by xboy kits or Ras mass pass which is ransomware as a service malware as a service fishing as a service or even you're seeing bgp hijacking this is very sophisticated Elite status exploit kits and ransomware as a service and all these services are very expensive they can range from $10,000 a month that we've seen you know $50,000 for a quarter because the return on investment is so high and the criminals that are supplying the service control the entire infrastructure so it makes the mitigation process extremely difficult you know the the the middle tier is criminally owned where you'll have bulletproof hosting which is where they'll set up their infrastructure

overseas and it's not really bulletproof hosting is kind of like a a misnomer a myth it's not really bullet proof hosting is that the country where the hosting provider resides in has very loose laws and the hosting provider themselves has a very loose term of service so their customer base it it's for a criminal audience but when law enforcement or anyone contacts them they're say they're not breaking the law because this is this is within their terms of service so they don't have to take action and also they they may own the IP space uh criminal abuse this is what you'll see very very popular well they'll crack sites they'll register sites or install malware binaries on

free hosting sites uh or they'll just abuse terms of service so last year uh there was a company um that allowed free reg domain registrations for 30 days and they they just it just went crazy they're a subsidiary of two cows and it was just it was just out of control it was so bad that I can and everyone petition them to just stop the service so here here we go with strategic Partnerships I I use this this this slide this is from the movie Blow where Johnny Depp he was a marijuana trafficker and he end up getting caught with 500 lb of marijuana and he went to prison so while he was in prison he met

this guy Diego and Diego told him that he has a very good Vision he just has the wrong Vision instead of transporting marijuana he should get into the cocaine business because it's much more profitable yada y y he end up working for Pablo Escobar this applies to our cyber threat actors they're in these IRC groups underground forums dark web Etc they can be very successful at one type of attack where they can have a friend or associate that they meet that's doesn't have the skill set or the knowledge to P pour out the attack but they have the vision they combine and next you'll see you're thread actor that you've been tracking for 3 years years he'll just

level up and you'll be like wow I've never seen him doing all this kind of strange stuff you know he became way more sophisticated and it's also it's a definitely you know an indication that he's been talking to someone now I'm going to flip that coin in the infoset cybercity world we have to do the same thing there's definitely strength in number and strength in sharing the op you know open source intelligence feeds Etc you know they have missed the malware information sharing platforms Etc we all have to join together and start sharing And discussing these things as much as possible as much as you can to kind of make the community stronger because our adversaries are

definitely doing it so I work with law enforcement you know on the federal level local level Etc and one thing that they have to maintain we have to maintain a chain of evidence so there's not really much guidance I try to look for guidance before coming here today and I posted things and I send a lot of emails and they were like I had people who testified a lot of Trials and they're saying basically what you have to do is md5 everything that you obtain maintain a chain of custody and also Journal your activities what were you doing when you came across this how did you do it why did you do it Etc because

if you if you become uh part of a case and you're going to understand they're going to cross-examine you and ask you all this information they also suggested that in the course of of your analysis you might have to modify files such as you have a zip file you have to unzip it to see the contents once you unzip that file you also have to md5 all those subsequent files Etc um a a newer way that people are doing and it's I guess fancy slick they're using the blockchain to uh verify Integrity so there's some if you Google blockchain to uh ver authenticate documents Etc you'll find a bunch of Articles people are doing it I just

start saying it like the last couple months it's very important to maintain and you know collect all this information for the purpose of stopping the bad guys and the only way you can really stop them permanently is to take them offline there was a time where the Nigerian hackers had free reign to just do whatever they want contact everybody with romance scams BC scams 419 scams which actually comes from a a section of their legal code the time is no more and I wanted to show this share this with the audience they caught a whole ring of Nigerian scammers and they took the guy they they arrested him and you know they had profited upwards of $60 million so

times are definitely changing this is from August to 1st to bring all of this together and to have it really work after we did our initial research and you know prototyping we really really had to go to our upper management all the way up to the CEO to get authorization to continue we had to speak to our legal counsel to understand to explain to them what we were doing and also uh get feedback on boundaries and lines that we should not cross because once you get into this type of stuff the rabbit hole goes really really deep um you have to bring in the managers of the different departments within your organization or whoever you're working with and then you

have to work with the it Network and security people because they maintain the resources that we all use and you have to have them play ball with you or you will not get anywhere to make this type of program work first you need permission like I just spoke to you have to develop protocols so users have to know what to do where to what to do and and who to send the information to this is often confusing in many organizations where someone will say you'll speak to users and they'll say yeah I received these strengths messages all the time and you'll say what do you do with it's like I don't open them like all right good

you don't open them what do you do I delete them this is this is helping our adversaries stay in stealth mode because we have no idea the breadth of their attacks you need procedures processes and and you bring it all together you create a program my goal is to have all of my users all of my customers feed as much information anything think it's suspicious send it we'll take a look at it and process it and let you know and also part of that is feedback um without the feedback the the users they they feel like they're just sending the information into a black hole and this is from you know my personal interaction and speaking with

them so you want to enlist as many human sensors as possible because we have tons of users they're all using different apps and services and chat forms and more things than you can think of and they're receiving malicious content on all of these services so you have to connect the dots for instance we know of there's uh people who create fake LinkedIn profiles and then send friend requests to all of your you know masak employees or or we we have HR they receive uh job applications or uh resumés with macro viruses you know macro enable malware attachments you have to collect all of this to really address your you know threat landscape and the cool thing is that a human being

is much more intelligent than any machine learning or AI algorithm at at quickly disturbing patterns as humans we we can look at and identify patterns really quickly so by bringing everyone into the fold and you know with the overall goal of trying to collect this information you can really really get a good insight into your attack threshold this picture right here I wanted to bring this in because most it people or security people are introverts I'm an extrovert so I don't have a problem with talking with people however most end users look like my son Adam when they're coming to a security person to tell them about something suspicious they feel like he's going to

just chop them in half with a lightsaber or just dismiss them we really have to build Bridges with our end users and non Tey people for inance I I'm all for you know Brown Bag lunches where you invite someone from a different department someone from the payroll accounting department someone from the admin apartment because only by sharing information and making them feel comfortable with the topic will they been begin to understand that we're all part of the same team with the same overarching goal we have to make ourselves accessible I mean myself included I you know I manage the sock if I call a network engineer the first thing they tell me is the network is

fine or it's not their fault or the security guy is he didn't do it or he installed this and I'm like dude I'm not accusing you or something I'm trying to tell you I need your help so I'm a manager I've been doing this forever I can't imagine someone who barely you know has a good concept of Microsoft Word coming to tell you like I opened this document and I think something weird is going on most of the time they won't say anything because everyone's afraid of Darth Maul all right and any

questions go

ahead I'm glad you asked that question because I kind of felt like I went through too quick so what where my focus of my top is not really trying I don't care what their name is I want to know what they're doing and how they do it because the faster I understand their attack pattern we can we can mitigate quickly I'm going to go into a little story I wanted to save time so I can talk about your thing so we just recently had a very very good example of what you can do with this so we have a guy he's been fishing multiple customers for years right he uses a certain emails to collect the fishing form drop sites

you know collection point so we enumerated a bunch of them he was he was uh what kind of sites did he pop WordPress he he popped these WordPress sites so we were through investigation able to get access to the files that he left behind on the server one of these files contained a list of SMTP servers with username and passwords those smtv those passwords link directly to his personal email email accounts see how that works so not only do we know his whole it you know criminal infrastructure we actually know his his personal email accounts and you know we work with an an investigative firm they were able to log in and see all the transactions that he's been uh

performing he actually sells all the collected credentials for Bitcoin so that's the type of mitigation you can you know step your level up instead of like the wacka aspect of just shutting down sights shutting down sites what we want to do is take them offline and we've actually worked with law enforcement in South America where we attributed an individual and he he was prosecuted that was twice in South America we have a bunch of Nigerian cases going on so I I wasn't going to I glanced over it I meant so I'm glad you asked that question so that's where I'm going it's it's not really putting a face on a person or a name that's great

if you can get to that but more than likely because of the laws of their country you won't be able to perform an arrest but you can take them offline and if you make yourself and your organization a hard target they'll move on to a easier Target just like a bully a bully doesn't want anyone that's going to fight back or stand up to them so once you identify a hand and you are you're giving it a name like you see with CV number or common uh fire uh attributes how give any visions of how you want to share that organizations saying okay I'm seeing this particular hand involved with me and this is what they're doing and you

know kind of like again concept we see with um n NBD so yes we've done a lot of that so I'll give you an inance I was at a conference there was a guy he came up he's like I was looking for you so I'm like okay who are you he's like ah I'm from this Bank XYZ and I see you guys are being attacked by the same people that are attacking us so we spoke and we just set up a data exchange and this guy gave us so much insight into their operation that we really stepped our game up it I mean our learning curve went from here to there so he actually shared techniques of how

he was able to detect when they come online super fast we we incorporate that into our sock and and benefited everyone and also there was two other organizations that we had relationships with that we brought into the full and created you know a Sig a special interest group real quick with the email thread and we automated the process of sharing all the detections amongst them um we work with registar so like a registar that owns a a country a cctld country code registar that they put out it's like but shorter and what we do is we send them the false registrations or the lookalike domains for their you know ctld and they just take them offline

immediately so this is the this is what our goal is it's the incident response portion to shorten that window that they have to perform their illegal activity how link

Anis so we we do use Mal M we we don't use those PL those I have maltego account that I use sorry about that but um we have an automated system and a d a proprietary database that we built because our detections are so large that it you know it would be difficult to graphically visualize everything but once we find something of Interest then we'll pop it into Mao to take a closer look at it because you know on a day I think we detect over 1,500 unique fishing cases a day and we process probably 3 million URLs a day 30 million 15 million URLs a day that's my engineer he's going to keep me honest today

because I'll just say like 300 million but yeah like you know 30 million URL so it gets really difficult at that level to start trying to you know bring everything in so that's why our goal is to bring everything in normalize it into a database and then perform the analysis that's you know that's what I was alluding to in this the seam image with the basketball because you can become overwhelmed with the information any other questions

go ahead about

as so the relationship I'm glad you asked that um it it's it's about your ingame I I look at this as we're like a crime scene in investigator right so if you come into a crime scene you have the lead detective he comes through and he's like yeah bag it and tag it get some prints I want you to dust I want you to get this forensics team one person cannot be all things so for instance if you know I'll I'll ship I got to stop doing that I'll ship the URL attachments off you know the malicious attachments to one of my malware Engineers immediately where you know I'll have one of my pentest analysts take a look at the site I'll

ship something else off to someone else you know I'll have someone who has language skills take a look at this and translate so this is why we use custom uh platforms because there's no commercial you know uh software that will do what we're doing because our sock is unique where we're externally to the firewall we don't monitor anything inside the firewall we're out you know if this was a fortress we're outside with the bad guys taking them out before they can get into the fort that's how that's that's the difference between our sock and a traditional

sock I like questions give me another question go ahead to protect your personal brand I don't want to be a sales pitchy but you you you really need to monitor your your internet persona meaning you have to you have to know your domains and your your domain names you have to know your Affiliates that's very important because a lot of uh malicious activity can enter your network through your third parties as well you have to be aware if they receive a breach or if they have some type of vulnerability going on you know your Affiliates but it's just being aware you have to monitor for your domain names uh you know make sure that all your

employees have their safe browsing API enabled in their browsers this is very simple our company we're one of the primary uh suppliers of fishing and Mau URLs to uh Google and Microsoft for the safe browsing apis so it's it's just you know and education education education education well that's it so if anybody's interested and you have any questions that you come up with later you can email me or send me uh hit me up on Twitter and I'll respond and if people always ask me for the slides I don't I don't I don't think slides have context without the talk but I'll send you a pdf version if you want them that's it thank [Applause]

you