
Honeypot Boo Boo: Better Breach Detection with Deception Technology

BSides Austin · 42:12 · Published 2024-02
About this talk
Justin Varner demonstrates how deception technology—honeypots, honeytokens, and decoys—can reduce mean time to detection and generate high-fidelity alerts with minimal false positives. The talk covers DNS tokens, web redirects, API credentials, mobile traps, and psychological warfare tactics that turn adversaries' reconnaissance into detectable signals, enabling security teams to catch breaches in real time.
Original YouTube description
Honeypot Boo Boo better breach detection with deception inception by Justin Varner
Transcript [en]

Okay, let's slide into the three of hour with "Honeypot Boo Boo: Better Breach Detection with Deception Inception" by Justin Varner. Justin, you can take it over. Awesome, thank you so much. Appreciate everyone being here. Uh, I'm excited to talk to you all about a new way of looking at breach detection, uh, through deception inception, which is a lot of wordsmithing, but I'll get to what all that means as we work through the presentation. A little bit about myself: I'm a Thinkst Canary authorized partner. So Thinkst Canary is a company based in Cape Town, South Africa. They've been working on this platform and this product for about seven years. I believe so much in it that I'm willing to talk

on their behalf. I'm not actually a Thinkst Canary employee, uh, but I represent them at these talks and, um, various events. Uh, I'm kind of hard to find in general, but you can locate me on Twitter, and feel free to drop any questions in the Q&A as we move along, and I'm happy to answer some stuff on Discord as well. So with that, let's kick things off. So it helps to first define what a honeypot is, or honey trap. So honey trap really can be a honeypot and/or honeytoken, and I'll talk about what these mean, uh, further along. And these are really security mechanisms designed to entice adversaries to make mistakes and

tell you that they're in your network and that they're up to no good. This is a component of a larger discipline known as deception technology. The great thing about deception technology is the better at being a trickster you are, uh, the more success you'll have in thwarting your adversaries. And the whole idea of honey traps is we want to produce higher-fidelity alerts, less of a volume, because we only want to know at that point in time when we've been breached. We don't want to know hundreds of days in the future and, you know, after untold damage has been done. The reason we need this ultimately is because we need to lower our mean time

to detect incidents as well as remediate. We need to ensure that incidents don't become complete catastrophes, which is what the current kind of model, um, has led to. And we need to help our security analysts, um, because if you look at laundry room Viking, or in this case this is a metaphor for the deluge of problems that security analysts have to deal with, and I feel for them. You know, at the current rate they're going to be looking at tickets and triaging, and sounds like a great idea on paper, uh, but ultimately it's not sustainable. You know, there's too much burnout in the industry. There are too many analysts that end up, uh, leaving security; they get burned out.

You know, we need to help them in whatever way we can. We need to arm them with the tools and the resources to be more effective, ultimately. So let's talk about deception technology and why this is a solution to, you know, um, a new way and a new paradigm shift in, uh, how we look at breaches. Well, if you just look at the past 10 years, going back to Snowden with the NSA, you know, all the surveillance and monitoring of the greatest spy agency in the world, the NSA, wasn't helpful at all. You know, he managed to rummage through the crown jewels and run off with, you know, tons and tons of data

and they were none the wiser. And then if you start looking through from 2013 on, breach after breach, you can go back to SolarWinds. You know, I tell people a lot of us have a case of post-traumatic SolarWinds disorder, because everything now that we do is centered around third-party risk, supply chain. You know, we're only as secure as our weakest, um, vendor, and so the effects are still being felt today, you know, years later. And then if you even look back to last year with, um, Colonial Pipeline, that was a pretty startling situation, because that was a convergence of physical and digital, where pipelines are actually shut down and that caused delay to fuel

um, stations, you know, on the East Coast of the United States, and that has very real-world effects. So clearly what we're doing isn't working, and we need a new model that's focused around deception, putting high-fidelity, low-volume alerts in the hands of our analysts so that we can stop breaches in real time. And if you really want to look at what the financial impact is, you need to only go back to, uh, our friend Jimmy McMillan, who ran for president in 2012. His whole campaign was built on the idea of the price of rent being too damn high, and while he was right, the price of cyber crime is even higher. There was an

estimate that it cost the global economy $6 trillion in 2021, and estimated to cost $10.5 trillion in 2025, which is obscene. About every 39 seconds a business is breached, and in 2021 there were roughly 847,000 cyber complaints filed with the FBI. And up until now there wasn't a solution, but I hope to provide one here to you today. And another alarming statistic, in addition to the cost, is the amount of time. So the mean time to detection based off the IBM threat report was 212 days, and in that amount of time it allows for some obscenely large breaches to occur. And if you look at some of the largest breaches of all time based off the

number of records, you can go back to 2020 with CAM4, which was a naughty streaming site, uh, and there was some almost 11 billion accounts, which is interesting because there's only seven and a half billion humans on planet Earth, which tells you there were multiple people that didn't want to be known that they had this, uh, service. You can go back to Yahoo. You know, most people had Yahoo Sports or Fantasy or Finance. They got breached multiple times, three billion accounts, which is also an insane amount of records. And then you can go to 2018, Aadhaar. That was India's attempt to do digital identity, and they wanted to place everything in

kind of one identification system, so your driver's license, your retirement, uh, you know, your banking. And the problem is you don't want to advertise to hackers to come, you know, breach the system, prove that it's, uh, unhackable, because it took about two hours before, um, you know, every citizen in India was affected. So it's too long and it's too widespread with the impact of their current rate. So now I want to talk to you more about, you know, Canary and this whole idea of canary in a code mine, or coal mine. Uh, what's neat with canaries is they can be deployed in kind of any number of manners, and they manifest in two forms.

So you've got your Canary birds. These are your honeypots as you traditionally know them, and a honeypot can be any device or system that appears to be legitimate, running real services, and they can be anything from a smart fridge to a dumb coffee machine or anything in between. You've also got Canary tokens, and these are associated traditionally with honeytokens, and these can be anything from AWS keys that you drop on people's machines, Google Documents, PDF files, QR codes. I'm going to go through an example of every type of token in the subsequent slides to show you how you may want to deploy this, and these are just some ideas. Again, back to the original idea of deception

technology: creativity is the name of the game. The more creative you are, the more success you'll have at detecting breaches. And we use these canaries as part of our early-warning breach detection system. Rather than 212 days from now, we want to know, you know, 12 seconds from now that we're actually being breached so that we can mitigate the impact. And so let's first talk about our Canary birds. Now, a lot of enterprises that are over 10 years old rely on Windows in the enterprise. They rely specifically on Active Directory. Active Directory is a way to centrally manage users, machines, passwords, files, uh, and it runs on a series of what are called domain

controllers, and these are very attractive to adversaries, because if you can compromise a domain controller, in a lot of cases you can take over the entire company. You can read emails, log into any machine, dump credentials, so on and so forth. So the idea here is we can create a bird, or a device, that looks, acts, and chirps like a domain controller, designed to lure an adversary. And so this is what a command would look like when you're running Nmap. Nmap's a classic port and service enumeration tool, and what I'm doing here in this command is I'm just doing an Nmap scan against common Windows domain controller ports that you would see, to

show you how authentic these services actually look to an adversary that would try this. So if you go down, um, a few lines, for example to port 22, which is typically SSH, you can see the version. It thinks that it's Windows, like a real Windows domain controller. You can go down even to, say, port 80, and that's where you would normally see Windows Internet Information Services hosted, and if you were to navigate to this IP address at port 80, it would actually show you the IIS screen and it would ask you for credentials, and it would capture them as well. And then you can even go down to, you start looking at the

authentication pieces like 88 and 389. You can see here that you can actually customize your domain to be as realistic as possible and convincing as possible. So you see here when I connect on 389 it says connected to domain 80. things.com. This could very easily be ad. besides aw.com or customized to your particular company and brand. And even though it's a terrible idea to run SQL Server on a domain controller, a lot of people do it, and so if you were to do that, it even tells you things down here. If you look at port 1433, it tells you the service build of, um, of SQL Server, the service pack, the version, everything. Like, it's very

convincing. You'd be hard pressed to tell the difference. And so this is what an adversary sees, and then this is what we see as defenders. You don't need to light up your own Christmas tree this year, because right here you've got all kinds of alerts that are firing and lighting up, uh, your dashboard. What's cool with Canary is not only do you get these alerts in your central, um, console, you also get them in Slack or PagerDuty or SMS. You can send them to any number of third-party endpoints, and you can automate a lot of this with, for example, a tool like Tines, which is a really great SOAR platform that I highly

recommend. But in any case, what happens when you scan is not only do you get a notification that there's been port enumeration, uh, but you also get any attempts to interrogate these services. So if somebody tries to log in over FTP, it captures the username and password, and similarly with, you know, MS SQL, which is what I show over here, or sorry, um, HTTP. You can see here it's actually capturing in the alert on the right side the username and the password, and it's also capturing the user agent, and we're going to see here why this is important, because over time we're going to be building this forensic trail with the idea of de-anonymizing the adversary. And

so this is actually a great forensic tool in addition to a real-time breach detection system. And even if we internally don't have the tools to forensically determine an adversary, we'll have so much data that we can pass off to a third-party, uh, provider to assist them that we'll be well on our way. And so this is what a new honeypot, or bird, looks like. But one of the problems with this, you might have guessed it, for the technical people: this domain controller is so realistic that it may actually interact with your current environment. So I wanted to show you an example of a non-Windows-domain-controller system in the event that you want to deploy

another type of personality, and you can customize this any way you like. But here's an example of Joomla, and Joomla is a classic vulnerable content management system. It's a great target for adversaries because there's usually going to be some issues with it. So you can deploy a Canary bird running Joomla. You visit the site, it looks exactly like an unconfigured version of Joomla. There's username and password fields, and what happens is when the adversary enters username foghorn, password leghorn, as you see on the right side, it captures a bunch of information for us forensically, like I had mentioned. So you start to get stuff like the user agent, and this is really helpful because you

can start to narrow this down. It's telling me I'm on a Mac, we know that, okay, and I'm using Mozilla, well, and I'm coming from Richmond. There's only so many of these Mac machines in Richmond running Mozilla, and all this data actually is anonymous, or not anonymously, it's uploaded to services like the Valve hardware index and Nvidia, and so all this stuff is kind of out there, and you can see how you can quickly start to de-anonymize the pool of, um, potential, um, you know, people that this could be. So I did also want to mention though, so those are traditionally, um, this is the new, sorry, this is the new type of, like, honeypot,

which is called a production honeypot, where this is very applicable to you as an organization, as a person. But you can actually go back in time about 20 years to what honeypots used to look like, and these used to just passively sit on the internet and collect intelligence, and it wasn't necessarily interesting to you as an individual, but it was interesting to figure out what was happening in the broader internet. And you can actually use this to figure out what's happening if you're interested in traditional threat intelligence. There's a great service called GreyNoise, and what GreyNoise does is it does meta threat intelligence, and so what it does is it looks at things that it knows are

deterministically scanning the internet, like Shodan or Recorded Future, or you have content delivery networks, Amazon IPs. It takes all that stuff, it says don't worry about that, let's focus on who may be targeting you individually. And so you can use that data in conjunction with your production honeypot data to get external threat intelligence matched to internal intelligence. You can figure out things like, is there a larger threat campaign happening? You know, are these just Chinese botnets, or is there a determined adversary from China targeting me as an individual? So I wanted to mention this because it's a great free service, great tool, and it really helps augment the capabilities of, uh, of Canary. And there's also another

integration natively built in called runZero. This is, um, HD Moore started this company. He's the creator of Metasploit, epic legend in Austin, and this goes together with Canary like Shaq and broken backboards, and if you don't believe me, just wait for the next slide. But what's great about this is you can create Canary alerts from your tokens, you can map the public IPs automatically to assets, and you can start to correlate assets with tags to figure out, hey, do you have a machine that's communicating over Tor? That's unusual, you should probably investigate that. Or do you have a, um, device that has a Log4j vulnerability that you didn't know about and it's also firing alerts? Well, that's

probably a good indicator that you should investigate, because these Canary alerts are high fidelity. They're worth investigating in any case, and it automatically creates all the information you need, tells you, um, and enriches the content, as you can see. So you use Canary, runZero, goes together well. I mean, you just look back at Shaquille O'Neal, and here's a couple examples of him just destroying backboards. So they go together like spaghetti and meatball, trust me. Now that we've talked about birds, I'm going to start to dig into the tokens, and all the tokens all the way down, and give you an example, starting with the recon tokens. Rest in peace, Chris Farley. So the first recon token is the

domain name system token, or deceive nosy strangers. If you want to figure out when people are snooping around like Snoop Dogg, you can use these DNS tokens, because all these are, are simple pointers. So you can create a DNS token and map it to what's called a dark network segment, and that's exactly what it sounds like: it's an area or a network that isn't typically used for anything. And so if you get an alert for someone trying to resolve a domain to an IP in that dark network, there's a good chance that they're, um, snooping around, they're up to no good. And so we can have this fire an alert and automatically tell us that

there's enumeration happening. One important point: if you can see underneath the dog of binoculars, there's an alert that says this random string of name.canarytokens.com. If you pay for the service, you can customize this domain to be, you know, your actual brand domain to make it look as convincing as possible, um, because you don't want to just tell an adversary, hey, I use deception technology, you should know that. Uh, but this is the free service that you can go to, canarytokens.org. And one other, um, important point: so this isn't going to tell me my IP or the IP of an adversary. It will tell me the IP of the DNS server used to resolve the query, but

even with that, you can see here it knew that this result was coming from Richmond, where I'm located, and that's a great piece of forensic detail. Even though I don't know the IP of the hosts, I know that they resolved using a DNS server in Richmond, so that starts to narrow down the potential suspect, their pool of suspects. It's a great token, and it can be used for other things too, like wrapping Linux processes, um, and so on and so forth. Now, I love this particular token. This is a web redirect token. This is probably my favorite recon token, and this is pretty simple: you create a CNAME, or like a mapping, for example, um,

thanks. When the adversary visits that site, it will quickly grab a bunch of information from the browser and then send them to another legitimate site. For example, this token maps to BSides Austin. In the process, though, this is grabbing a ton of useful information. So if you see on the right side in the alert, um, I'm starting to get not only the user agent again, but if you look further down, it even tells me that I'm running a Mac M1, and that also further narrows down the pool, because there aren't that many M1s out there, especially in Richmond, because of supply chain issues. And so how many M1 Macs do you have in Richmond? Well, that's great information for a forensics

company. What's also cool too is you can see at the bottom there's a map with a bunch of different, um, red, you know, um, indicators. There's a geo map created anytime this alert fires. So why this is helpful, as you might imagine, is you can figure out if these alerts are part of a larger campaign or if they are random and there's not a bigger picture here to a narrative to start to construct, and that can help you in your threat intelligence in starting to figure out, are you being targeted, or are these just scanners and bots just hitting these tokens? So it's really useful forensic information, and I'd like to, there's also

another great token here that's worth mentioning. This is a cloned website token. Uh, what's great about this is you can take this token, which generates like five lines of JavaScript, you can embed it and obfuscate it, because you don't necessarily want an adversary to start inspecting your web pages and finding this code on there. But the idea is if your website is cloned and then it's redeployed on another domain, it'll automatically fire an alert, so you can start to figure out, okay, maybe there's a phishing campaign underway. You know, maybe there's no good reason why anyone would necessarily be copying, say, bsidesaustin.com and then redeploying on bsidesaustin.org, for example. And so

that could be indicative of a larger, um, campaign, and so you're going to grab a lot of useful information here. And again, you can see the different alert types: you have your console, you've got Slack down here, um, PagerDuty, Jira, any number of endpoints, so that you're immediately alerted when, uh, when things are awry. Okay, I talked about recon. We can focus now on the application programming interface tokens, or, Burt Macklin would tell you, alert, protect, investigate, and he knows what's up. Let's talk about some API-specific tokens. The first, that I love, this is probably my favorite token of all, is the Amazon Web Services token, and you can

create actual AWS keys and you can automate deployment on endpoints automatically. So you could deploy them on every single machine in your enterprise, on your Macs, your Windows. And the idea is you create a unique memo, and make sure, one important thing about these tokens: when you create a token, don't just say test or this is a token. You want this to be descriptive, because you want people to know, uh, or you want to know exactly where this token is and when it's firing and what's happening here. And so use a unique memo. There's like a, uh, a script on the GitHub Canary utilities, uh, page where you can actually, um, generate this. But this is a

very high-fidelity signal, and a lot of times what happens is adversaries, they might grab these AWS keys from Suzie Q's laptop in marketing, but they're not going to use them on her machine. They're going to take them and mistakenly use them on their own machine, and in the process they're going to reveal a bunch of information, like the command they ran. It actually tells you list buckets, in addition to my IP and, you know, my geolocation. You're starting to build more and more of a, constructing of a forensic trail, so this is really helpful. And they might think they're the king of the castle, or king of the cloud, but they're not. And then similarly there's another

type of Amazon, uh, token here: Simple Storage Service. It's raw bucket storage. It's been around forever. People have inadvertently put sensitive information on buckets before Amazon opted you in, you know, to security, and so this became an attractive target for adversaries. And so what you can do is you can create an entire token bucket that's illegitimate, and when it's interacted with, even if it's just a list buckets, or you want to, you know, for example, when you get a set of AWS keys, you want to typically know what buckets exist, and just listing those buckets will fire an alert, and it'll in the process grab the user agent, so it knows

here that I'm running this on the Linux AWS SDK, Boto3, so that's another piece of information. I was actually running this within, uh, Mac on my M1, but you know that this helps to capture your agent. It also tells you the exact type of requests and URI, so if you try to locate something within the bucket, say here's the bucket slash data, it would tell you exactly what your, um, uniform resource indicator it went to and the user account associated with it. So you can see here you can actually create token credentials like AWS keys and map them to token buckets and start to build this detailed forensic trail, which is really

helpful. There's a lot going on in this slide, so just take it all in, but one of the tokens that I love here is the Slack token, because you can get super meta with this and you can drop Slack tokens in public Slack channels so that people that come in, try to read your Slacks, and they slip in, they should go back to Myspace or something like that. But you can see here when you run a curl command with the token, the bogus token, you know, all it tells you is missing scope, doesn't have permissions, whatever, but it fires an alert and it immediately tells you someone's snooping around. You know, oftentimes, or nowadays

I would say Slack is becoming the epicenter of business. If you can get access to a Slack tenant, uh, that's invaluably more, you know, important than email, because so much of business runs through Slack or Teams and whatnot. So we can use this to our advantage and know that adversaries, when they get access to Slack, are going to start enumerating through, and they're going to be looking for certain strings like Slack tokens, and we can give them a Stone Cold Stunner. And then there's another API token. This is the most recent, um, or relatively recent one. It came out in October of 2021. This is for Kubernetes, also known as K8s, because if you notice

there's K, eight letters, s. Get it? K8s. And Kubernetes is a platform for managing like hundreds and thousands of containerized applications. And what's a container? You guessed it, it's a self-contained application environment independent of operating system, hardware. It just runs. Docker's an example of, um, you know, a container, um, platform, and so on. And in a similar way to these AWS keys, we can create Kubernetes config files, which are very attractive, can drop them on every single laptop, and when this Kubernetes config file's accessed, it'll tell us, um, the actual user agent run. Again, this is really helpful to help narrow down the trail of potential suspects. If we notice here that they're running it from an M1

Mac, uh, kubectl, which is like the Kubernetes, um, command-line tool, again, that starts to build a forensic trail for us and tells me, well, in this case I was using a VPN IP, but normally tell me the IP, the region, the city, all of these things, even, if you'd like to know, if it's a Tor exit node. Again, this is helpful for trying to figure out if your machines might be compromised. That's another great API token. And then the most recent one is really helpful if you have Windows machines in your environment. I highly recommend that you check out the suspicious command token, and what this allows you to do is wrap any Windows

command in a token. So for example, whoami or netstat or any number of commands that you wouldn't typically see executed on, say, a sales machine, you can token this. So if, um, you know, Jim Way's machine gets compromised and somebody starts running whoami, oh, you're going to fire an alert, because Jim Le would never do that, um, uh, for example. And so this is great, and you can embed it in the registry, so it's nearly impossible to just know that these commands are tokened unless you're investigating the registry. But you guessed it, you can also wrap regedit in there, and so you can token the process in which to read the registry. And the

idea here with any of these tokens is we're building layers and layers of tokens, building a web of deception, you know, deception inception. The more tokens you lay, the higher likelihood an adversary is going to trip over one, and then another and another, and so on and so forth. Okay, so now that I talked about API tokens, I want to talk about specifically mobile tokens. There are tokens here that you can actually put on your own mobile device, and I highly recommend you do, because these are really helpful to know if your phone's been compromised. For example, there's a token for WireGuard. WireGuard is a newer VPN protocol that's kind of come along to

supplant OpenVPN, and you can use their WireGuard VPN token, uh, as an indicator for when your phone might be compromised. If you look at what happened last year with Pegasus, uh, from the NSO Group, this really insidious spyware that got on people's, um, phones, and they didn't even know it unless you did deep forensics. You know, how would you know if your iPhone that ipone? Well, one of the ways you can do this is you create this WireGuard VPN token and use an attractive name like, uh, Enterprise VPN or Production VPN, and if an adversary gets on your phone, starts rummaging around, and activates that VPN, it's going to fire an alert, and you know

that you wouldn't do it because it's a bogus VPN. So this gives you a pretty clear high-fidelity signal that your phone's been compromised, in which case you can toss it, get yourself a rotary phone, or at the very least start doing some forensics and figure out just, you know, how bad things are. So I highly recommend this. You can go create your own right now, you know, canarytokens.org. And feel free to scan this with your own mobile phone or not. It's not a trap, but, um, you can use QR codes, um, as tokens, and these are really helpful, uh, because a lot of, um, you know, adversaries that are, you know, just kind of snooping around, like

maybe they're in the office and they're looking for guest Wi-Fi, and you put out a code that says, you know, guest Wi-Fi, scan this code, but you don't actually use guest Wi-Fi, or if you do, you push it out securely using some kind of endpoint management tool like Jamf. Well, the moment they scan it, you can do things like Rickroll them, you can send them to any number of sites or put them in a loop, uh, and completely confuse and, um, frustrate them. Uh, there's another great use case for these tokens: if you drop them in every single, um, mailbox, and there's actually like a Gmail token and an Office 365

token to do this, you can sort of subtly drop these tokens, make them unread, and if an adversary comes across a message that says Okta device enrollment code, Duo device enrollment code, or so on, they'll open this up, they'll scan with their phone, boom, fires an alert. You're going to know pretty quickly, uh, that they're up to no good. This is a great, and also if you're curious and you don't want to scan it, maybe you scan this code, this just takes you to a randomized, uh, URL and Canary tokens with some movie quotes. So you can trust me or you cannot, but this is a great code. And now after this, if you look at

this too long, by the way, you might hallucinate. But at this point in the process, if we're toe-to-toe with an adversary and we're engaging in psychological warfare, we want to let them know that we know that they're in our network, and so this is where it starts to get really, um, really creative, and you could start to engage in all kinds of psychological warfare just to throw them off and maybe shape the direction of their trajectory of where they're going in life. And I'll show you an example. So we can use databases, right? And what's cool about this is we can token a database. We could also put tokens inside the database, going back to

the Xzibit meme of, um, you know, layering in, like, inside of stuff. You know, we could have, like, this looks like a seemingly legitimate database. We could have in here a string of another token, like a DNS token or a URL, and then they could start hitting a bunch of tokens. But what's neat about this is when you create the database, any simple action like importing the database and running commands against it is going to fire the alert, and it's going to give us information about, okay, and maybe we want to embed a message that says, you know, we know that you're here, you should leave. You can get creative. You know, this database example here is just a bunch

of nonsense, but you could very easily use it to encode a message or send something to the adversary to let them know that you're on to them. This is a really great, uh, token. Another one of my favorite tokens, you know, is the Google Document or the Word doc or any kind of document. The idea here is to make Conspiracy Keanu question his reality, and you could put something in the title or the heading like, hey, this is the, um, this is the executive compensation plan, or the earnings prospectus report, or, um, the FTX, um, you know, fallout, whatever. Make it attractive so that when they open this, or they want to open this document,

but in the document you could totally throw a curveball, and you could drop in something about Operation Northwoods or MKUltra, something that may actually educate them to the point where they reconsider, um, a career in petty, um, cyber crime and being a scumbag and, you know, trying to compromise your network in the first place. You can get super creative here, and again, you can embed tokens within tokens. You might just lead them down a path of reconciliation, so there's a lot of potential here. And similar to Google Docs, you can spread some bull sheets, or sorry, you can spread some spreadsheets, be it Google spreadsheets or Microsoft or whatnot. And if there's

any other DB Cooper fans out there message me uh because we should talk this is a really fascinating unsolved case the only successful skyjacking in American history and we can use this intriguing bit of information to lure in our adversaries and maybe educate them about it um you know there's but it doesn't have to be anything this can be complete nonsense that or it can be something meaningful in this case every single field maps to some particular um known fact about this case like the like DB Cooper jumped out of an airplane with 200 grand he may be alive he may not be but $100 million that's probably enough to convince a an adversary to stop um you know trying to

opportunistically scam people you never know could lead them down a path of uh of uh you know of a whole new career and now that we know a lot of these tokens and birds let's talk about the ultimate sort of subtitle in this and how you're going to layer together your multiple multiple levels of deception to create inception and here's a here's one example out of a zillion and this is where the creativity comes in let's say you've got an adversary he pops a web server and this web server could be a bird or it could be a regular system that has like Canary tokens running on it so let's just say it is a bird well

that's going to fire an alert and it's going to go to your Le n that's see that's funny because Le Nim and then security incident event management okay if you're if you're a security nerd you get this but that first alert is going to fire a full log file to your SIEM and this is a good opportunity to tell people that in no way am I advocating for breach detection or Canary to replace your classical um preventative controls and your forensics controls you still should use a SIEM you still should use endpoint logging you still should get telemetry data and use something like LimaCharlie to ingest all of this but you also that's not an effective a SIEM is not

effective for real-time breach detection then that's that's really the use case we're trying to solve here is we want to know exactly when we've been breached but we want a forensic trail and so the great way to do that is to send that to your SIEM and so this is how you do it you know you send your first alert let's say that we have actually tokened on the bird a process like netstat I kind of mentioned that earlier well netstat when you fire or when they run netstat sends another alert builds the trail then maybe they start running nmap because situational awareness usually necessitates using something like nmap to do enumeration figure out what

systems are out there ports and so on I showed you earlier how useful a tool can be boom fires another alert maybe nmap we have them lure them into a Windows machine that's also a bird there happens to be a file server running on port 445 how convenient that file server also happens to have a document and that document you got AWS credentials which give you access to an S3 bucket boom boom boom all the while you're building this trail and you might not know who know who they are but you're going to have enough information to send to a third party to figure this out pretty pretty conclusively and so the more layers the better the more creativity

the better this is a lot of fun and this is an attempt for defenders to get back you know um an attempt to to have an idea of when their network has been compromised because this is a cat and mouse game but I've seen four or five companies n you know avoid catastrophic breaches I've seen pentest companies fail within seven minutes red teams like I believe in this sincerely which is why I speak on behalf of Thinkst Canary because I have seen it personally make such a huge difference and save countless amounts of heartache time money you name it um and so that that is why I believe a lot in this and why you should continue to explore it

and so with that I wanted to thank you all so much for for being here really enjoyed delivering the talk and please send any questions my way or find me on Twitter or or message me thank you thank you so much Justin great talk um everyone please uh keep the conversation going over in the channel that's set aside uh just for this talk in Discord um we will take a break and at the top of the hour we will introduce you to the next speaker enjoy your break we'll see you soon thanks Justin thank you bye-bye