
Everybody, good afternoon. Hello. So before I get started, first of all I want to give a round of applause to everybody who's been working really hard at volunteering today for this conference. It is one of my favorites and I'm so happy to be back, and everybody who's been volunteering and helping out, thank you so much. All right, so first of all I'm going to tell you the talk is not about Qbot. The talk is not about Qbot. It was going to be about Qbot more, but it is going to be about Qbot a little bit less than I had anticipated, which is always fun. A little bit about me before we dig into the content: said my name is
Steph. I'm an IR, sorry, intelligence analyst at Red Canary. I've been there for about a year and a half on the CTI team; it's been fantastic. Before that I spent two years doing digital forensics and incident response at Na and, uh, before that I actually was here in Augusta. So five years ago I was at my very first BSides as a volunteer, and I was about to graduate from the School of Computer and Cyber Sciences for JA. So if we've got some other students and folks that are in here, shout out. It's awesome, hang in there, and it's a really wonderful program, so I'm very happy with folks I've seen here already. So, um, and with
that was in clinical psychology, which is interesting and fun and has helped me in my CTI work, but not in the way that you might think. Uh, I'm happy to answer questions about that afterwards we turn kind of curious. And fun fact, I've had to admit that my favorite hobby is actually just learning new things. Uh, right now I'm studying French. Please don't try to speak French to me quite yet. I'm working on it with the owl. The owl and I are making progress, but it's, it's going, it's going to take a while. All right, so bottom line up front, because I want y'all to see the cake before we bake the cake: initial execution techniques are really, really
frequently changed in today's threat landscape because they're cheap, right? You know, if you think of the Pyramid of Pain, changing a loader script is easy, super easy, and adversaries take advantage of that to try and evade detection as often and as successfully as possible. But you can keep track of the initial execution techniques and you can keep track of the changes; they can absolutely pay off. Earlier detection gives you time to respond. IR taught me that having more time to, or as much time to respond as you can, like every minute is a wonderful thing, and it also lets you stop follow-on activity, hopefully before it starts, right? That's the ideal, that's what we're striving for. We know the adversaries are
going to try and evil onto, uh, your machines, and it's our job to detect it and stop it as quickly as possible. So if we can stop it before it even starts delivering malware, that is, that is the best. It's a really good feeling too. And you can use open source intelligence to help you with this. It's, I'm in kind of a privileged position as a CTI Merit, I get to do this full time. I know that's not the case for a lot of folks, a lot of teams, but you can take advantage of the really, really awesome defenders that are working in the space and sharing information, and kind of expand your team in a way once you find sources that you
really trust. All right, so, uh, I want to talk a little bit about where in the execution chain we're talking about, especially for folks who might be a little bit newer to cyber security. So first thing, you've got initial access. Initial access techniques have changed in some ways over time. There's only so many ways that the bad guys can reach out to victim systems, right? There's only so many points of contact you can have. You've got different kinds of phishing, you've got SEO poisoning, it's gotten a lot more popular, you have USB threats. Um, somebody, let's see, uh, whoever can tell me the first USB-based threat off the top of their head gets the giveaway for
today. Yes? USB killer, right, like, like, like the actual, like, of malware, like it's delivered via USB. Oh, I think, I think you were next. Yes? All right, St that it is. There are a lot of good choices. So you have won a Bash Bunny, uh, USB P Price. All right, there are lots of good choices. Raspberry Robin, I'm a fan, I'm not a fan, but that's another one, uh, and actually has been an issue's an issue again, so most s on the USBs. After initial access you have what we're talking about: you've got that initial execution, you've got the first behaviors that happen on a system, and that's when you're going to see your crypters and your
droppers and your loaders. So this is what we're talking about. This is where I'm hoping to help encourage folks to pay extra close attention to the very first set of behaviors that they see, so we can intervene in this space before other things happen: before we have persistence creation, before lateral movement starts in your network, before they can set up C2 communications or reach out to additional remote resources and pull down more payloads. Because like I said, if you can intervene here, if you can stop it here, none of, none of the rest can happen. Great, that's what we want to do. So for part one I have a new bird cluster to talk about. So at Red Canary we have bird clusters. Red
Canary, so we'll have color bird, uh, and this is actually brand, brand new, like just the last week or so. So I want to use it as an example for one single loader, one single piece of string, delivering multiple payloads. Let's talk about DanaBot first, because it's going to start with DanaBot. DanaBot is an infostealer that Proofpoint reported on and named in 2018, and it's been around since then. It's been fairly active, although it did drop off a little bit in activity this summer, which is interesting, and I'll come back to that. There are several different delivery methods that it uses. Uh, phishing is very popular, as well as, um, having it in cracked games and cracked code. And so
what will happen with this, like a lot of phishes, is you'll have the phishing site, you'll have the lure, unless you interact with the lure you'll get a zip archive with a VBS script loader. Okay, so one big shout out to security.net. It's really hard on the endpoint side to get, like, pictures and stuff of the, the lures, the actual phishing pages, because right here we sit kind of behind endpoint security solutions and do neat stuff with the data that comes in. So here's kind of what it looks like. So you've got this money unclaimed or property unclaimed, you have several layers of user interaction to into a false sense of security, and then eventually you
download your report with your unclaimed property or unclaimed money, and that gives you a malicious zip with a VBS inside, and it has the same name. So you'll have this very sus directory and you'll get a zip with the username, so it won't say username, the actual username, this is all anonymized data, and then you'll have a VBS file with the same name. And, uh, you get wscript executing from that very, very sus directory, and then DanaBot goes on to, uh, use more of these scripts, so you get netconns, you have MSI binaries that are created on disk, and then those MSI binaries execute commands and shenanigans ensue. You don't have to remember all this.
I just want to have this there to kind of show you what the VBS script looks like. Um, this is from VirusTotal. It is from the Enterprise version of VirusTotal, so this is from the content section, but there are so many open source sandboxes that you can go to to find similar data and to take a look at the actual script. So the way it looks is you've got a bunch of junk comments to bulk it out, some obfuscation, and then you've got plaintext commands. Depending on the version of DanaBot you'll have different plaintext commands luring; sometimes they're obfuscated, sometimes they're not. So in September, like last month, September, we had some activity. We saw
this behavior. We saw a phishing lure with a zip archive that contains a VBS script. Okay, all right, we have good detection analytics for that. We have good detection analytics for wscript executing from a very suspect directory. This is a very familiar-looking, uh, naming convention, and the VBS loader script, it was all junk comments and text. So the payload was not DanaBot. It was DarkGate, uh, which was surprising. We hadn't seen this kind of, these points of activity, these initial execution with anything other than DanaBot to that point. So DarkGate, surprise, surprise, DarkGate. DarkGate is like the new hotness right now, y'all. I will talk about DarkGate more than once today. Uh, so
it's a very popular malware-as-a-service loader. It started getting offered on cybercrime forums this past summer, and it's got a lot of really neat built-in features, which is why the bad guys like it. You know, they're looking for, currently, something that does a lot of, uh, built-in automated evil. One of their favorite payloads has been taken off market, as we'll talk about in a bit. And one of the key features of DarkGate, and being able to tell whether or not you've got early DarkGate execution, is you'll see wscript spawning this really interesting command that will include renamed curl and renamed AutoIt being created on the system. So, uh, just kind of
what DarkGate looks like very initially. So I thought that was weird, and I wanted to figure out what had happened. I had all these competing theories, you know, very tinfoil hat. I'm sure that y'all have been in this place where you see something you're not expecting, the theories can get crazy, and like, did the DanaBot threat actors, like, create DarkGate? Are they the same people? I've never seen them in the room at the same time together. And so the best place to start is looking at the data: where does it start? Uh, we have an awesome analyst on our team, Tony Lambert, who, um, has brought us all into the concept of the Cotton Eye
Joe theory of malware analysis: where did it come from, where did it go? So we've got to start with where did it come from. In October we saw that zip VBS naming convention and it was definitely DanaBot. So this is absolutely a DanaBot payload that was ultimately delivered by what I'm going to say is a script that was written to, uh, download and continue execute additional payloads. So you've got this 253 naming convention of bra thers. June, same thing, 253 is DanaBot. August, it obviously changed a little bit, so still sus directory, still got the username, but now we've just got this 153 naming convention. That's not a big change, but it is a change, and it's a
change that can be useful, can be leveraged for more information. This is still DanaBot by the way, absolutely still. It was delivered after this thing, this loader, continued to deliver its payloads. So like I said, we get to September, we see this same pattern, we see this1, and it is absolutely DarkGate. Uh, since DarkGate is the new hotness, there's a lot of really, really good information sharing right off the bat, so we were able to keep track of, of what, uh, domains were associated, associated activity, so can very reliably say the payload that was going to be delivered from this, this L was going to be DarkGate. And same thing, in fact every, uh, piece of
DarkGate malware or DarkGate payload that we saw in September had this1 naming convention. And it wasn't just that too. So like I said, remember I mentioned that the scripts look the same, like really the same, like really a lot the same, even the same: you've got the junk comments, you've got text commands, but they led to different payloads. And all of that says to me, and said to us at Red Canary, this is something that's independent of the payload. This is something that you can attach a payload to and it will deliver the payload for you. So just real quick, clustering methodology. Uh, so to create a cluster, and this is the whole, like, threat naming and clustering is a big
thing. First of all, we prefer for there to be no known community name. As you know, there are a lot of community names available to use, and threat names are all about categorizing behavior. It's all about coming up with a shorthand, so when you're speaking to somebody else you can say, oh, I saw DarkGate, and they know, oh, here's what DarkGate does, that's what it looks like. So if we can go ahead and use somebody else from that, that's good, we're communicating effectively, which is the whole point of naming the threats, is to categorize that behavior. If we see unique commonalities across multiple incidents, and I don't like to say ideally multiple
environments because that's not great, but it does create a pattern. One-offs can't be tracked, but patterns can. And we kind of create this stage criteria for what we would say, you know, these qualities, we'll check these boxes, this activity is this threat. We will give it a cluster name, we'll give it a color and a bird, and that gives us, this time around, Saffron Starling. Uh, so Saffron Starling, as we're tracking it, is this zip archive that's got the VBS loader in it, it's got those, uh, that sus directory, really interesting B creation, the VBS script has those common patterns, there will then be an outbound netconn to pull down final payloads, and so
far, so far we've only seen DanaBot and DarkGate. But the nice thing about it is now we're tracking it, now it's on our radar as something that is distinct from these threats. So if we only see it get to the point of file creation, we can still track it. We don't have to be like, well, we don't know what it was going to be, was it going to be DanaBot, was it going to be DarkGate, we don't know. We can track it really precisely, which is fun for us. Uh, I want to of course give some mitigation strategies. This one I'm going to come back to more than once because this is so neat. So one way to
mitigate these loaders that love to exploit script execution is to create a GPO that will only let certain scripts open and execute automatically, and it will not let the others that are more high risk execute automatically. It will have them open in, like for example, Notepad as text files. So if this VBS script is downloaded and you have a GPO in place where scripts for most users open as text files, the end. That's it. You, you've done it, you cut it off at that place of initial execution. Uh, there are detailed steps. I will make sure that everybody has access to this link. We included it in the blog on earlier this year. You will need to test this, but think
about it. Consider if every user in your environment needs to be able to open and execute every kind of script that there is: WSF, VBS. Do you really need to be able to do that? One thing to think about. And I also want to give you a detection opportunity that will work for multiple threats as well. So this is very broad strokes pseudo-analytic code. Um, so looking for wscript or cscript executing from that AppData directory, and you can actually get even more distinctive: you can have the zip file and the VBS file together, because that is the pattern that we have seen other threats use, uh, especially if it goes on to do more stuff from that
directory. If there are additional netconns or child processes ORS, that is probably going to be worth a look in your environment. So again, like I said, you're going to need to take a look at your own environment, test, see how you feel about it, but it's, it's an option. It's good to have options. So for Saffron Starling, final thoughts and kind of takeaways from this section. First of all, don't make assumptions. It's so hard to do, and you know, we talk a lot and think a lot about our I, especially as analysts and as investigators in this field. You know, we can only operate out of our own perspective. The more we can be aware of
how that changes how things, the more we can kind of, I want say d above it, but we can work with it instead of having a judgment. Really common, especially in the industry, and just look at all the execution as one monolithic piece of software: this is all DanaBot, this is all DarkGate. But if you can kind of peel away, sometimes you can find certain circumstances, these examples, where they, which just nice, give this a little bit more discrete tracking. And being able to do that, that being able to detect behavior early and being able to hopefully shut it down as quickly as possible, helps prevent that payload execution or even at F delivery,
which is great. That gives you faster detection and it gives you broader coverage. So now let's say you've got these Saffron Starling, uh, detectors in your environment, these rules. Yeah, you might also have DanaBot, DarkGate detectors, but if you've got Saffron Starling you've got more coverage. So the same thing is going to set off your rules for a bunch of different threats, and the more analytics you can get to PR, the more chances you have of catching that true evil and making sure analysts who are very busy and have alert fatigue are able to get eyes on things you really want them to get eyes on. Which brings us to part two, which is
going to be more about Qbot. And this is the slide that I had created when I first gave this talk, uh, which has been ret all new examples for multiple reasons. And then about a month ago this happened: there was a multinational, or multi, multinational law enforcement effort to shut down Qbot AKA Qakbot AKA Pinkslipbot infrastructure. So part of Qbot's infrastructure was that it had a botnet of infected systems that was being used primarily as C2, uh, infrastructure. So those were shut down, and it's actually been fairly successful. As far as I know, I don't believe that we have seen, I know we have not seen any active Qbot since that wasn't a previous
infection. Uh, so that's been impressive, but it did change the direction of the talk just a little bit. So as I was kind of thinking about what am I going to talk about, can't talk about TA570 and Qbot, and TA577 decided to hook me up with a topic and with a lot to talk about. So I have been updating this presentation down to Wi like yesterday, because it has been a busy season. TA577 is back from vacation. Let's talk about them. So TA577 is an initial access broker and malware distribution group, and, uh, they by Proofpoint initially, and they're going to make into prolific phishing campaigns. Now I'm talking about hundreds and thousands of emails
going out on a major campaign day. It is unreal, the amount of activity that these jerks can generate with one of their campaigns. Uh, when they were more active earlier this year and doing a lot of Qbot distribution, they were known as letters affiliate. So these folks have been around for a long time. They were initially also known as TR because they use letter pairs in their malware configurations. You actually go in and start breaking down the, you have these campaign ID values, a lot of different types OFW. So they're thought of things like, uh, like I said, trbd, I think aa1 is one of the current, uh, campaign identifiers. And I favorite Qbot, love
Qbot. Qbot was their bread and butter. October was like TA577 Qbot month. You know, they come back on vacation, getting ready for the holidays, money, it's just absolutely. And they've also delivered other things, so that's, that's the thing about these actors. They've delivered IcedID before, they've delivered M buas, I do not know if I'm saying that right, and they delivered as well. And so we all kind of knew that they weren't just going to not do anything anymore, because especially this TA has used other malware families before. One thing about this TA is that they operate in cycles. So like I said, this chart, this is Qbot activity. Um, so this is a combination of Qbot, TA570 and
TA577 activity inary over, uh, the last couple of years. And like I said, you have these really intense months, usually big campaigns, and then they would take a little break for a little while. I think it's pretty common across the industry. Sometimes we'll see less activity in the summer or over certain holidays, um, and CFI no different. The difference about this particular TA is that they do development cycles. Uh, TA570 and TA577 appear to do, uh, development cycles and test different initial execution techniques to see which will be the most useful in the next big campaign. Has a really, really great white paper that they put out early this year about that topic, fantastic. And they
make these changes really fast because they have them, because they do these dev cycles. They've got backup ideas, and they're using scripts, which like I said are cheap and easy to change. And it's surprising how much tweaking a few things here and there can really make it hard for products and for vendors to keep track of who's doing what with these loaders. But say that, it sounds very bleak. You can detect and track these loaders before the payload, I promise. We did it with Qbot, which was great. We got to the point where we were working with different books o, we were able to identify TA570 and TA577 really quickly before anything else was able to
happen. And the nice thing, like I said, when you get these prolific adversaries, you get defenders who love to make them have a bad day, and the more of a pain the adversary is, the more people delight in just ruining whatever they can for them. So just in the last couple of weeks, and I will have more links, I have had help from all of these folks who offer their information for free online. Uh, the Curated Intel team is fantastic for this, team is fantastic. I know the bird site is a controversial thing, but so many malware researchers and CTI analysts are still really active there. Uh, love The DFIR Report. I'm on abuse.ch like daily, they're
wonderful, and the people who help contribute to those resources are fantastic analysts. And then of course Proofpoint, who originally discovered these actors and kept up with them, it's wonderful. So like I said, once you get an idea of who you might want to have on your team, so to speak, who you trust, then you can use their intel and you can just run with it. And so when on September 22nd, uh, Deutsche Telekom put out this notice that they had seen a new TA577 campaign launching a DarkGate campaign. Like I said, y'all, DarkGate is the new hotness. I think there's, as far as I know, five or six current ongoing campaigns
using DarkGate as their favorite payload right now. Um, so Deutsche Telekom does wonderful work, C fantastic, and so the researchers who had previously worked with Qbot and TA577 started really digging into it. Deutsche Telekom shared details of the activity that they had seen, so they shared some of the initial files that had been created, they shared the initial downloader command, and they shared, as you can see, this is the same DarkGate loader, or a similar DarkGate loader, that we saw before, including curl and AutoIt. And I really want to focus on, remember, as early as we can, that first child creation and the initial downloader. So on September 26th the loader, we're just going to call it
the loader for right now, dropped IcedID. The next few slides that I'm going to click through are going to be information from ProxyLife's GitHub repos. ProxyLife is an amazing member of the blam team, and they have been keeping up with this threat actor for years. And they do, they do all this malware analysis, they share it, they update it like to the hour, they put it in a GitHub repo, they put it on Twitter, and I absolutely trust their analysis, and we use it really heavily because it's like having somebody who's 100% dedicated to ruining this threat actor's day on the team already. Fantastic. So, so a look at the GitHub repo, and what's going to happen
as we go through the slides, you'll see a few of these things are everything that we've already seen this loader do. As the slides progress I'm going to highlight in B. So based on the Deutsche Telekom data that was shared, we've already seen this, uh, admin AppData folder being used, we've seen curl with this weird obfuscation in it, we've seen this combination of, uh, reaching out to an IP address with this, uh, strange three-letter identifier, token maybe, in the URL. And so this is kind of where we're starting with IcedID. Two days later we've got IcedID again, same loader. So now we've got, okay, we've got a few more things. We've got some of the original
DarkGate Deutsche Telekom information along with the previous IcedID loader. So again, we've got this really interesting PDF LNK initial file creation, the command has mixed case, um, we've got these echo and ping commands, they're showing up. They love that folder so much, that directory, they love it, and they love rundll32, and they have since before this campaign, love it when distributing. So you start seeing the, the ping that you executed. October 1st, now we switched payloads on October the 1st, and look at everything that we had already seen this loader do by the time we get to the next payload. Everything that that loader did on the first had already been publicly
shared. So again, it's tricky, you've got more obfuscation, things are a little bit different, but it makes it trackable. And I'm sure those of you that are rinded are seeing maybe some slightly rle opportunities for, especially it comes to things like valry man, they can be a little tricky to maintain over time, but it's a place to start, and sometimes they can actually last Welling, which is fantastic. October 3rd we have the third payload of this campaign and it is Pikabot. Pikabot is very similar to Qbot. Um, and again, new payload, we've seen, we've seen these things, we've seen this same kind of command being executed and then P down pad. Now admittedly on the fourth it did change a
little bit more dramatically, which is going to happen. The thing about this threat actor again is they're very savvy. This is their job, is this distribution, and then they sell initial access to wherever they're able to get into. Um, so they're, they're going to change things more dramatically as their lures, as their phishes become less successful over time. But still details: you've still got that same directory with the same weird PDF LNK file, they're still doing weird stuff with for butex, and you've still got this log file, I actually used that a couple of slides earlier. And there's more people about. Again, it got a little bit more obscure. This was really interesting, it switched to
JavaScript instead of, uh, the .pdf.lnk file to execute the initial loader, but there's still patterns. And so if you're still looking for, um, suspicious DLLs or rundll32 execution, there are still opportunities to catch this loader before it delivers e. So like I said, this is kind of summing up all of the things that we have seen in this campaign, which has delivered so many payloads. There are still themes, there are still patterns. You've got that directory, my God, I love that directory so much. This is a great directory to keep an eye out for weird things executing from it, especially if you think that this particular threat actor might be one of more concerned in your
organization orc previously, because they love to reuse it. Um, you've got a lot of command obfuscation, Pace, carets, ping, echo command, they're using C.C, which they have also used to got in previous as well, got rundll32 execution, I said they, and there's more. So these opportunities are there, and I didn't do any big fancy analysis to find this out. I'm just a nerd and I just went and looked at what the loaders look like in a repo, because this is like a new thing as to talk about: how early can we get, how far apart can we get the payload from the first thing that happens on the system, so the payload becomes a non-issue. It's the best
feeling when you see, like, that initial pfl file downloaded and we see it and nothing else happens. It's just, it's so good, it's so awesome. I would like this for all of us. I would like for this to be the case for as many for this Bings as possible. So, um, I don't want to just leave you with kind of ideas for potential rules or detections or things you could look for for this, because we're in the middle of the campaign. I don't want to give you detection opportunities that have been protested. I am going to give you mitigation ideas. Remember that GPO I mentioned about not letting evil scripts execute in your environment? It works for this too, which
is wonderful. So again, like I said, consider it, think about it. GPOs can be kind of abstract, but something to consider. And somebody pointed this out to me after I gave the talk the first time: wscript.exe is actually in Microsoft recommended block rules. So you want to go take a look at, uh, some of the block rules suggested. Judicious use of them can be extremely useful. Depends on your work, depends on what you're doing, but again, if you can just have the thing not work, that's ideal. All right, so final thoughts for TA577 and for this section. Uh, like I said, this actor does like to change their TTPs and it can be daily. Um, really
intense Qbot campaigns, like the one we had earlier this year with a OneNote fun Fe, they were changing TTPs sometimes within hours of each other. Uh, but if you follow trusted community sources you have a huge advantage, because you already know these researchers. You know, I know that as soon as TA577 starts up shenanigans that ProxyLife and, you know, all these other researchers are going to be on it, doggone it, and they're going to get that information out publicly available as soon as they can, because this is their passion and I'm so for it. And that initial access detection, like I've been saying, it reduces your risk, it keeps the payload from getting on the
system in a perfect world. And also, like I said, additional mitigation strategies can help. Um, since script execution has been so very popular as an initial access or initial execution method, um, it's, it's worth considering how you can reduce script impacts in your environment Poss. All right, as we come to the end of our time together, what are our key takeaways? You already know, we did the bottom line up front, but let's go over again. As you've seen, initial execution techniques are very frequently changed and updated because it's cheap and easy for adversaries to do that: change the script just a little bit, enough to throw us off. But if you can get into the weeds
and track these initial execution techniques, track these loaders and separate them from your payloads, it can pay off. You can have more detection time, which is invaluable. You can potentially stop follow-on activity before it starts. And the thing that I really want to bring home is that you can, you, yes you, here today, can use open source intelligence to help you do this. You don't need big fancy tools, you don't need to have, you know, you don't need to be in the secret Slack channels that all the malware analysts are in, or on the super secret industry Discord. All of this information that I've shared with you today is, it's, it's out there, it's being
shared. I don't want to just say that and then not tell you what some of my favorite resources are. So, uh, I have a list on Twitter. Like I said, I'll make sure the slide is available, I'll make sure the list is available. A lot of the researchers and analysts I've mentioned already have 're they're already all this think about. Um, I know Google is not o but, uh, your trusted favorite trust and, uh, find us find some many strings. I've had really good luck. Um, we had a crypter earlier this year I figured out was a crypter because I was just Googling weird strings and found some awesome sandbox information that was available. So
searches can be helpful. Love VirusTotal. VirusTotal is a huge help, especially if you do not have your own dedicated malware analysis team or you want to see what other people are seeing, it's very useful for that. Love abuse.ch. Like I said, I'm on their sites on almost a daily basis. Joe Sandbox and a bunch of other publicly available sandboxes are fantastic. Two thumbs up for CyberChef. Um, if you haven't had a chance to play with it before, you can, if you want to do some of this, um, analysis yourself, um, you can get into it. And there's just, there's a ton more options, but it, it really, if you're able to kind of find
your own favorite sources, like I said, it just gives you so much bang for your buck in your investigations. It's almost like you've grown your team with these experts and open in, which is, it's just, it's a win, it's a win for all of us. And that comes to the, uh, last of the content I have for you today, and we have time for questions. I would love to take questions. Yes?
mayly psychology. That's a good question. So the question is, for things like mixed case use, is that something that you can use to discern if the commands you're looking at or the loaders you're looking at are a specific threat actor like TA577? It's true. So the thing about mixed case and those kinds of text obfuscation techniques is you really can't do any kind of attribution. It's a cue, but for example, like I said, Raspberry Robin also uses mixed case and they're associated with Evil Corp. Um, so unfortunately that's not as good of an indicator for specific attribution, but it is going to tell you that it's evil. I have not seen very many legitimate admins decide to use the lot
of CAS yeah I here and there but it's an easy easy way for to try a
section away f that that can happen so the question is um you know if you've got somebody who got developers that're using Easter eggs or using terms that they're very fond of or references they're very fond of are they kind of sitting their hat a little bit it has happened um Sandworm is a great book they hav yet there have been actors that have used very specific recurring references in their code that has absolutely uh we the flag to eventually let defenders know exactly do work um so yeah it does it absolutely does happen um writes code people have people make typos that are consistent people have their favorite way of you know putting different functions
together and you can absolutely start to feel those apart if you get enough access to
data yeah absolutely any other questions yes that
yes so the question is will instituting GPO policy to block things like you said wscript in particular cause a lot of problems or VBS could potentially cause a lot of problems in I the answer is yes it could it absolutely could which is why you have to very carefully test that before rolling it out this will not work for all scripts and all environments especially if you do have a lot of folks that are doing legitimate of work um but for those cases where you maybe you do have a whole swath of users that adult and you can create a policy for them if they're not anywhere near any of the environments so it will require a lot of
testing you're absolutely right it it will create good problems Tes befor yes do you know why they're so this works do you know why they're so aggressive in October just the sheer spike that they hit and then it dramatically drops off a cliff do you have any insight into why that is the case I have speculations as to why that is the case um so I'm not sure if that feed will come through but the question is why October or why is there this dramatic increase in October and why does it drop off so significantly um I think that it's because everybody's back from vacation uh and some places have different vacation months than other
places some countries have vacation later in the summer um my hypothesis is that they uh come back from vacation do a dev cycle get ready run everything in October and then they have a month or two to work the access that they've gained in the meantime so this big campaign they get it's almost like a campaign they all these leads and then they follow up on the leads the next month or two until it's
time right to support maintenance cycle maybe um it's just it always kind of blows my mind how closely some of me and how professionally organized some of these groups are um yes in the back for those who are interested in entering a career in malware and intelligence analysis what like pathway would you recommend for entering the field that's a good question so uh the question is about what pathway would I recommend for entering the field for you said malware analysis specifically um that's a tricky one because there's I'm going to do it it depends I know I'm an Intel person I had to say at least once um it it really does it does depend
it depends on what you're interested in so do you want to do like exclusively blue team work do you want to do a little bit of kind of analysis to help develop renting tools those pathways are going to look really different so that would be kind of the first place I would start is do you want to do red team blue team team and then just doing your best to take advantage of free resources that are available um I like I said c is fantastic and you can there's some really good courses available for CyberChef um some are available kind of online uh I knowk defense is a really excellent cyh course haven't taken that yet
Cy um and so that would be my first recommendation and then after that it's just a matter of finding good opportunities and the thing about this field that I've noticed is everybody's path into it is different and that's wonderful makes it stressful when you're trying to figure out where is my path how do I get in there um but the fact that everybody has kind of a different journey into cyber security is lovely it gives us a lot of different perspectives it makes it harder you have to kind of have that internal momentum and push yourself forward but if you can do that um it's you can kind of take your own way and figure out what you want to do
what you like to do awesome thank you yeah you're welcome good question any other questions