
The First Step in Incident Response: Prepare

BSides Detroit · 34:26 · 345 views · Published 2012-06 · Watch on YouTube ↗
About this talk
James Foster talks to us about proper preparation for incident response. Incident response starts well before the Bad Thing actually happens. This talk aims to give ideas, advice and examples on reasonable, achievable things you should be doing to be better prepared for an incident. It's not as hard as it seems, and you might find that incident preparation helps improve your IT operations anyway.
Transcript [en]

The last thing here is: don't forget about your source NAT or load balancers, if you have an organization that's large enough that you have load balancers or source NAT. Source NAT, for those that... I'm trying to see if people know what I mean... is where an incoming packet's source address gets changed when it comes into your infrastructure. That's source NATing. We're all familiar with destination NATing, but that's source NATing, and people do have that. It is not interesting or useful when your web server shows all connections coming from your load balancer. If the log says they all came from 10.22.2, you're like, oh yeah, it's our load balancer, of course they all came from your load balancer. So now you have to go back to the load balancer and say, does the load balancer have logs, and can you stitch them together with the web server logs? Because all you want to know is where did that user log in from. That's all you want to know, and now you have to put two pieces of data together, and if they're not time synced, or if there's not a unique identifier between the two, it's difficult.

[Audience member with a lot of experience in this: if the web servers are Linux you can use [inaudible] to route back... that can't be done on Windows.] Right, right. And even better, hopefully on the web server you can put in a custom log to log those headers right on the web server, so you don't even have to look in two places. I had a slide... this used to be its own slide, and it said avoid architectures that require source NAT, but I had to cut things, I had too many slides, so it got cut. But thank you for saying avoid architectures that require this kind of stuff. Please.

So what stuff should we log? I don't need to go through all this; these are just some ideas that you can look at. If you have these things and you're not logging stuff from them, you probably should. They're kind of obvious. The thing I will say here is try to log in multiple places. Again, having something is better than nothing. If you're going to log in more places and one of them breaks and you don't notice it, because you don't look at your logs every day, you have coverage now, because probably an attack is going to cross two or three pieces of infrastructure. If you lose one, you're going to have logs from the other two, hopefully. It also gives you a lot more confidence in your conclusions when you say, yep, it happened here and I saw it here. That's a lot better than just, it happened here and I don't have logs here. It gives a lot more confidence in your conclusion. So that's always nice to have.

I mentioned these on a separate slide because I less often see logging here, and these are more interesting. If you have in-house developed applications, it's awesome if your developers have really good logging, transaction-based logging with sources and destinations and users and who did what. The thing that you'll have to know about that is you have to have somebody that can read those logs, because an outsider won't have any idea how your application works or what those log lines mean, so you would need access to those smart people.

DNS logs are good; most folks don't have them. What this can do is it allows you to figure out, well, who looked up this IP? Again, depending on your infrastructure, you might say one of our clients went out to this bad IP on the internet. Well, why? If you have a web filter, you can find out. If you don't have a web filter, that becomes more difficult to find out. Maybe you can find out what host it was, but now you're still not sure, because if that suspicious IP hosts like 400 websites, you don't know which one they went to. A DNS log, among other technologies, but a DNS log being a pretty simple one, can show you pretty easily that the user mistyped Bob's Pizza and then immediately realized that they mistyped Bob's Pizza and typed it correctly the second time, and then you can explain: okay, why did they visit that website? It was a simple error, a simple mistype. So that's that.

So the beaver always says more logs. I think I've pushed this enough, right? More logs, more logs, more logs. Beavers love logs, so let's get them what they want. The last kind of log that we want more logs of is DHCP logs. A lot of folks have DHCP in their environment, right, but they don't have a log that shows at what time what MAC address was using a certain IP. And I'll tell you the ISPs have that, because that's what they have to give to law enforcement when they subpoena them all the time. So in your own environment it's important to have that. That's how you tie activity back to an actual machine or user; without that you're guessing. So that's really important to have.

And what the beaver wants, basically, is he wants you to make log enabling and testing part of your normal build process. So if you have a build process that says when we put in a server we do B, C, D, E, F, it should be: ensure that logging is working, and on our syslog server we're receiving the logs and all the fields are there. And in your operational process, part of the things you check, like, is the web server up? Yes. The second check is: are logs being sent to where they're supposed to be sent? What I like to say is just operationalize this. It's not a security function to keep logs, it's an operational function to keep logs. It should be everybody's responsibility that owns systems to keep logs. It's not security's problem; security just happens to be one of the big consumers of logs.

So, the Holy Grail. Wouldn't it be nice to just log all conversations on your network at all times? Just log everything everywhere, it just gets written to a huge SAN, because you paid a lot of money for this big SAN and you've got to put some stuff on it. You're going to just log everything forever, so that when you have an incident you can just look back. It sounds crazy; I argue that it is not crazy, and Cisco calls it NetFlow. Now a lot of people use it vendor-agnostically: IPFIX or jFlow or some other vendor terms for this. Of course I have overstated its capabilities. It does not log the content of packets; that would be insane. But what it does do is it says: at this time, this host with this source port talked to this host on this destination port for this many bytes or this many packets. That is super, super useful if you can have that throughout your environment and keep that for a month. Your incident handling is going to go fast, fast, if you have good data in your NetFlow. It's really, really valuable; I can't overstate it enough. Calling it the Holy Grail is maybe too much, but I really like NetFlow. When we do a gig and they have NetFlow, it makes things go so much better, provided that they're collecting it and keeping it. You know, again, they may have turned off the collector yesterday or whatever.

So, enough. I've now talked... it's now like I'm a half hour into this thing and I've talked about logs, and I'm glad you guys spent that much time sitting in here. Like, turn on your logs. But it is the most important preparation step for incident response; that's why I spent the first half hour on it. But enough about it. The last thing, maybe the second to last thing I'll say about it... no, it's the last thing, is time sync. Logs are very difficult to use to build a timeline when the times are all wrong. So I'm like, yeah, I know it sucks, everybody's like that, it's terrible. So a good incident responder, when they gather logs, will check the time on the source where the logs came from, if they're not sure that those servers are synced, and if it's off by 10 minutes you can adjust the logs to be 10 minutes different. Hopefully not having to do that in your head; you can actually put it into Excel, if you're doing analysis in Excel. But it sucks to have to do that, and if you forget to check that they're off and you're trying to stitch together events from three or four different logs, it is so hard to do that. Secondly, I don't know how people operate IT that isn't time synced, like not even security. And we see it; it is not uncommon for people to have bad time on half of their devices. It's incredible.

The other thing, of course, is time zone: what time zone is it? If you are a huge multinational and you have server systems all across the world with some kind of central repository, you should probably just log everything in UTC; there's no such thing as a local time zone for a company like that. If you're small, it would confuse everybody at your four-person company if you logged in UTC, so you'd probably keep it in the local time zone, but you have to know that and have some kind of an approach for that, or at the very least all the logs have to have an offset in them so that you know the time zone, because you might be trying to correlate events across time zones. So again, the time element of logs is super, super important. By the way, you don't need a special GPS receiver and thousands of dollars' worth of equipment to have time sync; just use NTP from the internet. It's good enough. So I'm not telling you to spend... this isn't that hard, is what I'm trying to say.

Of course, I am not a lawyer, so I'm not qualified to talk about any of this, but I'm going to anyway. These are some of my opinions. If you're going to only focus on a few legal things, these are the things to focus on. Have authority to monitor your network; that seems obvious. Have authority to ask questions of users; I'll talk about that. Authority to inspect or seize things; that seems easy, except when it's a third party doing work for you. It's unclear how many rights you have to their hardware. And have an AUP, an acceptable use policy.

Authority to monitor seems pretty straightforward. Authority to ask questions of users I want to focus on for a second. It is my opinion that a mature incident response organization, if you have some incident responders, should have the power to call up users and just ask simple questions. And they probably don't want to do that when someone's being targeted, or when you think this person did bad things inside your organization, because you don't want to tip them off. I get that. But it should be at the discretion of the incident responder to just call up and say, did you visit a website like this yesterday? "Oh yeah, it was crazy, I was looking for the pizza place on my way home and by mistake I went to the wrong thing." Done. And if the evidence in your web filter log supports that, you're through; incident done, file it away. If you don't make that phone call, you have to draw conclusions from other systems. Maybe you have to do forensics and spend a bunch of money and effort to come to that conclusion. That was not worthwhile. There are some HR departments that don't like this; they want their IT security not to interact with people. I think it's fine to interact with them.

The other thing is, if there's an incident where, you know, a host has been botted, or you think that somebody's targeting you at your company, and there was a particular user that may have opened a PDF to infect themselves, it's good to just ask them: oh, where did you get that from? "Oh, it was my Gmail, my personal mail, I was reading my personal mail." Well, that's a good thing to know, because now you know that either it wasn't targeted, or if it was, the people who are targeting you know this person's personal email. So that's a different kind of thing to build from an incident. Interviewing people like that can be really valuable in incident response, I think.

So, have an AUP. There's at least one case that I've heard of where a user was doing something personal on company equipment, on the company network, but using their personal email, their web-based Yahoo mail or something, and they got fired for the content of those emails. That person then claimed that the company had no right to monitor that, that she had an expectation of privacy in those mails because it was her personal email, and the court agreed with her. And the court agreed because she wasn't told that she had no expectation of privacy in her personal email. So I have some language in the speaker notes to this, if you download the presentation later. It goes like this; this is a sample AUP: "All use and content of company computer systems or networks may be monitored." That seems pretty simple; everybody has that in it, I'm sure. The next sentence: "Users should have no expectation of privacy in their use of company systems or networks." We're telling them specifically: you have no expectation of privacy, comma, "including in personal use thereof." So now you have explicitly said, because most companies allow some personal use, we're going to allow you to do personal things, but you have no expectation of privacy in it; we have full rights to monitor your personal stuff. That's going to avoid that bad situation where somebody says "I didn't know you were monitoring" and the court agrees with them.

The other thing that AUPs are good for is this whole third-party thing and bring your own device. So if you're bringing your own laptop to work, or your own iPad or whatever, have you signed something, or has the company forced you to sign something, that says they have the right to seize that from you? Some places that are mature have that; some places that are immature don't, and so it becomes a very uncomfortable situation, like, "no, it's mine, I'm not going to let you look at it." So you want to have those things taken care of.

There is one more legality that's very icky that we have to talk about, and it's this. In what industry do we let this guy do stuff and not let that guy do stuff? Unfortunately, PI... and for those of you that don't know what PI stands for, nowadays it stands for professional investigator. It used to stand for private investigator, or private eye, like Magnum, P.I.; that's what PI means. Nowadays they've professionalized the term; it's called a professional investigator in Michigan and in a number of other states, but not all states. There was a move afoot that said people doing computer forensics are not licensed currently, because they weren't, and they should be. And so starting in 2008 in Michigan, a PI license is required to perform computer forensics "to be used as evidence before a court, board, officer, or investigating committee." That's what the law says. These links are in here so you can look at them later; I realize they're too small to read. Computer forensics, that's its definition. If I read it to you, I'm just going to be reading while you're reading, so I'll just give you like 10 seconds to read that.

So you should all be frightened now of this law. These two are links to a talk by a guy named Scott Moulton, who runs a data recovery and forensics business in Georgia. He got caught when Georgia's law went on the books, and he found out about it when he was on the stand testifying about the forensics that he had just illegally done. Yes, I have the next slide, sorry, but yes, there are exemptions. This is the most important one: employees doing internal-only work. So if you're an employee of a company and you're doing forensics for that company internally only, you don't have to be licensed. This is the whole idea of licensure: it's if you're putting services out there, right? And also there are exemptions for law enforcement, for attorneys, for CPAs, etc.

[Audience member: Do you know, for a company that does only [inaudible] investigations?] I don't know the answer to that. I've tried to figure that out; maybe Larry does. [Audience member: [inaudible]] So consult your attorney about that. I've heard that and I've heard the opposite. You're probably right, I mean, given the maturity of your... [Audience member: [inaudible]] Right. Here's my note: there does not seem to be an exemption for service providers. This says "an employee reimbursed on a salary basis." So if you're doing forensics for a company and you are an employee of that company, you're okay. If you're a contractor of that company, you're not an employee; if you're a service provider hired to do it and you're doing forensics for them, you are doing a service. [Audience member: An attorney said that's fine.] All right. That's just saying... right, we brought that to him when he said that it doesn't apply.

So, to be clear, incident response is not the same as forensics. I'm not claiming that it is. What I'm saying is you have to be cognizant of this, and cognizant of where that line is. That's what I'm saying. So that's it; I'm going to stop. This is a really icky topic, I don't like to talk about it, but I feel like I'm doing a disservice if I don't include this in here. The last thing I will say is practicing forensics without a license in the state of Michigan is a felony, plus they'll throw out all your evidence. I mean, that's the actual risk: you go to testify, they're going to say no, it wasn't licensed, evidence no good, case dismissed, and you just committed a felony. [Audience member: So, okay, thanks for providing us the evidence for your case.] Yeah. I don't do forensics in the state of Michigan, because it would require a license.

So, incident response policy and process: who makes what decisions. If you're not going to write a full incident response policy and process, if you're never going to get around to it, these are like the four things to look at: who makes what decisions, who needs to be involved, how and when to involve law enforcement, and what scenarios have legal implications. The last thing, you know, is this: when are you going to have to do a breach notification? Depending on your industry and what kind of data you have, that's something that, if you have PII, you're going to want to know and think about a little bit ahead of time: when are you going to have to do breach notifications? Who makes what decisions and who needs to be involved is important so that your management doesn't start clashing and yelling at each other when they're having a bad incident. So you want to try and work out some of that.

Documentation is important to have: network diagrams and stuff, an inventory of systems, credentials, like being able to actually log into systems is important. Especially this: assume at least one key IT person is not going to be there. That happens a lot. If you just think of your own organization, how often are people on vacation or unavailable? And if an incident happens then, and that's your networking guru, and your incident responder says "I need a SPAN port to mirror traffic between these two things, please tell me where to plug in," and you go, "oh, the network guy is not here." That's not a very... I mean, that's an answer, but it's not a very good one. So you should be able to handle stuff like that. Have your documentation and credentials. And if the incident is that your file server's down, where you have all your documentation, it's going to be hard to get to it.

So some more documentation: you have external contact lists, service providers, etc., circuit numbers. Someone wanted me to say circuit numbers. If you ever call your ISP and you don't know your circuit number, they'll probably hang up on you. Internal contact lists are good to have. You need to know how to get hold of people in HR. If you have remote sites where people do hands-on work for you now, because you don't have an IT person there and they need to plug something in, you need to know who those people are. What I'll say about contact lists is, if your company has a disaster recovery process, just use that. A good disaster recovery process has like a printed sheet you can put in your wallet with everybody's cell phone numbers or whatever, because when the VoIP system at work goes down because it was part of the incident, you can't use your internal phone system anymore, so you're going to look up people's cell phone numbers on your little sheet. So if your DR process has one of those, use that; that is also your incident response contact list. You don't need to rebuild it.

So this is the second-to-last recommendation: sufficient DHCP pools. I've not seen this mentioned before, which is why I wanted to include it. I said earlier you should have DHCP logs so that you can tie a MAC address to an IP at a certain time. That's important, but if you just make your DHCP pools big enough so that you're not rotating addresses all the time on hosts, man, does that help. You can use the log later to make sure that you've got the right host, but when you're trying to hunt down a host, if your IP addresses are changing all the time, and by all the time I mean every few minutes, it makes tracking down that host really, really difficult, and you're going to waste a lot of time and resources. You guys are all thinking this is insane, who would do this? I just did a gig at a place whose wired network DHCP lease time was two minutes. Yeah. They were really short of addresses and that was their solution. And you know, DHCP servers tend to try and provide the same address; theirs didn't. I don't know why; I don't know what technology they were using. But it was impossible to track hosts. The other thing is they were trying to rely on the host name being registered in DNS for the current host. It didn't work, and I've never seen it work on an incident where you try and track down, well, what host is this, based on the host name that's in DNS right now, in reverse DNS. Half the time it's wrong, and again I don't know why that is, if it's just often implemented incorrectly or it's unreliable, I don't know. So you want to be able to get to the MAC address. And then the last thing there is, once you have the MAC address, can you track it back? Do you have something that ties that to a user, so that you can go to that person and, you know, beat them about the head or whatever you need to do, or seize the computer or whatever? Don't use a bat on the wrong person; make sure you've got the actual right person.

So the last incident response preparation thing is practice. In my opinion, practicing is really, really valuable. This can be a tabletop, a five-minute practice in your own head. This can be, oh, I've built this server, let me look at the logs and think about what I might use these logs for. Practice. If you're handling a lot of incidents and you have a mature incident response process already, you probably don't need to practice. I mean, if you're a full-time incident responder and this is what you do all day, you don't really need to practice. If there's a type of incident you're worried about that you don't handle all the time, maybe you need to practice that. What practice is going to uncover is where you're missing things. So if your practice is a scenario, or an actual incident, you're going to run through it and realize oops, we don't have logging over here, and so you're going to have some feedback to IT ops to get logging fixed over there. So that's why I think practice is really important, and that's why we're going to do some practice. So here's the scenario.

So, that could be a concern, and this gets to you, and you're the security person, and they say "somebody's reading my email." You have an Exchange server inside, people using Outlook clients, and you've also exposed Outlook Web Access to the internet, like everyone does. So where do you look first? These are Geron balls that they gave to me, and I'll be throwing them at correct answers. Where do you look first? [Audience member: The user's password?] Could be. That is not where I would look first, though. Anybody else? [Audience member: Logs?] Are you looking for OWA access? So that's what I'm going for. It might actually be wrong; I said at the beginning of this presentation I might be wrong. So my answer, in my world, is I'm going to talk to the user and try and figure out what's going on, but I'm going to look in the OWA logs. OWA, most people expose it to the internet with just a username and password, so you were right about the password part. So if you want to read somebody's email, just guess their password and read their email via OWA; that's the easiest way. And so to me that's where you go and look for something like this.

So in my simple world, let's say we go look there and we find that someone is actually logged into their email via OWA, and we say to the user, do you use Outlook Web Access? And they say, "what? I just read my email on my laptop, I don't know, Outlook works." So now you know that they don't use OWA, but someone logged into it, and you find the source IP from where that login came. So I'm going to ask the question differently: what would I do with that source IP next? What's the next thing that you or I might do with that source IP now that we have the source? [Audience member: MAC address, compare it with the MAC address.] So I think you've gone a couple of steps too far. We're on the internet, so we can't get the MAC address, sorry. To be clear, this is an external attack. So, "who owns the source IP" is a good answer, but it's not the one I'm looking for, because it's too easy. Geolocation is also too easy. So you have your own logs and you have a source IP that logged into one user's account. What now are you going to look for based on that source IP? Yes... I'm too far to throw, so pass that back. So what you want to do now... this is getting into a little bit of how to do IR, but if you get that IP, I mean, you're going to do a geolocation on it, find out where it is; that is a correct answer. But what you want to do now is, okay, what you're trying to do is scope the incident. Is this attacking IP reading this one user's email, or everybody's email? So if you do a search of your logs based on that IP, you're going to find out, oh, they're only reading Bob's mail, or, oh, they're reading 10 people's mail. Reading 10 people's mail is a very different incident than reading Bob's mail, because Bob's mail, it's probably his wife that's reading his email. If it's 10 people's email, somebody's going after your company, right? That is a very, very different scenario. And by the way, that sort of thing, if it's focused on one user and they think they're being spied on, the spouse is like the cause half the time. So just keep that in your... that's not a joke. Everybody thinks their company is being attacked; it's not actually their company. So here's another practice, the next one.

So this user thinks, oh, something happened and then it went away, and it wasn't being remote controlled anymore. So my question is a very specific question: how can NetFlow help you? This is an internal PC on your internal network. How can NetFlow help you with this? What are you going to look for if you have NetFlow? [Audience member: Dave Kennedy's IP, inbound connections to it.] Inbound connections to it; that is pretty much the answer. You've got to look for outbound as well, because it could be an outbound remote control thing, but inbound is what I'm going for. And so what if you do see an inbound connection to destination port 5900? Who knows what 5900 is? VNC. That's your remote control tool. So this makes sense now, right? Okay, the user says their machine was remote controlled for a few seconds and then it stopped, and NetFlow shows us there was a VNC connection to it. See how easy NetFlow makes this incident response thing, in my little world. So now you're going to look for the source IP. So here are some scenarios to run through. That source IP is a remote site on their wireless network; it's your site, it's your wireless network, but it's in another state. Do you have sufficient logging and data to tie that back to a user, so that you know who that was, so you know who to go hit with a bat? Another one might be it comes back to your VPN pool. Do you have VPN logs to show who was using that address at that time, from wherever on the internet? But let's say that it actually... and this happens, this is like, you'd bet 20 bucks that this is what it's going to be: turns out your IT people use VNC legitimately and they connected to the wrong machine. And so you find out what IT person it was and you call them. Again, the importance of being able to just call people to dispel these incidents quickly, and go, "hey, IT guy, Bob reports that somebody remote controlled his machine, and NetFlow tells me it was you, like an hour ago. What's up with that?" And, "oh, it was crazy, man, I was not paying attention, and I had so many phone calls, I don't know what's going on, Jane called and I had to remote control her machine to fix something, and I typed the wrong IP. Once I realized I was on the wrong machine I stopped and then went and fixed Jane's issue." Done. Your incident is now done. Okay. The other way to do that is to be insane and do full host forensics on that system, because you think it's been botted, because the Chinese are after you, and you spend a lot of money and a lot of time to realize that it was a VNC connection from your IT guy. So that's why NetFlow is awesome.

So here's the next one. User calls the help desk: "oh my god, I've been hacked." I don't know why she's so happy about having been hacked, but she is. She is so smiley that she got hacked; she's so happy about it. So a user reports... I'll let you read it, I don't like to read things to you, you can read it. This is based on a true story, from a long time ago, though. So okay, you're going to have to be quiet now, because you're going to ruin the surprise. So the local IT person goes there and confirms, like, yep, things are actually being typed into the keyboard buffer, because whatever application we switch to, that's where the stuff is being typed, and it's not random letters, it's words. It's just that the sentences don't make any sense; it's like random words being typed in. So this is really weird. So they're kind of standing around, and we're on the phone like watching it, and unfortunately the word "president" and the word "kill" both appear in the same paragraph, not next to each other, in the same paragraph of gibberish, like random words. So the local management, who is now involved and freaking out, says, "oh my God, hackers are in our machine, in our internal network, typing threats to the president, let's call the Secret Service." And let me tell you, if you call the Secret Service and tell them that, they will come. They will come and they will take all your stuff. Look, before the Secret Service got there, we figured it out, and you were very close. Does anybody else have any ideas what benign cause this could possibly be? [Audience member: We had this, and it was Dragon speech-to-text, and the word was "bomb."] "Bomb," okay. So isn't this funny? [Audience member: FBI.] Right, FBI. So we have almost the same story: law enforcement getting called because someone had speech-to-text turned on and the microphone was open. Probably nobody even said "bomb" or "president" or whatever; ambient noise and ambient words. You know how well speech-to-text works; it picks up anything and makes words out of it. That's what it was. I don't know who figured it out; we weren't there looking at it, but someone was like, "can you look in your system tray and see if there's like a little microphone icon?" "Oh, there is." "Oh." So that did not stop the Secret Service from seizing that machine; they seized it anyway. But anyway, that was a funny incident that I thought I might tell you about.

I can't resist having a slide about incident response advice, even though I told you this wasn't the talk. Have somebody in charge, don't freak out, don't let your management freak out, and don't go too fast. Firefighters follow this: when they respond to a fire, they don't freak out, somebody's in charge, they don't go too fast. And so these are kind of... I mean, if there is a non-technical incident responder's guide, that's it, in my opinion. Be flexible. One of my colleagues recommends a small cache of hardware. If you're a big company this could mean like a whole rack full of servers, if you're really big; if you're small this could mean an old laptop. But a lot of times you want to say, like, oh, we need to gather this data, can we do this real quick? And if you have a spare piece of hardware, you've saved yourself four hours. So that's really nice to have. Be flexible: you will go down paths with incident response for a day and have to abandon it because you run out of data, and so you just have to not get too sad about that and be flexible and change paths. I'm not going to talk about that; it takes too long, I'm running out of time.

So what I would like to do is... at the beginning of my talk I said, if you had a bad incident, try and remember something that you wish you would have done to make it go better. Does anybody have one I didn't cover? I covered like every possible bad thing. Yes? [Audience member: The Dragon one they had... they made too many assumptions on what the field would do, and the field went in and tried to install capture software on the device.] Right. So if you are going to do host-based forensics, if you think that an incident is leading that way, or you guys just like to do it a lot, or it's part of your process, you probably don't want to mess with the host too much, right? I try and touch a host as little as possible, because you want to rely on the network stuff, and you don't want to do the forensics, because you have to hire a properly licensed person, at least in this state, to do that anyway, and it costs a lot of money. But right, especially if you think there are legal implications to this event, you probably don't want to mess with the host too much. So that's a good

one us yeah so um it is it is easier to manage an incident if you're there physically um I think I think everybody gets that it's easier to anything if you're there physically but you can literally look at the machine and see if there's a lot of hard drive activity if the hard drive is going like crazy with nothing's happening well maybe there is some aot on there rather than speech detex is turned on so those sort of things can be valuable any anything else I'm pretty much out of time how would you do that now with recent the last 10 years these processes are so powerful even if you take a 1% 2% out of the

process you notice changes yeah you're right I mean it's not a good indicator I'm just saying there are things when you're physically there where you can get a better feeling for things at least I think there are is that was that your question like how can you tell I mean who doesn't have a Windows machine whose disc churns incessantly when something is running right I hear my wife's Windows machine just she's not even at it and like I'm like what what is it doing over there um it's probably like an antivirus update so you can almost draw a conclusion I don't really know what it's doing but I can guess that something's being updated on that machine right now

that so that's the kind of conclusion I really was talking about you can't draw for sure conclusions about it you speak to some of

problem so um by the way the next speaker needs to bump me off are they here that's me because we're running out of time oh okay trying to be sensitive to your time um so if I were to do an incident response and they have nut flow I'm going to try and use that data or any other log data they have to figure out what's going on if you start to narrow on something and you want to actually find out who's talking about what I would try and get a packet capture um depending on the customer and the organization I might just say can you just give me a mirror report please and leave me alone and

I'll do it on my own laptop if it's at a remote site obviously that's not possible so so then we would need something locally to do it um and the reason I say this is there's going to be a network device in the path where you could probably do that and then pull that capture back but I find that most people aren't really good at doing that or they don't know how to do it or they're going to mess things up and then the DAT it'll take them four hours to give me a capture that's wrong anyway I've had that where they can't even write a filter correctly so um I tend again it depends on the organization if

it's a pretty mature organization and they're willing to give me some of their time I'm an outsider so they don't even want to spend time with me they just say go fix it I'm like well it's your network how do I don't even have credentials I need somebody to sit with me an internal person might have a different experience but um it totally depends on the people involved and the technology involved I have no problem doing captures on my own if I can get the data um but if it's a firewall and it's 200 miles away and if I can convince them to figure out how to do a capture on it awesome I'll do that too

did that address your question or yeah it seems you're I'm for every of data you can get yeah I mean net flow is so good because it's it's it's relatively light in in for the amount of value it gives you in my opinion because it's not capturing the content you're getting a lot of value out of a small amount of of uh of data all right it's time for you to kick me off thanks very

much
