
Open Source Your Incident Response - Donovan Farrow

BSides KC · 34:04 · 28 views · Published 2025-06 · Watch on YouTube ↗
About this talk
This talk will delve into the use of open-source tools to enhance incident response (IR) capabilities. We'll explore a variety of free, robust tools that can be seamlessly integrated into your IR plan. Through real-world examples and practical demonstrations, attendees will learn how these tools can help in preparing for, detecting, and responding to security incidents efficiently. The talk will highlight the benefits of open-source solutions, including their cost-effectiveness, flexibility, and strong community support. Join us to discover how to build a resilient incident response strategy using the best open-source tools available.
Transcript [en]

It's a decently long leg here, so thank you for helping me. So this is the open source incident response talk. If you were here for that, you're at the right place. We don't have ice cream here anywhere. Right. Next slide.

My name is Donovan Farrow. I'm CEO of a company called Alias Cyber Security. Qualifying myself: I've done over 350 pen tests, 220 incident responses, 234 cases. I'm a certified expert witness in state and federal court. Yes, I have been in the FBI, CIA, and Secret Service. I will never kill myself; I'm a very healthy young man. So, yeah, we do a lot of that. I've worked, I guess, other stuff that was in the news. I found one of the first in the Philippines, the company I worked for. I've worked Las Vegas casino breaches. You guys will know which one of those are; you can see me after class, because they definitely got breached pretty hard. And I'll mention some newer stuff; those are kind of the older ones. And that's me.

Today we're talking about understanding the hack. This is just for people that might be kind of new. Why do people do that? Well, you know the reasons. Insider threat: those are actually one of my favorite cases, because it's usually a, we'll say, malicious internal IT guy. We had a few cases. In one, he was running a disability something for the state. What we didn't know was he had all the keys to the kingdom, and people were getting random harassment messages about how he was going to kill them. So that was pretty wild. And he didn't have all the keys to the kingdom. So what we did is we had to basically put our arms around this entire department of government. And we found out this guy had a secondary line that he was hosting CP on that the state was paying for. So that's child pornography. Pretty wild. So what we did is we actually started kind of inside out. We did basically a scan on the outside, found out what internet connections were going through. We basically pen tested his environment so we could get all the access. So we took all his passwords. We exploited his machine. So we recorded his whole machine, logged for about 24 hours, so we could get all of his information about the network, because they really didn't have any intelligence about it.

The other one, ransomware. That's easy: it's money. Medical data, that one's pretty cool. I said this a long time ago: I think the worst thing we ever did was put medical data electronic. Work the case. Awesome.

This is Joel. This is why he's awesome. The worst part is, I think his project is the one that's here. [Inaudible.] Yeah. So, a lot of reasons. Credit card data. I don't do this, but maybe you do: he had his iPhone set up, when he goes to the shower, to play music, stuff like that. Well, they took some compromising information from his cell phone and tried to extort him for, I'm sorry, political reasons. They tried to extort him: if you don't do this, we're going to expose you. I had another political one where someone was able to recover this person's medical data. They recovered it somehow and they tried to push him out of the race, because the person went to counseling and stuff like that, and they were going to deem that he was unstable, stuff like that. So they tried to extort him out of running a race. So that's pretty cool. And, you know, the other cool one was for the lulz. I'm such a Lizard Squad fan. Anyone know that one? Yeah. Thank you. Three people. Yes, I'm that old. Lizard Squad, those are the guys that took down PlayStation and they ruined Christmas. Sad. So many children crying that Christmas season. It was the PlayStation and Xbox, right? The whole thing, took it down. It was amazing. And then, on a random note, this is when Twitter was super young. I was like, "Oh, dude, man, Lizard Squad did it again." They retweeted my stuff and I deleted my account immediately. Absolutely not. I didn't even say their name.

So, going back to that. So we're talking about open source. First thing we do: we typically get a call every Thursday, because everyone's been working on it Monday, Tuesday, Wednesday. They're like, "Well, the weekend's coming up. We should probably call someone so we don't have to work the weekend." Every time: contract negotiations Thursday, we're on site Friday and working the weekend for sure. First thing we do, which I think is a little different than most people: a lot of people, they jump in head first and they just start looking at all the data. I call it chasing. They're like firemen. They see the fire, they're going to kick in the door and they're going to start spraying water everywhere. Well, that's good, but they don't actually know where the fire is coming from. The way I paint it is like this: during an incident, you don't run in there and start spraying water, if you paid attention, right? There could be a gas leak. So they're not actually fixing the problem. They need to take a break and figure out how they got in. So the first thing we do is basically a pen test. We find their environment.

I'm going to show you guys a few. You guys may know some of these, but we do this to every client that we have. So first thing is DNSDumpster. Anyone ever heard of that? Anyway, the reason why we use this first is because we have to get a threat landscape. We start running through that. We start looking at the landscape to see where the vulnerability is, if there is one externally, because that could be it, so we'd probably get in. So we take it to our red teamers and say, hey, just on the outside, if you could get in, where would you go? What would you attack? And that's kind of where we start. So you'll need critical assets. We always ask for a network diagram, because apparently no one has a network diagram anymore. So that's kind of a thing of the past. Determine... so here's the thing. I talk about ransomware; I've worked a few of these, but my favorite one was a company got ransomware and they were like, oh man, we've got to pay it. I was like, great, pay it. Who's going to pay it? Then no one knows what to do. So then they go to the higher level and they have a debate on are we going to pay it or are we not going to pay it. As a rule of thumb, if you guys have an incident response plan in your desk, probably collecting dust: determine if you're going to pay it or not, and that'll save you about four hours of debate going back and forth on whether you're going to pay it or not. Sometimes that's not an option. I've even worked with some brokers to go back and forth to actually use Bitcoin to get the data back. There's a few things about that. I'm kind of jumping off topic, if you guys are interested. I have spoken with many hacking people. I'm actually more suspicious of brokers that we work with. One of my favorite ones is we called this company in New York City. They work as brokers. So what the broker does is they have Bitcoin kind of ready. They're like a security company with insurance. And I think we worked with, it was Medusa. And I was like, "Yeah, it's Medusa." They're like, "Oh, we work with those guys all the time. They're great. They'll give you their credentials." And I'm like, that's weird you say it like that. And then I found out the founders for that company in New York are out of Russia. So maybe they do hang out with them. I don't know. Yeah. But it was weird. So watch out for that.

And I always say this: if you guys, in your environment, know where your gold is. Someone said that earlier: what does this company do? Why are we important? What makes us special? Know where that is and how to protect it. Shodan's pretty easy. Most of these are pretty generic slides. I got permission to do that, so that's cool. Shodan's pretty easy. This is a remote desktop protocol. If you guys don't know Shodan, you should. It's very fun. It'll scare everybody to death. I got a few slides I'll show. Actually, I found some funny ones this morning. So it's a good way to evaluate what the public can see, because a lot of people that move stuff to the cloud from an internal environment don't realize that it wasn't protected on the inside, at least the file. Also, when they put it in the cloud, there's no security parameters around it. So it's a good exposure, and people are scanning this consistently all day. So if your stuff can be popped, it probably won't take that long. This will be kind of funny here. Hang on a second here. I'll hold these up today. Oh, you might have...

[Inaudible crosstalk while the demo is sorted out.]

Okay, that's a bummer. Well, anyway, I just want to show you guys this anyway. That's fine. Important. Okay, so I was just doing some scoping of some video cameras. This one's kind of funny. You can see in people's houses and stuff. Right there. Pass it around. Right there is my favorite part. That guy right there is some weird guy sitting in his living room. You see that? It looks terrifying. So I'm proud to see it's real. Probably seen this before. I just don't know who that guy is. It's kind of scary. So yeah. So this is the kind of stuff we do when we're doing any type of incident response or stuff like that. So we go through and see what's available. And it's also my favorite when the IT guy definitely always tells the truth to us about how he left RDP open at home, and he definitely never had it, because it's closed now. It has historical information; we can go back and say, well, on this date it was actually open. So we win those arguments. So that's my favorite. They're like, that'd be impossible. There's no way you could get in. Unhackable.

All right, back to this. That sucks, man. I just have to pass it around for real. We'll go to the next slide here. It's fine. Maybe not. Perfect. Another thing is, I'm not sponsoring any vulnerability scanner. First thing you've got to figure out is, where's the vulnerability? So we do an external scan all the way. Sorry, this one's open source. I'm so old I know what Greenbone is. OpenVAS for you youngsters. So we do scanning outside of that so we can start determining what's the path, because we've had a lot of clients, I'll say a lot, like four, where we get involved and they're like, hey, you know, we're good now. We think we've patched the issue. We think it was a phishing email. Or they got the environment rebuilt. So about three weeks later, almost every time, three weeks later we get a phone call: they're back in, ransomwared our environment again. So it happens a lot. Vulnerabilities: you guys have probably seen this before, right? It's an old one. It just helps identify where we're going to go. I am super, super upset about this, because I was going to show you guys the dark web. I know a lot of people talk about it, but have you actually seen it? Does anyone actually do the dark web thing? Still credit cards. Perfect. Right. So, what I was... Yeah, we're actually borrowing. It's sharing, isn't it? So, I have a few dark web sites. Abyss, I don't know if you guys have seen it. I'm not going to unplug; I'm scared to touch this thing. So here's all the stuff for sale for this one. It's there. And it's really nice how you can just click on it. It's for sale. You can download it, which is illegal to possess, so don't do that, because that's a crime. And then they've got a really cool logo, though. I'm proud of that. Nice, right? They've really come a long way in the dark web. Their websites used to look like FrontPage. It was pretty wild. It's very shameful. So they definitely started working on their marketing material, right? Everyone's heard of WannaCry, right? They weren't the biggest one. They just had a cool name, right? So the marketing company is working well for them. So very exciting. So these are also something that we look at, because we don't know if your information is for sale yet. If it is, we have a better chance of figuring out if you actually got breached, because some people are not aware. This thing is tripping, man. Jeez Louise.

Okay, cool. Whatever. Oh, also, this will be in the slides. I forgot the guy who made this. Probably that person. Awesome threat intelligence. Absolutely, 100%. So, threat intelligence information: there's like, I think, a hundred different places you can pull that information from on what type of threat. Also, if you're looking for information to inject into your SIEM tool or anything like that, it's a great place. They're all there. Some you've got to buy, but most of them are free. So, super cool. Thank you for that.

Here's something we made, which is kind of cool. We call it the SNAFU, which is not what you think. It's the Secure Network and Forensic Unit, not a military term. So what we basically did is, when we come in, we have an incident. I'm showing this because you guys could do this too. I'll show you kind of how we built that. So we basically bring this in, we put it in line, we do a separate, basically, in and out. We have a clean one; we call it the dirty environment and the clean environment. And we have this all compact. We run it through a different open-source IDS/IPS, Security Onion. So we have Security Onion running on that. We also have some open source EDR stuff that we push out. And then, if the company's down for some reason, we also have a connection to 5G, which is pretty cool too. And yeah, so that's really fun. Do what you want. You guys ever seen Kibana? You could pull this information in with the Onion. The reason why I bring it up is because you could put it on the big monitor and tell your boss how much you're doing for them, because there's colors, and if you got it really fancy you can take the logo of your company and put it over here. That way they know that it's them and you did really good. Okay. It's really easy to set up, too. Yep. And you can even go dark mode and get really serious with it. Right. Look, there's numbers here. You know, it's very important stuff. And job security is what I call this one. So, yeah. See, that's a different monitor. Yes. You know what's funny is that thing doesn't work anymore. So you just go back to YouTube. You just go to YouTube. We do that sometimes and put it on the window; it's hilarious on the TV. The coolest part about this, you guys can see that it's red in there. So it was very important for the designers of this machine. One of them is actually in this room; it's my associate over here. It was high-tech. We were like, man, it just doesn't seem like it's enough. How are they going to know if it's working or not? So the team bought a USB LED strip. So that way, when we plug it in, it's red, because what does red mean? It's bad, right? So when we get the environment cleaned up, we change it to green. It's hilarious. I'm not even joking. It's hilarious. It's like RGB. We changed it to green: everything is going good. We're like, it's green. Yeah.

Right. It is kind of funny, but it makes them feel bad, you know? It's all about that. We're going back to the pretty stuff, right? Funny, funny, funny. So, also, this is my joke. I don't even know where I got that. No logs, no crime, right? So I have the luxury of working with a lot of attorneys, which, I don't know anything about law, but I have worked a lot of cases. We worked a lot of, well, say a handful of breaches where the attorneys will say, go through the report: hey, here's what happened, here's the steps, they came in, blah blah blah. And we go to the firewall and they're like, yeah, we got logs there. I'm like, you have like four days; you've definitely been breached for like three months. They're like, so wait, let me get this straight. You can't tell if they actually got in through the firewall? I was like, the logs are gone. He's like, okay. Okay. So nothing was stolen. No, it's for sale on the dark web. You could download it, actually. But there's no evidence that it was stolen, is that correct? I'm like, you can say whatever you want. I'm pretty verbose about that. That conversation has happened quite a bit. So, no logs, no crime. Apparently, that's a real thing.

Another funny story about the dark web and no logs, no crime: we had a customer that was kind of the same situation. I butted heads with the attorney on that stuff, being like, "Hey man, your clients are going to know." Those guys were pretty gnarly. I forget the attacker, but they were sending emails to all of their clients. It was like the NBA, NASCAR, I mean Microsoft, and saying, "Hey, so-and-so has been breached. They're lying to you. Here's a link to your data." And they were given a Tor link to their data. And they said, well, just keep quiet, we'll talk about it. I was like, they're going to get sued to death. I don't know how you're going to exist. This is really bad. And that was a no logs, no crime. So how did they rebuild their code? Because they were ransomwared for the second time; all their stuff is toast. It wasn't this one; we did have another client who said, hey, we got it under control, then they logged into their Veeam server and you can see the command prompt where they just deleted everything and just said "now what" with a happy face. True story. That was pretty crazy. So going back to these guys: everything's destroyed. We're out. Everything sucks. So what we did is they said, "Hey, didn't you say our stuff's on the dark web?" And I was like, "Yes." They're like, "Well, how much, though?" I'm like, "I know where this is going." Okay, all of it, probably. He goes, "Can we just download it? You could put it back in our environment?" I was like, "Sure, let's do it. Why not? When in Rome. We got paid for it. Whatever." So I was like, "Let's get it. Let's, you know, scan it. Make sure it's all safe." But yeah, they rebuilt their infrastructure with the data that was available on there. So pretty wild. Pretty wild. So if

you actually have logs, if you guys know, it's pretty much a disaster to go through all the logs. You can scroll through Excel; it's so hard, you know, or through Windows Event Viewer. This one's pretty good. I don't use this; I should. It's Chainsaw. You can't actually read that. Everyone uses Chainsaw. Tanner, see, he's the one. There you go. See? Yeah. So, as opposed to you doing Ctrl+F and trying to find different event numbers forever, this is the way to do it. It runs super fast. I guarantee this is the way that, well, I would say, we find so much stuff so quickly. That's probably the fastest tool we have, and it's free. So it's free. Pretty cool. Shout out to those guys.

I don't know why this is in here. Marketing got a hold of this. What happened? I don't understand this. Anyway, so one of the tools that we, well, it's open source, so we don't technically use this. I have Autopsy. If you haven't used it, you should, even just for fun. That's how I kind of got into forensics. I'm so technologically old; I did my first examination in 2003. So I use a lot of manual stuff. This one, when it came on the scene, was pretty good. I used to buy hard drives off the internet and recover data. I'd just actually start carving by hex; I don't know, I was bored, and it's fun, though. Didn't find anything weird. That's what I told myself; I mean, that could have been wrong. So yeah. So I use this more for, when I'm doing an incident, if I'm looking at something on a share, I'll do what's called a logical, not a full disk image, because I would say traditional forensics, which I would call hard drives, the whole thing, unallocated, all that, that's a real thing, but in an incident response you don't have time for that. You need answers quickly. So taking a logical snapshot of a folder or even a file, you can throw it in here and check out the hex on it, and maybe even submit that to online services where you can dump malware and stuff like that and figure out what you're doing.

My favorite thing is memory forensics: Volatility. My homie, named Andrew, I always forget his last name. He's in New Orleans. He's a super cool guy. What's up there? This is important. You guys got to see this. Boom. Okay. So why it's important is, again, as opposed to doing a whole machine, it's probably going to be something going on in memory. So you use FTK Imager, not sponsored by them. It's free. Coolest guy ever who made that. He sold it like three times, but the rule was you can never make anyone pay for this. It's free. It's kind of cool. It looks like an eight-bit thing. It has the hilarious little picture of a memory stick. It's green. Click on it. You can drop it in here. And this is the most important to me. So psscan: basically, it's a process that gets hit and it deletes itself. A lot of stuff will spin up eight other services, then delete itself. Why that's important is you're never going to find what's actually manipulating the machine unless you use psscan, dlldump. You can kick that out of there. This one I put back in the slide because it's hilarious. So you can see people not know how to unzip. Hackers have a real big problem unzipping stuff. We see them go here and it's like syntax error. So then you see them go to the internet and, like, how to unzip a file. True story. I'm not even joking. It's hilarious. So that's where the fun stuff is. filescan, all that stuff. netscan, we're going to go to that one. And then this one, it's probably expired now, but on Windows, was it 10 or 10? 10.

If you guys didn't know this, Internet Explorer came on there, installed anyway for free. You know, when they had Edge, it was still there, right? So what people were doing, which I thought was super clever, is they were getting on the machine and exfiltrating, launching Internet Explorer this way, because no one's even looking for that traffic. So, launching it, they have full access to it. They're not updating it either, because you wouldn't update it. No one's using IE6 at that time. So, pretty cool. So you can see what they typed in there, all that cool stuff. Very fun.

psscan, kind of an example: the ID number. This is the terminated process. These are old, but I also had to get permission to use all these here. So as you can see, you can use these for anything: figure out what's terminated, figure out what's running, figure out where the parent ID is to what process. This is a parent ID, and a PPID is basically the kids, if you will. So you can see which one birthed the other processes and hunt stuff down. netscan is my favorite. So what this is: you can see everything that is listening on what port or what IP address, probably your local. If it's going to a foreign address, that's really easy. That's where you can find maybe some command and control. You can see that this process is probably called "service", because they all are, right? And it's listening to a rogue IP address, and that's where you can go to the firewall and start to see what kind of traffic went to that destination. And yeah, what's next? cmdscan. Yeah, this one's funny. So you can see everything in command. I told you about those guys who didn't know how to unzip some stuff. This is where we find the funny stuff. So anything, when that machine was running, we can see everything that was put in the command prompt on that computer. Pretty cool, huh? connscan, connection scan, same thing. This is a little better shot. Remote hosts. A lot of that's Microsoft and stuff like that. But you can see ports, where it's connecting, what port it's going out on, what's the process ID. Really cool stuff. That's probably super nerd stuff, but I'm totally into this. Even like you got your offset. Next, let's go.

Network forensics. I always say I kind of get excited for the people who hate getting syntax errors and don't use Linux, like me. This is a GUI, so you're welcome. So everyone's familiar with Wireshark. Yeah, pretty much. Okay. So what you could do, for testing purposes only, is you should go to your university or your house or your business, for educational purposes only, do a pcap and then just drop it in this one called NetworkMiner. There's a newer one that you've got to pay for, but it's still pretty good. This one's the free one. And like I said, it's a GUI, so you're welcome. You can check some DNS, if there's some poisoning going on, different connections, browsers, IPs of where stuff was headed, file source, where stuff is being downloaded to or what was, and this is in the packet, right? So this is on your network of all these devices. I even use this for, it's on there, I use this for asset research, too. So put it on the network and see what assets are out there, because you can click... I don't think I have it there. Thought I did. Oh, I guess I don't. There you go. Host count. Sorry. Thanks. So it'll scan everything that's talking during that time. You can see if it's Windows, if it's an Apple computer; all this stuff is available here. And you've got to just take it and just drag and drop it. It'll process it. It's really cool. So if you have an unauthorized device, you can find it pretty quick, because the name's probably going to be different, and it took you like five seconds. So it's a really cool tool for that, too. So, very, very pumped. So, there we go. All right. Wrong class, right? So, this

little tactic came up from our team, because I have never heard anyone talk about it. We were getting a lot of environments where the customer would be kind of partially compromised or maybe fully compromised, and we didn't know how to get access back, or getting a domain admin was really tough. So my team was like, just hack them. I was like, wait, hack the customer that's already hacked? I was like, that sounds weird. They're like, no, we should do it. What do we do? No, it's going to break. It's already broken. I was like, I'm listening. So my engineers, this is, I got permission to put a BloodHound in. This is BloodHound; you're probably familiar with this, trying to find the path of least resistance to the domain admin. Run this in the environment. This is also what we do on some pen testing stuff. Obviously it's an old screenshot, but we try to figure out how we can get access back to the admin account so we can steal it back for them, because also, when they do reset domain admin passwords, the passwords have been pretty easy to crack, to be honest. So that's pretty funny.

Another thing is, anyone heard of Cobalt Strike or used Cobalt Strike? Yeah. Okay. So we were trying to figure out what this command and control was doing. So there's a thing called beacon hunting. We're trying to see who's actually talking outside to the command and control. And what you can do is, we were trying to figure it out, and also we wanted them to stop, theoretically, in the metaverse, stop attacking our clients. So we had to take them down in the metaverse, clearly. So we installed all of our own beacons on our entire environment and used a tool called CobaltSpam. So it takes all the, we put ten, basically, we'll call it tokens, on each machine, and we make everyone talk to that client, and it causes it to collapse in the metaverse, and the person can't get back in, because that gets, and they can't come back up. So pretty cool.

Yeah, so I can't find, so this is one thing that, this is actually more relevant. This is another one. If you guys do find something where it's a patch or something that's not working, this is PDQ Deploy. All you have to do is have access. If you can do that, you can push anything. Thank you. You can push anything out to the entire company. Sometimes we get limited access. You can do this on your local machine and we just push it out, and push malware to everybody for free. It's a very nice tool.

Very nice. Anyone ever heard of that? Yeah, it's good. It's good. Good stuff. All right. Other issue: admin. The attacker changed the domain password; he's the admin now. So then my team was like, well, let's just steal it back. So we use Responder. So it's just thinking differently, right? It's the same techniques, right? So Responder collects hashed passwords. We steal the hash, sorry, we take our property back, and then we cracked the hacker's password, changed it, and then just shoved them out of the whole environment, because we basically, we hacked the hackers, if you will, legally.

Solution two: this works sometimes. The Zerologon exploit. The reason why I put this in here: not everyone's going to be vulnerable to these, but we've used these multiple times. So what we do, I told you earlier, is once we had the environment, found out what they took control of, especially the domain controllers, we did our own vulnerability scans so we could see what vulnerabilities we want to use to see if we can basically exploit that machine and take ownership back. So pretty cool. We used this one before. This one is a hilarious one. I forgot, it's kind of old, but the Sticky Keys thing. Sticky Keys: they alert, it opens a CMD prompt. So we were able to do that for one of our clients and regain a domain admin and rebuild the company and kick them out and give hilarious name messages, because, if you guys don't know, usually if you're talking to a hacker, you'll have to go through, they have their own, probably Signal, or they'll go through, what's that? XMPP. Yeah, XMPP communication. So when we, air quote, win, we definitely give them grief all the time. You're welcome. Yes, definitely make their life hard.

Random, for the maybe one compliance person that's here: if you work in banking, you have 36 hours to report. If over 250, that actually does matter with your state law, whether you have to report it or not. Also look for a breach policy, if you guys have it. If you don't, you should start doing that. Legal counsel, incident response, blah blah blah, media coverage. Hope you did forensics right. Prevention: I'm just like everyone's saying, yeah, logging would help. Make sure it's not three days. I know the vendor told you it's forever, but it's probably not. So maybe ask for logs. Yeah, you must know, and I would say do this as a team exercise with other companies you work with: we try to find their gold and see how easy it is to get to their gold. Do you know where it is? Do you know who to contact if something's down? Finding vulnerabilities is always fun.

I say no checkbox pen test. Penetration test: there's a big difference. The world is still fighting this forever, like patches, the difference between a vulnerability scan and a pentest. So just so we're clear on that. Tabletop exercises. MFA everywhere. And that is it. Thank you for coming to my talk.
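The memory-forensics triage the talk walks through (psscan to surface processes that pslist no longer lists, netscan to spot a process talking to a foreign address, and noticing that a process "probably called service" is not one of the real system binaries) can be scripted over the plugins' text output. The following is an added example in Python, not code from the talk, from Alias Cyber Security, or from the Volatility project. The process and connection tables are constructed sample data laid out in the column order of Volatility 3's windows.pslist, windows.psscan and windows.netscan plugins (some columns those plugins print are omitted); the local-network list and the set of system binary names are assumptions to be tailored to the environment being examined.

```python
"""Triage helpers over Volatility-style text output (added example, constructed data)."""
import ipaddress

# --- Constructed sample data: tab-separated, header row first ---------------------
PSLIST = (
    "PID\tPPID\tImageFileName\n"
    "4\t0\tSystem\n"
    "820\t716\twininit.exe\n"
    "1204\t820\tservices.exe\n"
    "3352\t1204\tsvchost.exe\n"
    "4488\t3352\tservice.exe\n"       # constructed lookalike of services.exe / svchost.exe
)
# psscan carves process objects from memory, so it also returns ones that have exited
# or been unlinked from the list pslist walks; here one extra cmd.exe child of PID 4488.
PSSCAN = PSLIST + "5120\t4488\tcmd.exe\n"
NETSCAN = (
    "Proto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\n"
    "TCPv4\t10.0.0.15\t49712\t10.0.0.2\t445\tESTABLISHED\t4\tSystem\n"
    "TCPv4\t10.0.0.15\t49801\t198.51.100.7\t443\tESTABLISHED\t3352\tsvchost.exe\n"
    "TCPv4\t10.0.0.15\t49877\t203.0.113.42\t8443\tESTABLISHED\t4488\tservice.exe\n"
    "UDPv4\t0.0.0.0\t5355\t*\t0\t\t3352\tsvchost.exe\n"
)
# Assumed "local" ranges: RFC 1918, loopback, link-local, multicast, unspecified. Listed
# explicitly rather than via ipaddress.is_private, because Python also treats the
# TEST-NET documentation ranges used in the sample above as non-routable.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "224.0.0.0/4", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]
# Assumed set of well-known Windows binaries that malware likes to impersonate.
SYSTEM_NAMES = {"svchost.exe", "services.exe", "lsass.exe", "csrss.exe", "wininit.exe", "explorer.exe"}


def parse_table(text):
    """Turn a tab-separated table with a header row into a list of dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]


def parse_processes(text):
    """Map PID -> (PPID, ImageFileName) from pslist/psscan output."""
    return {int(r["PID"]): (int(r["PPID"]), r["ImageFileName"]) for r in parse_table(text)}


def hidden_or_terminated(pslist_text, psscan_text):
    """PIDs that psscan carves but pslist does not list: exited or unlinked processes."""
    listed = set(parse_processes(pslist_text))
    return sorted(pid for pid in parse_processes(psscan_text) if pid not in listed)


def parent_chain(pid, procs):
    """Image names from pid up through its parents; stops at an unknown PPID or a loop."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, name = procs[pid]
        chain.append(name)
        pid = ppid
    return chain


def is_external(addr):
    """True for a foreign address outside LOCAL_NETS; '*' and unparsable values are not."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in LOCAL_NETS)


def within_one_edit(a, b):
    """True when a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) < len(b):
        a, b = b, a                      # a is now the longer (or equal-length) string
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        i += 1                           # skip a char of the longer string (deletion) ...
        if len(a) == len(b):
            j += 1                       # ... or of both (substitution)
    return edits + (len(a) - i) <= 1


def lookalike_names(procs):
    """Process names one character away from a well-known binary name, e.g. service.exe."""
    return sorted({name for _, name in procs.values()
                   for sysname in SYSTEM_NAMES if within_one_edit(name.lower(), sysname)})


def external_connections(netscan_text, procs):
    """netscan rows with a routable foreign address, annotated with the owner's parent chain."""
    hits = []
    for row in parse_table(netscan_text):
        if not is_external(row["ForeignAddr"]):
            continue
        pid = int(row["PID"])
        hits.append({"pid": pid, "owner": row["Owner"],
                     "remote": f'{row["ForeignAddr"]}:{row["ForeignPort"]}',
                     "chain": parent_chain(pid, procs)})
    return hits


if __name__ == "__main__":
    procs = parse_processes(PSSCAN)
    print("psscan-only PIDs:", hidden_or_terminated(PSLIST, PSSCAN))
    print("lookalike names:", lookalike_names(procs))
    for h in external_connections(NETSCAN, procs):
        print(f'PID {h["pid"]} ({h["owner"]}) -> {h["remote"]}  chain: {" > ".join(h["chain"])}')
```

On the sample data this reports PID 5120 as present only in psscan, flags service.exe as a lookalike of a system binary, and lists the two sessions to addresses outside the local ranges together with the parent chain of the owning process; the firewall lookup the talk describes would then start from those two foreign addresses. To run it against a real image, paste the plugins' output in place of the constructed strings and adjust LOCAL_NETS to the organisation's address plan.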