[00:00:02] Okay, let me introduce you here.

[00:00:06] Well, welcome everybody to DEF CON 30's AltspaceVR DEF CON group meeting. Jon Clay is from Trend Micro. He's going to give us a presentation on cyber attack trends in 2022. Jon Clay has worked in the cybersecurity space for over 25 years and uses his industry experience to educate and share insights on threat research and intelligence with the public. He delivers webinars, writes blogs, and engages customers and the public on the state of cybersecurity around the world. An accomplished public speaker, Jon has delivered hundreds of speaking sessions globally. He focuses on the threat landscape and cyber criminal undergrounds, the attack lifecycle, and the use of advanced detection technologies in protecting against today's sophisticated threats. So thank you for being here, Jon, and take it away.

[00:00:55] Yeah, thank you. So this will be an interesting one because obviously we don't have slides, so I'll try to talk through the details of what I wanted to go over today. But thanks everybody for joining us. Hopefully we'll get these slides rolling here at some point. But let's talk a little bit about attack trends.

[00:01:17] You know, Trend Micro was one of the founding members of the Cybersecurity Tech Accord, which is a group of over 150 organizations around the world. And we did a survey recently around nation-state threats and challenges with nation-state threats.
[00:01:40] And we asked a number of questions that I thought were going to be pertinent to this discussion today, and I wanted to share some of those with you. So the first one is: how concerned are you with being a victim of a nation-state attack? You know, as we've seen with the Russia-Ukraine conflict going on, there's a lot more talk about nation-state activity. You may be in an industry where you may be targeted by nation-state actors. But it was interesting. The responses went from very concerned, somewhat concerned, a bit concerned, to not concerned at all. And only 2% said not concerned at all. So everybody is a little bit concerned about this and about nation-state actors targeting them.

[00:02:27] The next question was, how will we prepare to defend ourselves against these nation-state attacks? And one is increasing investment in cybersecurity-related technical measures. So certainly looking at the technical aspect. They also said improving training and education of employees. So we're looking at people and the people side of the equation. And then, you know, designating a person or a team to be in charge of cybersecurity, establishing or enhancing corporate policies. So when you think about risk, right, we always talk about people, process and technology.
[00:03:08] And the answers here definitely fell in line with that, which is, you know, as organizations start building better defenses in the future, you need to really think about all three of those areas in your business: how you're going to deal with people, how you're going to deal with process, and how you're going to deal with technology.

[00:03:26] One of the interesting questions we asked was, where will people be attacked? Where do they think within their organization they're going to be attacked? Number one at 60% was the cloud environment. Certainly with the pandemic happening, a lot of organizations have made some new investment in cloud architecture. And that definitely is going to be a cause. And the criminals know this. And they also realize that it's new to a lot of organizations. So they probably are making some mistakes. And it may be an area that is not as easily defendable by an organization as some of the other areas that have been around much longer. Number two at 47% was employee computers and laptops. Kind of not surprising, obviously. They're going to target your employees. They're going to target, obviously, the devices that they're using. Another one was mobile phones at 22%. Hardware infrastructure was actually three at 46, almost 47%, which is like your servers and stuff. So that, I thought, was interesting.
[00:04:35] And then how will we be attacked? They asked this question in two parts. They said, how will we be attacked today? And how will we be attacked in five years? What's interesting is today they say, or 47% say, malware. And then there is phishing and spear phishing. Third is ransomware. Fourth is denial of service. Fifth is SQL injection. And sixth is man-in-the-middle. But five years from now, they think number one will be ransomware. And obviously, we've seen ransomware in the news quite a bit. And so these respondents really feel that ransomware is going to increase in the future rather than decrease. The second one, though, was denial of service. So I think they're thinking that these actors may be looking to do a little bit more harm within organizations' systems. Malware dropped to number three, and then we had phishing and spear phishing as number four.

[00:05:44] So that just gave you some idea, based on some of your peers responding to this survey; I thought it would be a good idea to key up. The next area I wanted to look at is the actors and their motivations. So a lot of you probably know who all the different types of actors are. But when I talk to a lot of customers and people in the industry, one of the things I mention a lot is that you need to think about who could be targeting you.
[00:06:15] So when you're going to build a defense plan and strategy, you need to think about who are the most common actors that could be targeting you. Because obviously, their motives and their methods may be different based on the different types of actors. So today, obviously, probably the number one is cybercriminals, financially motivated folks. These are the ransomware gangs out there, the business email compromise gangs. But you also have amateurs and script kiddies. We certainly still see the script kiddies out there.

[00:06:47] Although one of the guys that I work with, who heads up one of the research communities inside Trend Micro, was sharing with me the other day: we used to have this pyramid of sophistication when it came to the actors. And at the bottom was the script kiddies, which were not very sophisticated. In the middle, you had some of the newer people not around. And then at the very top was the nation state; we always thought nation state actors were going to be the most sophisticated. But if you think about it, you're a much better person in your job today than you were when you first started. And we've seen a lot of these actors being in this industry for many, many years. So the sophistication level has almost taken that pyramid and flipped it upside down, so that most of the threat actors out there, or those within the actor gangs, are very sophisticated, almost as sophisticated as the nation state actors are.
[00:07:48] So that is one of the challenges we feel is happening in the world today: they are getting much better at what they do.

[00:07:59] Hacktivists are still around; we saw an emergence of Anonymous with the Russian invasion of Ukraine, and Anonymous people going after Russian networks. So certainly the hacktivists, and again, their motive may be a little different from, obviously, a cyber criminal, for example. Nation states, obviously, we mentioned that, but also competitive spies can be out there. So when you're thinking about that defense, and depending on the industry you're in, you want to think about who these people are that could be targeting me, so that you have the ability to understand their TTPs and the way that they could be attacking you.

[00:08:38] And the next area is motivation. So what motivates these threat actors? And I have four areas that I talk about a lot in this area.

[00:08:50] Was there a question?
[00:08:53] Okay, I just muted him.
[00:08:56] Yep, yeah, speed it up a bit.
[00:08:59] Oh, no, Shane, I just muted them.
[00:09:00] No worries.
[00:09:01] Oh, okay.
[00:09:02] Sorry.

[00:09:03] The first area is espionage. So again, you know, mostly Chinese actors tend to be very prolific on the espionage stage. They're trying to steal intellectual property. If you're a manufacturer, for example, you've got your processes down to how you manufacture your product.
[00:09:21] And they may look to steal that because they don't want to invest in the R&D that goes into that. So cyber espionage is pretty big. The second area is financial gain. That's probably the biggest. Again, I think this industry now is closing in on over a billion dollars in illegal revenue coming from cybercrime. So it's definitely a huge business out there today. And it could even be multi-billions for all we know. They do not put in W-2 forms to the IRS when they make money. So we don't really know how much money they're making, but it's certainly probably extensive.

[00:10:00] The third area is disruption or destruction attempts. And this is where, you know, as we saw with the Russia-Ukraine conflict, we saw more destructive attacks. There were some wipers thrown out there very early on that tried to wipe systems versus encrypting systems, for example, like the ransomware actors. If I wipe a system, it's not usable anymore. Whereas if I encrypt it, obviously, if I can get the key, I can get that system back up and running pretty quickly. So disruptive and destruction attacks. And the fourth area, which a lot of people don't realize today, is an education motive. And we're seeing this happening more and more, especially in the critical infrastructure area, where you may have actors inside your critical infrastructure, but they aren't doing anything destructive.
[00:10:52] They aren't doing anything to create financial gain. All they are doing is trying to learn how to access ICS or SCADA devices or access an OT network so that they can figure out: can I do it? What can I do? We kind of saw this potentially with the Russian invasion of the Ukraine power plant years ago, where they probably did that as much for educating themselves on how to get access to that network, how to bring down those systems. So these are a lot stealthier types of activities, because again, they're going to come in, they're going to do stuff, and then they're going to leave and wipe all of the traces of their attack. So again, think of the motivation of these actors against your organization, depending again on what industry you're in, what products you produce, what services you produce, that kind of stuff. So think about that as you're building that defense model.

[00:11:54] The other thing I wanted to highlight is the attack stages. So there's a definite model that has been followed over the last several years of the attack lifecycle. And it all came out with kind of the cyber attack chain that Lockheed Martin has patented. And it really starts with intelligence gathering. So before they even launch any type of an attack against your organization, they're going to figure out who they want to target. Again, that's going to be not only who the victim is, and what their motivation is in attacking them, but also who in the organization they want to initially target.
[00:12:39] So they'll do all this upfront intelligence gathering to understand who, what, when, where, why, how am I going to target them. So they'll have all of that information usually upfront before they actually go into the second area, which is point of entry. So how do I initially access this network and get into it? And we're seeing some new things I'll talk about in one of the future slides here. But point of entry certainly is the next stage.

[00:13:09] The third stage is where they establish a command and control infrastructure. They need this to continually keep access to that compromised network. And this can come in many different forms, but there's always typically going to be a command and control infrastructure that they will establish inside the organization and outward bound to allow them to see that information and continue to have that access.

[00:13:38] And then the fourth stage is lateral movement. And this is something we're seeing even in a lot of the ransomware attacks, where they'll get in and they will then laterally move. Because obviously if I compromise an employee's system to get access, usually that employee's computer is not going to have the information or the data or what they want to achieve and their motive in getting access to your network. They will then need to laterally move across the network to different areas. It could be your cloud infrastructure, could be your data centers, could be critical infrastructure, your OT network, whatever that might be.
[00:14:16] The fifth area is asset and data discovery. So if they're an actor group that wants to steal data, they're going to look for your customer data, your intellectual property, your source code. Again, as part of that lateral movement process where they map your network out, they're going to learn where those repositories are. And then they look again: how do I access those?

[00:14:40] The sixth stage is what we call data exfiltration. So once I find data, I need to exfiltrate that out to their command and control infrastructure or to somewhere where they can get access to that data. And again, this is not going to be done through massive uploads to the web. It's going to be done in byte-sized increments so you don't see it very easily. It's going to be encrypted, obviously. It may utilize different channels. It could use, you know, a Dropbox channel, if you use Dropbox inside your account; it could use, you know, OneDrive. It could be an email with an attachment, whatever it might be. They're going to figure out a way to exfiltrate it without you realizing it.

[00:15:24] And there's actually a seventh stage, which a lot of people don't realize, but it's called the maintenance stage. And the maintenance stage is where they will continue to stay resident in the network, but they may not be as active. They may throw some back doors on systems that they just let sit there.
[00:15:45] They don't, you know, they don't activate. They may ping the command and control infrastructure every month or every couple of months just to let them know that they still have access, because they may want to sell that access at some point or utilize that access for another attack against that organization. So you're going to see that regardless of whether it's a ransomware attack, whether it's a business email compromise attack, whether it's just, you know, a data exfil type of attack: these stages are all going to be very similar in any attack that you're going to see today.

[00:16:22] Now, I don't know if everybody reads the Verizon Data Breach Investigations Report that they publish every year, but it's a pretty good report if you're not reading it, because it does give you some very good information about how the attacks are happening. But back in 2019, they actually had an appendix that was written by the United States Secret Service. And I continue to use this because it's still relevant today. And it's very good information, because what the Secret Service had done is they had all these malicious actors that they had arrested over the years in some of the very big breaches, and they asked them, how did you get access to these networks? And there are three areas that came out of these interviews with these hackers. The first thing they look for is human error. So can I find somebody who makes a mistake, misconfigures an S3 bucket, misconfigures an open IP that gives me access to that network or to that device?
[00:17:35] So they look for people making mistakes. Obviously human error is also when I send an email in and the user clicks on a link that they probably shouldn't have. So that human error thing. The second thing they look for is IT security complacency. And this is where you think about, like, not patching quickly, not configuring things, not enabling some of the advanced detection technologies that you have access to. You just don't do it. The third area that they look for was technical deficiencies. So am I not running stuff that I should be running in certain areas of the network? You know, maybe the OT network hasn't had a lot of security running in it. So it's deficient of security controls. So they look for that.

[00:18:27] But the interesting thing was, they mentioned this, and this was quoted in the article: it is when multiple TTPs are utilized in concert that cyber criminals are able to gain and maintain access to a computer network. So they're looking for not just one of these, but if they find two or three of them together, they almost absolutely know that they can get access to that network. And one of the actors actually talked about being resident on a very large organization's network for over 10 years, just following this model over and over and over.

[00:19:05] Some of the tactics that we're seeing today utilized by the malicious actors.
[00:19:10] I mentioned the extensive intelligence gathering before the attack. So that's certainly going to continue to happen. If you are publishing information out there about your network, if you're publishing information about the people, that's always going to be helpful to these criminals.

[00:19:30] Collaboration between groups is happening more and more. And this is a very concerning area that we've seen happening in the undergrounds. In the past, you used to have these groups in the underground and they'd be, you know, working only with themselves. They'd only work together if they were an independent person. But even now we're starting to see, for example, access-as-a-service gangs, whose only purpose in life is to figure out how to access a network. And then they will sell that access to another group. It could be a group that uses Emotet to laterally move across the network. And then they will sell access to a ransomware gang who will ultimately do a ransomware attack. So this collaboration is happening much more often than we've seen in the past.

[00:20:21] Counter incident response is used extensively today. So they are obfuscating their malware. They're cleaning up after themselves, erasing their tracks. I was talking to our incident response manager just this morning and I was asking him, you know, what are some of the things we're seeing?
[00:20:40] And for example, we're seeing now where they will deploy some malware on a device inside a compromised network and that malware gets detected. So, you know, good for the security product that's running on that endpoint. But what we are seeing now is that within a few hours or a couple of days, we see a variant of it popping up and running and being executed on those networks. So they're actually taking that detection and then, you know, recoding, refiguring out how to bypass that organization, that security product. So that's happening quite often.

[00:21:22] The attacks today are going to be across many of the different areas of your network. So as part of that life cycle we're seeing today, as I said, the attacks aren't going to stop and end at the endpoint. So EDR, great technology, but it's only going to see a small piece of the overall attack that you're going to see against most organizations. There's going to be network access and network traffic that they're going to be utilizing. It's going to go into the cloud infrastructure. It's going to go into a data center. It's going to use the email. It's going to use the web layer. All of these areas of your network could be utilized by these threat actors in the campaign against your organization. So that's why we're starting to see more organizations starting to adopt more of a platform approach, potentially, where the products are working together.
[00:22:15] In the past, obviously, we used the best-of-breed model that worked very well back in the day. But today, because those products are pretty siloed, they don't talk to each other. They don't give a lot of information. It's making it very hard for you, the defenders, to manage that and see the visibility of these campaigns. So you detect something on one endpoint, you may detect something on a server in a different area of your network, and not realize that it's part of the same campaign. Today, we're starting to see technology innovations that are allowing you to see that and identify that much more effectively.

[00:22:51] And then lastly, one of the other areas we're seeing today are what we call supply chain attacks or island hopping, where they're actually utilizing your software vendors, who regularly have communications into your networks, and they're using them to pop into those networks. Or you have a small business who's a vendor of yours, like in the Target attack years ago, where it was the HVAC vendor who had access to the network. And because they're a small business, they may not have as good security controls as you and your bigger organization. And so they will use it to pivot or laterally move from that network into your network. So we're seeing more of that. Obviously, SolarWinds was an example. Kaseya was an example of that. We just saw one just recently happening as well.
[00:23:45] So software supply chain attacks are going to be on the increase more and more as we go through it.

[00:23:53] Now, this next slide I want to talk about, you can't see it, but I'll tell you what's going on here. I've been discussing with our tech support organization over the last several years, you know, how are these customers or prospects that call us getting infected in the first place? So what's the root cause of an infection that happens? And there are some commonalities that we are seeing today from organizations that are dealing with these successful attacks.

[00:24:25] First is weak credentials. So there's no question that the threat actors today are looking to compromise credentials and accounts. If I can get the Active Directory account, the administrative account, I have pretty much the keys to the kingdom at that point. And we actually see this quite often, where that account gets compromised. And so the actors are going to go in, they're going to stop the process, the security product running on the endpoint; they'll turn it off because they can, they have that access, they have those credentials. So weak credentials is a big one. Email accounts, for example: business email compromise happens a lot because I'm able to compromise that CFO's email account very easily, because they're using a weak credential on it. And then I send emails from that account into the organization: I ask my finance person to wire transfer a million bucks to this account, I need it today.
[00:25:25] By the way, don't call me, because I'm in a meeting, to do the two-factor verification process.

[00:25:32] Second, outdated and unpatched operating systems or applications. We certainly know, no question, that exploits are being used regularly, whether it's an n-day exploit, which is a known vulnerability with a patch, or a zero-day, which is an unknown vulnerability that does not have a patch today. Those are being utilized quite often. But certainly, we see regularly customers like, oh, I thought I patched it, or I hadn't patched it, or in other cases, it's an unsecured device that doesn't have the ability to get patched, for example, or it hasn't been patched in years, like on an OT network, for example. So that's going to happen.

[00:26:14] Advanced detection technology is not being enabled. So we see this often, where the customer actually has the technology available to them, they just didn't enable it. AI and machine learning are prime examples of this. So you may be relying simply on signatures, and you haven't enabled the behavior monitoring, you haven't enabled a machine learning engine to be able to analyze that malware, and specifically those variants of known malware that would be able to be detected by those newer technologies. So make sure you know when you have those enabled. Another area is misconfigurations. We talked about that earlier. So we see this quite often.
261 00:27:01,080 --> 00:27:06,260 And then one thing I wanted to highlight is ransomware gets all the hype today. 262 00:27:06,260 --> 00:27:08,740 It's certainly in the news quite often. 263 00:27:08,740 --> 00:27:18,740 And one of the reasons is because it is the most visible, most loud threat we've ever seen in the history of cybersecurity. 264 00:27:18,740 --> 00:27:26,960 It pops up on the screen and it says, hey, you're infected, you know, you've been encrypted by Conti or by LockBit or whoever it might be. 265 00:27:26,960 --> 00:27:30,200 So when you get ransomware, you know you got infected. 266 00:27:30,200 --> 00:27:37,340 The challenge that a lot of organizations have is maybe thinking that that's the only threat against them. 267 00:27:37,340 --> 00:27:47,360 Whereas the reality is that that actor group has probably been in the network for quite some time, because ransomware is usually the last revenue option that they take. 268 00:27:47,520 --> 00:27:56,540 Because it is so visible, once they launch ransomware, they know the organization is going to know they're infected and they've got somebody resident in their network. 269 00:27:56,540 --> 00:28:06,440 So just be aware that if ransomware pops up, the likelihood that other activities have been happening is very, very high. 270 00:28:08,060 --> 00:28:17,060 Now, the next area I wanted to just highlight is some of the areas that we're seeing them target as they do their attacks. 271 00:28:17,060 --> 00:28:20,160 So one area is, why am I going to target credentials, right? 272 00:28:20,160 --> 00:28:22,400 Why am I looking for accounts out there? 273 00:28:22,400 --> 00:28:24,540 First and foremost, they're very trusted, right? 274 00:28:24,540 --> 00:28:31,320 Your AD account, or your Exchange account, Office 365 administrator account, those are going to be trusted. 275 00:28:31,320 --> 00:28:36,200 If I can compromise those, I probably, like I said, have the keys to the kingdom.
276 00:28:36,660 --> 00:28:44,120 It allows them to disguise their activity, because again, I'm acting as that person, so I can disguise it. 277 00:28:44,120 --> 00:28:49,140 There are a ton, a ton of stolen credentials being sold in the underground today. 278 00:28:49,140 --> 00:28:56,260 So I can go and buy RDP credentials that were stolen from previous hacks all day long in the underground, and I can use those. 279 00:28:56,260 --> 00:29:09,420 And again, if I don't have a very good credential update process happening in my account, the likelihood is that I still have an account out there running the same credentials. 280 00:29:09,420 --> 00:29:17,520 We also see, for example, I was asking my IR guy today, I said, do we ever see where they can compromise the Trend Micro administrator account? 281 00:29:17,520 --> 00:29:26,380 And he says, it happens on occasion, but usually when they find that out, it's because they used the same account credentials that they use for their AD server. 282 00:29:26,520 --> 00:29:31,360 So they're sharing accounts, credentials, across multiple applications. 283 00:29:31,360 --> 00:29:36,460 And again, big no-no for most people, but it still happens. 284 00:29:36,460 --> 00:29:38,960 And again, weak credentials is big. 285 00:29:39,080 --> 00:29:40,860 Now, why am I going to target people? 286 00:29:40,860 --> 00:29:47,660 So again, people are probably the weakest link inside your organization, the employees, but why would they continue to want to target them? 287 00:29:47,660 --> 00:29:51,060 Well, first, it's definitely easier than a technical attack. 288 00:29:52,040 --> 00:29:55,680 I don't have to go and buy a zero-day for $500,000. 289 00:29:55,680 --> 00:30:11,720 I can just, you know, craft an email, after my intelligence gathering about this employee who, for example, likes the NBA; I can craft an email that says, hey, check out this latest trade in the NBA, click here, click, boom, infected.
290 00:30:12,080 --> 00:30:14,020 Difficult to detect and respond to. 291 00:30:14,020 --> 00:30:17,040 A lot of times these employees don't even realize they've been infected. 292 00:30:17,040 --> 00:30:23,060 So they aren't communicating it to you in the SOC or into the IT department. 293 00:30:23,060 --> 00:30:27,220 So you don't even realize that they're infected, and they don't realize it either. 294 00:30:27,220 --> 00:30:32,020 People definitely give away way too much information on social media. 295 00:30:32,020 --> 00:30:38,920 As I just previously mentioned, the NBA thing, they're going to give their likes, their dislikes, their hobbies, whatever it might be. 296 00:30:38,920 --> 00:30:49,040 So crafting socially engineered content for them is very simple after doing a scan of the social media accounts of those people. 297 00:30:49,300 --> 00:30:52,320 It's very low risk for high reward. 298 00:30:53,660 --> 00:30:55,940 Vulnerabilities, I talked about vulnerabilities before. 299 00:30:55,940 --> 00:30:58,180 Why are they targeting them quite a bit? 300 00:30:58,240 --> 00:31:01,220 Obviously new vulnerabilities happen every single day. 301 00:31:01,220 --> 00:31:07,580 I think the last Patch Tuesday, Microsoft disclosed over 140, which was a record for them. 302 00:31:07,580 --> 00:31:08,900 And that's just one vendor. 303 00:31:08,900 --> 00:31:14,540 So you obviously have multiple applications and operating systems you're running in your organization. 304 00:31:14,540 --> 00:31:19,660 You're probably getting updates every day from one of those or multiple of those. 305 00:31:19,660 --> 00:31:22,280 And so these criminals recognize that. 306 00:31:22,280 --> 00:31:26,920 They actually monitor those patches as they come out and they look at them. 307 00:31:26,920 --> 00:31:38,080 We're seeing more and more one-day vulnerabilities than we've seen ever before, which is basically a vulnerability that's been exploited one day after the patch was released.
308 00:31:38,540 --> 00:31:44,740 So that's certainly a challenge, because there's so much information out there being shared publicly. 309 00:31:44,740 --> 00:31:49,820 Even the proof-of-concept stuff out there is being shared quite often, and they use that. 310 00:31:49,860 --> 00:31:52,440 There's an exploit marketplace in the underground. 311 00:31:52,440 --> 00:31:59,480 So there's buying and selling of exploits of vulnerabilities. 312 00:31:59,480 --> 00:32:04,660 You can go in the underground and you can search for Exchange or Office 365 vulnerabilities. 313 00:32:04,660 --> 00:32:08,760 It'll pop up a number of exploits that are for sale in that area. 314 00:32:08,760 --> 00:32:15,700 If I want one for a business application, I just search for that, and I can find it and buy it and use it. 315 00:32:16,100 --> 00:32:18,200 And then lastly, zero-days. 316 00:32:18,200 --> 00:32:19,920 We're seeing more and more zero-days. 317 00:32:19,920 --> 00:32:29,160 If you didn't see Google Project Zero last year, it said there was, I think there were 50 or 80 plus zero-days used in active attacks last year. 318 00:32:29,780 --> 00:32:31,300 Highest ever seen. 319 00:32:31,300 --> 00:32:41,080 And maybe the reason, I postulate, is potentially because you're doing a much better job today of protecting your networks from the traditional stuff. 320 00:32:41,080 --> 00:32:45,920 So you're blocking those N-day vulnerabilities or exploits that are being used. 321 00:32:45,920 --> 00:32:50,940 So they have to move to zero-days, because they are unknown and they actually still work. 322 00:32:52,820 --> 00:32:57,460 And then the last area I wanted to just highlight is, why target external-facing infrastructure? 323 00:32:57,780 --> 00:33:01,800 So you all probably use Shodan, or you've heard of Shodan. 324 00:33:01,800 --> 00:33:09,160 Shodan is a tool that can be used by you or cyber criminals, for example, for scanning the internet for open IPs.
325 00:33:09,160 --> 00:33:11,500 And it'll give you information about those IPs. 326 00:33:11,500 --> 00:33:16,780 It'll tell you what it is, what ports are open, what services are open. 327 00:33:17,620 --> 00:33:19,540 And so it's very easy to scan. 328 00:33:19,540 --> 00:33:27,860 And obviously that's the first thing that they're going to look for in an organization: what open IPs does that organization have? 329 00:33:27,860 --> 00:33:36,900 I'm going to scan those IPs and do a scan on them to figure out, is there anything on there that I can target and utilize to get access to that device or that IP? 330 00:33:37,540 --> 00:33:38,720 So that's going to happen. 331 00:33:39,200 --> 00:33:43,480 Misconfigurations, we talked about that, they are all over the place. 332 00:33:43,500 --> 00:33:52,120 There are exposed ports and services, certainly, all the time on these devices that should have been shut down. 333 00:33:52,120 --> 00:34:01,960 And often it's forgotten infrastructure; for example, we see again, when we talk to customers, they go, I didn't realize that IP was still there, that device was still on the network. 334 00:34:01,960 --> 00:34:06,580 It should have been, you know, archived years ago, but it's still active and still there. 335 00:34:08,560 --> 00:34:17,820 So that's kind of the main stuff that I had today to talk about in terms of what is happening, how is it happening in the underground. 336 00:34:17,820 --> 00:34:30,420 In the next few minutes, I wanted to highlight and give you some recommendations that I give customers and people out there on how to help you defend against these.
337 00:34:30,420 --> 00:34:56,200 Again, this is a great time right now to really look at your overall cybersecurity strategy and your plan and how you go about things, because, like I mentioned before, with all these different types of TTPs and attack scenarios, maybe a traditional approach to your cybersecurity may not be helping you today; 338 00:34:56,200 --> 00:34:59,340 it may actually be hurting you more than it's helping. 339 00:34:59,340 --> 00:35:01,420 So first area, audit and inventory. 340 00:35:01,420 --> 00:35:16,240 So attack surface management, attack surface discovery are terms that are being used quite often, but they're actually pretty good, because, as I said, if you can't see it, don't know it's there, how do you defend against it? 341 00:35:16,240 --> 00:35:30,340 So having something that can do some more attack surface discovery for you can help you audit and inventory all of the devices that are on your network, both internal and external, to understand that. 342 00:35:31,120 --> 00:35:39,160 And then identify authorized and unauthorized devices and software, make an audit of event and incident logs. 343 00:35:39,160 --> 00:35:44,500 So you're obviously logging a lot; make sure you're looking at those logs and identifying. 344 00:35:44,500 --> 00:35:55,640 If you don't have the expertise, you don't have the manpower to be able to do that, that's where maybe look at a managed service provider or managed service option for you. 345 00:35:55,800 --> 00:35:57,480 And then configure and monitor. 346 00:35:57,480 --> 00:36:00,000 So manage hardware, software configurations. 347 00:36:00,000 --> 00:36:01,900 So we talked about misconfigurations. 348 00:36:01,900 --> 00:36:05,620 You may take this time right now to look at all your configurations. 349 00:36:05,700 --> 00:36:13,760 Have a call with your cybersecurity vendor or vendors and make sure that you have their best practices guides.
350 00:36:13,760 --> 00:36:20,340 Make sure you have configured their products properly and given them the best opportunity to detect the latest. 351 00:36:20,340 --> 00:36:26,220 Make sure you have the latest and greatest software from them, from those vendors, and make sure it's working. 352 00:36:26,640 --> 00:36:31,420 Grant admin privileges and access only when necessary to an employee. 353 00:36:31,440 --> 00:36:46,640 So again, that's looking at who has access to your AD administrative accounts, who has access to your customer data, and then limit them to only being able to access that at the right time, with the right person having access. 354 00:36:46,760 --> 00:36:50,120 Monitor network ports, protocols, services. 355 00:36:50,560 --> 00:36:55,100 Activate security configurations on network infrastructure devices. 356 00:36:55,320 --> 00:37:01,920 So again, a lot of this activity, network activity, can help you identify if you're compromised. 357 00:37:01,920 --> 00:37:05,020 Lateral movement is an area where you can do that. 358 00:37:05,020 --> 00:37:13,340 Even command and control infrastructure, as it pings outside to the command and control server or servers out there, you may be able to identify. 359 00:37:13,340 --> 00:37:20,600 Maybe that infrastructure was built in a region of the world where you don't have businesses or do business. 360 00:37:20,600 --> 00:37:32,600 So then you could look at, oh, why do we have something connecting to a server in Zimbabwe, or wherever it might be? 361 00:37:32,600 --> 00:37:35,040 And then you could cut off that access. 362 00:37:36,580 --> 00:37:38,260 Another area is patch and update. 363 00:37:38,260 --> 00:37:39,460 We talk about that quite a bit. 364 00:37:39,460 --> 00:37:41,200 But one area is virtual patching.
365 00:37:41,200 --> 00:37:55,500 You may not even think about virtual patching, but virtual patching actually allows you to virtually patch that vulnerability for a period of time until you actually can do the proper process and QA of the full patch. 366 00:37:55,500 --> 00:37:57,880 A lot of times those patches aren't complete. 367 00:37:57,880 --> 00:38:04,320 So a virtual patch may have a more complete ability to detect an exploit. 368 00:38:04,340 --> 00:38:18,060 In fact, Project Zero, of the 24 zero-days that have been used in 2022, 12 of them were variants of earlier vulnerabilities that had been used in attacks before. 369 00:38:18,060 --> 00:38:27,640 So they're starting, even the criminals are starting to use variants of exploits that worked in the past, because they work now and they can get around the defenses. 370 00:38:27,640 --> 00:38:29,500 But virtual patching, look at that. 371 00:38:29,500 --> 00:38:34,600 Also network IPS, outside-in and inside-out. 372 00:38:34,600 --> 00:38:38,400 That can help you identify some of this stuff as well. 373 00:38:39,100 --> 00:38:40,280 Protect and recover. 374 00:38:40,280 --> 00:38:44,960 Certainly implement data protection, backup, recovery measures for ransomware. 375 00:38:44,960 --> 00:38:52,240 As you know, one of the big things for ransomware was, can you back up and recover very quickly from a system that's been encrypted? 376 00:38:52,240 --> 00:38:54,780 So that would be a good one as well. 377 00:38:55,640 --> 00:38:57,980 Enable multi-factor authentication. 378 00:38:57,980 --> 00:39:13,120 Definitely got to have that in, especially with, like I mentioned, those big applications, those business-critical applications, and any access to your critical data, your customer data, your source code data, your IP data, etc. 379 00:39:14,060 --> 00:39:15,540 Secure and defend. 380 00:39:15,540 --> 00:39:18,660 A lot of times there are actually preventative measures.
381 00:39:18,660 --> 00:39:26,220 So EDR is great for detection and response, but there's a lot of technology today that can actually prevent these attacks. 382 00:39:26,220 --> 00:39:27,900 Look for early warning signs. 383 00:39:27,900 --> 00:39:36,760 If I see an Emotet detection in my network, that may be an indicator that there's a ransomware attack coming in the future. 384 00:39:36,760 --> 00:39:58,260 And that can inform you and maybe lead you to harden some of the areas, especially if you know the actor group, because you could go to the MITRE ATT&CK Framework site, look up that actor group that uses Emotet or uses Cobalt Strike, for example, and you can identify their TTPs and what they could do in the future inside your network. 385 00:39:58,260 --> 00:40:01,600 And then lastly, train and test your employees. 386 00:40:01,920 --> 00:40:04,080 Train your employees, train your users. 387 00:40:04,080 --> 00:40:11,300 If you're doing a cloud infrastructure, make sure your cloud architects are fully trained in how to secure that cloud infrastructure. 388 00:40:11,480 --> 00:40:26,580 Maybe implement some of these technologies today that can identify when somebody misconfigures something, and it can alert you or ping that person that maybe they shouldn't make that configuration change, because it's opening it up to attack at that point. 389 00:40:27,480 --> 00:40:29,440 So that's all I had today. 390 00:40:29,440 --> 00:40:30,980 I hope this was helpful. 391 00:40:30,980 --> 00:40:34,140 If there's any questions, I'd be happy to take those now. 392 00:40:45,620 --> 00:40:47,700 Thank you very much for the hand claps. 393 00:40:47,700 --> 00:40:49,180 I appreciate that. 394 00:40:50,900 --> 00:40:53,220 Well, I will sign off then. 395 00:40:53,220 --> 00:40:55,480 Everybody have a great rest of your conference. 396 00:40:55,480 --> 00:40:56,720 I hope it all goes well.
397 00:40:56,720 --> 00:41:00,080 And if you have any questions or anything, you can certainly reach out to me. 398 00:41:01,280 --> 00:41:05,480 John underscore Clay at Trend Micro.com or John L. 399 00:41:05,480 --> 00:41:06,480 Clay on Twitter. 400 00:41:06,900 --> 00:41:08,000 J-O-N. 401 00:41:08,000 --> 00:41:09,280 I don't have an H there. 402 00:41:09,280 --> 00:41:10,580 So thanks, everybody. 403 00:41:10,580 --> 00:41:13,720 Have a great day and stay safe and healthy. 404 00:41:13,720 --> 00:41:14,380 Talk to you soon. 405 00:41:14,380 --> 00:41:15,160 Bye-bye. 406 00:41:15,480 --> 00:41:16,620 Thanks, John. 407 00:41:17,860 --> 00:41:19,120 Thanks very much. 408 00:41:19,320 --> 00:41:21,040 Press the R key to... 409 00:41:23,160 --> 00:41:24,080 Which key? 410 00:41:24,080 --> 00:41:27,440 The Romeo key to drop the mic. 411 00:41:31,100 --> 00:41:31,980 Romeo. 412 00:41:32,460 --> 00:41:33,180 Romeo. 413 00:41:33,180 --> 00:41:33,800 R. 414 00:41:33,800 --> 00:41:34,920 Letter R. 415 00:41:35,180 --> 00:41:35,620 Romeo. 416 00:41:35,620 --> 00:41:36,080 Yeah. 417 00:41:36,460 --> 00:41:37,480 Yeah, on your keyboard. 418 00:41:37,480 --> 00:41:39,220 If you press R, it'll drop the mic. 419 00:41:39,660 --> 00:41:40,380 There we go. 420 00:41:40,380 --> 00:41:41,200 There you go. 421 00:41:41,380 --> 00:41:42,180 Thank you, John. 422 00:41:42,180 --> 00:41:43,280 That was excellent. 423 00:41:45,640 --> 00:41:46,660 Thank you, John. 424 00:41:47,100 --> 00:41:48,680 Excellent presentation. 425 00:41:50,200 --> 00:41:52,900 We're still working on the slide problem, by the way. 426 00:41:52,900 --> 00:42:00,980 It looks as if the service that they use for... that allows us to project slides into the meeting space has gone down. 427 00:42:01,400 --> 00:42:07,580 We are contacting... we have contacted and put in a trouble ticket to Altspace VR tech support. 428 00:42:07,580 --> 00:42:09,480 And we've got multiple people working on it.
429 00:42:09,480 --> 00:42:15,400 They're doing PCAPs to see if there's anything going on, like some type of network problem, that sort of thing. 430 00:42:15,400 --> 00:42:17,620 But right now, it looks like the service is down. 431 00:42:17,620 --> 00:42:18,580 Now, in the meantime... 432 00:42:19,800 --> 00:42:24,620 Hey, Giglio, you need to mute your mic because we're getting your keyboards. 433 00:42:25,680 --> 00:42:26,540 Thanks. 434 00:42:28,640 --> 00:42:30,320 So we're working on that. 435 00:42:30,320 --> 00:42:33,520 Our next speaker will be here in about eight minutes. 436 00:42:33,840 --> 00:42:36,620 And as soon as they're here, we'll introduce them.