 Hello everyone and thank you for joining me today in the session about the CTI League. I called the session watching the Watchmen because first I really like comics and I really really admire the Watchmen comics, but second I think that this is the question of the CTI League. Who watched the Watchmen? Who saved the people that protect in our lives? Who take care of the people that take care of our lives? This is really really important and today we are going to speak about the CTI League, about the effort of us and how we are trying to make a safer cyberspace for the medical sector and a little bit about cyber intelligence. We will start with an introduction for the CTI League about our mission and how we are trying to achieve this mission. Then we are going to speak about cyber threat intelligence on the matter of the threat actors, the organization focused and the unknown world of the intelligence and a little bit about what is the future for the CTI League. So let's start with an introduction. As I said my name is Oad Zeidenberg. I'm one of the founder and the executive director of the CTI League. Moreover, I'm a CTI researcher, cyber threat intelligence researcher mainly focused on threat hunting and intelligence for the past 10 years and doing that and focus on learning how to make intelligence better. The CTI League founded in the first wave of COVID in March 2020 by me alongside with Nate Warfield, Mark Rogers and Chris Meyers. We started as an organization that tried to neutralize cyber threats looking to exploit the COVID-19 pandemic and today we are more focused on the healthcare sector in general. We are a non-profit organization all voluntary land. It means that for the first time there is an organization that based and derived by its community that based on the community and the members of the community, the volunteers have the right to say, hey, I think we should do something differently. Our members are from all around the world. In the past one year and six months of operating, we had more than 1,500 members who lost industry. CTI researchers from an intelligence company, from intelligence companies, from the infrastructure industry, but not only from any organization that can support our mission from all around the world, around 80 countries, including countries that I as an Israeli can't go to, including law enforcement organization and agencies from all around the world. Let's take a look on our volunteering map. You can see that almost every continent is representing in the lead and more importantly, we can achieve greater results by breaking the silos and the barriers between countries. This is what we believe in. Therefore, we developed the open self model. It's a community model. For the first time, we want to build not a national self that protect hospitals, lifestyle and organization and medical sector in general. We want to build an organization assert that derived by its community, by the people that share with us their time, their skills, their capabilities, anything. We believe that if they share it with us and share it with the league, basically, we need to give back. And to give back is the right to speak and to say, hey, I think that we need to do something differently. And we are part of a trend, war trend, and I really, really like it, of hosting for good. Like other organizations as the village, we are trying to do better things with hosting. We are not connected to any hospital in the world, but we can make large impact for them. Today, I'm going to share with you how we are trying to make this impact. In order to understand that, we need to speak about the mission. So the city I live mission, as I said before, was to neutralize cyber threats looking to exploit the COVID-19 pandemic. Today, our mission is larger. Within a peak of the attacks against the medical sector, hospitals in particular during this year, we saw how vulnerable they are. And therefore, we want to be there for them, not only during COVID. Of course, in COVID, it's an emergency. It's a world crisis, and someone needs to protect them. But a ransomware that attacks hospital, it's not something that we can say, okay, this is fine in regular days, which are not days of pandemic. We have to be there for them. We spoke with so many citizens from all around the globe, and some of them told us unbelievable equations that they needed to make. One of them, for example, a sister from Israel, told me that the board of the hospital told him that if he wants to build stock department in the hospital, he need to choose between purchasing beds for ER department or to build in the south. No CISO, no manager, need to make this decision. Their mission is to protect people, to save lives, to give therapy. Our mission is to create safer cyberspace for the medical sector and any life-saving organization. Of course, we focus on the segment of the stakeholders, the organizations that can't really protect themselves. They don't have the budget, they don't have the skills, they don't have the knowledge, or they are not capable to do it. And we believe that this is the greatest mission that we chose to protect the people that watch us, to watch the watchmen. In order to achieve this mission, we developed the three layer of protection method. The first layer is prevention. Prevention is like wearing a mask, trying to reduce the level of threat for any organization. And we do that by supplying, for example, reliable information regarding cyber attacks. Not only, we are going to discuss about this mainly today. In the future, we have to train medical organizations from all around the world how to protect themselves from cyber attacks, how to overcome cyber attacks. And of course, the supporting phase. What do you do if the organization was already targeted or attacked? Or there is a data leak from the organization? We want to support cyber capabilities, the guidance and technical advisors want to mitigate attack and help them to mitigate the attacks. And in special cases, like the coordinated October attack against U.S. hospitals, we will build operations or intervention teams to help them to exceed the maximum impact we can make on these organizations. But as I said, we wish to be assert. So if we want to be assert, we need to make something more radical. And in order to do that, we developed the third layer of the protection, which is neutralization, not only reducing the level of threat with masks or going to the doctor for therapy. It's vaccine, how to cut from the route, the threats, how to disrupt the ability to conduct the criminal activities. We escalate information for law enforcement organizations that have mentioned before from all around the world. Hopefully, they will make the further step. And we know they already did. We had amazing collaboration with them. And in some cases, we found the person that executed the attack. With that, we can make the biggest impact for the organization without even talking with them. But today, I want to focus mainly on the prevention aspect. We are going to do that. We're speaking about cyber threat intelligence. So let's start with some intelligence point of view. For me, as an Israeli former soldier in the Israeli army, everything is divided to three. So if I try to summarize the points of view of intelligence, we can take a look on the Meadow of Cyber course. We can take a look of three main aspects or points of view. The first one is the threat actor. There's been information about the threat actor specifically. The second one is on the Meadow of the organization, the victim, the sector. It doesn't matter, but we are not trying to find information about the specific threat actor. We are trying to find information that enable us to protect specific organizations or specific sector or to learn more about an attack that happened in the sector. So we can say, okay, if something happened to this organization, it's going to be reflected to other organizations. The term for the few, which is the unknown, it's like Lekolin style. You know that it's there, but no one knows about it. This is really challenging. And in the following minutes, we're going to discuss about each part of this point of view. And we're going to see how the city I lead trying to make the impact to find the information that enable us to share it with the organization and enable the organization prevent cyber attacks. If they would prevent the cyber attack, they would be more protected. And then they can give more good therapies from any people that go into the hospital. The question that we need to ask when we are working on cyber threat intelligence or any other type of intelligence is fishing or hunting. By fishing, we spread next in the lake, in the ocean, in something that we are familiar with, and we believe that there are fishes there, but we don't focus on specific fish. We can say, okay, the probability of this fish in the same spot is really high. So we are going to spread the net and we're going to try to find anything that we are trying to, but we can focus on a specific threat because it's hard. It's really, really hard. You can, you know, trying to find a hunt like you're hunting the specific threat. Every type of intelligence have the pros and cons. And in the city I lead, we are doing the both aspects. We are spreading the nets and also hunt for the information. So let's start with the threat actors, the main aspects of cyber threat intelligence. Who targets the healthcare sector? Is it the APT, the nation-state-sponsored attackers? Is it the crime, the financial attackers that want to make profits from cyber attack? Is it the activist? Sadly, it's everyone. From North Korea and Iran, the APT is to the E prime, as we saw in the coordinate attack on hospitals in the US, or as we see almost weekly about hospitals from all around the world that were infected by ransomware. We saw some activists trying to leak data. So this information operations. So if we ask, is it only the sharks, the largest fish in the ocean? No, except the whales of course, but the largest fish in the ocean? No, it's everyone. So another question that we need to ask is why they target the healthcare sector? Because at first, it wasn't make sense for me at all. I thought every country in the world has its own hospitals. So they know that hospitals are in charge of people like therapy in days of pandemic, for example, like countries like Iran, know how challenging this time is. So why to attack hospitals? This makes it so tricky. My fear when we developed the CTI League, when we first established the League, that the stinking that happened in WannaCry in the UK hospitals, for example, the slow motion of the therapies is going to happen again. And we saw that it happened. Someone died in September, not directly because of ransomware, but the delay of in-air hospitals make it really, really challenging. So we don't have a case now that someone died directly because of cyber attack, but it affects people. If it slows down the therapies, if it disables some therapies like MRIs or some other therapies, it can affect people. It can cause death. So what can we do about it? And let's share some insights. Today, I want to focus on two main threat actors, not APTs. I'm going to speak about the ransomware and the initial access worker. These two actors are really, really relevant for the medical sector, for the public health sector, and any other life-saving organization. Let's start with ransomware. In the darkness report that we've shown February, the early darkness report, we explained why the CTI League prioritized ransomware. We said that we see the peak, the increasing of the attacks from ransomware against hospitals. Some ransomware groups, like May's, declared in the beginning of the pandemic that they are not going to attack hospitals. That was false claiming. They did. A lot of groups did. And for example, we learned that a cancer center that was a victim of ransomware was so impacted by this attack. So the staff and the patients needed to try to make the therapies, the treatment, rebuilding it from memory. This is something that we can't accept as the infosir community. We can't accept that some criminals will make this impact on people's lives. It's not a fair game between countries. It's not a fair game between people. It's not about spying or espionaging on something that's related to the country. This is against civil people. It's not okay. So here are some insights that we learned from the efforts of the darkened team. Before that, some words about the darkened team. The CTI League Dark is an amazing collaboration between people from all around the world, professional and expert in the darkened domain that also focus on ransomware led by really good people that also helped me to build this presentation. And I will acknowledge them afterwards. And these are some of the insights that we find. You can also find these insights and more in our website, cti.league.com in the darkened report. So we found that the main variants, the main ransomware groups in 2020 that targeted hospitals were Quantic, Maze, Networker, Ryuk and Riebel. They are not alone. A lot of ransomware groups attacks targeted hospitals during this one year and six months since we invented the League. But these are the main variants. In some cases, it doesn't matter if they are sophisticated, they are really clever, they know how to execute the most brilliant attack in the world, because we saw ransomware groups like Darkside make a huge impact on the US. And here some data about what we found in the last quarter of 2020. And it's really important. 18 publicly reported ransomware on hospitals were shared in the last quarter of 2020, but 23 victims, their data was leaked online. So there are more attacks that not reported publicly and it's important. No one wants this personal data or medical data to be shared online. It can affect the people that their data was leaked, but also it destroys the resilience of the hospital to overcome this turmoil. When someone is shared private data from a hospital, people can take a look at this hospital and say, this hospital is not secure enough, this hospital not protect my data. I'm not going to believe this hospital. I'm not going to go to this hospital again. And this can cause undermining of the authorities. And this is a cycle that we can enter now. The disinformation of COVID as we learn from a disinformation team in the CTI lead is so large that we can't accept someone that harming the resilience of the organization. In 2014, they made up over 35% of all attacks against the healthcare system. And since then, guess what? It only increased. It means that more and more threat actors focusing on the healthcare system, they want to attack them, no matter if they are in charge of our life, no matter if they also have some therapies in hospitals. They attack not only hospitals, the healthcare system in general, the public healthcare. Of course, as I said, the CTI league focused on the hospitals that can protect themselves, but we want to learn about any attack because then the implication of it can be shared with another hospital and maybe prevent the next attack. And let's not list RDP as the ransomware attack vector, significantly rose compared to 2019. This leads me to the next threat actor, the initial access brokers. So for those of you that never heard about the IAB, the initial access broker, let's define them. Initial access broker is someone that gains access into a victim network and then selling that access to the highest bidder. It can be one actor or it can be more. So if we saw before that RDP as a ransomware vector significantly rose, these people are the people that in charge of selling RDP. This is a map from the document report that shared the presence of attacks of the initial access broker shared in 2020. As you can see, the majority attacked North America, but it's a world epidemic. A lot of threat actors now use the data of the initial access broker. It's a ripple effect. They hack, they compromise, for example, RDP as the main vector of the initial access broker. And then they sell it online, here's an example for that. They sell it online for the highest bidder. The highest bidder can be a ransomware group that doesn't necessarily need to have a skill of exploitation. They do it for them. And then they can sell it for the highest bidder. The ransomware can use it. They can leave the data, all the cycle, all these ripple effects effect on our life. Someone need to gather information about it and say, first of all, here's the IOC, simple as that, block the IOCs. We had a conversation back in April 2020 with some sales from Europe. And one of them told me that they don't know how to digest information from MISP. So we created the Github of the CTI lead with block list and allow list, think as that. Anything that we can share the information, deliver it. We developed sticks and MISP course, stick, tax and MISP to share it. And in the future, we hope to have complete intelligence cycle for them. So if we know the BIOCs, the behavioral IOCs and the IOCs, and we know the main vectors that the initial access broker operates, we can share the data about these threat actors, these specific threat actors with law enforcement organizations, or with the hospitals, the medical sector in other life-saving organizations. And what happens? Reduce the level of stress. The awareness of any type of attack is the first step of every prevention. If we want the mission of us is to create safer cyberspace for these organizations, we should start with giving them the knowledge. First, these are the threat actors that we know that want to target you. Block. Block it. Make sure that you are covered from tip to toe. If the RDP station is the main vector, focus on that. Monitor it. But not only. We can't look only on threat actors because then we can spread the Yara rules, the nets of the threat actors. We can learn about them. But if we are looking only on the threat actors that we're familiar with, we are going to miss a lot of attacks. So we need to make sure that unlike the threat actors, we focus on the organization and make sure they are protected enough, regardless of any type of attack. So how can we protect an organization without any access to it? As I said before, we are part of a wall trend of Austin for good. And we are not connected to any hospital and they share the data with us. We are not a stock. We are a set. So this is the challenge. If we spoke about the main vector of attack, removed access, why don't we monitor some vulnerabilities or some open RDP, for example, share it with stakeholders with the organizations that need and want our help and we can help them. And then reducing the level of threat, regardless of a specific threat actor. I'm going to present two types of intelligence that we gather in the city. First of all, the prevention aspect is protecting the gates of the organization. If we spoke about remote access and we spoke before about the importance of vulnerabilities, we need to find it. So I'll get to the data. I want to emphasize the importance of discovering one day in your system. This is very, very important because there are threat actors, APTs, e-crime, activism, anyone that can exploit it in days, maybe from the moment that someone shared one day then for the exploitation, it's going to be minutes, hours, days, but the organization response is going to be so low and we need to alert them. So we prioritize critical vulnerabilities and prioritize some vectors that we learn that are very, very, very risky and make the organization very vulnerable. We created a monitoring system on that and I want to start with, say, special code is to show them that enable this system alongside with good people, we develop the system that monitor on that and then we can find a vulnerability, validate it, share identification through the organization. If we have connection with the organization, if not, we can share it with the law enforcement organization. In some cases in their language, it means that if we send a message, for example, for the TICER, that we really, really, really love the connection with them because we really believe this is a prominent connection between the CTI League, NSR, really, really, really far away from the critical mass of this league that which is in the US. So we can send it in Thai language and then they can just forward it to the organization, to the hospital, to the vaccine company that needs this alert and they can make it as fast as they can because we translate it to their language. Let's take a look on the data. Before I make this presentation, I checked how many notifications we sent only in July. In July, we sent more than 550 notifications. Now, consider that we are opening for one year and five months, almost six, how many vulnerabilities, how many critical vulnerabilities, whether they are CVS or human vulnerabilities, like OpenRDT, how many we found, how many we sent and how many organizations can be protected more. The level of threat reduced significantly because organizations patched and if we can help them, this is our main mission. So you can take a look of CVE 2018-07-08, for example, 338 alerts only in July 2021. Well, low enforcement organizations receive our alerts daily basis anytime that we found it and it passed the validation process all around the globe. And this is really important to us. We believe that we can work together as one unit, no matter what your country, no matter what your place, no matter what you believe your political agenda. Working together, collaboration is the key to make impact because one fact that the UK suffered can be returned in any other country in the world. So if we learn the insights from this attack, we can give recommendations for any other organization in the world, this is what we are trying to do. With the collaboration within the city elite, we're promoting and encouraging the collaboration. Of course we make friends and of course we make a lot of impact for the people that are volunteering, but mainly we can make huge impact for the organization as a start. And this is only on the prevention level. So if we talk about collaboration, let's talk about another organization that help us in the monitoring system, zero BS and I want to take Marcus for the details. Zero BS monitoring system, they call it infrastructure team certification, connected to 16 cells worldwide, through source worldwide. They prioritize 95 critical vulnerabilities and they send on behalf of the city elite, more than 2000 notification since we created the league, 61 million, more than 61 million IPs reported by zero BS to the league and from the league to anyone. This collaboration and more collaborations like this are very important. If you want to make impact, this is the key. Zero BS and other companies that exist in the league have the data. In most cases because no one pays for that and I understand it MBA in the university, I know the importance of have the business plan. You can't share the data freely and this is what we are trying to do. We are trying to encourage the collaboration and make safe and trust platform for people to share their data and then we can use this data together to make the impact of the hospitals. So I want to say again, thank you for zero BS both for the data and for the amazing collaboration in one year and six months. Renediation is the key. So if we take all the data both on the threat actors and the organization, now let's speak about some actual matters that any organization can take. If we speak about intelligence, we need to understand the lack of the information that we have. We don't know everything. And then therefore, we don't know for a lot of zero days that exist. We don't know for any type of attack, any TTP, even if we look at the micro attack, we can see that every time more and more reports came out and we have new methods to attack. So if we have the sense that no one is 100% protect and we know that, we know that we need to make some matter. So the first matter is to connect to yourself and your local authorities, make the low rich barriers. It means that if you got attacked by ransomware and you need someone to call, you don't, you don't start a search and do all this process from the beginning. You have already someone to reach and say, hey, call it by name. I got attacked. No, dear sir, this is the first time I'm calling you. And my name is Radaydemov from Hospital X. And now we need your help. Make these connections, collaboration and working with people is the key for succeeding. Prepare for the attack. Make strong password to a face, protecting the other piece, restrict access, go at this location. For example, we've talked about some of the measures before and we are trying in the supporting layer to guide and advise any organization that we work with how to protect better. So the organization have to be protected as you can. It's not going to be 100% protected, of course, but make it highest as you can. But know your weakness, know when you can't protect and what you do about it. For example, if you have some antique workflow or you have some machines from, I don't know, from the 90s, if you're using some Windows XP, for example, there are so many critical vulnerabilities about it. There are so many critical vulnerabilities exposed yearly and every time like double the number or more. So know what are your weaknesses and know how to take care of it. No one is 100% protect even if you're building the tallest wall that cover your city. But if someone will dig in your soil and get into the city like that, or if you know the story about, you know, the, I guess, the green, the green course, this is something that you need to consider. So connect yourself, prepare for the attack of what you know that you can protect, know your weaknesses, take care of the human factor, your users, your employees, need to know better, not only use strong password and use 2FA, explain them the rationale, remember that they are not people experts in the cyber domain. You need to explain the end point behind any steps, the importance and not the policy alone. If you said to them, do not connect your phone to the computer. It's not some policy that you need to take care of it. There is a rationale behind it. Explain how it can affect on the system, on the network, how they can enter models into the network by explaining them, by communicate with them, by working together as one unit to protect the organization. You make them the first soldiers that protect the organization. You reduce the human factor. You never going to believe if you check the numbers, how important the human factor and how critical the human factor in any cyber attack. They can protect you from any decoy document, for example, if they know, not to download decoy documents that send to them in email, in spearfishing campaign, and not to press immediately the enable contact, you made a lot of change to reduce the level of threat to your organization. And the last part is have a plan. Any cyber attack is a term one, whether it's small cyber attack, like a basement attack, or larges, the largest attack that you can ever imagine, like the carrom river attack, or solar wind, every plan, every organization that gets into the cyber attack with a plan can succeed to overcome the turmoil. We learned it, for example, in the October coordinated attack against US hospitals. A lot of few hospitals were attacked at the same time in October 27, 2020. And the organization that had the plan, the best practice and the compliance knew how to overcome it. So if you know that your weakness is in a system specifically, if you connect, if you can disconnect it from the old network, it's better. But it's not. Prepare for a cyber attack. Take care in your consideration that you can be attacked from ransomware, someone will disrupt your ability to help the patients. And what do you do next? So we spoke about the threat actors, we spoke about the organization, and the CTI League holds the third, also the third aspect of cyber security, the unknown. The third aspect of intelligence, it's wide, risky, and required to think out of the box, because you need to search for something that you don't know that exists. Then you need to ask yourself the intelligence questions. What is the PIR? What I'm trying to understand? What is the question that I'm asking myself? And with that question in my mind, I'm going to search and trying to identify the new information. What is the endpoint? For example, if I'm going to search for data leak in hospitals, that I don't know what is the hospital, and I don't know which threat actor can leak the data or compromise the organization, what do I do? How do I find this information? I need to think about the PIR and I need to think about the endpoint. The endpoint, as we spoke before, is to alert the hospital, to help them save their cyber resilience, to protect the patients that their data was leaked online. And if we can neutralize it, then we need to analyze it. So let's take an example of some of the CTI missions. First, identifying compromised remote access platforms in the wild. It's both on the dark net, but not only. We are trying to do that without thinking of any organization, without having a list of hospitals from all around the world that we are searching the name. We do that on the matter of organizations. If we have the data, we will do it. But here, we are trying to search the remote access platform that was leaked or sell online. And if we identify it, then we can move it forward for law enforcement organization. They can check, they can protect the hospitals because they have the data. Collaboration is the key. We are not trying to make a profit here. We are trying to make an impact. So it doesn't matter if we search the name of the hospital or the law enforcement search for the name of the hospital. We're trying to make an impact. Monitoring, attempting to sell compromised assets, mainly in the dark web. For that, we develop scrapers. The scrapers will try to find any selling of compromised assets. This is really important because then we're searching the unknown. We can't know follow specific users in the dark web or searching for specific queries or terms we need to search and think out of the box. These two can be done with fishing, with spreading nets, as I said scrapers. But it's not enough. We want to hunt. So we hunt for the information in remote operation in the dark web team of the CTI League, CTI League dark web professionals that are really, really good and can hunt the information from the threat actors and take for example RDP sessions that someone is trying to sell to steal the information back and then we can share it. In these operations, you need experts. You need the talented people in the industry. And for luck, there are a lot of good people that believe in the mission of creating safer cyberspace for the medical sector and other life-saving operations and want to join us in order to fulfill our mission. Hunting for new vulnerabilities. We don't search for zero days. We don't check the vulnerabilities in the systems of a specific hospital. But if we find something that can indicate of a new vulnerability, like the four of July operation, that we understood first that there is the F5 vulnerability back in last year, in July last year, we created a team who work for the entire weekend to search vulnerabilities that's related to the F5. So we have the two types of methods, fishing and hunting. We have the three points of use of intelligence. So before we speak about the future, let's summarize. We are the CTI League. We established in 2020 as a community of people that wanted to do some good during the pandemic to make a change for hospitals and to prevent and neutralize cyber threats, looking to exploit the current COVID-19 pandemic. In this one year and a half, we learned how vulnerable these organizations are. We chose the segment of organizations that we don't want them to make the equations that they made before, or they can't protect themselves from a lot of reasons. It can be large organization or small, but as long as they are in our segment, we want to protect them and we will do everything we can to protect them. We work with members from all around the globe. In the last one year and six months, we have more than 1,500 members that join us in the way to fulfill our mission. We now have a mission of creating safer cyberspace for the medical sector and like seven organizations. And we do that by three layers of protection, prevention, supporting and neutralization. Here in the stock, we spoke about the first layer, the prevention layer. In order to prevent cyber attacks, we need intelligence. We had three types of intelligence in general terms. The first one is the threat actor. The second is looking on the organization and the third one is the unknown. We spoke about ransomware and initial access broker as some insights that we found during this work in the league, mainly by the CTI League Dark team, that is just amazing team. And I want to thank every single member that joined this team during this time. We spoke about the initial access broker. We focused on RDP sessions as a main vector and prominent vector, but not only any remote access is important, alongside we've exchanged. We found some uptick in the last months in exploiting exchange vulnerabilities. We spoke about the organizations, how we do that by our monitoring system or the zero BS monitoring system and every other organization that helps us in this mission, in fulfilling the mission. This is what's great about the CTI League. We are a self that derived by a community within the community. We have the talented people in the universe that want to do some good, that believe in the mission. They joined us because they wanted to neutralize cyber threats, looking to exploit the current COVID-19 pandemic. And now they are here because they want to create safer cyberspace for the medical sector and lifestyle organization. And we spoke a little bit about remediation, about some steps, how to overcome the thermal cyber attack. We spoke about stretching in the unknown, both in the next, in the phishing method or in the answering method. And now it's time to speak about the CTI League future. I spoke about the collaboration so much in this session and the people that know me already know that it's my first mission. This is the wheel that I'm carrying with me. So collaboration is hard, but rewards are great. And these are two rewards that CTI League members should be proud of because this is not about me or my partner, smart, this and Nate or the people that volunteer in the watchtower. You know who you are. These are for all the CTI League. You made it. So the CTI League had two rewards in 2021. It's the CTI League won the difference maker award winner for 2020 by Sunset Institute. Really, really, really amazing ownership. And the second one is the highlighting of the CTI League in wire 25 in people who are making things better. The members of the CTI League are the people that making things better. The members, for example, of the dark net team, making the way of monitoring and finding information in the dark web differently. And they make it in the best way. The information that they find can prevent cyber attack and reduce the level of threat can support any organization to remedy attacks and mitigate attacks. And also, they work so hard. We've learned for some of the organization escalated information. Hopefully, we will disrupt the criminal abilities to conduct the criminal activity. So this is the time to look off every single member and say, thank you. These prices are yours. And we are hoped that we can expand our services and increase the impact that we make for the organization. And now we do it. This is our way to do it. Open cert. We have the watchtower that develops the independent services that we don't want to rely only on the community. Because we understand that volunteering is hard. A lot of people don't have spare time to volunteer. Or it's really hard to share scarce resources of organization. So in any point that we can make it by the name of the CTI League, we can make it. Automate it. But we have the global community of professionals. And this is the main aspect of the CTI League. This is what drives the CTI League, the community of professionals. Non-profit organization, we don't hear for the money. We don't hear for the profit. We are here for the impact. And we want to focus, of course, on the medical sector of hospitals and other life-saving organizations. But not least, I want to say if we are speaking about the community model, we need to say thank you. This is a community thought. This is not my talk only. I shared it here in the session. A lot of the data that's gathered by our amazing team from all around the aspects, from the people that's searching for vulnerabilities, the people that support infrastructure, the dark web team, the disinformation team, the people that gather IRCs, the people that work with us as collaborators, the law enforcement organizations that join our mission and work together, the bio-arching village that let me this platform to speak with you today and share this insight with you. Thank you. Thank you for all the members that helped in this session and building. Thank you for Mattias and Marcos and Sean and everyone that I must forgot their name. You know who you are. You know how I care about you. How we care about you. And your collaboration is what make me wake up every morning with the sense that we do something good here. This is for you. Thank you so much. Hi, my name is Dr. Dagenberg. As I said, I'm one of the founders of the CTI League. But the CTI League is an organization of the community. For the first time, the infrastructure community want to do something differently as a search for the first time we united over a mission, specific mission that is so important. If we succeed with our mission, we will make impact. We will save life and we will give a lot of spare money and spare time for the hospitals, the medical sector, the healthcare sector and other life-saving organization to save lives. Thank you so much. Here is the website of the CTI League. If you want to follow us, if you want to connect with us, please let us know in the website. You can find emails. You can reach out on Twitter or on LinkedIn and we will do everything we can to connect with you. Thank you so much.