So we have a really interesting talk for you. We're going to find out why you aren't able to buy a PS5 or a graphics card or any other in-demand item. We have a first-time speaker, and a first-time DEF CON attendee, up here: Eric Qatar. Please give him a warm welcome.

Thank you. Thank you very much. So every time you buy anything online, especially if it's a limited-stock item, you compete against bots, and you most likely lose miserably. You can probably relate to that statement. If you've ever tried to get your hands on an Xbox or PS5 console, you couldn't quite understand why the stock is always out, even three minutes after a restock. Maybe when you scroll down your social feed you've seen your favorite artist's concert tickets sold for four or five times their original price and wondered how come. Maybe even on your way here to DEF CON, when you tried to book yourself a flight ticket, you watched the prices go up even for flights that were just published. Bot operators are to blame. Every bot can simulate thousands of human-like web interactions. They will buy anything you want before you even Google it. They will schedule appointments with government services that you will pay for later. They will win every online auction you attend, and they will fake positive reviews that lull your bullshit detectors into buying scam products. Even when you're asleep, there's a really good chance that a bot is trying to log its way into one of your 200-plus accounts while enumerating your password. Bots are responsible for 77% of global hacking activity. That comes up to almost a quarter of total internet traffic. Whether we like it or not, malicious automation is here to stay. It serves tens of thousands of underground hackers and drives millions of dollars' worth of economic activity.
In the next 40 minutes, I will give you a deep dive into the fascinating architecture and techniques being used by threat actors, by bot operators, when they're trying to crack their way into your password or login, and steal your stock from your cart. So, a little bit about myself. My dad served two decades in the Israeli police force as the head of the fraud investigation department. During this time, he got a chance to investigate the most fascinating criminals who hacked the financial system during what is now considered the era of financial fraud. Among all of those people was also the ex-husband of my mother, which 20 years later led me to the most awkward "how I met your mother" conversation you can ever imagine. And of course, growing up with a detective dad wasn't always an easy task. Here you can see a really authentic photo of me and my dad having our "where have you been last night" casual conversation on a Saturday. But on the good side, I got a chance to hear a lot of stories, fascinating stories, about criminals and those financial fraudsters, their courage and their creativity and their ability to flex their minds and hack into systems. Those were the characteristics that I found in myself, and this is what shaped my point of view as a cybersecurity researcher: researching from the hacker's perspective, not from the defender's perspective. And indeed, in the last five years I spent most of my time under 64 different hacking avatars, different identities on darknet, deep web and open web sources, collecting intelligence for the companies I worked for. I started my way at Bright Data. Some of you will know it as Luminati Network. Some of you, the older ones, will know it as Hola VPN. At Bright Data I was in charge of investigating high-profile clients who tried to misuse residential proxy IPs for cyber activity: cyber attacks, DDoS, fraud and all that kind of stuff.
I had to carry out a lot of investigations there, but the most interesting one was a three-month investigation into a 21-year-old from Latvia who basically simulated 30,000 users of a very popular gaming platform, using 30,000 concurrent sessions every time. He was collecting the gaming coins through the bot users, centralizing them in a specific avatar, going to the gaming shop, buying some skins, and selling them for $6,000. This kid made $1.6 million in three weeks just from selling the skins of a popular gaming platform. In 2020 I moved to the defender side, to PerimeterX, which two weeks ago merged with HUMAN Security. There I basically mapped the threat landscape of any threat actor trying to hurt our clients, and did a lot of proactive threat intelligence activity, like credential honeypots that were reposted by other crackers who didn't know it was a honeypot, or hunting down malware and infostealers that ran in the wild at least a year and a half before being discovered by antiviruses. So from all of this experience, I'm going to take the most meaningful insights and share them with you. Our agenda for today: first I'm going to define what exactly "top performing" means, because it's a really arbitrary title. Afterwards, in the first part of the talk, we'll go into account crackers specifically. Those are the ones trying to steal your account. If you ever lost an account to a hacker, you'll find it very interesting. The second part will be dedicated to retail scalping, which means using bots to hijack the stock of a specific retail product, buy all of it, and sell it to you afterwards at three times its original price. Lastly, we'll have a summary of all the TTPs we went through and we'll talk about the future of malicious automation, and after the talk is over I'm of course going to have a personal Q&A session here, so I promise not to answer like a bot.
So like I said, we're going to focus on two use cases, since the whole malicious automation world is enormous. The first is going to be account takeover using credential brute force, and the second one is retail scalping, using automation to buy retail stock. I've defined top performers as those hackers who maintain a sustainable business model, meaning we are not aiming at hit-and-runners here. We're talking about those who are making a living out of their operation. These hackers should have at least six months of online presence, and they should belong to the top 20%. And I'm going to clarify this one, because the hacking skill distribution among application hackers pretty much follows the 80/20 rule, which means that while 80% of the hackers out there are making only 20% of the successful logins, the remaining 20% are actually making 80% of the successful logins or checkouts. So I'm going to focus specifically on that 20%. Which means I'm not going to talk about the most common tools and techniques, but about those that are rare but serve the top performers. So let's jump in. First we'll do the brute force. There are many brute force tools out there. Their whole purpose is practically the same: to camouflage all the concurrent sessions as real logins. And they all do it by performing as a one-stop shop for the cracker's architecture, which means that all the components of the architecture I'm going to talk about in the next slides come together in this dashboard that you can see, of OpenBullet. While there are many tools out there, one of them has had its popularity go exponentially high in the last three years. Its name is OpenBullet. It's an open source tool that, like many other cracking tools, developed from web testing, went into OpenBullet, and from there to BlackBullet and CyberBullet. Now all three work under the same principles, but they have different integration capabilities with other hacking tools.
And practically this will be the oven that bakes the whole cake the hacker is making. Now that we have the oven, we need a recipe for the attack. And that will be the config itself. It's the script that runs everything. Every config can be roughly divided into three main parts. The first part, which you can see in the upper right, is the part that defines the path of the attack itself. It includes all the headers and the static variables that will repeat with every user who uses this specific attack. The second one is the authentication, the login itself to the account. This is where you can find the payload manipulation techniques, the cookie replay attack methods, legit service spoofing or API spoofing, in which a hacker finds an API that's supposed to communicate with a legit third party and rides on it to make logins, because this path is not regulated by the target site. The last part of every attack config is the capture. And this is what you can see right there in the middle. After the login is made, the first part of the same attack, it will go to your account and try to figure out what assets you have. Here you can see a checklist of very popular streaming services. So it checks what kind of programs the hacked account has, which is of course a subscription. And this is how the hacker later knows how to price this stolen account, because stolen accounts that have a credit card are worth much more than the ones that don't. And on the left, the right and the bottom, you can see an ad of a config developer who published it on an underground forum. You can see it talks about CPM. CPM stands for credentials per minute or combos per minute, which means this is the highest number of credentials that you can try per specific path, per specific config. And it tells you that it depends on your proxy services and your reCAPTCHA services.
So it depends: the number you can attempt depends on other architecture components that we'll talk about in the next slide. Also, it mentions that it has a capture of credit card and gift card. That's the CC and GC you see at the bottom. It means that this specific script can tell you exactly what assets are inside the account, so you as a hacker don't need to go and figure it out by logging in yourself. Of course, it's limited to five copies and it's doing differential pricing so that it doesn't spread too much and doesn't get patched by security companies. So now we have the tool, we have the recipe, but we don't have any cake. And the cake starts with the credentials themselves. It's commonly believed in the cybersecurity community that credentials are easy to get but you need to go through some steps in order to get them, like paying a little or going to the darknet. While the truth, the awful truth, is really out there. The screenshot you are seeing right now is from a marketplace that you can find on Google, and everyone can sign up and have access to all of these credentials. This is almost 11 billion credentials. If you ever found your email address in Have I Been Pwned, it's practically going to be here. This is a compilation of all the data breaches from the last 10 years. 11 billion credentials for the use of many hackers who keep recycling those credentials again and again and again. So hackers know that, of course. This is their playground, and they keep collecting those combos all the time, running them from VPS virtual servers that have much more stack capability, and of course establishing a MySQL server which they can use for creating rich data sets that will later be used for cracking your password. We'll touch on it later.
Of course, this database can be shared among several specific hacking groups or it can be used privately, but the biggest point here is that most of the people in this crowd also reuse the same password across different services, and hackers know that. So they're creating tables that correlate your email, your password and all of your last passwords, so they can be used later on when they try to brute force. So it's really nice that I have a lot of credentials, and 11 billion is really nice, but I can't do an attack with 11 billion credentials, because I will go bankrupt as a hacker. So the next step is one in which they will go and do mail validation. Mail validation is practically a process in which they clean out non-relevant users who are not signed up to the target site, because there's no logic in targeting accounts that don't really exist. And they will do it mainly using two techniques. The first one tries to figure it out using the website itself. It will be an OpenBullet config marked as VM, a valid mail config. And you can find many of those online for free. They will go to the target site, do "forgot password" with the victim's email, and check the response. If the response is "this email does not match our records", then as a hacker I should not attack it. So I will put it on the ban list and filter my target list down further. But if I get "hey, we sent you a reset link to this email", that means this user is signed up, and this is why it will later be targeted with a brute force attack. The other path they can go is more stealthy, and it will exploit an unregulated API path: using this API path they check whether the email is signed up or not, depending on the response they get back, a 400 or a 403 versus something else, and based on that they leave it in the target list or not.
And now we have everything that we need, but we don't want to guess all the possible combinations. We want to be precise as hackers and aim directly at the point, like a sniper, not just shooting like Arnold Schwarzenegger in one of his movies. And this is the precondition before doing the enumeration itself. There are two predictabilities that make our passwords really predictable in hackers' eyes. The first type involves the pattern itself. Every target site has a password policy, like you can see right here. But for most people, when they sign up for an account, the last thing they want to do is think creatively about a new password they will have to remember. Most people will just go by the simplest route out there, which means that our hacker doesn't need to try all the combinations; he can just go for the most common ones. Let's say I'm supposed to use eight to 100 characters; most people will use eight to 10. So therefore I have no reason to enumerate more than that. Uppercase and lowercase will usually be an uppercase prefix, which is a built-in feature in every brute force tool out there. And also, when you need to use a number, most people will use a 1, 5 or 7 suffix in the password. There are also the creative people who use keystrokes that are next to each other, creating different shapes. This is what helps them remember it. But just so you know, it's a feature that exists in a lot of tools out there. So when they are doing the enumeration, they will first try the keys next to each other. The next part of predictability involves the content itself. This text comes from last year's Google research about passwords. It says that 50% of US adults are using the same password in at least 12 different services. 33% will use their pet's name. And this is where it all comes together into one big workflow.
First, the hacker will go back to the table that I talked about in the last slides, where they have the username and the password, and they will enrich those data sets with the victim's PII. It's really easy to do that using open source repositories out there, just by looking up accounts that are related to the specific email, social media accounts, and extracting from specific places data points like education institutions, spouse names, birthdays; everything is totally available out there. As you can see, they're using a password generator that has these capabilities. Like you can see there: use password, or birth date, or postcode. All of those will be used for doing smart enumeration, not one that just goes off randomly. And the enumeration at the end will depend on three things. The victim's PII, like their pet's name, their wife's name, a birthday and stuff like that. Breached passwords: all the passwords they could ever find that had been breached in the past and posted on the underground forums. And the password policy predictabilities that we talked about. And this is how they can turn one email into a large combination of passwords that has a really good chance of hitting the target. Now that I have everything, if I try to log in from a specific IP address, I can manage to do at most three logins before I get blocked. So in order to bypass this IP rate limit, hackers just use many IPs, many proxies. Those are connected with a service called a proxy network. And this service actually manages the whole proxy operation for them. I really do recommend you learn about proxy networks and their capabilities. It's really the single most common attack vector of all cyber attacks out there, specifically malicious automation. And it also serves them to hide their true IP, which is really important, since cracking into accounts is a criminal act in most US states.
Of course, using a network allows the whole proxy operation to be outsourced, which means the hacker doesn't need to go through the proxy list and check which of the IPs got banned, which one is not working well, and then replace it. He saves this time by connecting through the API of a specific server to a proxy network that does everything, and even rotates the request itself when a captcha pops up. So here we can see everything coming together into the same kind of cycle. It goes from the bottom left. You can see the attacker there. He will use the mail validation we talked about on the username. The password will go through a wordlist generation that sets a specific type of password, customized to the specific user. From there the request will be connected through the super proxy, which is the entry point of the core proxy network. The super proxy server will use thousands of different load balancers to spread those requests among different devices, real devices of real people, which makes it really hard for the target site to block those requests afterwards. And with the successful logins he managed to do, using the capture, he knows what their assets are, and then he gives 10% back to his prospects. Prospects means the people who are following him, following his activity, but haven't bought anything yet. In front of them, he has the challenge of gaining their credibility. So this is why he's acting just like a freemium business model. He gives them 10% of the valid accounts, the ones he managed to break into, for free, and this is how he creates more and more followers and more and more attention on the darknet. The other 90% will go to different digital marketplaces like Selly, Shoppy, AtShop, and these kinds of services, which are practically legit marketplaces that are being misused by hackers all the time.
And in the last phase, with all of the accounts they didn't manage to break into because they didn't guess the right password, he will do combo recycling. He will release it again on some kind of forum, harvesting all the credits, all the likes, which will later be worth money in the marketplace of the same forum. So it's actually beneficial for him. And from this point, it will be picked up by another cracker who will go through the same phases all over again. And this is why I could call it sustainable cracking. Here, actually at PerimeterX, we did a honeypot that demonstrated the capabilities of hackers on the underground forums. We faked 50 credentials. We marked them on our end. We posted them once on one hacking marketplace and we waited for the logs, the requests. The first malicious automation, an OpenBullet request, that we saw came only two minutes after the moment I pressed post. Overall, we had 50 reposts. That's when a hacker sees it and says, hey, it's nice, I will repost it on another platform. So we had another 15 websites that were exposed in this whole operation. 50 reposts after the first 24 hours. Overall, we had 600 attackers who took part in this party without their will or knowledge. And this is basically how we can demonstrate it and see it from both sides, while using simple social engineering techniques on the hackers there. So from ATO, from stealing accounts, let's talk about the bots that are using those accounts right afterwards in product releases. I'll give you a one-minute intro there, because scalping is believed to be only a thing of PS5s or sneakers, but basically it affects all of us in ways that we can't even imagine. We have two groups of scalping out there. The first one is the limited edition. Those are the classic ones: the sneaker marketplace, GPUs, PS5s, NFTs, tickets for concerts, flight tickets. All of them are being sold and bought all the time using bots.
But we have the second part, which is really interesting: opportunistic scalping, which means those who rely on standard demand but temporary low supply. We've all seen it with the COVID masks at the beginning of the pandemic, when they cost something like six times more than they cost right now. We had it with baby formula, where during the last year one big baby formula factory was shut down because of a violation of health regulations, which caused a temporary low supply. And I've seen a lot of bot operators out there who switched at that moment from sneakers or PS5s to buying baby formula and selling it through Facebook Marketplace. And the last thing we've seen is government services appointments, specifically passport or visa appointments at embassies around the world; for a visa appointment you will have to wait at least a year because of that pandemic of bots right there. So let's talk about retail, the ones who are buying the PS5 consoles. The first thing they will use in order to increase their success rate is aged accounts. Aged accounts are digital accounts that have existed for at least six months and sometimes even more, sometimes up to a year. The older the better, and the higher the price, because their value is higher from the hacker's perspective. And why is that so? Because aged accounts are practically subject to lower security standards. As time goes on, the target site, the e-commerce site, knows and understands the hackers better and makes many more adjustments to its security measures. So therefore an aged account has less strict thresholds and less strict regulation under the compliance of the target site itself. And this is why they have a much higher success rate. This is, by the way, where account takeover and bots are connected, because those accounts are usually bought from account crackers.
The next thing that will be used here is the cookbook itself, which is the community of scalpers that focuses on a specific retail product and sometimes even on specific bots. This is basically the only community that serves as a knowledge base, since scalping and buying products online is a really complex operation and you need a lot of knowledge in a lot of different fields. So the cookbook is the answer for that. These groups are exclusive, not open to anyone, cost a lot of money, and have a limited number of people inside. So getting access takes some time for most beginners, but this is how most scalpers begin. In these cookbooks, they will do group buys of bots and therefore reduce their expenses. Or they will share some tricks that will practically make them more successful. And the third thing they will use is the bot itself, which is practically the most overrated component, because every bot has a specific model for every target site. There can be a specific bot whose model is really good for a specific site but really bad for other sites. And also, if it's good for a specific site on a specific launch, it doesn't mean that in a week it will be the same situation. It can easily be patched by the detection of the target site's anti-bot solution. So therefore the bot prices vary between $400 and $6,000 a month. And again, there's a limited number of API keys out there, very exclusive. But top performers will use several bots, for the same reasons I just mentioned. They will do several products, they will do several sites, and therefore they will use several bots. And in order to keep yourself on top of that, of what is just a huge operation, you will have to use a bot manager. A bot manager is practically a one-stop shop for all the bots you are using. The most common one out there is AYCD.
It practically gives scalpers 12 different bot tools, from creating fake credit cards to generating email addresses that you can use for fake signups. Everything they will need to use is right over there. And the fourth thing is the product release monitoring service. Whenever you want to know when there's a new restock of the PS5, you will practically go manually and search for PS5. This costs a lot of time. This is practically one of the reasons that you will lose to a bot. A bot won't do it itself. It will wait for a third-party service, which is basically a web crawler that goes to the target site every second and checks: does the PS5 exist, does the PS5 exist, does the PS5 exist. Whenever the PS5 exists, it comes back with the PID, the product ID, and tells the bot exactly where to go. And we'll show you this two slides from now. But this is one of the most important components in the architecture. As you can see on the bottom right, the two tweets from Heat Monitors, one of the most notorious product release monitors out there. You can see they are basically bragging about the fact that they spotted a product release and their competitor missed it totally. And on the far right, they are bragging about the fact that they were 1.4 seconds faster than their competitors, which might sound like a little, but in the world of bots this is forever, an eternity, and that is practically the whole function of the product monitoring service. It serves exactly like the starting gun at the Olympic competitions. It tells the bot exactly when to start the race to the PS5 unit. And now we have all of this. It's really nice, but we want to use a better stack than what we have on our PC. The scalper, the top performing scalper, will put in some money and rent a dedicated server. Dedicated server means that it's not shared with other scalpers, and you don't want to share resources when you are playing a zero-sum game.
When every PS5 console that I buy, my scalper friend won't buy, I don't want to share any resources. This is why the server is dedicated and not shared, and also bare metal and not VPS. They are physical, they exist, and they're geographically located around the target site's servers, so they minimize the ping time, just like you hear about FinTech companies doing in order to get closer to the stock market or to any kind of financial institution they need to work with. This is exactly what scalpers are doing. They will choose specific geolocations that are physically close to the target site, so they can be first, before you. And the last thing here, from the dedicated server itself, they will spread all of those requests through different proxy IPs. This time, unlike crackers, they will not use just residential PC IPs; they will use mobile. Why mobile? Mobile has different thresholds. The number of actions you can do from a five-inch screen is much higher than the number of actions you can do using your keyboard and mouse. As a result, every target site, every common site you surf, will have different thresholds, a different number of tasks you can do per IP. They're using emulation to emulate the whole fingerprint of mobile, and mobile IPs, so they can do many more tasks, much more quickly, from specifically geolocated proxy peers that are located right there. So here is where everything comes together in one place. As you can see, our scalper here is connected through a remote connection. Usually it will be RDP, the Remote Desktop Protocol of Windows, but not necessarily. He will manage his operation, which will be on the dedicated server, not on his own stack. The dedicated server will constantly communicate with the product monitor service that you can see underneath there.
The product monitor will go all the time and will return once the product is released on the site. It will come back with a PID, which is basically a shortcut to the product itself. And then, while you were looking for the specific unit, the bot will go directly and buy it before you. Also, all of these requests will come from specific geos. Unlike the cracker, who doesn't really care where the IP is located, the scalper attaches high importance to where he chooses his exit points, his exit proxies. They will usually be located next to the target site, which most of the time will be Ashburn, Virginia, but not necessarily. And from there, for all the successful checkouts he made, all the PS5 units he's supposed to get by mail, he will use a post proxy company that uses fake addresses around the United States. All of those PS5s will be sent to different proxy addresses, and from there they will be moved to his native country, where he is located and where he will sell them for 600 or 700 bucks per unit. So, where are we heading? I'm not a prophet and I don't pretend to be one, but I know that there are several actors and factors that shape the whole malicious automation world, which keeps on going specifically because of the Ukraine war and because of COVID. The first thing we have to understand here is that the top performers, the 20% we are talking about, are basically the early adopters of new cracking tools and techniques, which means that whatever they are using will be what everybody uses in a year. When OpenBullet came out in May 2019, it was a niche at the beginning. Only a few hackers knew how to really develop a good config. Nowadays, it's a standard. It's really rare to find a config developer, a developer who writes ATO scripts, who knows how to write in anything other than LoliScript, the language of OpenBullet.
So, it's really important for us to understand those 20% and not just focus on the average attacker, because as I said about the hacking distribution, it's an 80/20 rule; there are no average hackers. Either you are among the beginners and you stay there, among the beginners or the mid-range, or you go on to be a top performer very, very quickly, if you have the right persistence and creativity and courage. And the second thing is that every retail supply chain bottleneck is a business opportunity for bot operators, which means that the same kind of attack architecture and scalping architecture that we've seen on sneakers has now been turned against the PS5 and Xbox. It's the same thing that we'll keep on seeing on other products. I mentioned earlier the baby formula; that was just an example, but we have many other cases going on. Whatever you hear in the media about a supply chain problem coming up, first thing, think about the bots, because they will come afterwards, because they will see that the temporary low supply can drive them a lot of profit when reselling it. In fact, if a retail bot had any physical existence at this conference, it would practically take over the whole water supply and resell you every glass of water for 70 bucks. So what differentiates the top performers from other threat actors? The first thing is that they think development operations. Just like a startup, they will think about minimizing time. They'll think about customizing the architecture around the architecture of the target site. They will think about reducing the architecture's resources and increasing its efficiency. Let's say, for example, a new scalper who tries to get the PS5 will care most about his bot. He will think that the bot is the key to success there. But a top performer will focus on doing OSINT work and figuring out where the target site's servers are located, and will build his architecture around it.
He will use the same ISPs as the target site, so again he will shave off a little bit, a few milliseconds; every millisecond matters in that aspect, and he thinks differently. This is exactly one main differentiator that we have there. The second one, and a really important one, is that they all use OSINT. Whether it's the cracker that we've seen earlier, who established a big data set that includes all of us, all of our PII that can be found on social media, or the bot operator that uses a product release monitor in order to figure out exactly when the launch is happening. They're all making preparations; they know exactly where everything is located, and this mindset, together with validating the breached emails and using UX exploitation, is what practically puts them on a different level. The third thing here, and this is practically the most important one as I see it from my last five years of research: the scalper's, or any hacker's, biggest asset is not his money but his time. Most people think hackers go through a phase that is really similar to what normal people go through, which is called the promotion paradox. The promotion paradox simply claims that every time you get a promotion, you get to do less and less of the thing that got you the promotion in the first place. Which means, from a hacker's perspective, a lot of hackers out there are thinking, yeah, I can write code really well, I know how to hack, I'm going to make tons of money out there. And then they open up their own business and they begin to be client-facing, which is something that they never did before. All of a sudden they need to do marketing in order to gain some credibility in a market that is really full of fraud. And they try to sell in one-on-one conversations, they try to explain to people their value. Later on, of course, they will do customer support and handle tickets from clients, which is something that I believe they never thought would happen.
Here you can see, right there in the middle on the left, a real message from an 18-year-old hacker who tried to build an anti-bot bypass solution. This guy, during exam period, actually mentioned that he wouldn't be available since he had many exams. Of course we took advantage of it and put in 12 different detection logics while he was in his exam period. Muah! So time is also something that is really necessary. A lot of security companies are thinking, yeah, we should make the attack more expensive so they will go to the other side. But what drove 13 out of the 13 hackers that I've tracked in the last year and a half wasn't budget. It was their time, and the fact that they needed to remain on top of things and to keep handling stuff like that all the time. So the top performers are doing a small thing that we all need to do in our personal lives. First, they outsource the code they need. Whenever they can, whatever they can, they will outsource, so they keep for themselves their biggest asset, their time. But they will keep under their control the stuff that they have to do: the debugging, the reverse engineering of the payload. They will learn about obfuscation techniques. They will learn about deobfuscation. They will be there in order to keep their operation working and to handle problems. But all the rest of the operation, like proxies, like wordlists, even credentials, they will use a credential API in order to minimize their time. So all of it will be outsourced so they have maximum efficiency, since hackers, in this aspect at least, most of the time work alone. So basically, here is what I want you to leave this talk with. First, go to underground forums. If you haven't been there, open up an avatar, start learning and be on the other side. It doesn't matter if you are pentesters, white hats, amateur hackers, it doesn't matter.
Every piece of code that you want to write, someone somewhere built it, wrote it, made it, upgraded it to the level of art and uploaded it online. I still find pentesters trying to write techniques that are being spread around all the time. So know your enemy, know the threat actor, because as we've seen here, they are collecting intelligence about us all the time. The second thing that is really important here is to think like threat intelligence. Let's put it in a practical example, okay? Let's just say a defender is watching this talk right now on YouTube, and he thinks to himself, as a defender, I should probably put two-factor authentication on my account. That's nice, but that's a defender type of mindset. If you want to work from the threat intelligence side, think to yourself: what is nobody doing with their password? And the answer will be putting spaces in it. Nobody is using spaces inside passwords, and no password generator that I came across had the possibility to add spaces, because nobody does that. And no hacker that I've met ever thought about enumeration with spaces. And the reason for that is that he has never seen that kind of password. So use spaces in your passwords until everybody else does it and a hacker goes for it too. But be there, hunt them down, know your enemy and stay safe. Thank you very much. I will take questions if anyone has any. And thank you very much.