 Okay, let me introduce you here. Well, welcome everybody to DEFCON 30's Alt Space VR DEFCON group meeting. John Clay is from Trend Micro. He's going to give us a presentation on cyber attack trends in 2022. John Clay has worked in a sub-security space for over 25 years and uses his industry experience to educate and share insights and threat research and intelligence to the public. Delivers webinars, writes blogs and engages customers and the public on the state of cybersecurity around the world. Accomplished public speaker, John has delivered hundreds of speaking sessions globally. He focuses on the threat landscape and cyber criminal undergrounds, the attack lifecycle and the use of advanced detecting technologies and protecting against today's sophisticated threats. So thank you for being here, John, and take it away. Get away. Yeah, thank you. So this will be an interesting one because obviously we don't have slides so I'll try to talk through the details of what I wanted to go over today but thanks everybody for joining us. Hopefully we'll get these slides rolling here at some point. But let's talk a little bit about attack trends. You know, Trend Micro is one of the founding members of the Cyber Security Tech Accord which is a group of over 150 organizations around the world and we did a survey recently around nation state threats and challenges with nation state threats. And we asked a number of questions and I thought we're gonna be pertinent to this discussion today. And I wanted to share some of those with you. So the first one is how concerned are you with being a victim in state attack? You know, as we've seen with the Russia-Ukraine conflict going on, there's a lot more talk about nation state activity. You may be in an industry that you may be targeted by nation state actors but it was interesting. The responses went from very concerned, somewhat concerned, a bit concerned to not concerned at all. And only 2% said not concerned at all. So everybody is a little bit concerned about this and about nation state actors targeting them. The next question was how will we prepare to defend ourselves against these nation state attacks? And one is increasing investment on cybersecurity related technical measures. So certainly looking at the technical aspect. They also said improving training and education of employees. So we're looking at people and the people side of the equation. And then designing a person or designating a person or a team to be in charge of cybersecurity, establishing or enhancing corporate policies. So when you think about risk, right? We always talk about the people process and technology and the answers here definitely fell in line with that, which is, so as organizations start building better defenses in the future, you need to really think about that. All three of those areas in your business is how you're gonna deal with people, how you're gonna deal with process and how you're gonna deal with technology. One of the interesting questions was we asked where will people be attacked? Where do they think within their organization they're gonna be attacked? Number one at 60% was the cloud environment. Certainly with the pandemic happening, a lot of organizations have done some newly investment in cloud architecture. And that definitely is gonna be a cause. And the criminals know this and they also realize the criminals realized that it's new to a lot of organizations. So they probably are making some mistakes and it may be an area that is not as easily defendable by an organization as some of the other areas that have been around much longer. Number two at 47% was employee computers and laptops. Kind of no, not surprising, obviously. They're gonna target your employees. They're gonna target and obviously the devices that they're using. Another one was mobile phones was at 22%. Hardware infrastructure was actually three at 46, almost 47%, which is like your servers and stuff. So that was, I thought was an interesting. And then how will we be attacked? They asked this question in two parts. They said, how will it be attacked today and how will we be attacked in five years? What's interesting is today, they say 67% say malware. And then there is phishing and spear phishing. Third is ransomware. Fourth is denial of service. Fifth is sequel injection and sixth is man in the middle. But five years from now, they think number one will be ransomware. And obviously we've seen ransomware quite a bit in the news quite a bit. And so these respondents really feel that ransomware is going to increase in the future rather than decrease. The second one, although is denial of service. So I think they're thinking that these actors may be looking to a little bit more harm within organizations systems. Malware dropped to number three. And then we had phishing and spear phishing is number four. So that was just kind of gave you some idea of based on some of your peers responding to this survey, I thought would be a good idea to key up. The next area I wanted to look at is the actors and their motivations. So a lot of you probably know who all the different types of actors are. But when I talk to a lot of the customers and people in the industry, one of the things I mentioned a lot is that you need to think about who could be targeting you. So when you're gonna build a defense plan and strategy, you need to think about who are the most common actors that could be targeting you because obviously their motives and the methods may be different based on the different types of actors. So today, obviously we have probably the number one is cyber criminals, financially motivated folks. These are the ransomware gangs out there. Business email compromise gangs. But you also, you have amateurs and script kitties. We certainly still see the script kitties out there. Although one of the guys that I work with who heads up one of the research communities inside Trend Micro was sharing with me the other day. We used to have this pyramid of sophistication when it came to the actors. And at the bottom was the script kitties which were a lot, not very sophisticated. In the middle you had some of the newer people not around. And then the very top was the nation state. We always thought nation state actors were gonna be the most sophisticated. But if you think about it, you're a much better person in your job today than you were when you first started. And we've seen a lot of these actors being in this industry for many, many years. So the sophistication level and it's almost taken that pyramid and flipped it upside down so that most of the threat actors out there or within the actor gangs are very sophisticated. Almost as sophisticated as the nation state actors are. So that is one of the challenges we feel is happening in the world today is that they are getting much better at what they do. Hacktivists still around. We saw an emergence of Anonymous with the Russian invasion of Ukraine and Anonymous people going after Russian networks. So certainly those, the hacktivists and again their motive may be a little different from obviously a cyber criminal, for example. Nation states obviously we mentioned that but also competitive spies can be out there. So when you're thinking about that defense and depending on the industry you're in you wanna think about who are these people that could be targeting me so that you have the ability to understand their TTPs in the way that they could be attacking you. The next area is motivation. So what motivates these threat actors? And I have four areas that I talk about a lot in this area. Was there a question? Okay. I just muted him. Yep, yeah, speed it up a bit. Oh no, I was saying I just muted them, no worries. Oh, okay, sorry. The first area is espionage. So again, mostly like Chinese actors tend to be very prolific in the espionage stage. They're trying to steal intellectual property. If you're a manufacturer, for example you've got your processes down and how do you manufacture your product? And they may look to steal that because they don't wanna invest in the R&D that goes into that having to do that. So cyber espionage is pretty big. The second area is financial gain. That's probably the biggest. Again, I think this industry now is closing in on over a billion dollars in illegal revenue coming from cyber crime. So it's definitely a huge business out there today. It even could be multi-billions for all we know. They do not put in W2 forms to the IRS when they make money. So we don't really know how much money they're making but it's certainly probably extensive. The third area is disruption or destruction attempt. So, and this is where, as we saw with the Russian-Ukraine conflict we saw more destructive attacks. There were some wipers thrown out there very on that tried to wipe systems versus encrypting systems, for example like the ransomware actors. If I wipe a system it's not usable anymore whereas if I encrypt it obviously if I can get the key I can get that system back up and running pretty quickly. So disruptive and destruction attacks. And the fourth area which a lot of people don't realize today is an education motive. And we're seeing this happening more and more especially in the critical infrastructure area where you may have actors inside your critical infrastructure but they aren't doing anything destructive. They aren't doing anything to create financial gain. All they are doing is trying to learn how to access ICS or SCADA devices or access an OT network so that they can figure out can I do it? What can I do? We kind of saw this potentially with the Russian invasion in the Ukraine power plant years ago where they probably did that as much as for educating themselves on how to get access to that network, how to bring down those systems. So these are a lot more stealthier type of activities because again, they're gonna come in, they're gonna do stuff and then they're gonna leave and wipe all of the traces of their attack. So they're kind of different. So again, thinking of the motivation of these actors against your organization depending again on what industry you're in what products you produce, what services you produce that kind of stuff. So think about that as you're building that defense model. The other thing I wanted to highlight is the attack stages. So there's a definite model that has been followed over the last several years of the attack life cycle and it all came out with kind of the cyber attack chain that Lockheed Martin has patented. And it really starts with intelligence gathering. So they're gonna learn before they even launch any type of an attack against your organization. They're gonna figure out who do they wanna target? Again, that's gonna be not only who the victim is and what their motivation is in attacking them but also who in the organization do they wanna initially target? So they'll go all this upfront intelligence gathering to understand who, what, when, where, why, how am I gonna target them? So they'll have all of that information usually upfront before they actually go into the second area which is point of entry. So how do I initially access this network and get into it? And we're seeing some new things I'll talk about in one of the future slides here. But point of entry certainly is the next stage. The third stage is where they did establish a command control infrastructure. They need this to continually keeping access to that compromised network. And this can come in many different forms but there's always going to be typically a command and control infrastructure that they will establish inside the organization and outward bound to allow them to see that information and continue to have that access. And then the fourth stage is lateral movement. And this is something we're seeing even a lot of the ransomware attacks where they'll get in and they will then laterally move because obviously if I compromise an employee's system to get access, usually that employee's computer's not going to have the information or the data or what they want to achieve and their motive in getting access to your network. It will then need to laterally move across the network to two different areas. It could be your cloud infrastructure, it could be your data centers, it could be critical infrastructure, your OT network, whatever that might be. The fifth area is that asset and data discovery. So again, if they're an actor group that wants to steal data they're going to look for your customer data, your intellectual property, your source code. They're going to, and as part of that lateral movement process where they map your network out they're going to learn where those repositories are and then they look again, how do I access those? The sixth stage is what we call data exfiltration. So once I find data, I need to exfiltrate that out to their command and control infrastructure or to somewhere where they can get access to that data. And again, this is not going to be done through massive uploads to the web. It's going to be done in bite size increments so you don't see it very easily. It's going to be encrypted obviously. It may utilize different channels. It could use a Dropbox channel. If you use a Dropbox inside your account it could use a one drive. It could be an email with an attachment, whatever it might be, they're going to figure out a way to make it exfiltrate it without you realizing it. And there's actually a seventh stage which a lot of people don't realize it but it's called a maintenance stage. And the maintenance stage is where they will continue to stay in resident in the network but they may not be as active. They may throw some back doors on systems that they just let sit there. They may ping the command and control infrastructure every month or every couple of months just to let them know that they still have access because they may want to sell that access at some point or utilize that access for another attack against that organization. So that's, you're going to see that regardless of whether it's a ransomware attack, whether it's a business email compromise attack, whether it's just a data exfil type of attack that these stages are all going to be very similar in any attack that you're going to see today. Now, one of the things that if, I don't know if everybody reads the Verizon data breach as the gative report that they publish every year but it's a pretty good report if you're not reading it because it does give you some very good information about how the attacks are happening. And, but back in 2019, they actually had an appendix that was written by the United States Secret Service. And I continue to use this because it's still relevant today and it's very good information because what Secret Service had done is they had interviewed all these malicious actors that they had arrested over the years in some of the very big breaches and they asked them how did you get access to these networks? And one of the, there's three areas that they came, they came out of these interviews with these hackers. The first thing they look for is human error. So how can I find somebody who makes a mistake, misconfigures an S3 bucket, misconfigures an open IP that gives me access to that network or to that device. So they look for people making mistakes. Obviously human error also when I send an email in and the user clicks on a link that they probably shouldn't have. So that human error thing. The second thing they look for is IT security complacency. And this is where you think about like not patching quickly, not configuring things, not doing, enabling some of the advanced detection technologies that you have access to, you just don't do it. The third area that they look for were technical deficiencies. So am I not running stuff that I should be running in certain areas of the network? Maybe the OT network has been, traditionally hasn't had a lot of security running in it. So it's deficient of security controls. So they look for that. The interesting thing was, they mentioned that, and this was quoted in the article. It is when multiple TTPs are utilized in concert that cyber criminals are able to gain and maintain access to a computer network. So they're looking for not just one of these, but if they find two of them or three of them together, they almost absolutely know that they can get access to that network. And one of the actors actually talked about being in resident on a very large organization's network for over 10 years, just following this model over and over and over. Some of the tactics that we're seeing today utilized by the malicious actors. I mentioned the extensive intelligence gathering before the attack. So that's certainly going to continue to happen. If you are publishing information out there about your network, if you're publishing information about the people, that's always going to be helpful to these criminals. Collaboration between groups is happening more and more. And this is a very concerning area that we've seen happening in the undergrounds. In the past, you used to have these groups in the underground and they'd be working only with themselves. They'd only work together with if they were an independent person. But even now we're starting to see, for example, access as a service gangs whose only purpose in life is to figure out how to access a network. And then they will sell that access to another group. It could be a group that uses EMOTET and use it to laterally move across the network. And then they will sell access to a ransomware gang who will ultimately do a ransomware attack. So this collaboration is happening much more often than we've seen in the past. Counter-incident response is used extensively today. So they are obfuscating their malware, they're cleaning up after themselves, erasing their tracks. I was talking to our incident response manager just this morning and I was asking him, what are some of the things we're seeing? And for example, we're seeing now where they will deploy some malware on a device inside a compromised network. And that malware gets detected. So good for the security product that's running on that endpoint, but what we are seeing now is that within a few hours or a couple of days, we see a variant of it popping up and running and being executed on those networks. So they're actually taking that detection and then recoding, refiguring it out on how to bypass that organization, that security product. So that's happening quite often. The attacks today are gonna be across many of the different areas of your network. So as part of that life cycle we're seeing today, as I said, the attacks aren't gonna stop and end at the endpoint. So EDR, great technology, but it's only gonna see a small piece of the overall attack that you're gonna see against most organizations. There's gonna be network access and network traffic that they're gonna be utilizing. It's gonna go into the cloud infrastructure. It's gonna go into a data center. It's gonna use the email. It's gonna use the web layer. All of these areas of your network could be utilized by these threat actors in the campaign against your organization. So that's why we're starting to see more organizations starting to adopt more of a platform approach potentially where the products are working together in the past, obviously we used the best to breed model that worked very well back in the day, but today because those products are pretty siloed, they don't talk to each other, they don't give a lot of information, it's making it very hard for you, the defenders, to manage that and see the visibility of these campaigns. So you detect something on one endpoint, you may detect something on a server in a different area of your network and not realizing that it's part of the same campaign. Today we're starting to see technology innovations that are allowing you to see that and identify that much more effectively. And then lastly, one of the other areas we're seeing today are what we call supply chain attacks or island hopping where they're actually utilizing your software vendors who are regularly, you know, have communications into your networks and they're using them to pop into those networks or you have a small business who's a vendor of yours like in the Target Attack years ago where it was the HVAC vendor who had access to the network and because they're a small business, they may not have as good as security controls as you and your bigger organization and so they will use it to pivot or latterly move from that network into your network. So we're seeing more than that. Obviously SolarWinds was an example, SEA was an example of that. We just saw one just recently happening as well. So software supply chain attacks are gonna be on the increase more and more as we go through it. Now, this next slide, I wanna talk about, you can't see it, but I'll tell you what's going on here. I've been discussing with our tech support organization over the last several years, you know, how are these customers or prospects that call us getting infected in the first place? So what's the root cause of an infection that happens? And there's some commonalities that we are seeing today from organizations that are dealing with these successful attacks. First is weak credentials. So there's no question that the threat actors today are looking to compromise credentials and accounts. If I can get the active directory account, administrative account, I have pretty much keys to the kingdom at that point. We actually see this quite often where that account gets compromised. And so the actors are gonna go in, they're gonna turn off, they're gonna stop the security product running on the endpoint, that process, they'll turn it off because they can, they have that access, they have those credentials. So weak credentials is a big one. Email accounts, for example, business email compromise happens a lot because I'm able to compromise that CFO's email account very easily because they're using a weak credential on it. And then I send emails from that account into the organizations. I asked my finance person, hey, why are transfer a million bucks to this account? I need it today. By the way, don't call me because I'm in a meeting to do the two factor verification process. Second area, outdated and unpatched operating system or applications. We certainly know question that exploits are being used regularly, whether it's an end day exploit, which is a known vulnerability with a patch or a zero day, which is a unknown vulnerability that does not have a patch today. Those are being utilized quite often. But certainly we see regularly customers like, oh, I thought I patched it or I hadn't patched it or in other cases, it's an unsecured device that doesn't have the ability to get patched, for example, or it hasn't been patched in years like on an OT network, for example. So that's gonna happen. Advanced detection technology is not being enabled. So we see this often where customer actually has the technology available to them, they just didn't enable it. AI and machine learning are prime examples of this. So you may be relying simply on signatures and you haven't enabled the behavior monitoring, you haven't enabled a machine learning engine, be able to analyze that malware and specifically those variants of known malware that would be able to be detected by those newer technologies. So make sure that you have those enabled. Another area is misconfigurations. We talked about that earlier, so we see this quite often. And then one thing I wanted to highlight is ransomware gets all the hype today. It's certainly in the news quite often. And one of the reasons is because it is the most visible, most loud threat we've ever seen in the history of cybersecurity. It pops up on the screen and it says, hey, you've been encrypted by Conti or by LockBit or whoever it might be. So when you get ransomware, you know you got infected. The challenge that a lot of organizations have is maybe thinking that that's the only threat against them, whereas the reality is that that actor group has probably been in the network for quite some time because ransomware is usually the last revenue option that they take because it is so visible. They once they launch ransomware, they know the organization is gonna know they're infected and they've got somebody resident in their network. That's just be aware that if a ransomware gets popped up, the likelihood that other activities have been happening is very, very high. Now, the next area I wanted to just highlight is some of the areas that we're seeing them target as they do their attacks. So one area is why am I gonna target credentials? Why am I looking for accounts out there? First and foremost, they're very trusted. Your AD account or your exchange account, Office 365 administrator account, those are gonna be trusted. If I can compromise those, I probably, like I said, I have the keys to the kingdom. It allows them to disguise their activity because again, I'm acting as that person so I can disguise it. There are a ton of stolen credentials being sold in the underground today. So I can go and buy RDP to credentials that were stolen from previous hacks all day long. In the underground and I can use those. And again, if I don't have a very good credential update process happening in my account, the likelihood that I have an account still out there that has the same credentials being run. We also see, for example, I was asking my IR guy today, I said, do we ever see where they can compromise the Trend Micro administrator account? And he says, it happens on occasion, but usually when they find that out, it's because they use the same account credentials that they use for their AD server. So they're sharing accounts credentials across multiple applications. And again, big no-no for most people, but it still happens. And again, weak credentials is big. Now, why am I gonna target people? So again, people are probably the weakest link inside your organization, the employees, but why would they continue to wanna target them? Well, first, it's definitely easier than a technical attack. I don't have to go and buy a zero day for $500,000. I can just craft an email from after my intelligence gathering about this employee who likes, for example, likes the NBA. I can craft an email that says, hey, check out this latest trade in the NBA. Click here, click, boom, infected. Difficult to detect and respond to. A lot of times these employees don't even realize they've been infected. So they aren't communicating it to you in the soccer and to the IT department. So you don't even realize that they're infected and they don't realize it either. People definitely give away way too much information in social media. As I just previously mentioned, the NBA thing, they're gonna give their likes, their dislikes, their hobbies, whatever it might be. So crafting socially engineered content to them is very simple after doing a scan of social media accounts of those people. And it's very low risk for high reward. Vulnerabilities, I talked about vulnerabilities before. Why are they targeting quite a bit? Obviously new vulnerabilities happen every single day. I think the last patch Tuesday, Microsoft disclosed over 140, which was a record for them. And that's just one vendor. So you obviously have multiple applications and operating systems you're running in your organization. You're probably getting updates every day from one of those or multiple of those. And so these criminals recognize that. They actually monitor those patches as they come out and they look at them. We're seeing more and more one day vulnerabilities than we've seen ever before, which is basically a vulnerability that's been exploited one day after the patch was released. So that's certainly a challenge because there's so much information out there being shared publicly. Even the proof of concept stuff out there is being shared quite often that they use that. There's an exploit marketplace in the underground. So there's buying and selling of exploits of vulnerabilities. You can go in the underground and you can search for exchange or Office 365 vulnerabilities. It'll pop up a number of exploits that are for sale in that area. If I want one for a business application, I just search for that and I can find it and then buy it and use it. And then lastly, zero days, we're seeing more and more zero days. If you didn't see Google Project zero last year, said there was, I think there were 50 or 80 plus zero days used in active attacks last year, highest ever seen. And maybe the reason I postulate that potentially is because you're doing a very much better job today of protecting your networks from the traditional stuff. So you're blocking those end day vulnerabilities or exploits that are being used. So they have to move to zero days because they are unknown and they actually still work. And then the last area I wanted to just highlight is why target external facing infrastructure. So you all probably use Shodan or you heard of Shodan. Shodan is a tool that can be used by you or cyber criminals, for example, of scanning the internet for open IPs. And it'll give you information about those IPs. It'll tell you what it is, what ports are open, what services are open. And so it's very easy to scan. And obviously that's the first thing that they're gonna look for in an organization is what open IPs does that organization have? I'm gonna scan those IPs and do a scan on them to figure out is there anything on there that I can target and utilize to get access to that device or that IP. So that's gonna happen. Misconfigurations, we talked about that. They are all over the place. There's exposed ports and services, certainly all the time on these devices that may have should have been shut down. And often it's forgotten infrastructure, for example. We see again, when we talk to customers, they go, I didn't even realize that IP was still there, that device was still on the network. It should have been archived years ago, but it's still active and still there. So that's kind of the main stuff that I had today to talk about in terms of what is happening, how is it happening in the underground? The next, just a few minutes, I wanted to highlight and give you some recommendations that I give customers and people out there on how to help you defend against these. Again, this is a great time right now to really look at your overall cybersecurity strategy and your plan and how you go about things. Because like I mentioned before, with all these different types of TTPs and attack scenarios, maybe a traditional approach to your cybersecurity may not be helping you today. It may be actually hurting you more than it's helping. So first area, audit and inventory. So attack surface management, attack surface discoveries are terms that are being used quite often, but they're actually pretty good because as I said, if you can't see it, don't know it's there, how do you defend against it? So having something that can do some more attack surface discovery for you can help you understand audit and inventory, all of the devices that are on your network, both internal and external, to understand that. And then identify authorized and unauthorized devices and software, make an audit of event and incident logs. So you're obviously logging a lot. Make sure you're looking at those logs and identifying. If you don't have the expertise, you don't have the manpower to be able to do that. That's where maybe look at a managed service provider or managed service option for you. And then configure and monitor. So manage hardware, software configurations. So we talked about misconfigurations. You may take this time right now to look at all your configurations. Have a call with your cybersecurity vendor or vendors and make sure that you have their best practices guides. Make sure you have configured their products properly too and given the best opportunity to tech the latest. Make sure you have the latest and greatest software from them, from those vendors and make sure it's working. Grant admin privileges and access only when necessary to an employee. So again, looking at who has access to your AD administrative accounts, who has access to your customer data and then only limit them to being able to access that at the right time and the right person having access. Monitor network ports, protocols, services, activate security configurations on network infrastructure devices. So again, a lot of this activity, network activity can help you identify if you're compromised. That lateral movement is an area that you can do. Even a command and control infrastructure as it pangs outside to the command and control server or servers out there, you may be able to identify. Maybe that infrastructure is built in a region of the world where you don't have businesses and business. So then you could look at, oh, why do we have something connecting to a server connecting to a server in Zimbabwe or wherever it might be and then you could cut off that access. Another area is patch and update. We talk about that quite a bit, but one area is virtual patching. You may not even, you may not think about virtual patching, but virtual patching actually allows you to virtually patch that vulnerability for a period of time until you actually can do the proper process and QA of the full patch. A lot of times those patches aren't complete. So the virtual patch may have a more complete ability to detect an exploit. In fact, Google project zero of the 24 zero days that have been used in 2022, 12 of them were variants of earlier vulnerabilities that had been used in attacks before. So they're starting to, even the criminals are starting to use variants of exploits that worked in the past because they work now and they can get around the defenses. But virtual patching, look at that. Also a network IPS outside in and inside out, that can help you identify some of this stuff as well. Protect and recover, certainly implement data protection, backup recovery measures as ransomware is one of the big things ransomware was can you back up and recover very quickly from an encrypted system that's encrypted? So that would be a good one as well. Enable multi-factor authentication, definitely got to be that in, especially with, like I mentioned, those big applications, those business critical applications and any access to your critical data, your customer data, your source code data, your IP data, et cetera. Secure and defend, a lot of times there's actually preventative measures. So EDR is great, so for generally, but there's a lot of technology that can actually prevent these attacks. Look for early warning signs. If I see EMOTAT detection in my network, that may be an indicator that there's a ransomware attack coming in the future and that can inform you and maybe look at you to hardening some of the areas, especially if you know the actor group because you could go to MITRE attack framework site, look up that actor group that uses EMOTAT or uses Cobalt strike, for example, and you can identify their TTPs of future areas of what they could inside your network. And then lastly, train and test your employees. Train your employees, train your users. If you're doing a cloud infrastructure, make sure your cloud architects are fully trained in how to secure that cloud infrastructure. Maybe implement some of these technologies today that can identify when somebody misconfigures something and it can alert you or ping that person that, hey, maybe you shouldn't make that configuration change because it's opening it up to attack at that point. So that's all I had today. I hope this was helpful. If there's any questions, I'd be happy to take those now. Thank you very much for the hand claps. I appreciate that. Well, I will sign off then. Everybody have a great rest of your conference. I hope it all goes well. And if you have any questions or anything, you can certainly reach out to me. John underscore clay at trendmicro.com or John L clay on Twitter, J-O-N. I don't have an H there. So thanks everybody. Have a great day and stay safe and healthy. Talk to you soon. Bye-bye. Thanks, John. Thanks very much. Yeah, press the R key to... Which key? Drop the Romeo key to drop the mic. Romeo. Romeo R, letter R. Mio. Yeah. Down your keyboard. If you press R and drop the mark. There we go. There you go. Thank you, John. That was excellent. Thank you, John, the excellent presentation. We're still working on the slide problem, by the way. It looks as if the service that they use for allows us to project slides into the meeting space has gone down. We are contacting... We have contacted and put in a trouble ticket to all space we are tech support. And we've got multiple people working on it. They're doing PCAPs to see if there's anything going on, like some type of network problem, that sort of thing. But right now it looks like the service is down. Now, in the meantime, hey, Giglio, you need to meet your mic because we're getting your keyboards. Thanks. So we're working on that. Our next speaker will be here in about eight minutes. And as soon as they're here, we'll introduce them.