April 19th, 2021 – MITRE ATT&CK & The Perch 2021 Threat Report
In this video, industry experts discuss the MITRE ATT&CK framework and its application for Managed Service Providers (MSPs) in understanding and countering cyber threats. They delve into the importance of leveraging threat intelligence to build effective defense strategies and the value of using frameworks like MITRE Shield to enhance detection capabilities. The conversation emphasizes the need for MSPs to integrate technical knowledge with risk management strategies to provide robust security solutions for their clients.
- The combination of the MITRE ATT&CK and MITRE Shield frameworks allows organizations to understand and counter adversarial tactics effectively by knowing how attackers operate and how to defend against them.
- MSPs can leverage threat modeling and adversary emulation to improve their security posture and demonstrate their capability to handle threats to clients, ultimately offering cyber resilience.
- The importance of deception technologies, such as canaries and honeypots, is highlighted as underutilized tools that could significantly improve detection and response capabilities in a cybersecurity strategy.
Video Transcript
Okay, Well, we are live and back for week 46. Gary, good to see you back with us. How are you? I wanna give us a, Hey, yo. Hey. Ready to roll? Good. Whoa. Good to see everybody. Um, got a lot of people coming in right now, so that's fantastic. We hope Forest Carver from Mitre will join us back here momentarily. We had him in Mire, he might not. Yeah, you got all the forest through the trees. You got all the, uh, all the stuff coming today, Gary. Um, okay.
So, um, if not, um, Ryan's gonna have a very, you know, spirited conversation with himself about Mitre, uh, shield and Mitre attack. So, um, okay. Uh, just a real quick, um, a quick, quick announcement. I'm gonna put a poll in. Uh, I'm not sure if you guys know or not, but, uh, Cyberfish got acquired by Cofense, and Cofense is one of the, one of the largest security firms in the globe.
Um, they own pretty much the enterprise when it comes to phishing and security awareness training and things of that nature. Um, I've, they reached out to me and said they really wanna make a concerted effort to come, you know, support Cyberfish and, and come down market. If you look at the poll, we have access to their, you know, their threat teams and things like that. And, and I'm thinking of how we could best do a cyber call. You know, not, it's not us sitting there promoting Cyberfish.
It's like, what things we really want to know about, uh, when it comes to phishing. Um, what could, what could help your business. As, you know, the cyber call, we're not, we're not a promoting a vendor, but if we can bring their, you know, intelligence team on and, and anything to educate you, we will do that. So that's that announcement.
And then, Gary, I was telling everybody a few weeks back when, you know, you couldn't make it, but, um, you are releasing a new portal and we are going, we're building a security track. Yep. Speaking of more vendors answered by Cisco, but tell us a little bit about what that's gonna be about and how we're gonna open it up, uh, for, for a certain period of time. Yeah, so what we're gonna do is, anybody who is here on the cyber call, we're going to, we're, we're developing a landing page.
They can just go and sign up. They'll get access, not just to the cybersecurity content. We've developed some of it, some of it came from the, the team here, but also they're gonna get full access to all the TruMethods content, everything on sales, packaging, pricing, service delivery. And so, um, yeah, we wanna try to help everybody out, and we're gonna do that free of charge.
So I'm hoping Andrew, maybe by the next call, um, you'll have reviewed the, um, uh, the landing page and we'll be ready to, to release it. It'll be quick and easy for everyone to, to get some help. Okay. Fantastic. Um, Wes, anything from forests? Yeah, his, uh, laptop is rebooting. He's having Mac problems, so, uh, he may be soliciting for it. Help Mac the brutal. Okay, Ryan, then here's what I'll do.
I'll play you, you can play forests, and when Forrest gets here, we can learn a little bit more about, um, um, MITRE. But, um, but you, what, what's cool, Ryan, is you, um, you know, you've mentioned Mitre attack. You, you know, you're, you truly understand TTPs. And, and, and maybe for those of the people out there, if you could explain TTPs and why they're important, and then maybe a little bit of a difference between Mitre attack and Mitre Shield.
And then we'll kind of move into some of what's going on. And to lastly, folks in the call to action, right below, you'll see it says, mapping the Mitre path. And what kind of made me put this together is our good friend Harry Pur, if you don't know Harry's, he's at Mitre. And he was heading up trying to help, uh, with protecting MSPs years ago. And there, but needless to say, he's like, Hey, Andrew, this just got published.
And I was like, wow, Wes, why something that happened in 2017 is just getting published. But we'll, we'll come back to that in, in in a moment. But Ryan, to that question, if you could, you know, help everybody a little bit understand, uh, attack and shield and, and, and start in there. Yeah. So let's first start with TTPs. TTP stands for Tactics, techniques and Procedures. Um, that's a fancy way of just saying how the attackers do what they do or what they do.
We also call it trade Craft, that name, uh, thrown around. Um, and so what Mitre Attack seeks to do is it seeks to, uh, really kind of define adversarial tactics and techniques and common knowledge. So the Attack framework stands for, right? Um, and really it's, it's a knowledge base of information that helps security professionals, uh, to understand those, those TTPs, right? And what SHIELD is, is it's, it's a complimentary framework. Um, and it is really kind of meant to, um, excuse me.
Um, it's, it's help, it helps us figure out how, what to do with those TTPs. So if the attacker is going to use decoy credentials, what can I, like, what can I as a defender do if the attacker is going to use that against me? Right? So Attack tells us here's how they do what they do, and SHIELD tells us, here's what you can do to defend against what they do. Got it.
So there's two things together are really powerful because you can start to answer, you know, know thyself, know thy enemy, know thy battlefield. If you know how your enemy is going to behave in the battlefield, you can start to deploy, uh, kind of counter attack strategies and defensive strategies that are gonna become very effective against that adversary.
And what, what menuPass is, is a definition of a specific threat actor that has been seen targeting MSPs, and it defines what that threat actor is, what the attack, uh, TTPs are that they use. And then you can use SHIELD to say, okay, given they use this TTP, what can I do in my environment to prevent that TTP from being effective? And you can really start to build a defensive strategy that is aimed at a very one specific actor. But the beautiful thing is most actors reuse TTPs. Hmm.
So if you start, even if you took kind of the menuPass, um, or any of the other, um, kind of threat actors that are in kind of the Mitre database that have focused on, uh, CSPs, ITSPs, MSPs, whatever you wanna call them, um, you'll see that they reuse tactics. And so if you start working through those adversaries, you're actually gonna start creating points of alerting and detection in your environment that are gonna actually translate across multiple threat actors.
And that's why, you know, I get so excited when I'm talking about Mitre because everybody Forever has been like, how do you understand what threat actors do? And like, and like, oh man, you must be so smart. And it's like, well, no, you just observe it long enough. You kind of figure out what they do and how they do it. And then you, now we have this database that helps people that haven't, you know, that are trying to figure this out.
You can literally just go and front load that information very quickly and immediately start taking action. You don't need to have been a security professional for 10 years to really start, um, knowing your enemy. Hey, Ryan, when you do this enough, do you start to get some pattern recognition Absolutely. Of Understanding, right? Yeah. I mean, there's, there's, you know, again, we, we've talked about the, the kind of Lockheed Martin kill chain.
Um, and you're really, what you're gonna see is there's, there's really common sets of TTPs that are used in different parts of that kill chain. And so you can almost take a different cut where you could be like, okay, I'm not gonna take an adversary specific cut. I'm actually gonna look at the most common TTPs used across all adversaries, and I'm gonna look at them across those seven phases, the of the kill chain. And I'm gonna use SHIELD to build protections in for each of those.
And so it, it, it really, it's a really powerful framework. 'cause you can use it in multiple ways to build out a really strong way to defend your network, whether it's threat actor specific or, or TTP specific. Um, it's, it's, it's just a, it's just an incredibly useful tool. That was, that was, that was a great explanation. And you know, with Forest here, let's first do a sound check for us. Everything good? Two thumbs up. Awesome. It's great to have you with us.
You're coming to us from Germany. Yeah. Yeah. And uh, I just had to get my lucky Murray State coffee mug. That is what gave me the it go Racers skills to fix the MacBook Audio Fancy Go Racers, it's great to have you. Thank you for joining us. For us quickly do a quick timeout. Ask you to tell the folks here a little bit about yourself. You've been with us before. Um, and then I'll have Ryan jump back in. 'cause I think you're only with us to the bottom of the hour. Is that correct? For us?
Right till about halfway through. And I can, I can go a little over if I need to just, uh, deconflict a little bit since the time zone difference over here. But yeah, so just real quick intro. So I'm an, I'm an engineer with Mitre. Um, I've been with Mitre, actually this is my fifth year. And before that I was with, uh, the Department of Defense for, uh, almost eight years. All in kind of cybersecurity, actually started in vulnerability assessment and blue teaming and that kind of stuff.
Audit and risk. And then, um, moved into penetration testing, red teaming and, and all that with the government. And then since I've been with Mitre more on like the defensive side detection, analytics and things of that nature with a little bit, a little bit of the pen test, uh, computer exploitation and all that work. But I, I picked up Ryan's description of Attack and Shield and really, I guess I ought to have come prepared to give him a job offer as we speak.
'cause he really broke it down, I think, in a pretty accurate way. Yeah, I, Uh, you know what? You probably can't afford 'em. Oh man. They're probably trade now Are where it's at. Yeah. He's the CSO of a publicly traded company. Fair enough. Fair enough. Yeah, he's backing Up. Alright, well it's great to have you with us Backing up the Brinks truck. Thanks for joining us again, Forst. Um, Brian, let me let you take, uh, take it from here with Forst.
And, uh, I, I would love to see you put in some flavor on your, uh, resilience and right of boom stuff if we have time for it. Uh, because I think this plays right into it. And then love to hear eventually from Gary if this is operational and if so, uh, how, um, you know. Yep. No problem. Ron gotta gotta pick the dog up. This is a family family show. I, I got a Filler question while we're waiting for the, uh, barking pooch.
Can you, um, for can you talk to us a little bit about, um, the Center for Threat Informed Defense and what all is going on there at Mitre? Yeah, so I mean, honestly, I'll have to defer to a couple other guys that are really still neck deep in that. But the whole concept of the, uh, Center for Threat Informed Defense is like Mitre people, I used to know Mitre because the CVE database, like we are the database for the entire world for like vulnerabilities.
And when you get your like, vulnerability scans and patches, right? CVEs where it's at. So we might just been doing that for a long time. Attack was really, i, I guess our foray into doing that. But instead of just thinking about vulnerabilities and patching, it's like, how do you describe adversaries in the same way to get us all on the same page, the same lexicon and all that. And, and actually like Ryan broke down. It really makes a lot of things more straightforward, right?
When you're like, oh man, somebody's already mapped this, this particular APT group that's coming after my industry vertical. I can just look it up and I can, the whole attack framework's huge. And you can't defend against all that in a day. But now I can zero into like the 10 relevant to me. And I heard Ryan talk about even the Forget APT groups, right? You just talk about the most commonly occurring TTPs. 'cause they crosscut APT groups and that's a great recommendation too.
So, so the Center for Threat Informed Defense, right? For those that really haven't heard about Mitre, we've been around since the forties, but all we do is work for the federal government. And we really started in the Department of Defense. And even now we only work for the federal government. And so a lot of cool like intellectual property and research and things we were doing. And every once in a while, a little bit of it, we can publish to the whole community, right?
Like CVE and like attack. But a lot of it we can't. And we, we kinda had some conversations with the government and they were like, Hey man, look, if you look at where, you know, the industry's going, especially in cybersecurity, they're like, really industry is gonna be the solution to these problems.
Not like, you know, a couple of decades ago where the government was trying to solve a lot of these big problems, when you think about critical infrastructure and when you think about the banking sector, all these different areas, industry's doing a lot more innovation now in general than the government.
And so the Center for Threat Informed Defense was something the government allowed us to do, where we could actually do basically collaborative R&D with industry to try to bring some of that intellectual properties, some of that expertise we developed in the intelligence community and in the Department of Defense and all that, but really partner with industry to tailor it to industry specific problems. So, so that's really what they've got going on there.
Uh, uh, most of it is around the concept of threat informed defense and doing analytics better defenses better, um, and trying to publish some capabilities from like an open source perspective that could be ingested by, uh, yeah, a Fortune 500 company, but could also be ingested by like a mom and pop shop trying to get started, um, so that they could get their cyber program off the ground. So there's a lot of things going on there.
The, the most recent, which actually I think is, uh, we, you're probably tracking the concept of sightings, but, uh, CTID is working the sightings effort now to try to get people to not just use attack in your analytics, but as you have hits on those analytics to share those back to kind of the consortium as sightings. So now it's not just us reading threat reports saying, oh, these are the most commonly occurring things. It's actually based on real analytics hitting across industry.
You're like, Hey man, I'm really seeing bad guys do this thing. Um, and then we can correlate it in industry verticals and do all that kind of stuff. And pretty interesting. So sightings is going on. And then there's also this concept of, um, basically purple teaming and, and using automation around emulating bad guys and then trying to bring some automation around detecting bad guys and playing those things out in a purple teaming way.
I think those are probably the two big things going on right now in the center. Very good. Very cool. Very cool. Alright, Ryan. Ryan? Yeah, so I think from, from, I'm getting really bad feedback. Yeah, we're getting that going. Lemme go on mute while you Try it out. Um, yeah, there we go.
So I, I, I gave a little bit of an overview of Attack and Shield, but from your perspective, what's the most intelligent way for MSPs to, to kind of leverage that framework, um, to, to protect themselves, to protect their customers? Like what's, what's kind of, you know, what have you seen, how have you seen people use it? What do you see as being the most effective? Yeah, so I think what you were breaking down a second ago, Ryan, is spot on.
The, the concept first is there's a lot of things in attack, right? Because there's always gonna be more and more ways that adversaries exploit our systems, whether that's the vulnerabilities upfront or if that's some new novel zero day to hook some Windows process, right? Cyber changes under our feet multiple times a day.
And so you're, as we expand attack on an ongoing basis, again, the concept of trying to build analytics or defenses against 100% of the attack framework is unrealistic in, in a short amount of time and depending on your resource constraints. So I think the way you explained it is absolutely right. You can use the research that we've done and you can augment yourself too. But, but we are leveraging CrowdStrike and Mandiant and all these others that are doing real world investigations, right?
That's where we're pulling the data when we do APT mappings and attack. And you can use the work we've done to say, Hey, look, who is coming after my industry vertical? Or who's specifically targeting MSPs? Kind of to your point. And then you can just target that subset of attack. You know, it might only be out of, instead of 500 things, you're looking at 12 things.
And it doesn't mean that you don't need to eventually get to the 500, but it does mean that like the bad guy coming after your house is most likely to try like the front windows and the front door and then the side door, right? So go detect those things first before you start worrying about second story windows. 'cause the bad guy coming after you doesn't have a ladder, right? There's my, my little metaphor there.
And so I think you can use that first to understand your threat model and then you use that to drive building detection, analytics and stuff like that. Am I gathering the right logs? Am I collecting the right information? Am I getting it from hosts? Am I getting it from servers? Once you've got the right data, then you write the analytics, then you test the analytics and we've got a capability. There's many out there breach and attack simulation tools, right?
But, but our open source one is Caldera. And just recently actually, I partnered with an agency where we were using Caldera to automate that threat model that I just described. We'd tune analytics, we'd automate, we'd tune, we'd automate, we'd tune until we had low false positive noise and high detection rates. And uh, and again, that was just for the subset that was a priority for them. And I think you described SHIELD perfectly too, right?
'cause it's all well and good to say, Hey, bad guys are doing things and now I'm collecting logs so I can detect the bad guy doing things, but the bad guy's still doing things. So how do do I actually stop them? Or how do I control their activity? How do I defend and not just detect? And that's where SHIELD comes in.
And, and I think what, uh, what our team supporting Shield just did where they had leveraged the same APT group mappings was super helpful because if you're already high speed on attack and you're using our mappings APT groups there, then it's really intuitive to switch over to SHIELD and look at the defensive recommendations for those specific TTPs. Yeah. Yeah. Just a pro tip to add onto there, right?
For those MSPs that are with us that are using the CIS framework, CIS is mapping to Mitre attack. Yep. So if you can take the controls you have, they're mapped to Mitre attack and attack maps to shield, you can now very clearly say, because I have these controls from CIS implemented and operating effectively, I have the following countermeasures to those TTPs from the attack framework implemented.
And then you can start to actually look at the threat profiles or the threat models that you have where you have coverage and where you have gaps. Which leads me to my next question. We talk a lot about knowing your enemy threat models, threat profiles, et cetera. That's still somewhat of a nebulous concept, I think for MSPs, right? They don't, they don't really know or understand, how do I go about understanding my enemy?
Is my, my enemy might be APT28, or it might be random guy that just joined up as a ransomware affiliate and decided he wants to focus on MSPs. How do you recommend that with all these techniques and countermeasures, MSPs should choose where they should focus. Like how do they build that threat model? Or what, what would you recommend they do? Would you say, well, menuPass is in there, so go model menuPass.
But menuPass may or may not be representative of the most common threats threat actors that they're coming, uh, coming into contact with. So how should they think about building that profile and really applying this to themselves when they may not fully understand their enemy? Yeah, no, that's a good point.
I think that you could take one of the groups you mentioned, one of the more ubiquitous groups like 28 because the, Or APT3 or, you know, there's a few that I think are kind of foundational that people have been looking at for a while. But I think that your point you're making is start somewhere, right? And, and, and then if you, if you pick one as a lesson learned and you want to like, let me, let me investigate what's mapped for APT3.
Let me investigate what's mapped for, for FIN6 or for menuPass, right? It gives you a place to start. You begin to understand the framework, you understand how it's used. And then as you do it one time, you'll see that the way that we've already mapped for a given adversary, like say menuPass, there's, there's all the, all the research is footnoted at the bottom, right?
So you're like, oh, I pulled this from this FireEye report and I've pulled this from a CrowdStrike report and I pulled this from, uh, an NSA or an FBI report. Right? We all those are linked. And then if you, if you really wanna start to understand that concept of threat intelligence and how it's being analyzed and how it's being associated with those different TTPs, you can just use it, um, just as almost like a case study right? To read for yourself and really start to understand it.
But I just encourage people to, to start somewhere if you pick one of them and then just ask yourself for your environment, like, am I collecting for this subset? 'cause again, you, you just can't solve world hunger in a day. So pick one and pick one with just a few TTPs and then begin to ask yourself for, for both for my own enterprise as an MSP, but then also for my clients, am I collecting the required logs that I would even need to do this thing?
And then if I do have the data, how would I, how would I query it to detect the actual malicious activity out of all the real legitimate activity? Right? And if you just train yourself to go through that kind of one time, I, I think that a lot of light bulbs come on. And then actually, since we're talking about menuPass, right? I'll like toot my own horn because I was like heavily involved in this Center for Threat Informed Defense that Wes brought up until I moved to Germany.
But the last thing that I was part of was the public release of this menuPass emulation plan where basically it's like a pick your own adventure book and you can just follow the script to emulate like a nominal menuPass attack, how they do infrastructure setup and how they kind of get intel on your environment. How they start to walk through their process to get access and laterally move and ultimately, yeah, hit, hit like a ransomware type threat.
And we've got emulation automation capabilities for all that. You can walk right through it, either hands on keyboard or you could use an automation tool to just click go. But if you, if you want to use that, like test yourself and then, and then go look at your SIEM and like, Hey, did we, did we see the thing? No, we, we didn't see the thing. Okay, try again, try again, try again. And that's actually where I really think the power of automation is.
Since I, I mean, I used to be on a, on a red team, a pen test team, right? For the government. And even if you use the same human two times, they're probably not gonna attack the system the same way. And so it's really hard to do that tuning process, right? But if you can bring some automation to bear, I think it, it, that just helps, you know, bring everybody up to a certain level and it's repeatable. Yeah, I agree.
We've, on the call, we've talked a lot about CIS controls and we've talked a lot about adversary emulation or attack emulation, right? But really the middle of that sandwich, the meat of that sandwich is attack and shield, because you don't get adversary emulation if you don't have a common language and, and a way to model that behavior.
So, um, you know, I think you could take the blind approach, I'm just gonna do CIS controls and then I'm gonna do Caldera or Atomic Red and wanna see what I see and see what I don't see. But really understanding kind of what that sandwich is, is, is made out of, so to speak, is is, is incredibly important to really understanding what you're measuring when you do those adversary emulations, right? Yeah, absolutely.
And, um, I saw somebody earlier actually kind of posted about, uh, Red Canary's Atomic Red. So I certainly don't want to just like only toot Mitre's horn, you know, that you've got a lot of people out there that even partner with us in the center. Red Canary is certainly one of 'em, uh, to, to automate kinda adversary emulation. But you're right, you've gotta have that common framework, that common, that common terminology, so we all know what we're talking about. Yeah.
Um, and it gives you an organizing principle. The other thing, actually, I wanted to point out, I, I don't know how much it's gonna impact kind of MSPs and then the, the various industries that you all work with, but Mitre is also, since you mentioned CIS controls we're about to public release or just did, uh, a correlation of 800-53 and 800-171 controls also to attack.
So kind of in the same vein as CIS, if you start looking at vulnerabilities and what adversaries really do, and then you start implementing those 800-53 or 800-171 controls in your environment, you'll also start to see that correlation. Like, oh, okay, if I implement this control, it should give protection or detection against this subset of adversary activities.
So then it, I think, you know, from a, a CISO kind of perspective, or even as an MSP doing security as a service for a client, overall, this is risk management, right? Right. And it all costs money. It all has to have a return on investment. You're all, you're trying to drive to some acceptable level of risk. So when you can start integrating the nerd speak of attack and shield with, with what, you know, with what I mean truthfully, right? Like, ah, it's T1007. Like, what does that mean?
Well, once you start, you know, integrating the nerd speak with what the leaders care about, like acceptable risk and risk management and, and how to control the enterprise, and on that kind of teeter-totter of cost and, and return, I think that's where you start really getting senior leaders to, to understand and to, and to appreciate the impact.
I think that's, I mean, you, you, what you did is you just, you know, whether or not you realize that this is a very technical audience and, and they understand the concepts of risk, but they're not risk, you know, cyber risk experts probably not to the level that, like Wes and I are, right? Mm-Hmm. They understand technology.
And so if you can say, I've, here's a technological representation of the capabilities that you need to have for cyber resilience, and you can look at them and say, if you do this one thing, you can reduce X amounts of gap. What you're saying is, your investment in this activity or building this capability is the most risk reductive thing that you can do. And that's really ultimately the conversation that we wanna be having both for ourselves and and and for our customers.
So Andrew, you Yeah, I was gonna ask, lemme ask, because I, I love the way Forest talked about the techniques and that, you know, hey, it's the first floor that'll typically come in, but not the second floor. My question is to kind of, to Gary, Gary, you know, hypothetically you own your, you know, third or fourth MSP now and are, are you, you know, talking on that right of boom with a customer in, in layman's terms saying, Hey, would you want us to stop these threats?
'cause we now know for your industry how they're attacking you at the first floor of your home. And, and using that as a maybe a wedge to start to get into it. I am just wondering. And now we have sandwiches versus chocolate cake. So it's, it's right up your alley. You're on mute. You're on mute. You guys can't read lips. Not well. So we've been, we've been talking about this, you know, kind of on and off, right?
Every few weeks, this kind of same topic comes up about how does an MSP have a conversation both with a prospect and with their customers, um, to be able to have them start to see things the same way without completely nerding them. Right? Exactly. So the customers just want to have, you know, an understanding.
And I'll tell you, um, fors, something you said struck me, which is we've been focusing so much on, um, the controls, but now what we're talking about is if you can really understand the actors and the threats and see how that matches up, you won't see it as flat anymore. Right? You'll see and be able to have these conversations, I think in, you know, uh, risk level, high level terms with customers so that they can more quickly get an understanding of where they are and what needs to happen.
And once you do that, Andrew, um, this idea that customers won't do it, you know, sometimes that means money, like they're gonna invest more with you, and sometimes it means they have to make trade offs, right? In their business between convenience and security. And they'll start to do that. If they're not, then we have more work to do here because it's our fault. It's not the customer's fault every time. Yeah.
What I heard, and I'd love Forest's comment for us, I just wanna say is that, and, and you really did a great job of that for us, but it allows Gary to tell a story and stories are things that sell people now. It's just like, Hey, in your vertical, here's what's going on.
And I'm not simply talking about, let me talk to you about this control, and let me tell you what it does where that's Yeah, I, I was saying Andrew, like, you know, if I'm gonna, if I'm selling, I'm a car salesman, I don't need to be able to build an engine, but I gotta be able to do more than drive a car. Mm-Hmm.
Like, I have to have some idea of what's under the hood, how, you know, how an operationally so that I can explain to people those benefits compared to, you know, you know, other things. So I don't need to be a mechanic, but I can't just be a driver. Yeah. And so that you're talking about is understanding the engine and how it runs. So when there's an issue with it, you get it. Yeah.
And the concept of right of boom actually is a really powerful thing because I think, uh, I don't know what it's like now, but, but when I was still more on the like risk audit side of life and compliance audit, everybody just wanted to prevent, right? Everyone was looking for a silver bullet. They're like, Hey, if I put the triple mega magic mocha firewall out there, right? The new one, the triple mega magic, no bad guys will ever get in, right? Because that's what I want.
I wanna buy the thing, the magical appliance. And you're like, that appliance doesn't exist. There's, there's really awesome appliances. You actually still have to configure the That's right. And, and the truth is, eventually bad guys gonna get in. And I think so many times in our security programs, we invest heavily on this prevention, uh, kind of line of logic that ultimately will break down, right? You see all the major vendors writing papers on this now, right?
Assume breach though, it will happen. And then you start thinking like, wow, if I put 90% of my security budget over the last five years and into super mega whizzbang appliances at the boundary, but oh crap, now the bad guys are in, and you kind of like look behind yourself. You're like, okay, the guy got past me and I, I don't even have any lights in my house. So like, now I'm trying to find the bad guy and I can't find him.
He's in my house, he's doing things and, and I don't even know where to start now. And that's kind of where I think ATT&CK was trying to lead us was it starts with the bad guy has access, it starts with boom. And I go, oh man, well now that he's in there, we're in a whole different kind of fight than when I was in the prevention fight.
And, uh, you know, that that joke about configuring it well too, man, I remember, we'll never forget I was doing an inspection of a place that, uh, with no details, right? And they're like, ah, you know, I, I'm reading the policies. 'cause everybody cares about policies at the C level, right? And they're like, I'm like, show me where you have a policy that says you have boundary defense. And the guy was like, had this 300 page binder tabbed out. He flips to the page, it's highlighted.
He's like, yay, very, this is my policy. And c paragraph two sentence one, we shall have boundary defense. So from a policy perspective, you're like, checking the box. And then I go over here to go like, walk through his data center. And I'm like, so, so show me that sweet mega magic firewall, right? And he's like, it's right there. And it was, in fact, it was right there in the rack with the ethernet cable routed completely around it.
So like, so I mean, it was there, it got bought it from a policy perspective. They checked the box and whoever was the engineer, like, oh, we bought it. It's in the rack. But, but, but they really had no security. And that's why I really care so much about finding the right stories to bring the policy leadership, the ones who make decisions together with the technical staff.
'cause otherwise policy people make jobs too hard for the technical staff and then you end up with bypass firewalls, right? Or, or the technical staff try to explain something to their boss again in that nerd speak and the boss, it doesn't, it doesn't link. And so I think, yeah, for, for an MSP, when you're coming in with that level of subject matter expertise, you should be able to bridge that gap to help them understand that policy and that level of leadership.
When we say risk management, you're managing real risks, like the potential of a bad guy getting in and can I recover from a ransomware attack and how many dollars am I losing per minute and how do I get that data back? And like all these things, they're, they're real things we have to be thoughtful about and and really be able to control. I a question for Wes. Oh, I'm sorry, go ahead. No, I was gonna say the PowerPoint story with MITRE ATT&CK framework, I'll give you a real example.
I, I, as a public company, you have an audit, uh, an audit committee. It's a subsection of your board of directors that cares about the due diligence and due care and risk management of the company.
So I, I went in front of our audit committee last week and one of the things we talked about was, um, hey, we actually emulate the behavior of threat actors and that that threat actor that you're worried about at that other MSP centric, uh, public company that got compromised, we emulated their behaviors and we found that we had, you know, 70%, um, overlap in all of the detectors that we, that could potentially fire it through the entire kill chain and we're closing the gaps on the other 30, right?
Imagine if you're the MSP talking to an SMB and you can say, we've done a case study of the capabilities that we deploy and here's how bad guys do what they do. And we've tested our capabilities against that and we can offer you 95% assurance that we will either prevent or detect them once they get into your environment and minimize damage, which is ultimately cyber resilience, right? You're offering 'em cyber resilience.
But through the story of we understand what bad guys do, we've measured our capabilities against that, and we can articulate to you that we understand what they do and that we know that we can defend against it. That's an incredibly powerful story. It worked with my board. It's definitely gonna work with your customers. That's spot on.
I mean, that, that's the exact logical flow that should drive a decision to a decision maker to understand, ah, they understand my problem and, and they understand how to come alongside me and help. Right? It it's huge. Yeah. And it's a real answer to the, I could, what happened at, so-and-so happen to me, well, I understand the threat actor. I can map the threat actor to their TTPs.
I can look at what SHIELD says to do and I can determine if I do those things and I can model them with Atomic Red or CALDERA and like I can actually walk towards a real answer instead of a feels like answer. Right? So anyway, I was, I interrupted going to Wes, so go for it. Yeah, Go ahead Gary. Yeah. And kind of that was, I'm glad that you kind of went in the same direction I wanted to ask Wes. Wes, you work with so many MSPs, right?
And when you see people, those MSPs you work with that are, um, further down the line with their security maturity, so they spend more time on the things we're talking about today, understanding right of boom, are those MSPs also translating that, like Ryan said, you know, in terms of, you know, protect and detect, like they can actually get better on the other side of it 'cause they have that understanding. Yeah. Uh, they are, um, there's, uh, there's clearly varying degrees of that, right?
But like, I think I look at it like an offshoot of a mature security, uh, program in your own MSP an offshoot of that a sign of success with, there's several signs of success I look for, but one is not only do I understand detection versus response versus recovery versus prevention, all these things, but I can actually convey that in ways that make sense to management. And in my sales motions, my, my sales team can understand a high level of that to defend the, the value for it.
Just like Ryan kinda gave that example of like 90%. Like I think that's powerful. Um, but then also I think it manifests in other ways too, Gary, um, not just the understanding of it, but you see it manifest in ways like how they even present pricing and packaging, how they even describe the tool sets and the stack that's provided. Like you see this in a lot of offshoots that I think is actually quite unique that MSPs have a much deeper of understanding of than enterprise do.
And enterprise can still be very, very confusing in their approaches when they go to the board and they want to explain everything their, their security program is doing. They can get lost in a thousand things and, you know, endlessly long rows of, of Excel spreadsheets showing all the things they do. Whereas an MSP, a good one, can actually come at you and say, here's how we provide security. Here are the check boxes.
Like for example, use, um, the, the cyber defense matrix, here's how we cover all of this, or here's how we align to like 95% of the critical security controls in implementation group one and two. And we take care of all of that in MSP cybersecurity package at this much a month. Like they're really good at explaining this in a powerful, simple, effective way.
Um, so yeah, Gary, I do think there's that correlation there, Which by the way, once you're good at it, this is what everyone should understand once you're good at it with the customers. And that's really important. That's the same skillset that allows you to uncover pain with a prospect and create separation between their other alternatives, uh, in you.
So it's that same process that helps you bring on new customers at the right price as to being able to go to your customers and have them understand the investments they need to make in the changes and protections that, that you're making. So the logic is, is identical and that's why top MSPs are growing so fast. They're growing their current MRR base and they're adding more customers at a higher price than their competitors.
When you do those two things, um, you know, margins go up pretty quickly. Yeah, Good stuff Gary. Yeah. Hey, and Forest, I know we're, we're over your 30 minute commitment, so, uh, I don't know how much longer you're able to stay, but I did just personally wanna say thank you for joining. No, thanks guys. Thanks for the opportunity. This is awesome. And honestly, it's, this is exactly what we want to hear, right? That the things we're doing, people actually find them valuable.
They're not just like, we're not just publishing on people, like, ah, that's too hard to use that, you know, it doesn't make sense. It the fact that there's old community and, and you all are finding it useful, the logic makes sense, the time we're spending mapping them makes sense. Um, I, that's just powerful for us to hear.
And so I will at least say that if you do have any feedback, if you look at any of the things we're doing, whether it's ATT&CK, Shield, and it doesn't make sense, there's attack@mitre.org, shield@mitre.org. I personally know the guys on the other, or and gals on the other end of those email boxes. If you wanna email me directly, I'd be glad to let 'em know your email's coming. But help us make it relevant because, uh, you know, we're, we're spending time doing this.
And certainly if, if you look at it and you think it's stupid, then we're not really accomplishing our mission of helping the community all kind of get better together. So if you'll help us with some feedback, we'll be glad to tune those products. Fantastic, Forest, thanks a million for staying for, and uh, it was great to see you as always. Brian. Call me, man. MITRE, call me. Bye guys. See you, Forest. Call him on a Secure line a signal. I'm gonna skiff.
Hey, can I go super off script for a minute? Uh, you know what would be really cool, Andrew, and I'm gonna look at you on this as well, Ryan, 'cause maybe you and I need to co-lead this, but, um, who here would be interested in like a threat modeling workshop of sorts where we sort of take Yeah, I'm raising my hand too. Yeah, we sort of take a, you know, maybe we start at a threat actor.
Maybe we even start with menuPass and, and do like an hour, hour and a half, maybe even two hour session, all probably like in Excel or something like that. And how we can walk through threat modeling and how we can actually take that and at least do the beginning pieces of what is this, how does it look? And then how can we begin to model with our own MSP? So give us a yes in, uh, chat if you guys would be interested in that.
Um, not that we have all of the answers, but I think that'd be great because Ryan, I think what's so exciting about this is yes, the yeses are coming in. Ryan, what I get excited about this is like, I feel like in the past maybe two years we've finally gotten this point, not just in the channel and with MSPs, but even in enterprise Ryan, we've got to this point where we're bringing data science into security.
And we're finally like, no longer do we have, like, you hear the, you know, the, the post breach, what the heck happened, like what, or, or you also hear in the front pre-boom stuff like, man, I heard X, Y, Z got hit. And then you see people knee jerk too, well, I've got such and such a vendor so that can't happen. And I'm like, what? Like, none of that makes any sense at all. It's like a bunch of like potion that we're putting into a cauldron and hoping it comes out to some answer.
But like the reality is going through threat modeling exercises and understanding what we have and what goes into our security program, it's hard to do, but it, it really does bring light and insight and science into what we're doing. Don't you feel the same way, Ryan? Yeah, I mean, I'll, I'll take it a little more pie in the sky.
I wish that the breaches that were happening that there was some sort of requirement that you not only had to disclose and report them, but that you actually had to release the, the MITRE ATT&CK map of how it happened, right? Because then other people can take that and they can emulate it and they can model it and they can, they can answer very and like otherwise, it just creates a lot of this hysteria.
You know, the technology has definitely come a long way, but we know technology is one piece of three pieces. The people in the process are just as important as the tech. And so yeah, for sure. I, I completely agree. And I, I, you know, I've, I've said this in email offline, I'll say here I am all in on threat modeling and, and threat profiling. 'cause I think it's one of the hardest things that MSPs are struggling with. How do I understand my enemy, right?
They, they can know themselves and they can know their battlefields, but how do they understand their enemy is one of the hardest problems for them to solve. And I think we could do a lot better. And I think it's also, listen aside from talking to customers, right? And prospects, you know, MSPs tend to have their cybersecurity knowledge, um, in really small areas like a person or, you know, and so this same type of thing, I think Ryan is how you start to get the basic knowledge, okay?
So that when anyone does any job in any delivery area, they have that thought process when they're doing something of the impact. Once they understand it, if they don't, they're gonna continue to do things that create risk as a byproduct 'cause they don't even understand it. Whether it's professional services, centralized services, support desk, what, what, whatever it is. And that has to happen, right?
The general, uh, cybersecurity, uh, knowledge and awareness, it has to start to permeate everyone, uh, who touches anything on your systems or your customer systems. Great. Um, I agree. And Ryan, one thing you said that was really good, I want to come back to, if I were writing policy and law, uh, I would actually go exactly what you just said.
I would force and mandate in cyber law to say in breach response and in disclosure, ye shall describe with MITRE ATT&CK how this thing happened in every single breach. Um, imagine how powerful that would be for us to kind of get that data back that comes back to us and we, we really begin to understand it's not just, you know, what you hear is hearsay, but you actually have real data behind what's happening.
Um, and imagine what we could do with that as a follow up, Ryan, that's, that's a great example. What Forrest was talking about, policy driving true effectual change. That that would be one really, really good example. Yeah, Great. Questioning all the building blocks come, right? CIS is mapping to MITRE. You have the attacker emulation technologies out there. They're giving you the information, the framework's there.
We just, we just need to figure out how to build it in and from a process perspective, uh, in how we manage. And we talk a lot about like, how are we as a community gonna get organized? You know, I'll, I'll, I'll put a dollar on, on, uh, on the, the square that says that MITRE ATT&CK is gonna be absolutely essential to the community organizing around this problem, right? And let's spin the wheel and see if it comes up. I'm, I'm, I'm betting my chances are pretty solid on that one.
What was it Wes? A great question. I'm glad you brought it up. Um, what we could do offline is work, you know, together. Um, me and Gary can, can work on, you know, landing pages and things and, and work on something that's meaningful for everybody in a workshop. And I, and I, what excites me is this has really brought a, a real three dimensional f if you know what I mean. It's given it actual full color versus just, Hey, we live in a box and let's talk about a framework.
Well now we can actually apply all of this in real life. So this is really exciting. Um, yeah, it's Good. Andrew, we, we try to do something big like this every quarter. This is the perfect, Yeah, this'll be the next one. Very cool. Thanks wes for that. Um, Gary's gonna take that and, you know, uh, actually, um, say it was his, I just want you to know Yeah, I I'm used to it. Yeah, absolutely. I mean, listen, your point, What is it?
Uh, good, good writers borrow and great Gary Peak as Steel, I think is something like that is the quote. Yeah, I never had an original thought in my life. All right, well, fair enough. Let's go to Wes. Um, and, and we, cool, we got some good questions coming in here, so I promise you guys we'll get to this.
Um, Wes, um, this, you know, as we talked about this today, it reminded me, and I'm not sure if folks that on with us today, remember Chris Sanders, but it reminded me of when I looked at menuPass and, and I hope you guys went to the URL here to take a look at it, it reminded me of, okay, well if we see how they're attacking us, and I'm using the term loosely here 'cause we were talking about Canaries already, but Wes, uh, honeypots, right?
Can you kind of frame out for folks what that was about? Who Chris is? Yeah. And, and, and is this where we use those types of things? So first of all, uh, credit where it's due, Chris is also a, uh, Murray State alum Go Racers, uh, uh, there's quite a few of us running around, um, and was a fellow student of mine.
So we had Chris on, on a previous cyber call, and I don't remember, this goes back to that conversation we had last week of we need to help like crowdsourcing metadata from different cyber calls, because I don't remember which one he was on, but it was really good. So he, so he's, he, uh, runs a really awesome, um, uh, like a training, uh, company, uh, in cybersecurity.
And he does, he just came out with this book about Practical Packet, no, not Practical Packet Analysis, um, uh, Intrusion Detection Honeypots, it's yellow book. Go get it on Amazon. Really, really good. And you know, we, one of the things we talked about on the call was sort of this idea of deception is an offshoot of detection. You don't see it in the MITRE, or I'm sorry, in the, uh, cybersecurity framework.
You don't see it ever listed in frameworks itself, which I think at some point we need to visit that what does deception look like? Where does it belong? But I sort of, at least at the moment, I sort of see it as an offshoot of detection because we can leverage the same things the bad guys are using in terms of detection, pre attack, pre-boom to fool us. We can take those same tactics, seize those and say, we're gonna turn those back onto you once post boom has happened.
And I'll give you an example of that when you look, and I've got it in front of me right now, so sorry for not looking at the camera, but I'm looking at MITRE Shield right now. Um, if you click down below where, um, Andrew has the mapping to menuPass at the bottom of this screen, you'll see this come up. You can actually just even like Ctrl F or Apple F for you Apple people here, um, go through and find like these ideas of like decoy deception.
There's quite a bit of this that have been put in here of like deploying decoy systems to look for scanning, to look for, um, you know, using a particular account or a particular device or a particular file, um, breadcrumbs, things like that, that exist to say, Hey, look, that's, that's nefarious or at least abnormal activity that should not be happening in my network because I know I've set that up as a decoy, a trap as it were. And that's powerful, right?
That's a powerful way for us to say we're operating under assumed breach and should we see something hit that we're gonna do something about it. And you actually see a number of these techniques that are all around decoy and deception all through, um, this particular, uh, Shield entry on, on APT10 or menuPass. And so I think that's powerful, Andrew.
I think it's something that we should begin to think more about of how can we productize or consumerize and make this more usable in terms of, uh, deception based technology. Because certainly it's not as easy as just pushing button, getting deception. Um, but Andrew, it's really powerful for sure. Yeah. But today Wes, like, I'm sorry, Andrew, today, if you look at MSPs like how prevalent is this in, In real life?
It's not, I mean, there, there certainly are like canary platforms and, and honeypots that are open source. Go get Chris's book and you'll see any number of them that are actually really powerful. But I don't see it very often. Um, I know my friends at Huntress are doing some canary stuff, which is really, really cool.
Um, I know at Perch we have some integrations in with like Red Canary and a couple of the other canaries that are out there, should you wish to deploy your own and then have integrations in with perch on the alerting. But I don't see it commonly. Um, and, and, uh, Ryan, I'll turn to you on this. You know, the reason I don't think it's common is we really haven't, um, gone down that journey yet of like bringing better awareness to deception.
And then we also still don't really have it productized in consumable ways that we truly need in the, in the channel. Um, but what else would you add to that, Ryan? I think it's the productization, right? I think Huntress is doing a lot of, like, um, my understanding is they, they've kind of really brought the, the concept of, of canaries to the, to the channel with and with, you know, I think if you Google MSPs and Canaries, it's like one of the top results, um, in there.
But the idea of a canary has been around for a very long time, right? And honeypots is, is a, is a way of really, when you talk about a canary, right? The canary in the coal mine is the thing that when it stops chirping indicates that there's a problem and you should probably get out, right? So canaries in, in this world are, it can be a number of things, and we've usually, usually thought about them as files, um, or network services.
But when you think about the ransomware threats that exist now, you could have, um, you know, look at like real ransomware and all the things it tries to kill or stop. You could have canary services, you could have canary processes. You can have all sorts of different things on your, you know, in your environment that give you that detection, right? Because it's really what canaries are.
They're detective pieces of technology that give you a chance to determine that an adversary has bypassed your protective layers. And, and to me it's really just no one has figured out how to productize it, or, or another thought here is it's so simple that no one has thought to productize it, right? Because just go create a process on all of your systems that's backup.exe. And when that gets killed, you know, there's ransomware in the environment trying to destroy your backups, right? Yep.
Um, like there's just, you know, you don't, you don't really need to buy something to do that, but, you know, maybe that's an interesting add-on to some piece of technology you already have. So For Ryan to do this, again, you're talking about really everything we talked about today. In order to understand and deploy this, you not only have to understand the framework, you really have to understand the, the, uh, the attacks. Absolutely right.
But again, the, the ATT&CK framework and Shield, right? If you take this concept of a canary and you're looking at Shield, you can say, I could put a canary here, right? If you're walking through that adversary already, and right, like if you're, if you're looking at what the latest version of Ryuk ransomware is doing, there's all sorts of canaries. Like, um, I can't remember.
I think it was like the French government put out an alert on the latest Ryuk one when the, they had the, um, I think it was WMI based, um, uh, scheduled tasks that were kind of spreading Ryuk, they did a really amazing writeup and I, I put something cyber nation, there are tons of canaries that you can create just based off of the intelligence in that report alone. Uh, but I agree, it's, you have to take the time and you have to understand it.
And, and so maybe there is an opportunity for there to be a, a, some sort of product there, but I agree, like I think deception, technology and canaries are incredibly underused, especially in the MSP space. So, so all I wanted to say real quick was, I'm posting it in chat is right after Chris Sanders was on, Dana Epp, who's also been on, who's one of a great red teamer views the CEO of AuthAnvil, which became a Kaseya product. I forget what it's Passly now. Passly, yeah.
Um, he posted his free port scan honeypot for anybody to use, and he created a video. It's in GitHub. Um, so if you guys wanna mess around by the way, he's given it all to you. Um, so the URL is there, uh, for anybody to, to, to take and use. Um, and, uh, Wes, um, just may, you know, interest of time, maybe I defer to, if I could. Um, I, I just want to ask if, if we could chat with, uh, one, if you could briefly tell us how this might relate to the 2021 threat report.
And then, you know, Gary, if you could maybe just wrap us up here on your thoughts of operationalizing this whole piece and, you know, how MSPs can start to be thinking again about post boom and, and maybe we, again, we do a multi-part thing here with what Wes mentioned, and then how do we build packaging and pricing around this. So Yeah, I, I can just say something in just maybe a couple minutes to save enough time for Gary.
Um, so yeah, so we did just finish our threat report and, uh, it's mostly fed by data from you guys in some surveys. Um, so Bryson, uh, met Lock, Paul, Scott, and a few of the others really took the brunt of writing that, and they did a really good job. Um, and one of the things I would say in it, and this, this does dovetail back into what we've been talking about today, is MSPs are going down a journey today that we're already at terminal velocity.
What I mean by that is we're so far down this road of, um, threat actors knowing who we are and operationalizing us inside of their, um, attack methodologies and understanding that we're targets. That's one. Two, MSPs are going down this journey of compliance and, uh, requirements that are being added onto them on a day by day basis that they're stuck in the middle of having to address for their clients. And three, this gets into, um, one of the predictions that I wrote in the threat report.
What I'm just looking at what's going on, you, you consider this terminal velocity. We're it's, we're too fast to to stop, too fast to go another direction too fast to like, um, get out of the direction we're going, right? Like the big the big, uh, Apollo thing is coming down. There's fire all over. And the direction of that is in the future, um, regulation's here to stay, right?
And what that regulation may look like is up for debate, but whether it's compliance, it's pushed onto us from our clients, um, whether it's state-based regulators, like what's happening in Louisiana as a guidance, what you'll see soon in New York coming out, those are examples of this, of understanding who the MSP is and what their relationship is to at least their state agencies, um, cyber insurance carriers getting together and defining the minimums, or ideally MSPs banding together through an ISAC, an ISAO or some other conduit to say, enough is enough.
We're gonna self-regulate. That's the direction that we're going, right? And so we're, we're at terminal velocity, right? Uh, the fire is around the spaceship. Uh, the only question is are we gonna survive it? And, uh, where exactly are we gonna land? Is it gonna be in the ocean with some parachutes? Is it gonna be, uh, you know, somewhere not so great? Uh, who knows? Uh, maybe we're gonna land in Russia when we tried to land, you know, in the Indian Ocean. I don't know.
Um, but that's the direction. And so, uh, that's one of the big things I wrote in the report is that direction. And we talked about that on the call before, but, um, that, that's a, i i, you can see where we're going in this industry, Andrew. Sure. Thanks for that, Wes. Gary, close us up. Yeah, so here's, here's the difficult part, right? Which is you have to look at how an IT provider, how an MSP runs they run today with, hopefully they run with roles.
If they don't have specific roles, um, then this is a bigger issue. If everybody's doing everything, then how do you start to get all these things done? So if we look at it, we have to ask ourselves, okay, um, honeypot, right? We want to, we wanna start to do this. Well, who's gonna do it? And is it an additional role or does it fall into one of the existing roles I have? If it does, how does it change my costing?
You know, in other words, you know, I have a, uh, someone who does compliance and alignment. Yeah, today they manage 22 customers, however many seats per customer. Well, can they only manage 18 now? 'cause I'm asking them to do some additional things. So where is this overhead? And you have to have a framework for how all of these proactive things are gonna land and how they're gonna relate back to how many seats somebody can touch. 'cause then we we're gonna know what, how our costing changes.
Listen, and I'm talking about math. This is not something most MSPs love to talk about. They love to talk about the stuff that we talk about on here, right? Which is the tech. And this was like a really cool hour today, right? I'm writing down things on here. It's a cool hour, but it's not so cool for your customers if you can't figure out, okay, what are we gonna do? Who's actually gonna do it? How's it gonna change our cost?
And then we gotta go out to the customer and be able to explain it to them so that they can support it. Really well said. Very cool. Um, Ryan, any closing comments for you here on our last minute? Great job, by The way. I mean, I, I, this is, you know, as, as my former CTO said, this is my butter zone. Like this is the stuff that makes me really excited.
Um, I'll geek out on this all day, so I know I get a little animated when we get into this super cool stuff like this, but, Um, that's sad and awesome at the same time. It kind of is. Yeah. Um, um, that's when, you know, you get a true cyber geek in your hands. So, but no, I think like it, like, do not be afraid of this framework. It can seem daunting, but like, this will pay dividends in terms of your ability to speak to your customers, to tell stories, to understand your defensive posture.
Like this is a really important tool in your tool chest. You don't, don't be afraid to spend a little bit of time trying to become more than just passingly familiar with it, because it's pretty foundational to how we think about most other things in the space. So definitely spend some time on, uh, on I would say Shield, ATT&CK and CALDERA if you can.
If you, you can spare the time because those three things are gonna make you, you know, they're, they're gonna quickly notch you up above some of your competition and let you have conversations that others just can't have. Awesome. Alright, well with that, have a fantastic week everybody. We'll look forward to seeing you next Monday. Thanks guys. Thanks guys. Good job everybody.