Transcript for:
UK Threat Landscape Brief

Hi everyone, welcome to Intel 471's UK threat landscape brief. Just for everyone's awareness, this brief is TLP white. We do have more content available at TLP amber and amber strict, so if anyone does want any further detail, please use my email, which will be on the last slide, and we'll get you that information as soon as we possibly can. But thanks for joining us, everyone.

So today's brief will usually take around 20 to 25 minutes, maybe 30 depending on how much detail I go into on some of the slides, and then there'll be some time for questions at the end as well. If you do have any questions, if you want to pop them into the questions chat box, I'll get around to them at the end.

So today we'll just go through a brief introduction about me, who I am, my role at Intel 471, Intel 471 and our bread and butter, which is HUMINT, human intelligence. We'll talk about why human intelligence is relevant to CTI, rather than being physical HUMINT, more of a cyber HUMINT spin on it, and we'll talk about the British underground. We don't call it the dark web or the deep and dark web, we call it the cyber underground, because it's definitely not deep but it's definitely not dark either, so we'll refer to it as the underground throughout this presentation. We'll talk through some top threats to be aware of, which will be access brokers, ransomware, information stealers, the impact of Russia-Ukraine and the ongoing conflict there, one particular group called Killnet, and then our future outlook on where we see potential threats in the near future. And then, as I said, questions at the end too.

So a bit of background about myself. I'm one of the intelligence directors here at Intel 471. Prior to joining Intel 471 I worked at a company called Crisp, where I was the global intelligence team lead, and prior to that I was in the Intelligence Corps in the UK military, working with a variety of units
worldwide and in the UK. So with that background, I have a large commercial background. I've worked with a variety of companies such as Google, YouTube, or the whole Alphabet group in general, TikTok, Facebook, and then some big brands at the bottom like Philip Morris International, Chanel, Gucci. Across my tenure working between those different companies and my military background, I've done a variety of CTI, counter-CSAM, counter-radicalization and then also counter-terrorism as well through that tenure.

So why HUMINT? Human intelligence is usually thought of as more of a physical type of intelligence discipline, and HUMINT isn't easy at all. But what HUMINT does provide, and why it's our bread and butter, is that it provides detailed insights and context that's not available anywhere else. Anybody can scrape a forum or anybody can scrape content together, but what people really need is the insights and context. Without that, you could take anything away from some of these forum posts. Cyber criminals, or criminals in general, do lie, so it's important that we get that valued context as and when it's needed.

So what kind of context can we gather? Well, one of the main things is insight into adversary tactics, techniques and procedures from these particular criminals, or in general; HUMINT gives you that. So in the cyberspace that may be specific malware or specific tools or infrastructure that these cyber criminals tend to use. By that, there may be groups of individuals talking together or in closed forums where they may discuss a new particular type of malware that they've developed or that they are developing, and they may talk about particular tools they're looking at, or how they're gaining access to different types of infrastructure, or how they want to impact the different types of infrastructure.

It also gives you insight into tactics and capabilities that aren't going to be published anywhere else. At the end of the day these
criminals are criminals, and they tend to have, well, the more advanced ones anyway tend to have, increased OPSEC, or operational security. They're not going to be posting publicly, or on forums where anybody can access, what their new tactics are, what new capabilities they've developed or their teams have developed, and that's key, and HUMINT brings that.

It also provides insight into their targets and motivations as well. They aren't going to publish that they're going to attack a particular sector or that they believe a particular sector is vulnerable, such as, let's just say, the consumer industry or product sector as that becomes more digitized. Threat actors are going to announce that they're going to target that particular sector above others. That will only start to be seen without HUMINT over time, as you start to correlate events moving forward.

So with that, it's important to understand that HUMINT also provides the context and relationships between other actors. So actor X may speak to actor Y: how do they communicate, what are they talking about, is there a link there? We'll talk about this further in the presentation as well. One example of this may be access brokers, or initial access brokers, who provide that initial access to particular ransomware groups. Those ransomware groups can then accelerate their operations and move forward with impacting companies with ransomware rather than spending time trying to gain their initial access. That relationship will build over time and they will then eventually become partners. We'll also see things like threat actors using particular bulletproof hosting providers, or using particular threat actors that offer to make malware fully undetectable. So all this kind of context is information that HUMINT does provide, and that relationship is key when you start to try and map out this threat landscape in general.

So knowing your adversary enables you to build your defenses around that. Unless you know what
you're coming up against, you can't build your defenses around it. It's like going back to my military days: we wouldn't start building sandbags and putting sandbags down to protect us against things unless we knew it was going to come from a particular direction or what those things were, and the same applies to the CTI space. You need to know what you're coming up against, and if you don't, then you can't properly defend yourself or defend your business.

So, like I mentioned, why is HUMINT relevant to CTI? I've covered some of this already, but just to go through in a bit more detail why Intel 471's different. So, our HUMINT capability: we offer a boots-on-the-ground model. What we mean by that is we have researchers and individuals that are located in countries where threat actors operate. Now, that not only enables them to speak the native language of these threat actors on these particular forums, groups or whatever that may be, but it also enables these individuals to speak the criminal language of these criminals. When you're talking to these criminals, if you're going to do this in, let's just say, a physical space again, if you're going to infiltrate a drug gang or a terrorist network, you would have to act or talk in a certain way. If you didn't, you would be found out. This is much harder to do behind the keyboard, because you can't interact with someone, you can't get physical cues. So being able to do that and speak this criminal language is very unique to Intel 471, and it's what gives us this amazing insight across the board. It enables you to fully understand the adversary that you face, rather than trying to plug gaps from lots of different reports, lots of different vendors for example, and trying to piece everything together in your own business, trying to pull that together and then brief that to the right people within the company to build those defenses or change your tack to be able to better defend in general against potential or looming threats. Knowing what
you're coming up against this rate is really key.

So although we are HUMINT-driven, we do rely a lot on technology and automation as well. So it's not just HUMINT; we are backed by technology and automation too.

A big one for me across the board with HUMINT, and why it's relevant to CTI, as I've already harped on about previously, is verifying claims. So a threat actor may post on a forum and say, "I have access to this particular company, it may be VPN access, and these are the credentials. I want five thousand dollars for them." What's key is our unique insight of being able to understand if that is real or not, engaging a threat actor and being able to communicate via HUMINT and say, let's see if this is real. We don't want to start starting fires, we want to start putting out fires, and that is really key: understanding if that claim is legitimate or not. Like I've already said, criminals do lie, and they do want to make a quick buck. Every criminal, well, most criminals I should say, not every criminal, most criminals on the cyber underground are in this for financial gain. They want to make money. If they can make money in a quick way by selling you something, well, selling people something that isn't legitimate, then of course they will, and automation doesn't provide that context. Human intelligence definitely does.

Also, a variety of businesses, especially in 2022, are aware of the threat posed by cybercrime, especially with some big incidents like the Colonial Pipeline incident, and even years before that, like the WannaCry incidents from many, many years ago. People are aware of these particular incidents, but they're not aware of how to defend against them, and that's where HUMINT provides that added context that's not normally available. So those lessons that we identify and lessons learned from HUMINT can support business operations and business plans, ultimately with our end goal of enabling you to fight cybercrime and win.

So, the British underground. I'm calling it the British underground because there are different tranches within the cyber underground: there's like the Italian underground, the French underground. I'm calling it that to give it unique context, because it is different. The underground is made up of many different facets; it's not just one thing where everybody goes, and I'll talk through this now.

So, the British underground: what is key here is that a lot of threat actors do tend to speak English. Now, where do they operate? They operate on a variety of forums. We see them operating on Russian-speaking forums, or what used to be predominantly Russian-speaking forums, and they will communicate in English. Years ago there used to be Italian-speaking forums only, or Portuguese-speaking forums only, French-speaking forums, etc., where they communicate with one another. However, criminals have learned that by speaking in their native language, their OPSEC isn't exactly great, which brings me on to the why. Why do they communicate in English? Well, there's two reasons for this. One is that it provides them added operational security, because they're coming across as being English or from an English-speaking country, which allows them to then communicate with their larger client base. There's a lot of people on the underground that speak English or understand English, so by operating and communicating in English, that then opens up their client base, as it were, for more and more people to buy their product or buy what they're selling. So it is also an operational security measure, but it is also a business improvement measure from these individuals. So we will see Russian-speaking forums or Chinese-speaking forums, and individuals will be communicating on there in English. Now, there are also English-speaking forums too, where a lot of threat actors will only communicate in English, with a few other languages thrown in in the middle, but predominantly English too.
Telegram has become extremely popular, and I'll come on to Killnet further down in the presentation, but Telegram is becoming extremely popular with underground threat actors. It's easy to communicate, people have it on their phones, there's no need to, you can't get on Tor on your phone, stuff like that. It allows them to communicate with one another and build up that personal relationship.

Social media is also becoming extremely popular. One social media platform in general is Facebook; they can set up closed groups for that. Being able to set up a closed Facebook group where you have to answer set questions or a bit of a test to get in there really makes it difficult for people to gain access, unauthorized people to gain access to that group, that they don't know or that haven't passed their criteria, as it were. So social media has also become extremely popular. Twitter is also popular for these threat actors to publish things on there, or throw things out there to move people off track from where they should be looking, and they do this as well as an operational security measure.

So Britain has been extremely impacted by access brokers, and we see that across the British underground. Access brokers are actively compromising a variety of British businesses every single day, on quite a large scale in some cases. There's also been a steady volume of ransomware attacks or ransomware-as-a-service operations in 2022. There's no surprise there, but that is something that we are seeing a steady increase of across the country in general. The UK is ranked third out of all EU countries. I will just say that although it's third out of all EU countries, when it's put on one of the slides further down, that is dwarfed by America, because there's a lot more attacks that happen in America. So compared to Britain, America is much more significant, so on the graph either dial it does reflect that.

So, the breakdown of the underground. The underground is like any
commercial business, or how commercial businesses would operate. There are products for sale, there are goods for sale and there are services for sale, and we've broken this down at Intel 471. Threat actors operate in all of these three areas. So for example, they may sell particular products such as malware, web injects, phishing kits, which can be purchased or made bespoke in some circumstances, which crosses into the service bit, but generally speaking they tend to make these web injects, malware or phishing kits, which can then be purchased as products by potential buyers.

The goods side of things: now this is where the access brokers come in. They sell a particular good, which is network access. They can also sell account credentials, which again links into network access. There's credit card data, and there's also database dumps and a lot more other things, such as PII, etc., that are also sold as commodity goods.

And the services: these are particular services that threat actors offer. So one may be ransomware as a service, where particular threat actors decide to make new ransomware, which may have additional features, or develop ransomware. Another point we'll come on to later down is LockBit 3.0 and how they develop that ransomware. So one would be developing ransomware; another one may be malware as a service. Particular actors may offer malware as a service, or say, "I have this particular information stealer, for example. If you tell me what you want it to do, I will try and add that to this or configure it within this information stealer, and then I will make it bespoke or specific to you as a customer," whilst also offering other things like making malware fully undetectable from antivirus or other systems. These are all common offers that we see across the underground, and of course bulletproof hosting as well, which is a common service that we see offered regularly.

So in terms of recent threats towards the UK, I won't go on into
detail about too many of these through our TLP white, but again, if you do need any more info, please do drop me a line. One top example was in September: we've seen an actor offer to sell network access credentials to a variety of businesses worldwide, not just Britain but from many, many other countries too. One of those impacted entities was a UK educational institute. Now that is commonplace; we tend to see that through September onwards, again when universities start to return to school. So with that, we start to see these threat actors target these universities, but the main question is why. Well, universities do offer a variety of research, they conduct a variety of research. If they're able to compromise that research, they could arguably hold the university to ransom, as they are seen as financially lucrative institutions because of the funding that universities get. So they believe if they get hands on this research or this confidential information, they could then try and ransom that back to the business, or they could look to sell it in order to make a quick profit for themselves too.

Other things as well that we see is threat actors offering teams, or discussing teams, of hackers or individuals that are willing to target businesses of all sizes across Australia, Canada, the UK and the US; that's the example there. We see this quite regularly, where they're offering or they're discussing their team and how they can impact the variety of businesses across these countries, and then again also actors offering to sell them account config files targeting different organizations, with the UK and US being commonly targeted areas.

So, top threats to be aware of. Access brokers, in my opinion, is one of the biggest ones. The reason being is that access brokerage is now being seen as a very lucrative trade or job set, as it were, within the cyber underground, so we're starting to see a lot more actors shift
into the access broker world, as well as traditional access brokers increasing their numbers of offerings, and that's something that all businesses should be aware of, because there is a link between these access brokers, and we'll come on to this shortly as well.

The next one I would say is malware. Malware in general is a specific threat to be aware of. Ransomware, obviously a type of malware, is arguably the biggest threat to businesses because of the financial impact that it can cause. Information stealers are also a significant threat because of how commonly available they are, how cheap they are, how easily they can be spread. The fact that they can stay on a system and they need to be removed, you can't just change your password, makes information stealers a very big threat to be aware of in 2022 and moving into 2023.

And some other threats to be aware of: Killnet and hacktivism in general. Killnet are a group that we'll discuss further down too, and other groups. Since the start of the Russia-Ukraine conflict we have seen groups like Killnet pop up, and they are a significant threat, more of a nuisance at the moment. That doesn't mean they won't branch out into other things, but I'd argue Killnet and groups like them are also a significant threat.

And then social engineering. So the use of marketplaces, and threat actors purchasing cookies, for example, off marketplaces, conducting a session hijacking attack and then starting to conduct social engineering whilst they've conducted the session hijacking attack, to allow them to gain further access into a variety of networks, is significant. Also social engineering just in general is a significant threat that we're starting to see more and more of, and we have seen a lot of throughout 2022.

So, access brokers. Well, first of all, what are they? Well, it's exactly what it says on the tin: access brokers are individuals that sell access to businesses for a variety of reasons, but the main reason is for financial gain.
Why are they important? Well, you need to be aware of these as businesses within the UK if they're selling access to either your own business or your third parties that you work with, because if they're able to compromise you or your third parties, there could be further, more sophisticated cyber attacks either directed at you or your business partners further down the line.

Access: there's a variety of different access merchants and they operate in a variety of different ways. Some of the most common ways that we see them attain access is through information stealers, and so malware logs and then compromised credentials. But then one other way is we see a lot of lower-level access brokers, and when they first start out doing this as a trade, as it were, they tend to gather all the old lists and old credentials or old malware logs and they combine them into one big list. By making that into one big list, they then try and sell it for more money, but all they've done is just combined a load of old data and then tried to sell it. Some of it may still be correct or accurate, but that is just something to bear in mind too.

They can be detected and therefore they can be prevented, and the main way of doing that is monitoring forums or using companies like Intel 471 to be able to provide the human intelligence and go through this data, or be able to dig into it and find out what companies these access brokers are selling access to, so then you can either speak to your third party or you can investigate it further and find out if this is a particular threat, if it has actually impacted your organization, and then therefore you can prevent it.

I won't go into too many of them by name, but one which I will talk about at TLP white is an actor called the BAM. So the ban was a predominantly Russian-speaking actor. Now this actor used to sell a variety of accesses, VPN, RDP accesses. He or she was selling them for quite some time across a variety of
underground forums. They've since gone back since they were removed from a few forums, so that's why I'm talking about them, but there are many, many others. I'd say there's probably a top 10 list of access brokers that continually operate and are like the top level of access brokerage, and they're actively selling access to a variety of companies from a variety of sectors. Most of these access brokers don't tend to care what companies they have. They don't target particular industries or sectors; what they want to do is just make money. However, that being said, we are starting to see more links now between ransomware groups and access brokers, where they have a sort of relationship. It's arguable that they have a retainer scheme with these ransomware groups, where they'll say, "We want access to company X. Should you gain access to that company, let us know straight away and we'll be interested in buying it." We are seeing that. It's very hard to detect that, though, but that is something that I would say we are starting to see too.

General prices for access, again, depend on the broker. The more advanced the access broker, the more money they want. A bit like football players: the better they are, the more money they're going to want from their club. Now, access brokers are very, very similar in that sense. So if they're a more advanced access broker, or they believe the access that they have is legitimate, or they've tested it, which is one thing we also see them do, checking these credentials, if this is something that they think is legit, or they think it's a very, very lucrative business to have access to, then they'll want more money. Other access brokers tend to sell them in chunks, so they may say accesses of 50, 70, 100 maybe, but they want between five thousand and ten thousand dollars for this list of accesses. People on the underground do pay those prices. The more lower-level access brokers who combine those lists, like I spoke about previously, or
they are just trying to gain a quick buck, they haven't tested anything out, they may be all malware logs. Those prices for individual accesses can range between 75 to maybe 200, depending on the organization and depending on the number of accesses, level of access, etc., but generally prices can range from between 75 all the way up to ten thousand, if not fifteen thousand dollars.

Malware. So, as we've already mentioned, ransomware is probably the main one to be aware of. Now, ransomware: as I already mentioned, this slide covers the US too, so obviously the UK plotting on there doesn't look like it's significant, but in comparison it is still quite large. So globally we are starting to see a general uptick in ransomware. However, the months that we do tend to see an increase are in the middle of the year and towards the end of the year, so arguably October, November, maybe even December around the holiday period we will start to see more ransomware, but again March, April and May, the beginning to middle of the year, is when we start to see an uptick in ransomware too.

So, some victims. I won't go into too much detail on these, but some victims that we have seen are on the right-hand side, and then the ransomware variant that we've seen. It's not just the same variants over and over again. We are starting to see groups like Vice Society, Hive, Clop and others start to compromise UK businesses. I'd argue LockBit 3.0 was one to take away, as well as Hive and Black Basta, as key takeaways. Those three ransomware variants are some variants that we tend to see a lot of globally, and they are starting to target the UK.

So this slide just depicts the UK ransomware breakdown. As you can see, there are a variety of sectors that have been impacted, and over the course of the year LockBit 2.0 was the most active variant targeting UK businesses. If anyone does want this breakdown, again, I can
pass this on after the brief too, but just as a key takeaway, LockBit 2.0 followed by Conti and Vice Society are the three top variants that we've seen in 2022.

This slide just discusses the European ransomware breakdown and where the UK sits in that. As you can see, the UK sits there only being trumped by Italy and Germany in terms of most impacted countries, with, no surprise again, LockBit being one of the most active ransomware variants targeting all countries across Europe. Most impacted sectors in Europe being the consumer and industrial products sector and the manufacturing sector as well. Arguably that's because those sectors have become more digitized, therefore increasing their attack surface, which then gives ransomware groups a larger target to aim for.

So, a breakdown of LockBit 2.0. The reason that I'm putting this on the screen is to just show you how impactful LockBit 2.0 was. Now, LockBit have developed a new variant, LockBit 3.0, so arguably this slide over the next 12 months or the next six months will be LockBit 3.0, and we're going to see a similar, if not more increased, period of activity from this particular branch, from the group. Now, the group wasn't really targeting any particular sector above others. As you can see, consumer and industrial products really took a hit from LockBit, and they tended to impact the US more than any other country. Again, the US has a lot of businesses there, a lot of threat actors see there being a lot of money there as well, so they tend to target that sector a lot more. And as you can see on the right-hand side, the breakdown again being April is a very active month, and March.

So, attack pathway: how ransomware groups operate. I really want to hammer this home. Not everybody talks about ransomware, ransomware, ransomware, but ransomware is the last turn of the screw in any operation. In order to be able to defend against ransomware or be aware of
ransomware, how to stop a ransomware attack, you need to look at the precursors to ransomware, like access brokers, like particular malware being used, and software that's being discussed and being used by threat actors. Are they using grayware, for example, that you can search for on your systems? Are they using Mimikatz? Are they using particular Cobalt Strike beacons? Can you look for them? All those kind of things are things that you need to be aware of well before ransomware has been deployed. If ransomware has been deployed, it's the last turn of the screw.

So this attack pathway just discusses that. They gain entry, they understand the environment. They don't tend to just do it straight away. What they tend to do is they'll move around this environment, they'll look for data of importance, they'll then see if they can make any more accounts, do they have access to an admin account, start to gain a foothold within that network, and then they'll start to move with that. They'll move laterally within that, like I've just mentioned, and then they'll look for data of importance to exfiltrate. Now, when they deploy ransomware, the more advanced groups tend to destroy backups and deploy ransomware simultaneously, so that the organization can't just restore that. So that's why I'm saying ransomware deployment is the very last turn of the screw; it's already too late at that stage.

So, the links, as I mentioned, between ransomware and access merchants. I won't go on this slide too much, but generally speaking we tend to see access brokers monetize access on forums, ransomware affiliates pay for that access, and then they deploy the ransomware. The average time we're seeing between access being offered and then ransomware deployed is around 71 days, with the average ransom demand in Q1 of this year being 3.79 million, so a significant sum for any organization.

So next, information stealers. What are they? Well, an
information stealer in general is very similar to a Trojan, and it's designed to gather information from a system. Now, the most common form of information that information stealers try and gather is login information, like usernames and passwords, and then they'll send that over a network or via an email to other systems that are operated by threat actors.

Why are they important? Well, they're important because they're programmed to steal credentials and other information that's stored on the machine. Now, that makes them very, very significant for any business, so you need to be aware of information stealers in general and how they're spread, which brings me on to the next point. They usually spread through malspam, or maybe macro-enabled documents, stuff like that. So it's common infection vectors, how they're spread, but that's something to be aware of in general, especially when communicating with wider individuals within your business.

And as I mentioned, what they do with the data: they send it back. Threat actors can then take this data and they can use the data for their own personal gain. So this data may be high-value data, which they can then use for their own advantage, or they can also scan systems and they can identify where particular files may be, or where these threat actors want to deploy ransomware.

Some top examples are KPOT, Raccoon Stealer, RedLine and Vidar. There's some other top ones that we're starting to see. Raccoon Stealer is constantly being developed, and there's plenty of other stealers as well. People tend to develop them, and some people offer them as a service: you pay a fee, a nominal fee, over the course of a year and they'll rent these types of stealers out, or sometimes they just give you their stealer. The general prices for these can range. It depends on the stealer: sometimes fifty dollars, sometimes two hundred dollars, so it entirely
depends on the stealer um and what that stealer does so if the stealer for example is just there to steal browser cookies it may be cheaper than a stealer that's been developed to steal cryptocurrency wallets um or to look at desktop applications or take screenshots on the system so the Russia Ukraine impact the Russia Ukraine impact has impacted the cyber underground um in some ways um with the cyber underground being you know a main breeding ground for financially motivated cyber crime it hasn't impacted that much but it has started to see um a significant impact in terms of fracturing so one of these fracturings is a particular group called Killnet now these are a pro-Russian hacktivist group and what they tend to do is target a variety of businesses through DDoS activity they target organizations that are seen as hostile to Russia or that oppose the war in Ukraine and they tend to publish all of their communications via Telegram um and they communicate it in advance they do operate their own DDoS service from botnet um and they are made up in this particular way so they have the main Killnet group a DDoS team called Legion they have different Legion squads that target a variety of different countries and then affiliated groups that work with them as you can see on the right hand side now Killnet aren't really a significant threat in terms of their damage it is only DDoS um however they have been talking about the delve into ransomware so although they're more of a nuisance at the moment and okay yeah they will cause disruption and sounds of a significant threat it's not as significant as other threats um out there across the cyber underground so with that being said they are more of a nuisance so it doesn't mean that they won't become um more and more advanced in the future in terms of targets by country and as you can see they have targeted Ukraine quite a lot Italy Latvia and Estonia again ex um Soviet countries um and also a variety of other countries that
are opposed to the war in Ukraine top sectors uh three key takeaways uh telecoms national government and then aviation transportation again more of a disruption piece you target those sectors uh the more that they can disrupt them the more impact that they believe they have so before you mentioned target support is in advance um they tend to work to um to prevent any support to Ukraine that is their main their main goal basically um and then with that the actual impact is limited as I've already mentioned um they can be prevented uh using systems like Cloudflare for example uh DDoS mitigation services you can prevent against them they publish their targets in advance so there is that early warning system in place by monitoring these these Telegram channels um however they won't be able to launch sustained DDoS for weeks on end um it would be more of a short high burst impact more than anything else they've recently just had a hiatus period and where they went quiet and they've come back saying that they're recently targeting a variety of government organizations across Japan on the right-hand side just discusses the Telegram group um sorry that Telegram group there um and then again other groups that have tried to combat Killnet which is Anonymous which we saw in Italy other impacts that we're seeing um since the war in Ukraine is a group called Cyber Army Russia which also conduct uh DDoS attacks against government websites and they have targeted the energy sector as well uh From Russia with Love team they've targeted they tend to publish um data classified data as they call it from Ukraine and the US and then MVP hackers as well and they tend to want to expose um Ukrainian government official data and then also Journal efforts for Killnet to bring down the RuTor forum uh NoName057 um is the most active group that we've seen and they also conduct DDoS attacks similar to Killnet as you can see these are very impactful and they're more of a nuisance
rather than a significant threat um so just things to be aware of and then again NoName targets a variety of countries like illness Finland Latvia Norway and Poland to name but a few so finally future outlook so what is likely to happen over the next six to 12 months well as the energy crisis um looms it's highly likely that we're going to see threat actors pounce on this just like we have done in the past with COVID now they're likely to use phishing um as a particular type of lure to target people and this will tend to be a financially lucrative um way for these people to make money so the energy crisis will probably be something that these threat actors latch onto now one point to be aware of as well is that threat actors do tend to follow um global events such as the energy crisis just like they did in the UK recently when there was um water crisis the water industry was heavily targeted so it does show that what's going on in the world will impact what happens in in the cyber underground these criminals do tend to pounce on that and they use it to their advantage for their own personal gains uh the public sector's actively being targeted since the war in Ukraine um and with that we all tend to see a lot more hacktivism which takes place globally but may mainly for those countries that are uh pro Ukraine that's the buyer down the middle is something that we have seen published across the underground as well by a variety of actors people started with different different countries um in in that space initial access brokers that's become a very lucrative job role within within the cyber underground something that's only going to increase in my opinion over the next six to 12 months so with threat actors that used to operate um maybe selling credit cards or um bins anything like that they will then start to now look at this access brokerage as a potential other way of making income and move into that more um as we as we move forward big ones takeaway is session
hijacking and social engineering so being able to use marketplaces to obtain cookies and then conduct session hijacking is huge and social engineering is going to be extremely significant especially over the next six to 12 months so threat actors become more and more advanced with this and it's something that we are going to see a lot more of and obviously ransomware too but finally that's it from me so thank you all very much my details are on the screen if you do want to drop me an email or you want to reach out my email's on the screen um that is it pending any questions thank you all very much I see there's one question there in the channel um top 10 initial access brokers list yeah um if you're a customer with Intel 471 uh we can pass that on um if not if you drop me an email um we can pull some bits together for you which we'll be able to discuss um if that answers your question um One More Story will the TLP white slides be made available yes they will be made available at the end of the session and if there's no other questions then just thank you all very much for joining our talk I really appreciate it and like I've said if there are any more questions please do reach out um and we'll be in touch with any answers that we have thanks everyone