Paul Ducklin talks to world-renowned cybersecurity expert Fraser Howard, Director of Research at SophosLabs, in this fascinating episode, recorded during our recent Security SOS Week 2022.
When it comes to fighting cybercrime, Fraser really is a “specialist in everything”, and he also has the knack of explaining this tough and treacherous subject in plain English.
[ROBOT VOICE: Sophos Security SOS]
PAUL DUCKLIN. Hello, everybody.
Welcome to the Sophos Security SOS week.
Today’s topic is: Preventing cyber threats – stop them before they stop you!
And our guest today is none other than Mr. Fraser Howard, Director of Research at SophosLabs.
Now, those of you who’ve listened to SOS Week before will know that I like to describe Fraser as a “specialist in everything”, because his knowledge isn’t just broad, it’s also extremely deep.
He ticks every cell in the spreadsheet, you could say.
So, Fraser, welcome back to the SOS Week.
I wanted to start by focusing on something that goes by the name of LOLBIN, which I believe is short for “living-off-the-land binary”, which is jargon for software that’s there already that the crooks love to use.
FRASER HOWARD. Exactly that.
DUCK. And the big problem at the moment seems to be that the most likely LOLBIN, or the most likely pre-installed program that the crooks will dine out on, for want of a better phrase, is nothing other than PowerShell, which is built into Windows.
It’s available on every version of Windows as soon as you install it.
And it’s the medium of administration these days for Windows itself.
So how do you live without it?
FRASER. Exactly – just like you described, from the attackers’ perspective, LOLBINs are brilliant.
They either bring their own knife to the fight, and their knife might look very different to everything else that’s on the system…
…or they use a knife that just happens to be present on the system in the first place.
And that’s advantageous to the attacker, for obvious reasons.
Any security software won’t see some brand new, shiny, unknown application suddenly being run and used in part of the attack.
But tools like PowerShell are already there – that’s when the games begin in terms of trying to work out, “Is it something good, or is it something bad?”
I wish there was a one-line answer to how we detect malicious PowerShell versus benign, but actually it’s quite a complex situation.
What exactly is the PowerShell process doing itself?
On one end of the spectrum, you could use technology like, for example, application control.
And as an admin, you could choose: “PowerShell, you should not be allowed to run in my environment.”
That’s sort of a panacea, if you like, and it would stop PowerShell being abused, but it would also break a lot of legitimate activity, including the core administration of most Windows machines today.
DUCK. OK, so application control is Sophos’s name for the ability to detect, and optionally to block, software that’s not malware, but that a well-informed administrator might not want to support in their environment?
FRASER. Exactly.
And it’s not just about admins and their choice of “Which application should my users be allowed to use?”
It’s about fundamentals.
If you think about security, what’s one of the things that we’ve been telling people for the last 5 or 10 years?
“Patch!”
If you’re an administrator and you’re allowing anybody to use whatever application they want for their browser, that’s maybe 5 to 10 different browsers that you have to patch.
Actually, for admins, technologies like application control allow them to narrow that threat surface.
DUCK. But PowerShell… some people say, “Oh, just block PowerShell. Block all .PS1 files. Job done.”
FRASER. It’s not quite as simple as that!
DUCK. Could a sysadmin manage without PowerShell in a modern Windows network?
FRASER. [PAUSE] No.
[LAUGHTER]
I mean, there are policy options that they could choose to only allow certain signed scripts, for example, to be run.
But there’s a whole variety of tips and techniques that the attackers know that try to bypass those mechanisms as well.
Some of the older scripting engines… the best example is Windows Scripting Host – most people don’t know it’s there.
It’s not the one-stop shop for admin that PowerShell is, but WSCRIPT and CSCRIPT…
…those binaries, again, are on every single Windows box.
It is much more possible to block those outright, and they get abused, again, by malware.
DUCK. So the Windows Scripting Host includes things like JavaScript (not running in your browser, outside your browser), and good old Visual Basic Script?
FRASER. There’s a whole host of them.
DUCK. Now, Visual Basic Script is discontinued by Microsoft, isn’t it?
But it’s still supported and still very widely used?
FRASER. It’s very popular with the Bad Guys, yes.
And it’s not just scripting engines.
I can’t remember exactly how many binaries are on some of the main LOLBIN lists that are out there.
With the right combination of switches, suddenly, a binary that you might use to manage, for example, certificates locally…
…actually can be used to download any content from a remote server, and save it to disk locally.
DUCK. Is that CERTUTIL.EXE?
FRASER. Yes, CERTUTIL, for example.
DUCK. Because that can be used to do things like calculate file hashes.
FRASER. It could be used to download, for example, base64-encoded executable content, save it locally, and decode it.
And then that content could be run – as a way of potentially getting through your web gateways, for example.
DUCK. And that gets even worse with PowerShell, doesn’t it?
Because you can take a base64-encoded string and feed that into PowerShell as the input script, and it will quietly decode it for you.
And you can even put in a command line option, can you not, to say, “Hey, if the user said ‘don’t allow scripts to execute from the command line’, ignore it – I want to override that”?
FRASER. You mentioned .PS1 files.
That’s a physical script file that might exist on disk.
Actually, PowerShell is quite adept at doing things filelessly, so just the command line itself can contain the entirety of the PowerShell command.
DUCK. Now, my understanding is most so-called “fileless malware” does involve files, probably numerous files in its operation…
…but there will be a key point at which something you might detect *only exists in memory*.
So, security software that’s only able to monitor disk access will miss out.
How do you deal with that sort of situation, where the crooks have got all this semi-suspicious stuff, and then they’ve disguised the really dangerous bit with this fileless, memory-only trick?
How do you deal with that?
FRASER. One of the ways we deal with that, particularly with regard to PowerShell, is Microsoft provides an interface which gives us visibility into the behaviour of PowerShell.
So AMSI is an interface which vendors, security vendors, can use to get a peep into malware.
DUCK. AMSI is… Anti-Malware Scanning Interface?
FRASER. Exactly.
It gives us a window into the behaviour of PowerShell at any point in time.
So, because it might be doing things filelessly… any traditional interception points which are looking for files on disk, they won’t be coming into play.
But the behaviour of PowerShell itself will generate activity, if you like, across the AMSI interface, which gives us the ability to recognise and block certain types of malicious PowerShell activity.
The other thing is that, although “fileless” is seen as a bit of a panacea for the bad guys…
…actually, one of the things that most attackers are after at some point is what we call persistence.
OK, they’ve got some code running on the machine… but what happens if that machine is restarted?
And so their fileless malware typically will seek to add some level of persistence.
So, most of the fileless attacks that we’ve seen actually interact, typically with the Windows Registry – they use the registry as a way of achieving persistence.
Typically, they put some sort of BLOB [binary large object] of data in the registry, and modify some registry keys such that when that machine is restarted, that BLOB is decoded and malicious behaviour carries on again.
Today’s products are all about a whole range of technologies, from simple, right through to quite extraordinarily complex.
DUCK. That also helps to explain why people take files that are kind-of the precursors of malware, but not overtly malicious themselves, upload them to an online service like, say, Virus Total…
…and go, “Hey, nobody detects this. All security products are useless.”
But it doesn’t mean that file can spring into life and start doing bad stuff without getting stopped…
FRASER. That’s a very good point.
I think it’s something the security industry has tried… but the fact that we still talk about it – we’ve probably failed to get this point across:
What is security?
What do we actually mean?
What does protecting somebody against a threat typically mean?
Most people tend to think of it like this… OK, they have a threat; they want a file that’s “the threat”; and they want to see if that file gets detected.
But that particular attack… let’s suppose it’s a bot.
There might be 10,000 of those files *every single day*, as the bad guys turn their handle and churn out lots of different replicas that are essentially all the same basic thing.
And so the fact that 1, or 10, or 100 of those files gets detected…
…it doesn’t really tell you very much about how well a product might protect against that threat.
DUCK. “Bot” means software robot?
Essentially, that’s something that sits on your computer regularly, calling home or polling some random server?
FRASER. Exactly.
DUCK. That server may change from day to day… and the bot will constantly download a list of instructions, such as “Here’s a list of email addresses to spam.”
Next, it could be, “Here is a list of file extensions I want you to scramble”, or it could be “Turn on the keylogger”?
FRASER. Exactly.
DUCK. Or “Take a screenshot right now, they’re in the banking app”.
It’s essentially an active backdoor…
FRASER. It *is* a backdoor, yes.
And we spoke about backdoors 20 years ago… I remember doing customer presentations 20 years ago, talking about backdoors.
DUCK. “Back Orifice”, if you remember…
FRASER. Yes, yes!
We were trying to convince customers that, actually, a lot of the backdoors out there were more important than the high-profile malware of the day.
What you don’t want to get infected with are the backdoors, which allow some miscreant somewhere the ability to control your machine and do bad stuff, such as take a look through your file system, or modify data on your system.
That’s a far more frightening threat than, for example, a self-replicating worm that just spreads from computer to computer.
That might get the press, and it might cause problems in and of itself…
…but, actually, somebody having access to your system is arguably a much bigger threat indeed.
DUCK. And thinking back to Back Orifice in… what was it 1999? 2000?
That famously listened on port 13337, didn’t it?
FRASER. You’ve got a good memory [LAUGHS]… yes, “elite”!
DUCK. And as soon as people started getting onto DSL connections at home, and having a home router, Back Orifice was useless because inbound connections didn’t work.
And so people thought, “Oh, well, backdoors rely on inbound network connections – I’m protected by my ISP by default, so I don’t have to worry about it.”
But today’s zombies, today’s bots – they call home using some sort of encrypted or secretive channel, and they *download* the instructions…
FRASER. And because it’s on HTTPS, they basically hide that network activity amongst the million-and-one other web packets that go out every minute on most home connections.
DUCK. So that’s another reason why you want defence-in-depth or layered security?
FRASER. Yes.
DUCK. Obviously, new files – you want to examine them; you don’t want to miss malware that you could have detected.
But the file could be innocent at the moment, and it could turn rogue after it’s loaded; after it’s manipulated itself in memory; after it’s called out and downloaded stuff…
FRASER. And so, to get back to the original point: how we measure security products today is more complex than it ever has been.
DUCK. Because some people still have the idea that, well, if you really want to test a product, you just get a giant bucket full of malware, all in files…
FRASER. Commonly known as “a zoo”.
DUCK. …and you put that on a server in isolation somewhere.
Then you scan it with a static scanner, and you find out how many it detects, and that tells you how the product behaves.
The “Virus Total” approach.
But that: [A] will tend to underestimate good products, and [B] might overestimate bad products.
FRASER. Or products that specialise in detecting files only, for the purpose of essentially looking good in those sort of zoo-based tests.
That doesn’t translate to a product in the real world that will actually provide good levels of protection!
In reality, we block files… of course we do – the file is still an important currency, if you like, in terms of protection.
But there’s lots of other things, for example like the AMSI interface that lets us block malicious PowerShell activity, and a program’s behaviour itself.
So, within our product, the behavioural engine looks at the behaviour of processes, network, traffic, registry activity…
…and that combined picture lets us spot potentially malicious behaviour for the purpose of blocking not necessarily a specific family, or even a particular sort of threat, but just *malicious activity*.
If there are certain types of behaviour that we can determine are just outright malicious, we will generally try to block that.
We can block a certain type of malicious behaviour today, and then a threat family that has not even yet been written – in three months time, it might use that same behaviour, and we will proactively detect it.
So that’s the Holy Grail of what we do: proactive protection.
The ability for us to write something today that in the future will successfully block malicious behaviour.
DUCK. I suppose a good example of that, to go back to what we talked about before, is CERTUTIL.EXE – that certificate validation utility.
You might be using that in your own scripts, in your own sysadministration tools, yet there are some behaviours that you wouldn’t expect, even though that program could be made to do those things.
They would stand out.
FRASER. They would stand out, exactly.
DUCK. So you can’t say, “The program is bad”, but at some point in its behaviour you can go, “Aha, now it’s gone too far!”
FRASER. And that touches on another interesting aspect of today’s landscape.
Historically, EVIL.EXE runs; we’d detect the file; we’d detect some malicious behaviour; we clean it off your system.
You spoke about LOLBINs… obviously, when we detect PowerShell doing something malicious, we don’t remove POWERSHELL.EXE from that system.
DUCK. “Ooh, I found Windows doing something bad – wipe the whole system!”
[LAUGHTER]
FRASER. We basically block that process; we stop that process doing what it was about to do; and we terminate it.
But PowerShell still exists on the physical system.
Actually, today’s attackers are very different from yesterday’s attackers as well.
Today’s attackers are all about having a purpose; having a goal.
The old model was more spray-and-pray, if you like.
If anybody blocks the attack… bad luck, they give up – there’s no human presence there.
If the attack works, data is stolen, a machine becomes compromised, whatever it happens to be, but if the attack was blocked, nothing else happens on the system.
In today’s attacks, there actually is much more of a human element.
So, typically, in a lot of attacks we see today – this is typified by a lot of the ransomware attacks, where the crooks are specifically trying to target certain organisations with their ransomware creations…
…when something is blocked, they try again, and they keep on retrying.
As we’re blocking stuff, and blocking different types of malicious behaviour, there’s something behind the scenes; some *person* behind the scenes; some threat group behind the scenes, retrying.
DUCK. So 10 or 15 years ago, it was, “Oh, we found this brand-new, previously unknown Word malware. We’ve deleted the file and cleaned it up, and we wrote it in the log”.
And everybody goes into the meeting, and ticks it off, and pats each other on the back, “Great! Job done! Ready for next month.”
FRASER. Now, it’s very different.
DUCK. Today, *that wasn’t the attack*.
FRASER. No!
DUCK. That was just a precursor, an “I wonder what brand of smoke detectors they use?” sort of test.
FRASER. Exactly.
DUCK. And they’re not planning on using that malware.
They’re just trying to guess exactly what security have you got?
What’s turned on; which directories are included; which directories are excluded from your scanning; what ambient settings have you got?
FRASER. And what we talk about today is active adversaries.
Active adversaries… they get a lot of press.
That’s the basis of the whole MITRE ATT&CK framework – that is really a bible, a dictionary, if you like, of combinations of tactics.
The tactics are the verticals; the horizontals are the techniques.
I think there are 14 tactics but I don’t know how many techniques… hundreds?
DUCK. It can be a bit dizzying, that MITRE grid!
FRASER. It’s essentially a dictionary of the different types of things, the different types of technique, that could be used on a system for good or bad, essentially.
But it’s essentially aligned to attackers and active adversaries.
If you like, it’s a taxonomy of what an active adversary might do when on the system.
DUCK. Right, because in the old days (you and I will remember this, because we both spent time writing entire malware descriptions, the sort of things that were important 15 or 20 years ago – you were talking about EVIL.EXE)…
…because most threats back then were viruses, in other words they spread themselves and they were self-contained.
Once we had it…
FRASER. …you could document, A-to-Z, exactly what it did on the system.
DUCK. So a lot of malware back in those days, if you look at how they hid themselves; how they went into memory; polymorphism; all that stuff – a lot of them were far more complicated to analyse than stuff today.
But once you knew how it worked, you knew what every generation might look like, and you could write a complete description.
FRASER. Yes.
DUCK. Now, you just can’t do that.
“Well, this malware downloads some other malware.”
What malware?
“I don’t know.”
FRASER. For example, imagine a simple loader: it runs; it periodically connects out.
The attacker has the ability to fire in some sort of encoded BLOB – for example, let’s suppose it’s a DLL, a dynamic link library, a module… essentially, some executable code.
So, “What does that threat do?”
Well, it depends exactly and entirely on what the attacker sends down the wire.
DUCK. And that could change every day.
It could change by source IP: “Are you in Germany? Are you in Sweden? Are you in Britain?”
FRASER. Oh, yes, we see that very often.
DUCK. It could also say, “Hey, you already connected, so we’ll feed you NOTEPAD or some innocent file next time.”
FRASER. Yes.
The attackers typically will have techniques they use to try to spot when it’s us [i.e. SophosLabs] trying to run their creation.
So they don’t feed us what might be the ultimate payload.
They don’t want us to see the payload – they only want victims to see that payload.
Sometimes things just exit quietly; sometimes they just run CALC, or NOTEPAD, or something obviously silly; sometimes we might get a rude message popping up.
But typically they’ll try to hold back the ultimate payload, and reserve that for their victims.
DUCK. And that also means…
…I glibly used the word “polymorphism” earlier; that was very common in viruses back in the day, where every time the virus copied itself to a new file it would basically permute its code, sometimes in a very complicated way, even rewriting its own algorithm.
But you could get the engine that did the scrambling.
FRASER. Yes.
DUCK. Now, the crooks keep that to themselves.
FRASER. That’s on a server somewhere else.
DUCK. And they’re turning the handle in the background.
FRASER. Yes.
DUCK. And also you mentioned loaders – people may have heard of things like BuerLoader, BazaarLoader, they’re sort of well-known “brand names”…
…in some cases, there are gangs of crooks, and that’s all they do.
They don’t write the malware that comes next.
They just say, “What would you like us to load? Give us the URL and we’ll inject it for you.”
FRASER. The original bot operators from 15 or 20 years ago – how did they make money?
They compromised networks of machines – that’s essentially what a botnet is, lots of machines under their command – and then they could basically rent out that “network”.
It could be for distributed denial of service – get all of those infected machines to hit one web server for example, and take out that web server.
It could be quite commonly for spam, as you’ve already mentioned.
And so the natural evolution of that, in some sense, is today’s loader.
If somebody has a system infected with a loader, and that loader is calling home, you essentially have a bot.
You have the ability to run stuff on that machine…
…so, just like you say, those cybercriminals don’t need to be concerned with what the ultimate payload is.
Is it ransomware?
Is it data theft?
They have a vehicle… and ransomware is almost the final payout.
“We’ve done everything we wanted to do.” (Or we failed in everything else we were hoping to do.)
“Let’s just try ransomware…”
DUCK. “We’ve logged all the passwords now, there are no more to get.” [LAUGHS]
FRASER. There’s nowhere else to go!
DUCK. “We’ve stolen all the data.”
FRASER. Exactly… the final cash-out is ransomware!
At that point, the user is aware, and the administrators are aware, there’s data loss.
So, today’s loader is almost an extension of, an evolution of, yesterday’s bot.
DUCK. Fraser, I’m conscious of time…
So, given that you’ve painted a picture that clearly requires full-time work, full-time understanding – you’re an expert researcher, you’ve been doing this for years.
Not everybody can give up their day job in IT or sysadministration to have *another* day job to be like you in the organisation.
If you had to give three simple tips for what you should do (or what you shouldn’t do) today to deal with what’s a more complicated, more fragmented way of attacking from the crooks – one that gives us many more planes on which we need to defend…
… what would those three things be?
FRASER. That’s a tough question.
I think the first one has to be: having awareness and visibility into your organisation.
It sounds simple, but we very often see attacks where the starting point of an attack was an unprotected box.
So, you might have an organisation…
…they have a wonderful IT policy; they have products deployed across that network, properly configured; they might have a team of people that are watching for all the little sensors, and all the data coming back from those products.
But they have a domain controller that was unprotected, and the bad guys managed to get onto that.
And then, within the whole MITRE ATT&CK framework, there’s one technique called lateral movement…
…as soon as the attackers are on a box, they will continue to try to laterally move from there across the organisation.
And that initial sort of foothold gives them a point from which they can do that.
So, visibility is the first point.
DUCK. You also have to know what you don’t know!
FRASER. Yes – having visibility into all of the devices on your network.
Number two is: configuration.
This is a bit of a thorny one, because nobody likes to talk about policies and configuration – it’s frankly quite boring.
DUCK. It’s sort of important, though!
FRASER. Absolutely critical.
DUCK. “If you can’t measure it, you can’t manage it,” as the old saying goes.
FRASER. I think my one tip for that would be: if at all possible, use the recommended defaults.
As soon as you deviate away from recommended defaults, you’re typically either turning stuff off (bad!), or you’re excluding certain things.
DUCK. Yes.
FRASER. For example, excluding a particular folder.
Now, that might be perfectly acceptable – you might have some custom application in it, some custom database application where you say, “I don’t want to scan files within this particular folder.”
It’s not quite so good if you’re excluding, for example, the Windows folder!
DUCK. “Exclude C:*.* and all subdirectories.” [LAUGHS]
FRASER. It is.
DUCK. You add one, you add another, and then you don’t go and review it…
…you end up where you basically have all the doors and all the windows propped open.
FRASER. It’s a bit like a firewall.
You block everything; you poke a few holes: fine.
You keep on poking holes for the next three years, and before you know where you are…
…you have Swiss cheese as your firewall.
[LAUGHTER]
It’s not going to work!
So, configuration is really important, and, if at all possible, stick to the defaults.
DUCK. Yes.
FRASER. Stick to defaults, because… those recommended defaults – they’re recommended for a reason!
Within our own products, for example, when you deviate from defaults, very often you’ll get a red bar warning that you’re basically disabling protection.
DUCK. If you’re going to go off-piste, make sure you really meant to!
FRASER. Make sure you have good visibility.
And I guess the third point, then, is: recognise the skill set required.
DUCK. Don’t be afraid to call for help?
FRASER. Yes: Don’t be afraid to call for help!
Security is complex.
We like to think of it as simple: “What three things can we do? What simple things can we do?”
Actually, the reality is that today’s security is very complicated.
Products might try to bundle that up in a fairly simple way, and provide good levels of protection and good levels of visibility into different types of behaviour happening in a network.
But if you don’t have the skill set, or the resource for that matter, to work through the events that are coming in and hitting your dashboard…
…find somebody that does!
For example, using a managed service can make a massive difference to your security, and it can just remove that headache.
DUCK. That’s not an admission of defeat, is it?
You’re not saying, “Oh, I can’t do it myself.”
FRASER. We’re talking 24 x 7 x 365.
So, for somebody to do that in-house is a massive undertaking.
And we’re also talking about complex data – and we spoke about active adversaries, and that type of attack.
We know the Bad Guys, even when we block stuff, will continue to retry: they’ll change things up.
A good team that are looking at that data will recognise that sort of behaviour, and they won’t only know that something’s being blocked, those people will also think, “OK, there’s somebody repeatedly trying to get in through that door.”
That’s quite a useful indicator to them, and they’ll take action, and they’ll resolve the attack.
[PAUSE]
Three pretty good pieces of advice there!
DUCK. Excellent, Fraser!
Thank you so much, and thank you for sharing your knowledge and your expertise with us.
To everybody who’s listening, thank you so much.
And it remains now only for me to say: “Until next time, stay secure.”
[MORSE CODE]