The SOC Age Or, A Young SOC Analyst’s Illustrated Primer

This webcast was originally published on October 23, 2020.

In this video, the speakers discuss the complex and dynamic topic of cybersecurity. They explore various security challenges and the latest strategies for protecting digital assets. The conversation includes insights into emerging threats and the importance of proactive defense measures in the ever-evolving digital landscape.

  • The webinar discusses various essential skills and tools for SOC analysts.
  • It emphasizes the importance of understanding and handling vulnerabilities effectively.
  • The session highlights the necessity for continuous learning and adaptation in cybersecurity.

Transcript

Transcript begins at 12:24 of the webcast.

Jason Blanchard

All right, everybody, thank you for joining us today. This is the Black Hills Information Security webcast. If you ever need a pen test, you know where to find us. But we’ve got John covering his SOC essentials information.

We have a SOC training class coming up with a pay-what-you-want class, all the way down from $395 to $20. You get to choose what you want to pay for that class. And we’ll have the link available on Discord and GoToWebinar.

But that’s not what this is about. This is what John’s here for. And John.

John Strand

All right, let’s go. We’ll be sharing that link for the pay what you can. I hate to say pay what you want, because everyone’s like, I just want it for free, but I like to say pay what you can.

And we’ll talk more about that and kind of how that works at Black Hills Information Security. And Jason said the low was $20, but you can get it for $0 if you just send us an email, and anyway, we’ll talk about all of that here as we progress, and Jason will get you that link.

But what we wanted to set out with, and the reason why I decided that this was a good topic, is some of the incidents that we’ve been working at Black Hills Information Security.

We’ve gotten the opportunity to work with different SOC analysts from different companies. And I don’t want to say that they were horrible. That’s not true. They’re very, very excited people.

They’re involved and they want to really do well. But I’ve noticed that a lot of them are missing some absolute core key skills whenever it comes to trying to secure the systems, or more accurately, trying to respond to an incident.

And that is the focus of what I’m going to be covering here today. We’ll talk about that. We’ll get through it quickly as well. All right, so let’s go. So whenever we’re looking at your skill set, you don’t want to look at your skill set.

Like, Jeremy popped up. Who put it up? Selenia popped up. The security roadmap. I saw this from Paul a while ago, and it’s these crazy information security certifications that are absolutely everywhere.

And unfortunately, whenever people are getting started in security, especially junior analysts, they feel the need to actually jump straight in and say, I need to write exploits.

Like, we’re going to go into exploit dev, let’s do that. Or they say, well, we’ve got to go through and reverse engineer super advanced malware, and I need Ghidra, and I need IDA Pro.

And this is what I’m going to do to do security. Slow down. There are some fundamental skills that are required to be able to do those different things. And ultimately, if you look at anything related to computer security, it boils down to one simple rule.

And that one simple rule is that security is a glorified implementation of the basics and the fundamentals. I see people are asking for the slides. Let me share those really quick, and I’ll send that to Jason, and then Jason can post them for everybody.

And we are back. All right, so Jason will be posting the slides here in a second. So I want to talk about the core Lego block skills that you absolutely need to have anytime you’re going to be trying to do anything associated with being a SOC analyst.

Now, if you’re an advanced person, I’m sorry, this is a basic webcast that’s pointing people in the right direction of the skills that they need to have to get started. We’ll get a little bit more insane as we go.

Now, if you want to keep this real simple, really, this game basically has everything that you need to know on the procedure cards. Honestly, it does. And a lot of those concepts in the procedure cards and Backdoors & Breaches we’re going to be discussing here.

And if you’re a SOC analyst and you have endpoint analysis skills, you have NetFlow and Zeek analysis, you have the ability to cut through user and entity behavioral analytics, how to isolate systems.

Endpoint protection analysis, server analysis. You’re in a really good place, right? Because these are the skills. I put them in the game. I didn’t put them in the game just because I thought they looked cool.

I put them in the game because these are the things that we absolutely must have before an incident occurs. And as part of a SOC analyst, you’re doing that, right?

You’re going through and you’re trying to figure out how you can get better at your craft. And Radis brought up and said, I’m advanced in the SOC, but I want better ideas on how to mentor junior people. This game is great.

It’s absolutely fantastic. Arnsmaster said, what game are we referring to? It’s called Backdoors & Breaches. So we’ll give you a link on that here in just a couple of seconds.

Let’s start with server analysis. I’m working backwards from this a little bit, but the server analysis is pretty important because it’s one of those things that I honestly feel is missed when you get started in computer security, everyone’s all about the operating systems.

Operating systems are cool. We’re going to talk about Windows. How do we secure Windows? How do we lock down Windows? How do we lock down Linux? How do we secure these things? A little bit of backstory on that.

Years ago, back in the 2099 timeframe, those operating systems were Swiss cheese by default. They were bad. There were a bunch of guides that came out.

SANS released a hardening guide on how to harden Windows Server 2000 and how to harden Linux, Red Hat Linux and things like that. That was necessary back then.

Today, many of the operating systems that we have, they come with a lot of the security features locked down by default because they don’t want to get in trouble for basically releasing an operating system that is insecure.

The trouble with this is everyone got so focused on trying to lock down operating systems that we still see a lot of people fighting that exact same battle. Like, how do I lock down and secure a Windows system?

That’s irrelevant. Okay, it is. You keep your Windows systems patched, keep them up to date. I think there’s a remote that’s not a zero-day, but the Bad Neighbor IPv6 DNS vulnerability came out.

We’re seeing those types of remote exploits are incredibly, incredibly rare. And most of the time whenever an operating system is exploited, it’s exploited through an application or service that’s running on that server.

So let me explain. Whenever we’re looking at servers, key points that we need to be looking at are the processes, users, network connections, open ports and logs. Now what’s interesting about this is people mistakenly attribute me whenever I say processes, users, network connections, open ports and logs.

They automatically get into that operating system mindset. What processes is this particular application using on the operating system? What users does it have on the operating system?

And that’s not what I’m talking about here. Instead, what I’m talking about are what are the processes and services that start up within the application itself? What are the users in the application itself?

What are the network connections that this particular application makes and what open ports does it normally associate with popping it open? So let me give you an example. If we do Apache, what are the services? You have the httpd process. What are the users? Where are the user configs? The network connections?

You might have lots of inbound network connections, but very few outbound network connections. You can start doing that analysis on that application, on that server that is running.

This is different than actually looking at the operating system itself. We’re looking at all of these for the server processes. This also becomes incredibly important when you start looking at cloud security, because these processes, these users, these network connections, these ports, it gets a lot more difficult to cleanly identify them when you’re dealing with a cloud-based app.

But they are still the same questions that we have to ask about these particular servers as well. How to learn this? I wanted to give you some tips on how you get started.

Hardening guides. This is literally how I got started. Whenever I was working in computer security around ’99, 2000 at the Department of Interior working with Accenture, these hardening guides came out and I would spend hours going through these hardening guides.

And really, in a lot of ways, those hardening guides became the fine manual. And I hate that I’m telling you this in a SOC class, what, RTFM.

But I’m going to be honest, there’s some value in that statement. And that’s literally how I got started in computer security and learning about different applications.

Another dirty trick. This is horrible, but it’s true. I do a lot of consulting with companies and they say, well we’re running this particular vendor product and we want to know how to do these following things.

John, can you help us? I pull down the user manual, folks. I just go through the user manual and I read it. When you read a lot of these, a whole bunch of them, you learn where you can skip over things like initial install and configuration, blah blah blah blah blah.

We just kind of jump through whatever and then they start talking about enabling UEA, they start talking about security groups, they start talking about default passwords.

And a tremendous amount of my career is basically reading the manual, going to people who had questions, telling them what was in the manual, and then they go, that’s brilliant.

My God, how did this? John, I have the manual, 600 pages, and I went through it 20 minutes before the call looking for your specific question.

It was on page 400. Now I’m not that blunt, but I’m telling you right now that works wonders. It is absolutely super cool.

Right, so where can you get these? The Center for Internet Security has a whole bunch of guides. And if you’re just getting started, if you’re just getting started in security, right, and you’re just getting started as a SOC analyst, one of the first things I recommend is you find out what are the technologies you’re using at your organization.

Then you’re going to go look at the CIS benchmarks and you’re going to download them for free. You’re going to read them cover to cover. You’re going to go through and run those commands manually on another system.

If you look at this, they have like Amazon Linux, Ellium Linux, Apache Tomcat. If your organization’s running Tomcat, yeah, you’re going to want to pull down that guide and you want to go through all the relevant sections in the Apache Tomcat hardening guide so that you’re familiar with the security relevant settings.

BIND, you’re running BIND DNS, great, there’s a guide for that. Keep going. You’re using Docker, you want to get started, and everyone’s like, oh, how do I get started in Docker security? Great, here’s a guide.

Is it going to be as full-featured and as wonderful as contacts? No, but is it going to help you understand those advanced contacts and help you understand what they’re discussing in Black Hat presentations and DEF CON presentations?

Yes, it is. So this becomes, if you’re thinking about it as a swimming pool. If you’re getting started as a SOC analyst and you want to go swimming, if you jump right in, you’re going to drown.

You’re going to drown real fast. You might get into a meeting and be like, well, I think if we’re going to try to secure this system, I think that we need to look at the underlying crypto algorithms because I had a class in college about crypto algorithms and that makes me sound smart.

Everyone’s going to look at you like an idiot. You just jumped into the deep end, sunk straight to the bottom and everyone’s laughing at you. Sorry, but if you start working with these guides, they’re like putting on your little water wings, starting at the edge of the pool and starting to go out in a safe way.

So what are some other ones? Lots of operating systems in here. Kubernetes. You want to know about Kubernetes. Here’s a guide, literally. You stand up a Kubernetes instance and then you start going through this guide, start running through the commands.

This is what you’re going to do. Microsoft Azure, great. You want to learn cloud security in Azure. There it is, right there. This is easy as a SOC analyst.

If you take the initiative and you start cutting through all of these guides, if you’re like, okay, in our environment, I know we’re running Oracle, I know we’re running Apache, I know we’re running Kubernetes.

Then you read these guides and then you go through and then you basically put tabs on it and you learn these things, read them cover to cover.

You’re going to become that SOC person. That’s a genius, right? They’re like, well, how the hell did John know that? That’s amazing. This is it, right here. And if you have other guides that aren’t in CIS, if you’re running vendor products, read those guides too.

I try to pull down the guides for endpoint security products to learn how to navigate them. What features are available? Do they have the ability to actually interact with the firewall? What level of interaction can they get with the firewall?

What do I expect the logs to look like? What is the logging fidelity? It’s all in the manuals. Read them, read them. Hey, John. All right, yeah, go ahead.

Isn’t that guide a little bit of an index to learning? Right? Because it’s not always going to give everything. So you’re going to have to go out and find YouTube videos on things or white papers.

Oh yeah. But the guide will actually start as that base, I don’t want to say Rosetta stone, but it’ll actually start as that base understanding, and then you’re going to start cross-referencing.

Also, I’ve noticed the CIS guides, some, actually almost all of them, they do a great, great job of describing what the setting is, why the setting is important, what the different configurations are.

It’s that great Rosetta stone for learning what those configs mean. Yep. Thanks. All right. Did we just bring CIS down, folks?

I just saw somebody pop up and say, anyone else getting server not found on the CIS website?

Joff Thyer

Yes, we did, John. We just DoSed CIS Benchmarks. Sorry about that, folks. Take your time when you’re visiting that, it’ll come back.

John Strand

I’m sure all 1315 of you. Take your time. You don’t have to go right now. Yeah, take your time.

What I did years ago is I downloaded every single benchmark I could get my hands on. I read them all cover to cover. So that’s it. So that’s the BHIS hug of death, folks.

So, CIS, you’re welcome. All right, let’s keep moving. Let’s talk about memory forensics. So a couple of the incidents that we’ve worked at BHIS over the past couple of months, the SOC analysts that we’re working with on the other side, they’re still very much in this hard drive analysis mode.

And that has to do with a whole bunch of security books from years ago that are like, here’s how you do hard drive analysis, and here’s how you use Autopsy. And look, that’s a skill.

I’m not going to talk about that skill. It’s a skill. But a more important skill is how do you actually do memory analysis to figure out what is going on on a particular computer system.

Because a lot of the malware actually now resides in memory. Like, Joff, you’re here. Honestly, dude, do you even want to write to disk if you don’t have to?

Joff Thyer

I avoid writing to disk as much as possible with actual malware. And that, you can get it in memory many different ways. Disk is potentially the case of death, right? Because as soon as you get something on disk, a tool can analyze it and do stuff with it. So we try to avoid that if possible.

John Strand

So we have a customer that we’re working with right now where they had a whole bunch of systems that were compromised. And they’re like, we’ve got all the hard drive images, do you want to start going through them?

I’m like, no, I do not wish to do that. I choose to pass on that activity. And if you’re looking at the memory analysis, it’s not that hard.

Now the main tool that you’re going to use for this is Volatility. I doubt we can bring down volatilityfoundation.org, but who knows? The cool thing about Volatility is that it is the de facto tool for doing memory analysis.

And they have the ability for it to run on Mac, on Windows, on Linux computer systems. It also has the ability to ingest a wide variety of different memory images. You want to get familiar with this and actually going through and practicing doing memory analytics and getting used to looking at those processes, those network connections.

I usually recommend starting with network connections and working backwards from there. Now let’s get time for real talk with John Strand. Memory analysis is a train wreck, folks.

If you get into it and you’re basically like, hey, a bunch of these modules don’t work, that’s normal. That’s the way that that usually happens. That’s not a bad thing per se, but it’s something that you need to be aware of.

For example, if you’re running Volatility on a modern Windows 10 computer system and you run netscan to look at all the network connections, you’re going to see that all of the processes that are Windows processes have nice process IDs and the process names.

Hooray. Anything that’s not it gives you a dash, just says, hey, there’s a network connection to port 80 on some site. Who’s opening that connection? I don’t know.

What’s the process id? Couldn’t help you. It’s horrible, but it is what it is. One of those phrases that I keep hearing on both sides of the aisles these days. But it’s still key for you to be able to look at the memory from a computer system.

There’s a number of ways that you can pull the memory. You can dump the memory with tools like WinPmem. That’s great. You can actually go through and you can pull the memory. It’s funny, there’s a video, using memory forensics in security investigations with Volatility.

I actually have a link to that in just a couple of slides. Well done, hisp, well done. You can pull memory using WinPmem, you can pull the memory using FTK Imager, and if you’re working on a server, you can actually do a snapshot and you can pull suspended state files and snapshot files and you can mount those with Volatility as well.

So it’s an amazing utility. It’s an amazing group of people behind it, and we should all get familiar with it. And if every SOC analyst knew at a core how to take the memory and do some quick analysis with that memory, it would make our jobs so much easier.

I also recommend you go learn. Now this is good news and this is bad news. Okay? The good news is there’s lots of memory images for you to practice on.

Lots. You have Windows XP images? Windows XP images, Windows 7 images. Windows 7 images, crap. See a theme?

There’s not a lot of Windows 10 images. And that has a lot to do with what Microsoft did with actually the symbolic linking and the mapping tables. They stopped sharing those and then they started back up.

And they stopped, and then they started back up. So, Windows 10 is a bit of a nightmare whenever you’re trying to do analysis on these things as well. You have a lot of memory images that you can practice with.

They will not be the most up to date, but you’re going to get familiar with what the tool itself actually does and what the different modules like dlllist, pslist, netscan, netstat.

On some older versions of Windows, you’re going to get familiar with these different modules, how they run and how to actually do an investigation on them as well. Now I provided a bunch of links here in the slides.

So when you’re looking at these links, there are all kinds of links to webcasts that I’ve done in the past. There’s webcasts of the volatility ones as well. That, that one is in there. That one’s in there as well.

I’m giving you links that you can actually start to learn this. Now, some of this stuff is going to be outdated, like I said, in Volatility. If you’re running netstat, it’s not going to give you the right data. pstree may not work on some versions, but that’s okay.

I want to explain why that’s okay. Whenever you’re doing SOC work, when you’re doing anything in security, knowing the limitations of your tools is one of the most important things that you can learn.

And this becomes key, especially if you ever get in front of a judge and a jury. If a tool doesn’t behave the way that you expect it to and you’ve experimented, you’ve played with it, you’ve hit that wall before an investigation that ends up in court.

Good day for you. That’s awesome. Congratulations. If the first time you play with the tool, you run into these problems and you don’t understand these problems, you’ve never seen these problems before, and you’re on an investigation that’s going to end up in court, that’s going to suck.

So let’s practice with this stuff before we actually get involved with an actual incident. The other thing I would recommend is if you’re working in a SOC and if you’re a SOC manager, I guess this is a request for SOC managers.

Don’t overtax your SOCs, your SOC analysts. Okay. SOC analysts need free, unstructured play time to work with these tools, to get familiar with these tools and how these tools actually work.

So you shouldn’t be stocking your SOC and saying, everybody in the SOC is working five-day work weeks. We have the night shifts. We have the weekend shifts. You should probably be staffing at four-day work weeks, and you should be setting it up.

So SOC analysts can play with memory forensics. They can play with hard drive images. They can create challenges for each other. That’s one of the ways that you can actually deal with SOC burnout and make it so it’s not as bad of an issue.

Almost every organization I’ve worked with that has massive SOC burnout is pushing every SOC analyst to the absolute limitation of what they can do. And we run into this, too, at BHIS.

We’re standing up HTOC and SOC services. It’s tough standing these things up. It absolutely is. But we need to recognize that burnout and start dealing with it before it actually becomes a catastrophic issue.

All right, next thing that every SOC analyst should know is egress traffic analysis. All right. I’m serious. Like, this is so not happening right now, and it so bothers me.

Now, you would expect that, right? Because of RITA and everything that we’ve been doing with Active Countermeasures, we’d be really big into network traffic analysis, and we are. And there’s a number of ways that you can get involved.

And I wanted to share with you a couple of things that’ll help you accelerate your SOC career. First one is Zeek. Right. Somebody just popped in. You mean there’s supposed to be more than one analyst for an entire organization?

I am so sorry, but yes. Right. All right, so here we go with this. We love Zeek. And the cool thing about Zeek for you as a SOC analyst is it’s something you can install at home.

It’s something that there’s lots of resources and training that you can get, learning how to use Zeek and the different Zeek cookbook commands that you can run. It has a massive user base, lots of support.

It’s very consistent. It is amazing. And I talk about it here because your organization should have it. If it doesn’t have it, it should be planning on getting it as quickly as possible.

I know that some organizations will be like, well, we’re going to go with ExtraHop. We’re going to go with Darktrace. I think that that’s neat, but I think the team needs to have a basic understanding of packet captures and Zeek before they jump into those products.

This is an endemic problem. I know that this makes me sound old, but one of the big problems we have in the industry today is clouds. I like to yell at clouds. Clouds are a problem. An old man yells at clouds.

But the big problem is we’re buying a lot of products, and these products are hyper advanced. But the people that are running the products don’t know how the products work in far too many SOCs.

The only training that they give their analysts is how to use, like, SentinelOne, Cybereason, Cylance, Carbon Black. They don’t actually teach people how to do stuff at the core operating system level.

They get Fortinet, or they’re running Palo Alto, or they’re running all these different tools and utilities on the network side, and they don’t understand the basics of packets and how network connections work.

That’s jumping way too far ahead, and it’s going to really hobble you as a SOC analyst if you’re running a super awesome network tool and you don’t know what that tool is actually doing.

So Zeek is a great way to get started. So, egress traffic analysis, how would you do that? Full pcap? I recommend getting started doing analysis with full pcap.

You’re going to have to deal with it at some point in your career, the more you have this skill, like capturing packet captures and sharing packet captures via things like SSH.

How do you deal with very large packet captures that are broken into hundreds of different files? These are problems that you’re going to encounter because your tools will take you only so far. And then you basically, somebody just said, how do you get a SOC analyst job without understanding the basics of networking?

Right now, we are so understaffed in this industry, security BAEAC, that we’re literally pulling people that can spell cyber and they’re getting thrown into jobs.

And I think in a lot of ways, we’re doing a tremendous disservice to them. And by the way, we have free network threat hunting training. If you want to learn the basics and fundamentals of some of the network stuff that we’re talking about, it’s free.

Check it out. So learning how to deal with PCAPs and learning how to deal with full packet analysis using things like tcpdump is going to be huge. Wireshark.

All of those tools for anybody that is a SOC analyst are key. Absolutely. And for me, working with firms, I’m spending a lot of time in the incidents that we’re doing at BHIS.

I’m spending a lot of time walking people through how to create a basic packet capture, spending a lot of time walking people through. I’m like, oh, well, here’s all the domains that resolve.

And people will say, how did you do that? I’m like, that’s just Wireshark. It’s this right here in Statistics. And they’re like, ooh, black magic. It’s not. Somehow there’s a disconnect for people coming in and they’re not learning these core skills.

And I know that there’s some intro to security classes that are out there that don’t teach these things. Like they’ll teach you spend a whole day on crypto. Why the hell do we need a whole day on crypto? They’re not teaching the right skills off the gate.

They’re trying to teach skills that were important a decade ago. So we need to get better at some of these core skills as well. So the next one is Security Onion, and I saw this one scroll by, and Magula brought up, please learn Berkeley Packet Filter as well.

And absolutely correct. Magula is right on key. And we’ll talk about where you can get some resources for learning how to do these filters. And one of them is the training that we do for network threat hunting as well.

Security Onion is another great distribution by Doug Burks and the team. What’s really, really, really cool is you can download it and run it for free. You can run it at home.

You’re going to learn all kinds of skills by running this. You’re going to learn Kibana, you’re going to learn how to do ELK queries, you’re going to learn Suricata, you’re going to learn Snort, you’re going to learn all of these different tools.

And what’s cool about everything in Security Onion is everything you learn in Security Onion is actually transferable to other tools. And what you’re going to find, unfortunately, is you’re going to find that you’re going to be able to do something in Security Onion, and then you’re going to go to commercial tool X, and you’re going to be like, what is this?

I can’t do what I can do with Security Onion. And that’s frustrating, right? That is very, very frustrating. So this is a way for you to develop the core skills that are transferable, but you’re also going to run into.

You’re going to run into times where you’re going to have limitations. The commercial tool won’t do everything that you want to do under the hood, but that’s cool, because if you’re a SOC analyst and you get into a situation where you’ve pushed the limits of what a tool can do, and now you’re dropping down and you’re using bro-cut or you’re using Zeek or you’re carving through a PCAP, that’s where people were popping it up.

It’s like, oh, are you a wizard? Absolutely. It’s absolutely something you want to be in that wizard category that many people just aren’t familiar with.

That’s fun. We can actually do that. I just lost my Discord channel. There it is. We can actually do that. And we can get good, and we can get good at home doing this on a home network.

And by the way, we had an entire webcast on building a home network with full packet capture. We can get that up for you. I’ve given you a couple of links. Both of them are from Active Countermeasures.

And I want to share with you what we’ve been doing at Active Countermeasures over the past couple of months. Actually, one of the things that we’ve been doing is we have a ton of different blogs on monitoring one gig connections.

But the big things I want you to look at are Malware of the Day. We have tons of Malware of the Day packet samples that you can play with. Now, a lot of these are generated with Cobalt Strike’s Malleable C2 profiles.

We generate these, we give you where the profile actually exists, and then we give you analysis with AI-Hunter, because that’s the product we sell. But then we also give you the analysis with free tools like RITA.

We give you the packet capture files so that you can practice going through and doing this analysis on these malware specimens in a safe fashion.

And the samples are relatively small, and this is actually fairly close to what you do as a SOC analyst. If you have a workstation you think is compromised, you’re going to fire up a packet capture, and you’re going to look at that packet capture of that particular malware specimen as well.

The other link on here is the one that’s our video blogs. Chris and Bill and myself and Keith and Ethan, we do a lot of free videos for getting people caught up to date with tshark and how to do network threat hunting, data exfiltration, and detecting it with a single command.

And then we also have our training classes that we’re doing for free. Basically, we’re bending over backwards, folks, to try to get it to the point where these core fundamental skills are available and accessible to everybody.

I’ve talked about this quite a bit. I’m sick and tired of entry level gates in this industry where if you want to get into security, you have, to spend thousands and thousands and thousands of dollars on an intro security class.

That’s garbage. I’ve had it. I’m done. I’m over it. And that’s why Chris and I, who have trained for years, we’re spending a lot of time and effort doing free training classes.

So that’s why our Intro to SOC class is pay what you want or pay what you can. That’s why our Intro to Threat Hunting class is free. That’s why our Intro to Security class is free.

The core fundamentals shouldn’t cost anything at all. So next up, I’m not going to do the whole paranoid nerd rant. We’re not going to do that whole thing.

The next thing is dealing with logs. Logs are hard. They’re really, really, really difficult when you’re looking at trying to get started in security and you’re trying to do SOC analysis and you’re trying to understand what’s going on in Windows event logs. I am sorry.

There is no easy way to do this if you’re not capturing the right logs. If you’re just looking at standard Windows event logs, security, application and system logs, you’re hosed. You’re not going to have a good day at all.

If you start getting into Sysmon, then you’re starting to get the proper logs. And those things we will actually talk about in the intro class, and we talk about in a lot more detail in the SOC class as well.

But here’s the problem. There’s no log that says you’ve been hacked. There’s no 666 event log, right? Sysmon? Yep. Again, just say yes, make it happen. And if you look at an example, and I always use this example, and I’ve used it for years.

If you go in and you change the security policy on a system, it never says John Strand changed the security policy. What it says is John Strand invoked privileged use and SYSTEM changed the security policy.

That’s crazy. Why would it be that hard? You got to piece a whole bunch of logs together to figure out what’s going on. Also, whenever we’re looking at the Verizon data breach reports, less than 5% of the detects in organizations, whenever they detect that they’ve been compromised, are actually coming from logs.

We’re getting into huge problems with percentages. Linux logs, not much better. Bash logging, awesome. Turn it on on every system that you have. It’s great.

All right, so what about user and entity behavioral analytics? Well, that’s getting us better, but still, as a SOC analyst, I have this slide that talks about false positives here in a second.

And I sit down with SOC teams and they’re like, yeah, our UEBA? It’s just crazy. There’s too many false positives.

When I sit down and I look at what’s going on, they’re not false positives, they’re actual, real things that are happening, like system accounts doing what system accounts do. But I think that a lot of people think that there’s a lot of false positives because they feel uncomfortable with what it is telling them and they feel uncomfortable actually filtering the false positives out.

So if we’re looking at the behavior of attacks, it requires us to have a better understanding of Active Directory and how these things communicate with each other, like internal password spray.

So LogonTracer is a cool tool for playing. It’s really not a great tool for running an enterprise of just 100,000 nodes, but it’ll at least get you up to date on what types of things UEBA can detect.

Like you can see one system that is authenticating to literally hundreds of other computers. That’s important. As a SOC analyst, you want to be able to pull down that information and you want to be able to see that, right?

And the key event IDs, if you’re a SOC analyst, start here. And the reason why I started with these is these are the key ones that are used in LogonTracer. These are also the key event IDs that are used whenever you’re using a commercial UEBA.

These are the main ones that are used for detecting lateral movement attacks. So. And it’s not even all six, right. The big ones you should be looking at are six: 4624, logon successful; 4625, logon failure; 4768, Kerberos request.

And then 4769, Kerberos service ticket request. You should know those four event IDs and read the TechNet articles on them and learn what they mean.

Because whenever you’re trying to troubleshoot a UEBA or trying to troubleshoot a log analysis tool, and it’s doing detection on an environment, these are the absolute core event IDs that you need to know.

There’s other event IDs that are important. Don’t get me wrong, there are, but these are the main ones that are going to tell you the vast majority of lateral movement and post exploitation attack techniques that are going to happen.

So start here. Now, once again, we have a long class, two days, that we’re going to be talking about all these different things. But at a core, you need to understand these things because regardless of whatever tool you’re using, you’re going to be constantly coming back to this again and again and again and again.

I just saw this pop up. We had a reference that just basically popped up. Tavis basically said we disagree on this: SMS two factor authentication is harmful. That’s one of the things where I disagree with them.

Just because two factor’s better than no two factor. We can argue about what two factor’s best, but yet, if you have the chance to have it, yeah, that’s something that’s better than having a standard password.

And here I am. I might as well just start disagreeing with Bruce Schneier as well. Let’s just disagree. I’ll just disagree with all the infosec luminaries. Just ride this all the way into the dirt. So let’s talk about false positives.

So, false positives, this is horrible. They’re not a thing. Okay. And people’s heads start exploding. Right?

And I talked to a lot of teams and they’re like, oh, there’s so many false positives. There are so many false positives. And I say this, and they get all controversial.

We’re going to fight, let’s do it. Or a geek fight, right? Whatever. But when you’re looking at every damn security tool that has ever come down the pipe, every one of them needs to be tuned.

Okay? We have a customer, we just got done doing a pen test with this customer. Joff did it. And the customer pushed our team hard. Pushed the team very, very hard.

But they had instrumented and tuned their endpoint security product well beyond what the vendor does out of the box. Why? Because the defaults didn’t work to stop advanced adversaries.

If you look at firewalls, almost all firewalls out of the box, they let a tremendous amount of traffic go through, and they do just basic signature detection.

That’s it. Why? Because the spice must flow. So when you’re looking at tools that have, quote unquote, low false positives, that’s not what you should be worried about.

You shouldn’t be worried about false positives in the dead of the night, waking up being like, oh, God, there’s a lot of false positives. You should be terrified of false negatives. And your job as a security analyst, your job as a SOC analyst, is going to be going through and tuning these products.

Is it hard? Well, yes. Does it take time? Absolutely. Will it make you an infosec Tyrannosaurus rex? Yes.

Because if you look at anybody that’s good, anyone like, you start at Chris Brenton, you move to Rob Lee. You talk about Seth Misenar, Eric Conrad, even Joff, who does offensive stuff.

Back in the day, whenever he was doing defense at a university, and then he was working with another consulting firm who shall not be named. All of these people, they all have a common story that they tell about going through and filtering through their logs and creating different scripts to filter through their logs and doing different regular expressions to filter through their logs.

And they became amazing at what they did. Once again, did it suck? Yeah. Was it hard? Absolutely. Were they all false positives? No, they’re not.

Whenever you have a system account or a service account that’s triggering it, it’s triggering it for a damn reason. You can go through, analyze it, say, yes, this is, in fact, triggering multiple logons to multiple different systems.

I expect this behavior. Now I’m going to create a filter, and then I’m going to keep going. And then you work through it. This is hard. It is usually a problem of tuning. It is usually a problem of understanding the network.

And at the end of the day, this is our job. I’m so happy that ingenuity got my reference to predator. All right, I have some links here for some different websites that you can look at.

We have ELK and we have YouTube videos, tons of things available for you. So check these out. I saw some people. I think it’s kind of funny. And there’s some people that are new to our webcast.

They’re like, oh, my God, they’re giving out so many links. I’m getting overwhelmed. Welcome. That’s the way our webcasts grow.

So Deb is sharing out all the links. All right, now let’s talk about endpoint analysis. I struggled with this one a little bit just because it’s more on the endpoint security analysis.

Because if you’re trying to get into the SOC industry and you don’t have Cylance, you don’t have Carbon Black. How the hell are you going to get a job if you’ve never used any of those products?

And there’s some amazing things that are actually available to you. So let’s start with the basics. One, I can’t recommend the stuff that Eric Conrad and Seth Misenar release enough.

They are two of the finest SANS instructors on the face of the planet. You should go follow them on Twitter, you should take their classes. And they’re not only just great instructors, they’re just all around great people.

Eric Conrad released this tool called DeepBlueCLI. What DeepBlueCLI does, you feed in event logs where PowerShell logging is enabled and it will go through and automatically detect a wide variety of different attacks.

It’s great for a SOC analyst, especially if you can enable PowerShell and command line logging on your workstations, because it’s going to kick that SOC analyst up further ahead of the curve for detecting evil on that computer system.

Please, please, please check it out. It’s amazing. DeepWhite is basically taking Sysmon event logs and then doing the same type of analysis. So, if you’re a SOC analyst just getting started, those should absolutely be two tools that are in your chest, two quick tools that you can run with.

However, those tools aside, you also need to learn the SANS cheat sheets. I’d recommend you learn the Linux cheat sheet and the Windows IR cheat sheets and you need to learn them cold.

You need to be learning tasklist /svc, tasklist /m, tasklist /m and a DLL. You need to be learning wmic process list full.

wmic qfe list full. You need to be able to use WMIC to get last startup time. Like you need to learn these things and you need to learn them not necessarily cold, but you need to be very, very, very good at as many things on these cheat sheets as you can possibly get.

Once again, a lot of SOC analysts at this particular point, they start to get bogged down because this is a lot of crap, right? And they’re like, what, it’s just easier, man, if I just learn SentinelOne or Carbon Black and then I’m good at that.

That’s good enough. No, it’s not. Sorry. Almost all the incidents that we’re working right now as part of the IR stuff, I’m working on one right now with Jonathan Ham.

Jonathan Ham will be doing some training and stuff with us in the near future and he’s amazing, by the way. He’s one of those absolutely outstanding instructors and yeah, those get us in the ballpark.

But it’s part of the reason why this webcast came about is there’s times where Jonathan and I roll up our sleeves and we dive into the command line, we dive into packet captures, and then the SOC analysts that we’re working with and the customer are just like, what is this black magic?

And it’s not black magic. It isn’t. It’s some basics and fundamentals and we need to get better at this stuff. So you can pull down these SANS cheat sheets and you can go with them.

And then I’ve got the links here. Windows command line research results, ultimate list of SANS cheat sheets and then some YouTube videos on initial analysis on a Windows computer system.

So you’ve got a lot of links that you can work with as well. Now as I said, this section was hard because if you’re just getting started in security and you’ve never worked with an advanced EDR, many times it is required that you have some experience with an advanced EDR product.

The problem with advanced EDR products, up until recently, you couldn’t get them at home. But now we’re starting to see some home versions, but still, that costs money.

So what’s really, really cool is we’ve got to take a step back and we’ve got to understand that all of this is part of overlapping fields of view. And for you as a SOC analyst, your goal is to get good in as many of these different field areas as you possibly can.

Now let’s spend a couple of moments and let’s talk about what this sets you up for. If you’re good at AV/EDR, you’re good at NSM, you’re good at UEBA, and you’re good at SIEM and you’re good at analyzing the endpoint and you’re a solid, good young SOC analyst or an older SOC analyst and you develop these core skills, you’re going to develop a path.

Either your path is going to move to incident response and forensics. That’s where... SOC analyst jobs usually don’t pay that well. I’m sorry. I apologize. They just don’t. They’re usually looked at as entry level jobs.

But if you want to progress beyond it, then you can move into forensics. That pays really well. You can progress beyond it, and you can get into IR. And that pays really well if you’ve advanced EDR, if you advance.

And you can also move into pen testing, because if you learn these things and you develop this foundation, it opens up career opportunities to you that normally wouldn’t exist if you just popped out of college and you’re like, I’m going to be a pen tester.

I got a degree. That’s rare, folks. We have a couple of them at BHIS. It’s rare for you to pop straight out of college and go into pen testing. It’s rare for you to pop out of college and go straight out into forensics.

It’s very, very, very difficult. So all of these things matter as your core. But when you’re looking at these advanced EDR products, you need to understand that, yet again, there are weaknesses.

MITRE has done the MITRE ATT&CK evaluations where they’ve gone through and they’ve evaluated a whole bunch of EDR products and endpoint security products, and every single one of them had gaps.

Every single one of them had weaknesses. And I’m putting this in here in the SOC analyst class so that you as a SOC analyst or you that’s bringing on junior SOC analysts, you need to break people of the thought that these tools are invaluable, that these tools will always detect everything, that these tools will detect any type of malware that’s on the system.

That is not the case. And these evaluations actually demonstrate that very clearly, that these tools do miss things from time to time.

If we work with that idea that there is a blind spot, the blind spot exists, and we’re going to try to work around that blind spot by looking at multiple different types of tools and overlapping visibility.

Folks, you’re starting to get to the point where you’re a fine SOC analyst and you have some really, really cool things that you can. All right, now to play at home, how do you do this?

Well, for many of you, going out and purchasing an advanced EDR is out of the question. It’s just not going to happen. But there’s tools out there like BLUESPAWN.

BLUESPAWN is out of a university in Virginia. I can’t remember if it’s Virginia Tech or the University of Virginia, and I don’t, somebody will correct me and they’ll pull down the link. But BLUESPAWN is an open source EDR product that has a lot of really solid coverage with the MITRE ATT&CK technique matrix.

So it is absolutely amazing for you. And then Elastic Endpoint. That’s right, I forgot. Elastic Endpoint is now free as well. So if you’re trying to get in as a SOC analyst, as a SOC analyst, you now have tools like Elastic, you have BLUESPAWN, where you can start playing with these tools, playing with tools like Red Canary, playing with tools like Caldera, and you can play with them at home.

So now on your resume you can start putting in, these are the tools that I know. Tora just asked about SIEM skills: would just learning open source ELK, for example, be enough? Do you recommend learning a commercial product like Splunk or Graylog? Actually, I recommend that you learn Sigma, and let me explain why.

So the reason why I recommend Sigma is Sigma is a generic format of event logging. And then you can write the rules in Sigma language, and then the rules are automatically cross-portable to all the major SIEMs.

You can basically write a rule and then you can basically convert it to Splunk, you can then convert it to Elastic, you can then convert it into LogRhythm. You can convert it into a bunch of other different types of platforms.

So this really allows you to develop that one kind of ring to rule them all. We’re learning this core signature language that then allows you to port your rules over to other formats as well.

There you go. So with BLUESPAWN and Elastic, you now have the ability to start doing analysis of attacks on your system. You now can go for a job and you can say, well, do you have any experience with EDR?

Yes, I do. I have experience with Elastic, I have experience with BLUESPAWN. What did you do? Well, I fired up BLUESPAWN and then I ran Red Canary Atomic Red Team, and I was able to detect the attacks and learn.

That is going to put you at the very tippy top of that list of candidates that are coming through as well. All right, let’s talk about lateral movement. So just a standard exploit.

I’ve used this slide set quite a bit, but when you’re looking at standard exploits, this is how most people focus on IR, they focus on. All right, well, one system’s compromised.

I could do forensics on that system. No, if you’re talking about a SOC analyst, you now have to look at that lateral movement. This requires you to understand protocols like PsExec, pass the token, remote desktop, pass the hash, WMIC, WinRM.

There’s a ton of them that you have to be familiar with because these are common protocols and these are common techniques that attackers are going to use to move laterally.

And if you’re not aware of these techniques, like we’re working a gig. The customer has no idea what SMB is, but one of their compromised systems is making thousands of SMB connections to other systems in the environment.

All of a sudden we’ve lost that kind of conversational fabric that is required to keep us together so we can talk the same thing. So you have to be familiar with these different things to tie it together.

So I’m certain that I’m missing some protocols, but Joff, help me out. I know I’m missing some. I’ve got SMB, PsExec, WMI, RDP, WinRM, Microsoft Kerberos, LANMAN, NTLM and NTLMv2.

Would there be any other protocols that you would recommend here?

Joff Thyer

Oh my goodness. I think you hit just about all of them. That goes along with SMB. But, but you, yeah, John really hit it. One of the, one of the very interesting things.

Quick story. I was just on an engagement and doing some password spraying, which is a technique to guess passwords. And I used Kerberos instead of a traditional SMB login.

And so Windows event ID 4771 became actually really interesting to them, that they hadn’t seen before, because it was a Kerberos pre-authentication failure.

John Strand

Yep.

Joff Thyer

So. But yes, John’s right on target. I think he hit them all. PsExec’s not really a protocol more than it is sort of a methodology.

John Strand

Yep.

Joff Thyer

But yeah, WMI. Do not forget WMI, because that is something that a lot of people overlook. And it’s really important to get your head into.

WMI tends to be not as well instrumented in logging in environments. And there I go, giving away some of the secrets. Right, that’s fine.

John Strand

We have some people that are talking about, like, SSH. We very rarely see post exploitation on Windows computer systems where they pivot with SSH. It happens. But it wouldn’t be nearly as much as you would see these particular protocols.

Joff Thyer

We’ll try to use normal protocols in the environment.

John Strand

Right.

Joff Thyer

So SMB and RDP will be two really big things because we look like regular users in the environment when we use those protocols. It’s much nicer to blend in than it is to stand out every time.

John Strand

Every time. All right. So if you want to get started with this and kind of breaking down these things, what they look like and you’re like, what does it mean when John says know these tools?

Well, let me show you what it means to know these tools. So, all right, so JPCERT went through these different tools and these different protocols.

They basically are like, okay, PsExec, overview of what PsExec is, the operating systems, the communication protocols and ports that it’s going to use. What do you get from the logs?

What do you get for standard event logs? What do you get for Sysmon event logs? So you’re really learning, like Prefetch, it shows up in Prefetch, right? What are the registry keys? The destination system, what does it look like on the destination system?

So you get the opportunity to not just sit there and be like, okay, I’m going to fire up Wireshark. I’m going to read a blog. They actually have already done a lot of that work for you. I don’t require you to be able to rattle this crap off.

I want the RFC for PsExec and SMB. It’s like, yeah, that’s stupid. But if you can say, well, wait a minute, I’ve got this website that I go to that has all this information. It breaks it down for me.

Can I check it out? Hell yeah. 90% of what we’re doing at BHIS is literally googling crap and going to a bunch of different websites and just copying and pasting as much as we possibly can.

It’s not so much knowing stuff like trivia, but it’s more in line of do you at least have awareness of it and then where you can get that information to dig deeper, that’s going to become absolutely critical as well.

All right, so vulnerability management. Is vulnerability management something that SOC analysts do? It’s split 50/50. 50% of the people said no, 50% of the people said yes.

So I figured we’re just gonna leave it right here, right, so we can just go through it. All right. So low and informational blind spots are critical. And this is a basic section for SOC analysts.

And the SOC analysts that I’ve encountered recently that are doing, like, vulnerability management, they’re doing it the wrong way. They’re going through and they’re starting with the highs and the criticals and those are the only things they take care of and they ignore everything else.

They’re breaking things up constantly by IP address and that doesn’t work, right. It just doesn’t work at all. And further, they spend a lot of time on this, right?

And if you look at the MITRE ATT&CK technique matrix, two squares out of all of them are addressable by, like, vulnerability management. Like you get that traditional, this is a CVE.

So we want to set the right amount of time and we want to be able to set it up in such a way that we can get the maximum bang for the buck. So here’s the wrong way.

Many organizations address vulnerabilities by the IP addresses they’re going to go through and they’re going to break them up and they’re going to go each IP address one at a time. This is daunting. So if you have 1000 IP addresses, 25 vulnerabilities, you’re going to try to address 25,000 vulnerabilities.

To hell with that. No one wants to do that, no one got time for that. We aren’t going to deal with that at all. It’s the most common approach that I see and it’s wrong.

You just shouldn’t do it this way. Instead, stop focusing on IP addresses and ranges and instead focus on the vulnerabilities. Instead of 25,000 vulnerabilities you’re really looking at a few hundred vulnerabilities spread across multiple systems.

What I mean is you’re going to have systems that have the exact same vulnerability. And as a SOC analyst you got to ask yourself, how do we address these vulnerabilities globally across all of our different systems?

How do we use that as automation? This is incredibly effective. We’ve talked about this at SANS faculty and also at BHIS. We’ve scanned a million IP addresses and we’re able to get through that in less than three weeks.

That’s because we use this technology or technique. We take the technique of taking the vulnerability and working backwards. And that’s because that same vulnerability can be replicated across hundreds if not thousands of computer systems as well.

Very quickly I wanted to talk about threat emulation. We’re coming down to the end of this. I wanted to deal with this infosec burnout problem in SOC. And I really think one of the things we should be doing, and one of the things we’re going to be doing at BHIS’s SOC and HTOC, is threat emulation and adversarial simulation in our customer environments.

The reason why you want to be doing this is you want to make sure that your tools work. You want to make sure that your analysis and your EDR is picking up the different attack vectors that your network security monitoring is picking up, that command and control and that lateral movement.

You need to get into the habit of running tools like Caldera. As a SOC analyst, this should be something you run at work all the time. We can run things like Atomic Red Team.

Set this up and run it. We’re going to have some webcasts. Darin and Carrie are going to be offering a class on how to use Atomic Red Team to maximum effect for adversarial simulation.

You need to be doing this. And this goes back to, on that off day, quote unquote off day, your SOC analyst should be running these tools. They should be running and seeing how it reacts on their EDR.

They should be making sure that the alerts actually show up on the simulation. We’re constantly testing, constantly evaluating, and making sure that stuff works. This puts you into a position of an active SOC.

This is just a run of what Red Canary looks like. Things that are hard, though, things that I can’t seem to teach. I have a really hard time teaching people to keep digging, just to keep digging.

If you get stuck, keep going. Ping, port, parse. Basic troubleshooting. Can you ping the IP address? Is the port open? And then can you parse any error messages or can you parse the command?

This is basic fundamentals. Fighting burnout sucks, especially here in 2020. I think everybody is burnt out. I know a lot of people that love their jobs and they’re just tired.

I’m tired today. This is my third presentation out of five. We have a lot of stuff going on in this industry. Never get stuck. Pivot. This is kind of correlated to digging, but it’s just constantly pivoting and moving and thinking about things in different ways.

But you’re only going to be able to move and think in different ways based on the exposure that you have had in the past and a lot of the things from the network, a lot of the stuff that we talked about on the host, a lot of things we discussed here.

This will give you greater visibility and greater understanding of how you can pivot. Also, let me google that. It’s very, very, very hard where you have people that ask questions constantly that are easily googleable.

As a SOC analyst, you need to be able to google these things. If you come to your management with a question and they google it and it’s literally the first answer, that’s not cool, folks.

That’s not cool. It gets to the last point, I can’t teach you drive. I just can’t. As a SANS instructor for years, we’re always trying to inspire people.

Many people didn’t realize this, but a lot of SANS is not about teaching core skills, but it’s this edutainment to get people fired up and excited about doing their job and then using that drive that we hope we can give them to come back and then hit the books and learn stuff.

Technical things, folks, tend to be very, very, very dry. You have to have that fire in your belly to be able to actually go and actually do this stuff and to do it well.

And I hope, honestly, you can get that burnout is real, but you got to push through it. You got to find that thing, that star. That’s going to be your guiding point, that’s going to pull you through this, because right now, this year sucks.

It does. It’s just a bad year. Incidents are getting worse. Ransomware is getting worse. We’re not even going to talk about politics, but let’s just say a flaming dumpster fire of a train wreck doesn’t quite sum it up.

But we still have to wake up every morning. We have to find that tribe. And here’s the thing, and I give a longer version of this speech. If you don’t have that tribe, I recommend you go out and you find that thing that gets you excited.

It could be construction. It could be underwater basket weaving. Go find that thing that you have that passion for and do that thing. The reason why is there’s a lot of people out there that have that drive, that are looking for that opportunity to get into this field, that are looking for that opportunity to move up and they should get their shot to do that.

And I say this not to make people mad and basically say, oh, well, I don’t like you or anything like that, but I’m a firm believer in finding that thing that you’re excited about and doing that thing.

And there’s a lot of people that are excited about getting into security. All right, so architecture. Remember that overlapping fields of visibility and try to start thinking in terms of this type of, like, defense in depth architecture.

With that we’ve gone over, I just want to say thank you so much for coming. I hope to see you in the Intro to SOC class. As we said, it’s pay what you can, and if you send us, if you can’t pay, there’s no shame.

We had to make the base to be $20 because we had a crap ton of people that offered to pay nothing and they didn’t show up. A whole bunch of people didn’t show up, and that’s okay.

But if you’re somebody that’s just getting started. If you’re working as a side job, if you’re washing dishes, if you’re busing tables, but you’re probably not right now.

If you’re out of work, the only thing we ask is that you send us an email. That’s all. I’d like you to put something in it about yourself. I don’t want you to explain why you can’t pay.

I would much rather know where you’re coming from and where you want to go. That’s the only thing I’m asking in exchange for taking this class for free.

I just want to know where you come from and where you’re going. I don’t want to hear why you can’t pay because I trust you and I know people are going to take advantage and I don’t care. For those of you that are looking at this like, well, people are going to take advantage of that.

They’re going to get it for free. I don’t care, folks. Doesn’t matter to me. What matters to me is where did you come from and where do you want to go? And hopefully we can get you there. So thank you so much, everybody.

Get out of here. I have another presentation starting up in just about ten minutes and we’ll do a quick ten minute post-show banter and then what? We’ll get here.

So. Oh, my gosh. So, Jason, how are you doing?

Jason Blanchard

So I had a migraine about four minutes into the webcast and I started going blind. And then, while I was blind, like, Deb took over a bunch of stuff and then I had my vision back.

So here we are. It’s been 1 second hour, but.

John Strand

Yeah, you’re feeling better now, though? I am.

Jason Blanchard

Like, it’s been, I went on a journey while you were taking people on a journey.

John Strand

All right, all right.

Jason Blanchard

So I posted the link inside the GoToWebinar chat for the SOC class. Feel free to go in there. Deb has said she’s already gotten about 20 emails. She’s sending out those discount codes to the people who are emailing us.

And yes, the other thing I wanted to tell people is that if you are in college or university or high school and you have a computer club, I’m going to post a link inside Discord for you to request five decks of Backdoors & Breaches for your team, your club.

John Strand

And we should all say thanks to Deb because she’s answering all these emails with the discount code. We should set up a separate email address that we can set an out of office reply on. That just gives people the discount code.

But I know Deb’s going through and reading the stuff. But it matters to me, by the way. It does, because I hope to get to read some of these. It does matter to me where you’re coming from and where you’re going.

All right, I now get to go do a presentation on artificial intelligence and machine learning.

Joff Thyer

Wow. So, that should be fun, John.

John Strand

Oh, it should be cool. I get to talk about ping pong balls and tables and blind theories and decision trees and all that stuff. It’s going to be awesome.

Joff Thyer

The fun part is when you can actually train the neural network or the decision tree to make the wrong decision.

John Strand

That’s.

Joff Thyer

That’s the funnest part of all.

John Strand

Oh, Joff, that’s where we’re going in this presentation, right? Oh, absolutely. Oh, my God. I just gave it away. It’s another irons gig. That’s.

That we’ve got to do so. Well, I’m going to drop off. You guys can have some post-show banter, but I recommend not easy like goes and lays down.

Joff Thyer

Yeah.

John Strand

All right. All right. Take care, everybody.