Hello, welcome to the webinar. Good morning and good afternoon, depending on where you are in Asia Pacific. Today we're going to have the first session of our series of webinars, Defense in Depth. Today our speaker is Christophe Say. He's very experienced in network security, and today he's going to talk about the first session, Offensive Security. Before we start, I want to remind you about something. First is the Q&A. If you have any questions during the presentation, don't wait till the last minute. You can always raise your question from the Q&A box. Christophe will be spending some time at the very end to answer all your questions. Or if you want to contact Cloudflare, there's a box in your view; you can just e-mail us directly, and we will reach out to you after the session. So next, over to you, Christophe.

Yeah. Hey, thanks, Eric. Hey, hello, everybody. This is Christopher from Cloudflare. I've been the social network security view in the sense that I handle things like DDoS and things like zero trust, right, the sensitive portion, so on and so forth. OK. So that's a little bit of my background. Over the last 20 years I've been majoring in core network, working from Cisco, Juniper, and before joining Cloudflare I was from VMware doing the network security, NSX portion, right, virtualization, so on and so forth. So in a sense I'm very fortunate: I have the best of both worlds, touching the core physical network as well as the virtual, and now I'm doing cloud security. OK. So that's a little bit on my background.

OK. As you can see from my slide here, the main title is called Defense in Depth, OK. Some people ask me, Chris, what do you mean by Defense in Depth coming from Cloudflare's kind of angle, because we hear a lot of people doing layered security from different vendors, some doing the CNET, some doing the cloud, some doing the on-prem, some doing the test, and so forth. OK, so not to worry.
We have a total of eight sessions in the whole series, right, fortnightly. Today, we'll be touching on session one. All right. This is sort of setting the platform, OK, the foundation of all the rest of the sessions. As you see, the name is called Offensive Security. OK. So without further ado, let me go through the agenda of the whole eight sessions. OK. I believe you saw that in the registration portal. The eight sessions will be: number one, Offensive Security. Second, Defense in Depth, coming from Cloudflare, Cloudflare's angle: what do we play, all right, in the whole defense in depth space, OK, how do we help customers to secure their physical, their cloud environment, the multi-cloud. Then we move on to Cracking the Wall, which is very interesting, right: how hackers or how a pentester is able to bypass the primary defense, and how can we help customers secure that. Right. Then the fourth one will be Ransomware Fingerprinting. We'll go through a scenario on how a complex ransom comes in, because a lot of people thought that ransom is just downloading some file and encrypting my data, asking for ransom. It is not as simple as that. In fact it is very complex. OK, then moving down, Zero Trust versus Zero Knowledge. I will hold that until session five to let you know what message I'll be trying to bring across. Then we go on to The World Without Stranger. We're talking about how you will link your multi-cloud together: how can we simplify your operation, data operation, that links multi-cloud in the networking as well as the security space. The last, The Enemy's Last Resort, talking about DDoS. OK, so I believe you have heard a lot of DDoS so-called incidents nowadays. It is not a small matter. It is not a trivial thing that we can take lightly. OK, because that is really the last: if I cannot do anything, I cannot ask for ransom, I cannot also so-called do data exfiltration.
The last thing I want is to bring down your services and then ask you for payment. So there's another form of drastic change. Then the last session, session 8, we put everything together. Coming from Cloudflare's perspective, how can we really help you to secure your multi-cloud environment, right. So these are the eight sessions. Today we are on session number one, called Offensive Security. Let's move on, right.

Number one, OK, before I start: I talk to a lot of customers, OK. In fact most of the customers tell me that, hey, Chris, we are spending so much money beefing up our perimeter, beefing up our so-called microsegmentation, so on and so forth. OK, but we still got breached. OK, ransomware is still on the height. What's wrong? We have spent so much resources into a human being, in terms of the licensing, in the different solutions, but things still move on. OK, very simple. My only one question to them is always: do you know what you're defending? People thought that if I've got multi-tier, all right, we're talking about layered defense, OK, layered security, multi-tier of security, I am safe. For example, let me quote you an example. If we treat your Internet and your application sitting at the center, and you put 10 layers of firewall, all right, different brand, different make, OK, different model, OK, are you safe? The answer is no. The reason why: because your application is running on, let's say, listening on 443, OK, SSL, OK, HTTPS. It's supposed to be very safe and encrypted, right, the whole tunnel? It is not true. Even if you've got 10 layers of firewall in between, all the firewalls need to permit TCP 443 to punch through. That means if I'm an outsider, I'm a pentester, I'm a hacker from outside, I don't even need to bother with a firewall. OK, I can touch and reach your application directly because all your firewalls need to permit it to go through.
Now some will argue, saying that, but my firewall is a UTM box, is a big share, I can detect all signatures. Yes, that's great, that's fine. But the tactic is that when I try to exploit your application, I'm not trying to exploit the OS using a well-known signature, but I'm exploiting a bug. So as for the bug, there's basically no signature. It's a day zero, OK. It's a zero-day kind of attack. So the ten layers of firewall you have are not going to make any difference to you, all right. So there must be something more complex, something more comprehensive that we look into in more detail. And that's what we call offensive security. That means looking from the hacker's or pentester's angle to know how they come in, what are they trying to achieve, all right, in what way, what avenue, what that antenna, they're coming in. OK, then I would know what am I defending. Because without knowing how they come in, I'm just blindfolded. It's called blindfolded security, you ask personally. But we are not going to do that. We have to know our enemy, how they come in, right?

So let's take a look at this. I believe a lot of you have heard about this thing called the MITRE ATT&CK framework. All right. So if you talk to any security vendor, this is the common security language; everybody will talk about that. Why? The ATT&CK framework is an open source organization. They have done very great work to consolidate all the observed tactics and techniques used by hardcore hackers in the whole world. So don't they observe any that they attended that we use either new or old, they'll consolidate it together in the framework so that we know in what avenue, through what ways do they come in, and how can we defend against that. By the way, MITRE ATT&CK: the ATT&CK means adversarial tactics, techniques and common knowledge. So we can't go blindfolded security. We need to know what are we defending.
And the thing is that there are so many things to defend, right? You talk about ransomware. MITRE today have so-called logged down 56 ransomware globally and 100 / 156 over attack threat group globally, right? There's so much to defend, so we need to be specific. How do we do that? So we go by the MITRE ATT&CK framework, right? So this is how it looks like. OK, as you see down here in my screen, OK, this is a screenshot taken from the actual MITRE ATT&CK framework navigator. This is a common security language of all security vendors. There's a link below, so when you get the deck you're able to go there to navigate. So as of today they have so-called recorded 14 tactics and 500 plus techniques, right. Technique is talking about how and why they come in. The technique is talking about how they come in. So using the navigator you can gauge or measure your readiness against, let's say, IoT attack, enterprise attack, cloud attack.

Yeah, so let's look into the more detailed, double click inside what each of these tactics is talking about by the technique. So initially we have the initial access, execution, persistence, all the way to impact: twelve. But if you're sharp enough you'll find that just now in the earlier slide, OK, we got 14 techniques but now only got twelve. OK, the reason is very simple. The first two are doing the reconnaissance. Like, I do a recon on your domain name to find out who are the administrators, or I do a check on the IP address for me to so-called take a foothold, for me to stop my attack, to play my attack in. So those are things that you cannot defend, because those are public information that a hacker or pentester will get from OSINT. All right, but the rest of the twelve, that is something that we can defend. For example, without going through every single one of them, I would quickly go through, like number one, for initial access, I'm trying to get into the network.
Then once I get in, I will try to run malicious code like malware. After doing that I'm going to do a persistent kind of so-called attack attempt to gain a foothold. I want to have a back door. Even after I leave and come back, I still can, either by command and control or just some way, still come here and exploit. And the next one is to escalate my privilege, because by gaining a foothold, like through a reverse shell, I might not have the admin privilege. I need to escalate my privilege, and that's what I call privilege escalation. Then so on and so forth until the end, which is impact. Impact in the sense that, like ransomware today, we're talking about triple ransomware. OK, what do we mean by that? That means, one, I encrypt data and ask you for ransom; at the same time I exfiltrate your data and sell it away. But if either one of them does not work, I do the third one: I create DDoS within your environment, either to destroy the system or to create a headwat so that you cannot function. There are many reasons why they do so. All right, we're not going to go into the details.

OK, there are two threat groups that I would like to so-called bring to attention because they have already created a very big impact in the past. For example, the first is called Wizard Spider. These are one of the threat groups; some threat groups are called FIN7, some Akira, so on and so forth. All the lot pick the famous topic they heard in the past might have been turned out right. So these two are very good examples. For example, Wizard Spider is a financially motivated criminal group. OK. They target the MNCs and healthcare facilities. Then the next one is Sandworm; they are a Russian threat group, more like coming from a political point of view. OK. So that people are at the Ukraine for example, right. You know the war is going on, that kind of thing. So I'm not going to get into that detail. So I want to keep times the bit on what are they doing, how do they, OK, achieve what they wanted to achieve in the past.
So if you use the MITRE ATT&CK framework, for those who are familiar (if you're not familiar, it's OK), there's one portion where you can select the kind of threat group or the kind of ransomware, and then it'll highlight to you what are the tactics and techniques that they use to infiltrate and achieve what they wanted in your environment. So in the screenshot here, you see that the purple one is Wizard Spider, the blue one is Sandworm. OK. So what do I mean by that? Why is this so important? That means you see in your environment there are so many things to defend. There's no way you can defend against every single tactic, technique, ransomware or threat group at one go. No way. You need to plan and strategize your way. So using this navigator you're able to say that, now, OK, if let's say in my country, a certain country, OK, I'm prone to the Sandworm kind of threat group, I need to know what am I defending. So I need to beef up my defense along that line. This is where I'm coming from: I must come from the offensive security view and get to know how they come in and how to defend. Else I'm just doing blindfolded security, which is not going anywhere, and that's why a lot of customers complain that I have all the layered defense, I still got breached. That is the one main reason, because they never look from the offensive security angle.

OK. So in the Wizard Spider kind of attack, this is the flow. OK. The first one is very obvious: spearphishing by Office document macro. That's a very old trick but still workable today. OK, someone double clicks and the malware is triggered. OK, so it establishes a persistency. If you heard about the term called Emotet, OK, it's an as-a-service. OK, so I should say it's a threat group that offers service to help people to gain access into their target. So these are the ones. After they get the foothold they try to search for the domain controller.
Why do I need to find the domain controller? So that I can get privilege. I can get something you call a golden ticket, because all AD works by Kerberos, right. There's something called the golden ticket. If I'm able to impersonate, or I can gain that, that means I'm the king of the whole AD infrastructure. I can do anything on the whole Microsoft network. That's what the hackers or pentesters are in for whenever we are trying to do a pen test on an AD domain environment. All right, then after that, if let's say I got a foothold, I'm able to escalate my privilege. I download something called the dropper. The dropper can be malware or it can be additional tools for me to add 1 speed and escalate my privilege. So one of the things is, because it's one of the things that worked very well in the past in the Microsoft environment to escalate my privilege, let's say I'm in Windows 7, Windows 10, OK, or 11, I use these tools to escalate my privilege. And the last resort, based on Wizard Spider, the aim is to encrypt data and ask for ransom. OK, it's the Ryuk ransomware in the past. Of course, today we didn't know about how to do we already have a defense against them, but it's a very good case study. That's why I bring it up here, so that we know what is the methodology, how are we going to successfully or effectively defend our environment instead of being blindfolded. All right, if you've got any question, drop the question in the Q&A box; I will answer that in the end. OK, let me click next.

All right, let's take a look at a hacker's methodology. I come from a pen testing background, right, in my past career. So this is the methodology that I use. In fact, this is the most common methodology that any pentester or real hardcore hacker would use. There might be some variation here and there, but more or less it is the same, right?
Remember just now in the beginning I mentioned that some customers thought that if I got 10 layers of firewall, to be a street, to be more accessory, I am beefing up and protecting myself. Let's take a look at this and see whether it is true in this sense. So in this so-called block you see that I have a hacker or pentester from outside. If you can see my cursor, I point, OK, there's a cloud, right, a person there, so that represents an external hacker or pentester. Then on the bottom you see another person there that represents your insider. It can be an administrator, all right, or it can be some malicious user sitting inside your environment with certain privilege, right.

So coming from outside, a hacker or pentester will do this thing, right. Normally we do a port mapping; we scan the ports. So it's very common that you hear people say that the most fundamental is to close up all your ports. So now you've got some ports being exposed, even if it's 443, right. So as I mentioned, even if you've got 10 layers of firewall protecting 443, it is not going to make any difference because I'm going to penetrate through, I'm going to punch through. Your firewall rule has allowed me to punch through, right? And then I have the way to exploit the vulnerability of your application. It can be a bug. It can be the so-called coding, you know; for the developer, security is never in their mindset in a sense, right. Although today we are talking about the so-called left shift, of building and baking security inside the whole CI/CD pipeline. But still we are seeing that this practice is not being enforced diligently. OK, so there's bound to be a loophole. There's bound to be a bug that a pentester or hacker can find and exploit. So the very first thing that I can do is a port mapping to find out: are you listening on port 22, 443, 80 or 445? OK, the 80 ports. Once I found that, OK, there are a couple of things I can do. I can check if there's any vulnerability.
All right, based on the version that I found, let's say I can find that, OK, you're listening, you're running on SMB 1.0, which WannaCry in the past has been using, SMB, Microsoft SMB, OK, protocol version 1.0, to escape and propagate through the whole network. Of course today we are no more using that, so this is a very good example. Then the other thing I can do: you can have a public website, OK, https://www.example.com for example. All right. So I want to check if there's any hidden directory, those commonly known hidden directories. I will do a scan to find, probably you're not announcing it, but I can find it. Let's say you have some admin, WP admin, WordPress admin or so-called directory. That's not being exposed probably, but I know I can find that and go in to check if there's any vulnerability or bug that I can exploit, right. Then the third one is that I will check your application vulnerability. I will discover, OK, based on the version of your application, based on the 443 you're listening on, TLS 1.0, or you're only on 1.1. OK, but the strongest today is 1.3, with perfect forward secrecy, in the way that my private key and public key are not static. They always change per session. So all these add up into the vulnerabilities for an external hacker or pentester to exploit, to discover and to make use of to gain the foothold into the whole environment. So to defend these first three boxes is super important.

Assuming I managed to get into one of your applications and I create a reverse shell, OK, that means I have a command prompt control in your application. OK, I would need to do some things. I need to escalate my privilege, because without escalating my privilege there's basically nothing much I can do. OK, I cannot create, for example, I want to so-called create an EXE file. I will create a shell file, right? For me to do lateral movement, this kind of thing, I need an escalation.
So if you follow my box, in case you don't see my cursor, I'm at the privilege escalation box. OK, so what's next? I'm talking about now targeting a single application, getting access, getting the privilege escalated. It might access. Then there are four things I can do. You look at the file, right? There are 4 orange boxes. I can either do data exfiltration. That means I create a command and control code tunnel elsewhere outside. I can be using things like dnscat. OK, dnscat is something that a lot of people may not be aware of, in the sense that normally in any enterprise environment you have a firewall that allows DNS recursive queries to external. OK, so I allow, say, TCP or UDP port 53, so hackers are able to make use of that to get out, to make a connection to command and control, because the firewall doesn't know. You need to know that, OK, it's TCP 53 or UDP 53. You allow that to happen, and that's where I will be able to successfully create the command and control, right? And then I push the data out, achieving my data exfiltration objective. Next I could be downloading a malware or ransomware to encrypt the data. OK, and then I ask for ransom. That's called double extortion. Or as I mentioned, I can go for the third extortion. That means if you don't pay me, I'm going to create DDoS or DoS within your environment to cause your whole system to come to a halt, OK, to come to the point that you cannot function, right.

OK, now that I have gained access through the port scanning, directory discovery, vulnerability exploit, all the way to privilege escalation, I want to move on, because normally my first foothold is always a DMZ site, a public-facing web service. I need to move on. I need to do pivoting. I need to pivot into your other layer, your trusted layer, because it could be your application, or I can do a double pivot into your database, right? So that's what we call lateral movement, pivoting.
So the whole process will repeat itself once I pivot to another host. OK, I'll do the same thing: port mapping, directory discovery, vulnerability discovery, vulnerability exploit, getting the reverse shell, escalation, so on and so forth. The whole process will repeat and repeat until I jump to the right target that I want. Ultimately it could be your CRM, your database; it could be your MySQL database, MSSQL database. I want to get your data for the sake of asking for ransom, or steal your data for some competitive motive, right.

So, OK, you see at the bottom there's another person pictured down there. As I mentioned, those are the insiders. Most likely they are the administrator or probably another privileged user with some malicious intent. So once I go inside, it's very easy for me to do things like service protocol vulnerability discovery. I want to discover, OK, what are the protocols they're using? Are they using SMB 1.0, SMB 2.0, are you using SSH version 1/2? So on and so forth, that kind of thing. Is your SSL/TLS based on version 1.0, 1.1? And I want to find that out so that I can exploit the vulnerability. So if you follow the arrow flow, once able to exploit the vulnerability I will gain access. Normally it's going by the reverse shell. OK, there are a couple of ways to do that. One, if you heard about the term Metasploit framework, right, those are automated ones with a known signature. A hardcore hacker normally would not use that, because in between you've got IDS/IPS; it's easily able to pick up and notice something's wrong. So most of the time we do so-called obfuscation, or I write code on the fly. I can create a C file, a C program, right on the fly, and then push it down to create a reverse shell back to me, and I move on to the escalation. So the whole flow keeps going round and round until I reach my objective, regardless of whether I am an insider or an external hacker or pentester.
All right, so this is the most common methodology that anybody would use, more or less. There will only be some deviation somewhere, but this is the main methodology.

OK, I saw a question here: to transfer the domain to Cloudflare, is there a way of not changing names of registrar? OK, I'll reserve the question for later, at the end. This question actually is more on the product, more on the Cloudflare product, right. So let me continue my page here first.

OK, now that we know the methodology, when you look at security in the environment based on the MITRE ATT&CK framework I talked about just now and this methodology, they are supposed to work hand in hand. Then you start to ask: is my application A, OK, exploitable by this methodology? OK. If yes, how? And what are the potential sources, insider or external? What are my risk factors? How can I defend against that? So there are a couple of things I'm going to bring you through in the next couple of slides.

Now let's look at this. When you talk about port mapping, it is very simple. OK, you have a public-facing firewall. The firewall is the one that of course will reduce the attack surface area, because a firewall will say that I only allow port 443 and not port 80 to come in, for example, and I do not allow port or TCP 22, which is SSH, to come in. OK, so all the port mapping attempts, you can use a firewall to control that. But what if it is an insider? All right, an insider in the sense that if I gain access to a web application, I want to do a port mapping on my application or on my peer web services, how can I stop that? That's where the microsegmentation concept comes to picture. That means every workload, every instance is isolated based on a whitelisting. That means unless I say you can reach, you're not able to reach your peer, you're not able to reach the other layer or the other subnet. So microsegmentation is something that we cannot emphasize enough.
They here able to talk about that; although it seems to be very fundamental, it is super, super important. If you've got a very strong microsegmentation strategy, you will have already stopped the hacker in about 50% of his attempts, right.

Then the next one, talking about the directory discovery. So normally I'll do things like, I make an API call, I do a scan to test whether, let's say, www.example.com/WP admin or slash some member site, something like that, some known directory. If you have an API Gateway governing my API call, OK, or governing my HTTP GET command, OK, to say that, no, you're coming from this source, I do not allow you to issue this HTTP GET to me, I'll just drop you, then that will successfully or effectively drop the directory discovery attempt. API Gateway is the way to go to safeguard that, right. Of course some customers tell me that I already got my firewall protecting my application. But the problem is the firewall doesn't look at layer 7. The firewall mostly looks at layer three, layer four. It doesn't look at the URL or the URI that you're trying to attempt to access, because to the firewall it is still port 443. Remember, from A to B, from web to your application, it is still based on 443, most of the time HTTPS. So you need something that's able to understand layer 7, which is the API Gateway. Now what about WAF? OK, can WAF drop that? Maybe yes, maybe not, OK, but WAF is not built as the API gateway, in the sense that it might not be able to stop access based on URI. So API Gateway is still the way to go in general.

So the next box is talking about application vulnerability discovery and application vulnerability exploit. Yeah, that's the place where your WAF comes to picture. For example, I'm trying to exploit your database through your apps. OK, that means you have a web portal, it asks for your username and password, if there's a bug or vulnerability in your application that you either safeguard against SQL injection.
OK, regardless of whether you're using MySQL or MSSQL, I can do SQLi, SQL injection, to gain privilege. All right. So to gain access, you know, I do not have the right credential. Well, I can do cross-site scripting to inject a script, so the next person who tries the web portal will sort of trigger my script, all right, and they're able to grant me the access, or I'm able to so-called grab your credential as a punching. So the WAF is super important to guard against the layer 7 attacks, things like buffer overflow. Buffer overflow, of course, for those who are so-called security savvy, you might say that today we are based on so-called 64-bit OS. OK, so I've got the ASLR kind of so-called space randomization. So buffer overflow is not really effective today. Yes, you're right. But it's still workable. There are still some old legacy systems. One based on x86, 32-bit, OK, for example, is able to be exploited, all right. So the WAF is super important to govern against that.

As for the application exploit, in a sense you might be on the platform of a container; it can be a virtual machine or a physical server. So the idea of DevSecOps comes in, very, very important, because remember, in DevSecOps today we're talking about the left shift, we're talking about baking the security mindset into the very front end of the whole CI/CD process. That's where you do your static code check, right, to make sure that there's no exposed credential, there are no so-called bugs in the application that try to send credentials or important information elsewhere.
So that's a portion, that's a practice that is super important to guard against vulnerability exploit of your application.

Next, which is the reverse shell as well as the escalation. That's the part where your IDPS, your NTA, network traffic analyzer, and your EDR, endpoint detection and response, come to picture. Things like, if I really get a so-called malware in successfully, OK, through phishing sites or through spam, your user unknowingly double clicks and I create a process. The process can be, say, paint.exe, Microsoft Paint, or notepad.exe. To the most common user this is something like, there's no harm, this is a notepad, right? I can double click. But you never know that malware is able to do process injection. I'm able to inject another process, change my name to, let's say, other things, and it can evolve, OK, and gain the reverse shell as well as escalate my privilege for the remote user, the remote hacker or pentester, to come in, right, to gain the whole root control or super admin control of your services. So IDPS, NTA, EDR are all there to help safeguard you. So that's what we call the multi-layer defense in depth, OK? It cannot just depend on the firewall alone, right?

OK, then on the bottom you see the internal so-called malicious user. Again, IDPS and NTA come to the picture. IDPS, of course, without explaining too much, you know that it's Intrusion Detection as well as Intrusion Prevention System. Detect, that means I only tell that someone is trying to do something malicious, but won't stop. Prevention, that means I will stop, right. Then NTA is something that is very effective for zero-day monitoring because you monitor your traffic. For example, let me just put a very simple example. Let's say you've got an Exchange Server. OK, normally no one would access the Exchange Server with admin rights in the middle of the night, 2:00 AM, or somehow, somewhere, this fine day someone tries to access, and then it picks up that this is abnormal.
This is something that raises a threat. All right. That something is not correct in the behavior. OK, so some people call this UEBA, OK, but this is part of the NTA, to help to monitor the traffic, the network traffic, for any abnormality from the insider.

All right, moving forward, OK. The phishing attack today, without me explaining too much, you know that everybody is talking about: do not become a victim of a phishing attack, especially through a website or e-mail. Don't click anything. Any organization, I believe, already has some form of internal training to train the internal users not to fall victim to a phishing attack. But the thing is that a user is a user. OK, we find that almost 70% of how organizations have been breached is through social engineering, is through phishing attacks. There's still a way that humans, no matter how we train them, are still vulnerable. So your content filtering is super, super important to guard what e-mail comes in, what website your user is accessing. So content filtering is supposed to stop that attack, and by right if you raise it, let's say someone clicks on a certain thing in a phishing attack, OK, it's supposed to download a malicious file. So your sandboxing is super important to understand, OK, the behavior of the file. Of course there are a lot of arguments, OK, how effective is sandboxing? What kind of sandboxing are you using? Is this the so-called full system emulation or is this application emulation? So on and so forth. That's beyond the topic of today. But sandboxing by itself is super important to detect any malware or ransomware, because ransomware, what's the factor of it? Once I've got ransomware being double clicked, there are a couple of things I would do. Let's say this is a Windows system. I will so-called disable your Windows Update. I'll disable your system security. OK, I will rewrite your auto copy file.
OK, I will disable volume shadow copy so that you cannot back up your data, so on and so forth. And the next time when you reboot I'm still fired up, your data is still being encrypted by me. So I need a sandboxing to understand behavior. No matter how smart, how AI-enabled your malware is, I need a technology, OK, to be able to detect that. And that's for the sandboxing.
Social engineering: that's beyond any technology defense because this is human. OK, you need a lot of education and it has to be continuous. Decide for big organizations like the banking, OK, the government, every quarter you find there's a retraining and retraining and retraining again and again about the social engineering, what not to fall victim to, OK, where not to go, what is your best practice so that we can minimize the chances of being compromised. So education is important, but that's not technical, so-called guardrails.
Command and control: there's many, many things you can do on that. Micro-segmentation is one of them, because you do not want your workload to unnecessarily connect to external, connect to somewhere that is not being allowed. Content filtering as well, OK, what you downloaded, what you sent out. DLP, data leak prevention, OK, what things are going through and through your data. So these three items, micro-segmentation, content filtering, data leak prevention, are effective to guard against that command and control. Likewise in the middle you have a firewall, IDPS and WAFs, so on and so forth. They must have the intelligence to know that if I go to a certain abc.com, for example, and know that this is a well-known malicious site, command and control site, I must be able to stop that. So the choice of the technology, the choice of your solution is super important in all these aspects.
OK, I take a pause. Any question? I don't see any question here. It seems that you guys are very quiet, right? In fact, I'm going ahead of myself, and this is my last slide. Based on here,
I would like to hear from the ground. Let's say in your organization, what do you think works and what doesn't work? And after hearing the concept of the MITRE ATT&CK framework and hacker's methodology, does it give you an overview, an idea how to defend rather than so-called defend blindly?
OK, OK, I see there's a question here. The question is, does Cloudflare conduct training on how to use the MITRE ATT&CK framework? OK, that's a great question. OK, if you remember, at the beginning of the presentation I talked about the MITRE ATT&CK framework, how important it is for you to know what to defend against, right, instead of doing blindfolded security. The thing is that, coming from Cloudflare, we don't provide that kind of services, OK. But we do go to customers saying that, OK, customers who are interested, I can walk you through how to make use of the MITRE ATT&CK framework. OK. How to use that, OK, to gauge or to measure how resilient is your defense against, let's say, WannaCry, against Akira, right. Against let's say sample, right. I can go through that with you. OK. But officially we don't offer that kind of training or service. We don't, but I can go through that with you. Yeah, no issue.
Let me see the other question. OK. OK. Someone asked in which area does Cloudflare play in the defense in depth strategy. That is a very good question. OK. Yes. Because after talking about this thing, OK, so yeah, naturally you ask, so is Cloudflare doing the sandboxing? Is Cloudflare doing IDPS, NTA, EDR, so on and so forth? I will reserve that answer until the next session, session two, OK, which is two weeks from now, when we will be talking about the defense in depth, where we go through our Cloudflare architecture, our social architecture. In what area do we come into this hacker's methodology or the MITRE ATT&CK framework? All right, I will keep it to that session number 2.
Someone asked, will there be a recording of the session? Yes, there will be. If I'm not wrong, it'll be automated. That means once a session is over the whole system will process the recording and send it to you.
Yeah, Christophe, let me answer this question. So for the recording, yeah, the recording will be available, or if you join late, or you vote, if you want to review the recorded session, that's a lot of information to digest. You can access the same webinar using the same link, I think like half an hour after the live session, you can see the review, it's on demand. So the recording will be available within half an hour after the live session.
Yeah. Any other question from the ground? Let me see. Oh, OK, so. I will answer the question about the transfer of the domain to Cloudflare. Oh, yeah, yeah, yeah, yeah. OK. OK. The question is something outside of the scope of this session, but let me briefly bring that up again. So that's where's the question: Is there a way of not changing name server at the registrar? If we have authorized authorization code, Microsoft doesn't offer any string to change updating server for domain purchase from there itself from one OS.
OK, there are a couple of ways to do that. One way is to CNAME. OK, that means you can CNAME a domain to us. So once you CNAME, OK, we're able to resolve the area code. OK, the whole, OK, I'm jumping ahead of myself on our solution. It's supposed to be the next session, but just to give you a little bit of a highlight. So the question is about, like, how can Cloudflare help me to defend my application if, let's say, a hacker comes in and attacks my domain name. OK, so the very important, for the matter, thing is that the traffic must come to Cloudflare, because Cloudflare is an engine, is a whole global cloud that defends against layer three, layer four and layer seven attacks. OK, so CNAME is one way to direct traffic to us so that we can mitigate the attack.
Of course the best is that you can make Cloudflare the authoritative name server, or the other thing is that I can do a zone transfer, but that is not ready and effectively to do that. I can walk you through in detail offline, you can just drop me an e-mail or you can approach any of our SEs to deep dive into that, right. Hopefully that answers your question.
OK. I see the other question. OK. The other question is, can Cloudflare help us to defend against ransomware? That is spot on. That's exactly what we are doing here for our customers, 1002 thousand customers worldwide, OK, with only seven DLP, CASB, protecting your cloud services, so on and so forth, we can effectively help to guard against ransomware. I will keep you in suspense. I'll keep that until the next session, when we talk about the defense in depth, as well as session number 4, where we deep dive into ransomware. All right, we'll give a very full picture, a very deep picture of how complex a ransomware functions, how you propagate, how you get a foothold into your organization and how can it achieve its so-called objective, right? So yeah, I'll keep that until the next session and the 4th session when we deep dive into ransomware, because I don't want to jump ahead of myself.
Yeah, I think it's time. Time is almost over and we probably only have time for one more last question, if there's any new question coming. But while we're waiting for the last question, I want to just announce that we're going to have this series of webinars every two weeks, and today is the first session. And so there are a lot more topics to be covered in the future sessions. I really encourage you to join us for the future sessions if there are any topics of interest. And so over to Christophe, if no more questions, probably you can wrap up today's session. Thank you.
Sure. OK.
So I would like to wrap up this by summarizing the topics that we're touching on in the rest of the seven more sessions to go, in total 8. So as I mentioned, the next session will be defense in depth, where we really go through the whole Cloudflare methodology to help you to guard against those attacks. That's just how you saw, OK, the way they detected dating. All right. Then of course the ransomware, which is one of the questions that someone asked; there will be a session number 4 where we deep dive. So you can jump into any of these sessions, OK. But preferably you go through every single session, because every session builds upon the one before that, so that you have a fuller picture of how it works all together, not just about cloud resolution, but also having a so-called eye view on the market to global track how they work, and that will help you to effectively plan your strategy to guard against all those attacks, right. So yeah, hopefully today's session is beneficial to you and we look forward to seeing you in the next session. Thank you so much.
Yeah. Sorry, there's one more question from Jeffrey. Maybe you can answer the other one and then we can close off. So to answer the question from John X, we won't share the slides, but you can still review the on-demand recording of this webinar using the same link after this live session. So, Christophe, there's one more live. This is one last question from Jefferson. So can you answer that?
OK, hello. I'm currently using Cloudflare for the WAF and the rate limiter. WAF is very effective. The way to ask an e-mail and there's a positive detection based on the WAF rule. Yeah, you can always configure the notification. If you go to your dashboard, right on the left, so-called, as you say, the pedal, on the bottom is something called the notification. You can always choose the kind of notification you want, either by e-mail or, yeah, by web, the kind of thing, you can do that, yeah. OK, since that's. Great. Yep.
Since there's a big couple of people who are interested in how our situation works, probably outside of this session. All right, beside this subscribe, you can push us directly or any of the SEs. OK, then we can give you a deeper so-called walkthrough of how it can be done. All right, Eric. Thank you.
Thank you. Thank you, Christophe. And please reach out to us, and also we will have seven other sessions in the next few weeks and we're looking forward to having you in our next session in two weeks. Thank you. Bye, bye.
Thank you so much. Take care. Bye, bye.