Local Threat Intel - You're Soaking In It!
We chatted with ReversingLabs’ very own Hrvoje Samardžić and Independent Malware Hunter Luigi De Mori/JAMESWT (@JAMESWT_MHT) about what kinds of internal threat intelligence are the most useful, where to find it, and how to leverage this data to improve your organization’s defenses.
EPISODE TRANSCRIPT
PAUL ROBERTS
This is ReversingLabs' new podcast, and every couple of weeks, we're coming to you with discussions with some of the leading threat intelligence analysts, threat researchers, reverse malware engineers, and folks who are really close to the ground in understanding new malware and helping companies defend themselves from it. And this episode is a great example of that. We got some amazing talent on the line. Just a couple of things on the format. Basically, this is just an open discussion and we do take questions from the audience. So we're using Zoom webinars. There's a Q&A feature, and please feel free to use it because we're going to be leaving time at the end of our session today to ask and answer questions from you. The other thing is we're going to be conducting a short poll at the end of our episode and folks who respond correctly to our poll questions will get a very exclusive ConversingLabs T-shirt sent to them with a cool ConversingLabs logo. Which you can kind of see. Unlike the - sorry wrong way - see on the side of my screen and be the first one in your group of friends to have one. So hang out for the poll at the end and I'll get you a T-shirt. So, without further ado, I'm going to introduce our guests and actually get them to tell you a little bit about themselves before we launch into our conversation on internal threat intel. So to begin with, I'm going to start with my friend and colleague, Hrvoje. Introduce yourself to the audience. I don't think they've heard from you yet.
HRVOJE SAMARDŽIĆ
Thank you, Paul. So my name is Hrvoje Samardžić. I've been with ReversingLabs for the last almost five years now. So time flies by when you're having fun. But prior to that, my IT security journey started with financial industry almost a decade ago. So I started auditing IT systems. I was looking for flaws throughout the bank system. I was doing data mining on various kind of logs. So I would say that's when I fell in with the job with the industry because I was using my, I would say, data mining skills to hunt for anomalies, I would say bad guys in our system. So that kind of fun and that kind of adrenaline, it's hard to match. So that's basically my story now with ReversingLabs I'm using all of that experience and knowledge to create best possible threat intel solutions based on data we have. Yeah. And I would say that during that time, my path crossed this fabulous person who is going to introduce himself next. So he is one of the, I would say, best threat hunters in the world. I'm making a small intro and I would say his path is not that different from mine because he's also the master of his environment. Because you probably didn't know that about JamesWT. He's an exceptional cis-admin as well. But to now go in more details. James. Or should I say Luigi? Please introduce yourself. Thanks.
JAMESWT
Yes, I am an IT manager and my company is part of a hotel, hospital and school. I manage all inside my company from domain controller, PC client, internet contract and firewall and all things that concern about informatics, servers, etc.
PAUL ROBERTS
Jack of all trades. That is the Idiomatic expression, yes. So the first question for you all. So the topic today is internal threat intel - you're soaking in it. Which if you're not from the United States and didn't grow up in the 80s like I did, is from a commercial for Palm Olive dishwashing liquid. But I'll forgive you if you don't get the reference. But we're really talking about mining the threat intelligence in your own environment to kind of improve your cyber defenses. For Luigi and Hrvoje maybe can take the first stab at this. When we're talking about threat intelligence, what are we referring to and what kind of distinguishes high quality threat intelligence from less high quality or low quality threat intelligence?
HRVOJE SAMARDŽIĆ
Yeah, let's first start with trying to define what threat intel is. In read, in preparation for this session, I've read a couple of definitions, but I would sum it up as information that can help you defend yourself. So that's the bottom line because some of the I would say definitions are focused on existing or emerging menaces or hazards. So I would say this threat intel is bit wider to me. It also consists of information on your data, on your system, on your user behaviors because all of that information is helping you defend yourself. It's also part of this threat posture that's in your environment and to defend properly, you need to know both. You need to know yourself and need to know your opponent. So when it comes to high quality... the topic, the subject of today's session is internal or local threat intelligence. I would say that's almost the definition of high quality threat intelligence. I'm not saying that external one cannot be high quality, I'm just saying that the internal one is definitely providing the best value because it got the right, I would say scope because it's all about you. It's timely as possible because it's happening real time in your system and it's definitely relevant. So it's providing the best value you can get from threat intel. It tells you who's attacking you and how that kind of information. Even with the best external threat intelligence, there's some effort to filter out the right scope, the right threats you are seeing in your environment. I would say the threat intel that's tailored to your, I would say I don't know, servers or SSUs and so on. So I would say high quality comes down to this kind of information.
PAUL ROBERTS
Luigi, you said that you work as an IT administrator on behalf of hospitals and other types of enterprises. Do you use both external and internal threat intelligence in your work? How do you use threat intelligence? Just in your day-to-day work as an IT administrator?
JAMESWT
Well, threat intelligence is not easy for me to understand and explain because there is some factor, internal factor is understand the user of my company, understand what they use, if they use webmail, if they use not-corporate software, and if they use WhatsApp or other application. And the other factor is understand what happened in the world, the cyber trade, for example, Italy is under the attack with ransomware, or other cyber attack. Then you must understand.
PAUL ROBERTS
That changes things for you. If the larger context, threat context is you're in Italy, you're working for companies that are operating in Italy, and in that environment, there are a lot of ransomware attacks going on that changes the context, I guess.
JAMESWT
Yes. But for example, I can learn so much from email what malware is received from spam, and I can change some rules inside Firewall after I check spamming emails. For example, for Urban block, I check the attachment, I check what attachment do. For example, today arrived on TNT fake mail with one Excel document attachment and campaign was pulled today, but the domain was malicious. And I check my Firewall is my antivirus block it. If not block it, I manually insert the blacklist. This is one task related to the threat intelligence. Or for example, if I found as I tweet about a fake installer of Windows, I check all the IOCs, block all IOCs.
PAUL ROBERTS
IOC = Indicators of Compromise.
JAMESWT
Fake domain, fake website about malware contact.
PAUL ROBERTS
So, I think one question and I'm sure all the people who are on this and listening have is you're talking about internal threat intelligence, where can they find it in their organization? Is this information that they might already be collecting but maybe not using as well, or mining for intelligence? Luigi, I think this is probably a question for you first. Where can they find this information? I think you've given us an idea already in your answers, but just go ahead.
JAMESWT
Well, in my case, I found it in spam, because I manage anti-spam and I check all attachments, other search, for example, Abuse, Chakra, Bazaar and some public.
PAUL ROBERTS
So these are like public sites where you can check these against.
JAMESWT
People should understand and check what the user inside of the company do with the client. Yeah, I think that, for example, in my case, I have Firewall with software that check all website visited, and I have some alert about fake website or malicious website.
PAUL ROBERTS
Yes.
HRVOJE SAMARDŽIĆ
I have a question for Luigi. Luigi, when you analyze your spam emails attachments, what kind of tools do you use for that? Do you have some internal sandboxes or you refer to, I don't know, Bazaar or any one, some other tools to extract those IOCs?
JAMESWT
I use a lot of sandbox and free services, as you have mentioned, for Excel document or Office document. In general, I use for payload, I use to enter the apps, and of course I use ReversingLabs sandbox. It's very useful to upload the sample to Bazar, from Abuse.ch. And because inside there is a lot of sandbox that analyze the sample the sandbox creates, there is a lot of them. It's more easy, a free sandbox that check every single sample in manual mode because I have no time to do my work and my patience that is related to my Twitter account.
PAUL ROBERTS
Yeah, so, I mean, that brings up a good question and I'm sure folks would say, which is, listen, I've got however many users, 1000 users, 5000 users in my environment, I'm getting millions of emails a day, tens of thousands of attachments. How do you scale that type of analysis, sandboxing and analysis of attachments in a way that doesn't completely make it impossible to do anything else that you need to do. So how do you scale this I guess is the question, given that most of those attachments are just going to be identified as known malware and a certain small percentage of them are not. But how do you scale that? Luigi?
JAMESWT
In my case, I have anti-spam from Libraswa, that is Italian company, and I have some custom rule engaged. If an archived attachment is blocked by default, if the table attachment is blocked by default, if I have some office document, if the document inside macro is blocked by default, and then I take all block attachments and I check it manually, every single file. Fortunately, I received a lot of spam, but only five or ten mail with malicious attachment. That is easy for me and my job.
PAUL ROBERTS
So we talk a lot about how most attacks of sophisticated attacks these days start with phishing emails and malicious attachments or malicious links and emails. Is that the most valuable kind of threat intelligence, just that those attachments and that email traffic? Or are there other sources and systems that you should be paying attention to as a network defender, as a cis-admin, besides just the spam traffic and the email traffic.
JAMESWT
As I speak about before, the other important thing is understand what happened around you. And if there is a remote desktop attack, you must learn about it and understand what you can do to defend your company. For example, open remote desktop for domain controller is a bullet because you must protect it with IPU whitelist and true with some blacklist. Then another task is that all user inside the company that use PC client, not must be admin, but regular user. And you must block one installation of apps or software from the user. There are a lot of tasks that you can engage related to intelligence. Threat intelligence, my opinion is understand what is a cyber threat and engage a lot of action to protect from inside threat and outside threat.
PAUL ROBERTS
Hrvoje, Luigi brings up a really good point, which is you need to understand what's going on within your environment and even just what platforms people are using. So for example, if people are using WhatsApp or Telegram, those can be avenues for attack. And if you're not aware that they're being used, you're not going to be monitoring them. But how do you or Slack is a more common example as well. Right. How do you go from knowing that people are using WhatsApp within my environment to actually monitoring it and collecting and sort of managing it from a security standpoint and collecting potentially threat intelligence from it?
HRVOJE SAMARDŽIĆ
That's a question for me, right?
PAUL ROBERTS
Yes, unless you want to punt it to Luigi.
HRVOJE SAMARDŽIĆ
I'll cover it, no worries. But I'm also interested what Luigi has to say on that. What we've been discussing is paramount to know what your users need, how do they behave. For instance, one thing that's very cool about Luigi, he's been telling me about, he's restricting the usage of certain resources in his environment only on working hours. So there are many different ways how you can limit the attack surface to your attackers so they don't have the opportunity to use those tools that are, let's say, potential attack vector. For instance, you can limit those hours or like your users, if these tools are being misused, they will get a notification they are being used so they can also see something fishy is going on. There's also a blacklist or whitelist opportunity. You can decrease the level of access rights for each user. So it's basically tailoring your defenses based on your customer needs. So whatever happens outside of that restricted access, it's a red alarm. So it's creating an environment. When an attacker tries to do something, they're like a bull in a china shop, they will just kick every single booby trap. I will call it booby trap because whatever they do that's out of this standard, it will create some kind of an alert. So knowing your environment and knowing... so we haven't talked about a lot about this external threat intelligence, it's about the information on what the usual TPP's tactics of your adversary are. So by knowing what they will usually do, you can prepare to better detect those kinds of behaviors. More and more, they're trying to lay low and to be, as much as possible resembling your users. So they're trying to blend in, to be your user, to mimic them. But by knowing that you can change something so they will stand out of the crowd, that's very important to know.
PAUL ROBERTS
Yeah, Luigi, we hear a lot today about attackers, like living they say living off the land, right? So using common administrative tools, PowerShell and stuff like that, to facilitate their activity, lateral movement and so on, how do you handle that as an IT administrator? Because there's a lot of that activity going on all the time. Most of it is not malicious. So how do you monitor those really common administrative tools and look for behavior that may be suspicious or malicious?
JAMESWT
Can you explain that, please?
PAUL ROBERTS
Yeah, sorry, that was a long way to word it. So attackers use common administrative tools like PowerShell a lot, right. How do you use local threat intelligence to help identify when they may be using that type of traffic that may be malicious?
JAMESWT
Well, I have some records from Firewall that show me if I am under attack or there is some nasty traffic. And, I have engaged for example, intrusion prevention system, gateway antivirus, botnet blacklist. But in my case, I have prevention approach. I close all service that I don't need. I filtering service from outside connection. And as I said before, I use a lot of widely blacklist...
PAUL ROBERTS
You mentioned like spotting unusual platforms like WhatsApp or Discord or things that employees may be using. Once you know that those are in use, how do you monitor those? Is it just about limiting use of those within your environment or is there a way to actually monitor them and see if they're being used maliciously?
JAMESWT
I limit the user in this case. With Firewalls, I can block apps so I can block the desk, I can block WhatsApp and if the user need to use WhatsApp or other application that is not related to the work. I have WiFi connection that is not connected with the domain controller and I tell the user to use on smartphone or own notebooks that are not business device to do all.
PAUL ROBERTS
So can you give us an example, Luigi, of how you were able to use local threat intelligence or internal threat intelligence to actually identify an attack? Can you give us like an example or a war story from either the recent past or whatever about how you were able to go from... Go ahead.
JAMESWT
A lot of years ago when I started to work with my actual company, I realized that some firewall was under attack. I identified the IP was of a university, and then with this information and these are malicious tasks that I log. I decide to block all connection to my firewall from only true IP and not as it was before that everyone could be connected to the firewall login. This is one example. Another example, and when I was hit by a ransomware seven years ago, I started to learn more about it and I started to learn how to protect from ransomware. And I engage some tasks, change anti-spam, change anti-virus solution, and change how I back up all my data company and all my virtual machines. I understand how ransomware hit my company. Seven years ago, ransomware was from a recent domain when user visited or from spamming email. Today, ransomware is an attacker from a remote desktop, most of the case. Then you must understand it and take the right decision to protect it.
PAUL ROBERTS
Hrvoje, I know obviously ReversingLabs works with organizations around threat identification a lot. What are you seeing out there just with the customers you're working at and how they're leveraging both internal and external threat intelligence and kind of maybe like how do you is there a way to combine those two sources to improve internal threat detection, threat hunting? What's the mix of internal versus external and how are companies leveraging that right now?
HRVOJE SAMARDŽIĆ
Yeah, I would say that the local, internal threat intelligence is the cornerstone of the threat intel programs. And that is definitely how anyone should start because that involves creating processes around your environment, collecting logs, inspecting those, learning about yourself. And with some maturity, then I would say external threat intel feeds come into play, but I would say that is sometimes just a checkbox, meaning that this external threat intel is not always, I would say verified. Does it really make a difference to the consumer environment or not? Because it always has to be a specific focus, specific scope to get the best value out of it. So what people will tend to do is buy several. So with having a couple of them, they are, I would say, certain they will get what they need. So that is how it usually plays out. It's not, I would say, bad way of doing it, I'm just saying it's maybe not the best cost-effective way of doing it, but other than that, there are very different levels of maturity between companies and investments being made in the field. So depending on that, you have people. When it comes to external threat intelligence, I would say open source threat intelligence is the main source of external threat intelligence with I would say more mature companies having different vendors, providing different types of threat intelligence. Because there's not only this tactical level with lots of IPs, domains, emails or whatever technical level of indicators, but there's also a higher level of intelligence that big companies need to make database decisions on where to invest. Because with all the global situation and attacks like evolving, being more sophisticated, it's really posing a great threat to any enterprise. There are big investments being made and they need to be really the battles that they are choosing to be chosen very wisely to get the best value out of threat intel programs.
PAUL ROBERTS
Just a note to our attendees, we are going to be taking questions from the audience. So if you've got questions for Luigi or Hrvoje, use the question and answer feature and Carolynn is here with us and she's going to be taking your questions and she'll pass them on in a couple of minutes. Yeah, go ahead.
HRVOJE SAMARDŽIĆ
I would like to add something I've missed to comment when Luigi was saying he's using malware Bazaar and other tools for basically creating his local threat intel because these files he's getting on his email, they are just a starting point. You need to analyze those files. But I would like to emphasize the importance of sharing those files with the community because what Luigi is doing is very important to the community and I want to stress that multiple times because by uploading his files, his findings, because it's not only files he sees in his environment, it comes from all over the space and beyond. It's providing... His local threat intel is basically the world's threat intel because by using those platforms, he's sharing all of that information worldwide. Everybody knows JamesWT because of this. He's really tireless when it comes to sharing this information.
PAUL ROBERTS
Yeah, Luigi, tell us about that. How did you come from just sort of dealing with the stuff that's going on in your environment to sort of saying want to I kind of engage with the broader threat hunting community and share what I know and obviously get back what they know. And has that helped you in your work?
JAMESWT
Did you ask me how I started?
PAUL ROBERTS
Yeah. When did you get the idea to start going on Twitter and really sharing what you were learning with the broader community?
JAMESWT
I think about eight years ago I started with a malware file where a lot of people ask about it because they were infected. Then I started to open wireless Total account that at the time I was free account with no ability to download sample. Then I became a part of the Malware Team, and I started to open a Twitter account and then I can know other people that give me and insert me inside other malware forum and they gave me Virus Total intelligence account and then start to work with my actual company. And after it was the ransomware, I started to learn myself because at the time I have not found any solution that can protect myself. Then I started to learn myself. I start my Twitter account and my nick is all starting from infection when my company was hit, I start to learn more and start to social, twitter account...
PAUL ROBERTS
Yes. Luigi, you mentioned malware hunter team. They're a very famous group of folks like Luigi who are really deep in this. Are there other sources online that folks can use? I mean, Luigi just said like I got hit and I needed to deal with that and then also learn more about why I got hit. Are there other resources out there online that folks should know about for getting some of this information and kind of improving their awareness, their threat awareness?
HRVOJE SAMARDŽIĆ
You mean like open source threat intel sources?
PAUL ROBERTS
Open source threat intel sources, forums and communities. Obviously individual kind of Twitter handles or groups.
HRVOJE SAMARDŽIĆ
Yeah, I would say Twitter rules these communities. There's a lot of information being shared through Twitter, but I would say it's sometimes hard to follow everything. It's really overwhelming.
PAUL ROBERTS
A lot of noise.
HRVOJE SAMARDŽIĆ
There are a couple of accounts that you will if you start from JamesWT and see a couple of his connections, you can limit yourself to couple of dozens at most tops of accounts that are really sharing the most valuable data. I wouldn't go farther than that because there's just too much noise and a lot of this information, at least the most valuable one gets retweeted and it will definitely be tweeted by some of these accounts. So that's when it comes to Twitter. But like we were discussing about these, I would say platforms like Abuse.ch, their malware bazaar and tracker. There is also a lot of stuff is publicly available on Virus Total. So many of the files you come across in your environment will already be uploaded somewhere like on Bazaar or Virus Total and you get a lot of information already being prepared in those places. So guys, you will usually pull down the data and cross reference in their environment because there is no need to. Like if you're a smaller shop, there's almost no need to invest in your analysis capabilities when a lot of these data is already available. But when the environment scales up, there are more incidents, it gets more complex, and you need to automate on pulling all of that data and actually leveraging that data. Because JamesWT is a great example of how well motivated knowledgeable cis-admin can become a world threat hunter, and his local threat now is, I would say, world threat intel. And I'll thank him again for that. But when the operation scales up, then the automation comes into play. So then when your analysis system needs to build up, there's probably some threat intelligence platforms. You will need to organize all of that data and share across your organization and pull in the data from likes of external TI vendors. Pull the data from also from Twitter, from Malware Bazaar and other places that offer this information for free. So the more complex your environment is, the more complex your threat intel program will get.
PAUL ROBERTS
Okay, that's almost the end of our talk. Carolynn, do we have any questions to put to Hrvoje and Luigi?
CAROLYNN VAN ARSDALE
We do have some questions. Hi everybody. My name is Carolynn van Arsdale. I'm a cyber content creator here at ReversingLabs.
PAUL ROBERTS
Welcome back, Carolynn.
CAROLYNN VAN ARSDALE
Hi, thanks for having me. Excited to be here. So, for our first question, I have a question for James. Do you ever run simulations to test efficiency of existing controls or test detection if for example, you drop some IOC objects to production environment?
JAMESWT
Yes. I test some tests. For example, I tried to hack myself.
PAUL ROBERTS
You tried to hack yourself? Red team your own environment?
JAMESWT
Yeah, from inside and outside. And it was very important to understand what I can change to protect more. Obviously you can't protect 100% all, but I learn from myself how to improve then to check if until the solution board. I have a real PC client where I run malicious sample, ransomware or office document that tried to download the payload from a recent domain. Not every time all go good, but sometimes, for example, anti-virus solution not identify the malicious document, but it's able to block the malicious domain or payload. In other case, I tried to run some ransomware then I was able to restore and some disaster recovery task.
CAROLYNN VAN ARSDALE
Okay, great, thank you. Okay, I'll go ahead. Hrvoje, I have a question for you. With the rise of AI solutions, in your opinion, how far are we from having AI replacing all or most of the work threat intelligence analysts are doing? Is that already happening and is that possible?
HRVOJE SAMARDŽIĆ
Interesting question. I would say that as far as AI goes with Cybersecurity, we are leveraging machine learning in different places. So it's an attempt to find patterns, behaviors that can be pulled out from these huge volumes of data that are generated to better defend. But I would say that even this machine learning models are today modeled with the help of humans. And that's as far as it goes today. And I don't see AI being leveraged or replacing threat analysts or cybersecurity personnel anytime soon. Because even when the true AI joins cyber ranks, I believe they'll be working hand by hand because AI doesn't know what our interests, how do we think, and so on. They will definitely need some help in hand. So we are safe for now at least our jobs.
CAROLYNN VAN ARSDALE
That's good to know. All right, Paul, what are we thinking?
PAUL ROBERTS
We're going to push you a poll question. And this is for the we actually have two poll questions, but only one of them is really a question question. And folks who answered this right are going to get a ConversingLabs T shirt. So here we go. I'm going to launch the question, and the question is what are common sources of internal threat intelligence? And the options are third party software bills of materials, open source repositories, or network central logs, email gateway, endpoint security agents. If you answer this correctly, you will get a ConversingLabs T-shirt and we'll give you another 30 seconds. People googling furiously. 10 seconds left to answer, folks. Okay, I'm going to end the poll. Okay, the correct answer, the credited answer, as they often say, is network sensor logs, email gateway, and point security agents. Those are all sort of some of the things that Luigi and Hrvoje were talking about. I can guess, like open source repositories. In theory, we might give you a T shirt for answering that, but generally for internal threat intelligence, not really talking about open source repositories. Okay, final question just to push to you is more kind of a follow up question, and that is if you'd like to learn more about leveraging internal threat intelligence, please let us know and we will follow up with you with some additional information, resources that might help you in your own endeavors. And with that, I think in terms of just wrapping up, Hrvoje and Luigi, any final recommendations or advice to people who are on the line who maybe like Luigi are in your situation, cis-admin and looking to just get started using local threat intelligence? What should they do? What are some easy things that they can do to make use of this.
HRVOJE SAMARDŽIĆ
Luigi for you?
PAUL ROBERTS
Or Hrvoje, whichever.
JAMESWT
As I said before, check on environment, check if there is some hole, some back door open for back door, I mean, remote desktop, open tool. And check if you have a good anti-spam. Check if you have some group policy inside your company to check what your user do and block what you don't want that user. I think. That is the first step.
PAUL ROBERTS
Hrvoje?
HRVOJE SAMARDŽIĆ
I can add on. I mean, Luigi is the best, I would say proof that knowing your environment is very important. So that's the start of knowing what's not in your baseline, because all of that is your local threat. So whatever stands out, that's the starting point of, I would say, the iteration cycle, because based on all of that information, you either monitor or block. That was what you found, and you do it constantly over and over. So every day, Luigi will take part of his malware samples, pull out the IOCs, block that or tweak his environment so he can better detect their TTPs. So it's a constant process. And you need to write all the time.
JAMESWT
Another thing.
PAUL ROBERTS
Yeah, go ahead.
JAMESWT
About threat intelligence. Understand the malware spam campaign, for example, if you check my sample at the malware box are related to smith. You can understand with the upload date of the sample. That the campaign are Monday, Tuesday, Wednesday for one month, two months. Every time or other campaign are only one time at the Mount, about two years ago, before COVID, there was a malware campaign where I can predict malware campaign because they followed cybercrime, follow a skin when eating, for example, Italy with Uzmif or Gods, where... it's funny, previous to Melissa domain name, for example, last domain was Fast Link or link fast. When you receive one office document with Fast Link, you can try reverse the domain name and maybe you are lucky and you have found another IoC.
PAUL ROBERTS
Yeah, it's really interesting. A lot of what you're talking about is just using the tools that you've already got. It's not like they're new silver bullet magic tools to help you do this. It's kind of using the information and tools you've probably already got firewall, anti spam, et cetera, but just doing it in a lot more active way with a lot quicker response time and also staying on top of active threats and campaigns in a way that not kind of sitting back and just hoping that the tools work. Right. Okay, I think that brings us to the top of the hour. And so I wanted to thank Hrvoje and Luigi and Carolynn again so much for joining us. We'll be back in a couple of weeks with another ConversingLabs episode. We're going to be continuing to explore this amazingly interesting area arena of threat hunting, malware research, malware investigation, and reverse engineering. So we hope you join us. If you've got topics that you'd like us to discuss, please feel free to send us an email, let us know what you're interested in, and we'll try and get it on the agenda. But Luigi, thanks so much for joining us. Hrvoje, thanks so much for being here. We really appreciate it having you both.
