The current state of MITRE ATT&CK.
Rick Howard: Hey, everybody, Rick here. The MITRE ATT&CK Wiki is the only open-source collection dedicated to cataloging known nation-state and some crime hacker tactics, techniques, and procedures, TTPs, across the intrusion kill chain. I've been a fan of it for over a decade now. My old intelligence director, Ryan Olson, introduced me to it when we founded the Palo Alto Network's public-facing intelligence team, Unit 42. It took a while for Ryan to get it through my thick head, the immense potential value of the MITRE intelligence collection to anybody pursuing the intrusion kill-chain prevention strategy. But once I got it, it was like inserting the last piece into a very large puzzle. It was a eureka moment for me. I realized that there really is nothing else like it in the world. The intrusion kill chain prevention strategy realizes that hacker groups like The Shadow Brokers, Fancy Bear, and the Lazarus Group, et cetera, must successfully execute a chain of offensive actions against their victims in order to accomplish their goal. Not one thing, a set of things. Sometimes the InfoSec profession refers to that set of things as offensive attack campaigns. The strategy makes a couple of assumptions. First, the hacker group reuses these campaigns against multiple victims. They don't build it, use it once, throw it away, and then build another one. That would be wasteful, which brings us to the second assumption. Designing, building, and deploying attack campaigns is expensive in terms of the people/process/technology triad. Hacker groups are reluctant to abandon a good one, which is good news for the good guys. Analysts studying attack campaigns can loosely categorize subsets of the campaign into stages of malicious activity like delivery, installation, exploitation, command and control, lateral movement, et cetera. With that categorization, analysts can then design and deploy prevention and detection controls for one or more of the TTPs in that attack stage. When the Fancy Bear hackers run into one of our blocks, they don't throw the entire campaign out (see assumption one). They pivot. They try to find a way around that one block. Even if they are successful, though, you know, they develop some new thing in the exploitation stage, let's say, something that the good guys have never seen before, some new code that we don't have a prevention control for yet, it doesn't guarantee Fancy Bear's success because the good guys have deployed other prevention controls in other stages in the attack sequence. Those controls will defeat the adversary. The more controls you put in place for each stage reduces the probability of a material cyber event to your organization from the hacker campaign. If the key defensive strategy for your InfoSec program is the intrusion kill chain prevention strategy (see my First Principles book for a deeper explanation), you have to be using the MITRE ATT&CK Framework Wiki or something very similar that you either built yourself or you paid for. Over the years, I became one of its biggest unofficial evangelists, as I was out and about speaking at conferences and talking to security professionals of all stripes. When I met with the MITRE people about it, I kept quietly suggesting that they should give me a commission for my support. I'm still waiting to hear back. MITRE, if you're listening, send checks to the Rick Howard Bermuda Islands Retirement Fund. But that doesn't mean that I haven't been frustrated with it, too. Although it has had a large impact on the InfoSec professional community already and the MITRE people behind it have made huge improvements to it in a very short amount of time, the idea of it has so much more unrealized potential. So here we are in 2024, over 10 years since MITRE released version one. I thought it was time to put a stake in the ground and assess what the current state of the MITRE ATT&CK Framework is today. So hold onto your butts.
Samuel L. Jackson: So hold on to your butts -- butts --
Rick Howard: This is going to be fun.
Samuel L. Jackson: Butts -- butts -- butts -- [ Music ]
Rick Howard: My name is Rick Howard, and I'm broadcasting from N2K Cyber's Secret Sanctum Sanctorum Studios located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good old US of A, and you're listening to "CSO Perspectives," my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis. [ Music ] It all began with the Lockheed Martin paper published in 2010. It caused a shift in the collective cyber professionals' thinking away from defending against generic, offensive tools like viruses, malware, and exploit code, with no relation to what the adversary was trying to accomplish, towards specifically defeating the adversary's overall goal. Before the paper, most of us were using a defense-in-depth strategy designed to block the hacker's generic offensive malicious software. By generic, I mean that we didn't associate the weapon with any adversary plan. We were just looking to detect and prevent bad things on the network. To counter the deployment, network defenders would stack one or more blocking tools between the boundary of our digital environments and our crown jewels, like firewalls, intrusion prevention systems, and antivirus software. The idea was that if the first tool failed to prevent the deployment of the offensive weapon, then the second prevention tool in the stack would catch it. If that one failed, then the third one would be successful. That's what defense in-depth means, multiple ways to prevent bad things from happening. The number of defensive tools you had in the security stack depended on your internal budget. The kill chain paper's great insight was that all cyber adversaries, regardless of their motivation, have to complete a set of tasks in order to accomplish their goal, and their goal, whatever it is, doesn't really matter in terms of devising a defensive strategy. Whether it's crime, espionage, hacktivism, low-level cyber conflict, or just mischief making for the fun of it, every hacking crew has to follow this general model. Instead of cybersecurity professionals trying and mostly failing to block all of the generic hacking weapons in existence with the defense-in-depth strategy, we would instead design prevention controls for known adversary campaigns and install them at every stage of the attack chain. The brilliance of this model is that the hacker team has to be 100% successful in avoiding all of those prevention controls in order to accomplish their goal. They can't make one mistake. The defenders, on the other hand, only have to be successful once somewhere along the attack chain. If we are, we can break the attack sequence. We can kill the attack. That's why the paper's title says that it's "Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains." By doing a post-mortem on victim zero and other subsequent victims, cyber intelligence analysts can construct the attack sequence in the aftermath and potentially identify multiple locations along the chain where we can kill the attack. That doesn't help victim zero, but it helps every other potential victim that Fancy Bear has its sights on. That's a magnificent and radical insight. It seems obvious to us now that we're 10 years past the initial paper publication, but back then, it was revolutionary. Just a year later, 2011, the Department of Defense published their paper on the Diamond Model. It provides a structure for how cyber intelligence teams can analyze attack sequences and provide a standard language for intelligence analysts to discuss the same campaigns. In the early days of the idea, we were all doing our own thing. It was exceedingly difficult to communicate what I knew about the Lazarus Group campaign with somebody else because we were all speaking different languages. The result was that the Diamond Model became a supporting guidebook for organizations pursuing the kill chain strategy. And then in 2013, MITRE released the first version of the ATT&CK Framework. The team recognized the overall value of the kill chain strategy direction, but they wanted to convey the actions that individual adversaries make: How one action relates to another; how sequences of actions relate to tactical adversary objectives; and how the actions correlate with data sources, defenses, configurations, and other countermeasures used for the security of a platform and domain. Over time, I started calling these three research efforts the intrusion kill chain trifecta. [ Music ] When we first started doing this podcast back in 2020, the intrusion kill chain prevention strategy was one of the first topics we covered. In 2022, we covered it again. And of course, when we published the First Principles book back in 2023, I dedicated Chapter Four to the idea. In the book and the podcast, I made the case about why these three research efforts should be considered collectively and not separately. They are three significant elements coming together. One is a strategy document, the Lockheed Martin paper. One is an operational construct for defensive action, the MITRE Framework, and one is a methodology for cyber threat intelligence teams, the Diamond Model. You don't choose one model over the other. All of these models work in conjunction with each other. To be clear, though, there wasn't a lot of collaboration between the research groups. The Lockheed Martin people weren't saying, hey, we're doing the strategic piece. DoD, you work on the intelligence piece, and MITRE, you build an intelligence wiki. No, different parts of the InfoSec profession were all thinking along the same lines, working independently, and coming to different conclusions. The situation was similar to the old Buddhist parable, where six blind men examined the same elephant. Each man was convinced that what he experienced was the correct interpretation, when really, it was only a piece of the whole. Frank Duff is the Chief Innovation Officer at a startup called Tidal Cyber. Their mission is to make it practical and affordable for all enterprises to adopt MITRE ATT&CK, and full disclosure here, I advise Tidal Cyber, so take whatever I say here with a grain of salt. Before Tidal Cyber, though, Frank spent 20 years working for MITRE and the last 10 years supporting the ATT&CK project. Here's Frank.
Frank Duff: It was serendipitous, I guess, is a way of looking at it, right, coincidental that a lot of these things happened. Like any good standard, right, you had everybody doing their own standard, I guess, at the time, right? They were all kind of pushing the same philosophies. And then --
Rick Howard: Yeah. Smart people thinking the same kind of things and how would they make that happen is kind of how I see it, yeah.
Frank Duff: Exactly, exactly, and I think that there -- right, that there was this common need, right? And the community is a close-knit community. So I think that a lot of people recognize this common need to create taxonomy, but I think there is always the challenge in moving from one to the other, right? Like your application of the Diamond Model is looking at a very specific how thready is the threat kind of concept, right? And yes, you're trying to describe it, but it's trying to solve a slightly different problem. Or the kill chain was a great way of making it so that people could realize kind of the steps that an adversary would have to take. But then with ATT&CK, it's like, all right, well, those steps don't always happen linearly. I don't think that it's a you-pick-one kind of thing, which I know that you're a strong believer in, right? It's, I think, those things continue to excel at what they were developed to do.
Rick Howard: Sure, yeah.
Frank Duff: And they're all great pieces of making it so that you can communicate, making it so that you can prioritize and the like.
Rick Howard: Amy Robertson has been working at MITRE for the past six years as a cyber threat intelligence engineer and the last four years as the ATT&CK Engagement Lead. She concurs with Frank. She says you take the output of the ATT&CK Wiki as inputs to the Diamond Model, and the outputs of the Diamond Model support the kill chain strategy.
Amy Robertson: I would view them more as complementary. So I do think that they have different purposes, essentially. So, you know, ATT&CK documents have more detailed adversary behaviors, while, for example, the Diamond Model is more helpful if you're trying to get a better understanding of how to cluster intrusions, potentially how to use it for attribution. But, you know, ATT&CK map techniques are going to be a useful source of input into the Diamond Model as you're using it to analyze adversary capabilities. So I think those are complementary. I do not think that you have to use them separately. You can use them together. I think that that makes a really good pairing, and then similarly, the kill chain, it's at -- ATT&CK is at a little bit lower of a definition because, again, we're describing adversary behaviors. We're describing how they're doing things, and so instead of that kind of more linear model where ATT&CK is unordered, we're trying to reflect how an adversary is moving realistically across a network. [ Music ]
Rick Howard: The question then is, where do most of us get the threat intelligence that will inform us about known attack sequences? Well, you can develop it yourself by using the Diamond Model and reading thousands of security vendor intelligence blogs about this adversary campaign or that one, like the latest ESET report on the Chinese hacker group Mustang Panda running attack campaigns against the shipping industry in Europe, or the Microsoft report on the North Korean hacker group Moonstone Sleep running attack campaigns against software development firms for the purpose of cybercrime and cyber espionage. But doing it yourself is hard, expensive, and is likely not part of the core business model for whatever organization you work for. Unless you're a Fortune 500 company, the NSA, or the FBI, in terms of available resources, establishing an intrusion kill chain strategy for your organization will likely not make it past your next budget planning round. Or you can buy the information from commercial cyber intelligence firms, but that just makes the process slightly less hard, and there's likely a lot of back-end work from your internal team to turn the inbound commercial intelligence into something actionable. More importantly, it's still expensive. Or you could join an information-sharing group like an ISAC or an ISAL, Information Sharing and Analysis Centers or organizations. That would be less expensive but still very hard because you will likely have similar intelligence transformation tasks that you had with the commercial intelligence firm. This is where MITRE ATT&CK comes in. The MITRE ATT&CK Wiki, as I like to call it, is the largest collection of open-source cyber intelligence designed specifically to collect data of known adversary attack campaigns across the kill chain. At least that's how I see it. I'm not sure that the rest of the cyber security profession sees it that way, though. So I'm probably wrong. Even MITRE doesn't like to link ATT&CK too closely to the kill chain strategy.
Amy Robertson: With the kill chain, it was very much a little bit different of like, if you stop the adversary here, then you're going to be able to, you know, kind of remediate in the intrusion, whatever your -- whatever, however people describe what they were trying to do. But definitely, I agree with ATT&CK it's more like a lot of times, you know, you throw -- something is thrown, a challenge or a blocker is thrown in the adversary's pathway. They're going to figure out something else, and so that is what ATT&CK is really trying to do, is trying to reflect how adversaries are moving, how that they can pivot and choose, you know, this is not working for me. I'm going to try a different method for lateral movement. It's like that in-depth profiling of adversary behaviors that are going to help you understand what defensive controls you need to prioritize in order to stop or counter that adversary. And then comparing that to your own, what you have in place just helps you kind of like, I'm nervous about Scattered Spider, and here are the common TTPs that they are using, kind of the common operations flow that they've been using. How can I counter that? What defensive controls do I have in place, and then, where are the gaps?
Rick Howard: The way I see it, though, is that ATT&CK lists all of the scattered spiders' known TTPs. It doesn't anticipate the new thing that Scattered Spider invents, but it does know every TTP that Scattered Spider has used in the past. When a Scattered Spider pivots to a new thing, the results aren't devastating because we have prevention controls for all the other steps in the ATT&CK sequence. [ Music ] We forget that around this timeframe, 2010 to 2013, most of the network defenders in the commercial world were unaware of the intrusion kill chain strategy. That trifecta is the result of three different U.S. governmental organizations, two contractors, Lockheed Martin and MITRE, and the U.S. Department of Defense. And although their respective research work was public, it wasn't like the commercial world was racing to embrace it. CTI, or Cyber Threat Intelligence, wasn't really a thing yet for most in the InfoSec community. That started to change in February of 2013. The commercial cyber intelligence company Mandiant released the now-famous 74-page APT1 Report that told the story of how the Chinese military had been conducting cyber espionage operations against almost 150 different commercial and government organizations around the world. Chinese cyber espionage had begun in the early 2000s, and the US military's secret code name for it was Titan Rain, but prior to the APT1 report, nobody in the commercial world, except for maybe Google in 2010, talked about successful Chinese cyber breaches against their organization for fear that the public knowledge would impact their bottom line. The Mandiant APT1 Report catapulted commercial cyber intelligence from an obscure practice performed by elite organizations to a legitimate commercial business and a best practice for all InfoSec programs. According to Nick Selby writing for Dark Reading back in 2014, one of the most positive impacts of the APT1 report is the undeniable rise in the stature of the threat intelligence industry. Here's Kevin Mandia, the CEO of Mandiant at the time, before Google acquired it, speaking at the RSA conference in San Francisco the next year after the publication of the APT1 Report.
Kevin Mandia: When we released this report in February of 2013, the evidence was in the form of about a 60-something page report, 3,000 different indicators, 141 different victim companies. First, we took our nomenclature at Mandiant of APT1, and we linked it to PLA Unit 61398, a military unit with people in uniform being charged to compromise private-sector entities. We released, also, 3,000 different indicators of compromise, meaning bad domain names, bad IP addresses, and basically, the C2 infrastructure of APT1's backbone where they launched the attacks. Specifically, when we released this report, we absolutely, at Mandiant, only knew the lower bounds of what PLA Unit 61398 had done over the last seven years. We had responded to 141 different victim companies, and every time we tracked these intrusions at these 141 companies, the technical evidence brought us to Shanghai, and the anecdotal non-technical evidence brought us to Shanghai. So let's take a look at some of that. You know, we responded to 2,672 separate intrusions. The IP addresses went back, ultimately, to IPs registered in Shanghai. When we looked at the command and control being used, it was about 97% of the time as well. You've got to remember back in 2012 and to 2014 when it was really getting its feet under it, there wasn't a whole lot of CTI available.
Rick Howard: Most of those in the commercial space didn't even think of CTI as a thing, right? The Department of Defense did, but in the commercial world, we still had not seen the APT1 paper from Mandiant yet, so it hadn't really broken through, right?
Kevin Mandia: That was exactly where I was going, right? The APT1 paper, which I mean, that was really one of those cornerstones --
Rick Howard: Yeah.
Kevin Mandia: -- or, really, turning points in the industry, in my opinion, right? That didn't exist when ATT&CK -- instead, it was just Mandiant publishing like 230-day dwell times and stuff like that, and that was the only data point you had, but there's no understanding of the why to do, so hundred-percent agree. [ Music ]
Rick Howard: Even though ATT&CK has had a huge impact on the cybersecurity profession, most people that I talk to don't really understand what it is. There are many misconceptions about how it operates and the intelligence that it collects, and frustrations felt in the community about its direction and progress. First, as far as I know, MITRE hasn't deployed thousands of sensors themselves across the world's networks to collect that intelligence. What they do have is a loose collection of defense industrial-based companies, DIB companies, think U.S. government contractors, who regularly share threat intelligence with the MITRE Intelligence Team. In that way, the MITRE ATT&CK Wiki is an intelligence product of an ISAO, Information Sharing and Analysis Organization, although MITRE doesn't refer to itself like that. This might be the reason that ATT&CK doesn't track that many cybercrime groups and mostly focuses on nation-states. The DIB company's most pressing concerns deal with nation-state threats, after all. Although I don't see why a ransomware group wouldn't target a Raytheon or a Leidos, both relatively known Beltway Bandit companies. As a side note, the phrase "Beltway Bandit" is an old pejorative meme from the late 1970s for companies that do a significant amount of contract work for the U.S. government. Of course, I use it here with only love and affection, because I used to sell to these guys in the past, and I even work for one. By the way, the MITRE Intelligence Team is relatively small. That's why updates to the wiki and to the configuration of the site are not in real time. They update the wiki three or four times a year, which for me is a big frustration. I would like that to be updated continuously and not every once in a while. I get why, but I don't have to like it. Amy says that the biggest misconception that she runs into is that the ATT&CK Wiki is comprehensive, that it attracts all known adversary activity. [ Music ]
Amy Robertson: Every adversary activity that is conducted is included in ATT&CK, and that is just not the case.
Rick Howard: Nope.
Amy Robertson: It is not the case. It will never be the case. We have a fantastic but relatively small team, and so we do depend on, you know, those contributors giving us their insights. And so something I think, that we have used in the past is, if you see something, contribute something. And so that is definitely a misconception around ATT&CK that I see and hear all the time. So, you know, I'll be talking to some folks about threat intelligence for a certain threat actor, and they say, well, that's not an ATT&CK. How are you saying that that -- that this is happening? And, you know, there's a huge world outside of ATT&CK, and lots of these things are happening outside. And so we would love to include everything, but we are not comprehensive enough to include everything right now.
Rick Howard: I think the biggest misconception that I see is that the security profession still uses hacker names like The Shadow Brokers, when what we are really talking about is the attack campaign that members of the Shadow Brokers team are running against their victims. That may seem like a subtle and useless point, but it has significance over time. First, The Shadow Brokers may run different campaigns against different victims that aren't related to each other. I know I said at the beginning of the show that one of the key insights to the kill chain paper was that hacker groups don't throw out attack campaigns willy-nilly. They might change a component of the attack sequence, but not the entire thing. That's still true, but any hacker group that has had success for a period of time will likely have developed more than one campaign. Using the hacker group's name to refer to one campaign they ran in 2012 and to a completely different campaign they ran in 2020 just causes confusion. My frustration with ATT&CK is that they are just now getting on the campaign bandwagon a decade after it began. According to the MITRE website, a campaign describes any grouping of intrusion activity conducted over a specific period of time with common targets and objectives. As of this writing, though, ATT&CK is only tracking just under 30 campaigns. Since it also tracks about 150 hacking groups, 30 campaigns seem small in comparison. I'm also not sure that their definition captures the requirement. In my mind, it's way more than that. An attack campaign is the collection of all TTPs a hacker group uses across the intrusion kill chain. It should also roughly include the sequence. You know, Fancy Bear used TTPX for delivery, deployed TTPY and Z for lateral movement. [ Music ] And I know this kind of intelligence work is hard, and the MITRE Intelligence Team is small, but it's still frustrating. Still, it isn't like anybody else is doing that much better. Frank's company, Tidal Cyber, a company that's trying to operationalize MITRE ATT&CK, is only tracking 75 campaigns. It feels to me that the InfoSec profession hasn't fully embraced the campaign idea, in my mind, the true power behind the intrusion kill chain strategy. Today, ATT&CK is tracking some 650 TTPs that known hacker groups have used. That's useful. But that collection is also eerily similar to what we were doing back in the defense in-depth days, blocking malicious technical things on the network without really understanding what the adversary was trying to accomplish, without the specific goal of trying to defeat the adversary. Rick Doten is the VP of Information Security at Centene, a Fortune 25 company, and a regular visitor to the CyberWire Hash Table. When he worked for Lockheed Martin back in the day, he was involved in evangelizing the kill chain paper.
Rick Doten: The thing to me about the MITRE ATT&CK Framework is it provides no context. It's all technical. It only provides the measurement of protections and detections of the tooling, not anything about the process to identify and respond to attacks or how to learn about the abilities or intents of the adversaries. [ Music ]
Rick Howard: From where I sit, ATT&CK helps the InfoSec profession be better than we were back in the defense in-depth days, but it hasn't quite reached its full potential. So here we are in 2024, just past the 10-year anniversary of the MITRE ATT&CK Framework, and I asked both Amy and Frank what their big takeaway was after this discussion.
Amy Robertson: I think the future of ATT&CK is that we will continue to evolve with the threat landscape, evolve with the adversaries and technology, and hopefully, continue to provide really actionable intelligence and resources to inform defensive strategies. I think that has always been the goal, and hopefully, that will continue to be the goal as we kind of continue to evolve.
Frank Duff: I look back on ATT&CK and the journey that we had, and it was some of the best times in my life personally. But more than that, I think that the way that it was able to evolve the industry was just incredible, right? It went from this, every vendor selling snake oil, some of them still do sell snake oil, but it led it to be this thing that could be grounded in adversary behaviors, right? It let people stop thinking that the higher I build my wall, meaning AVs, the more secure I am, and instead be like, you know what? Let's take a little bit more defeatist perspective. I mean, there's so many opportunities for you to defeat the adversary before they get to encrypting your data and sending it over, or stealing your data, right? There's so many chances, and realizing that there's so many chances, and that it's not just build a super-high wall and hope they don't get over or don't get under, right? It was an incredible thing, and I look back on the 10 years and realize where it came, right? From, I think, the first publicly released version was maybe around 75 techniques, and now it's up to 623 techniques and sub-techniques, and frankly, they're not done yet, right? There's a lot of variation in those techniques that needs to continue to be expanded out, but now the whole industry is communicating on the standard, and I think that that is just so great.
Rick Howard: For me, despite my frustrations and the common industry misconceptions about it, I think I'm still its biggest fan. I would like it to be bigger (all campaigns, not just nation state), faster (continuously updated, not every once in a while), and I would like it to fully embrace the campaign concept, but those are all things that can be fixed. In the meantime, I will be here on the sidelines, waiting for my check from MITRE, as its biggest unofficial evangelist. [ Music ] And that's a wrap. I'd like to thank my colleagues, Amy Robertson, one of MITRE's threat intelligence engineers, and ATT&CK'S Engagement Lead, Frank Duff, Tidal Cyber's Chief Innovation Officer, and Rick Doten, Centene's VP of Information Security, for coming on the show and helping me assess the current state of the MITRE ATT&CK Framework. CSO Perspectives is brought to you by N2K CyberWire. Visit thecyberwire.com for additional resources that accompany this episode. I've added some helpful links to the show notes to help you do more of a deep dive if that strikes your fancy. And check out our book, Cybersecurity First Principles, a Reboot of Strategy and Tactics, for another deep dive on a lot of the topics we've covered here. And by the way, we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app, and you can also fill out the survey in the show notes or send an email to csop@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com. Here at N2K, we have a wonderful team of talented people doing insanely great things to make me sound good. I think it's only appropriate that you know who they are.
Liz Stokes: I'm Liz Stokes. I'm N2K CyberWire's Associate Producer.
Tre Hester: I'm Tre Hester, Audio Editor and Sound Engineer.
Elliot Peltzman: I'm Elliot Peltzman, Executive Director of Sound and Vision.
Jennifer Eiben: I'm Jennifer Eibin, Executive Producer.
Brandon Karpf: I'm Brandon Karpf, Executive Editor.
Simone Petrella: I'm Simone Petrella, the President of N2K.
Peter Kilpe: I'm Peter Kilpe, the CEO and Publisher at N2K.
Rick Howard: And I'm Rick Howard. Thanks for your support, everybody.
All: And thanks for listening. [ Music ]
