CSO Perspectives (Pro) 9.13.21
Ep 58 | 9.13.21

Adversary playbooks around the Hash Table.


Rick Howard: Hey, everybody. Rick here. On the last episode, I did a deep dive on one of my cybersecurity pet peeves and personal vanity projects - a concept called adversary playbooks. These playbooks are the result of my first principle idea that after 25 years as a community and an industry incrementally improving our defenses, just what exactly are we trying to accomplish?

Rick Howard: If you've come along with me this far in the podcast series, you are probably sick of me saying that we are trying to reduce the probability of material impact to our organizations due to a cyberattack. But if that is the ultimate objective, perhaps we should refocus our efforts away from only preventing malicious technical tools from working against our digital environments with no context about what the adversary is trying to accomplish and concentrate instead on defeating how our adversaries actually work in cyberspace. In other words, don't just defeat a random tool, defeat the group campaign. 

Rick Howard: Now, I didn't develop this idea by myself. Many people contributed to the evolution of it. But my main partner in this whole endeavor is one of the industry's world-class cyber intelligence minds. And when we started working on it, he just happened to be my intelligence director when I was the Palo Alto Networks chief security officer. His name is Ryan Olson. And I thought it would be a good time to talk to him about what we did and what exactly is the next step in the adversary playbook evolution. 

Rick Howard: My name is Rick Howard. You are listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. 

Rick Howard: Ryan and I have been working together off and on for over 15 years. When I was the intelligence director at iDefense, a commercial cyber intelligence company bought by Verisign, he started as a malicious code reverse engineer. When I landed at Palo Alto Networks many years later, he was the guy I called to run the first public-facing intelligence group for the company. So sit back and enjoy my conversation with Ryan Olson, vice president, threat intelligence, Unit 42, at Palo Alto Networks. 

Rick Howard: Let's see. 

Ryan Olson: OK. 

Rick Howard: So I've told the story about how you and I built Unit 42 back in 2014 many times from my perspective. And I think it would be very interesting to get your take on how it all started. What did you think you were getting into when I called you and said, hey, you should come over and do this thing for me at Palo Alto Networks? What was going through your mind? 

Ryan Olson: The thing that drew me over was the data - because as someone who had been working in threat intelligence for eight years at that point, at Verisign working on iDefense, we were finding all these interesting threats scrounging up a lot of interesting data that was out there in the open. But I always had a desire to get some sort of exclusive access to data about real attacks that are happening live. And that was something that Palo Alto Networks was starting to acquire at that time. And I saw in that an opportunity to go and do some interesting new research, hopefully discover some things and put it in front of more people than the small population we'd had doing private threat intelligence back in the past. 

Rick Howard: That's right 'cause when you and I both were at iDefense, it was all open source. We weren't collecting telemetry from customers. We were ripping apart malware, ripping apart exploits, actually sending people out in the world talking to hackers. But we weren't collecting telemetry anywhere. So Palo Alto Networks, with all its huge customer base, provided an opportunity to get some real-world intelligence to actually see what was going on. I didn't realize that's what compelled you to come over. That's interesting. 

Ryan Olson: I mean, that was big. And that was what I've used to recruit a lot of people in the team since then. When I joined WildFire, which was our malware analysis platform, pulling in all this malware, had, you know, five- or 10,000 customers. Now it's, like, 35,000 customers - but even bigger than that, all these other places where we can gather data - from firewalls, from endpoints, et cetera. It's really compelling for a lot of people to say, how can I learn about what threats are out there in the wild today and from the closest possible source to reality? 

Rick Howard: So when we started Unit 42, it was a thought leadership exercise. You know, we had a lot of people within the company who knew what the bad guys were doing. They were doing threat intelligence. But there was nobody dedicated to telling the people what they saw. So in the beginning, that was at least part of the mission statement. 

Rick Howard: So five years later, like, in 2019, as I was thinking about leaving the company, it made sense that Unit 42 should have a direct input in - onto the product side of the company. And now today, that idea has morphed into Unit 42 being directly responsible for one or maybe even more products at Palo Alto Networks. So tell me if I got all that right from your perspective, and maybe give me some detail about what this new product responsibility is. 

Ryan Olson: Initially, it really was just that. It was - we didn't have anyone in the company thinking about threats sort of from a big-picture perspective. We were going and dealing with them product by product. So Unit 42 had that mission of looking across everything, as well as the - sort of being the public face of what we know for threats. And we did that for years. And we grew into different directions. 

Ryan Olson: But it was right around when you left that we combined sort of the old Unit 42 team with some other intel groups inside the company and had this more expansive role around not just the public-facing mission and sort of interaction with others in the security industry, but also to evaluate all sort of major threats coming in. Do we have good product coverage for them? Is there something else that we need to understand about this threat to improve the product in the future and sort of to cross all of these various functions that the company was now supporting with a single intelligence mission? 

Rick Howard: So we get Unit 42 up and running. And you and I almost immediately start working on this adversary playbook idea. I remember many lunchtime sessions in my office with whiteboard diagrams and arguing and debating. And we finally got it into shape, at least good enough shape to bring the rest of the Unit 42 analysts in on it. And I remember we got some pretty hard pushback from them - a lot of resistance. Do you recall what their big issue was with the idea? 

Ryan Olson: Some people, you know, they felt like the sports metaphor would be lost on an international audience. I remember that was one push 'cause they'd be like, but they don't do that in other countries. I'd be like, OK, I don't do it here, but I understand it. And some people wanted to use more of a generic term like a blueprint or something else like that. But blueprints aren't an active process that you go through. 

Ryan Olson: And then there was also the - and this is still a real challenge - is other teams use playbooks as well. So if you're in a SOC, you've got a playbook for countering a threat. Would it be confusing if you had two different sort of terminologies that use the exact same word? - which has definitely been a real challenge for us to deal with going forward. 

Ryan Olson: But I think it's just - naming stuff is hard. Naming stuff is difficult. I don't think it was conceptually hard for people to understand what we wanted to do. But the name was certainly a challenge.

Rick Howard: So it wasn't - from the Unit 42 analysts, it wasn't that they didn't like the idea - OK - that we should be tracking adversaries across the entire kill chain. It was just that they were very worried about how we portray it and it would get lost in the noise somehow. 

Ryan Olson: Yeah, I don't think - and this is something that is different, I'd say, for intel analysts versus most of the security community. But for us, when we think about, how would you build your defensive posture? - thinking about it as you're defending against adversaries is obvious. Like, you should know who they are. You should know what they're going to try to do. You know what they've done in the past so that you can build the appropriate level of defense against it. 

Ryan Olson: But that is not the case for, I'm going to guess, most security people around the world. Most folks, especially - and remember, in the early days, when you and I were at Palo Alto Networks working on this, we were thinking about it for firewall customers, mostly. So you're talking about people who are trying to defend a network using network equipment and not even people necessarily who are working inside of a SOC. For a lot of them, they just want to know, what do I deploy? What do I - what feature do I implement? What policy do I need to implement that will stop this threat from being successful? And they don't necessarily say, it matters to me whether or not I'm stopping this adversary or that one 'cause it isn't necessarily something that's going to change the way they do their work. 

Rick Howard: Well, and also, you know, intel analysts specifically and security people in general have this - I love them all, OK - but one of the flaws we have as a group is that if it isn't perfect, if the idea isn't absolutely perfect, it's got to be horrible, right? It's going to - it's - so there's no middle ground, all right. So it has to be absolutely the thing we all do or it's just crap and nobody should even talk about it. Do you agree with me on that? 

Ryan Olson: I think a lot of intel analysts are that way, which is one of the reasons that a lot of intel analysts - you know, growing up - and if they've come from a more formal intel training background, they like to use a lot of caveats. They like to use a lot of language to explain how confident they are in something or what the true meaning of their wording is because they know that what they say could be interpreted in a way that could have a big impact. And they want to be cautious about that. 

Ryan Olson: But it bleeds into how they want to communicate everything. So they want to communicate a new concept that they're excited about, and they tone it down by 70%. And they add all these caveats until you're like, well, is - what are you really even talking about here? And I think that can be challenging for communication. 

Rick Howard: So at the same time, while we were figuring all this out, my boss, the Palo Alto Networks CEO, Mark McLaughlin, asked me to build the first ever ISAC for security vendors - asked us to help get that community started. And we eventually called that the Cyber Threat Alliance. And I saw that as an opportunity to spread this adversary playbook idea to the security vendor community. 

Rick Howard: We met resistance there, too. You know, the analysts from the original founders - you know, Check Point, Cisco, Symantec, McAfee - they were not that keen on this - ideas we put forward. But since the boss told me to not let this project fail, I tasked you to build the first Cyber Threat Alliance sharing platform. And if I'm not mistaken, you wrote some of the first code for that. Isn't that right? 

Ryan Olson: I'm not sure if I wrote any code for the original CTA stuff. What I was involved with really heavily was defining how are we going to share and what's important because we knew sharing between multiple vendors, every vendor has their own way of representing information. We wanted to make sure that we used standards and we didn't create a new standard. So one of the early things we did was settle on the STIX standard for actually sharing threat intelligence information, which most of the vendors at that time had never implemented. Or some had tried and didn't like it. But we didn't want to create a new standard. And it was functional for what we needed. 

Ryan Olson: But to the point around sharing adversary intelligence specifically, I think the big pushback that we got there was - and this was true as the members built out as well - is people were not storing and representing their knowledge about an adversary in that way. They weren't thinking, let's keep this all sort of connected in a single data set that could be shared. 

Ryan Olson: You know, they had their data about malware. They had their data about command and control servers. They had notes generally that connected things together between those, but are not in a way that they could easily share. So I think a lot of the pushback was, hey, you're really going to change our process. And it's going to be hard for us to join and contribute, which was part of the goal, was to sort of push people in that direction as well. 

Ryan Olson: Yeah, I don't think we ever convinced everyone, hey, you need to track adversaries and share based around adversaries. It is a pretty big challenge for an organization that is - you know, oftentimes security companies are built off of supporting individual products, and they have their data sort of siloed - not necessarily blocked off, but built to be able to support that product. So altering that in a way that's sort of to make it more holistic, which can be challenging to do in the first place - but I think a place where we couldn't really convince people which may have made a difference is that this would make their products better at the end of the day.

Rick Howard: When I left Palo Alto Networks, you and I published a paper over at the Army Cyber Institute that captured all the ideas and lessons learned that we got from developing the idea over the years. It was kind of a stake in the ground, a - you know, like a milestone, so to speak, something akin to, we've carried the ball this far. To go further, somebody else is going to have to pick up the ball and move it forward. And you guys have done that, right? Unit 42 has looked at the original idea and asked, how can we make this thing more useful? So tell me. What is your new direction here? 

Ryan Olson: As Unit 42 was changing, we are getting closer to products. One of the things that we were looking at was, how can we make threat intelligence as valuable as possible to our customers? And we sort of went back to the beginning and said, what is it that a Palo Alto Networks customer - and we were thinking about different customers, but next-gen firewall customers who were sort of the initial thought process - what is it that they want out of threat intelligence? And in those discussions, we - my mind immediately went back to adversaries because that's what I think about. 

Ryan Olson: And I started thinking about whether or not a guy whose job is to run the firewall, deploy the firewall - if he's thinking about adversaries in the same way. And from a short bit of research and thought, the answer is no, not thinking the same way. He was generally thinking about, what is the fastest way for me to stop this threat? He wanted an easy button. That's what he wants. He wants something that he can say, hey, for APT29, if he were to tell me I need to reconfigure my firewall in this way, I need to turn on these features, modify these settings or make changes to endpoints, whatever they might be, what's that easy button look like? Because he may have read our report on the threat, understood it and said, that's terrifying. I want to stop it. But he also needs to make the case to his management - change management committee and everyone else that we should implement these changes. 

Ryan Olson: Some of them can be big. Your implementation might be, this threat always operates all their traffic. The actor knows people don't decrypt SSL traffic. So you need to decrypt it to have visibility to block it. Implementing something like TLS decryption is not an easy thing. But he wants to know, what's that easy button look like? So we started saying, what if we extended the playbook concept another step further? So we have adversaries. We know they're launching campaigns. Within their campaigns, they use certain techniques. Within those - to execute those techniques, they may leave IOCs behind. 

Ryan Olson: But what if we also connected the technique itself to a course of action that you could take to either prevent that technique from being successful or you detect it retrospectively if it has occurred in your network and use the IOC data for that? What if we sort of continue that out to make something that could eventually - if you had all those courses of action, you could get to sort of an easy button. If you understand this configuration change or this feature implementation will make me secure against the threat as we know it today, you may be able to actually get to the point of automating that reconfiguration as well or scanning your logs to determine if you've seen it. 

Ryan Olson: So we - when we rebranded our version of the playbooks into ATOMs - actionable threat objects and mitigations - the intention of that was to demonstrate that we're talking about mitigation here. That's what we're trying to do. It's about the action that you can take based off this information, rather than about understanding the adversary, which we want people to do. We wanted to convert that into something that they could use. And that's really where we've been directing a lot of our efforts since then, is continuing to map out all of these courses of action as we understand them, as well as just continuing to update which adversaries are using which techniques in their attacks. 

Rick Howard: So the new name from Palo Alto Networks - the next iteration of adversary playbooks are ATOMs. And tell me what the acronym stands for again. 

Ryan Olson: Actionable threat objects and mitigations, and that's definitely a backronym, which... 

Rick Howard: (Laughter). 

Ryan Olson: ...Going back to naming things. 

Rick Howard: I went to the Unit 42 website this morning. And you guys are tracking some 48 or so ATOMs at this point. Is that right? 

Ryan Olson: That sounds right to me. 

Rick Howard: Something like that. And that means that for the Palo Alto Networks product line, I could click the OilRig ATOM, and you would tell me all the things that you could do for the Palo Alto Networks product line to prevent that adversary group across the kill chain. Is that the idea? 

Ryan Olson: Yeah, so the ATOM viewer that's on the website has the same sort of format to the previous playbook viewer. So you walk through the same thing. You can choose an adversary. You can look at their campaigns. And then when you look at a tactic that they employed, that's when you can actually see mitigations across our platform for whatever that tactic is. And really, the - and we haven't done this on the website. 

Ryan Olson: But this is where we see the value of this, especially for our customers in the future, is to flip that over instead. And instead of saying, hey, look at a specific adversary, for a customer to say, hey, these are the adversaries I care about and even help them select those based off of your knowledge - adversaries who attack their industry or their region, which - we can select that down. And then flip the whole pyramid upside down. How do you get the best bang for your buck? Because we know people aren't going to - honestly, the easiest easy button is turn everything off. Lock everything bad. Implement everything. That's really easy. But people can't do that because it doesn't mesh with their internal policy. 

Ryan Olson: So instead, flip it over and say, what are the next five things that you can do to stop the most adversaries? And if you can see connectivity between your top 10 and the techniques that are commonly used, maybe the very top thing is enable SSL decryption because that's going to have the most impact. But then instead of you going to your change committee or your leadership or your board and saying, what we need to do is enable SSL decryption because I know it's bad. I know people - bad guys are using. It's to say, here are the 10 adversaries who are targeting our industry, and this is the impact that they've had. This is what we should do to stop them. Let's go and do that. And it just - it's a different level of evidence that they can use, which I think is - if the value of threat intelligence is helping people make better decisions, part of that has to be - in defense of cyberthreats, part of that has to be how they can use that intel to communicate to the people who can make those changes. 

Rick Howard: That idea was in the paper that we published. A lot of the paper we wrote was about, you know, centering in on adversary groups. But there is this benefit, like you said, that if we track all those bad guys, we're going to be able to find sets of things that are common between many of them. And if you can pick the one or two or 10 that's unanimous across all of them, then that is probably the first thing you should do because you have the widest protection available. Is that what... 

Ryan Olson: Yep. 

Rick Howard: Is that how you describe it? 

Ryan Olson: Exactly, best bang for your buck. 

Rick Howard: I remember that was part of the presentation and the... 

Ryan Olson: It was. 

Rick Howard: ...Best bang for the buck. And... 

Ryan Olson: I had scales. There was the word bang and a picture of a buck - like, a male deer. 

Rick Howard: I will direct everybody to the YouTube video so they can actually see that little bit of creativeness... 

Ryan Olson: Mastery. 

Rick Howard: ...From Ryan. Yeah (laughter). So is it still just manual, Ryan, or are you guys - is the road map for ATOMs to be able to push a button and say, OK, I want to deploy all of these things that we could do on the Palo Alto Networks platform for OilRig? Is that on the road map or maybe even possible today? 

Ryan Olson: It is in a proposed road map, I'll say. I'm not going to say it's in a product road map or anything like that. But as far as... 

Rick Howard: Yeah, yeah, yeah, yeah. 

Ryan Olson: ...The goals for what we want to build, what - we've been organizing all this data. Because what we've made public in the ATOM viewer is just snapshots of the data that we have inside our own systems. So as we build all of that up, though, having that be programmatically accessible - once again, back to automation - to be able to compare to your configuration, to be able to compare to how you've deployed agents and other information, I really do think is the way that we help people improve their security posture using threat intelligence. 

Ryan Olson: Because you can do that on a rolling basis. You can say, like, every week, there's a new attack that occurs out in the wild, and people read a report about it, and they say, hey, these people got breached. Would we have been susceptible to that as well? And if they're reading a traditional threat intel report, there's probably a lot of tactics described in there. There's probably a lot of IOCs listed in there. But unless they've mapped those tactics to their current defenses and can automatically say, are they configured to stop this or not, they really can't answer that question. 

Ryan Olson: So I think that's the end goal of what we build, is to help our customers and other people take this data that we can coalesce and say, am I protected or not? And if so, if not, what do I need to do to change? What do I need to do to make it better as close to the easy button as possible? 

Rick Howard: Well, one of the great benefits of using an orchestration platform like Palo Alto Networks - and there's lots of them out there, you know, your competitors - Check Point, Cisco, Fortinet, you know, pick your orchestration platform. The folks that have chosen that as their security stack, this is soon - this is what's well-suited for having one of those things. If you are developing ATOMs for known adversary groups and you provide the ability to push a button and deploy the prevention controls for that security orchestration platform, man, that makes it so easy. That means I don't have to do that on my end. That's the reason it's such an interesting idea to have a platform that does most of the things for you, as opposed to you doing it individually with a thousand different security tools. 

Ryan Olson: Yeah. And I think a lot of companies get in a position where they have - maybe they have some sort of SOAR platform, but they need to connect that to their threat intel platform. Because if you want to be able to hunt inside your data or you want to be able to actively action those indicators as they're coming in, you've got to be able to have some automation around it. If it's up to a person to read it and put it into a system, things just don't function as well, which is definitely something that our XSOAR platform is built for.

Rick Howard: Well, one of the great insights that you came up with during this development period - in the early days, we were focused on just tracking the groups. But you came up with, it's more important to track the campaigns. Panda Bear might run five or six of them, and none of them are completely different. There are little tweaks to the first one, but they're still unique in that way. So maybe what you and I are coming to is that tracking the group by name, like Evil Corp, doesn't matter as much as naming the campaign that we saw across the intrusion kill chain. It really doesn't matter who the group is at all. Just what are you doing to protect yourselves against what an adversary is doing in the attack sequence?

Ryan Olson: Yeah. From a defense perspective, it's what are you doing to stop an adversary using these techniques? 

Rick Howard: Yeah. 

Ryan Olson: Because the techniques are generally - you should have - you shouldn't have a single control for every single technique. They're more broad than that because there's different implementations. But yeah, I think you're right. Tracking those campaigns are really what's key, that layer below. And even if you don't know who the adversary is... 

Rick Howard: Yeah. 

Ryan Olson: ...Tracking that the campaign occurred is sort of key before you even can go and say, it's this particular Panda. 

Rick Howard: You and I have had that conversation many times. I just don't care that it's from Russia. And most network defenders don't care, either, unless you're a very specific subset of the government. All you're really trying to do is prevent them from being successful, right? So yeah, it's fun to know that it's the Russians or the Chinese or, you know, Joe down the street. But it's not necessary in order to protect your enterprise. 

Ryan Olson: Yeah. For most organizations, it doesn't influence decision-making for them whether it was a country or another country. It's really around, what do they need to do at the end of the day? 

Rick Howard: So we're talking about adversary playbooks. Is there anything we haven't covered, Ryan, that you'd want to spit back out that we haven't really delved into yet? 

Ryan Olson: You asked me, where would I put adversary playbooks on the Gartner hype cycle? And I am very interested where you would put it because I was thinking about this and trying to think about where. But I'm curious where you're at before I give you my answer. 

Rick Howard: It's going down the trough of disillusionment is where it is, right? Once we figured out what to say - it took us a couple of years to even figure that out. But it all was very positive. Everybody was very excited about it. But the actual work to get it done, which is typical of the Gartner hype cycle - it isn't ready for prime time, and there isn't anything out there yet. So it's just started down the trough of disillusionment from my mind. What about you? 

Ryan Olson: I think - for you and me and for a small group of people, I think that's where it lives. 

Rick Howard: Yeah. 

Ryan Olson: But I think there's a lot of the rest of the world where it never went up the hype cycle yet. 

Rick Howard: That's probably true. 

Ryan Olson: We never quite got there. 

Rick Howard: Yeah. 

Ryan Olson: And like, I - when I think about looking at what MITRE's ATT&CK framework has done - we used ATT&CK in the playbooks. It's a very core function of being able to have a common terminology to talk about techniques. I think ATT&CK shot up the hype cycle, and it is now about there. And I think playbooks are sort of - potentially, it's a way of using that as a component to be - it'll actually take action with it. There's lots of different things that use ATT&CK, and I think it's probably in the trough of disillusionment now, although maybe still somewhere along there, some people get value out of it. But it's a lot of work to get there still. 

Ryan Olson: I don't know if we ever made it up the hype cycle. I don't think we ever got the same level of a lot of people excited about using it and trying to implement it. I think we got a core group of people, but we didn't quite get over the hump. 

Rick Howard: Let me take it to the next level then. Should we continue to pursue it? Or is it a dead idea? 

Ryan Olson: I don't think it's a dead idea. What I think we need is to understand the best way to get value from it. We coalesce all this information about adversaries, their tactics, techniques, together into one place. What we need to build a connection to is, how does someone get more secure from that? There's some technology and some process that really needs to exist for someone to get value from it. Because I don't think we were able to bridge that gap. We had a lot of discussions. We had different conversations with technologists around doing this. We talked to so many breach and attack simulation vendors who wanted to use a playbook to be able to replicate an attacker in the network. So that's a way that someone could get value. But as far as that easy button, I think that's where we've got to bridge that connection. 

Rick Howard: Well, we need somebody like Palo Alto Networks to implement it, so I'm waiting for you to do that for me, Ryan, since I can't influence that anymore. 

Ryan Olson: Task accepted. 

Rick Howard: (Laughter) Ryan, out of all the things I miss out of not being part of the Palo Alto Networks - what I truly miss is the arguments that we've had over the years about how to do certain things, right? So I thank you for coming on the show and helping me understand where we are today with adversary playbooks. Any last words? 

Ryan Olson: I will happily argue with you every week, Rick. 

Rick Howard: (Laughter). 

Ryan Olson: Just give me a call. 

Rick Howard: All right, man. 

Ryan Olson: Thanks for having me on. 

Rick Howard: Yeah, thank you, sir. 

Rick Howard: That was my good friend and colleague, Ryan Olson, the vice president of threat intelligence, Unit 42 at Palo Alto Networks and, by the way, just the nicest guy on the planet. Palo Alto Networks is lucky to have him.

Rick Howard: And that's a wrap for this episode on adversary playbooks, and it's also a wrap for Season 6 of "CSO Perspectives." That's right. We put another one in the bucket. As we stumble across the finish line in this latest season, I hope you learned something and maybe expanded your thinking a bit. I know I did. And don't feel bad. We'll be back with Season 7 on 18 October. The CyberWire elves are already hard at work on the new shows deep in the inner sanctum sanctorum underneath Baltimore Harbor, and Season 7 is shaping up to be the best season yet. 

Rick Howard: In the meantime, we have the CyberWire's quarterly analyst call at the end of this month, where we've invited two experienced security practitioners - M. K. Palmore, former FBI, an old buddy of mine and a Google Field CSO, and Dr. Rebecca Wynn, our newest Hash Table member and the global CSO and chief privacy officer at Guidepoint. They're going to give us their views on the most impactful cybersecurity news stories in the past 90 days, and there have been a boatload of them, so you don't want to miss that. You can register at the CyberWire website at thecyberwire - all one word - .com/analystcall - all one word. That's thecyberwire.com/analystcall.

Rick Howard: One more thing. If you have friends who you just know will love the "CSO Perspectives" podcast but are too cheap to pony up the subscription fee for a Pro account, you can tell them that we have just released Season 2 on the ad-supported side. So Season 1 and Season 2 are available for free if you want to listen to commercials. I don't want to listen to commercials. That's why I pay for Netflix. But, you know, it takes all kinds. 

Rick Howard: And just one last thing. Thank you for being CyberWire Pro subscribers. We couldn't do this stuff if it weren't for you all. And I want you to know that everybody here at the CyberWire knows it and appreciates it. So thank you. 

Rick Howard: The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design and original score. And I am Rick Howard. Thanks for listening, and we'll see you in a month for Season 7.