Research Saturday 9.29.18
Ep 55 | 9.29.18

Sophisticated FIN7 criminal group hits payment card data.


Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:26] And now a moment to tell you about our sponsor, the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges for the benefit of societies around the world. Learn more at

Dave Bittner: [00:01:02] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Nick Carr: [00:01:42] They first came on our radar when we didn't really know who they were and associate them with a financial group at that time.

Dave Bittner: [00:01:50] That's Nick Carr. He's a Senior Manager of the Advanced Practices team at FireEye. The research we're discussing today is titled "On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation." It's research Nick did along with Kimberly Goody, Steve Miller, and Barry Vengerik, who we'll be hearing from momentarily. We recorded this interview back in August, just days after the United States District Attorney's Office for the Western District of Washington had unsealed indictments and announced the arrests of three individuals within the leadership ranks of FIN7.

Nick Carr: [00:02:24] We consider them an uncategorized threat cluster that we were responding to, and our experiences with them started with responding to and unveiling a bunch of new tools that the group was successfully using to surveil and attempt to extract payment card data from one of our clients.

Dave Bittner: [00:02:44] Now, this is a group that a lot of vendors refer to as the "Carbanak Group," just for clarification there. But you all made the point that perhaps not all CARBANAK use equates exactly one-to-one with the group you're tracking as FIN7.

Barry Vengerik: [00:03:00] About this same time last year, we released a blog post where we tried to talk a little bit about CARBANAK versus FIN7.

Dave Bittner: [00:03:06] That's Barry Vengerik. He's a Technical Director on the Advanced Practices team at FireEye.

Barry Vengerik: [00:03:11] So we usually try to avoid naming a threat group after a tool, just because we don't like to make a one-to-one association with malware or a specific toolset with a threat group. Primarily because of cases like this, where we can see multiple threat actors are overlapping groups using the same backdoor. So what it looks like is CARBANAK may have been shared or used by individual operators transitioning between different groups or criminal gangs for different operations. So calling all activity that was associated with CARBANAK the "Carbanak Group" is really kind of a reductionist and makes it a lot harder to differentiate between different threat groups.

Barry Vengerik: [00:03:50] So what we've actually seen is the understanding from other vendors as well as kind of peeled back a little bit as time has gone on, to show that some of the earlier CARBANAK activity, that folks like Kaspersky and ESET reported on, is definitely a different cluster then what we've seen being used by FIN7. And if you look at that blog post that we did last year, we actually broke down some of the major clusters of activity we saw using CARBANAK.

Nick Carr: [00:04:18] So, overall, FIN7 is a FireEye name that fits our naming convention, if that helps for background for you. It's similar to the APT, you know, APT1, obviously some of the APT numbered groups. It represents our promotion of a cluster or multiple clusters of activity into a high-fidelity named, either APT group or, in this case, financial group. So FIN7 is our terminology for this cluster, and we've been pretty consistent for who these attackers are throughout.

Nick Carr: [00:04:54] And we've also tried to be clear in our several blogs as we share new techniques that FIN7 is using, that that is indeed completely separate, or we have maintained that these are separate from what others call Carbanak Group and it's really hard to get into how other people categorize groups, especially when they start using your terminology. Others use the term FIN7 to describe activity they've observed.

Dave Bittner: [00:05:19] Sure. Well, let's walk through some of what they're up to, what they go after, and who they're targeting. Can you take us through that?

Barry Vengerik: [00:05:27] I think FIN7 is interesting in that we saw them kind of hit two major industries and clusters. And they're not exclusively targeting these industries, but they're where we saw the vast majority of activity. So, initially, we saw them heavily targeting the hospitality industry. So, hotels and casino gaming. And then we saw them make a transition into the restaurant industry. So, the tactics they were using varied slightly between the industries they were targeting, particularly in how they were approaching the spear phishing. But those are kind of the two major industry sectors that we've seen are targeting heavily.

Dave Bittner: [00:06:05] Now, they are fairly sophisticated here, and it seems as though they also have a good amount of resources at their disposal. I mean, they're they're using things like spear phishing, actually doing the homework on the people that they're going after, which is resource intensive.

Nick Carr: [00:06:21] Yeah, we would definitely agree with that assessment. When you get into the role of saying someone is sophisticated, we can't measure someone's success and say that that was sophisticated in itself, because that might have to do more with the maturity of their victims and defenses in place. But we've tracked them long enough, and we try to highlight in the blog some of the things that we felt make FIN7 sophisticated. All the first things they developed that were completely their own. Some of the really unique mechanisms they used to compromise clients, and we walk through some of those innovative things that they deploy.

Nick Carr: [00:06:58] But like you said, the spear phishing, the quality of that - I suppose we got insight into multiple teams working at the same time, so not only do they have high-quality phishing emails and social engineering schemes, based on the amount of response we did into this group, we would actually be responding to a FIN7 compromise at one client and then see them attempting to get into several more FireEye clients with these other techniques. So, it really gave us unique visibility into the scope and scale of this activity.

Barry Vengerik: [00:07:29] Yeah, and speaking to the sophistication, you know, as loosely as we're using the term, I think one thing that's easy to talk about, because it's really easy for people to conceptualize, is how they were doing the initial spear phishing. So they were almost exclusively targeting customer service personnel. So whether that would be booking agents at hotels that are responsible for booking large groups, or individual restaurant managers who are, you know, kind of the first line for fielding complaints, or customer service lines that field complaints at a restaurant.

Barry Vengerik: [00:08:01] They were really aware of who they were targeting, and how they were building the spear phishing towards those targets in order to elicit folks to open the spear phishing attachments that they were sending, all the way down to including detailed instructions on how to bypass some built-in Office security mechanisms like enabling macros and enabling active content in the spear phishing documents.

Barry Vengerik: [00:08:24] So they were really aware of the folks that they were choosing to target at the victim organizations where people that were in customer service roles and would, in the normal course of their jobs, be dealing with a lot of people they never talked to before and a lot of unsolicited email attachments that they would have to open. So they kind of bypassed a lot of that best practices, user training stuff that is always being talked about for - to mitigate spear phishing.

Dave Bittner: [00:08:49] Now, one of the things you highlighted in your research was how they were creating novel obfuscation methods, and that they were varying them at a fairly rapid clip. Can you describe what they were up to there?

Nick Carr: [00:09:01] Yeah, so there was a period where, again, we saw these - what I would categorize as multiple teams - and the team that was developing the phishing documents, they were developing and testing those documents on, at one point, a daily basis, around I think July of 2017...

Barry Vengerik: [00:09:19] Yeah, last summer.

Nick Carr: [00:09:20] ...It reached the height of its rapid development. And they came up with a technique of obfuscating the commands on the command interpreter that was so unique we gave it its own term. But it was obviously successful because then on a daily basis we saw them tweak and change. And so it was a grind to stay up with every variation there. And then we'd see those tested in a number of ways and then delivered to our clients - to FireEye clients - attempt to get into their stores the same day via phishing emails.

Dave Bittner: [00:09:53] Now, another thing that you highlighted, you have a section here describing all the phone calls that they would make to these organizations. They used a technique of complaining about a lot of things. One of the things that caught my eye is they would lodge food poisoning complaints, which I love - internally you all called that "FINdigestion." Love it.

Nick Carr: [00:10:12] (Laughs) Yes.

Dave Bittner: [00:10:13] Describe to me, what was the approach here by these complaining phone calls?

Barry Vengerik: [00:10:18] So I think the main takeaway from how they were doing this spear phishing is, just like I talked about a little earlier, they wanted to create a sense of urgency around the communications. So we would see frequently where they wouldn't even introduce the spear phishing document until they had had a two or three email exchange with one of the users in the victim organization, just to build that kind of sense of trust that this is a legitimate communication I'm having, and then pass along the spear phishing attachment.

Barry Vengerik: [00:10:46] We saw them use web complaint forms, so kind of an avenue outside of traditional email. And then we saw scenarios where they would call the victim after they had sent the spear phishing to elicit them to open the attachment over the phone call. So really persistent, more advanced social engineering tactics around actually getting the initial victims to open those attachments.

Nick Carr: [00:11:09] Yeah, and if you start to break down people calling to simply ask, did you receive my complaint, or did you received my email, it's a really unique way that FIN7 is able to identify if a security solution blocked the phishing email and it didn't make it to them. And if they did receive it, they can walk them through it or continue to social engineer in ways that you'd expect a very good red team to use.

Dave Bittner: [00:11:36] Yeah, it's interesting, to actually make the phone call to make sure that you got the malicious email. That's not something you hear every day. One of the things you included in your research was you had a sample letter that they had written, that they were claiming to be from the FDA, the Food and Drug Administration. And it's interesting, sort of the contrast, some of the obvious shortcomings in this, but yet, I guess, still successful. I mean, it says the first word is "hello," but hello is misspelled.

Nick Carr: [00:12:04] (Laughs)

Dave Bittner: [00:12:04] You're not off to a good start, and there are - you know, I guess that we sort of joke about all the grammar errors within this, but I guess it's good enough to work.

Nick Carr: [00:12:13] So this was a unique one because that is so front and center. We almost didn't include it, but the FDA example - two parts here. You can see the amount of effort that went into not only the templated email that appears to come from FDA, and delivered ostensibly from the FDA which was spoofed here, but even using a specific center within the FDA. All of these Photoshop templates that are customized and professional looking. And then beneath that within the blog, we also show you that that same templating was matched with an encrypted document where they further social engineer users to engage with and, in this case, enable macros.

Nick Carr: [00:12:51] But yeah, this was a rare one because it was a one-off that went a little bit more broadly, that we didn't see this language before. So perhaps as this was written as a one-off campaign, the language didn't go through as much review, perhaps, and has a misspelling. To be honest with you, the spelling was not typically an issue if it was emailing or contacting that they left a backpack here, or calling ahead for special allergies, or making a catering order.

Nick Carr: [00:13:20] And then, to be honest with you, when customer service is engaging with the general public, I'm sure that spelling mistakes are pretty common. So, you know, this one I think stands out a little bit because it appears to come from the FDA on very official letterhead, so spelling mistakes wouldn't be there. But in other cases we didn't see them so much and they probably wouldn't be too big of a deal.

Barry Vengerik: [00:13:43] Yeah, I mean, a good example is one that we were just looking at this week where they complained that their daughter had been injured at a location of the restaurant and they were trying to send documentation of medical ER visits to treat the injury. So obviously, once again, building that sense of urgency and really getting into a scenario where whoever receives that email is going to open it as quickly as they can.

Nick Carr: [00:14:07] Yeah, there's - it's urgency, almost some litigious nature to them as well.

Barry Vengerik: [00:14:12] Yes.

Nick Carr: [00:14:12] If you look at the kinds of things they submitted, this is something that would be a very bad thing if I don't engage and have a record of responding.

Barry Vengerik: [00:14:20] And my suspicion is they moved to that because it's much more successfully. We initially used to see them just do things like a catering order, or a "I left my backpack in a store." But it's almost all transitioned to stuff of a more litigious, emergency nature, like the food made me sick, or my child got hurt in your store.

Dave Bittner: [00:14:40] Now, one of the things you all were able to do was to track individual personas over the course of keeping an eye on this. Do you have any sense for the scope of this? How many people are involved or are members of this organization?

Nick Carr: [00:14:54] At least three.

Dave Bittner: [00:14:56] (Laughs)

Nick Carr: [00:14:58] Outside of the arrests, we tried to - we track certain tool marks that are associated with each phase, and we later determine how relevant something is or how linked it might be to a particular group. So in some cases you might have a tool developer leave something they might not have known they left within a phishing document. You might have someone setting up infrastructure who makes a mistake. In a lot of these cases, it's a combination of small mistakes or small things where attackers might not know what can be identified within there.

Nick Carr: [00:15:33] And then, in this case, we released some of those personas that we found to be interesting and relevant. In some cases, it turns out that personas that we track are tied to a tool creator that doesn't work in that particular group, or someone from the criminal underground who's serving and sharing and passing around a document. In these cases, the metadata - a lot of what we're sharing is from an artifact that's pretty new, and we suspect the attackers were maybe not aware of it.

Barry Vengerik: [00:16:03] I think what - the artifacts are actually stuff that we've pilled out of the phishing documents, and we went into it a little bit in the blog. So, as far as scale, we can infer a lot from the indictments and how they describe the organization's working. So, where the three indicted individuals were kind of more at the top and type of a project management or overview role, it definitely infers that there's, you know, quite a few folks working on different aspects of their campaigns against the victims. So, folks sending out the spear phishing, folks doing the actual intrusions, folks harvesting the card data. So some of the details in the indictment kind of point to a very widespread, large organization conducting these campaigns and operating against multiple victims at the same time.

Dave Bittner: [00:16:47] Yeah. Since the indictments came down, how have their activities shifted? Have they gone quiet for a while, or are they still at it?

Barry Vengerik: [00:16:56] So, about February of last year and then picking up towards the end of summer of last year, we were tracking some parallel activity that Proofpoint initially blogged about as "BATELEUR." So it was a very similar initial-stage backdoor, very similar phishing to what we had seen from FIN7. And that activity has kind of increased as what we had traditionally tracked as FIN7 decreased.

Barry Vengerik: [00:17:20] And so we're seeing a lot of parallels from that activity to the FIN7 activity, and it's actually reached a point where we have enough evidence to say that this is either a direct offshoot or closely related to the previous FIN7 activity. So that new strain of activity has actually been very consistent through - with the indictment happening, and into last week, we have some spear phishing they sent out last week.

Barry Vengerik: [00:17:45] So, I think what you're seeing here is, with an organization this large and diverse, that taking two or three or four guys out of the equation is definitely not going to have a significant impact on their day-to-day operations in the way that some folks think it might, just due to the fact that this is a large criminal organization and they obviously have been very successful so far. So I don't - we don't see any kind of material impacts on the day-to-day based on the indictment. And I think that's something that FBI and DOJ kind of intimated when they made the announcement, that like, hey, this isn't going to go away but we're making progress by doing some indictments.

Dave Bittner: [00:18:24] Now, tell me about this company called Combi Security. You all kept an eye on this group, evidently a front company for FIN7?

Nick Carr: [00:18:34] That's right. And that was confirmed by the DOJ announcement about Combi Security. This is to me one of the most fascinating pieces of the FIN7 story, was the front company that had a full-on online persona as the world leaders in protecting large information systems from modern cyber threats. They had headquarters, they had three different headquarters locations, and job advertisements, that actually, once people knew to look for them, you know, they were out there. In order to have a digital front company, I suppose you really need to embrace it always. So they had LinkedIn profiles for several members that had various roles within the team.

Nick Carr: [00:19:16] One of those things we nuanced this with is it's certainly possible that there were unwitting individuals that were recruited to work for Combi Security, you know, FIN7, who may have thought they were operating a traditional red team or security tests, and that access was then used for criminal purposes.

Dave Bittner: [00:19:38] There's no indication that there's a legit side of Combi Security and groups are out there freelancing as FIN7? It seems that the whole thing was a front for these criminal activities.

Nick Carr: [00:19:50] Yes, I can let Barry chime in, but a hundred percent, Combi Security is believed to be a full front organization.

Barry Vengerik: [00:19:58] Yeah, there's no indication that there was any kind of legitimate security testing being done by Combi. And it's actually - it's kind of an ingenious way to do it, you give yourself some a plausible deniability. The idea that there may have been folks who were hired by Combi as unwitting is interesting. Personally, I think that after the first couple of pentests they probably would have figured out what's going on, but it's really hard to say from our perspective. You know, how much individual operators who may have been employed by Combi really knew what they were in for.

Nick Carr: [00:20:32] Yeah, and some were developers, according to information available on LinkedIn and things like that, developed capabilities for them. It's certainly possible that this helped explain some of the really innovative things they were doing. This is obviously a well-resourced group. After a few of their operations, Combi Security then has some more money to spend on FIN7 development. Of course that's speculation. I don't have insight into that, but for us it was an interesting way to look back at the activity under this front.

Nick Carr: [00:21:02] And by the way - not only do we expect this activity to continue, to have FIN7 members that have not been arrested here - I would expect, and we have reason to believe, their same behavior with setting up successful front companies would continue on. So we think this based on the success, you know, the conservative estimate of a billion dollars in card data taken. This is obviously a successful model for financial criminal organization that it's operating like this. So we'd expect them to continue to operate and do a lot of the same things that we saw Combi Security and FIN7 do.

Dave Bittner: [00:21:38] Now, what are your recommendations in terms of people protecting themselves against this? If I'm in the hospitality industry, how do I protect my organization and my staff?

Nick Carr: [00:21:47] There's a lot of recommendations we give. So, specific to FIN7, we provide not only a lot of technical details but some other ways to quote unquote "hunt" through your environment, looking for the kinds of things they do, so we try to provide some insight into behaviors. From those, there are a lot of things that can be gained about how it makes sense to secure your environment.

Nick Carr: [00:22:09] Really, you know, in organizations that can do so,there's some core recommendations. We tend to pick up and prevent FIN7 intrusions with our email security. So an advanced email security solution. You don't want your users to be the first people to open a document or enable macros. It makes sense - there's entire products in industries, companies like ours, that have developed technology that works in that regard.

Nick Carr: [00:22:38] So there's some technical solutions, there are some policy solutions and recommendations. Restricting what you enable to run in your environment - some of these phishing documents would drop scripts where highly locked-down systems and systems with more up-to-date policies restricting user behavior were were able to prevent FIN7 from being successful.

Nick Carr: [00:22:59] But I think the key here is this is not a user awareness story. This is not going to be solved by user education. Barry started this by explaining the kinds of people they targeted, the people that have to open the emails, the kind of people that have to click the attachment.

Barry Vengerik: [00:23:14] There's also mechanisms, and this was obviously stuff that was bypassed in a few cases, where you can have complaint forms to avoid customer service personnel dealing with - or web forms in general - to avoid personnel dealing with attachments. However, you know, a lot of these forms allow for an attachment to be provided as well, or after an email response from the form an attachment was introduced.

Barry Vengerik: [00:23:38] So, obviously, FIN7 is aware of kind of these mitigation techniques that a lot of the victim organizations are putting in place. So it's really kind of a thorny issue on the initial spear-phishing end. But some of the suggestions that Nick mentioned, like, you know, having really limited, isolated systems and user accounts that are responsible for dealing with those attachments, are honestly some of the best ways to go.

Barry Vengerik: [00:24:01] I think what we also saw is that some of the organizations that were targeted are not well resourced to deal with this kind of threat in terms of how many controls you really need to be in place to isolate yourself from this. You know, if you're a small restaurant chain with a couple dozen locations, this type of stuff is way down the list of your costs and concerns, especially in the IT front. So it's really - the real challenge I think is for those small to medium restaurants that, you know, may be processing a huge amount of cards, but just really don't have a robust enough IT infrastructure to really even think about this in their normal threat model. So, it's just really challenging for those smaller organizations.

Nick Carr: [00:24:46] Oh, I would be remiss if I didn't mention the most successful defense against FIN7, in our experience - now, defense against them achieving their full mission, which was card data theft, first and foremost, that's their bread and butter - was protecting your point-of-sale, your POS environment, with end-to-end encryption, or point-to-point encryption.

Nick Carr: [00:25:10] So we had several scenarios where FIN7 was able to get past some of those controls or, in a lot of cases, those other controls weren't in place. And once they would attempt to get down to the - and surveil the card environment and attempt to get that card data, and run all their tools custom-built to extract that data, they weren't able to do so. They'd encounter encryption and they would try to actually - we talked a little bit about the things they would do then, you know, what they would research and then how they try to monetize intrusion overall. But that is the core FIN7 mission, is payment card theft, and encrypting the end-to-end POS systems was the most successful defense.

Barry Vengerik: [00:25:53] Yeah, and that's something that partly explains why most of the FIN7 activity that we responded to was in the US. The US is kind of the last bastion for swipe card transactions which are unencrypted and have card data hitting memory of affected point-of-sale systems. So I think as we see that transition to, you know, chip and PIN, and chip and signature, in the US - the EMV transactions - we're going to see these type of point-of-sale compromises go down.

Barry Vengerik: [00:26:23] However, there are several very large industries in the US, one being gas stations, that are kind of sunsetted - I guess sunsetting's not the right word - they have exemptions for swipe transactions, given the capital costs in replacing all the terminals at the gas pumps. I think, Nick, they're into like 2019 at this point, or 2020.

Nick Carr: [00:26:44] I believe that's right, yeah.

Barry Vengerik: [00:26:46] They keep pushing it back. So there's definitely still vulnerable industries where there's a lot of swipe transactions and unencrypted card data floating around to be targeted.

Nick Carr: [00:26:56] Yeah, and sorry, just a narrative side note - when they did encounter the encryption, we actually talked upfront. We were unveiled for the first time within our report, some of the other things that we saw FIN7 doing to monetize those compromises. So, you know, targeting material non-public information that FIN7 may have used to gain a competitive stock-trading advantage. So when they'd run into that encryption and really couldn't figure out how to subvert it, you know, identifying individuals within the corporate finance team and things like that once they were already in the network.

Dave Bittner: [00:27:32] Yeah, that's interesting. So, while we're here, we might as well loot the whole place or, if we can't get the main thing we were after, we shouldn't go home empty handed.

Nick Carr: [00:27:42] Exactly. For me, it's simply that Steve, Kim, Barry, and myself had the opportunity to write a blog and spend two days putting this together. But we wouldn't be able to do this - this is not a Nick and Barry story or a Kim and Steve story without all of the work that went into this, not only from the many Mandiant engagements and all the people leading those investigations, all the hard work, but from the industry too. I mean, this was a big security industry story, and something where it was certainly not just FireEye. A lot of people contributed to stopping this activity, contextualizing, understanding it, and doing our best to collectively share that with each other as well.

Barry Vengerik: [00:28:26] I'd just like to reiterate what Nick mentioned, that we have a great advantage here at FireEye, that we have kind of unparalleled insight into what some of these attackers are doing within victim networks through our Mandiant Instant Response. So it really helps us builds kind of a big picture throughout an attack lifecycle of what attackers are doing. You know, I just want to thank all our Mandiant instant responders as well as all the other folks across the company that really have helped our understanding of FIN7 and then, you know, allowed us to contribute to things like the blog. And that's it.

Dave Bittner: [00:28:58] I'm curious, just from a personal point of view - when the USDA comes in and makes these arrests, and that's in large part to the work that you all have done - when you see the work you're doing pay off and that bad guys are being brought to justice, there must be a certain amount of satisfaction and gratification that comes from that.

Nick Carr: [00:29:18] For me at least, a lot of what I do and a lot of what Barry does is responding to cyber espionage. Responding to nation-state or nation-state activity, or nation-state actually on commercial industry or individuals frankly. And there seemed to be more indictments and more rhetoric calling people out. The interesting part about a story like this is, you know, these are extradited and arrested individuals who are at least those caught here paying the price for the activity. You don't always get that in a lot of the others. There might be other geopolitical reasons to call out a group, but it won't realistically and closure, I think, for people.

Nick Carr: [00:29:59] So, overall, I think it was exciting, interesting, and close to home, certainly, for around three years of this work that we've put in, and keeping up and getting to know the full identity behind the people we've gotten to know on network and kind of know them on keyboard, we know what they do. And it's just fascinating to get that law enforcement visibility into everything about them.

Dave Bittner: [00:30:27] Our thanks to Nick Carr and Barry Vengerik from FireEye for joining us. Their research is titled "On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation." It's research they did along with Kimberly Goody and Steve Miller. You can find it on the FireEye website. We'll also have a link in the show notes.

Dave Bittner: [00:30:48] Thanks to the Hewlett Foundation's Cyber Initiative for sponsoring our show. You can learn more about them at

Dave Bittner: [00:30:55] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:31:04] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.