SlideShare a Scribd company logo

Defender economics

A
addelindh

Slides from Troopers 15 talk.

Technology
1 of 41
Download to read offline
Defender Economics Andreas Lindh, @addelindh, Troopers 15
Who is this guy? §  From Gothenburg, Sweden §  Security Analyst at I Secure Sweden §  Used to work for a big
 automotive company §  Computer security philosopher Ø @addelindh -> Twitter §  Security Swiss Army knife Ø Not sharp, just versatile J
What’s it about? §  Understanding attackers, their capabilities and constraints
 §  How this information can be used to make better defensive decisions
 §  Bonus: provide input on how offense can get better at emulating real threats
Inspiration §  This talk shamelessly builds on the work of some very smart people, so thanks: Ø Dan Guido (@dguido) Ø Dino Dai Zovi (@dinodaizovi) Ø Jarno Niemelä (@jarnomn) §  You should really go Twitter-stalk these guys if you aren’t already
Disclaimer
The thing about security
Security truism #1 “An attacker only needs to find one weakness while the defender needs to find every one.” The defenders dilemma
Security truism #2 “A skilled and motivated attacker will always find a way.”
The sky is falling
Attacker mythology Photoshop magic by Mirko Zorz @ http://www.net-security.org
Meanwhile in the CISO’s office
The thing about the thing §  On the one hand Ø Yes, attackers are evolving Ø No, you can’t protect against everything
 §  On the other hand Ø No attacker has infinite resources Ø Do you really need to protect against everything?
Hackers vs Attackers
Attacker considerations
Attacker math “If the cost of attack is less than the value of your information to the attacker, you will be attacked.”
 Dino Dai Zovi, “Attacker Math”*, 2011 *https://www.trailofbits.com/resources/attacker_math_101_slides.pdf
Attacker economics §  An attack has to make “economic” sense to be motivated
 §  An attack that is motivated has to be executed using available resources §  Bottom line: keep it within budget
Defender economics §  Figure out your attacker’s limitations
 §  Raise the cost of attack where your attacker is weak and you are strong §  Bottom line: break the attacker’s budget
Know your enemy
Attacker profiling §  Motivation
 §  Resources
 §  Procedures
Motivation §  Motivation behind the attack §  Level of motivation per target OMG! Meh.
Resources §  People and skills §  Tools and infrastructure §  Supply chain §  And so on...
 §  Willingness to spend resources depends on motivation
Procedures §  Attack vectors §  Post-exploitation activities §  Flexibility §  And so on...
 §  Procedures often designed for efficiency, reusability, and scalability
Two very different examples Google Chrome vs Malware Big company X vs APT groups
Google Chrome §  61.6% market share (December 2014) Ø Source: w3schools §  220 RCE vulnerabilities in 2012-2014 Ø Source: OSVDB §  Should be an attractive infection vector for malware
Attacker profile: Malware §  Volume driven §  Drive-by downloads §  Requires file system access §  Supply chain dependency Ø Exploit Kits
Exploit Kits §  Most exploits not developed in-house Ø Repurposed from other sources Ø See Dan Guido’s Exploit Intelligence Project* §  Exploits developed for default setup §  Very few 0days §  Limited targets *https://www.trailofbits.com/resources/exploit_intelligence_project_paper.pdf
21 Exploit Kits in 2014 7 3 Exploits added in 2014 Flash Internet Explorer 7 8 88 179 0 20 40 60 80 100 120 140 160 180 200 Flash Internet Explorer Patch-to-exploit Shortest Longest Source: Contagio Exploit Kit table - http://contagiodata.blogspot.com/2014/12/exploit-kits-2014.html
Chrome security model §  Strong security architecture Ø Tabs, plugins run as unprivileged processes §  Rapid patch development Ø Capable of 24 hour turnaround §  Rapid patch delivery Ø Silent security updates Ø 90% of user-base patched in ~1 week
Chrome vs Malware §  Raised cost for exploit developers Ø Usually requires multiple chained vulnerabilities for file system access
 §  Raised cost for Exploit Kits Ø Few publicly available exploits Ø No market for exploits that are only effective for a couple of days
Big company X §  50 000 employees §  Centrally managed IT §  No rapid patching §  Low security awareness among employees §  Has an APT* problem *OMG CYBER!
Attacker profile: APT groups §  Target driven §  Phishing §  0ldays and 0days §  Off-the-shelf and custom tools/malware §  Post-intrusion activity §  Stealthy presence §  Professional
APT groups – previous research §  “Statistically effective protection against APT attacks”* by @jarnomn §  ~930 samples of exploits used in the wild by APT groups 2010-2013 §  EMET was found to block 100% of exploits Ø Indicative but not conclusive *https://www.virusbtn.com/pdf/conference_slides/2013/Niemela-VB2013.pdf
APT groups active in 2014* §  13 groups §  Active from 2003 §  100% spear phishing §  ~50% has used 0days (≥ 2) §  Only one exploit bypassed “non- default” 5   3  3   2   1   1   1   Exploited software Adobe Reader Flash Java Windows Internet Explorer Microsoft Office WinRAR *Source: https://apt.securelist.com
APT strengths | weaknesses §  Strengths Ø Post-intrusion activity Ø Stealthy presence Ø Professional §  Weaknesses Ø Predictable attack vector Ø Unsophisticated initial intrusion
Options for Company X §  Cheap but effective Ø Exploit mitigation Ø Secure software configurations §  More expensive and effective Ø 3rd party sandbox §  Very expensive and possibly(?) effective Ø Email security product
Conclusion
Security is hard, but... §  Attackers are not made of magic §  Every attacker has limitations §  Understanding these limitations is the key to making informed defensive decisions §  Raising the cost (bar) of attack can be very effective §  This is NOT about being 100% secure
For the pentesters §  Thinking like a hacker is not the same as thinking like an attacker
 §  Understand that attackers have scopes and constraints too
Thank you for listening! Andreas Lindh, andreas.lindh@isecure.se, @addelindh Questions?

Recommended

(SACON) Shomiron das gupta - threat hunting use cases
(SACON) Shomiron das gupta - threat hunting use cases(SACON) Shomiron das gupta - threat hunting use cases
(SACON) Shomiron das gupta - threat hunting use casesPriyanka Aash
 
Break IT Down by Josh Smith
Break IT Down by Josh SmithBreak IT Down by Josh Smith
Break IT Down by Josh SmithEC-Council
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesOWASP Delhi
 
Cybersecurity 5 road_blocks
Cybersecurity 5 road_blocksCybersecurity 5 road_blocks
Cybersecurity 5 road_blocksCyphort
 
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...EC-Council
 
Tech ThrowDown: Invincea FreeSpace vs EMET 5.0
Tech ThrowDown: Invincea FreeSpace vs EMET 5.0Tech ThrowDown: Invincea FreeSpace vs EMET 5.0
Tech ThrowDown: Invincea FreeSpace vs EMET 5.0Invincea, Inc.
 
Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014Invincea, Inc.
 
Machine learning cyphort_malware_most_wanted
Machine learning cyphort_malware_most_wantedMachine learning cyphort_malware_most_wanted
Machine learning cyphort_malware_most_wantedCyphort
 

Recommended

(SACON) Shomiron das gupta - threat hunting use cases
(SACON) Shomiron das gupta - threat hunting use cases(SACON) Shomiron das gupta - threat hunting use cases
(SACON) Shomiron das gupta - threat hunting use casesPriyanka Aash
 
Break IT Down by Josh Smith
Break IT Down by Josh SmithBreak IT Down by Josh Smith
Break IT Down by Josh SmithEC-Council
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesOWASP Delhi
 
Cybersecurity 5 road_blocks
Cybersecurity 5 road_blocksCybersecurity 5 road_blocks
Cybersecurity 5 road_blocksCyphort
 
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...EC-Council
 
Tech ThrowDown: Invincea FreeSpace vs EMET 5.0
Tech ThrowDown: Invincea FreeSpace vs EMET 5.0Tech ThrowDown: Invincea FreeSpace vs EMET 5.0
Tech ThrowDown: Invincea FreeSpace vs EMET 5.0Invincea, Inc.
 
Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014Invincea fake british airways ticket spear-phish malware 03-21-2014
Invincea fake british airways ticket spear-phish malware 03-21-2014Invincea, Inc.
 
Machine learning cyphort_malware_most_wanted
Machine learning cyphort_malware_most_wantedMachine learning cyphort_malware_most_wanted
Machine learning cyphort_malware_most_wantedCyphort
 
Crowd-Sourced Threat Intelligence
Crowd-Sourced Threat IntelligenceCrowd-Sourced Threat Intelligence
Crowd-Sourced Threat IntelligenceAlienVault
 
Continuous Security - NDC Sydney 2017
Continuous Security - NDC Sydney 2017Continuous Security - NDC Sydney 2017
Continuous Security - NDC Sydney 2017Laura Bell
 
Red Team Operations: Attack and Think Like a Criminal
Red Team Operations: Attack and Think Like a CriminalRed Team Operations: Attack and Think Like a Criminal
Red Team Operations: Attack and Think Like a CriminalInfosec
 
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016grecsl
 
Malware Most Wanted: Security Ecosystem
Malware Most Wanted: Security EcosystemMalware Most Wanted: Security Ecosystem
Malware Most Wanted: Security EcosystemCyphort
 
Cyber Threat Hunting Training (CCTHP)
Cyber Threat Hunting Training (CCTHP)Cyber Threat Hunting Training (CCTHP)
Cyber Threat Hunting Training (CCTHP)ENOInstitute
 
A Journey Into Pen-tester land: Myths or Facts!
A Journey Into Pen-tester land: Myths or Facts!A Journey Into Pen-tester land: Myths or Facts!
A Journey Into Pen-tester land: Myths or Facts!Ammar WK
 
Opsec for security researchers
Opsec for security researchersOpsec for security researchers
Opsec for security researchersvicenteDiaz_KL
 
How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...
How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...
How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...Brian Kelly
 
Enabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident responseEnabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident responsejeffmcjunkin
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston HeckerEC-Council
 
Defending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksDefending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksEC-Council
 
Malware self protection-matrix
Malware self protection-matrixMalware self protection-matrix
Malware self protection-matrixCyphort
 
2018 CISSP Mentor Program Session 1
2018 CISSP Mentor Program Session 12018 CISSP Mentor Program Session 1
2018 CISSP Mentor Program Session 1FRSecure
 
OSB340: Disrupting an Advanced Attack
OSB340: Disrupting an Advanced AttackOSB340: Disrupting an Advanced Attack
OSB340: Disrupting an Advanced AttackIvanti
 
OSB340R: Disrupting an Advanced Attack
OSB340R: Disrupting an Advanced AttackOSB340R: Disrupting an Advanced Attack
OSB340R: Disrupting an Advanced AttackIvanti
 
SACON - Deception Technology (Sahir Hidayatullah)
SACON - Deception Technology (Sahir Hidayatullah)SACON - Deception Technology (Sahir Hidayatullah)
SACON - Deception Technology (Sahir Hidayatullah)Priyanka Aash
 
Click and Dragger: Denial and Deception on Android mobile
Click and Dragger: Denial and Deception on Android mobileClick and Dragger: Denial and Deception on Android mobile
Click and Dragger: Denial and Deception on Android mobilegrugq
 
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...Clare Nelson, CISSP, CIPP-E
 
Preparing for a Security Breach
Preparing for a Security BreachPreparing for a Security Breach
Preparing for a Security BreachAlienVault
 
Oak Tree
Oak TreeOak Tree
Oak TreeMoss Lawton
 
Pixar Summer Internship 2015: Personal Story
Pixar Summer Internship 2015: Personal StoryPixar Summer Internship 2015: Personal Story
Pixar Summer Internship 2015: Personal StoryMoss Lawton
 

More Related Content

What's hot

Crowd-Sourced Threat Intelligence
Crowd-Sourced Threat IntelligenceCrowd-Sourced Threat Intelligence
Crowd-Sourced Threat IntelligenceAlienVault
 
Continuous Security - NDC Sydney 2017
Continuous Security - NDC Sydney 2017Continuous Security - NDC Sydney 2017
Continuous Security - NDC Sydney 2017Laura Bell
 
Red Team Operations: Attack and Think Like a Criminal
Red Team Operations: Attack and Think Like a CriminalRed Team Operations: Attack and Think Like a Criminal
Red Team Operations: Attack and Think Like a CriminalInfosec
 
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016grecsl
 
Malware Most Wanted: Security Ecosystem
Malware Most Wanted: Security EcosystemMalware Most Wanted: Security Ecosystem
Malware Most Wanted: Security EcosystemCyphort
 
Cyber Threat Hunting Training (CCTHP)
Cyber Threat Hunting Training (CCTHP)Cyber Threat Hunting Training (CCTHP)
Cyber Threat Hunting Training (CCTHP)ENOInstitute
 
A Journey Into Pen-tester land: Myths or Facts!
A Journey Into Pen-tester land: Myths or Facts!A Journey Into Pen-tester land: Myths or Facts!
A Journey Into Pen-tester land: Myths or Facts!Ammar WK
 
Opsec for security researchers
Opsec for security researchersOpsec for security researchers
Opsec for security researchersvicenteDiaz_KL
 
How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...
How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...
How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...Brian Kelly
 
Enabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident responseEnabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident responsejeffmcjunkin
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston HeckerEC-Council
 
Defending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksDefending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksEC-Council
 
Malware self protection-matrix
Malware self protection-matrixMalware self protection-matrix
Malware self protection-matrixCyphort
 
2018 CISSP Mentor Program Session 1
2018 CISSP Mentor Program Session 12018 CISSP Mentor Program Session 1
2018 CISSP Mentor Program Session 1FRSecure
 
OSB340: Disrupting an Advanced Attack
OSB340: Disrupting an Advanced AttackOSB340: Disrupting an Advanced Attack
OSB340: Disrupting an Advanced AttackIvanti
 
OSB340R: Disrupting an Advanced Attack
OSB340R: Disrupting an Advanced AttackOSB340R: Disrupting an Advanced Attack
OSB340R: Disrupting an Advanced AttackIvanti
 
SACON - Deception Technology (Sahir Hidayatullah)
SACON - Deception Technology (Sahir Hidayatullah)SACON - Deception Technology (Sahir Hidayatullah)
SACON - Deception Technology (Sahir Hidayatullah)Priyanka Aash
 
Click and Dragger: Denial and Deception on Android mobile
Click and Dragger: Denial and Deception on Android mobileClick and Dragger: Denial and Deception on Android mobile
Click and Dragger: Denial and Deception on Android mobilegrugq
 
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...Clare Nelson, CISSP, CIPP-E
 
Preparing for a Security Breach
Preparing for a Security BreachPreparing for a Security Breach
Preparing for a Security BreachAlienVault
 

What's hot (20)

Crowd-Sourced Threat Intelligence
Crowd-Sourced Threat IntelligenceCrowd-Sourced Threat Intelligence
Crowd-Sourced Threat Intelligence
 
Continuous Security - NDC Sydney 2017
Continuous Security - NDC Sydney 2017Continuous Security - NDC Sydney 2017
Continuous Security - NDC Sydney 2017
 
Red Team Operations: Attack and Think Like a Criminal
Red Team Operations: Attack and Think Like a CriminalRed Team Operations: Attack and Think Like a Criminal
Red Team Operations: Attack and Think Like a Criminal
 
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
 
Malware Most Wanted: Security Ecosystem
Malware Most Wanted: Security EcosystemMalware Most Wanted: Security Ecosystem
Malware Most Wanted: Security Ecosystem
 
Cyber Threat Hunting Training (CCTHP)
Cyber Threat Hunting Training (CCTHP)Cyber Threat Hunting Training (CCTHP)
Cyber Threat Hunting Training (CCTHP)
 
A Journey Into Pen-tester land: Myths or Facts!
A Journey Into Pen-tester land: Myths or Facts!A Journey Into Pen-tester land: Myths or Facts!
A Journey Into Pen-tester land: Myths or Facts!
 
Opsec for security researchers
Opsec for security researchersOpsec for security researchers
Opsec for security researchers
 
How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...
How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...
How To Stop Targeted Attacks And Avoid “Expense In Depth” With Strong Authent...
 
Enabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident responseEnabling effective hunt teaming and incident response
Enabling effective hunt teaming and incident response
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston Hecker
 
Defending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksDefending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael Banks
 
Malware self protection-matrix
Malware self protection-matrixMalware self protection-matrix
Malware self protection-matrix
 
2018 CISSP Mentor Program Session 1
2018 CISSP Mentor Program Session 12018 CISSP Mentor Program Session 1
2018 CISSP Mentor Program Session 1
 
OSB340: Disrupting an Advanced Attack
OSB340: Disrupting an Advanced AttackOSB340: Disrupting an Advanced Attack
OSB340: Disrupting an Advanced Attack
 
OSB340R: Disrupting an Advanced Attack
OSB340R: Disrupting an Advanced AttackOSB340R: Disrupting an Advanced Attack
OSB340R: Disrupting an Advanced Attack
 
SACON - Deception Technology (Sahir Hidayatullah)
SACON - Deception Technology (Sahir Hidayatullah)SACON - Deception Technology (Sahir Hidayatullah)
SACON - Deception Technology (Sahir Hidayatullah)
 
Click and Dragger: Denial and Deception on Android mobile
Click and Dragger: Denial and Deception on Android mobileClick and Dragger: Denial and Deception on Android mobile
Click and Dragger: Denial and Deception on Android mobile
 
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
The Inmates Are Running the Asylum: Why Some Multi-Factor Authentication Tech...
 
Preparing for a Security Breach
Preparing for a Security BreachPreparing for a Security Breach
Preparing for a Security Breach
 

Viewers also liked

Pixar Summer Internship 2015: Personal Story
Pixar Summer Internship 2015: Personal StoryPixar Summer Internship 2015: Personal Story
Pixar Summer Internship 2015: Personal StoryMoss Lawton
 
Pixar Summer Internship 2015: Tortoise and the Hare
Pixar Summer Internship 2015: Tortoise and the HarePixar Summer Internship 2015: Tortoise and the Hare
Pixar Summer Internship 2015: Tortoise and the HareMoss Lawton
 
Disney Talent Development Test
Disney Talent Development TestDisney Talent Development Test
Disney Talent Development TestMoss Lawton
 
2016 台灣虛擬及擴增實境產業白皮書 (Tavar協會發行)
2016 台灣虛擬及擴增實境產業白皮書 (Tavar協會發行)2016 台灣虛擬及擴增實境產業白皮書 (Tavar協會發行)
2016 台灣虛擬及擴增實境產業白皮書 (Tavar協會發行)TAVAR
 
Hype vs. Reality: The AI Explainer
Hype vs. Reality: The AI ExplainerHype vs. Reality: The AI Explainer
Hype vs. Reality: The AI ExplainerLuminary Labs
 
Visual Design with Data
Visual Design with DataVisual Design with Data
Visual Design with DataSeth Familian
 

Viewers also liked (7)

Oak Tree
Oak TreeOak Tree
Oak Tree
 
Pixar Summer Internship 2015: Personal Story
Pixar Summer Internship 2015: Personal StoryPixar Summer Internship 2015: Personal Story
Pixar Summer Internship 2015: Personal Story
 
Pixar Summer Internship 2015: Tortoise and the Hare
Pixar Summer Internship 2015: Tortoise and the HarePixar Summer Internship 2015: Tortoise and the Hare
Pixar Summer Internship 2015: Tortoise and the Hare
 
Disney Talent Development Test
Disney Talent Development TestDisney Talent Development Test
Disney Talent Development Test
 
2016 台灣虛擬及擴增實境產業白皮書 (Tavar協會發行)
2016 台灣虛擬及擴增實境產業白皮書 (Tavar協會發行)2016 台灣虛擬及擴增實境產業白皮書 (Tavar協會發行)
2016 台灣虛擬及擴增實境產業白皮書 (Tavar協會發行)
 
Hype vs. Reality: The AI Explainer
Hype vs. Reality: The AI ExplainerHype vs. Reality: The AI Explainer
Hype vs. Reality: The AI Explainer
 
Visual Design with Data
Visual Design with DataVisual Design with Data
Visual Design with Data
 

Similar to Defender economics

Mark Arena - Cyber Threat Intelligence #uisgcon9
Mark Arena - Cyber Threat Intelligence #uisgcon9Mark Arena - Cyber Threat Intelligence #uisgcon9
Mark Arena - Cyber Threat Intelligence #uisgcon9UISGCON
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityClaus Cramon Houmann
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defenseChristiaan Beek
 
Ten security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofTen security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofAdrian Sanabria
 
A Practical Security Framework for Website Owners
A Practical Security Framework for Website OwnersA Practical Security Framework for Website Owners
A Practical Security Framework for Website OwnersTony Perez
 
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesHiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesImperva
 
A Look Into Cyber Security
A Look Into Cyber SecurityA Look Into Cyber Security
A Look Into Cyber SecurityGTreasury
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalPriyanka Aash
 
Vulnerability Assessment, Physical Security, and Nuclear Safeguards
Vulnerability Assessment, Physical Security, and Nuclear SafeguardsVulnerability Assessment, Physical Security, and Nuclear Safeguards
Vulnerability Assessment, Physical Security, and Nuclear SafeguardsRoger Johnston
 
Conf 2019 - Workshop: Liam Glanfield - know your threat actor
Conf 2019 - Workshop: Liam Glanfield - know your threat actorConf 2019 - Workshop: Liam Glanfield - know your threat actor
Conf 2019 - Workshop: Liam Glanfield - know your threat actorTechExeter
 
Avoid These Top 15 IT Security Threats
Avoid These Top 15 IT Security ThreatsAvoid These Top 15 IT Security Threats
Avoid These Top 15 IT Security ThreatsJumpCloud
 
Trending it security threats in the public sector
Trending it security threats in the public sectorTrending it security threats in the public sector
Trending it security threats in the public sectorCore Security
 
How Malware Works
How Malware WorksHow Malware Works
How Malware WorksAlienVault
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Claus Cramon Houmann
 
Three Considerations To Amplify Your Detection and Response Program
Three Considerations To Amplify Your Detection and Response ProgramThree Considerations To Amplify Your Detection and Response Program
Three Considerations To Amplify Your Detection and Response ProgramMorphick
 
Security for Data Scientists
Security for Data ScientistsSecurity for Data Scientists
Security for Data ScientistsDavid Arcos
 
3 Tips to Stay Safe Online in 2017
3 Tips to Stay Safe Online in 20173 Tips to Stay Safe Online in 2017
3 Tips to Stay Safe Online in 2017Bret Piatt
 
Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Claus Cramon Houmann
 

Similar to Defender economics (20)

Mark Arena - Cyber Threat Intelligence #uisgcon9
Mark Arena - Cyber Threat Intelligence #uisgcon9Mark Arena - Cyber Threat Intelligence #uisgcon9
Mark Arena - Cyber Threat Intelligence #uisgcon9
 
Defending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricalityDefending Enterprise IT - beating assymetricality
Defending Enterprise IT - beating assymetricality
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defense
 
Declaration of malWARe
Declaration of malWAReDeclaration of malWARe
Declaration of malWARe
 
Ten security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard ofTen security product categories you've (probably) never heard of
Ten security product categories you've (probably) never heard of
 
A Practical Security Framework for Website Owners
A Practical Security Framework for Website OwnersA Practical Security Framework for Website Owners
A Practical Security Framework for Website Owners
 
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesHiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known Vulnerabilities
 
Spo1 r31 spo1-r31
Spo1 r31 spo1-r31Spo1 r31 spo1-r31
Spo1 r31 spo1-r31
 
A Look Into Cyber Security
A Look Into Cyber SecurityA Look Into Cyber Security
A Look Into Cyber Security
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formal
 
Vulnerability Assessment, Physical Security, and Nuclear Safeguards
Vulnerability Assessment, Physical Security, and Nuclear SafeguardsVulnerability Assessment, Physical Security, and Nuclear Safeguards
Vulnerability Assessment, Physical Security, and Nuclear Safeguards
 
Conf 2019 - Workshop: Liam Glanfield - know your threat actor
Conf 2019 - Workshop: Liam Glanfield - know your threat actorConf 2019 - Workshop: Liam Glanfield - know your threat actor
Conf 2019 - Workshop: Liam Glanfield - know your threat actor
 
Avoid These Top 15 IT Security Threats
Avoid These Top 15 IT Security ThreatsAvoid These Top 15 IT Security Threats
Avoid These Top 15 IT Security Threats
 
Trending it security threats in the public sector
Trending it security threats in the public sectorTrending it security threats in the public sector
Trending it security threats in the public sector
 
How Malware Works
How Malware WorksHow Malware Works
How Malware Works
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015
 
Three Considerations To Amplify Your Detection and Response Program
Three Considerations To Amplify Your Detection and Response ProgramThree Considerations To Amplify Your Detection and Response Program
Three Considerations To Amplify Your Detection and Response Program
 
Security for Data Scientists
Security for Data ScientistsSecurity for Data Scientists
Security for Data Scientists
 
3 Tips to Stay Safe Online in 2017
3 Tips to Stay Safe Online in 20173 Tips to Stay Safe Online in 2017
3 Tips to Stay Safe Online in 2017
 
Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2
 

Recently uploaded

Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 

Recently uploaded (20)

Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 

Defender economics

  • 2. Who is this guy? §  From Gothenburg, Sweden §  Security Analyst at I Secure Sweden §  Used to work for a big
 automotive company §  Computer security philosopher Ø @addelindh -> Twitter §  Security Swiss Army knife Ø Not sharp, just versatile J
  • 3. What’s it about? §  Understanding attackers, their capabilities and constraints
 §  How this information can be used to make better defensive decisions
 §  Bonus: provide input on how offense can get better at emulating real threats
  • 4. Inspiration §  This talk shamelessly builds on the work of some very smart people, so thanks: Ø Dan Guido (@dguido) Ø Dino Dai Zovi (@dinodaizovi) Ø Jarno Niemelä (@jarnomn) §  You should really go Twitter-stalk these guys if you aren’t already
  • 6. The thing about security
  • 7. Security truism #1 “An attacker only needs to find one weakness while the defender needs to find every one.” The defenders dilemma
  • 8. Security truism #2 “A skilled and motivated attacker will always find a way.”
  • 9. The sky is falling
  • 10. Attacker mythology Photoshop magic by Mirko Zorz @ http://www.net-security.org
  • 11. Meanwhile in the CISO’s office
  • 12. The thing about the thing §  On the one hand Ø Yes, attackers are evolving Ø No, you can’t protect against everything
 §  On the other hand Ø No attacker has infinite resources Ø Do you really need to protect against everything?
  • 15. Attacker math “If the cost of attack is less than the value of your information to the attacker, you will be attacked.”
 Dino Dai Zovi, “Attacker Math”*, 2011 *https://www.trailofbits.com/resources/attacker_math_101_slides.pdf
  • 16. Attacker economics §  An attack has to make “economic” sense to be motivated
 §  An attack that is motivated has to be executed using available resources §  Bottom line: keep it within budget
  • 17. Defender economics §  Figure out your attacker’s limitations
 §  Raise the cost of attack where your attacker is weak and you are strong §  Bottom line: break the attacker’s budget
  • 19. Attacker profiling §  Motivation
 §  Resources
 §  Procedures
  • 20. Motivation §  Motivation behind the attack §  Level of motivation per target OMG! Meh.
  • 21. Resources §  People and skills §  Tools and infrastructure §  Supply chain §  And so on...
 §  Willingness to spend resources depends on motivation
  • 22. Procedures §  Attack vectors §  Post-exploitation activities §  Flexibility §  And so on...
 §  Procedures often designed for efficiency, reusability, and scalability
  • 23. Two very different examples Google Chrome vs Malware Big company X vs APT groups
  • 24. Google Chrome §  61.6% market share (December 2014) Ø Source: w3schools §  220 RCE vulnerabilities in 2012-2014 Ø Source: OSVDB §  Should be an attractive infection vector for malware
  • 25. Attacker profile: Malware §  Volume driven §  Drive-by downloads §  Requires file system access §  Supply chain dependency Ø Exploit Kits
  • 26. Exploit Kits §  Most exploits not developed in-house Ø Repurposed from other sources Ø See Dan Guido’s Exploit Intelligence Project* §  Exploits developed for default setup §  Very few 0days §  Limited targets *https://www.trailofbits.com/resources/exploit_intelligence_project_paper.pdf
  • 27. 21 Exploit Kits in 2014 7 3 Exploits added in 2014 Flash Internet Explorer 7 8 88 179 0 20 40 60 80 100 120 140 160 180 200 Flash Internet Explorer Patch-to-exploit Shortest Longest Source: Contagio Exploit Kit table - http://contagiodata.blogspot.com/2014/12/exploit-kits-2014.html
  • 28. Chrome security model §  Strong security architecture Ø Tabs, plugins run as unprivileged processes §  Rapid patch development Ø Capable of 24 hour turnaround §  Rapid patch delivery Ø Silent security updates Ø 90% of user-base patched in ~1 week
  • 29. Chrome vs Malware §  Raised cost for exploit developers Ø Usually requires multiple chained vulnerabilities for file system access
 §  Raised cost for Exploit Kits Ø Few publicly available exploits Ø No market for exploits that are only effective for a couple of days
  • 30. Big company X §  50 000 employees §  Centrally managed IT §  No rapid patching §  Low security awareness among employees §  Has an APT* problem *OMG CYBER!
  • 31. Attacker profile: APT groups §  Target driven §  Phishing §  0ldays and 0days §  Off-the-shelf and custom tools/malware §  Post-intrusion activity §  Stealthy presence §  Professional
  • 32. APT groups – previous research §  “Statistically effective protection against APT attacks”* by @jarnomn §  ~930 samples of exploits used in the wild by APT groups 2010-2013 §  EMET was found to block 100% of exploits Ø Indicative but not conclusive *https://www.virusbtn.com/pdf/conference_slides/2013/Niemela-VB2013.pdf
  • 33. APT groups active in 2014* §  13 groups §  Active from 2003 §  100% spear phishing §  ~50% has used 0days (≥ 2) §  Only one exploit bypassed “non- default” 5   3  3   2   1   1   1   Exploited software Adobe Reader Flash Java Windows Internet Explorer Microsoft Office WinRAR *Source: https://apt.securelist.com
  • 34. APT strengths | weaknesses §  Strengths Ø Post-intrusion activity Ø Stealthy presence Ø Professional §  Weaknesses Ø Predictable attack vector Ø Unsophisticated initial intrusion
  • 35. Options for Company X §  Cheap but effective Ø Exploit mitigation Ø Secure software configurations §  More expensive and effective Ø 3rd party sandbox §  Very expensive and possibly(?) effective Ø Email security product
  • 37.
  • 38. Security is hard, but... §  Attackers are not made of magic §  Every attacker has limitations §  Understanding these limitations is the key to making informed defensive decisions §  Raising the cost (bar) of attack can be very effective §  This is NOT about being 100% secure
  • 39. For the pentesters §  Thinking like a hacker is not the same as thinking like an attacker
 §  Understand that attackers have scopes and constraints too
  • 40.
  • 41. Thank you for listening! Andreas Lindh, andreas.lindh@isecure.se, @addelindh Questions?