
The Audit - Cybersecurity Podcast
Brought to you by IT Audit Labs. Trusted cyber security experts and their guests discuss common security threats, threat actor techniques and other industry topics. IT Audit Labs provides organizations with the leverage of a network of partners and specialists suited for your needs.
We are experts at assessing security risk and compliance, while providing administrative and technical controls to improve our clients’ data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of the organization.
Tales from the Cybersecurity Trenches: Breaches, Badges and Backdoors
Breaches, phishing, attacker programming, and more, in this week of The Audit. Tales from the Trenches will talk about several scenarios our hosts have experienced with fraudulent situations, as well as ways these hackers implement their tactics. Tune in to The Audit today to hear more!
You're listening to The Audit presented by IT Audit Labs. Welcome to The Audit. My name is Eric Brown, and joining me today is Kyle Rosendahl, Nick Mellem and James Arndt. James is our guest today, as we're going to tell some tales from the trenches. Hey, James.
James Arndt:Hello, thanks for this opportunity.
Eric Brown:Absolutely so day in the life of James. What is that like? What do you do professionally?
James Arndt:I am a cyber threat intelligence analyst and so we get big feeds of malicious emails and malware coming in and we analyze that and send that out to our customers so that they can use that to check their own environments for legit, known bad things. So we've got a variety of roles that we are rotating through and it's been a slow week kind of this week, so I've been messing around with a lot of .NET malware, doing some research on that. It's pretty interesting.
Eric Brown:What's some of the things that you've seen?
James Arndt:Well, it's .NET malware. It's really quite interesting in that it is accessible to just about anyone. You only need a couple of tools like dnSpy, ILSpy. You just load it up in there and you can see all of the code just right there in front of you. It's not like you're digging down into binary or some obscure assembly language or anything like that. It's all just written in C# and you can easily just follow the code around and you know if I can do it. I think anybody can do it really.
James Arndt:But yeah, there's a couple of families that are all mainly written in .NET, like Agent Tesla keylogger, Snake Keylogger. Occasionally FormBook is also. And so when you can get past that initial first stage and get into the second stage where all of the different variables and things, its C2 channels, its email addresses it's sending information out to, once you get to there, then it all is just laid out right in front of you. You can really see the internals and how it works.
Eric Brown:It's really quite fascinating. What have you seen recently as far as? What are they going after?
James Arndt:Well, it really kind of depends on the malware family. When it comes to, like, Agent Tesla or Snake keyloggers, they're really just embedding themselves on the endpoint and then just, well, being a keylogger that is monitoring all your keystrokes, grabbing them all and sending them off to whoever is listening on the other end. Snake Keylogger is also quite modular in that it can also run through all of the installed programs on your endpoints and start trying to grab saved usernames and passwords inside them, mucking all those together and then sending them off to the bad guy too. So, yeah, grabbing passwords, keylogging, screenshots even, and all information about the endpoint too. So, whatever it is that the bad guy is going to try to get, yeah, he'll try to do it.
Eric Brown:Wow, and how are these getting onto the end user's workstation?
James Arndt:Through phish, as always. You know they're just. It is not overly difficult for an attacker to sneak malware or sneak a malicious attachment in an email through all of the security devices that are on your network and get it to a person's inbox.
Eric Brown:And then when they click the link.
James Arndt:Yep, yep, they open up the HTML attachment and they click the link, and sometimes well, okay, sometimes, when you open the HTML attachment, you click the link, the actual first stage is embedded directly in the HTML document itself, so that looks like you just downloaded something. You open it up and, hey, what do you know? It's malicious, executable. Other times you click the link, then it downloads something. Most often, though, you click the link in a malicious e-mail or attachment, it brings you to another web page and then asks you to download the thing. That's how they're bypassing. It's not necessarily the case that the malicious thing, the stage one, is always inside the email itself.
Eric Brown:So it used to be that you could prevent users from having local admin on their machines so that they couldn't install these executables and you'd have ways to detect C2 callouts, or command and control callouts on your network. Are you seeing ways now that the threat actors are able to bypass these things?
James Arndt:A lot of them, it doesn't require administrative rights to run them in user space. I mean, at my old company we'd have to play whack-a-mole because people were installing a browser that we didn't want them to. Well, they didn't need admin rights to install them locally as a user. Well, malware can work the exact same way. Also, when it comes to C2 information, yeah, if you know about it, if your whatever network security devices you have, if they know about it, then they can detect it.
Kyle Rosendahl:But, man, if you don't know it, it's not always the case that it's going to be found. Yeah, so when these are getting installed? So I mean one of the things, how effective do you find like endpoint, new endpoint protection programs to be, right? I think a lot of people use something like CrowdStrike, Palo Alto. Symantec is out there, right? I mean, they all have these new EDR platforms for endpoint protection. How well are these guys getting around those protections to get their code executing on the boxes and what are some of those strategies that they're using to kind of bypass those EDR detections?
James Arndt:I really don't live in that aspect of malware analysis and just testing out different EDR tools. What I do know is that, depending on the EDR, you know they'll be looking at different behaviors as to, hey, where did this actually get installed from? Where did this get executed from? Somewhere in downloads? Okay, maybe that should raise an alert. Is this a DLL that's being loaded up? Is it signed or not? And then whom is it signed by?
James Arndt:So there are different ways that they can try to detect all of this stuff. For a while, everybody was hating on you know, using signatures and antivirus products and stuff. But there's a lot of them, but they're fast and they're good at detecting yesterday's stuff. The new hotness now is always how quickly can we figure out and find today's stuff? And that's how you get all of these different sorts of behavioral analysis and behavioral analytics promises that EDR vendors are selling. So yeah, that was at my old job. I lived in that quite a bit. As far as nowadays, man, if there was something that attackers were doing and it wasn't working anymore, they'd find a new way to do it. So what's the quote from Jurassic Park? Life will find a way. Well, so will threat actors.
Eric Brown:So it's interesting that you talk about the phishing, and I think we've all seen this, we all know it, we all talk about it that phishing is the number one threat vector for our end users to be attacked, and I saw one over the summer that just reminded me how ingenious these threat actors are and can be and why we need to continually educate and remind our users the importance of really paying attention to the emails. It's not just emails that have links in them. The one that I was involved with involved the company that I was working with and then their third party rental broker property manager. So the company I was working with had a few rental properties. Somewhere around $16,000 a month in rent was due to one of their property management entities that they rent from through this property manager, and that property management company had suffered a breach previously, maybe a month or so before, and had not told their customers of this breach.
Eric Brown:So the property management company was breached. One of their employee accounts was taken over. They reviewed all of the emails that were in that person's account, learned about their customers and started crafting email rules that would send emails off-site to another email address that the threat actor controlled. So when the property management customer sent an email in, that email would be rerouted to the threat actor's mailbox and they could curate and learn about their intended targets, which were the property management company's customers. So in this particular instance, the threat actor crafted an email on behalf of the person's account that they had compromised and at this time the person doesn't know that their account's been compromised and they send that targeted email to that customer, who happened to be the company that I was working with, and the email was structured where it was enticing, in that the email said we are changing our ACH information and we want to offer you a discount of 5% if you prepay your rent through the end of the year. So $16,000 a month times six, somewhere close to $100,000 in rent. They get a discount of 5% on that if they paid by the end of June and there's five days or so left in the month of June at this point in time.
Eric Brown:So the person at the company I was working with then sends back well, you need to fill out this information change request, which was a form where they put down the new ACH routing information and contact information, as the policy was that you call to verify any bank routing change instructions.
Eric Brown:But this is where things got a little bit convoluted and they received back the form and then that form needed to go to a different department and that department would do the verification.
Eric Brown:Well, the threat actor added that undue pressure of it's getting close to the end of the month, we need these routing instructions changed in order to take advantage of that discount. With that time pressure and not following the administrative controls that were in place, the ACH routing information was changed, payment was sent, and the person that thought they were doing a good thing for the company did that, had it done, sent it off to finance and said, you know, this information needs to be changed. Finance changes it, executes the payment and then everybody forgets about it until about a month and a half later where the property management company then reaches out via phone and says we didn't get payment for the last two months and then that ensued an investigation and discovery of actually what happened and at that point in time that property management company revealed that they had been previously breached. So, long story short, phishing without actually clicking on a link is still widely prevalent and it works.
James Arndt:Nice Did that company. Then, did they change up any of their procedures for payments going outbound and did? Do they have now checks and double checks on top of that?
Eric Brown:That is in process as I understand it.
James Arndt:It seemed like in a situation like that, it's not necessarily the person's fault who messed it up or who blindly believed the person on the other end, you know.
Eric Brown:Yeah, absolutely. And you know, I think it's one of those things that it realistically could happen to anybody and no matter how many technical controls you put in place, you need those administrative controls that are thoroughly reviewed and tested and then roadblocks cleared or the process restructured. When you do run through those in a tabletop exercise and you sit there and say, wow, you know, yeah, this isn't working. It could take two weeks to get this approved because of all the bureaucracy. Let's fix that. And you know, unfortunately, you know, without that, those tight and tested administrative controls, I could see this happening again. For sure.
Nick Mellem:Yeah, that's a wild story. I think one of the biggest problems and things I hear that happen in a situation like this is everybody is quick to blame it on the phish or however it came in, but nobody ever steps back to realize nothing was reviewed. The processes weren't reviewed. How long has the business process been in place? So when we go back and review it, we realize well, that probably was one of the main issues. I think we don't review policies and procedures enough to prevent situations of this nature. But great story, very interesting.
James Arndt:Yeah, that reminds me I heard this in a class one time where the instructor was saying you know, let's say that someone at your company does have an eight-character password and it does get cracked super easily. You could say it's that person's fault for having an eight-character password, but what technically allowed that person to make an eight-character password in the first place? That's the problem.
Eric Brown:Right there you have to get down to the root of it and understand. Yes, if we understand that the problem is that technical control, well then that's something that you can fix, and in that case, there'd be the technical control that would enforce the password, the characters and the length of the password, and then there'd be the administrative control that would say that it's okay for the company to have a character password. How about you, Nick? What have you run across in your past?
Nick Mellem:Yeah, I'm glad you asked. So when we were talking about doing this, I was trying to think of all the great stories and I always come back to social engineering because it's my favorite of all the cybersecurity it has to offer us. But when thinking about the stories and what we've been through and recently we, you know, have engaged in different types of social engineering, but this specific story was in person and the company engaged us to test the new RFID badges that they just had installed. I think that's what we're seeing more often nowadays is everybody's going away from the physical key and they're going to the reader, so you get within, I think, generally under 12 inches. Sometimes people just touch, you see them touch the pad and the door unlocks. So they specifically wanted to see if we could utilize this new technology and gain access to the building. So when we were doing this, this was specifically at a production company of a construction company. So there's a lot of people in and out, a lot of moving pieces, which generally aids in our effects, making us more effective.
Nick Mellem:So what we did is we essentially reverse engineered one of these readers and you can get cloners online. I think Hak5 makes them, if I'm not mistaken. So we took one of these, uh, and kind of reverse engineered it. So every time we walk by somebody with a badge, it was essentially taking the reading of the badge. It houses, though, that information. You go back to your office, car, whatever, whatever have you, and you start cloning badges and see which ones work. So the easiest way we found to do it was put this reader actually in a bag or a backpack. We dressed up as the UPS driver making a delivery, carrying a bag. We walked through the lunchroom, basically just around, and nobody said anything to us because we had a clipboard and a package, right. Those are kind of the two items that you pass, go, you're good, right, they see this, they don't question you. So we walked through a bunch of areas. At the end we totaled about 12 badges that were read.
Nick Mellem:So we come back the next day when we, after we clone the badges, the one we found to be the most useful was maintenance. Right, generally, maintenance has access to everything. So we used this. We did try all the badges that we got to clone. But when we used maintenance we were able to get into basically any room we wanted and in this case, including the crown jewels, right, we were able to get into the server room. So then we were able to use different Hak5 tools, right, the Shark Jack, and we kind of bled over into there. But the most fun, right, was getting this badge reader to actually get the badges and walk around here and collect all that data and just see that people were not questioning us at all.
Eric Brown:So that was one of the most interesting, most recent stories, I think. Again, I think that comes back to those technical control side where there's quite a few things that you could do with. Encrypted readers make it harder to clone them. Although, al, I think you've got some tools where you've cloned the encrypted badges before, but that's probably a different podcast, but you've got those technical controls. But then you have the scenario of the impossible travel which we look at in the IP space. Right, you know, is this user coming from New York and then 10 seconds later they're coming from Moscow? Probably something not quite right there. We could do the same thing as security practitioners with badge access. If we see person one going into building one at 10 o'clock and then at 10:01 they're going into another building across campus, well, that's probably unlikely because of an impossible travel scenario.
Eric Brown:And I think the way in which most organizations are set up is property management controls the door, the badge access and the door security and information security controls the technical side of the security for the organization, and those two don't often meet or don't often have access to each other's data. But I think in just about every organization that I've worked in that was large enough to have multiple departments. There was that separation of duty between the property management side and the technical information security side. But I always thought it would be an interesting thing to go and grab the logs from the door readers and just comb through them and see how much impossible travel is in there and identify which badges have been cloned.
Nick Mellem:Yeah, absolutely. And I think you know with the technical controls the biggest issue we have is just not educating staff on actually confronting people that they might think are illegitimate. Right, we don't question authority. In another instance we actually dressed up as a fire marshal checking fire extinguishers. So again, where people just think, oh, they're important, they've got a badge, we just rigged up a badge on a little plastic thing. Quick, you know, you don't get close enough, you won't notice. Similar to the story I just told. It's still a technical issue with the technical control, but it all kind of comes back to the same issue. So it's a position of authority. Generally, it's fair game.
Eric Brown:Okay, so you can get in anywhere with a clipboard Exactly.
Kyle Rosendahl:Yeah, and I think, Nick, that's an interesting point too that you bring up about not training users or people to confront people that they think might not belong, right, I mean, working in the consulting space, we're constantly among different buildings, different work groups with different clients, things like that, right, we're constantly kind of a new face in new areas. Um, sometimes we have, you know, badge access with readers that function. Sometimes not so much, but the number of times that I've been able to just tailgate somebody through a door or just look like I belong there and they'll hold the door open for me and say, oh, you're going this way and you go, oh, yeah, yeah, yeah, right, and you just put on a smile and walk through the door. Nobody really gives you a second thought, right, and similar to Eric's story, where you see an email and if you think about it too long, you know maybe something doesn't seem quite right.
Kyle Rosendahl:Or you think about, you know, leaving the door open for somebody that you don't know 100%. You know there's always that. You know what if they're here for something bad, or what if they're doing something, or what if this isn't what they say that it is right when it comes to an email or tailgating someone through a door, and I just think people don't want to be uncomfortable and have that potentially awkward conversation of like you know I'm interrogating somebody because I don't recognize them. They're coming into my office space right Like people just want to do their job and get home and do a good job in most cases. So it's just interesting that so many of these are possible just because people don't want to rock the boat. I guess in a lot of cases Well, we are Midwest nice.
Kyle Rosendahl:We are, yeah, and it's good and it's bad. Right, I mean, try to tailgate someone into New York. I'm sure it's a different story than doing it in Minneapolis.
Nick Mellem:Yeah, you're spot on, Kyle, with everything you just said, and it does make it very difficult to train and educate staff. Because of that, I think that when we are educating staff, one thing that I think about is ask a question that is friendly, right? You ask them hey, who are you going to see? Where are you off to, what meeting are you going to? And that's when you start to think, okay, well, I've never heard that person, or maybe they have a long pause, right, or they start to trip up there. So to me it's well, would you let somebody tailgate into your own house? Right, obviously you wouldn't. But we go back to. Obviously, if this person's got a clipboard, I'm probably gonna let them through. So it is very tough to you know kind of figure out what's right and when what's wrong, because you don't want to confront somebody. But, yeah, great points you're bringing up, absolutely.
James Arndt:You need to have that culture of security built in from the top down, though you know you need buy-in from the upper people in order to push that down to everybody. Otherwise, if it's just from the security team, you might not get all the way across the company like you need to kind of gets a looped in with the phishing training.
Nick Mellem:Right, we give it all the time, but somebody's still going to click on that email or the link with an email yeah, and I mean speaking of that.
Kyle Rosendahl:I mean that kind of leads into my story that I prepped for today. But you know, there's kind of social engineering, trusting all of those pieces, and maybe it'll be a good segue for Jamie too, or James. It started with a penetration test that took place at the client. I mean years past, years before I had even started there, this group of penetration testers, during the engagement, ran a phishing campaign, right, so sending out emails that look legitimate to drop a piece of malware onto the client computers to try and get remote access to those systems or command and control capabilities, you know, just kind of basic stuff. And they sent out this email that looked like it came from the Citrix organization and said hey, you know, your Citrix client is out of date. Install this application to update your Citrix and everything will be good to go. So they did that. In reality, there's actually a, what was the tool set, PowerShell Empire, which is like a kind of C2 framework for PowerShell. I think there's some Python scripts with it now. Gives you a whole slew of capabilities. I don't know if it's currently being worked on, it was for a while, but anyway it was just basically an HTA script that would execute in the browser and then do a callback to a C2 server that lived off at the penetration tester's company. So they send this out. Years later,
Kyle Rosendahl:I start kind of helping out at this client and looking through some of their logs, looking through some of their old stuff, looking through you know, alerts that are popping every so often. And there's this one called citrix_update.HTA and it keeps going off and saying, hey, this looks like you know some malicious file. This looks bad. This doesn't look good. And you know, having just started there, I'm like, hey, team, what's this file that's hanging out, right? Like this notifies us that it's bad. This says it's bad. You know, everything here says it's bad. If we upload it, it looks like it's a bad piece of malware. And they're like, oh, it's not malware, it's just a Citrix updater. You know we keep it around in case we need to update anybody's Citrix. And we're like, okay, cool. So you know, I let it slide the first time and it pops up again. And it pops up again. So I said, okay, what am I going to do with this? So I grab it. Not super difficult to get into, I mean, it was basically just an HTA, which is an HTML application file, basically just base64 encoded. A little bit of kind of trickery here and there to obfuscate. It wasn't necessarily encrypted, but it was obfuscated code in there.
Kyle Rosendahl:Pull that apart, see what it's doing, run it in a sandbox that I had, find the IP address that it was reaching out to pull back those records, go to that IP address and say, okay, who owns this domain that lives there? Sure enough, it leads back to that penetration tester's domain. You know somebody else who's doing security work and so I reach out to their guy over there and I say, hey, you know, I've got a question about this file that I found on our systems, not knowing at this point that it was part of a penetration test, just like. Well, you know why is this thing reaching out to your servers? You know I'm thinking could it be? You know a man in the middle like they're trying to send it to another trusted source and then exfiltrate data. You know what's the purpose behind this and he's like, oh no, that's. Yeah, let me pull those old reports. You know, here's our old reports we did for this client back, you know, four or five years ago.
Kyle Rosendahl:And yeah, here's that file. It says it was a Citrix update and nobody had cleaned it up, right? So it's an instance where people receive this email, they receive this, this thing that looks official, they believe it and then they save it in longevity to hang on to it and say, oh yeah, no, this is an official document, right, we got the email, this is fine. Even when the penetration test completes, the report is handed out, nobody goes through and cleans up the files. Nobody alerts the entire staff that, hey, you know that file you received that's not really a Citrix update, right.
Kyle Rosendahl:So I mean a successful phish. In the fact that you know not only one was it successful and it helped them achieve their goals during the pen test. But it was also successful in that, you know, they trick people for years on end into thinking that this file isn't what it is. And even, you know, faced with detections in their anti-malware, in their endpoint detection softwares, right. Even when faced with the evidence that, hey, these things say it's malicious, they were like, no, it's not malicious, right, this is a totally normal file. Somebody sent it to us. That's just a misclassification. So, you know, when it comes from an official source or something somebody thinks is an official source and they don't want to rock the boat, right, then even when given evidence against that, they're still going to just claim it's the other thing. So a pretty interesting story, both on making sure you actually clean up after your penetration tests, but also don't always believe everything everybody tells you in an email, so that's really similar to a social engineering situation.
Nick Mellem:right, you don't question authority, you don't question what somebody told you, and it lives there as a backdoor forever.
James Arndt:So were those HTA files still calling out regularly.
Kyle Rosendahl:Only when somebody tried to execute it. Now our anti-malware was stopping it from running because it recognized the source right. That's saying, hey, this is an Empire script, and so no, they weren't calling out anymore. But I had to get the actual file out of the quarantine when it got picked up and then pull it apart to find where that IP was hard-coded. So no, they weren't receiving any traffic from us, but people were trying to execute it, and then it would get caught and then sent off to the security team.
James Arndt:Who did not seem very concerned about it.
Kyle Rosendahl:Yeah, until we started taking a really close look at it and I got to write up a whole like five, six page report. I'm like here is why this is not a Citrix update, right, like, here's all the evidence, here's all the screenshots. You know, go do it yourself. Here's how you pull it apart, you know, similar to what, James, you do for work, I'm sure, but I mean, just step by step, pull the thing apart from, you know, obfuscated to plain text, and show people that no, it's not what you think it is.
James Arndt:Pretty much. Well, one time I messed with a pen testing company. It was pen testing us. It was when I was working for an electrical utility. You know, phishing and phishing analysis, that was my bread and butter. I love that. That was my favorite thing.
James Arndt:And we start getting reports of coming in and the email was beautifully written. It had some C-level persons. You know their signature, phone number, cell phone number and the signature. I mean it was perfect. I followed the link safely and it came to an exact copy of our login portal. I mean it was branded and everything. It was beautiful.
James Arndt:So I was like, oh, I mean it was one of those times like, okay, I know, we're a target, we were definitely being targeted. This was bad, all right. And then 20 came in, 30, and then up to, like you know, maybe 75 to 80 of these all came in to different people around the company. Like, okay, okay, okay, get all hands on deck, right, start going through it. We're blocking any sort of traffic to that URL. We're, you know, getting a list of all the people who received it. We're deleting it from inboxes and then a different one starts coming in from a different C-level person. It was beautiful again. It had all this information in it, still going to the same, like, oh, this is horrible. And then one of my coworkers says wait a minute, wait a minute, are we being pen tested right now? And we're like, oh, you're probably right, because this wasn't just really really good, it was perfect. It was almost too perfect, right? So what I did was I put in a fake username and a fake pin and just left it. That told my boss. He's like okay, good job guys. So we wrote up what we did and everything and we did that.
James Arndt:Well, some weeks later, the pen testing company came to our company and they did a big you know all hands meeting about hey, how did it go? And everything. And they even did some physical pen testing too. And you could see on camera how they piggybacked off of someone. They, you know, had on the appropriate looking sort of you know helmet and gear and jeans and boots and they were carrying big binders that were branded with our company stuff, you know, and they just snuck right in behind someone.
James Arndt:But when he was talking about the phishing email and the stats and what they were sending it out to and everything. That's when I perked up and he's like, yep, we didn't get anybody to click on it, but we did get one Not that they didn't get anybody to click on it, but as far as gathering actual usernames and pin numbers and everything you know because they were waiting for them to come in so that they could quick take that pin and then just reuse it on the site and get back in. But he said, yeah, I know that we got found out because somebody put in the username Jenny and the pin number 8675309.
James Arndt:Everybody died laughing. He's like all right, who was it? And so I raised my hand. He's like all right, that was hilarious, that's going on our wall of pen testing memories and so. So yeah, that's, but still, when you don't know you're being pen tested and you see the perfect phish coming, it's like this is not good. And then everybody starts getting one. It was a good test of our incident response and email deletion capabilities. It all turned out well, though that's good.
Eric Brown:And Jamie, you do a little bit of instruction or work with SANS too, don't you?
James Arndt:Well, I was in the SANS mentoring program for a while. A while I had, you know, that was just like a local community class, where it wasn't the full seven-day course, you know, it was maybe one or two hours and one night a week for maybe six or seven weeks and so, yeah, I was doing that. That was a lot of fun. I have teaching in my background too, and so it was a lot of fun to do technical things. But it was during the pandemic when SANS, when they closed down the mentoring program, since so much of their content is also available to streamed online or just prerecorded, so it makes sense for them to have closed it down. But boy was it fun when I, when I had the opportunity.
Eric Brown:Yeah, good for you, and I know those courses are really well received. I don't think you can go wrong with any of the SANS courses and I know the folks that have taken them on the teams have all spoken very highly of them.
James Arndt:Yeah, they have a very impressive cadre of instructors working for them. They're all very, very good at what they do.
Eric Brown:Yeah, Jamie, thanks for coming on, really appreciate your time. I've always loved the work that you've done and the training and the chats that you've done with the teams when you've come in and done some in-person training, so thank you for that as well.
James Arndt:You bet Always happy to help out. Thanks again.
Eric Brown:Want security leadership without the headcount. As an extension of the team, IT Audit Labs will provide the experts to guide and counsel your company. We will start by creating a custom security program that caters to your industry while providing transparency and remediation to improve cyber posture while reducing risk. Contact IT Audit Labs to find out more.