Purple Teaming with Reut Weitzman
Reut Weitzman · March 8, 2024 · 42:13
Welcome to the Security Cocktail Hour. I'm Joe Patti. I'm Adam Roth. So Adam, we have a special episode today. Yes, it is special.
Wait, wait. Are we interviewing turkeys from Staten Island?
No, we're not interviewing turkeys. They're apparently very, very wily. We can't manage to catch any. But we have our first returning guests. Somebody who was already on actually agreed to come back. So that's cool.
My question is, how much money did we give her? I don't even know.
Well, I know how much I gave her. I don't know if you gave her any more. But anyway, once again, we have Reut Weitzman. Reut, how are you today?
Hi, guys. I'm good. How are you doing?
We're doing OK. I can tell you, here in the New York metropolitan area, it is snowing for the first time of the year. And I'm guessing it's not snowing where you are.
No, actually, I'm in Israel, and although this is January, we are having such a wonderful weather. It's beautiful outside.
Oh, that's good to hear. I think our record is over 600 days of not more than an inch of snow. I'm going to think it's about over 60,000 days in Israel with not one inch of snow. Yes, probably.
Not since the Ice Age or something, I don't know. Anyway, so we're going to be talking about a really fascinating subject that we've mentioned before here and there. We come up with a lot of good stories with it about purple teaming, which is a type of, you know, kind of war game type exercise. But before we get into that, let's get to something important. Let's get to the cocktails. Your choice for you. Last time we had a really interesting one, the Negroni that stumped me, one I hadn't had before. What do we have in this time?
So this time I went with strawberry gin, which is actually gin and tonic with some strawberry inside.
Well, I have to, I have to apologize. I'm going with the straight gin and tonic. I didn't have any, any strawberries because I, well, I guess I kind of forgot to go to the supermarket. So I can't say we can't get them in the winter here because we can. Are they sponsoring us? I don't know.
Any money I might or might not receive, I can't disclose.
Well, cheers everyone.
Cheers guys. Oh yeah. I can't get my top off.
You're so unprepared for class. God, you know.
Sorry. It's supposed to be a twist off. I must be weak.
It's not a twist off and you don't have a bottle opener. That's, that's great. I do have a bottle opener. Well done. Thank God. I thought you were going to have to like use the end of the desk, like in a, like we did in college. That's what you used. Great. Very impressive.
Well, just to let you know, sometimes you have to use adversarial force in order to accomplish your goals. I'm known as the red teamer in alcohol and getting bottle caps off.
I guess so. And I guess, you know what, that is a very clever segue into our topic. So why don't you tell us what a purple team exercise is and a little bit about, you know, what, what you do with them.
Yeah, sure. So purple team concept is essentially a collaboration between the traditional red team playing offense, being the attacker, and the blue team playing the defense, the monitoring team, usually.
So we have the mix of the two. And I think the term, if I remember, it kind of comes from the, I mean, if you go way back into the military thing, when they, when they do like actual real military exercises, isn't always a, when you see on the, on the board, isn't always like the red or the bad guys and the blue are the good guys.
And, uh, so exactly, exactly.
Right.
I don't know about good and bad. I mean, red team is the offense and blue team is the defense. You can still be offensive and still be a good person.
I know many people who are offensive, who I suppose are morally good people, but, you know, I mean, I get what you're saying, but, you know, well, it's, it's, well, it's, it's attacker and defender because, you know, we have other things where there's a penetration test where you just have someone trying to break in to test your defenses.
So, right. Where do we get the, where do we get the color purple from?
Well, it's the mixture of the colors, right? Red and blue, mix them together and you would get purple. Yeah.
Yeah. I want to make sure.
Wow. Adam, could you come up with a more softball question than that? I mean, that's just about the easiest thing, you know? Well, I'm, I'm amateurish, you know, that's how it is. No, but it, but it's interesting because it is, it is a little bit, different than what people might've heard of, because the point of it is not so much to test your systems, but to really test and exercise your defenders, right? Because there's, you know, defense now isn't art. We don't just sit and wait for things to happen. There's more of an active defense going on in most organizations.
I mean, if you look at it overall, right, a purple team's meant to simulate a real attack, but real attacks happen sometimes over periods of days, weeks, months, and even years. Part of a purple team engagement, and Reut is the expert on here, expert on this, is you condense the timelines and then there's kind of rules of engagement. So some passwords might be handed over and stuff. But Reut, can you explain more about that?
Sure. So what we would usually do, the red team would develop tailored attack scenarios that are designed for the organization environment, the security posture, the critical assets. And they would do that with a varied level of sophistication from commonly used attack techniques to compromise simple things like Active Directory to tailored cloud or OT-based attack simulations to actually get the organization's security team to feel what a real attacker would be able to do. So the red team would actually do a live attack and see if the blue team can identify it, if they know how to investigate, how to respond.
I got this kind of weird question, right? Do you ever have a blue team engagement where you just wanted maybe to hurt the person on the blue team because they were really obnoxious? On the blue team? Maybe on the red.
Well, not hurt, maybe at most embarrassed. It's not usually physically harm and physical harm in these attacks. It is a cyber exercise, right?
I know, but I've heard that, I don't know, maybe a certain individual might have been really bad during the engagement and did things that they weren't supposed to do at certain periods of time and probably not really happy with those people.
Well, you know, it is, you know, as you were saying, it's, it is targeted in the sense that you do it to test things, right? You want to see how is your blue team or your defenders going to be able to see something and how do they respond to it, right?
Right.
Right. OK. But it is interesting. It's very technical. It's very deep. We do all these things. But it can get kind of fun. Not heated, but there is, nobody likes to lose. Everybody likes to lose, right? I mean, you have a lot of that element.
It's a banter. It's a banter in a way, right? It's a banter because, you know, look, like full disclosure, we've engaged in other parts of our life and purple teams. And, you know, there's a back and forth is like, um, you know, a 20, if you may, you know, sometimes the blue team will try to do things in order to kind of be playful with the red team and the red team will do things. It's almost like, you know, if you look at an engagement and people do things sometimes just to kind of antagonize or push, there's no disrespect there. It's just a lot of fun. So for example, maybe the red team might do something to somebody's computer just to be playful, maybe change the screensaver or change the backgrounds or change something like that. And the blue team might do something like gather artifacts that they shouldn't be gathering. That's what I'm getting at.
That's an interesting concept. Yeah.
Well, actually let's ask about that because we have made certain assumptions that people do purple teams the way Adam and I have done them, where yes, there is a little bit of, and I want to say fooling around, but trying to show who's smart, and we have stories that we've told before, we'll tell some more, uh, about some of the kind of funny things that can happen when weird things happen. I mean, where you've been, you've done a lot of these, including with us. Are they usually that lively? Do you usually have, uh, that much playfulness and, uh, you know, real, uh, I don't know, people being really animated and into it, or is it typically
The real question is, are we not special?
First off, you are special. Yeah, we've been working with you for several years, so we already know you good enough and we're friends by now, so you are special and we're doing more fun and goofy things with you. And also, you were so well trained and mature, so we had to be more creative with you. But the point of the exercise is actually to provide support to the organization's monitoring team to train them how to react to triggered alerts, how to identify tools and techniques during the exercise. So usually it's more serious, I would say. But with you guys, really, we've been doing that for several years. So we had to come up with new tricks.
Okay, so then let's say it's a... someone who, an organization who's new to it. They're doing their first purple team exercise. You know, what would you recommend or what would you typically do as sort of a starting point? You know, what would be the, you know, kind of, I don't know, I don't want to say beginner's package, but you know, for a first exercise, what sorts of things would you recommend to structure it?
That's a great question. First off, the organization should understand if they are mature enough to actually conduct such an exercise. They should have a solid foundation of security measures in place, including well-established policies, procedures, processes, regular vulnerability assessments, functional incident response plan. So, essentially, the organization will have to have proactive security stance before engaging a purple team. They would have to have a security team and monitoring team that would know how to react because we're actually attacking in real time. If there are areas of lack of visibility or if they don't know how to investigate, they wouldn't even see the attacks.
So if you don't have a good monitoring capability and response capability, you're kind of wasting your time because you won't catch them. You're also probably in a lot of trouble, too, because the real bad guys are coming in.
Yeah, because they have bad posture. But I think it's also safe to say in our particular case, you know, it wasn't me. It wasn't Joe. It was a really incredible team of people that really worked together extremely well. So yeah, we did have the tools. Yeah, we did have talented people and people a lot more talented than me. But we were able to be cohesive like any team. A team is only as strong as its weakest individual. And we had some really strong people that were very capable. Plus, you know, I don't know if it's part of the purple team, but I heard that somebody infiltrated your refrigerator at your headquarters.
Adam, Reut already told us that we're special. It's okay. You got it.
But yeah, but you know, I wanted to throw that in there. I'm using this episode as a resume.
No, sorry. So getting back to it, it's like, okay, if you want to do a purple team, first you need a mature organization with a response capability that you want to test. So say you've got that, then what kind of things would you recommend starting with? How would you start to put it together?
Can I just drop one more thing in there? So I think it's important to also talk about like incident response, right? The blue team should understand the basics of incident response. If they don't understand that, then they're going to be completely lost. Does that sound accurate?
Yeah, exactly. Like you said, they would have to be able to identify that there is a suspicious activity to realize that this is an actual attack, to investigate what the attacker has been doing, what was the infiltration vector, and what was the damage if it's not too late.
So, I was gonna add to that. I was gonna say, you know, that's kind of like the basics, right? You know, incident response, you need to know how to react, but you also need to know how to record, you know, different methods of recording chronologically events in order to determine when you might have been compromised, you know, gather artifacts, have good understanding of custody, custody of artifacts, so that if you have to use it in a court of law, if you have to use it with law enforcement, let's keep in mind, right, you're in Israel, but you don't just do this in Israel, you don't just do this in the United States, you've done it in other countries. So each of the countries have its own rules and regulations in order to engage in a real incident and that's applicable as part of the purple team. Does that sound right?
Yeah, that's correct. And even more than that, not just for regulations or for additional investigation when law enforcement are involved, but also for the organization itself. We also teach when we're doing those purple teams, special methodology of how to investigate events, how to keep the proper timeline, how to collaborate with the different teams. I've seen some organizations who are used to just open a Slack channel and write whatever they identify on the Slack channel, but it doesn't really sustain when it comes to a very long investigation. It might work for a short exercise, but if you really have an incident that would require a long investigation of days, maybe weeks, months, then we would recommend different methods. Also, like you said, we've been working with different countries, so we've seen different types of methodologies. Another thing to keep in mind is how you record the timestamp, to be universal.
Yeah. I was just going to say that. Yeah.
Yeah.
Yeah. That's perfect. Cause I know that sometimes organizations, even though they're international, you can be in the United States. Meanwhile, your SIEM tool is using one time zone and then you're not coordinating everything. Even though you might be in many different countries, you should be using a Zulu time or right. Is that how it works? Yeah.
That's what we would recommend.
Zulu time. I haven't heard that term for a long time.
I'm actually 99 years old.
No, but I know it's true. But that's one of the things you can learn from the exercise is that it was too hard to respond. It was too difficult to, you know, do the investigation. You know, here are some of the things that were that you need to improve on. Right. That's part of the point.
Right.
Well, it's got to, it's got to hurt Reut and her team when they're engaging another team, a blue team, and they're really lost. I mean, some teams I'm sure really have to be handheld. Um, every team has to be handheld. When you, when you're dealing with red team, it's a red team. That's been very seasoned, uh, coming from the backgrounds that most of you have come back from most of you, military trained, most of you who've been highly engaged. And then meanwhile, you have blue teams, like our blue team, we do it once a year, even though we might be somewhat okay, or somewhat good, we can't be as polished as a red team. That's been doing it every single week or every single month. You know, there's, there's no ego. There really shouldn't be an ego. Um, and, and that's what happens, right? Some people I'm sure get upset, like, Oh no, no, they're cheating. Well, I did, um, you know, all egos aside, you have to really be humble about how you deal with a sophisticated, well-polished red team. And I'm not looking to put you guys at a pedestal, which I just did, I guess, unfortunately. But you guys are good.
Thank you. Yeah, like you said, we are doing that every day. And so when it comes to responding to incidents, we're working on four different incidents every day. So our team is very trained, very experienced, and also we share all this knowledge. As a consulting firm, knowledge is our power. So it's very different because most organizations, hopefully, will not have to go through a cyber incident in their lifetime. But when it happens, it happens once and you want the best with you or people who are very trained, right? So usually when that happens, people do put their egos aside.
Well, you know, that's a really interesting thing because, you know, we're talking that it is, you know, it's a game, it's an adversarial, you know, you have two teams going against each other. And, you know, there can be, I'm curious to know, you know, have you seen cases where, you know, egos are a problem, or even where you, you know, to the point where you've even had to say, you know, some of your recommendations are, you know, I'm sure you put in consulting language, but people need to grow up, so to speak, or they, you know, because they're not focusing on the things that they need to focus on, have you?
Why are you talking about me, Joe?
Stop. I'm not talking about anyone. I'm saying hypothetical. No, seriously, because insecurity, there is a lot of psychology and organizational dynamics and things. Of course, you never encountered that with us, but I'm just curious if you have to deal with those issues at all.
No, actually, no, it never, I never encountered that.
That's good to hear. Do you think that's because you just work with such fine people, or, I mean, just thinking maybe that's because you need to do this with a, this kind of thing with a mature security organization, and I don't mean mature just they're grown-ups, but also that people who understand that you need to always be improving your security program and not be, you know, defensive and that kind of thing. Is that typically the way things roll?
Yeah yeah I think so. I think also since they know that we are experienced and we are managing such incidents on a daily basis, then we can teach them. And this is the approach, actually. It's an exercise for training. We're there to teach them new tricks. And it never happened that we had any resistance or ego when it comes to that.
Yeah, I was gonna add to that. I mean, come on, let's think about it, right? In order to engage some of these purple team or exercises, the company has to have some pretty deep pockets. I mean, let's be honest, right? And if you're going to the Super Bowl, there's a certain behavior that's expected out of you when you engage. So most of these organizations are very enterprise, very, they have world presence or, you know, they really should be okay. If somebody's not really engaging at that level, they probably shouldn't be on the team anyway. But I'm sure there could be certain times when one individual or two individuals can get out of line a drop, but let's hope that they don't wound it for everybody, right?
Okay, Reut, you're so calm in everything with this. You have the perfect demeanor for this, but you know, this is podcasting. We've got to stir the pot a little bit. Okay, have you had a situation where there is someone on the blue team who is so arrogant where the red team says, we've got to kick this guy's ass, we've got to own him?
I don't recall.
Congressional testimony.
That's great. So Joe, let's put it this way, right? I kind of feel like I was on that receiving end a little bit when I did what I did, right? And I got onto the red team's computer and I did something I shouldn't have done and you reprimanded me and they went and tried to attack me, but they hit the wrong person. So they were teaching me a lesson.
Yeah. Adam, I think that we're all friends here. You can share the story.
Okay. I know you're dying to tell the story. I think we might've told them before.
No, I'm not doing it.
All right. So we had, we had something where, um, there's some going back and forth or whatever. And Adam had been. Adam and whatever. It had been a little, you know, playful or whatever. And they said, okay, we got to get Adam. We got to do something with Adam. So they went and they managed to, I think, get into the desktop management system or something. They were able to get into desktops. And they said, we'll put a little something on Adam's screen on his desktop or something. They were going to do something like that. And so they do it, and they're all proud of themselves, and we have a meeting, they come back from lunch or whatever, and they're like, Adam, how's your machine? And he's like, it's fine, there's nothing going on. And they're like, you know, he's playing cool, and then they finally realize, they're like, it didn't work, it didn't, but they're like, but it did, but it did work, but he doesn't see it. It ended up that they had hit the wrong machine. And fortunate it was like, it wasn't Adam Roth that was like, I don't know, Adam, something else with an R, whatever. And so as the manager, and then I said, first of all, clean it up. And I said, as the manager, I had the pleasure of calling up that person who fortunately was not a big executive and it was actually someone I knew pretty well. And I'm like, other Adam, how's your machine? He's like, oh, it's fine. I'm like, see anything weird on there? He's like, no, it's OK, fortunately. He's like, yeah, I just got back from lunch, so everything's cool. I'm like, oh, thank God. So he never saw it, but you have to be careful with stuff. But also, and we've talked about this with pen testing too, even when you're not fooling around a little bit, it is a totally live exercise and you have to be careful because kind of by definition, you need to do it on your real systems and your real monitoring. There's nobody really has the money to, although it's going to duplicate their whole system.
The point is to do it on your live systems, right?
Cause you have to test it. Yeah.
I mean, typically the way, the way it's done, right. There's no other way around it, is there?
But we did an engagement once where the red team was plugging into ports in the office and we shut down that port in order to stop them and they were running out of ports. Unbeknownst to us, that port also hosted the access point for an executive and we shut down that executive's access point. And they could never get, they couldn't get to the internet on their wireless devices. Yeah, so we were troublemakers. Real life has real consequences.
Yeah. So, so right these days, what are some of the classic attacks you do or what are you doing these days? What sorts of things do people want to test in terms of what you're typically throwing at them?
Okay. Yeah. So when we're planning such an exercise, we're working usually with the CISO to select attack vectors. In order to do that, we have to have a thorough understanding of the organization's infrastructure, specific challenges, potential threats, also what is relevant to the industry. And it's essential to focus on realistic scenarios that would align with the organization's risk profile. And it could be something including web application attacks, BYOD attacks, OT, whether it is physical security like Adam mentioned. And the goal is to familiarize the security team with attackers commonly used and also with advanced tools and make sure that those techniques would be relevant to what they might encounter in real life.
Can we also talk about rules of engagement as part of that? Because I don't think everybody, I think most people don't understand and we're kind of getting to a wider audience. And I think that's a really important part of a purple team is the rules of engagement. What's allowed, what's not allowed.
So we would make sure not to cause actual harm, even though we're working on production environments. This is why it's important to structure the scenarios and to work with the CISO in advance to understand what are the limits. And also, everyone needs to be onboarded at the organizational side, whether it is IT, if they have a NOC or any other monitoring team, so they would know that there is an exercise. So once they would identify us, they wouldn't block us because we need to actually proceed. So they can monitor and simulate what they would do if this was a real attacker, but allow us to move forward and progress with the scenario.
It is important to note that sometimes you do cheat a little bit and give you just a little bit of an advantage, just to let a scenario and attack unfold.
Right. So my next question is, and we've had this conversation before, and some of the security trainings I've done have spoken about this. Ever been in a purple team and then find out that, oh, there's an adversary on the network? I don't know if you guys have had it, but I know others have.
I've never experienced it, but it sounds like something that can happen. Definitely. We did, however, identify critical vulnerabilities several times. And at the end of the day, in addition to recommending more visibility or enhancement of rules and alerts on the SIEM system, we also recommended additional hardening configurations and so on.
Well, that's good to hear that that's never happened. You know, one of the things you have to tell your teams in your briefing is I know when we start that I've always done is say, OK, guys, we're doing this. We're doing this episode and everything. But don't forget, you have to do your regular monitoring of everything too. You can't assume that everything is the red team and that it's not a real, real attack. It's kind of that nightmare scenario of when you say to the red team guys, like, hey guys, caught you doing this, thought you were clever, and they go, that wasn't us. That's a tough one. Yeah.
So that's, that's also interesting, like, without giving specifics, I know that people have involved themselves, like you said, Reut, in purple team exercises, and then all of a sudden at the end of the engagement, you end up finding two zero days. And for those who don't know what zero days are, those are vulnerabilities that have not been discovered and documented and were just found. So once those are identified, you usually have a disclosure period, you let the vendor know, they're supposed to fix it. If they don't fix it, you release it. And I'm sure you can add a lot more to that, Reut.
Yeah, so exactly. Like you said, we were able to exploit real vulnerabilities in the IT and security stack and recommended immediate fixes. So yeah, it happens all the time. It can be whether it is a patch or maybe changing something in the configuration, enhancing segregations, and maybe the way that the organization is managing their identity and access to different assets.
Yeah, one of the important things that a purple team can teach you also is when you have those things that are exploitable, but there are always things that are going to be exploitable in an environment. It's very, very difficult to get them all out. And very often from a risk management point of view, you'll say, well, okay, this is too hard, or this is a business critical system we can't change. And you say, you're going to accept the risk of it. Well, the purple team is very helpful. If you go after some of those things and then we say, okay, but when someone went through it, we weren't able to detect it or we were not able to, you know, could we get them at the next step? It's really helpful for that kind of stuff too.
So watch Joe's face. Um, I think one of the best tools you could ever have in, um, a purple team environment, especially when you're the blue team is having really enhanced packet capturing. What do you think about that? Will enhanced packet capturing on a network be able to detect adversaries a little bit easier than others?
I feel like it's a private joke between you two.
Well, you feel like it's a private joke because everyone has, as we're saying this, Adam and I are both texting Reut how much, like, you know, we'll pay her for the answer that we want. Adam wants her to say, yes, it's essential. And I'm going to say, no, it's not so important. Just kidding. But we talk about this all the time. But yes, how do you feel about full packet capture?
Another excellent answer. So I'm going to bring it up. I'm going to bring it up. So Adam, how did you feel about it? Full packet capturing, you know, I know things are encrypted end to end, and I know packet capturing can be a little bit elusive sometimes, but full packet capturing will give you historical data between endpoints and allow you to find adversaries. However, the packet capturing cost even at the lowest level about five years ago, six years ago was 2.5 to 3 million US dollars. So it's a little bit pricey for most people.
Well, the way you want to do it, especially.
Well, but I did, I did enjoy using deception technology during the, uh, the red team, uh, blue team engagement. That gave me some really good knowledge. The purple team is a perfect point in time to test out your tools, right? You spend all this time putting together the different tools. And for me, tools that are really important in any purple team exercise, but of course, the health and hygiene of a network is a SIEM or security information event management, getting all your logs into one place and then being able to create these use cases, these alerts. What else is important? Segmentation, being able to keep different parts of your network apart, right? Only allowing source to destination ports and IPs. So when you have these tools in place, and then you have deception technology, and then you have SIEM, and then you have EDR, which is endpoint detection and response, if you have configured most things correctly, you should be able to hopefully find an adversary. But adversaries, nation states, criminal enterprises are really good. So there's no perfect scenario. But at least if you have these tools in place, you get to play with them. You get to actually utilize them in a close to real life situation or scenario, which is why I love purple teams, because that's like the Super Bowl after you put everything in place. And then a good polished red team, they can destroy you and there's nothing wrong with being destroyed. It is just another learning experience. But at least you're learning from them and hopefully not from a real adversary. That's my synopsis or overview of it.
Yeah, you're right. It's a dynamic field and these exercises play a crucial role in preparing organizations for a real case. So yeah, it's better to experience it in the lab environment than in real time.
That's very true. And you know, Adam sees it as the opportunity to use all his toys. But I'm going to go back to something that we talked with Monty about a few weeks ago, which is, it's not just the tools, it's does your team know how to use them? And do they know how to, and this can be very helpful in helping the team go and use them in a more realistic scenario. Because, you know, it's like, when you're a defender, you're always reading the papers and the press about all these new attacks. But there's a big difference between saying, we'll handle it this way. But when something is actually thrown at you, and you don't know exactly what it is that's being thrown at you, it might be one of a lot of things. That's when it gets really interesting. And that's when you really test yourself.
And I'm gonna paraphrase Mike Tyson's comment about getting into the ring. Everyone has a plan until they get hit in the ring or something like that, right? That's my thing I always use. Dude. Oh, I'm sorry. Wait, Joe. Joe, what's that famous line from Mike Tyson?
Everyone has a plan until they get punched in the face. Come on, right?
And that's exactly the point, right? Everyone thinks they're ready to get into incident response and defend themselves, but when the Beep beep hits the fan. Are you ready? And I'm going to I'm going to make a recommendation to any of those people that are listening to our podcast and want to get into purple teaming. Not only do you have to be a really good blue teamer, but you should understand red team and you should get onto one of those websites that allow you to hack the boxes and try to do lateral movement and engaging scenarios because I'm getting back into that again. And it reminds me of how little I know. And it's also like another scenario, right? If you ever did martial arts, you start out as a white belt, you don't know anything. You become like a blue belt or a green belt. You think you know everything. And then you hit black belt and you realize, you know, you're absolutely nothing. And that's the same thing, I think, in anybody who's come to, come to, what's it called, an epiphany of getting involved in cyber. You think you know a lot when you first start, and then you realize you know absolutely nothing. Even the most seasoned, experienced people say, oh crap, I can't believe that happened.
All right then. Well, on that note, we come to last call. This has been a really interesting discussion. I don't know, it's tough. On the one hand, we can go and talk about it for a long time, but it's something you almost have to experience to really get the full flavor of it. But Reut, we're gonna give you the last word. You're our expert here. What are your final thoughts on the topic?
Well, make sure you have high visibility on your systems. Make sure that your configuration is in line with best practices. And, um, yeah, practice is important. Like, uh, Mike Tyson said, and like Adam said, right.
It's, it's better to, it's better to take those shots and in an exercise and in a very close to real world exercise than when it's really happening. That's totally true. Okay. Adam, your final thoughts.
My final thoughts are if you are interested in doing any type of blue team, red team, AKA purple teaming. There are plenty of organizations out there that allow you to engage, join a team, start practicing on those virtual machines, learn how to do some of the basics like privilege escalation and lateral movement. And I say basics, cause it's a thing that you need to know. It doesn't mean it's easy. It's, I mean, it's a, it's a basic concept that you need to perfect.
All right. All great stuff. So, Reut, thank you again for joining us again. It's been a lot of fun.
Thank you so much, guys. Thank you for inviting me.
Thanks for coming. Thank you very much. All right. Adam, take it easy. Bye. We'll see you.
Take it easy. All right.
