Threat Intelligence: How to Focus Fire on the Bad Guys Coming for Your Network

[Music] hello everyone my name is kyle hubert and today i'll be talking about threat intelligence how to focus fire on the bad guys coming through our network now we do have a lot of material to get through today and we do have a demo towards the end of the presentation so let's just go ahead and jump right into things first a little bit about myself i'm an air force network analyst and blue team lead and when i'm not working with threat intelligence i'm also interested in iot security and purple teaming now before i get too far ahead of myself i do need to say that none of this is official policy or official views of

the air force or the dod these are all personal views and processes that i've made that i felt would be beneficial to share with the greater cyber community so that being said if you'd like to see more things that i build by all means you can follow me on twitter my handle there is apt-get kubert and i'm always looking for feedback so if you have some thoughts on how to improve either the presentation or the code that you'll see towards the end that'd be a good place to get a hold of me and make those suggestions and i'd love to hear from you [Music] so what to expect about this presentation well what you are going to

learn is how to prioritize the techniques that you want to hunt for on your particular environment you're also going to learn how to focus your defenders on specific adversaries and perhaps adversaries that are targeting your specific organization or maybe something a little more broad like organizations in your industry vertical what you're not going to learn is that this is some magic bullet that will always find the bad guy that will always solve all your problems you're also not going to learn about any techniques that you don't have to look for in a perfect world you would be able to look for every threat actor that's out there in every technique that they use unfortunately we don't live in a perfect

world and last time i checked i believe mitre had identified about 106 different threat actors across the board that's a lot of bad guys and telling your defense team to just go find evil is a pretty broad ask when they have to look for 106 different threat actors all with varying amounts of different techniques of accomplishing their objectives so hopefully by the end of this you'll have a little better idea of how you can focus your defenders on specific threats and prioritize so you're not just giving them a very broad go find evil [Music] so what is threat intelligence well my working definition is the application and analysis of threat information in order to better inform defenders how

adversaries will accomplish their goals of course that begs the question what is threat information that is defined as any information that can help an organization identify assess monitor and respond to cyber threats an example of threat information would be like an i p address generally these things are more like atomic indicators things like ips or hash values these are things that by themselves are more like data points and don't really inform defenders of anything specific by themselves what you want to do is you want to start adding some context around that data point and then once you start doing that then you start going from information to intelligence and that's where we're kind of getting

into this third bullet here and this is probably one of the more important pieces of the presentation so if you take away nothing else take away this information becomes intelligence when it is analyzed and used to inform defenders of a specific threat so again going back to our i p address example what you could do is perhaps whenever you hand that ip address to your network defender you say hey this is a known bad ip that's used for exfiltration and this particular adversary uses ip address so right there not only did you tell them it's a bad ip which okay fine that's a good start but he also said it's used for exfiltration which now tells your analyst that they

should be looking for data going to that ip you also said it's associated with a specific threat actor so now that they can do uh they can go and do some research about that thread actor and see if there's any other techniques that they want to research or maybe hunt for on the environment and this is where you start going from the again the information part to the intelligence part adding that context and connecting some of those data points together as opposed to just giving your analyst raw information if we look at this in terms of the pyramid of pain most times when we're talking about threat intelligence we're talking about the lower three tiers of the pyramid of pain

now to be clear i'm not saying that threat information is not useful or not important it is i'm just trying to show that there is a very clear line between what is threat information and what is threat intelligence threat information individually doesn't inform defenders of anything specific once you start adding that context and enriching that data and starting to connect that information together then you start getting into the threat intelligence spaces then you start being able to inform your defenders of something specific again going back to our prip address example maybe you are saying that this ip address used for exfiltration is part of this particular tool set and then they can look that up

or at the very least they have this technique that they can start doing some research on and see what's going on there so this is where it really starts to come together and crossing that line from information to intelligence but now that you know uh what threat intelligence is why would you want to use something like this i'm glad you asked so the why to use threat intelligence this is where you start getting those stereotypical sun tzu quotes that come to mind but they really do make sense in this context and really the why to using threat intelligence boils down to three main things you have your understanding prioritization and efficiency now what i what i mean by understanding

is that by using threat intelligence you'll gain a deeper understanding of adversary tactics and techniques uh that are targeting your organization or organizations like your own this is important because if you have a better understanding of how an adversary would accomplish their goals or how they would carry out an attack on your organization you have a much better chance of catching it and seeing how you could mitigate some of those actions this also gets into prioritization because if you know what to look for you're going to probably move that up to the top of the list of what you want to hunt for and what you want your team to be looking into so this is making some of these

techniques and the threat groups that execute them uh some of your most likely uh threats to the target which in this case unfortunately the target is you they're coming for your organization and your data and you're trying to defend against it [Music] again going back to what i said before you don't want to tell your teams just go find evil so by using this prioritization you can focus them on particular groups and techniques that are most likely going to be used against your organization and then finally efficiency so let's say you have identified five uh groups that are most likely going to come after your organization based on prior targets or network infrastructure whatever you deem or how you decide that

one there might be some common techniques between them such as powershell so what you could do based on whatever tools that you have available to you to your hunt team is you could figure out how to write a hunt that would look for powershell use across all five of those thread actors as opposed to doing five individual hunts one for each thread actor and this is extremely important especially when we get into if you have a smaller team or maybe a compressed timeline for some reason being able to increase your efficiency and figure out how you can do less hunts to still cover the same amount of techniques or the same amount of thread actors

really really helps in terms of getting through more hunts and trying to find more bad guys quickly [Music] so now we're going to look at threat intelligence as a process and this is a bit of a misconception because a lot of times when people think of threat intelligence they think it uh it's more like a checklist and they might do this before the beginning of an operation or the beginning of the work week and then they'll just go through the checklist and say okay they'll check the boxes and they'll say yeah we did our threat intelligence and we're good to go and they'll never touch it again that's not how this is supposed to work

this is more of a process it's something that you should be doing over and over and over again and there's a lot of different processes out there to kind of show this but the one that i like the best is the f3 ead model and this is a little bit of a weird model not many people use it but the f3 e80 basically stands for find fix finish exploit analyze and disseminate and the reason i like this model so much is because it does a very good job of showing how incident response or the operation side of security operations can very easily feed into and support threat intelligence or the intelligence side of operations and how that process can begin again

with intelligence feeding operations so whenever you start this process you're most likely going to be in the find phase and what the find phase is as you take you basically are taking known bad so maybe white papers that you come across online perhaps some intelligence that's been shared between you and a partner organization or a threat intelligence group that you're a part of and you take that intelligence and you start looking for it on your network and perhaps you find something and you find some bad guys well at this point you are now in the fixed stage of the incident response side of this process and fixed does not mean you are fixing the problem

that that's a bit of a misconception fix actually means that you are fixating on the bad guys in your network you're scoping the intrusion this is where you want to identify all of the locations where the bad guys have kind of set up persistence you want to identify all the malware that they've dropped on your network you want to figure out how they're getting in and out of your network and this is where you fully scope the intrusion so that when you do take those ir actions you're not leaving anything behind that the adversary could take advantage of [Music] so of course that brings us to the finish phase and the finish as the name implies is where you are

finishing off the enemy you are taking those ir actions to remove any sort of footholds that they have in the network and hopefully you're collecting some of those malware samples and pcap files and anything else that could be useful for when you get into your threat intelligence phase so at this point we cross over into threat intelligence and the exploit phase and the exploit phase is where you start collecting all that information so you take those malware samples you found you take those pcap files you've captured and you just want to collect as much information as possible now again at this stage this is threat information this is just raw data so you just want to collect as much data

as possible at this point so you can then take that in the analyze phase and turn it into intelligence so we're now in the analyze phase and this is where you're going to take as i said that threat information and start analyzing it enriching it adding some context to those data points and hopefully at the end of this phase you should have a pretty good amount of some threat intelligence that you can use now this is also the stage where you would probably want to start making the attack timeline you'd want to start looking at how did the adversary gain initial access how do they gain persistence what other actions did they take and when did they take them and this is when

you want to start building that out as well so you have a better idea of how they progress through your network up until the point where you took those ir actions to remove them and then finally we have the disseminate phase and this phase is pretty important because this is where you share those findings those awesome white papers you've written all that threat intelligence that you've created and at the very least i would hope that you would share it with your own organization if not maybe your threat intelligence sharing group or even the cyber security community at large this is where you publish those findings uh you share that with the community and then hopefully someone can take that

threat intelligence and then go into their own find pays as the process begins again [Music] now before we go too much farther i do want to talk a little bit about the miter attack matrix because i am going to be referencing this a good bit throughout the rest of the presentation if you're not familiar the mitre attack matrix the attack piece stands for adversarial tactics techniques and common knowledge and basically this is something that miters built out that they try to show every possible way that an adversary could accomplish objectives or accomplish their tactics on your organization's environment and this page in particular we're looking at is a screenshot of one of the group pages that they have

the above the associated group descriptions you would have the group name in this case it is apt 19 along with a summary of the group you also have the associated group descriptions there or their aliases and then below that you have the techniques the techniques used so this is all the techniques that this particular group has used in the past if it's been a while since you've looked at the miter attack matrix you might notice a few things that look differently and namely the technique ids there recently miter has switched from a t and then a four number uh numbering scheme to the t the four numbers and then in some cases if there are sub techniques

to that category that's where that decimal number will come into play so that's where you'll see the decimal zero zero one zero zero two zero zero three things of that nature and this actually caused a little bit of issues with the demo code uh but we were able to get that corrected for you guys so you can actually see the demo today um but if it's been a while things might have looked a little bit different on the miter attack matrix than what you pass remember so what do you need to do threat intelligence so this is four big points that you want to make sure you have in order to do this correctly the first one is a list of your

organization's critical assets now this is not just your secret source code or your super cool app that you built or maybe the secret recipe to the company barbecue sauce those are all important and should be defended but you want to look at other things that an adversary might want to leverage for example a trusted relationship maybe your organization has a secure pathway or a trusted relationship with a government entity or another organization you want to take a look and see if an adversary might want to exploit that trusted relationship to go from your organization to the other organization whatever that looks like it's they may not be interested in attacking you just for the secret sauce that you have they

might just be wanting to go through your network to hit another organization just something to keep in mind so the second point there is knowledge of threat intelligence resources now the good news here is there's a lot of really good resources out there that are totally free so you don't need to go out and spend a lot of money to start a threat intelligence program or threat intelligence sell in your organization now that being said if you take a look at the products out there and think that they would be beneficial and you have the budget to do so then by all means go spend money on a threat intelligence platform but this is simply saying that

you don't have to do that if you don't want to now there are some resources out there that will go over and there is a list of those resources towards the end of this presentation that you'll see but a lot of the white papers out there the apt specific reporting there's some very solid reports out there that are completely free to the public so again just be aware of what's out there and know what resources you can pull from the third bullet here is a little bit more difficult this is where you have to sit down and have some very honest and potentially difficult conversations to identify what your limits are and there can be any number of

limitations that might be on you and your team it could be budget constraints it could be manning it could be time it could be experience and all those things are totally fine especially in the experience phase we all start somewhere so if you don't have a super experienced team that's totally okay just you need to make sure though that you understand what those limits are if you have a list of 10 thread actors but based on for whatever reason you can only look at five you need to understand that and you need to make sure that you're focusing on maybe those top five threat actors as opposed to trying to spread yourself or your team too thin

by trying to look at all ten so just make sure you have a pretty good handle on what you can and can't do what is in the realm of the possible for you and then finally you to have a good situational awareness of world events now this one's a little unpopular because again as tech folks we like being in the bits and bytes and getting into the weeds the technical side of things and i totally get that but there is something to be said about keeping an eye on the situat just what's going on in the world in general mostly because there again you have nation states out there that some of these groups are suspected to be

connected to and some of those countries strategic intentions match up seemingly very closely with some of the actions these groups take so knowing what what's going on in the world and how that might affect your organization can be very helpful in identifying the types of threat actors that might be coming after your organization or what their strategic intentions are and what their goals might be in terms of what they might be trying to gain by attacking your organization or organizations in your industry [Music] so just to make sure we're on the same page here because i know that i've thrown out tactic and technique a lot i just want to make sure we we're on the

same page in terms of the terminology so whenever i say tactic i'm talking about the overarching goal or the objective that the bad guy is trying to accomplish so for example a bad guy might try to establish initial access and then gain persistence in a particular environment those are tactics those are big goals that they're trying to achieve the way that they accomplish those tactics is through techniques so in order to achieve the tactic of initial access a bad guy might use the technique of a spearfishing link or utilizing that trusted relationship that we talked about earlier and then once they've accomplished that tactic they will try to accomplish the tactic of persistence perhaps by using

a boot kit as the technique so i just want to make sure we're clear on what that actually looks like and what that means before we go too much farther all right so you have all the background information at this point you know the the what the why so how do you actually use threat intelligence well first whenever you start off with this you're going to be in the red section of that circle you're going to be looking at all the bad guys that have ever been identified that are out there and again that's a lot we're looking at about 106. so the first step is who wants your assets who wants to get your stuff

who wants those crown jewels and hopefully uh that should take your list down pretty considerably depending on what your organizations is involved in so once you've identified who wants your stuff then you want to dig a little bit deeper into those specific groups and see if any of those groups have the capability to access your assets now unfortunately if we're talking about nation state threat actors then more than likely if they want your assets or they want your stuff they can probably get to your stuff and that's totally okay this is just to help add another layer to again maybe weed out some of those script kitties or less funded groups that for whatever reason you or your organization

just doesn't feel like they're quite a threat or you just don't want to focus on them right at this point in time and then finally once you identify who has the capabilities to get to your stuff then you want to see where those techniques overlap this is getting back to what i said before when you identify that it's maybe a technique like powershell is used across all of the groups that are interested and can access your assets well at this point you would want to say okay well let's figure out what kind of hunts we can do that can look for those tech those shared techniques as opposed to doing individual hunts for each of the techniques

so to illustrate this let's walk through a quick scenario for this scenario we're going to say that you're an admin for st cyber's medical center this is a hospital that primarily focuses on patient care but you also have some research facilities that you need to be aware of and make sure that you can protect [Music] whenever we start this process you're going to be in the red you are looking at all the bad guys that are out there and you haven't whittled down that list yet so let's start doing that first thing you want to do is start looking at who's targeted health care or medical r d in the past now there's a lot of good resources out there that

can help you with this but the two that i'm going to highlight here are the m trends yearly report this is a report put out every year by the fireeye corporation and this is a about the the 2020 report was about 60 pages and this will talk about large overarching trends in cyber security that fireeye is expecting to see in the coming year one of the findings of that report actually showed that talking about ransomware use was going to go up in 2020 i think we've all seen that so that's something you can use to get a more of a big picture view of things and then you can also look at the miter attack matrix

groups as i said before there's a summary on those groups so you can actually go back and read through those summaries to see if any of those groups have targeted healthcare in the past many times those summaries will include past industries past countries that they've targeted so that's a really good place to start to get a general idea of the different threat actors that might be interested either in your specific organization or at the very least your sector so at this point you now are in the orange you should have a short list of groups and then hopefully you can now at this point start whittling that down to see if there's anyone in that group

that cannot access your network for whatever reason to do this you're going to want to start looking at the specific techniques that each threat actor uses and see of the ones that want your stuff who can access your stuff to do this you're going to have to dig into some of the apt-specific reporting again i'm going to go back to fire right here they have a really good report on apt-41 apt-41 this report is about a 68 page deep dive and the reason i really like this particular report is that it links the activity of apt 41 back to china's strategic intentions namely it references china's five-year plan it also references that made in china

2025 initiative which is talking about how china wants to produce more higher value products like pharmaceuticals and getting more involved in pharmaceutical r d which is something that you need to be worried about being an admin for st cyprus medical center so this is where again you want to look into not only the techniques of these specific threat actors but maybe some of their goals and some of the driving factors behind their operations going back to that situational awareness of world events and and why that would be important here so at this point uh you have now gotten all the way down to the blue you've more than likely most of the folks that want your stuff can access

your stuff but again that's okay and now you can start working on getting into the green now uh just to show you uh what those directors look like from that scenario again we started with 106 different thread actors and we were able to get that down to eight really nine thread actors white fly is a new addition that was just added to uh the miter groups fairly recently but if you were looking at all the thread actors that are targeting healthcare you would have apt 18 apt 19 apt41 deep panda fin4 menu pass orange worm tropic trooper and of course white fly now we did add apt 19 on there manually i did that because if you look at the reporting for

apt 19 specifically you'll see that while they haven't targeted uh the healthcare industry directly they have shown an interest in r d as well as pharmaceuticals so that's where we added them to that list as well and then for argument's sake we'll say that you wrote an amazing strategic intelligence brief to your sizzle you looked at the m trans yoga report and did a little write up on it and your sizzo wants you to focus on suspected chinese threat actors as well as any actors that utilize ransomware is kind of their standard operating procedure when they attack an organization using this guidance from your sizzo you can then whittle those ninth right actors down to six

you would eliminate orange worm tropic trooper and white fly from your list so then finally you would have a short list of six thread actors from 106 that you can start looking at and now see what common techniques do those six thread actors share and this is where we're going to get into the demo because this code hopefully will make this process a little bit faster for you so let's see what the demo gods have to say all right so you can see we got the script pulled up here ready to go uh for this python script you will need python 3.8 installed so just keep that in mind whenever you're trying to make the script work

so the very first thing it's going to do whenever we run the script is it's going to ask if you want to add countries in bulk or add groups in bulk by country excuse me now in this case since we're going looking at this in terms of a sector of industry we're not really interested in adding or removing groups by country so we're going to go ahead and just skip that by putting in six all right so now we get to the spot where we can start adding groups in bulk by industry sector and since we are looking at the medical and health care industry we're going to go ahead and put in number eight

[Music] all right so we've added all the target or all the groups from the medical and healthcare industry that's awesome so now we'll go ahead and do zero so we don't keep adding groups in bulk and then this last step here is where you can individually add a group so since again we said we wanted to add apt 19 because they showed an interest in r and d we're going to go ahead and put in apt 19. all right so that was added and then type in end and now you can see this is our almost final list of the nine thread actors that we had previously identified so you can see you have 18 41 deep panda

fin4 menu pass orange worm tropic trooper white fly and apt 19. now again we need to remove the three of those from this list before we can go any further so we're going to go ahead and say yes we would like to remove groups at this point we would go ahead and just remove orange worm [Music] and tropic trooper [Music] and white fly alright so we've removed those three from the list go ahead and type in end and as you can see we now have our final list of six thread actors and this is our short list that we want to start looking at and seeing what techniques do all six of these threat actors share amongst

themselves so the next step here is you want to put in a minimum number of groups that share a technique so for example if you were to put in three then you would see all of the techniques that are shared between three or more of the groups that you've selected for in this case we're going to go ahead and just use four just as an example [Music] all right so you can see that we have a total number of six groups selected and here it's kind of interesting you can see that the total unique techniques between just those six thread actors is still 90 different techniques so that means that even if you would have whittled it down

to just six threat actors and then told your hunt team to just go look for every technique that those six threat actors use you would still be looking at about 90 different hunts that they would have to go and do to look for every technique that all of those threat actors use that's still a pretty big ass depending on the size and experience of your team so the next couple lines here actually show the techniques themselves so you can see we have obfuscated files or information web protocols valid accounts spear phishing attachment and our favorite power shell you can also see that all of these are shared between uh four out of the six adversary groups

that we've identified so now you have your short list of techniques that you can hand off to your hunt team but let's go a step further because telling your hunt team what techniques to hunt for doesn't help a whole lot if they don't have the right data sources and if they're not ingesting the right data to actually potentially find bad guys using those techniques so this next step here will help you identify what data sources you need in order to start hunting for some of these things so what we're going to do is we're going to go ahead and do number one first and what this is going to show you is the basically it's going to list out all of

the data sources that you can use to find these techniques and it's going to tell you how many techniques a single data source can capture [Music] now there's a lot of text there i understand that we'll just step through it this is not ideal unfortunately in a perfect world what you'd like is maybe a couple different data sources that could potentially find all of those techniques that you've identified unfortunately in this case that's not going to happen here but you can see that the process monitoring can catch about four out of the five shared techniques you have file monitoring can potentially catch three out of those five techniques if you have a way of capturing that

data source but then once we start getting down to the process command line parameters and below you can see that these data sources can only potentially catch two out of five or even one out of five uh techniques that we've identified and that's not as useful as you would like so let's go ahead and do number two and see if that gives us some better output and this looks a little bit better so basically what's going on here is instead of showing the data sources and the total number of techniques that they can identify or instead looking at it in terms of the five techniques that we've shown to be the ones that are shared

across all of our threat actors so if you want to look for that obfuscated files or information you can use any one of these data sources preferably more if you can but these are all of the data sources you could capture potentially to find obfuscated files or information if you wanted to catch web protocols you could you could capture any one of those data sources to potentially catch an adversary use of web protocols and so on and so forth down the list and this just is i wanted to add this in here in case we had some of the output that was a little harder to read and had a bunch of different data sources that maybe only could catch

one two three data sources and you just wanted to very quickly identify what data sources you need for these specific techniques that you've already found [Music] now this basically runs through a switch statement so you can go back and forth between option one and option two if you'd like i know there's a lot of text there so if you need to take notes or anything else and then whenever you're done you can go ahead and press number three and that will exit out of the script [Music] all right so demo god's worked with us today that's awesome so at this point let's see what we accomplished through that demo and through that code so you can see that we started with a

hundred and six different threat groups now we also from that 106 focused on our six most likely attackers and then from that group of six threat actors we still had 90 different unique techniques we would have had to look for so using the ttp aggregator script there we were able to boil that down to five specific techniques we wanted to look for that we can then hand off to the hunt team and also the data sources we need to capture in order for them to carry out those hunts [Music] so at this point you are now in the green you've identified all the techniques you found with the overlap and you can send your team off with

hopefully a very realistic expectation of what they can hunt for [Music] so just doing a quick review here what did we really cover first threat information is not threat intelligence uh it is still useful it is still important but information does not equal intelligence and that's a key takeaway here you also want to keep in mind that threat intelligence is a process this is not something that's one and done this is not something you just do as a checklist and then say you never have to touch it again this should be something that you're doing on a regular basis and really in a perfect world your incident response folks should be taking what they learn

and then feeding that into your intelligence process and then your intelligence folks should share what they've learned and what they've analyzed and share that with your ir team and then again that just that feedback that positive feedback loop really uh helps make everybody better and then finally you want to be willing to consider non-technical sources again i understand that as a lot of tech folks we want to get into the nitty-gritty of things but we cannot discount how important some of these softer documents can be and especially in terms of keeping an eye on what's going on in the world uh some of the long-term goals of certain nation-states and certain groups that are suspected to be tied to

those nation-states you want to try to keep a broad world view so you can see exactly what's going on in the world and how that could potentially impact your organization or other organizations in your industry i also want to take a second just to thank a few folks the dr pinky and stack frames these two folks did a really great job helping me out on troubleshooting some of the code in the demo you just saw as i said earlier right before the presentation miter changed how they did the matrix and they changed how they outlaid some of the ttps they also changed their back end api code a bit and that really threw a lot of things

off in the demo code itself so these two really stepped up and helped me out in troubleshooting and finding some of those bugs and fixing them so we could give you guys an outstanding demo uh without having to try to walk through a tabletop the entire time so really big thanks to to these two and helping squash some of those bugs in [Music] time now this is the list of resources that i've kind of been talking about throughout the presentation the awesome threat intelligence list of resources this is on github and this is basically just a really big list of different threat intelligence things out there that if you don't know where else to go to start

that's a good place to go you also have the nsi the national security innovations group they publish strategic multi-layer assessments or sma papers and these are pretty beefy they're usually above 100 pages i put these the types of documents that can give you a pretty good idea of the strategic intentions of different nation states and what might be deriving some of their decision making processes so i would recommend maybe checking those out if you have some folks that like reading those sorts of things of course we have the m trends 2020 report as well as the apt-401 report that i talked about the miter attack matrix which i've already talked about a couple times and then finally we also have

intelligence driven network defense by lockheed and this is a paper put out by lockheed martin talking about uh the cyber kill chain um but it's still a good report to kind of familiarize yourself with uh and just see what they're talking about and how you might be able to tie that into your organization uh specifically when you're trying to write up the uh attack cycle that an adversary took in your network and whenever you're trying to write that up for your ir report or maybe handing that off to your threat intelligence folks and then finally we have intelligence for an incident response i know this is an o'reilly publishing book last time i checked this was about

60 dollars but this is a really good book that would really be the only thing you really have to pay for in this list to get started in threat intelligence this book also walks through that f3 ead cycle some more and a little more in depth and it's a really really good resource i would recommend picking up if you want to dive into this threat intelligence and this process a little bit deeper than what we were able to talk about today so with that that's all that i have for you guys today thank you for listening to my presentation i do appreciate it if you want to reach out with any questions or comments by all

means you can hit me up on twitter that's my handle again apt getcubert you can also find all the not only the demo code but the slides as well as well as some spreadsheets that i've published to work with the code itself that's all my git lab there that you can find and just use it as as much as you want and then finally also my linkedin there so if you want to send me a request on linkedin or a message there by all means you can you can do that if you'd so choose but yeah that's that's all i have and hope you guys learned something and like i said if you have any feedback

please let me know thank you

you