Achieving Comprehensive Cyber Defense

Achieving a Threat-Informed Defense with MITRE ATT&CK - Ben Opel | CypherCon 6.0

Estimated read time: 1:20

    Summary

    In this engaging talk, Ben Opel explores how to achieve a threat-informed defense using the MITRE ATT&CK framework. He emphasizes the importance of understanding one's vulnerabilities and preparing defenses accordingly, rather than merely reacting to threats. Ben elaborates on the process of dissecting organizational weaknesses through a center of gravity and critical vulnerability analysis, enabling better preparation and defense against potential cyber threats. He also highlights the significance of emulating adversary tactics and fostering collaboration within cybersecurity teams to enhance overall security strategies.

      Highlights

      • Ben Opel stresses the need to prepare for threats instead of just reacting to them ⚔️
      • Emphasizes the importance of understanding critical vulnerabilities and how they can be exploited 🔍
      • Encourages using MITRE ATT&CK framework to understand potential threats better and plan defenses 📊
      • Discusses the significance of a collaborative approach to cybersecurity 👥
      • Provides insights into using free tools for implementing effective cybersecurity measures without unnecessary costs 💰

      Key Takeaways

      • Understand your organizational vulnerabilities to improve cyber defenses 🛡️
      • Use MITRE ATT&CK for designing a threat-informed defense strategy 🎯
      • Emulate adversary tactics for better preparedness in cyber defense 🔄
      • Collaboration within security teams is crucial for effective defense 🤝
      • Utilize free tools and resources to strengthen security protocols without a hefty budget 💡

      Overview

      In a world where cyber threats are constantly evolving, Ben Opel brings forward an insightful discussion on the importance of preparing a threat-informed defense strategy. He provides a breakdown of key methodologies such as understanding your critical vulnerabilities and employing the MITRE ATT&CK framework to stay one step ahead of potential attackers.

        Ben elaborates on how a deep understanding of your own systems' vulnerabilities is crucial. He delves into the methods of analyzing center of gravity and critical vulnerabilities to form a robust defense mechanism. By identifying potential threats and preparing accordingly, organizations can prioritize their security strategies more effectively.

          Moreover, Ben highlights the necessity of collaboration within security teams to bolster defenses. He advocates for the active engagement of red and blue teams to emulate adversary tactics, thereby refining and strengthening defense mechanisms. Additionally, he encourages utilizing available free resources and tools to enhance cyber defenses without incurring high costs.

            Chapters

            • 00:00 - 01:30: Introduction and Background The chapter 'Introduction and Background' opens with a casual introduction by Ben, who identifies himself as Ben Oble. He clarifies that the presentation is not related to the 'miter attack' talk as might be presumed from the flyer or schedule.
            • 01:30 - 03:30: Ground Rules and Approach The chapter titled 'Ground Rules and Approach' begins with a reflection on the speaker's past experiences attending conferences related to cyber defense. The speaker observes that there is often an abundance of talks on the miter attack, although many are not of high quality. Intending to provide a better presentation, the speaker notes the time constraint of 25 minutes, emphasizing a desire to use the time efficiently. With a background in cyber defense within the Department of Defense (DoD) for seven to eight years, and subsequent experience in the private sector for two years, the speaker highlights extensive experience in building diverse teams in the cybersecurity field, noting the significant financial resources available and a lack of concern about expenditure.
            • 03:30 - 06:30: Understanding Threat-Informed Defense This chapter, titled 'Understanding Threat-Informed Defense,' begins with a discussion of experiences in Special Operations, known for encountering challenges and abrupt endings - often humorously referred to as going 'up in flames.' The speaker, previously part of this community, now contributes to Attack IQ, a company specializing in professional services related to cyber defense. The author emphasizes that his role is not in sales but rather in enhancing understanding and cooperation in cyber defense initiatives. Prior to discussing the main content, the speaker establishes ground rules to ensure a constructive discourse, acknowledging that past talks have occasionally turned adversarial, albeit not in the desirable way related to threat-informed defense. The chapter sets the stage for what is likely a detailed exploration of frameworks and methodologies to improve organizational resilience against cyber threats.
            • 06:30 - 09:30: Knowing Yourself and Critical Vulnerabilities In this chapter, the discussion revolves around understanding oneself and recognizing critical vulnerabilities. The speaker introduces the concept of threat-informed defense and emphasizes the importance of becoming both aware of and embodying the threat. The speaker also mentions the significance of communicating achievements in threat management to relevant parties. Furthermore, the discourse involves identifying practices that are counterproductive while promoting best intentions and encouraging problem-solving. The chapter hints at a subsequent discussion on tools that can be utilized to tackle aspects of the MITRE ATT&CK framework.
            • 09:30 - 16:00: Means of Attack and Threat Intelligence In this chapter, the speaker emphasizes a general approach to discussing companies and individuals. They advise against naming companies when criticizing them and suggest creating fictional examples instead. The speaker operates under the assumption that individuals and companies can always do better and prefers not to make personal attacks. Furthermore, the speaker encourages open dialogue and welcomes challenges to their views, acknowledging that no hypothesis remains intact after being tested.
            • 16:00 - 21:00: Developing Courses of Action and Emulation Planning The chapter focuses on developing courses of action and planning for emulation. The speaker emphasizes that they are not there to teach the specifics of using tools like the Ampersand but to convey an empowering message. The key takeaway is that individuals can achieve great things using readily available resources without incurring significant costs. It's more about demonstrating the potential and capability everyone holds.
            • 21:00 - 26:00: Aligning TTPs to Defenses and Execution The chapter discusses the significance of fundamentals in aligning Tactics, Techniques, and Procedures (TTPs) to defenses and execution in various fields, including personal work, customer service, and military support. The speaker emphasizes the importance of possessing a comprehensive set of fundamentals but acknowledges that not everyone, including themselves, may have this. They introduce a discrete workflow designed to provide substantial benefits across different applications.
            • 26:00 - 34:00: Continuous Improvement and Collaboration In the chapter titled "Continuous Improvement and Collaboration," the discussion centers around the concept of constructive interference through effective workflow methodologies. The speaker emphasizes the importance of understanding threats, which opens up new avenues for research and generates high-quality data. This actionable data leads to the creation of good test cases, enabling the evaluation of whether processes are right and preparedness in terms of threats is adequate.
            • 34:00 - 39:00: Tools for MITRE ATT&CK Implementation The chapter discusses the end goal of creating a threat-informed defense utilizing tools like MITRE ATT&CK. The speaker emphasizes the importance of a continuous feedback loop in improving defense strategies. Mention is made of MITRE Ingenuity and the Center for Threat-Informed Defense as key elements in this approach.
            • 39:00 - 41:00: Conclusion and Questions The Conclusion and Questions chapter summarizes the efforts of a nonprofit organization dedicated to advancing the field of threat intelligence. The organization conducts independent and sponsored research, focusing on three main areas: utilizing threat intelligence, engaging defensively through emulation and red teaming to assess system reactions, and promoting sharing and collaboration. This approach, termed 'threat formed defense,' aims at improving system resilience and fostering information exchange. The chapter concludes with a thank you to the audience for attending the talk.

            Achieving a Threat-Informed Defense with MITRE ATT&CK - Ben Opel | CypherCon 6.0 Transcription

            • 00:00 - 00:30 [Music] all right hey so I'm Ben uh Ben oble specifically you see it on the bottom left of the slide uh and this is not another miter attack talk um that's not what you see on your flyer it's not what you saw on the schedule um that's
            • 00:30 - 01:00 because uh last time I came here there was maybe one miter attack talk at all the other conferences though I've been to there are several and most of them are not great so I'm going to continue that Trend uh except for that last bit so moving forward I only have 25 minutes I'm not going to waste too much of it I come from a background of cyber defense DOD for about seven or eight years been working in the private sector for two years now um built teams of every color you can imagine it was really fun uh there was lots of money and no one cared where it went it just
            • 01:00 - 01:30 tend to go tended to go up in Flames especially in the Special Operations Community you know what I'm talking about if you've been there um either way I was politely shown the door a few years ago I'm still on the Christmas card list but uh now I get to work with a company called attack IQ and the pro Services team won't go too much into that ask me about it afterwards if you like I'm not in sales all right what we're going to do today lay down some ground rules I do this every time I give a talk uh because things have gotten adversarial in the past and not in the way we're we all know and love um a little bit of a lead in why
            • 01:30 - 02:00 we're doing it and then we're going to talk about threat inform formed defense about knowing yourself becoming informed by the threat becoming the threat and then bragging about it to all the right people uh and then we'll talk about some tools you can use to get after the actual miter attack part all right ground rules I will always call out bad practices I will assert mostly arguable truths I will assume everybody in the room has the best intent uh and I will attack problems on the other side of that I will almost nearly in most cases Say
            • 02:00 - 02:30 Never call out bad companies by name make stuff up and just pull it out uh I will assume the best effort I will never assume best effort I will generally assume that people aren't trying hard enough that they actually have potential to do better things uh and I will Almost Never attack people personally that's actually the one that hard and fast so don't worry about that right there um one rule above of all else come at me bro if I say something you disagree with I do want to hear about it uh no good hypothesis survives the first experiment unscathed
            • 02:30 - 03:00 so let's lead it in so where we stand on this right now um I'm not here to teach you how to attack with the Ampersand um it's great but it's pretty simple if you work in the field and you go to the website I promise you you will figure it out pretty darn quick um the important part here is to teach to show to demonstrate that you all have the power to do something uh with a whole lot of free stuff that's out there uh and to do so without using a lot of money uh
            • 03:00 - 03:30 which is pretty important for a lot of us even if it's not you everyone wants to save a bit the important piece here is that a fundamentals are fundamental and that you may not be working with a full set of fundamentals this is not an accusation I am not working with a full set of fundamentals uh this is something that I want to give to you because I found it to be very useful both for my own personal work and all of the customers I deliver services to for all of the units that I supported when I was in the military uh this is a a discret workflow that can do an awful lot of good for a lot of people in my humble
            • 03:30 - 04:00 opinion we want to create constructive interference here okay that's that's the whole idea of using a workflow a methodology like this that you're about to see um because understanding threats opens up Avenues of research new avenues of research generates lots of good data data gives you uh what's the word I'm looking for actionable data I mean actionable data there it is it's right there uh G creates good test cases to see if what you're doing is actually right and good tests let you understand risk as a function of prepar preparedness for a threat and that's the
            • 04:00 - 04:30 end State we all want to get to when we're talking to the people who make decisions feedback loop starts we go back to the top and we continue improving ourselves that's what we're trying to do here and that's the context within I will talk about miter attack as a tool for creating or helping you create a threaten form defense now what is threaten form defense uh anybody anybody ever seen miter Ingenuity yeah one in the back good man um Center for threat formed defense is a
            • 04:30 - 05:00 nonprofit organization that does a lot of independent research and funded research by you know with sponsors and partners to help Advance this discipline and it consists of three things and that is threat intelligence using good threat intelligence defensive engagement of the threat which is emulation red teaming things like that actually seeing how your systems react to it and focus sharing and collaboration talking to people about what you do and making things happen that's threat formed defense thank you for coming to my talk
            • 05:00 - 05:30 okay okay my point is that of all the complexity that exists in our industry end of the day malware is malware it's understandable there is a finite set of capabilities out there however large uh that is entirely understandable uh and there are ways to understand it and to make it actionable inside your environment so malware is malware why are you reacting to it and not preparing for it that's the question here that we're trying to get to so the first thing you need to do
            • 05:30 - 06:00 in my opinion but apparently my opinion matters because I'm sitting here on the stage or at least I tell that to myself uh is to know yourself all right when I say this it's knowing what's important and why is the only way you can actually start walking down a path that leads you anywhere near your destination okay and the best and the way to do this that I found great success with is by conducting what's called a center of gravity and critical vulnerability analysis who here has heard these terms before fantastic these are my favorite audiences okay center of gravity this is
            • 06:00 - 06:30 the thing that if it's broken compromised results in you failing your mission okay so let's just presume that you know your company makes widgets if a Cyber attack happens and your company can't make widgets they got after your center of gravity you lose that's that's what I'm saying here critical vulnerability though that is the means by which the center of gravity can be broken it is the Avenue of approach it is how you get to said center of gravity and break it
            • 06:30 - 07:00 so two key terms knowing yourself means knowing what those are in your case and there are processes you can use to figure out what that is in a nutshell let's take a fictional company called Rift research uh scientific R&D they do government contracts they do public sector stuff doesn't really matter that's what we're working with private sector public sector so we're so we start by decomposing an organization into its constituent operational elements the things that individually contribute to their own
            • 07:00 - 07:30 missions and to the overall mission tell me to stop I'm going too fast I talk fast I a third child in the public sector they have military contracts obviously and energy contracts the private sector they got consumer and Industrial okay so each one we break it down break it down we see that there are many different parts contributing to the mission of this whole now we continue our analysis all the way down the binary tree and we get to this point where we say well that's interesting the military contracts and
            • 07:30 - 08:00 the consumer production contracts both have an awful lot of money coming in from these these really amazing like radiation proof shower curtains like they are amazing they're super good now if anybody here can pick out the actual Easter egg and all of this I will do something cool so so we get to this point where we like well that's really important because if I can't make and sell shower curtains here at Rift research we lose a lot of money so we can consider that a center of gravity therefore we need to figure
            • 08:00 - 08:30 out what its critical vulnerabilities are we do some more analysis and we find out that well the uh the formula for the um quote unquote plastic that we use to make these shower curtains are pretty sensitive we don't want to lose those one critical vulnerability the production lines they are very very sensitive uh and extremely dangerous and bad things can happen if somebody messes with them cool another one customer data we don't want to lose the trust of our deep pocketed customers nobody wants that production figures we
            • 08:30 - 09:00 don't want another company to Ace Us in the market okay so we now have the ability to look to say if I can protect these four things this center of gravity has a reduced risk profile that is the analysis in its simplest form and I promise I'm going to get to miter attack but like I said it's not another miter attack talk so and we already I got ahead of myself so don't worry about this slide uh I talk too fast and too much at times
            • 09:00 - 09:30 now what we want to do is break these things down into their into their constituent components understand what those things are that if they break fail or taken or messed with are touched in the wrong in the wrong way will cause us to fail understand how those things can be affected and then take action against those things throw a hand up if I am talking gibberish fantastic love to hear it love to see it so what do we do now we need
            • 09:30 - 10:00 to understand given a critical vulnerability and the context within which we exist and operate as an organization as an infosec professional um how somebody could get after our our stuff how they you know how they could actually exploit that critical vulnerability we need a means of attack what is the actual let's take it down One More Level we had center of gravity critical vulnerability we're going down another layer of abstraction into the means of attack I'm not talking about keystrokes quite yet we'll get there but let's just say this our organization makes widgets in order
            • 10:00 - 10:30 to create widgets we need wets okay well that sounds like a critical vulnerability to me because if I don't get my wets on time I ain't making no widgets bad news so means of attack could be some way of disrupting our ability to receive on time accurate and complete shipments of wets okay there's an awful lot we can pull out of that if anybody here Works in any kind of logist know a company that has any kind of complicated Logistics pipeline you see a variety of ways this could all get hosed up so
            • 10:30 - 11:00 great we Now understand what could happen fantastic and we know which of those things that could happen are the worst things so we have priorities so we can start understanding the means by which they can be attacked and start devising defenses so now we let the threat inform us we know the things we don't want to happen now we want to know well who can and might actually do those things to us okay this is how we make intelligence
            • 11:00 - 11:30 useful and this is where we start talking about things like uh miter attack okay the center of gravity and the critical vulnerability these are context for more detailed analysis as you're seeing us go down these layers of abstraction we need to know what reasonable means of attack exist to exploit the critical vulnerability and actually figure out who's capable of doing that and the means by which they could and have they have or could done say they have done it or could do it there we are now I'm not going to run
            • 11:30 - 12:00 you through a full pmpt analysis this is uh reasonably common um neonic for knowing which bits and Bobs and parts and factors of various threat actors there are to understand to figure out if they care about what you do however it's a handy abstraction to understand am I involved in something that has political weight am I involved in something that makes money is there information involved that's sensitive or could be used to do
            • 12:00 - 12:30 political economic or military things do I exist physically in a place that makes me more vulnerable or physically in a place that produces political considerations who knows military it's like it's political with a looming Spectre of violence same thing right social do people like or not like my company my organization because of what we do or don't do I I've had to nod at that one more than a few times uh infrastructure do I depend on something that is easily pable that is not within my direct control is
            • 12:30 - 13:00 there infrastructure I depend on that I need to ensure I have backups for and is there a certain time of day month or a year uh or siderial time uh that is important or significant about when things are happening fair questions to ask now I'm saying this as to establish the context of the who we were just talking about the what and the why in those in those earlier slides so we're were talking about kind of the who now we're going to get to how next all right courses of action who's heard courses of
            • 13:00 - 13:30 action before cool all right cool welcome welcome to class this is fantastic all right a COA course of action I don't like saying course of action too much discreet statements of possible adversary action the who what when where why and how the why is sometimes important um not always the most important thing about generating a COA is that it Feeds out of the critical varability and center of gravity analysis you did and that they describe feasible and
            • 13:30 - 14:00 testable conditions which will guide your planning for red and blue team actions feasible and testable there's no point saying well the adversary could um jump off of a mountain and roll down achieve terminal to Velocity and uh become a bowling ball and go through the wall into our data center probably not even if there were was feasible you're not testing it extreme example but you see the point so so using a
            • 14:00 - 14:30 COA you wanted to look at every critical vulnerability you found and give it at least one COA like there has there you know if you can't come up with a COA for it it's not really good CV so most of your CVS will have several of these however that means code generation is going to take a minute but that's good because this is this is that brainstorming session when you get sit when you sit down with red blue infrastructure whoever else wants to come and play and think about all the awful things that could everyone loves being a Doomer I mean come
            • 14:30 - 15:00 on and so we have here on the bottom is a completed COA we have the who or aasum because threat actor naming conventions are hilarious the what and the where this is in relation to the critical vulnerability they'll compromise a a supply fulfillment Logistics workstation uh they're going to use spear fishing as we always do that's the how and the why it's important it's also not important depending on how you phrase it but the why is saying because they want to cause a cascading delay in widget production
            • 15:00 - 15:30 and this is the part that really ties back to your critical vulnerability and thereby your center of gravity the thing they're trying to affect is the why we're trying to understand the how and the who so that we understand the defenses we need to put in place and more specifically against what kind of capabilities now that we've thought about all our coas we know all the awful things that could happen who might do it and how they might do it we will become the threat right uh and there are ways to do many ways to do that I'm not going to tell you how I do work for a breach
            • 15:30 - 16:00 and attack simulation company I'm not going to tell you how I'm not in sales I love red teams I think red teams are great used to be on a red team either way now we do emulation planning okay we need to think like an adversary and put together a campaign against ourselves we turn coas into ttps when I say ttps I mean miter attack ttps all right we want we want to actually start framing these out in an understandable format so that we can generate on keyboard actions and from those on
            • 16:00 - 16:30 keyboard actions we can generate defensive M defensive strategies and mitigations that defensive piece happens next we align our ttps to the defenses that we can actually test the things that we monitor things that we know if they've done something or haven't done something or can't do something then we validate our plan by running it now we're going to derive our ttps where's my timer okay derive ptps from things that have been done and things that could be
            • 16:30 - 17:00 done right past actor events and intelligence how has it been done in the past and associated in relevant tools what has been used to do this before what we're trying to do is build AOE here okay area of effect for anyone who's not a gamer which I'm assuming is a small proportion of the people here I mean we want to go for AOE on our defenses because no one ever said one in doubt Firebolt I see I see you laugh I see your D Anders over there no it's one and doubt Fireball right you want a large area of effect you want to do as much as
            • 17:00 - 17:30 possible with one strike at any given time and that's what we're trying to be do we want to see the overlap between what the actors of Interest our actors of Interest are capable of doing and the things that we know that they've done in the past this way we start to see if I put in a mitigation against this it's going to cover me against these past campaigns we want to we want to reduce that space of possibilities for the adversary to get around us and you see that I'm doing this in Miner attch when I want know how it's
            • 17:30 - 18:00 been done I'm going to go into the going to go into Miner attch I'm going to look at the average to the groups page click into the group that's important to me look at all the techniques they've used and then I'm going to go to that technique page I'm going to see all the tools that implement it because each tool will have a slightly different implementation and it's also have a bunch of other capabilities that we should probably assume that the adversary could use against us even if they're not listed in the adversary's page gibberish or not excellent aligning ttps to defenses
            • 18:00 - 18:30 we all know what defenses are don't we we're we're infosec professionals even if we're red teamers we know the things we have to break breaking things is fun so when we're coming up with a test even as a red teamer you're coming up with a test you know what you're testing in most cases depending on what kind of test you're doing you might know what's actually waiting for you uh in the objective Network either way when we come up with a test we want to know this is what I should be this is what should
            • 18:30 - 19:00 be catching this because I because I am a stalwart upstanding by the book blue teamer who knows exactly what all my tools do yes okay and I'm gonna say well this should catch this and this one and this one yep okay that I have an entire emulation plan of things whereby I know what they're going to do and this is the important part when we emulate an adversary by any means you choose you know exactly what you're doing you know in many cases to the keystroke
            • 19:00 - 19:30 level what is going you know what's what's going on the keys what's going across the wire or the air um and what's going to hit you and so you should understand exactly where that should be caught now I'm not expecting everybody to sit here and say I know exactly how all of my tools are configured I don't know my I know exactly down to the bit level my crowd strike policies no you don't that's okay we're finding out so we align ttps of defenses so we know what we're testing now there are a lot of ways you can do this not going to bore you with it fact
            • 19:30 - 20:00 is you want to understand sequentially how it's going to test or should I say roughly sequentially you can Gant that out if you want I used Excel because you know what I um I was in the military for a while and I had to do that a lot and then we say this is how we're going to implement the technique this is how we're going to implement the detection or the prevention this is the policy we're putting in place and we go forward I'm getting the hook here just kidding um I'm terrible at time planning for these
            • 20:00 - 20:30 so detection planning ask me about it afterwards I want to get to a few more things now when I say brag about it I mean interact with people concerning the things that you have planned and done um if you're doing this in a silo you are absolutely missing the point uh if you are a blue teamer and you're saying I'm going to test myself like are you sure like I'm I don't doubt that you could but are you sure that's the best idea do you have the context and the experience to say this is exactly what I should be testing myself against should
            • 20:30 - 21:00 you even ask somebody who does Cyber threat Intel should you ask somebody who's a red teamer who who understands tradecraft at a deeper level than you do maybe same logic applies to everybody in that triangle don't forget your CIS admins and it Ops don't forget your CIS admins and it Ops we love them I love them if you're in here I love you okay um and we need you because whenever you want to fix things you you have to ask them just a little warning so go brag about it be
            • 21:00 - 21:30 like look at this great idea we had look at this plan we came up with and they're like oh that plan that plan's kind of sucky let's work on it okay fine and we work on it then we have great then then you have a great plan you execute the plan you improve yourself you get into this wonderful little cycle on step five right there it took me about 20 minutes to make that graphic and bend the arrows because you know um PowerPoint is great um that's the important part right there folks have to get into that self-improvement cycle you have to get to the point where you are continuously testing each other and making mitigations making it harder for
            • 21:30 - 22:00 everybody at every step and you're doing that by increasing the actual area of effect of the test that you come up with uh by doing good research and understanding all the ways that things bad things could happen to you so it was a minor attack talk but not actually a minor attack talk now I've got some stuff here um that's just some tools free tools that use miter attack I'm just going to kind of blow through them here for a second attack workbench if you haven't seen it uh excellent collaboration tool for annotating uh and collaborating over your own instance of minor attack um
            • 22:00 - 22:30 that is continuously updated uh from the core repository uh at at CED fantastic tool highly recommend it attack powered suit um and I have to just say this the folks who came up with us and wrote most of the code who wants to guess where they're from you get it right I'll do I'll I don't know what I'll do but all right some awesome incredibly smart dudes from Fujitsu they're like we need this and they wrote it and they're like well we
            • 22:30 - 23:00 get to name it we're like yeah you do you absolutely do because they wrote most of the source code powered suit anybody here is a Mobile Suit Gundam fan no yeah anybody nice so powered suit it is an add-on for your browser it let that massively simplifies a research workflow that involves using miter attack for um any purpose within it very cool attack Navigator a little more complex you can generate custom uh vers versions of of every one of the attack matrices uh
            • 23:00 - 23:30 download it as a Json object and then do whatever the hell you want to do with that Json object very fun uh lots of interesting applications for this if you want to talk about it catch me afterwards car cyber analytics repository it's free analytics it's literally what it is people just put analytics into it to catch all the various Min attack techniques sounds good to me tram natural language processing tool you give it a plain langu a plain text
            • 23:30 - 24:00 Intel report it spits out attack techniques pretty nifty worked on this on myself very fun anyways thanks for coming to my tid talk I'm Ben and I'm not on Twitter any [Applause] questions