How Honeypots and Canary Files Catch Attackers Before They Strike

You found the Backup Wrap-Up, your go-to podcast for all things backup,

recovery, and cyber recovery.

This episode, we take a look at honeypots and canary files, two

tools that can tell you that a bad guy is poking around your network

before they've done any real damage.

Dr. Mike Saylor is back with me and Prasanna to break down how these work,

uh, why layered security matters, and what the actual daf- difference is

between a honeypot and a canary file.

We also cover, uh, how to stand one up without spending a fortune, why

clock synchronization matters more than you might think, uh, that is, if you

ever want your evidence to hold up.

And, uh, Mike and I also have, uh, a little bit of news about

our new O'Reilly book, Learning Ransomware Response and Recovery.

Hope you enjoy it

welcome to the Backup wrap up.

I'm your host, w Curtis Preston, AKA, Mr. Backup, and I have with me

a guy who's apparently in a hurry.

So we gotta get started.

Prasanna Malaiyandi.

How's it going, Prasanna?

Let's go.

Let's go.

Let's go.

Come on.

Fast, fast, fast.

you know how I do all my YouTube at two x?

Can we do this at like two x?

Yeah, I don't think we can do that.

at least pretend to speak faster.

Yeah.

I think this episode, think maybe this episode might be quick.

I always say that and then, next thing I know, 45 minutes later,

One hour.

yeah.

run around with my hair on fire.

Yeah, I see what you did there.

And, speaking of, hair on fire.

we have our guest with us once again, Dr.

Mike Saylor.

How's it going, Mike?

Whoop, whoop.

It's going well.

and he, unlike me is the possessor of physical books.

Could do you have it nearby?

Can you hold it up?

I don't have it nearby.

Oh, so disappointed in you, Mike.

so both of us have been waiting for the shipment, the physical

shipment of the book that we just wrote, learning ransomware response

and recovery, and he beat me.

I, guess shipment to Texas is faster than shipment to California.

I don't know, maybe it's 'cause

I have pictures of it.

although, yeah,

pictures.

of it.

By the way, I like your offer and I'm gonna follow it up as well.

I'm gonna do the same thing with my copies.

We as authors, we get 10 copies and, we're looking for stories, we're

looking for ransomware stories, ransomware events, things like that.

And, we'll pick the best, basically send me a DM on LinkedIn, send Mike a

DM on LinkedIn, and, and then, we'll pick the best ones and the best ones get

a signed copy if that's what you want.

and,

Can you, can they can they get it made out to eBay?

you're so funny.

There's also audio, ver audio book versions for those that don't

like to hold books while they

I literally

consume knowledge.

to the audiobook version just a few minutes ago.

It is very weird.

I'm curious what voice they're using.

is it good?

The guy's fine.

he's a professional audio book narrator.

Mike

Okay.

name.

I actually know a guy that does audio book narration.

His name's William Shakespeare, believe it or not.

and I know him.

And then I have another friend whose name is Robert Lewis Stevenson.

I introduced the two of them.

I also know Stuart Little.

I just know some random odd people.

Anyway.

so Mike, why don't you, why don't you give us a little, there, there was a

little story I think that can help, an analogy here with, talking about

doing alarms in the yard and stuff.

why don't you tell us that story?

Security's all about layers.

Whether you're talking about cybersecurity or physical security, you don't want,

you don't want the one bell or alarm that goes off, to indicate that you

know a threat is right in your face.

you'd prefer that, you know something off in the distance.

trip wire smoke, something coming across the river and making noise in the water.

there's some indication at some point out in the distance that gives you

the idea that something is coming as well as the time necessary to

identify the threat if it is a threat.

respond appropriately.

Like, how do I prepare for this?

if you think about it, in the middle of the night, if you hear something,

the first thing you do is you wake up and go, I think I heard something.

And then you're gonna wait a second and then maybe you hear it again.

And if not, you eventually, you may get up and check it out.

But at that point.

They're already in the house.

And so what do you grab whatever's closest to you, whether it's

your cat or a candlestick or

Baseball bat.

a shoe.

You're not truly prepared for whatever that might be.

You're reacting in the moment and that's not good.

And so from a physical security perspective, typically.

And like in a neighborhood, you've got the street, you've got a curb, sidewalk,

yard fence, and then you got the perimeter of your house with, doors and windows.

And then inside the house, maybe outside the house too, you've got motion lights

and some other things that may trigger.

awareness.

and then you've got, maybe you've got, a door and window sensors.

So if any of those, are interacted with you, maybe you get a beep or the alarm

goes off, and then hopefully you've got other stuff in the house like a dog that's

gonna bark, or more lights or more people.

but the point is if a car, or somebody comes off the street.

there, there's layer one, layer two is across the sidewalk.

maybe that's how far out your motion sensors are, and now they're in the yard.

Now the light goes off, or the dog starts barking.

and so now there's other indicators that there's a threat approaching.

and you, so now you're starting to respond.

you're looking out the window.

you're on the phone with nine one one or you're grabbing your weapon, or you're.

You got your crew together, to respond to this threat if it comes through the door.

So that's the idea.

And si very similarly in cyber, we don't wanna wait until

something gets to our laptop and, someone's moving our mouse around.

we want other things between us and the bad guy, at least enough

of them, more than one thing.

so that we start to become aware of weird stuff much sooner than all

of a sudden our files are encrypted and we can't use our computer.

Mike, I love that analogy.

one thing that I know people sometimes say is you just want to make your house

look less appealing for a would be robber right than the house next door.

and by having those motion lights or motion triggered lights and things like

that, it's like, Hey, maybe I should go next door and see what's there.

Rather than trying to go to your house, is there something similar, like

does that analogy also apply in the cyber world as well, or not so much?

At least that part.

Okay.

So in the physical world, we've got a much, a much more

personal sense of risk, right?

So if I'm on the street and I'm a bad guy and I'm on the street and I'm

looking at house A and house B. I'm absolutely assessing the risk to myself,

my health, my, my consciousness, per perhaps, being caught and going to jail.

injury.

Do they have a dog?

I don't want, I don't like dogs, right?

I don't wanna get bitten.

or is there a sign in the yard that says there's an alarm system?

there a car in the driveway that says, local police department?

first Amendment, or Second Amendment, or, don't tread on me.

And I like guns and we don't call the police.

We, we call the landscaper, So I'm doing this assessment because I am

personally, physically, personally involved in this threat, this crime.

cybersecurity is much different for a couple of reasons.

One, very rarely do bad guys sit back in their chair and they, look at

company A and company or, victim A or victim B. they don't always do that.

In fact, it's very rare.

what they typically do is just cast a wide net using tools to

find open windows and open doors in these victim networks and systems.

And it's not until they start looking into, what does this door,

what, who, where does this door go?

Where does this window go?

That then they determine, that's a, that's nasa, right?

I don't want to, maybe I'm risk averse to.

That,

Yeah.

versus, Joe Schmo dental office.

so it's, it does happen, but not to the same degree and definitely

not early on, like physical.

I'm doing it.

Step one.

I'm assessing risk cyber, it's down the road a bit.

as they get to know who the victims are.

Yeah.

And so

Targets are.

is, that determines like how you're going to do the kinds of things.

It's a good analogy of the security, but how we're going to

respond is a little bit different.

But I think there are some.

Analogous things.

So you talked about, you literally used the word tripwire.

You could have a trip wire.

there's a product called Tripwire.

the, there are, and they operate in much the same way.

I think the thing, the primary thing that we're gonna talk about today.

I don't think there's really an analogy to that in the, kinetic world.

that word keeps coming up.

I don't think there's really an analogy to this concept of a

honey potter or a canary file.

Before we talk about that, a persona, do you know why do

we use the term canary files?

Or why do we use the term canary?

Of course I've watched movies.

Did they not use a canary in Zoolander?

I don't think they did.

I don't think they did in Zoolander, but that's funny.

I was like, what is he, why is he talking about Zoolander?

Yeah.

the, yeah, it's the cana The phrase is the canary in the coal mine.

what was that?

So when miners would go into these coal mines, of course at some

point oxygen gets low, right?

You have a good chance of suffocating.

And so what they would do is they would bring a canary, which is a little bird

with them along deep into the mines.

And if a canary passed out or something else like that, then they

knew, okay, there's less oxygen.

Probably a buildup of carbon monoxide.

We need to get out of here before we pass out.

We die.

So canary in a coal mine.

Of course the honey pot.

I think this is really just an analogy to, Winnie the Pooh.

and, 'cause he cannot resist a honey pot.

So let's talk about what the, so this idea, Mike is again that we're

trying to, trying to figure out that somebody is doing something, before.

actually do something, is that, I'm trying to take your analogy, which I really

like, and then bring it into this world.

We're trying to figure out that they're up to no good they

actually get up to no good.

Does that sound right?

I.

Close.

it, that, that is one objective honeypots, actually serve a

couple of different purposes.

one of them, is, a blatantly vulnerable honeypot is designed to allow, entice,

bad guys to attack it so that we learn about their tactics and techniques.

So what's the newest way bad guys are attacking the newest version of Windows

or Apple io Mobile, iOS or whatever.

So we put these honeypots out there to figure out why or how, bad guys are doing

it, and we use that information to make our products better, or it's also a good

way to, attribute, a given attacker's.

Techniques and tactics and procedures, we call those TTPs.

so how do we attribute then, because maybe we've got this open case, comp all these

victims, they're getting attacked and we underst, we've documented those TTPs,

but we can't figure out who's doing it.

so we can put a honeypot out there with similar victim.

attributes, something that looks like the profile of a company these bad guys are

attacking and we learn from that and it gives us an opportunity to potentially

tra track that activity in real time.

So there's that.

So it's a learning tool to try and get, more, familiarity with bad guy TTPs.

the other one is a distraction, I've got this very valuable production network.

So maybe I'm a, an IOT network and IOT's very vulnerable, especially

the older ones where we didn't really build secure architecture.

It's, I can ping a wellhead from a conference room.

That's not good.

If I build a very similar, potentially even simulated, honeypot

environment, bad guys compromise it, and it looks and reacts just

like my production environment, then they're gonna stop looking.

They think they've achieved their goal, right?

And so it's a distraction.

And then lastly, honeypots can be used as a test environment.

so I can.

If it's only used for that, then we wouldn't call it a honeypot.

But because we've already created this simulated environment that's

supposed to replicate and behave like production, why don't I also use that

for testing my changes, like change management, other stuff, right?

so there's a couple of different thing, ways we can use honeypots and a real world

kinetic, example would be like bait cars.

we, the, the auto.

auto theft division of police departments.

how are bad guys stealing the brand new Cadillac when it's supposed to have these

coated keys and this, that, and the other?

they'll put one out on the street and they'll make people, they'll let the

right people know that car's gonna be there for a while and then they observe

bad guys and how they attempt to steal it and then they steal it and now we

can track it and figure out all this stuff and those bad guys get caught.

and then back on the.

gone in 60 seconds.

That's what's, it's a good show.

and they do that with a variety of different things.

It's not just cars.

They do it with bikes and computers and that's, of value that they've

got this high volume of theft with.

they'll create these bait, bait situations where, they want bad guys

to take it so they can learn from it and track 'em and, potentially curb,

curb the, The volume of that crime.

So a non sequitur, I'm going to comment on one of my favorite bait sort of

things that people do is a porch Pirates where they do the glitter bombs.

Yep.

So that's also a honeypot, right?

Yeah, it's like a honey pot.

A honey pot with a exploding honey.

yeah, I do love the Porch Pirate glitter bomb, folks.

and.

Yeah, I do.

I do love that very much.

and I think the idea with the honeypot, especially given what you're saying,

that not just a matter of alerting us, But, it's also a matter of,

learning about the attacker and also.

their techniques and also potentially slowing them down.

That is, I hadn't actually thought about that second one.

The idea that if we do a good enough honeypot, that it, they

actually might think that they've accomplished their objective.

That's a really interesting, method.

And of course, I'm assuming that it would also activate some sort

of notification, so that we know that something has happened.

did we talk, go

but yeah.

Just a question on a honeypot though, right?

It all boils down to though how realistic of a honeypot you create.

Because if a bad guy knows, hey, it's like I think Mike, in one of the previous

episodes, you talked about, okay, if malware runs and it's Hey, this is running

within a virtual machine or a sandbox machine, I think on prior episodes, right?

It's okay, maybe the ransomware.

Or malware doesn't operate in a certain way.

And so I think in order for a honeypot to be useful, it needs to really

emulate a real world, example use case such that a bad guy doesn't know,

Hey, I am in this isolated network.

I am attacking a machine which doesn't have any value because then

they'll just move on from that.

Right?

And it and honeypots are not, to your point, they're easy to set up,

but they, it takes some time to, and management to, care and feeding.

but if you're a, a sizable organization that has a test development

environment, it's a similar.

Exercise, right?

So you've got, you wanna replic, replicate to a degree or mirror

your production environment so that your testing is, is applicable.

if you can then take that test dev environment and mirror

that in your honeypot, whenever you update test dev just.

the copy in the honeypot.

and you should be using scrubbed or simulated data

in your test dev environment.

so all that stuff could, if you're doing it the right way, be pretty easy to

replicate or mirror in your honeypot.

it, and that, that takes me back, takes me back, back in the day.

once again, and I remember that we had, we had a naming convention

would very much, to the purpose of the server, and it would allude to

the fact that it was a production server or a test or a dev server.

And in this case, if the test of dev is also gonna be acting as a honeypot.

then you would definitely not want to do that, right?

You would want it to

Yeah, don't call your honeypot assets.

don't start their names with honeypot, or test dev.

Yeah,

Yeah, honey.

one.

honey pot one.

Yeah.

Don't do

Someone call that a clue.

it does the idea is that it's gonna be something like it's still running.

windows 2003 server, with SMB turned on with no authentication.

RDP my favorite, the ransomware de deployment protocol, RDP is

turned on and it's available.

All of the things that we're not supposed to do in our production environment,

it's expected that you would do that in a hunting pot environment.

one of the things too, bad guys are absolutely gonna jump at the opportunity

to get into a network like that, but at the same time, they're gonna go.

They're gonna go cautiously because of how blatantly obvious it is.

So if you're gonna, if you're gonna, if you're gonna really walk outside

with your robe open, make sure that you sprinkle in some documentation, for maybe

there's a text file that says, we really shouldn't be putting this online yet.

Or, some false artifacts, that, that would state risk or identify risk or,

my favorite is, emails from executives telling it, I don't care what the

risk is, we've gotta do it this way.

stuff like that would help, further the story and potentially keep,

bad guys engaged a little longer.

Interesting that, so the social engineering aspect of

this is quite interesting.

I'm thinking about, I'm actually thinking about, the, when they, in World War

ii, when they staged the attack for D-Day and they had that entire other.

fake army and they had plans and all of that, right?

and they really did, they fooled them, right?

that they thought that this, that this was happening.

at, it was, but they thought it was happening in a completely different

place at a completely different time.

I've actually been

Yep.

location where they states that it was really cool that the

fake, tanks and things like that.

Are there.

Tools people can use for creating honeypots and configuring.

I know you said it's probably e not too bad to set it up, but to actually

like configure it and getting it more legitimate and all the rest

takes time, caring and feeding.

And so I was just wondering what are some of the tools out

there people may use for this?

there's a couple, you can just Google it.

you'll find open source projects there.

There's one called the Honeypot Project.

and so there's, Image files there, there's pretty much everything you

would need, to set up your own honeypot.

but really a honeypot is just an environment that, segmented

away from everything else.

and it could just be a, literally a mirror of your test dev environment.

or if you've got a backup of a production environment from

years ago, just spin that up.

'cause all that stuff isn't gonna be patched.

So you don't need, necessarily need.

Okay.

That's actually good to know because that means you don't need something special.

You could use whatever you already have for the most part

in order to spin up honeypots.

Yep.

So there's free stuff and there's also services, mostly

for the research part of that.

I think Tea teapot, tea dash pot, it's, it's European or it's somewhere overseas.

It's foreign service.

and I think there's a pay for version of that, and there's a free version of that.

I, I need to go find the link that IS that.

I, I sent to you guys, I don't know, a week or two ago.

I'm seeing advertised people on budgets or time constraints.

I've been seeing this advertised, this basically honey pot in a box, and

it's literally, it looks around the same size As like the, the firewall,

which is a product I like a lot.

and, it's, it is just literally tiny little box.

It is just plug and play.

honeypot.

I don't know much about how it works, but that's a tool that I've seen out there.

I gotta see if I can find that and put that in the episode description.

I think just the idea is like having the go back to, and we say this a lot,

something's better than nothing, right?

and, you can walk before you can or crawl before you can walk

and walk before you can run.

anything is better than nothing.

about this idea?

Mike, go ahead.

As long as you train with it.

we don't have a whole lot, but I have this thing.

have you ever used that thing for that purpose?

A great example of that is having a cat.

I have a cat.

I love cats.

Hypothetically, I'm actually allergic to cats, but, let's just,

You don't

let's say you're a cat person.

example.

No, a cat is a great example.

I could use a dog, but after I get through this, you'll understand why I didn't pick

a, maybe a chihuahua, but not my dog.

all right, so you have a cat.

You love your cat, you pet your cat, you take care of your cat.

Your cat is company.

it's a domesticated animal.

You don't have any other security controls in your house.

maybe you're a good fighter.

You've got nails.

you can scream.

you can run fast, but no other real security controls.

If someone breaks into your house, if you think about it

and you're comfortable doing it, throw your cat at the bad person.

'cause the first thing the cat's gonna do is claws first towards

whatever it's heading towards.

And bad it.

Put yourself in the bad guy's shoes.

Someone just threw a cat at you.

Are you still coming forward or you're stopping to like,

defend yourself against his cat?

that gives you a couple of seconds at least to, to get away.

'cause maybe you are fast.

but again, because I'm not a cat person, I'm, I like cats.

I just, I'm allergic.

I couldn't use dogs.

'cause obviously in that example, dogs are heavier and dogs, if again, if you've

trained them or you've put them in that situation would attack or at least.

Growl and

Yeah, it

make a scene.

Make someone think twice.

I used to have great Pyrenees, 160 pound, great Pyrenees, super

sweet dude, big male, great Pyrenees, and I was outta town.

Once he set off the motion alarm in the house, called the police.

Police showed up to check to make sure nothing was in the house.

And.

He got to the side door and this big great py, he is just sitting

on his butt, looking out the door, head down a little bit.

And the police, I was on the phone with the officer, he is yeah,

no one's going in that house.

that's different.

That's different.

but if all you have is a cat and you think about it and

you've actually done a little.

Maybe mental exercise.

Throwing your cat at a bad person is a, next best thing to nothing, to

Curtis's point, it's better than nothing.

Right.

but you have to have at least put yourself in that situation so that

you can think of or do, whatever that one thing is that's better than

Don't try it with the goldfish.

it.

the throwing a, a goldfish bowl at somebody is probably good.

the another important thing about a honeypot and on the, we're

in the action items part here.

So if we're gonna do something right, if we're gonna do a honeypot

there, part of that needs to be that a notification, right?

And so you do need to create a type of notification that won't easily

be noticed, 'cause You want to be notified that somebody has hit the

trip wire that somebody has put their.

their hands in the honey pot, but you don't want the, the bad guys

to know that they've been caught with their hands in the honey pot.

wanna monitor the honeypot just like you would.

parts of your network because you, you need to know, you need to know

bad guys are attacking your honeypot so that you can better prepare

for the iop, the scenario where they attack your real network, if

you're using it to learn from them.

Obviously you're gonna collect all that telemetry data.

and if they start taking things from you, that's a great place

to put those canary files.

So now you can track where it goes.

going to just ask about Canaries, 'cause we talked about it at the very beginning

and then we moved off to honeypots and.

So yeah, so Canary files would be something just, it is like a

honey pot within a server, right?

So you have a regular server, and then you've got, these files that

were very, very, but does that, are you okay with that description that

it's like a honeypot within a server?

Does that sound okay?

Mike

doesn't

so a honey pot is really just anything that a honey pot's, anything that, that,

looks appealing, it's gonna attract.

So you're attracting bees, you're attracting things to the honey.

So yeah, the canary file could be the honey for sure.

So it's just a, it is just, I think it's just a different

term for kind of the same thing.

It's just a, it's a file as opposed to an entire server.

And that file

the objective is a little different.

So the honeypot in general is designed to capture, it's designed to distract,

it's designed to attract, and capture activity and learn from and keep them away

from, the beehive, but the canary file.

Adds a couple of other objectives to that one.

because it's a file, a particular object, and that object is typically a file,

like a spreadsheet or a Word document or.

a file, it's not a folder, it's not a volume, it's a file.

That file has its own little trip wires and a couple of things that, that are

going to trip them is any change to the attributes and metadata of that file.

So if when we set that file two days ago, the last accessed and

created date was, two days ago.

If any of the metadata changes today, that trips the Canary file, so we'll get an

alert that says, Hey, someone touched it.

then in addition to that, if someone takes it.

We can track that.

So wherever it lands that hosted, that rented, command and control server, bad

guy's, cell phone, bad guy's, laptop.

It goes from here to there, it calls home.

It beacons, to the extent possible.

if a bad guy really knew what he was doing, he would prevent that.

But the canary,

It.

excuse me.

yeah.

Canary, Canary files, could be classified as malware because the

recipient fully aware of the intent or behavior of what they took.

So that would be classified as malware.

it's not.

It says it's, it says it's the financial spreadsheet, but really it's Canary file,

so that would be classified as malware.

It's not presenting itself as what it really is.

but yeah, Canary files do a little bit more, and it's designed to, to go

with, outside your honeypot, go with the bad guy, and hopefully report back

It.

It's like what in all those TV shows where it's like someone downloaded

the file, oh, I can track 'em with GPS at this particular location.

Okay, let's go bust it and grab them.

Sort of, yeah.

Yeah.

But one final thing, just to note, if you're in, if you're looking

at implementing a honeypot or a canary files, it's important to

have your clocks synchronized.

So use NTP, to make sure that all your clocks are the same.

Why would that matter, Mike?

synchronization in general is just, important from a networking

perspective so that things work.

in, misaligned time sync is actually a vulnerability.

And so that, you could use that as an enticement, but you're looking

at collecting data for evidence and for behavior and for tracking, that

information needs to be correct.

It happened on this day and time, and you can tie that together with

other, so if I'm gonna, if I'm gonna catch a bad guy and I said, you

hacked my system last Tuesday, all the logs and event data is from 1999.

You're gonna have trouble in court.

or January 1st, 1970.

Yep.

all right, I think we've talked about canary files enough.

person, any final thoughts?

you should go watch Zoolander.

Go watch.

I think I got the black long pop.

and, how about you, Mike?

Any fi any final thoughts?

I think canary files and honeypots are useful tools if you've got the

time to deploy them and to keep them updated, along with the playbook for

what happens when bad guys actually, start to, and it's not always bad guys.

Sometimes it's just, we call 'em script kitties.

just the curious, low level, people that, that are just getting into

cyber are curious about cyber.

they're running queries across the internet with the

tools they have access to.

They're gonna find your honeypot.

and so what do you do?

What do you do when, When, when they do it is kinda like back in the day when

your house is on fire, what do you do?

You closest to exit, stop, drop and roll, get outta the house.

We don't do that anymore.

I don't think my kids would know what to do if my house caught on fire.

'cause there's no commercials, there's no public service announcements.

but quite similarly, if you're gonna build something to attract bad guys,

make sure you've got a plan for how to handle that when it does happen.

Mike, I have one question for Mike.

Since you engage with a lot of people who've been attacked by ransomware,

malware, et cetera, how often do you see cases where the honeypot

exposes the attack, the trip wire before the main attack comes in?

Very often, if it, if it's a, if it's a, a representative honeypot, in other words.

Everything the bad guy did to this honeypot network would

have been similar to what they did to the production network.

if they're not the same, then you've got some indication of how a bad

guy operated and got where they got where they, where they ended up.

You can compare that to how that would've gone against the production environment.

but very often, you bad guy tactics.

From one type of bad guy, one group, one, one skillset.

It's kinda the real world, we call, what's their mo, what's their modus operandi?

some bad guys on, on the cyber side, they use the same tools.

they follow the same process.

They do this first and this second, or, there's this decision tree, but

it's, it's almost always the same from one, one victim to the next.

So is it safe to say though, if a bad guy attacks a honeypot, you detect it, there's

a high likelihood that your production environment is going to be safe.

it's gonna be next.

Okay.

Okay.

That's yes.

yeah, so the hunts, because at some point they're gonna go.

Why aren't they reacting?

Why aren't they shutting this down?

Why aren't they shutting me out?

I'm just in here having a good time.

I'm gonna invite some friends.

At some point they're gonna, this is weird.

I wonder if we're in a honey pot.

Now they're probably, there's a good chance they're gonna get upset about that.

back to Curtis's point, we've gotta monitor that honeypot so that you're

aware when they're attacking you.

that's your defense.

That's one of those layers.

That's gonna give you time now to really put focus on your

production environment, 'cause it's likely gonna be the next target.

And you, now you've got a chance to be ready and prepared and maybe

even, add some staff call, call a friend, start blocking stuff

that you don't narrow necessarily.

Block, start, shutting remote access down and things like that.

Turn off all your third party vendors that don't need access right now.

And maybe for the next six weeks, really put focus on that 'cause.

If they find out that there was a honeypot, yeah.

They're gonna, they're gonna look for your real network, your real environment.

Call a friend.

Call a mic.

right.

with that, I will say that is a wrap.