Podcast audio-only versions of weekly webcasts from Antisyphon Training
Hello, everybody. Welcome to today's Antisyphon Anticasts with James McQuiggan. Did I say that right?
James McQuiggan:You did.
Jason Blanchard:Alright. And this is how to detect malicious remote workers. And so, James has already freaked me out a few times by changing his face to my face, and then there's an opportunity that, he was working on like a voice modulator, but may or may not be able to get that work. There's some videos that are gonna play today, but I have learned from James in the past. And whenever James is like, I have another Anticast that I can give, you're like, yes.
Jason Blanchard:Let's get James scheduled. So if this is your first time ever seeing James present, you're in for a treat. If this is your third, fourth, or fifth time, then welcome back. Once again, if this is your first time at an Antisyphon Anticast, we do these every single week. We wanna give you some free knowledge to the best of our ability and show you what it's like to take training from us because it's a lot like this, and so it's just longer.
Jason Blanchard:And so, James, thank you so much for being here. Thank you for being a part of this community, and thank you for sharing your knowledge. I'm gonna go backstage. And when I'm backstage, if you need me at any time, just go ahead and call for me, I'll come and join you. Alright?
Jason Blanchard:It's all yours.
James McQuiggan:Thank you very much, Jason. Well, if you happen to catch me Monday night on the Black Hills InfoSec news that we did, when I signed off, one of the things that I mentioned was in the first thirty seconds or the first minute of this presentation, I'm going to give you a way to be able to detect if you have a North Korean employee working in your organization. Because while we're talking about malicious remote workers, this is based on the whole DPRK attack well, infiltration, we'll say, into a whole lot of tech companies back in 2024, kinda where it's going and what we can do about it. But I did mention I'm gonna give you a way. So let's get into it, and I'll give you the first way that you can do it right now.
Deb Wigley:Are you a North Korean? Are you a North Korean?
James McQuiggan:Okay. Maybe you won't do it in the office because we know they're all remote workers. So they'd have to do it over Zoom. Right? So let's see how it would be over Zoom.
Deb Wigley:You a North Korean? Are you a North Are a North Korean?
James McQuiggan:I didn't say it was gonna be a good way, and I just said that I was gonna give you a method of being able to detect it. So okay. Did we really just hire North Korea? And I'm sure a lot of folks were certainly asking that question a couple years ago. Some folks might even still be asking it now because essentially, you know, deepfake job application, the, you know, webcam's not working, AI's being used, you know, kind of a a triple threat of different types of attacks.
James McQuiggan:Because for me, when it comes to infiltrating an organization, you know, if you can get inside, you know, it's pretty well game over. Right? I mean, even when we're doing red teaming and pen testing, you know, we gotta get in, gotta get access to the system. And, of course, there was that one organization that came forward, KnowBe4.
James McQuiggan:And, essentially, you know, in July 2024, they came out about it, and we're gonna go into a little more detail later on. But, you know, there have been a lot of articles about it. You know, fake IT workers being hired, you know, significant increases, leveraging AI. Wall Street Journal even wrote a whole article about it as well, sharing with us not only was it North Koreans, but also how they had convinced, socially engineered Americans to be able to help them with that. And so we're gonna look through all that here today.
James McQuiggan:So I'm really curious. And this is one of the things that I love doing presentations here with Black Hills Antisyphon, Wild West Hack and Fest. And one of the things I love is the the Discord channel. Great way to be able to give feedback as a speaker, as a presenter. Feedback is what we thrive on during a presentation.
James McQuiggan:So seeing the memes pop into there, that warms my heart. So definitely your comments, your feedback, and everything else that's coming in there is great. So I have a question for everybody really quick. I know it's not a dad joke. That's later.
James McQuiggan:Now I'm curious. How comfortable do you think you are to be able to spot, we'll say, deepfake or somebody being hired. You can do it in the web I don't know if you can do it in the webinar with a thumbs up. You or no or not sure. You can drop a meme.
James McQuiggan:You can drop oh, good. You can do the reactions. Great. So seeing a lot of thumbs up. So a lot of people comfortable.
James McQuiggan:Some are aren't sure. Yeah. Because that's the laughing emoji there on the not sure. Because a couple years ago, when you were having these peep the North Koreans coming in with a deep fake, they were doing face swaps, and I'm gonna show that in a little bit as well. But they were essentially coming in with on camera because I remember when it happened with KnowBe4 and it came out in the media and everybody was like, you know, they have webcams.
James McQuiggan:You know, you can interview them. There are background checks. Yep. You're all exactly right. However, the kicker was this: the level of sophistication was something that hadn't been experienced.
James McQuiggan:And we had heard about deepfakes and we were talking about them, but we just hadn't seen it used in that capacity. And so now that's been brought to light and essentially go we're gonna go through and we're gonna take a deeper dive. Real quick, I know we did the introductions during the pre banter, but if you're just coming in now, my name is James McQuiggan. I am a part time faculty professor at Full Sail University teaching cyber threat intelligence. So if any of my students are watching, don't forget to work on your reports this weekend.
James McQuiggan:I'm also kind of in between roles right now. My role was eliminated in January. So for the last couple months, I've been seeking the new family, seeking that new opportunity. But I did spin up my own LLC so I can do contract work as well, and I've titled that company Apparent Security. And for those folks that know who I am and know what I love to do, you get it.
James McQuiggan:For those of you that don't, I like to make cyber threats apparent. That's why the logo is a lighthouse because what I used to do at KnowBe4 was essentially looking at trends, looking at what's going on in the industry, be that lighthouse that's out there advising folks through thought leadership, conferences, presentations, webinars, blogs, you know, all the different mediums that were out there. And truly, one of the best jobs I ever had. Had a blast doing it. So still kinda looking to do that now, maybe even through contract work.
James McQuiggan:But Apparent Security, because, you know, a joke becomes a dad joke when it's a parent. So I figured that was the perfect name to have for my little LLC. So there you go. Thanks, Jerry. Before I carry on, big shout out and thanks to Jason, Deb, and John, to Natalie and Ryan, everybody supporting me.
James McQuiggan:There at Black Hills getting this on today, and I'm really excited to kinda go through and share all this information with you. And then, of course, shout out to all the the awesome folks with Simply Cyber team Simply Cyber. Alright. Let's get into it. So today's journey that we've got, they told me that I had, like, two and a half hours.
James McQuiggan:Oh, wait. No. That was a workshop. Sorry. But it could I could do two and a half hours.
James McQuiggan:But kinda today, you know, I'm gonna do an overview of kinda how what happened, kinda give you some background with regards to North Korea and, you know, how we were ending up hiring these people overall. Then we'll look at the attacker's playbook. We're gonna look at some of the tools that they used and kinda discuss, and I'll give some examples, and I'll even demo one as well. We'll look at some use cases. I'm gonna deep dive into a little bit with the KnowBe4 story there.
James McQuiggan:And then look at the legal impact. What have been the consequences, the fallout from regards to that? And then, of course, I know everybody wants to learn about the you know, what's the playbook for us? That's great. This has all happened.
James McQuiggan:But what do we need to be aware of, which we'll go through? And then I'm gonna talk a little bit about the human risk. What can we do as humans? Because, essentially, this was, you know, a human interaction with another human to hire somebody. Yeah.
James McQuiggan:We've got our ATS, our resume reviews, the AI doing all that stuff. But when it comes down to it, we know that a human is making that decision, and there's that social engineering aspects. So I'm gonna touch upon some of the things that we can do as humans overall. Cool. So essentially, you know, I've been in this industry twenty five, two decades, twenty five plus years, lost track, kinda like John.
James McQuiggan:You know, feel like I'm still the intern. But essentially, one of the first computers that I hacked into years ago actually belonged to Forrest Gump. I got in because I was able to guess his password. Yep. It was 1forrest1.
James McQuiggan:So there you go. Got some new ones for you here today. Let's kinda have an overlook, an overview of kind of the North Korea situation. How did these attacks go through? And just to kinda baseline everybody, kinda one of the perks of being a professor, gotta make sure everybody's all on an even keel, same level overall.
James McQuiggan:Kind of as we look at it, you know, you've got North Korea. You've got the program leaders working with foreign based other North Korean employees that were based in China, then targeting US organizations. Dad jokes or sad jokes? No. They're not sad.
James McQuiggan:They're fun. But, anyway, North Korea collaborating with China because they had a lot of other contacts there as well. Targeting US, Canada, North America, they were targeting UK companies as well, and then essentially going after the different tech companies. Now you had organizations over in North Korea, one of which the 313 General Bureau of Munitions Industry Department. They had tech workers.
James McQuiggan:They had people that were trained up to apply and try to get hired by these tech companies over in The US. Also, the Ministry of Atomic Energy was another one. They were a critical player not only for nuclear weapons, but also day to day operations of trying to get hired into the organizations overall. And you had a variety of other smaller organizations within the North Korean government that were also working to get hired, which is why we've seen as we get through several different organizations from North Korea, also including China and US folks being arrested in some of the cases and with regards to the investigations that happened, the people that got arrested and who was tried and so forth and sentenced as well. But looking essentially, you know, they get hired, and the money that they're collecting, they're sending that money back over to North Korea so that they can fund.
James McQuiggan:Ironically, some of them were trying to get paid in cryptocurrency, which, you know, I think was a red flag right out of the gate. And so they weren't getting hired and realized, okay. You know, get the salary that we need because when it comes down to it and you look at the education with regards to the North Koreans with regard and not getting political with this whatsoever, but just kinda how they focused on education and training in a lot of IT related subjects. They had a lot of strong IT degree programs at their universities over there. Ironically, was the Kim Chusung University, but several of the different universities that were over there, they had like back in their, what was it, early late two late two thousand teens, 2019, 2020, they had 30,000, 40,000 students that were studying IT, and they were extremely dedicated to that.
James McQuiggan:40 different universities, 85 different programs, all focused on technology, engineering, math, you know, the list goes on and on, but all STEM type subjects. And essentially, the education system over there is extremely competitive, and they only take the top students. So, you know, over here, we've got our SATs, and, you know, we always say do well in school, and then, you know, off you go to university, and you can get a good job. There, it was like the Harvards of all Harvards over there looking to bring only the top students into these high value science and technology programs. Students were actually recruited into these.
James McQuiggan:They were looking at them early in secondary schools. And of course, you know, just like, you know, whether it's Ivy League schools here in The US and so forth. But once they got in there, then they were receiving additional train once they graduated top of their class, they were getting the the top IT students. They essentially were giving them additional training regarding overseas information, you know, culture, learning about what life is like in Europe, in The UK, in The US, and so forth. And essentially, they would end up going to other countries to try to learn that, whether it's Africa, Asia, South Asia, but basically getting them additional training overall.
James McQuiggan:So, you know, extremely competitive, top students, and then giving them additional training overall. And then it was essentially going out and trying to get those IT jobs. And when we look at those, you know, it pretty well you look at this this sheet here and you're like, yep. Pretty well any one of our own organizations, we need people like this. And these IT workers out of North Korea, they were earning, like, 10 times more money than a typical labor or somebody working, you know, over there.
James McQuiggan:Essentially, getting jobs in North America, they'd be looking at earning, like, $300,000 a year. Those developers, they get paid well because they were coming in with high-tech skills. I even remember seeing and I'm gonna show you the resume in a bit. But the resume that came in to KnowBe4 that was made publicly available, you read it, and it's, you know, kind of a top notch high level developer who knows all the stuff, and we're gonna look at, you know, some of the ways that they were developing it. But you can see all the different you know, everything from IT to support hardware development, AI applications, and so forth.
James McQuiggan:And so essentially, you know, these job opportunities for them gave them opportunities to make all kinds of, you know, really a lot more money than they were gonna make over there. And it was a way to be able to steal from The US or the other countries that they were gonna get paid really well and be able to to bring that money back over for their WMD programs, their weapons mass or munitions department, and essentially and bring the that money back over. And while we might be thinking, well, that was only must have been a handful of companies, it's a lot more surprising than that as well. Alright. So kind of the baseline there with regards to DPRK, with regards to the employees, what kind of people were coming to apply for jobs over here.
James McQuiggan:These were the smartest of the smarts, we'll say, that was over there. So as we look at what was in their playbook, how did they go about doing it? I snagged this from Zscaler. They put a nice infographic. There you go, Jerry.
James McQuiggan:Put a nice little infographic together. If I had saxophone music, I could play it for for somebody. But, essentially, you know, it's that similar to the diagram I showed you before, but looking to get hired into an organization. They were showing up with stolen identities. They were going out, grabbing the stolen identities, grabbing the stolen credentials, usernames and passwords, finding those, and looking at, you know, the different images.
James McQuiggan:And this particular diagram is based off the Contagious Interview / WageMole campaign where, essentially, they were looking to get hired into, you know, tech companies or into tech departments within organizations. Contagious Interview, basically, they were just trying to steal data, where WageMole was going in stealing the data and then using it for almost like a ransomware attack looking to extort them. And, of course, social engineering plays a big part into this. And with regards to not only the stolen information, stolen identities, they were leveraging those stolen identities so that when it came to doing background checks, they would end up passing. So once this all started to come about, you had Palo Alto, Okta, CrowdStrike.
James McQuiggan:They all came about and were doing their own investigations. Palo Alto went through. Within seventy minutes, they had a fully operational face swap program running. Somebody had never used it before, figured it out, was up and running in about seventy minutes. I'm gonna demo it here in a bit, but with regards to face swap, there is plenty of software that's out there, open source as well as commercial software.
James McQuiggan:You had CrowdStrike. They had identified particular groups that were using it. They were reporting that back in 2024, '25. But knowing that they as they were getting hired and they had to be for remote jobs, you had to be on camera. So the face swapping technology played a huge part in it as well.
James McQuiggan:Okta basically was doing real time deepfake video with interviews and knowing that with the generative AI, translating voices and transcribing conversations in real time because that was the other aspect. And I've seen some of these. I was trying to find one to put in here, but on TikTok, you've seen those kind of videos where you've got somebody shouting going, you need to be on camera now. You've gotta start sharing your screen because there's been so much of this already. Nowadays, organizations when interviewing remotely for coders, developers, they're wanting to, you know, get them on screen, make sure there's no blurred backgrounds, and so forth.
James McQuiggan:But looking at, you know, the different identities, on the left here, you have a stock photo, which ironically, I saw in a presentation a couple weeks ago. Somebody had this stock photo as somebody representing a group of people or whatever. But they had that stock photo, which was the one that was used in the KnowBe4 event with Kyle, and basically changed it to his face, so that, you know, could pass the background checks, the video verifications. But they were using things like Remaker, you know, just simple AI tools that are available online to be able to go through. Now you can be going through and using some of the face swap software programs that are out there.
James McQuiggan:Or, you know, when you're creating the images, you know, it's very easy to go through and use something like this. Heck, you can drop it into Gemini nowadays and get it to remove backgrounds and change facial features, just as easily. But with using the stolen social security numbers, the addresses, the credentials from, you know, real US citizens, along with using large language models to be able to write the resumes, to write the cover letters, you know, manipulating all of that information, CrowdStrike recognized, and the name they gave them was Famous Chollima, but basically created the real LinkedIn profiles that go with it. Remaker was recognized in the Contagious Interview infrastructure for creating all those different profile pictures as well. But this is kind of where it starts is you have the fake image, you have the fake resume, and so forth to be able to pass those background checks.
James McQuiggan:Here, you kinda get an idea of what the resumes look like. You know, if you've seen your software engineer, you know, lots of experience working with lots of different languages. I know when this resume came through, one of our top tech people looked at it and said, this is one of the best experienced people that I've seen in a long time. Granted, you know, wasn't a red flag because we thought it was legit. We weren't experienced at looking those.
James McQuiggan:But with regards, this Kyle here was basically applying for a principal software engineer relating to AI, submitted the resume. The picture came after they were they were hired, but we were doing videos with them already. So then he realized, oh, shoot. I need to have an ID picture. They appeared on the video, you know, to be US born citizens living in The US of Asian descent, claimed that he was educated in Hong Kong, worked with a bunch of US companies, did four Zoom interviews overall, passed all the technical checks and every and the reference checks.
James McQuiggan:And, essentially, you know, the background check company that we used was able I verified the stolen identity, not as stolen, unfortunately. It wasn't until way after the fact that we realized that there there are other companies that can be used. I'm trying to think of the one begins with an s, and it's I'm blanking on it right now. But, anyway, are background check companies that do deeper dives than just, you know, Social Security number verification check or looking at your companies. It goes deeper by looking at your education.
James McQuiggan:Usually, in organizations, they're just looking at Social Security number, checking work references, and your address. For me, and I'm flashing back now to my days of doing NERC CIP compliance where we had to do background checks and working with particular companies where not only was it the items I just mentioned, where you worked, your Social Security number, but we looked at education and going back as far as possible with regards to education and where you've worked, not just the last couple places overall. So essentially, you know, they got these resumes, they were going on the interviews, and getting hired overall. When we look now at they couldn't just do it all by themselves. You know, getting hired was great.
James McQuiggan:Now you're in North Korea, but you've got an address in The US. How are you gonna you're gonna need help. And so there was a lot of stateside assistance with these either laptop farms, but they needed the physical US addresses for delivery because they were gonna be remote. Looking at, you know, also payroll checks, you know, they they need to have banks set up, and so it required a lot of support from people here in The US, and and we're gonna look at a couple folks here in just a bit. But just overall, there were people that were set up here in The US.
James McQuiggan:Again, social engineered to think that you're working for an IT company overall, but they needed help with, you know, the remote access software, accepting payments, and then getting it to a point so it could get over to North Korea. Helping them with fake identities, helping them sign forms. You know, there was some reluctance with regards to that. But a lot of the hosts, a lot of the people, they were unaware. They believe they were helping out other people in China.
James McQuiggan:So North Korea, yes, we know. Okay. That's an embargoed country like Cuba and so forth. China, when people were desperately looking for jobs in 2021 because of COVID, you know, you have people that were basically organizing each laptop for each of the different organizations that the North Koreans got hired, helping them with, you know, creating those fake identities, signing forms. Even though there was hesitation on her part, she knew that she was helping them out and was like, okay.
James McQuiggan:But next time you've gotta do, you've gotta sign this because she was thinking these people were were over in China, were an American citizens and would be able to do it. So there was a lot of help needed stateside to kinda carry this through. So it wasn't all just one-sided. Now when we look at the face swap when they did the interviews, you know, with regards to the deepfake, there's a lot of different commercial software out there. There's open source software out there as well.
James McQuiggan:Swapface is one of the common ones, and you basically just upload the image that you wanna do, and the software is able to basically pick it off, and you can swap the faces and go through. You also have DeepFaceLive or Deep-Live-Cam as well. So I figured it would be worth kinda showing you and kind of demonstrating how this works. So the good thing is I'm sharing this screen here so I can bring up the software. What I have and you'll be able to see it here in camera, and it's using my camera that's in front of me, but I can go through, and I've already uploaded a couple faces already.
James McQuiggan:So here's the one that freaked out Jason. Right? But I can't be Jason unless I've got my Rica hat on. Right? So, you know, I could do the deep face.
James McQuiggan:I could do the swap face with this. Got some new glasses, and that kinda works there as well. Or I'm gonna freak out John even more, you know, and I could be John. Or I could be, you know, Jerry.
James McQuiggan:You know? Jerry Auger. I think a lot of folks know him. But for right now, I'm gonna switch over to this gentleman. That's nobody of consequence. He's probably a face model that landed in here.
James McQuiggan:But now at this point, it's not me. It's I've been able to put in this face swap overall. Now the kicker is is this software over here called Altered. I had it working before I connected into Zoom when I was doing my demos. But what I've got is this this Scottish accent and essentially just changing it in here.
James McQuiggan:Let's see if I can get it to play. I'm gonna turn it off. I'm gonna turn it back on. So my voice should be coming through. And as I turn on the voice changer because this is also get the the the idea behind it is using it like in video games, change your We love you, James.
James McQuiggan:Love your audio.
Jason Blanchard:Oh, James.
James McQuiggan:You might have to turn on the additional sound. No. I'm back. Here it is. I just have to turn it back on through Zoom.
James McQuiggan:I'd switched it over to what it should have done using the altered software, but it didn't do it. So there you go. Demo fail.
Jason Blanchard:Wouldn't it fly? Wouldn't wouldn't it be nice, though, if the North Koreans also had the same failure?
James McQuiggan:Yeah. I guess so. There are there are a variety of open source ones, and it's kinda one of the things I'm working on now is to kinda have a way to be able to, you know, do this with commercial software, virtual software, or with, on prem, your own system. Because this is all running off, my laptop that that's here. Well, that's a bummer.
James McQuiggan:But, anyway, let me go back to what I normally look like, so I'm not freaking everybody out. Alrighty. There we go. So we'll drop that. We'll drop that.
James McQuiggan:But I also did have a a fun demo as well. Let me play this. And I'm there's no audio in this. But, basically, this is me doing the face swap software. It's Ira Wigley, which is always fun.
James McQuiggan:This is when I did a presentation on CruiseCon, Roger Grimes, Robert Downey Junior. And one of the things that I just did there I'm a let me just kinda back that up. I'm gonna pause it if I can. Let's see if gotta have the pause button there. Alright.
James McQuiggan:So one of the tests that they've had a lot of folks do to determine if it's, you know, real or is it Memorex, When the face swap software is happening by putting your hand in front of it because it's not able to detect that it's a hand, and it draws essentially the mouth and the the whatever part of your face you're covering it. The other thing is usually on the sides, the kind of the stitching that shows up. They've asked, you know, folks to kinda lift your head way up and way down to try to catch it as well. But the software has gotten real a lot better. And even some of the open source stuff that's out there, even doing this, they've been able to figure out a way to be able to bypass that as well.
James McQuiggan:So essentially, while we have ways of being able to detect it visually, a lot of the time, you're gonna run into issues where that may not be as successful because they're already able to bypass it. So one of the other fun little videos, and I've shown this in my deepfake one, but it's kinda neat just to see it. This is somebody trying to apply for a tech job through a Polish tech company, and the CTO, Dawid, basically realizes there's something off. So I'm gonna play it here. There's no audio from the Korean.
James McQuiggan:So maybe his audio wasn't working. Yep. So he threw the hand up. So he ends the call there. He actually ended up writing an ebook all about the experience of this and deepfakes.
James McQuiggan:After I get done here, I'll drop it into the chat so you can check it out. It's got a lot of great info in there overall. Okay. So the KnowBe4 case, I've touched upon it a little bit already, but just to kinda give you a little more insight before we dive into, you know, the SOC playbook. Went through the interviews, hired the person, shipped them a laptop.
James McQuiggan:And at about 10:00 at night well, what ended up happening was we're getting ready to ship the laptop. And the the person that we hired, Kyle, stated that, oh, I'm I'm moving up to Seattle. Can you send my laptop there? Okay. Sure.
James McQuiggan:The laptop gets shipped. We see that it arrives. We see that it gets signed for. And at 09:55, the we see the employee power on the laptop, get connected to the Internet, and we then discover that they're trying to install some sort of malware, some password stealing malware on there. They tried doing it through a USB device.
James McQuiggan:Now we gave them a MacBook, and, essentially, they tried to download the malware from a flash drive. That failed. So then they ended up trying to do it through a Raspberry Pi. That failed through a network connection. Then we saw they were trying to manipulate some of the log files on there, and essentially this generated some EDR alerts into our SOC.
James McQuiggan:They got alerted, and then essentially brought in the powers that be. The CSO reviewed the application, reviewed the resume, and kinda figured, yep. There's something wrong here with weird excuses why they can't get on an audio call, can't get on a Zoom call. And, basically, the employee was refusing, not surprisingly, because we're communicating through Slack, not surprisingly, because they knew they couldn't get on camera. So ended up breaking the laptop, and this happened at 10:20.
James McQuiggan:We ended up shutting down the system and disabling it. We at KnowBe4 reached out to Mandiant, the FBI, and collaborated with them to discover that, yep, you guys hired a North Korean that had all their telltale signs. But one of the things that KnowBe4 did, at Stu's request, Stu Sjouwerman, the CEO at the time, KnowBe4 was a security awareness company. It was, you know, one of the big tenets of the organization was radical transparency. You know?
James McQuiggan:Look. Hey. If we've been infiltrated like this, how many other organizations have have suffered the same fate? Or it's had it's happened to them and they don't realize it yet. And so we put out a press release, we put out we had a webinar, we did an e book, we had white papers.
James McQuiggan:Yeah. Nobeliefor got ridiculed for it, but in the end, a lot of folks came forward and said, hey, we discovered that we had ended up hiring, you know, North Koreans as well and a lot more organizations came forward and and wasn't at that point. It wasn't a bad thing then. Oh, okay. But we break know before basically brought it to light and brought more attention to it overall, which was a good thing for a lot of organizations.
James McQuiggan:So essentially, kind of wrapping the the the book closing the book on on know before with regards to their case. Overall, excellent learning experience. Great way to bring the transparency. And, of course, you know, we're always dealing with computers, whether we're interviewing people, whether we're hiring people, we're working on them, so forth and so on. But has anybody ever wondered what kind of music a computer likes to listen to?
James McQuiggan:Well, that would be an algo-rhythm. Yep. So there you go. So let's kinda look at the legal impact. What kind of, you know, fallout was there?
James McQuiggan:Because not only did KnowBe4 bring it to light, but also there were other investigations going on. Four investigations, actually. You had the Yanbian Silverstar and Volasys one that went from, like, 2017 to March 2023. It took six years to build the case, get the information, before they were able to hand down an indictment. And, essentially, that one was well over, I believe, almost $100,000,000 in losses based off organizations. The next one, the Chapman one, that was Christina Chapman.
James McQuiggan:I'm gonna talk about her here in a minute. But essentially, there were over 300 companies infiltrated through her laptop farm that she was running, costing well upwards of about $20,000,000. Zhenxing Wang, his operation in New Jersey, there were two indictments in the US, but, basically, there were 29 other laptop farms with that one in 16 different states, almost 30 different financial accounts that were used to launder the illicit funds overall. Yeah. So a lot of fallout with regards to that.
James McQuiggan:Mandiant CTO Charles Carmakal came out and was saying, you know, hundreds of Fortune 500 organizations have hired these North Korean workers. Literally, every Fortune 500 company has at least dozens, if not hundreds, of applications. We're getting the applications coming in. It's a matter of making sure that we're not hiring them, which is the critical part.
James McQuiggan:Yeah. We know that there were a lot of applications, a lot of different North Korean IT folks were trying to get hired overall, whether they were successful or not. In the end, there were several indictments handed out. While they're North Koreans, we've handed out the indictments. We can't arrest them, non-extradition, but the US Department of Justice was able to arrest several people within the US.
James McQuiggan:Two out of New Jersey that were working with people from China overall. And then, essentially, these are all the other 12 that were listed in the indictments overall, of people that were involved in trying to get people hired or were hired. This is one of the images that came out of Christina Chapman's room. So essentially, just to give you a little background on her, March 2020, we get hit with COVID and everything shuts down. She gets a LinkedIn request to be a US face for an IT staffing company, and it takes several months, but by October 2020, she starts working with overseas IT workers, or so she thinks.
James McQuiggan:And she ends up running 90 devices, 90 different laptops, from her home. Now she started out working out of a trailer park, I believe, in New Mexico, and she ended up buying a house in Arizona. She was making good money off of this, granted, you know, coming from China, coming from North Korea. This was the other wall, and you can see all the little sticky notes. I'll give it to her, she was trying to be organized, but no doubt there were usernames and passwords.
James McQuiggan:And so she would have to get logged into these systems, get the VPN up and running, get connected in the organization, but then allow the remote access software to allow the North Koreans to be able to log in. Over her time, she collected $17,000,000 in paychecks from over 300 different US companies. Also, once the North Koreans were inside, there was data theft that was going on as well, looking at stealing information as well as doing the work that they were doing. Now the funny thing was, with regards to Christina Chapman, this is Christina here, and this is her on her TikTok channel.
James McQuiggan:Best Life Thrift. And it was interesting. I looked at her TikTok channel. It's still active and out there. Hasn't posted anything since late 2024.
James McQuiggan:Because since then, in October 2023 was when her home was raided in Arizona, and essentially she went to trial and pleaded guilty February 11, and 102 months, basically, eight and a half years of federal prison, three years of supervised release, and she has to pay back almost $300,000. So kind of a bad situation for her, but she would have her TikTok channel. She'd always open it up with, hello, loveys, talking to her followers, and she would be talking about her day. She was posting a lot of things regarding certain political issues and events that were happening, world events that were happening. But she'd also be talking about her day, getting new glasses or, you know, having to go, you know, get food, or her clients wanting to do something.
James McQuiggan:And, basically, you can see the laptops behind her. She thought she was working for a legit company, but the FBI were able to see that and go, yep. Nope. And they ended up storming her place and arresting her. So, essentially, you know, for those of us that are here in the USA, we live in a very interesting country, a great country, some folks will say.
James McQuiggan:So I'm really curious. Does anybody know what comes after USA? Well, that would be USB. And now we've got USB-C too. Right?
James McQuiggan:Yeah. Okay. So the playbook, the SOC playbook. What are things that we can do within our SOC, within our organization, you know, whether we're collaborating with the FBI through the IC3, the different behavioral indicators maybe, post-hire tools, TTPs, you know, looking at different ways that we can go through to be able to detect. Now from a technology standpoint, you've got the deepfake dashboard, but that's only on deepfake videos.
James McQuiggan:However, when it comes to deepfake detection, you've got a variety of different companies that cater to enterprise organizations, being able to, you know, detect in real time through Teams, through Zoom, Webex, whatever video software, camera software you're gonna use. GetReal and Validia are kind of the two leaders that I've seen out there in the industry where they're able to do real-time face swap detection to determine if, you know, they're using any type of correction on their face, swapping faces, and so forth. Okta's got ID verification features built into their stuff as well. SentinelOne's got stuff. Red Canary, CrowdStrike.
James McQuiggan:So a lot of the tech companies have come forward with different tools and capabilities to be able to, you know, monitor inside your organization, but also for face swaps as well. Now a lot of the time when they would do phone calls, they'd be using voice over IP systems. They would reuse the numbers, and mainly VoIP numbers. And so one of the things you wanna be able to do if you have folks that are applying to remote jobs and you wanna verify, verify the phone numbers. You know, whether you leverage something like Veriphone or Phone Validator through an API, and whenever it comes through on your HR system, see if it's a VoIP number.
James McQuiggan:Maybe even on the web application, you know, through Greenhouse, Glasshouse, going through, have something there to be able to use some sort of VoIP lookup service so that you can flag any temporary or disposable numbers that would be used, you know, by North Koreans so that they could, you know, appear to be in country. This is usually not one of the things a lot of folks mention, but VoIP numbers is kind of a good way to be able to go through and verify the number of whoever it is that's applying. See if you can even line it up that it is the right person with the number they're giving. So some telemetry, basically, from within the SOC. You know?
James McQuiggan:Once you've got the person hired, you know, some things to look for. Essentially, and you're probably already doing this, most SOCs do, it's like, hey, you're logged in here in the US. Now you're being logged in from Korea.
James McQuiggan:You know? Sometimes that's a telltale sign. That's why they ended up shifting to more VPNs, leveraging those, but using them inside the country. Using remote management tools, if that gets loaded onto a system, that's usually kind of a noticeable tactic as well. They were using a specific VPN tool on the system.
James McQuiggan:This one, Astrill, that kinda helps us detect it as well. Your endpoints, a lot of the time, were trying to load that remote management software, either on servers, or looking at USB device insertion here in this case. You know, if you're blocking USB devices, great. If not, then it's certainly something to be on the lookout for. Monitoring for traffic, you know, looking at which ones are connecting to what VPNs. You know, maybe outbound traffic looks weird.
James McQuiggan:You know, if they've got the remote connection coming in to one of these laptop farms, you know, maybe even large data transfers. So, again, this still falls under a lot of things that you would be doing already within a SOC, but you just kinda add to it, again, giving you an opportunity to be able to dive deeper if you think something is up. Unusual volume, SharePoint, OneDrive bulk access, email forwarding, that's kind of something else as well, where they're getting tired of connecting in. So just email it back, and then you've got email rules set up to an address in China or wherever else. But, essentially, looking at it, you know, with regards to DLP, Red Canary, they were able to find unusual sign-ins.
James McQuiggan:Mandiant's got a bunch of IOCs as well. I don't have the link, but it's not that hard to find. And then I know Unit 42 published a whole bunch of IOCs that are out there as well with regards to the RMM tools that are out there. So some hiring flags. You know, as I mentioned already, reused VoIP numbers or email addresses, you know, the same phone number appearing across multiple applications and resumes.
James McQuiggan:So once you've got that phone number come in, if it comes in under another name, maybe it might be a good idea to flag it. Mismatch for laptop delivery, where the address differs from the one on the resume. You know? It's one address on the resume, but then they want it sent somewhere else. Maybe reluctance to be on camera, or they're coming up with reasons why, oh, no.
James McQuiggan:Not able to get connected at this time, for whatever the reason may be. Don't wanna turn it on. As we saw, you know, if you don't turn it on, we're not interviewing you, and it's over. Not only the laptop, but maybe other devices get forwarded to another location as well. In the hiring process, one of the big things, and Wade Wells and I were talking about this the other day.
James McQuiggan:With regards to hiring, you're gonna get a resume of somebody. Have a look where, you know, they went to school. Have a look at where they live. See if you can get information relating to it without being overly sensitive or PII or anything of that nature. You know, avoid the religion questions.
James McQuiggan:But favorite restaurant. What, you know, I, in particular, you know, for college, you know, look to see what are the local bars and see if they can name those. One recommendation, which I thought was kind of interesting, was if you really wanna see if they're from North Korea, ask them about Kim Jong Un. You know, the operatives basically will answer without hesitation. It's just kind of, you know, part of their wiring.
James McQuiggan:And if you ask a question about it, they'll do it. But later on, it was something where, you know, they would terminate the call rather than say anything negative. But if you were to ask something about it and see what the response would be, it kinda would help with that interview as well. But, you know, maybe asking about the main road, or asking about a restaurant, asking about people or a professor. I know one time a question was asked.
James McQuiggan:The person on the resume stated that they were born and raised in Dallas, Texas. And the fun thing about that was the question got asked about, you know, the Cowboys are having a rough time this year. And there was a bit of a delay, and then they came back and said, yeah, they're having a tough time wrangling up all the cows and getting them into the farm. Yeah.
James McQuiggan:That was pretty well a clear indicator, because anybody who's anybody, even if you do live in Dallas, Texas, and you're not a big fan of the sports ball, the football, or whatever else, you know who the Cowboys are overall. So being curious is kind of a key indicator with that as well. So with all these different industries being targeted, I don't know if anybody realizes, but Spider-Man and Wonder Woman are going into business together. Yep. It's gonna be called Amazon Web Services.
James McQuiggan:So there you go. Alrighty. So real quick, the human element with regards to this. You know, we can look from, you know, remote workers, insider threats, DPRK. We wanna be threat modeling it.
James McQuiggan:You know, going through with our either AI first ready security team, whether it's our HR security team, part of our tabletop exercises, going through and doing threat modeling, you know, looking at, okay, if somebody gets in, what's our process? What should we be looking at with regards to that? You know, tool familiarity, understanding what the different tools that they might be using to come in. Maybe even once they're inside, you know, again, cross functional literacy, understanding, you know, insider threat, the different tools that could be used for that. But understanding the different tools, making sure we understand them, what could be used overall.
James McQuiggan:And then, of course, upskilling, you know, making sure we're getting our folks educated, not only our HR team, and most likely a lot of folks are, but it's always good to keep them educated on the different attack methods with regards to deepfakes, face swaps, and so forth. Essentially, we're kinda almost looking at trusting and verifying, being a little skeptical, maybe politely paranoid, especially on remote workers. You know, this applies to anything relating to the human, especially with what we're seeing so much in AI. We're seeing so much with remote workers with these events that have occurred overall. You know, having this mindset for now until the technology is fully there, it's fully available, and we can go, yep.
James McQuiggan:No problem. We know it's fake. You know, being politely paranoid doesn't hurt. Now we're dealing with people all the time, and I know we've probably got a lot of men and women on here today, and, you know, I don't know who the most secure guy in the world is, but I'm curious if anybody knows the name of the most secure woman in the world, and it's not Jen Easterly. No.
James McQuiggan:Her name's Emma. Emma Fay. Yep. I can hear the groans. I can hear the face palms.
James McQuiggan:Cool. Alright. So we are at about, I got about six minutes left before I wrap up because I can do the wrap-up in about a minute. I wanted to see if there were any questions. I see the Q&A here has exploded with, like, 20 different questions.
James McQuiggan:Or if you've got any questions back there, Jason, I'm seeing this. I don't see any questions in here. I see about losing audio. Shouldn't that indicate the user's connecting through VPN? I assume they're not connecting through North Korea.
James McQuiggan:Usually, what they were doing is connecting through the laptop farm, but coming in through a VPN to that, but usually, for the interviews, they were most likely connecting in through the US first and then connecting into the organization. Central database maintained. There's not a database. The question was, is there a central database maintained between companies of who they identified as malicious actors? I didn't grab the link.
James McQuiggan:But there is a GitHub out there that collected a whole bunch of email addresses and phone numbers. If you ping me on LinkedIn, I can see if I can dig it up, or I'll dig it up after we get done. But I know that there was a GitHub with all that information that was out there. Credential checks, drug and health screens, etcetera. How do they falsify those?
James McQuiggan:I take it those weren't required to be in person. Sterling, yes. That's exactly who I was thinking of for the background checks, because they go deep. Usually on the credential checks, like I said, on the employment, they had the references already in place with the phone number, so they call up and verify. But the drug and health screen, they would just send somebody else, they would either leverage the person's face, or the organization wasn't doing drug and health screens.
James McQuiggan:I know that we were, I can't, I'm not sure how they got around it, but most likely they were using a fake ID or they paid somebody off or some other way. Yeah, no doubt that they got around that. Google Voice numbers are VoIP. Yes, they are. If you give them your GV, you might get flagged.
James McQuiggan:Sterling appears to partner with the UPS Store for fingerprinting. That's kind of one of the things that I remember talking with folks about: you almost need, like, a notary to verify that, yes, this is the person. And by going in, you know, with UPS, for in-person fingerprinting, identity verification, that is something that would be good if we had something, you know, you could have Sterling or one of those companies partner up to be able to get that verification overall. Let's see. Keyboard language detection.
James McQuiggan:Yeah. Sports, TV, sports, food, spotting unusual answers seem to be all the ones we spot. How do we get a copy of the joke book from James? It's in the works. Working on a book right now.
James McQuiggan:Should SOHO businesses consider this as an active threat or only? They were mainly going, it's basically remote work, which also, I would have to believe that any contract work, they would be trying to do that as well. Things like Upwork and, office hours, I think is what it's called. You know, where you can get contract work. No doubt they would be trying to go through and do that there as well.
James McQuiggan:Cool.
Deb Wigley:Cool. Well done.
James McQuiggan:Thank you. Let me just wrap up here real quick. Yep. So key takeaways. Let me throw these up here.
James McQuiggan:You know, we know what, over 300 organizations, 400 really, you know, have been involved in these, discovered. There's probably dozens, hundreds more that are out there. They're using AI. We know that's out there. It's important that we do the threatening.
James McQuiggan:Sorry, Wade. But the threat hunting based off the IOCs. Extortion can happen. Some of the things that we were seeing when employees, once they got in, they were already prepping to do a ransomware attack overall. Finally, I can't remember if you guys have a survey, but I do. You're more than welcome to go out there.
James McQuiggan:Provide me some feedback. It's just me. It's not any other company behind me, but you can scan the QR code. That's the link right there. Don't come at me with it.
James McQuiggan:But the QR code is there, and you're welcome to go out there and provide me some feedback. What you like, what you didn't like, and so forth. And with that, I will throw it back on over to you, Jason and Deb. Thank you again. This was a hoot.
James McQuiggan:This was a lot of fun. I love following along in Discord. You guys always crack me
Deb Wigley:up. Yeah.
Jason Blanchard:Thank you, James. Thank you so much for sharing knowledge today. Real quick for everyone that's still here in the Zoom chat, you'll see the link to get the free survival guide incident response edition. So if you haven't gotten that yet, you can go ahead and order it. If you're in The United States, if you're outside The United States, then please, go ahead and download it, the PDF version, because we can't ship overseas at this time.
Jason Blanchard:Other than that, the six-hour free SOC Summit is coming up on March 25. We'd love for you to register for that. We only have spots for about 5,000 people, and we're getting ready to reach that number. And so we'd love for you to join us. It's a six-hour session with 11 expert speakers.
Jason Blanchard:Alright, James. James, before we get going, so you're currently you're currently looking for a new home, new place?
James McQuiggan:There's three irons in the fire, and they're glowing hot. I'm Okay. Getting close. I'm getting close. So we'll see.
James McQuiggan:So I can't say any more than that.
Jason Blanchard:I do wanna say, like, hey. You know, James, I teach people all the time how to job hunt, and I always tell them keep hunting until you get your first paycheck. Yep. Because I come from the film industry where you could be working, and it's not a real job until you don't get paid. Yep.
Jason Blanchard:And so in case anyone's job hunting or needs somebody, you might reach out to James on LinkedIn. Alright. James, thank you so much for sharing your knowledge. Thanks for being here. I think I feel like we're good.
Jason Blanchard:So we're just gonna end right here.
James McQuiggan:Mhmm.
Jason Blanchard:And so if you haven't checked in yet for Hackett, you can always do that on the Black Hills Discord server. If this was your very first time here and this was all new to you, come back next week or come back tomorrow. Troy Wojewoda tomorrow is gonna be talking about a breach assessment that we did where we found an attacker had been essentially there for seven months doing a very novel attack that we had seen for the very first time, and wrote a report on it recently and put it out. So, James, I know you gave your final thoughts, but if you could, what's your last thought before we go? And then Deb, and then we'll go ahead and kill it.
James McQuiggan:Be vigilant with regards, you know, especially on the remote workers. I I know they're still applying. They're still trying to get in, so be vigilant with regards to it. Share the word. Share the knowledge.
James McQuiggan:And, not only on the DPRK folks, but just, you know, on the insider threats as well. K.
Jason Blanchard:We do have the slides, I believe, are in the resources channel. So they're in Discord. They're also in the Zoom chat. Ryan, if you can confirm that they're actually in Zoom where people can go ahead and get that link and get to the the slides. And then as Deb's saying her final thoughts, we'll make sure that those are there in case anyone needs still needs the slides.
Deb Wigley:Oh, I think Blueshore nailed it. He just said be excellent to each other. So I'm just keeping kind to each other. There's a lot of crazy stuff going on. So just keep being in Discord, being kind, generous person, helping others is always gonna be my ask.
Deb Wigley:And we love you guys, and thanks for showing up. Yeah. That's it.
Jason Blanchard:Alright, Ryan. Can you confirm that the link was there and the resources were there for people to get the slides if they wanted them?
James McQuiggan:Yeah. Link is in Zoom resources.
Jason Blanchard:Okay. So everyone, before we kill the session, if you look in the resources in Zoom, you should see a series of links and documents and things like that. You can go ahead and look in there. And I'm gonna give you, like, forty-five seconds to get it before we kill the webcast today. So with that last forty-five seconds, join us for the SOC Summit.
Jason Blanchard:Join us Mondays for the news, Wednesdays for Anticasts, Thursdays for Black Hills webcast. We do this a lot. We have workshops coming up. We have all kinds of things. And so if you are here, thank you.
Jason Blanchard:We'll send you emails in the future. We don't send you emails about our services. We only send you emails about things that you might actually want. I mean, you might want our services.
Deb Wigley:You want our services.
Jason Blanchard:Yeah. You might want our training. You might want to take corporate like, get your entire team to take antisyphon training. I'm not gonna turn that down.
Deb Wigley:Yeah. When a form comes in, when someone fills out the contact us form and it says they heard about us through webcasts, I always get very excited. Mhmm. Like, that's that's us. Yay.
Jason Blanchard:Alright. And with that, in 10, 9, 8, 7, 6, 5, 4, 3, 2.
Deb Wigley:1. Boom.
Jason Blanchard:Alright, Ryan. Kill it with fire.
Deb Wigley:With fire.