1
00:00:00,000 --> 00:00:15,000
Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy, reliability and compliance on the Microsoft Cloud Platform.

2
00:00:15,000 --> 00:00:22,000
Hey, everybody. Welcome to Episode 79. This week is just myself, Michael and Sarah. Mark and Gladys are taking a little bit of time off.

3
00:00:22,000 --> 00:00:32,000
And this week we have a guest, Thomas, who's here to talk to us about MSTICPy. But before we get to our guest, let's take a little lap around the news. Sarah, why don't you kick things off?

4
00:00:32,000 --> 00:00:42,000
Sure. So I've just got one little bit of news this time, which is the Azure Linux container host for AKS has now gone GA.

5
00:00:42,000 --> 00:00:59,000
So if that's something you might have played around with in public preview or something that you need to have or you need to use. So if you want to use a Linux container in your AKS, go and have a look because it's now GA, which means it's fully supported.

6
00:00:59,000 --> 00:01:15,000
And yeah, we've had quite a few customers who've been running it for a while now in the public preview. Plenty of people saying good things about it. So we'll put a link in the show notes. So if that's something you might be interested in, go and have a look.

7
00:01:15,000 --> 00:01:30,000
The other thing I've been away for a couple of weeks. I've been doing some conferencing. I was super lucky to be at Black Hat Asia and also a conference called NDC, which is Norwegian Developer Conference, which is in Oslo.

8
00:01:30,000 --> 00:01:45,000
There I've been speaking to devs about security and talking to them more about how they can secure things because we know that a lot of security issues can lead from how people build things. So it's great to go talk to not just security people about security.

9
00:01:45,000 --> 00:01:53,000
Go and talk to the wider IT land. Something that was really interesting, Michael, I don't know, because you've done secure coding for a long time.

10
00:01:53,000 --> 00:02:05,000
I asked the room who had had a bad experience with security in the past. Bear in mind, this is a room full of, you know, basically devs. Pretty much everyone put their hand up, which is really sad.

11
00:02:05,000 --> 00:02:22,000
And the people sort of had negative experiences with their security team. I think this comes from, you know, the days of us just saying no and not being helpful. But I don't know. What do you think, Michael? You've had experiences with that before. You've been doing secure coding stuff for a long time.

12
00:02:22,000 --> 00:02:35,000
I think the number one skill that I think a lot of security people actually miss is the ability to choose your battles, right? Some things are just not worth fighting. And some things are. I mean, you're willing to die on the hill for that particular position that you want to take.

13
00:02:35,000 --> 00:02:43,000
The other thing is, and I've sort of believed this for a long time now, is, you know, anyone can tell you how to secure something.

14
00:02:43,000 --> 00:02:58,000
But I think it really takes a really experienced security person to know when you don't have to. Because sometimes you don't have to. And unfortunately, a lot of security people don't like to take that position.

15
00:02:58,000 --> 00:03:11,000
And hence, they end up just saying no, no, no, no, no. Whereas sometimes there's a very amenable middle ground. And a lot of security people don't want to take that middle ground. They want to just take, you know, no, no, no, no, no. And unfortunately, that doesn't get you anywhere.

16
00:03:11,000 --> 00:03:14,000
Good point. Actually, I love talking to developers. I love it.

17
00:03:14,000 --> 00:03:22,000
I've got a few items. The first one is in public preview is Azure Active Directory Support for Azure Files SMB shares.

18
00:03:22,000 --> 00:03:35,000
This is cool because, I mean, historically, you know, if you talk about SMB, for example, on-prem, that was primarily using, you know, Windows specific algorithms, transport algorithms and authentication algorithms.

19
00:03:35,000 --> 00:03:46,000
Now, for SMB file shares using Azure Files, you can now use Azure AD. Now, that's really cool because you can use managed identities. And that's really cool as well because now you don't have to store credentials.

20
00:03:46,000 --> 00:03:55,000
You know, AAD takes care of the credentials. So now we can start building much more secure solutions because we're not persisting credentials anywhere. So great to see that.

21
00:03:55,000 --> 00:04:06,000
The next one is in general availability is Private Link support for Application Gateway. Again, you know, App Gateway was historically something that was just public, sort of public facing.

22
00:04:06,000 --> 00:04:13,000
Well, now you can lock it right down if you're using it, you know, with private endpoints. So this is another great thing to see.

23
00:04:13,000 --> 00:04:20,000
As I mentioned, on so many episodes of the podcast, we're seeing this huge wave across the company and have been seeing it for a long time now.

24
00:04:20,000 --> 00:04:26,000
So we're seeing more endpoints and more use of managed identity and AAD authentication for clients authentication.

25
00:04:26,000 --> 00:04:34,000
And the last one also on managed identities generally available is managed identity support for capture in Event Hubs.

26
00:04:34,000 --> 00:04:47,000
So there's a capture feature in Event Hubs and users can now use managed identities when capturing event streams to storage services such as, say, Azure Storage Services or Azure Data Lake Storage Version 2.

27
00:04:47,000 --> 00:04:58,000
So it enables users to do cross subscription data capturing as well. So again, really great to see more products using managed identities and AAD authentication for clients authentication.

28
00:04:58,000 --> 00:05:03,000
So with that little short news section out the way, let's turn our attention to our guest.

29
00:05:03,000 --> 00:05:12,000
This week we have Thomas who's here to talk to us about MSTICPy. Thomas, welcome to the podcast. Would you like to take a moment and introduce yourself to our listeners?

30
00:05:12,000 --> 00:05:22,000
Sure. Thank you, Michael. So my name is Thomas Roccia and I'm currently working at Microsoft as a senior security researcher in the Defender team.

31
00:05:22,000 --> 00:05:30,000
So the goal of my team is basically to look for new threat and improve the detection for our products.

32
00:05:30,000 --> 00:05:46,000
So basically we are always looking for new techniques that will try to bypass the antivirus engines and the security that we put in place in Windows OS and Windows products and Microsoft products.

33
00:05:46,000 --> 00:05:55,000
So yeah, my goal is mainly to investigate malware, understand how they work and build detection and signatures against them.

34
00:05:55,000 --> 00:06:08,000
And yeah, I've been part also to the MSTICPy team since a year now. So I'm involved with some of the development features and so on. And yeah, that's me.

35
00:06:08,000 --> 00:06:16,000
Thomas, obviously, well, you also live in Melbourne like me, so we have met in person a few times.

36
00:06:16,000 --> 00:06:28,000
But what is your team? What's your team's kind of main goal? Because I know that we have a lot of research teams in Microsoft and they all do different things.

37
00:06:28,000 --> 00:06:37,000
We've had a couple of people on before who've done research stuff. So I'd be really keen to hear what your focus is.

38
00:06:37,000 --> 00:06:46,000
So my team is... So obviously the team is super big. So there is different kind of work groups and different research team.

39
00:06:46,000 --> 00:06:56,000
My team in Melbourne is focused on what we call advanced techniques, detections and PUA and grayware research.

40
00:06:56,000 --> 00:07:08,000
So basically this is some of the research that we do against potential unwanted application and potential unwanted software.

41
00:07:08,000 --> 00:07:16,000
But also we are looking for how these tools are used for install malware.

42
00:07:16,000 --> 00:07:22,000
And it could be also some research around hardware because I do have a big economy as well.

43
00:07:22,000 --> 00:07:34,000
So the team is basically working on this kind of focus and tracking the cybercrime economy related to ad fraud, ad clicking and so on as well.

44
00:07:34,000 --> 00:07:40,000
You actually said something there that I'm not so afraid and I'm not super familiar with. You said grayware.

45
00:07:40,000 --> 00:07:43,000
I don't know what is grayware.

46
00:07:43,000 --> 00:08:00,000
So it's basically software that are supposed to be that appear to be legit. But in fact, they are playing in the border and just you don't really know if it's a legit application or if it's a malicious application.

47
00:08:00,000 --> 00:08:07,000
And it kind of it's kind of a gray area because you don't really know and you have to investigate.

48
00:08:07,000 --> 00:08:12,000
And most of the time there is malicious stuff running in that space.

49
00:08:12,000 --> 00:08:22,000
Well, that's really cool. Now, I know that one of the things that you work on and I wanted to talk about this quite a lot because I know of it, but I don't know enough about it is MSTICPy,

50
00:08:22,000 --> 00:08:32,000
which is a tool that's been around a little while. But can you tell me about the tool and, you know, the history of it, what we do with it, et cetera?

51
00:08:32,000 --> 00:08:43,000
So MSTICPy is basically a Swiss Army knife tool for threat intelligence. So it has been created by Ian Hellen.

52
00:08:43,000 --> 00:08:53,000
I think it was in 2017 or something like that. And at first it was an internal project used to interact with a lot of Microsoft data and so on.

53
00:08:53,000 --> 00:08:57,000
Jan and Microsoft decided to release it as an open source tool for the community.

54
00:08:57,000 --> 00:09:06,000
So MSTICPy is a Python library which you can use to analyze different kinds of data source.

55
00:09:06,000 --> 00:09:11,000
You can also use it for logs, but you can pretty much use it for any kind of data.

56
00:09:11,000 --> 00:09:19,000
And the advantage of MSTICPy is that you can use it using a Jupyter Notebook,

57
00:09:19,000 --> 00:09:27,000
which is basically a framework to create Python code and exchange the information using a notebook with your team.

58
00:09:27,000 --> 00:09:41,000
So this is super powerful because you can combine Python visualization capability as well and also Jupyter for exchanging a kind of workflow with your team.

59
00:09:41,000 --> 00:09:54,000
MSTICPy is basically, as I said, a Swiss Army knife for threat intelligence. So you can use it, for example, for querying different kind of logs for investigation,

60
00:09:54,000 --> 00:09:57,000
forensic investigation, incident response as well and so on.

61
00:09:57,000 --> 00:10:04,000
You can also use it for enrich the data that you collect with multiple threat intelligence providers.

62
00:10:04,000 --> 00:10:13,000
So, for example, there is modules to connect your data with VirusTotal or any kind of other threat intelligence provider, for example.

63
00:10:13,000 --> 00:10:24,000
And you can also plug MSTICPy to Azure Resource if you have some kind of information that you would like to investigate and analyze as well.

64
00:10:24,000 --> 00:10:30,000
And I think the most powerful feature of MSTICPy is the visualization.

65
00:10:30,000 --> 00:10:35,000
So there is some modules that you can, you know, directly use.

66
00:10:35,000 --> 00:10:43,000
It's built in the application and you can directly use against your data to visualize different kind of trends,

67
00:10:43,000 --> 00:10:48,000
also creating some interactive timelines, make some process trees.

68
00:10:48,000 --> 00:10:54,000
And this is very powerful and useful when you are doing this kind of investigation,

69
00:10:54,000 --> 00:11:03,000
because in a single glance, you can have a tool that will help you to analyze all your different data,

70
00:11:03,000 --> 00:11:07,000
but also visualize them and enrich them with multiple tools as well.

71
00:11:07,000 --> 00:11:15,000
So this is really, really for me, it's one of the best tools today for doing threat intelligence research,

72
00:11:15,000 --> 00:11:20,000
because this is super versatile and also very easy to use.

73
00:11:20,000 --> 00:11:27,000
I'm going to ask as someone who is not an amazing coder, how much Python do you need to know?

74
00:11:27,000 --> 00:11:31,000
Well, the thing is with Python is pretty easy to use, you know,

75
00:11:31,000 --> 00:11:37,000
it's probably the language the most used in the cybersecurity industry.

76
00:11:37,000 --> 00:11:42,000
And the reason is because it's not so difficult to learn it and to use it.

77
00:11:42,000 --> 00:11:47,000
So I would say if you have some basic knowledge of Python and if you know the basics,

78
00:11:47,000 --> 00:11:55,000
you know, such as the structures of the code and how to create some loops, some functions and so on,

79
00:11:55,000 --> 00:11:57,000
I think it's fairly easy to use it.

80
00:11:57,000 --> 00:12:05,000
The documentation also helps a lot, understanding the features of MSTICPy and how to use it directly.

81
00:12:05,000 --> 00:12:11,000
And also there is a lot of examples on the GitHub repository.

82
00:12:11,000 --> 00:12:15,000
So there is some notebook as well that you can directly reuse and adapt with your own data.

83
00:12:15,000 --> 00:12:20,000
So you don't even know, you don't even need to know really how to code in Python.

84
00:12:20,000 --> 00:12:27,000
You can just reuse the code that we already built and just adapt it with your own data.

85
00:12:27,000 --> 00:12:32,000
So you mentioned you can query various types of data, including your own data.

86
00:12:32,000 --> 00:12:34,000
Can you give examples of data?

87
00:12:34,000 --> 00:12:39,000
So for example, I work in the Azure SQL Database team or Azure Database team, I should say.

88
00:12:39,000 --> 00:12:45,000
I do Cosmos DB, Azure SQL Database, MySQL, PostgreSQL and so on.

89
00:12:45,000 --> 00:12:51,000
I mean, those examples of logs that you could use and, you know, W3C logs from a web server.

90
00:12:51,000 --> 00:12:55,000
I mean, what sort of typical logs you're sort of looking at?

91
00:12:55,000 --> 00:12:57,000
Well, it really depends actually.

92
00:12:57,000 --> 00:13:06,000
So you can connect it, for example, to an Azure cluster and make some requests to KQL, for example.

93
00:13:06,000 --> 00:13:13,000
So with that, you can actually put any kind of data into KQL and then request the information using MSTICPy.

94
00:13:13,000 --> 00:13:16,000
So it's really versatile.

95
00:13:16,000 --> 00:13:18,000
So I have actually a good example.

96
00:13:18,000 --> 00:13:22,000
Last year, I'm not sure if you heard about the Conti leaks.

97
00:13:22,000 --> 00:13:34,000
Conti was a famous ransomware group and some of the internal leak chat, some of the internal chat have leaked last year.

98
00:13:34,000 --> 00:13:39,000
And I did some experimentation using MSTICPy and analyzing this kind of data.

99
00:13:39,000 --> 00:13:46,000
So it was basically JSON file with all the information related to the discussion of the members of the group.

100
00:13:46,000 --> 00:13:56,000
And what I did actually, I just used MSTICPy to load all this information and started to analyze them.

101
00:13:56,000 --> 00:14:06,000
So I used MSTICPy to extract indicator of compromises, such as, for example, IP address, URL, Bitcoin address as well.

102
00:14:06,000 --> 00:14:16,000
I also used MSTICPy to enrich that information using the threat intelligence provider, but also navigate through the data and extract the information that I wanted.

103
00:14:16,000 --> 00:14:20,000
And the thing is with MSTICPy, you can use Jupyter Notebook.

104
00:14:20,000 --> 00:14:23,000
So you can also build your own dashboard.

105
00:14:23,000 --> 00:14:27,000
So with Jupyter, you can create, for example, like Button and so on.

106
00:14:27,000 --> 00:14:30,000
So it's part of Python and Jupyter.

107
00:14:30,000 --> 00:14:36,000
And you can basically create a notebook that will be interactive to your data.

108
00:14:36,000 --> 00:14:43,000
I actually wrote a blog post on the Microsoft blog last year and there is a Jupyter Notebook as well available.

109
00:14:43,000 --> 00:14:47,000
So you can just reuse it, load the data.

110
00:14:47,000 --> 00:14:59,000
And for example, I build kind of a map with the connection between the different members where you can visualize the number of discussions between two members and so on.

111
00:14:59,000 --> 00:15:05,000
So pretty much you can really load any kind of data through MSTICPy.

112
00:15:05,000 --> 00:15:14,000
And there is some built-in modules that help you to connect directly to some specific interface, such as KQL or Azure Data Explorer and so on.

113
00:15:14,000 --> 00:15:22,000
But you can also use your own data from an Excel file, a JSON file or any kind of other format of files.

114
00:15:22,000 --> 00:15:25,000
What about for things like on-prem like with Windows?

115
00:15:25,000 --> 00:15:29,000
Could you read Windows event logs or do they need to be extracted in a certain form first?

116
00:15:29,000 --> 00:15:31,000
You will need to extract them.

117
00:15:31,000 --> 00:15:37,000
But if you have them in some places, you can totally do that as well.

118
00:15:37,000 --> 00:15:46,000
So, Thomas, I know that well, I am very familiar with Microsoft Sentinel and there are some other products that use workbooks.

119
00:15:46,000 --> 00:15:56,000
Now, workbooks do do visualizations, but that's just based on the queries in the logs that are within the product.

120
00:15:56,000 --> 00:16:03,000
But some people might be asking, what's the difference between a workbook and MSTICPy?

121
00:16:03,000 --> 00:16:05,000
So why would you use one over the other?

122
00:16:05,000 --> 00:16:08,000
I don't know if you've got any thoughts on that.

123
00:16:08,000 --> 00:16:16,000
Yeah, I think MSTICPy is a bit more versatile to use, especially because you can use it with Python.

124
00:16:16,000 --> 00:16:27,000
So you can code your own modules, add your own information and your own features, something that you cannot really do with a workbook.

125
00:16:27,000 --> 00:16:41,000
And also with MSTICPy as well, you have some built-in features that can help you enrich the data and some specific features that are really specific to investigation.

126
00:16:41,000 --> 00:16:53,000
Such as, for example, we have full modules used for pivoting, such as getting one information and pivoting through that information to uncover more and so on.

127
00:16:53,000 --> 00:17:04,000
So MSTICPy is just a bit more versatile and it's not only dedicated to Sentinel, but to multiple kinds of data and information.

128
00:17:04,000 --> 00:17:16,000
Makes sense. Now, we talked a bit a lot about MSTICPy, but I also know that you are a very busy bee and do lots of other security research projects.

129
00:17:16,000 --> 00:17:25,000
Now, the one that I wanted you to tell us a little bit about was your Unprotect project, because I'm not sure if people will be familiar with that.

130
00:17:25,000 --> 00:17:29,000
So can you tell us about it and what it is and what you do?

131
00:17:29,000 --> 00:17:39,000
Yeah, sure. So the Unprotect project is basically an open database that aims to document every malware evasion techniques.

132
00:17:39,000 --> 00:17:45,000
So it's a very, very daunting task because there is a lot of different mechanisms and so on.

133
00:17:45,000 --> 00:17:55,000
But basically we tend to we try to document that information and in the database you can get information about, for example.

134
00:17:55,000 --> 00:18:04,000
So we are classifying the evasion techniques by different categories, such as, for example, anti-debugging, anti-disassembling.

135
00:18:04,000 --> 00:18:13,000
It could be also network evasion, sandbox evasion and so on. And the goal is to provide a full detailed classification about this technique.

136
00:18:13,000 --> 00:18:24,000
So if you go to the portal and you search for a specific evasion technique, you will get information about this specific technique, such as the descriptions.

137
00:18:24,000 --> 00:18:30,000
And also we provide the code snippet that can be reused for detection purpose or even red teaming.

138
00:18:30,000 --> 00:18:36,000
And we also offer YARA rules, Sigma rules and capa rules when it's available.

139
00:18:36,000 --> 00:18:46,000
And the goal is really to help a malware analyst or an investigator or security professional to understand more about a specific evasion technique.

140
00:18:46,000 --> 00:18:55,000
So the project is community centric, meaning everyone in the community can participate and contribute to the project.

141
00:18:55,000 --> 00:19:00,000
And we actually have at the moment 24 contributors from the community.

142
00:19:00,000 --> 00:19:12,000
And you can just make a submission, improve an existing description, or also just upload YARA rules or a code snippet and so on.

143
00:19:12,000 --> 00:19:22,000
So I started this project in 2015. And at that time I was working as an incident responder for different customers.

144
00:19:22,000 --> 00:19:38,000
And each time I went on site, I realized that the customer didn't really understand why a specific piece of malware wasn't detected by the antivirus engine or wasn't really analyzed by the sandbox and so on.

145
00:19:38,000 --> 00:19:51,000
So I started to document the evasion techniques just to help them understand how malware can bypass the security in place and the analysis and so on.

146
00:19:51,000 --> 00:20:00,000
And so at first the project was just an Excel sheet and then it became a wiki, an open wiki.

147
00:20:00,000 --> 00:20:10,000
And today it's a much more bigger platform where we have all the techniques and all the information.

148
00:20:10,000 --> 00:20:17,000
One of my friends, Jean-Pierre Le Sueur, is also one of the core contributors of the project.

149
00:20:17,000 --> 00:20:22,000
So we are actually two people maintaining this project at the moment.

150
00:20:22,000 --> 00:20:29,000
But since it's community-centric, there is also multiple people that are contributing to the project from time to time.

151
00:20:29,000 --> 00:20:40,000
But basically this is the place to go if you want to learn more about malware evasion techniques and understand how to analyze it and improve your detection in place.

152
00:20:40,000 --> 00:20:46,000
So word on the street is that you've got a book out on this kind of topic. Do you want to talk a little bit about that?

153
00:20:46,000 --> 00:20:53,000
Yeah, sure. I just released a new book. I'm super proud of it. It was a lot of work, actually.

154
00:20:53,000 --> 00:21:00,000
So the name of the book is Visual Threat Intelligence, an illustrated guide for threat researchers.

155
00:21:00,000 --> 00:21:07,000
And I really wanted to offer something different. So it's not your typical computer science book.

156
00:21:07,000 --> 00:21:19,000
It's more like a visual guide with illustration, graphics and so on. So I wanted to provide something which is very digestible to understand, easy to read,

157
00:21:19,000 --> 00:21:25,000
but also can serve as a reference in your daily job or for a starting learning point, for example.

158
00:21:25,000 --> 00:21:34,000
So it's a book about threat intelligence. And in this book, I talk about the fundamentals of threat intelligence,

159
00:21:34,000 --> 00:21:45,000
such as, for example, the threat intelligence life cycle, the traffic light protocol, the different types of intelligence, open source intelligence as well.

160
00:21:45,000 --> 00:21:54,000
I'm also talking about threat actors and operating methods. So I will talk about tactic, technique and procedures, the ATT&CK matrix.

161
00:21:54,000 --> 00:22:08,000
Also, the Unprotect project is part of this book. Then I'm also talking about how to track an adversary, a threat actor using indicator of compromise,

162
00:22:08,000 --> 00:22:18,000
using pivoting techniques and so on. And I also talk about some different tools, such as YARA, Sigma and also MSTICPy in this book.

163
00:22:18,000 --> 00:22:28,000
And the last part of this book is about the notorious cyber attacks that have shaped the cyber security industry for the past decade

164
00:22:28,000 --> 00:22:40,000
and some of the investigation that I did along my career. So I'm also writing about, I'm also discussing about my past experience

165
00:22:40,000 --> 00:22:52,000
from the front line of some of the biggest cyber attack of the past decade and so on. So it's really a practical book with visualization.

166
00:22:52,000 --> 00:23:03,000
I think it's really different to what currently exists on the market today. And this actually was my goal. I really wanted to propose something different.

167
00:23:03,000 --> 00:23:16,000
I didn't want to have a big book which is very heavy to read and understand. This one is fairly easy to understand and to read because of the visualization,

168
00:23:16,000 --> 00:23:29,000
but because also of the specific structures that I put in place. And I think it's kind of innovative in our industry because I don't think there is a similar book in the market at the moment.

169
00:23:29,000 --> 00:23:38,000
You often find books that are either academic, very dry, hard to read. Then at the other extreme you've got Malware 101.

170
00:23:38,000 --> 00:23:47,000
It's nice to see by the sound of it you're reaching a middle ground which I think is... I'm actually a fan of because a lot of stuff that I work on,

171
00:23:47,000 --> 00:23:58,000
I tend to write a lot of that middle ground documentation to bridge the gap between people understanding it and people who are super duper technical.

172
00:23:58,000 --> 00:24:10,000
You want to bridge that gap on a regular basis. That way you're meeting a very large population of people. So yeah, that's great to see. I hope we do well. I hope the book does really well.

173
00:24:10,000 --> 00:24:16,000
I've got a question for you, Thomas. Did you draw all the pictures in the book?

174
00:24:16,000 --> 00:24:21,000
Yeah, all of them. All of them. Yeah, all of them.

175
00:24:21,000 --> 00:24:31,000
For those of you, you should go and check out Thomas' book. Thomas draws really lovely visual diagrams and I'm very jealous of the skill that I do not have.

176
00:24:31,000 --> 00:24:34,000
Yeah, that makes two of us.

177
00:24:34,000 --> 00:24:42,000
It's very complicated when you... Sometimes when you see the final illustration you say, okay, it's very easy.

178
00:24:42,000 --> 00:25:00,000
It's very complicated, the process and the reflection to think about a technical concept and think about how to illustrate that technical concept in a simple way without removing any important information.

179
00:25:00,000 --> 00:25:16,000
So it's kind of very complex to start with an idea and starting to draw the illustration and to have something really useful and really complete without removing some really crucial information.

180
00:25:16,000 --> 00:25:29,000
So the process of reflection is super heavy and it's actually... Writing a book is super complicated because you have to write every day and go to your routine and so on.

181
00:25:29,000 --> 00:25:41,000
But adding illustration on top of that is another challenge as well because every illustration takes days to create and to put in place.

182
00:25:41,000 --> 00:25:54,000
And during the process of writing the book, I always recreated some part of the illustration because my mind evolved during the process of writing.

183
00:25:54,000 --> 00:26:01,000
And at some point I get new ideas and so on. So I had to redo some part of some of the illustration and so on.

184
00:26:01,000 --> 00:26:11,000
So it was a constant work and at some point you have to say, okay, now it's okay. I need to stop and I need to release the book at that time.

185
00:26:11,000 --> 00:26:22,000
Well, Thomas, I know that when I need drawings doing, I know who I'm going to come to because clearly you're not busy enough already.

186
00:26:22,000 --> 00:26:29,000
But yeah, that's probably it. I actually might hit you up for drawings. I'm not lying. That's a true thing, but not yet.

187
00:26:29,000 --> 00:26:37,000
All right, this has been good. So one thing we ask all our guests is if you had just one final thought to leave our listeners with.

188
00:26:37,000 --> 00:26:46,000
As a final thought, like if someone wants to start in threat intelligence, I think the best way is probably...

189
00:26:46,000 --> 00:26:57,000
Today there is a lot of information on the Internet. So I think the best way is probably to be aware of what's going on in the world, in the cybersecurity world as well,

190
00:26:57,000 --> 00:27:03,000
but also in geopolitics because threat intelligence is very tied to geopolitics as well.

191
00:27:03,000 --> 00:27:09,000
And also just be informed, go to security conferences, meet people and so on.

192
00:27:09,000 --> 00:27:19,000
And I think that's the best starting point today in this industry because if you meet the different people, you will potentially have new opportunities and so on.

193
00:27:19,000 --> 00:27:26,000
So I think that's the best way to do so. Yeah, just be aware of what's going on. Meet people and share your knowledge.

194
00:27:26,000 --> 00:27:30,000
Thomas, thanks so much for joining this week. I kind of stayed on the periphery of MSTICPy,

195
00:27:30,000 --> 00:27:37,000
but it's good to see MSTICPy being explained by someone who is actually actively involved. I certainly learned a great deal from it.

196
00:27:37,000 --> 00:27:43,000
And to all our listeners out there, we hope you found this episode of use. Stay safe and we'll see you next time.


