
The Thin Red Line:
Connecting Indicators of Compromise with Cisco Umbrella and Cisco AMP Threat Grid

Paolo Passeri, Consulting Systems Engineer, Cloud Security

BRKSEC-2112
Abstract

As attackers find new ways to target their victims, accurate threat attribution is a critical element of an effective response aimed at containing the current attack and anticipating future ones.

The challenge, however, is to reveal the thin red line connecting the indicators hidden in events detected at different layers.

This session explains how to leverage the integration between Cisco Umbrella and Cisco AMP Threat Grid to link, in both directions, the malicious Internet infrastructures used by criminals with the security events detected at the endpoint level.

BRKSEC-2112 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
The world is full of obvious things which
nobody by any chance ever observes.

Sherlock Holmes
The Hound of the Baskervilles
Sir Arthur Conan Doyle

WHOAMI
CSE, passionate security enthusiast with
more than 15 years of experience.
Joined Cisco following the acquisition of
OpenDNS.
Author of hackmageddon.com, a blog
that publishes bi-weekly timelines and
statistics of the main cyber attacks.
Member of the ENISA Threat Landscape
Stakeholder Group.
Twitter: @paulsparrows

Agenda

Introduction
What is Cisco Umbrella Investigate
What is Cisco AMP ThreatGrid
Advantages of the Integration
A Day in the Life of a Security Analyst
Linking the Dots
Conclusion
Umbrella: a Single Global Recursive DNS Service

Benefits:
- Global internet activity visibility
- Network security without adding latency
- Consistent policy enforcement
- Internet-wide cloud app visibility

(Diagram: three deployments forward DNS to Umbrella, each through its own ISP: enterprise location A, with users behind an internal InfoBlox appliance; enterprise location B, with an internal Windows DNS server; remote sites at enterprise location C, with an internal BIND server; plus roaming laptops off-network. Umbrella provides recursive DNS for internet domains, while the internal servers remain authoritative for intranet domains.)
With Data Centers Co-located at Major IXPs
25 data centers worldwide
Gather intelligence and enforce security at the DNS layer

Recursive DNS (any device -> Umbrella resolver) and authoritative DNS (root -> com. -> domain.com.) provide two complementary data sets.

User request patterns (recursive DNS) are used to detect:
- Compromised systems
- Command and control callbacks
- Malware and phishing attempts
- Algorithm-generated domains
- Domain co-occurrences
- Newly registered domains

Authoritative DNS logs are used to find:
- Newly staged infrastructures
- Malicious domains, IPs, ASNs
- DNS hijacking
- Fast flux domains
- Related domains
Intelligence to see attacks before they are launched

Data
- 90B DNS requests resolved per day
- Diverse dataset gathered across 85M users in 160 countries

Security researchers
- Industry-renowned researchers across Cisco Talos and Umbrella
- Build models that automatically classify and score domains and IPs

Models
- Dozens of models continuously analyze millions of live events per second
- Automatically score and identify malware, ransomware, and other threats
Detect/Prevent Attacks at Different Stages

Pre-Compromise | Compromise | Post-Compromise
Our view of the internet

- 90B requests per day
- 65M daily active users
- 12K enterprise customers
- 160+ countries worldwide
- 2M+ live events per second
- 11B+ historical events

Determine guilt by inference, association, or pattern.

Existing statistical models: Spike rank, Natural Language Processing rank, Predictive IP space, pDNS/WHOIS & Threat Grid correlations, Geo-location & -diversity, Co-occurrence, Secure rank, Live DGA detection

New statistical models: Live DGA prediction, Sender rank; new security categories: Newly Seen Domains, Potentially Harmful Domains, DNS Tunneling VPN
Our efficacy

- Discover: 3M+ daily new domain names
- Identify: 60K+ daily malicious destinations
- Enforce: 7M+ malicious destinations blocked while resolving DNS
Agenda

Introduction
What is Cisco Umbrella Investigate
What is Cisco AMP ThreatGrid
Advantages of the Integration
A Day in the Life of a Security Analyst
Linking the Dots
Conclusion
Investigate: a powerful analysis tool to uncover threats

Key points
- Intelligence about domains, IPs, and malware across the internet
- Live graph of DNS requests and other contextual data (domains, IPs, ASNs, file hashes), correlated against statistical models
- Discover and predict malicious domains and IPs
- Enrich security data with global intelligence
- Available through the Console and through an API (for SIEM and TIP integration)
And a single, correlated source of intelligence
- Passive DNS database
- WHOIS record data
- Malware file analysis
- ASN attribution
- IP geolocation
- Domain and IP reputation scores
- Domain co-occurrences
- Anomaly detection (DGAs, FFNs)
- DNS request patterns / geographic distribution
Agenda

Introduction
What is Cisco Umbrella Investigate
What is Cisco AMP ThreatGrid
Advantages of the Integration
A Day in the Life of a Security Analyst
Linking the Dots
Conclusion
Examine files with context-driven analysis
Static and dynamic analysis execute automatically

Dynamic analysis: process tree visualization
- "Outside looking in" approach: no presence in the VM
- Proprietary techniques for static and dynamic analyses
- Observes all changes to the local host and all network communications
- Capability to pivot on any data element
- Downloadable analysis JSON, in minutes
- Accurately identifies attacks, in near real time
- Detailed report identifying key behavioral indicators and a threat score

Legend of the process tree: process with additional activity; F = file activity; R = registry activity; S = sample process
Identify and prioritize threats
Easy-to-understand threat scores guide decision making
- 450+ behavioral indicators (and growing): malware families, malicious behaviors, and more
- Detailed description and actionable information
- Prioritize threats with confidence
- Enhance SOC analyst and IR knowledge and effectiveness (and that of the security product)
Leverage our global community and scale
Threat intelligence prepares you for tomorrow's threats
- Millions of samples analyzed every month
- Correlates each sample analysis with billions of malware artifacts
- Near real time analysis
- Exceptional scale and coverage for global threats
Agenda

Introduction
What is Cisco Umbrella Investigate
What is Cisco AMP ThreatGrid
Advantages of the Integration
A Day in the Life of a Security Analyst
Linking the Dots
Conclusion
Malware File Analysis Data
Powered by Cisco AMP Threat Grid

(Diagram: Investigate holds the intelligence about the attacker's infrastructure (IP, ASN, domain, DNS, BGP); AMP Threat Grid holds the intelligence about the attacker's malware; the two are linked in both directions.)
Speed Up Incident Response
Investigate + Threat Grid: complete view of the attacker's infrastructure

AMP Threat Grid: malware file intelligence
- Static and dynamic analysis to learn how the malware file behaves on the system
- Artifacts created, IOCs identified, network connections made, registry and system changes

Investigate: internet infrastructure intelligence
- Research domains, IPs, ASNs used in attacks and proactively uncover future threats
- IP, ASN, domain, DNS, BGP
Agenda

Introduction
What is Cisco Umbrella Investigate
What is Cisco AMP ThreatGrid
A Day in the Life of a Security Analyst
Linking the Dots
Conclusion
Will It Be a Good Morning?

Unfortunately, It Looks Like It's Not!

Malicious domains: something weird is happening
- Always the same two domains
- At regular time intervals
- There are also botnet connections

Someone got infected off-network and did not have the roaming agent installed!
Challenges to a Proper Incident Response

Limited resources
- Shortage of experienced incident responders and analysts
- Senior analysts need to be more efficient

Alert priority
- Flood of alerts daily
- Difficult to prioritize investigations
- Difficult to identify the source of the threat

Effective threat intel use
- Difficult to operationalize threat intelligence
- Often unreliable and out-of-date

Internet-wide threat visibility
- Where attackers stage attacks
- How domains, IPs, ASNs, and malware are connected
Let's Collect Some Information
Can I identify patient zero?

The outbreak started here: the Destination Report lets you identify patient zero, the first identity that requested the malicious domain, and is useful to determine how the infection spread inside the organization.
Is the Attack Targeted?
Let's see how it compares with the global traffic

Global Traffic %: compares the local activity with the global trend for the domain, to identify whether the attack is targeted or opportunistic. Useful to determine the priority for IR.

Well, I am unlucky: I am generating 50% of the total requests (maybe the campaign targets my vertical). Local queries account for 50% of the global traffic to this domain.
It's Time to Investigate
What information can I collect to remediate?

Let's have a glimpse into the Umbrella threat intelligence for this domain.
Notifications
High-level overview for the domain

Notification alerts call attention to particular information that may be useful or relevant to the domain. They are grouped by color: red, yellow, green and blue.
DNS Query Graph
The DNS Query Graph is scaled against total Internet traffic globally

Well, this traffic shape is weird. The DNS Query Graph shows the number of queries per hour from all Umbrella users over the past 30 days.
Domain is Blocked!
Oh well, at least I am safe

This alert pertains to a domain that has been found to be malicious and is currently in the Umbrella block list (pretty obvious!).
A Bad Neighbour
Suspicious ASN Score

The ASN has a bad reputation. A suspicious ASN score is an ASN score lower than -2: if a domain resolves into an ASN that has a poor reputation, the domain's score becomes more suspicious.
A Bad Infrastructure
Prefix Reputation

The prefix has a bad reputation. A suspicious RIP score is equal to or less than -50. The RIP is a score given to a domain based on the IP address(es) it resolves to and the reputation score of those IP address(es).
SecureRank 2
Ranking of a domain based on the lookup behavior of client IPs

Bad clients' behaviour. SecureRank2 is the ranking of a domain based on the lookup behavior of the client IPs requesting it. It is designed to identify domain names requested by known infected clients but never requested by clean clients. The SecureRank2 score ranges from -100 (suspicious) to +100 (benign).
How Do We Determine the Score of an IP/Prefix/ASN?
Say thanks to bipartite graph theory

SecureRank
- Infected hosts often connect to known bad sites
- Domains requested primarily by infected hosts are most likely malicious

IP/Prefix/ASN reputation score
- Malicious hosts are often found in the same areas
- Flags sketchy neighborhoods based on the number of malicious sites hosted there
SecureRank and Bipartite Graph Theory
Destinations (domains, IPs) guilty by inference

(Diagram: bipartite graph of Internet activity. On one side, the DNS requests per identity, each identity labelled good, bad, or insufficient data; on the other, the reputation scores per DNS neighborhood, good, bad, or indifferent. The edges are the DNS requests linking identities to destinations.)
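The bipartite idea above, as an added example that is not Umbrella's code (the production SecureRank is a proprietary PageRank-like computation over billions of lookups): a small label propagation over a constructed lookup log, where a few identities carry known labels (for instance from an endpoint alert) and every domain inherits the mean label of the identities that asked for it. The identity and domain names are hypothetical.

```python
"""SecureRank-style label propagation over a bipartite client/domain graph.

Added example, not OpenDNS/Umbrella code. A domain requested mostly by
known-infected identities inherits a negative score, a domain requested by
clean identities a positive one, and a domain both populations request
(a CDN, an analytics host) ends up near zero: "insufficient" evidence.
"""
from collections import defaultdict

# Constructed lookup log: (identity, domain). Names are hypothetical.
LOOKUPS = [
    ("c1", "news.example.com"), ("c1", "cdn.example.net"),
    ("c2", "news.example.com"), ("c2", "cdn.example.net"),
    ("c3", "news.example.com"), ("c3", "qzxk7.example.org"),
    ("c4", "qzxk7.example.org"), ("c4", "cdn.example.net"),
    ("c5", "qzxk7.example.org"), ("c5", "cdn.example.net"),
]

# Seed labels from another source (e.g. an endpoint alert): +1 clean, -1 infected.
SEED_IDENTITIES = {"c1": 1.0, "c2": 1.0, "c4": -1.0, "c5": -1.0}


def build_graph(lookups):
    """Bipartite adjacency: identity -> domains, domain -> identities."""
    by_identity, by_domain = defaultdict(set), defaultdict(set)
    for identity, domain in lookups:
        by_identity[identity].add(domain)
        by_domain[domain].add(identity)
    return by_identity, by_domain


def securerank(lookups, seeds, iterations=10, damping=0.85):
    """Return domain -> score in [-100, +100] (negative = suspicious)."""
    by_identity, by_domain = build_graph(lookups)
    id_score = {i: seeds.get(i, 0.0) for i in by_identity}
    dom_score = {d: 0.0 for d in by_domain}
    for _ in range(iterations):
        # A domain takes the mean score of the identities that asked for it.
        for domain, ids in by_domain.items():
            dom_score[domain] = sum(id_score[i] for i in ids) / len(ids)
        # An unlabelled identity takes a damped mean of its domains' scores;
        # seeded identities keep their label so the evidence does not drift.
        for identity, doms in by_identity.items():
            if identity in seeds:
                continue
            id_score[identity] = damping * sum(dom_score[d] for d in doms) / len(doms)
    return {d: round(100 * s, 1) for d, s in dom_score.items()}


def verdict(score, suspicious_at=-50.0, benign_at=50.0):
    """Map a score onto the three buckets of the slide (thresholds assumed)."""
    if score <= suspicious_at:
        return "bad"
    if score >= benign_at:
        return "good"
    return "insufficient"


if __name__ == "__main__":
    ranked = sorted(securerank(LOOKUPS, SEED_IDENTITIES).items(), key=lambda kv: kv[1])
    for domain, score in ranked:
        print(f"{domain:22s} {score:7.1f}  {verdict(score)}")
```

On this log the algorithmic-looking qzxk7.example.org, requested only by the two infected identities and one unlabelled one, scores -66.7 (bad), news.example.com scores +66.7 (good), and cdn.example.net, requested by both populations, stays at 0 (insufficient). Keeping the seeds fixed is the part that matters: without it a single ubiquitous domain would pull every identity toward the same value.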
Geo-Location
Ranking of a domain based on where the source clients are located

Observed requesters and predicted requesters differ. The score represents the number of queries from clients visiting the domain, broken down by country; it is a non-normalized ratio between 0 and 1.
IP geo-location analysis

Host infrastructure: location of the server, i.e. the IP addresses the domain maps to. Here: hosted across 28+ countries.

DNS requesters: location of the network and off-network devices, i.e. the IP addresses requesting the domain. Here: only US-based customers requesting a .RU TLD.
Domain Generation Algorithms
There is an algorithm behind this and we will unmask it

Maybe there is not a human behind this. This alert occurs when the DGA (Domain Generation Algorithm) score is -25 or lower.
DGA Section

DGA Score: this score is generated based on the likelihood of the domain name being generated by an algorithm rather than a human. It ranges from -100 (suspicious) to 0 (benign).
DGA Detection

Examples of algorithmically generated names: yfrscsddkkdl.com, qgmcgoqeasgommee.org, iyyxtyxdeypk.com, diiqngijkpop.ru

N-gram analysis: do sets of adjacent letters match normal language patterns?
Entropy analysis: does the probability distribution of letters appear random?
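The two signals above combined into a score on the slide's scale, as an added example that is not Umbrella's detector (the real model is trained on billions of resolved names). A constructed list of benign labels stands in for the training corpus; the weights, the entropy floor and the mapping to -100..0 are assumptions, with -25 kept as the alert threshold the previous slide mentions.

```python
"""Toy DGA score from bigram plausibility and letter entropy.

Added example, not Umbrella code. n-gram part: how many of the label's
bigrams ever occur in ordinary names? entropy part: how flat is the
letter distribution? Both are folded into one score from -100 (suspicious)
to 0 (benign).
"""
import math
from collections import Counter

# Constructed stand-in for a benign training corpus (second-level labels).
BENIGN_LABELS = [
    "google", "facebook", "microsoft", "wikipedia", "amazon", "youtube",
    "twitter", "linkedin", "netflix", "apple", "update", "mail", "login",
    "account", "secure", "service", "support", "download", "cisco", "umbrella",
]


def bigrams(text):
    return [text[i:i + 2] for i in range(len(text) - 1)]


KNOWN_BIGRAMS = Counter(b for label in BENIGN_LABELS for b in bigrams(label))


def ngram_plausibility(label):
    """Fraction of the label's bigrams that occur in the benign corpus (0..1)."""
    grams = bigrams(label)
    if not grams:
        return 1.0
    return sum(1 for g in grams if g in KNOWN_BIGRAMS) / len(grams)


def letter_entropy(label):
    """Shannon entropy of the letter distribution, in bits."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def dga_score(domain, entropy_floor=2.5, entropy_span=1.5):
    """Score in [-100, 0]; the more random the label looks, the lower."""
    host = domain.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    label = host.split(".")[0]  # simplification: score the first label only
    ngram_term = 1.0 - ngram_plausibility(label)
    # Only entropy above what ordinary words reach counts against the label
    # (floor and span are assumed values, tuned on the constructed corpus).
    entropy_term = min(max(letter_entropy(label) - entropy_floor, 0.0) / entropy_span, 1.0)
    return round(-100.0 * (0.7 * ngram_term + 0.3 * entropy_term), 1)


def is_dga(domain, threshold=-25.0):
    """Alert rule from the slide: DGA score of -25 or lower."""
    return dga_score(domain) <= threshold


if __name__ == "__main__":
    for d in ["google.com", "www.microsoft.com", "yfrscsddkkdl.com", "qgmcgoqeasgommee.org"]:
        print(f"{d:24s} {dga_score(d):7.1f}  {'DGA' if is_dga(d) else 'ok'}")
```

With such a tiny corpus the bigram term does most of the work (only one of the eleven bigrams in yfrscsddkkdl is ever seen in a benign label); the entropy floor keeps legitimate but letter-rich names such as microsoft from being penalised for their spread of letters alone.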
Live DGA Prediction
Automated at an unparalleled scale

(Diagram: from the observed C2 domain pairs a.com + b.com, a1.com + b1.com, a2.com + c2.com and the known DGA, the configs are reverse engineered; from the configs the future pool c.com, d.com, ... is generated, e.g. fgpxmvlsxpsp.me[.]uk, beuvgwyhityq[.]info, gboondmihxgc[.]com, pwbbjkwnkstp[.]com, bggwbijqjckk[.]me, yehjvoowwtdh[.]com, ctwnyxmbreev[.]com, upybsnuuvcye[.]net, quymxcbsjbhh[.]info, vgqoosgpmmur[.]it)

1. Live DNS log stream: identify millions of domains, many used by DGAs and unregistered
2. Automate reverse engineering: combine C2 domain pairs and known DGAs to identify unknown configs
3. Predict 100,000s of future domains: combine newly identified configs with the DGA to identify C2 domains continuously
4. Automate blocking of the pool of C2 domains: used by thousands of malicious samples now and in the future
Predictive Classifiers
The score is not considered authoritative over the block list

This is risky! A classifier prediction is a score based on all the features of the domain and is not tied to any single one. It is intended to be predictive and serves as an indicator that the domain may require further investigation.
Predictive Detectors: NLPRank
Identifies malicious domain-squatting and targeted C2 or phishing domains

1. Analyse APT reports: domain spoofing is used to obfuscate; brand names and terms like "update" appear often (examples: update-java[.]net, adobe-update[.]net)
2. Patterns in domains used in attacks: dictionary words and company names merged; a small number of characters changed to obfuscate (1inkedin.net vs linkedin.com); domains hosted on ASNs unassociated with the company; different webpage fingerprints
3. Checked data and confirmed intuition
4. Built the model and continue to tune it: detects fraudulent brand domains

NLP = natural language processing
Recommender: Using NLPRank to Detect Phishing
https://blog.opendns.com/2016/11/11/phishfinder-hook-line-sinker/

Evolving the Recommender System to be Predictive
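The lexical part of the NLPRank slide, as an added example that is not OpenDNS/Umbrella code: brand names embedded in a label and merged with lure words (update-java), look-alike characters substituted for letters (1inkedin), and labels within one edit of a brand. The ASN and webpage-fingerprint signals need live data and are left out. The brand list, the lure list, the allowlist of legitimate domains and the homoglyph table are assumptions.

```python
"""NLPRank-style brand-squatting check on a single domain name.

Added example, not OpenDNS/Umbrella code. Returns one finding per brand
the label abuses, with the technique observed: distance 0 means the brand
is embedded verbatim (after undoing homoglyphs), distance 1 means one
character was changed, inserted or dropped.
"""
import re

BRANDS = ["linkedin", "java", "adobe", "paypal"]                      # constructed
LURE_TERMS = ["update", "login", "secure", "verify", "account"]        # constructed
LEGITIMATE = {"linkedin.com", "java.com", "adobe.com", "paypal.com"}  # constructed
# Characters commonly swapped for the letters they resemble.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "7": "t", "|": "l"})


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def nlprank(domain, brands=BRANDS, lures=LURE_TERMS, legitimate=LEGITIMATE):
    """Return a list of findings; an empty list means no brand abuse seen."""
    host = domain.lower().rstrip(".")
    # The brand's own domain (and its subdomains) is not squatting.
    if host in legitimate or any(host.endswith("." + l) for l in legitimate):
        return []
    labels = host.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    normalized = sld.translate(HOMOGLYPHS)
    tokens = [t for t in re.split(r"[-_]", normalized) if t]
    if not tokens:
        return []
    findings = []
    for brand in brands:
        if brand in normalized:
            distance = 0
        else:
            distance = min(levenshtein(t, brand) for t in tokens)
            if distance > 1:
                continue
        findings.append({
            "brand": brand,
            "distance": distance,
            "homoglyph": normalized != sld,
            "lures": [l for l in lures if l in normalized],
        })
    return findings


if __name__ == "__main__":
    for d in ["1inkedin.net", "update-java.net", "adobe-update.net",
              "paipal.com", "paypa1-secure-login.info", "linkedin.com", "example.com"]:
        print(d, nlprank(d))
```

A finding with distance 0, a homoglyph and a lure term is the strongest combination; a bare distance-1 hit (paipal) is weaker and is the kind of prediction the next slide warns should trigger investigation rather than an automatic block.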
Predictive Detectors: SPRank
Challenge: build scalable detection models that are:
- Generic, to rapidly catch a large number of malware domains/IPs of various types
- Specific, to provide context and details about detected threats
- Resistant to evasion and obfuscation by adversaries

Approach:
- Focus below the recursive DNS layer and inspect DNS query features that are harder for an attacker to change at global scale
- Treat DNS traffic patterns like sound waves
- Detect domains that show a spike in traffic over a short time window (e.g. 1 hour)
Spike rank model
Patterns of guilt

(Diagram: DNS request volume over days for a domain y.com, matched against the known request-volume patterns of DGA, malware, exploit kit and phishing domains.)

A massive amount of DNS request volume data is gathered and analyzed. The DNS request volume of y.com matches a known exploit kit pattern and predicts a future attack, so y.com is blocked before it can launch the full attack.
SPRank DNS Features

Per domain: QTYPE, RCODE, the list of resolving resolvers, and the number of unique client IPs.

QTYPE values: 1 A, 15 MX, 28 AAAA, 16 TXT, 99 SPF, 255 ANY. RCODE: 0 (NOERROR).
Exploit Kit vs Spam

Exploit kit: you.b4ubucketit.com. 0.0 45 45.0 40 11 {((ams),13),((cdg),1),((fra),3),((otp),1),((mia),6),((lon),6),((nyc),1),((sin),3),((pao),1),((wrw),3),((hkg),7)} {((1),45)}

Spam: www.tzd.tcai006.net. 0.0 26 26.0 1 1 {((lon),26)} {((1),26)}

The difference: EK domains get traffic from many client IPs spread across several resolver sites (here 45 queries from 40 unique IPs through 11 resolvers); traffic to spam and casino sites comes from a single IP through a single resolver. Here that IP is 46.30.43.20, AS35415, Webzilla, https://eurobyte.ru/
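A parser for the two feature records above and the exploit-kit-vs-spam rule the slide states, as an added example that is not Umbrella code. The slide does not label the numeric columns; the mapping assumed here is domain, score, query count, query count as a float, number of unique client IPs, number of resolver sites, followed by the per-resolver-site counts and the per-QTYPE counts (QTYPE numbers as on the previous slide). The classification thresholds are assumptions.

```python
"""Parse SPRank-style per-domain feature records and apply the EK-vs-spam rule.

Added example, not Umbrella code. The two records are the ones printed on
the slide; the column meanings are assumed (see the lead-in).
"""
import re
from dataclasses import dataclass, field

QTYPE_NAMES = {1: "A", 15: "MX", 16: "TXT", 28: "AAAA", 99: "SPF", 255: "ANY"}

RECORDS = [
    "you.b4ubucketit.com. 0.0 45 45.0 40 11 {((ams),13),((cdg),1),((fra),3),((otp),1),"
    "((mia),6),((lon),6),((nyc),1),((sin),3),((pao),1),((wrw),3),((hkg),7)} {((1),45)}",
    "www.tzd.tcai006.net. 0.0 26 26.0 1 1 {((lon),26)} {((1),26)}",
]

PAIR = re.compile(r"\(\((\w+)\),(\d+)\)")   # matches ((key),count)


@dataclass
class DomainFeatures:
    domain: str
    queries: int
    unique_ips: int
    resolver_sites: int
    per_resolver: dict = field(default_factory=dict)
    per_qtype: dict = field(default_factory=dict)


def parse_record(line):
    """Split 'head {resolver map} {qtype map}' into a DomainFeatures."""
    head, resolvers_blob, qtype_blob = line.split("{", 2)
    fields = head.split()
    per_resolver = {site: int(n) for site, n in PAIR.findall(resolvers_blob)}
    per_qtype = {QTYPE_NAMES.get(int(q), q): int(n) for q, n in PAIR.findall(qtype_blob)}
    features = DomainFeatures(
        domain=fields[0].rstrip("."),
        queries=int(fields[2]),         # assumed: total queries in the window
        unique_ips=int(fields[4]),      # assumed: distinct client IPs
        resolver_sites=int(fields[5]),  # assumed: distinct resolver sites
        per_resolver=per_resolver,
        per_qtype=per_qtype,
    )
    # Consistency check: the resolver map must account for every query.
    if sum(per_resolver.values()) != features.queries:
        raise ValueError(f"resolver counts do not sum to query count for {features.domain}")
    if len(per_resolver) != features.resolver_sites:
        raise ValueError(f"resolver site count mismatch for {features.domain}")
    return features


def classify(f, min_sites=3, min_ip_ratio=0.5):
    """EK-like spikes: many client IPs through many resolver sites.
    Spam/casino spikes: one IP through one resolver. Thresholds assumed."""
    if f.resolver_sites >= min_sites and f.unique_ips / f.queries >= min_ip_ratio:
        return "distributed (exploit-kit-like)"
    if f.unique_ips == 1:
        return "single-source (spam-like)"
    return "undetermined"


if __name__ == "__main__":
    for line in RECORDS:
        f = parse_record(line)
        print(f.domain, f.queries, f.unique_ips, f.resolver_sites, f.per_qtype, "->", classify(f))
```

The consistency checks are there because these records are derived data: if the per-site counts stop adding up to the query total, the spike you are about to act on is a pipeline bug, not an attack.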
Using SPRank in Combination with Other Sources (for instance hashes)
SP-Rank Model with Predictive IP Space Monitoring
Identifies that an attack is underway and then expands intelligence

Research idea: can we reuse concepts that analyze sound waves in real time (e.g. Pandora's Music Genome Project)?

Pipeline: SPRank (DNS request name patterns over time, spike detection) -> history filter, record filter, Q filter -> malicious domains used by phishing, malvertising, exploit kits and malware (includes domain shadowing) -> predictive IP space monitoring, which yields 340x more domains.
IP Range Fingerprinting
- Scan the neighboring range for open services, their versions and the OS version
- Certain attack IPs share identical fingerprints
- If we detect the first seed domains with the acoustic or another model, we can block the similar IPs before they start hosting domains
- Map out the IP space of bulletproof hosting providers
IP Range Fingerprinting
The 5 IPs share the same fingerprint:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
80/tcp open  http    nginx web server 1.2.1
Service Info: OS: Linux

4 more IPs in the /24 had the same fingerprint and no hosted domains at the time of discovery. They had been set up in bulk to host EK domains in the following days, so EK domains could appear on them shortly.
Co-Occurrences
Temporal proximity of related malicious domains

These domains could be part of the same campaign! The Co-occurrences feature returns a list of domain names that were looked up around the same time as the domain being checked.

The score next to each domain name in a co-occurrence is a measurement of the requests from client IPs for these related domains. The co-occurrences cover the previous 7 days and are shown whether the co-occurrence is suspicious or not.
Co-occurrence model
Domains guilty by inference

(Diagram: a time line around the known malicious domain x.com; a.com, b.com, c.com are requested shortly before it and d.com, e.com, f.com shortly after, and all six are possible malicious domains.)

Co-occurrence of domains means that a statistically significant number of identities have requested both domains consecutively in a short timeframe.
The Co-Occurrence Probability Distribution Function
- The histogram of |t_i(c) - t_j(c)| over all clients c and all pairs of malicious domains (i, j) appears to be gamma distributed.
- This allows calculating the probability that two malicious domains are related.
- The co-occurrence score is the sum of this probability over all the clients connecting to both domains.
- The model is normalized to take into account legitimate co-occurrences (for instance google-analytics).
https://labs.opendns.com/2013/07/24/co-occurrences/
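The co-occurrence computation of the last three slides run over a constructed DNS log, as an added example that is not the OpenDNS model: the published model fits a gamma distribution to the inter-request gaps and sums the resulting probability over clients, whereas here an exponential kernel exp(-gap/tau) stands in for the fitted density (an assumption), and the normalization for ubiquitous domains is a simple ratio. Domain names, identities and timestamps are constructed.

```python
"""Co-occurrence scoring for a known malicious seed domain over a DNS log.

Added example, not OpenDNS/Umbrella code. For every identity that
requested the seed, every other domain it requested within the window is
credited with a weight that decays with the time gap; the raw sum is then
scaled by the share of that domain's requesters that also hit the seed, so
an analytics host everyone loads is damped while a true C2 sibling is not.
"""
import math
from collections import defaultdict

# Constructed log: (unix_time, identity, domain). x.example is the known bad domain.
LOG = [
    (100, "c1", "x.example"), (102, "c1", "c2.example"), (105, "c1", "analytics.example"),
    (100, "c2", "x.example"), (102, "c2", "c2.example"), (105, "c2", "analytics.example"),
    (100, "c3", "x.example"), (102, "c3", "c2.example"), (105, "c3", "analytics.example"),
    (160, "c1", "news.example"),
    (300, "c4", "analytics.example"), (310, "c4", "news.example"),
    (300, "c5", "analytics.example"), (310, "c5", "news.example"),
]


def cooccurrences(seed, log, window=120, tau=30.0):
    """Return candidate domain -> score; higher = more likely the same campaign."""
    by_identity = defaultdict(list)
    requesters = defaultdict(set)          # domain -> every identity that asked for it
    for ts, identity, domain in log:
        by_identity[identity].append((ts, domain))
        requesters[domain].add(identity)

    raw = defaultdict(float)
    both = defaultdict(set)                # domain -> identities that asked for it AND the seed
    for identity, events in by_identity.items():
        seed_times = [ts for ts, d in events if d == seed]
        if not seed_times:
            continue
        for ts, domain in events:
            if domain == seed:
                continue
            gap = min(abs(ts - t0) for t0 in seed_times)
            if gap <= window:
                # Stand-in for the fitted gamma density: closer in time = more weight.
                raw[domain] += math.exp(-gap / tau)
                both[domain].add(identity)
    # Normalization for legitimate co-occurrences: what share of the candidate's
    # requesters also requested the seed?
    return {d: round(raw[d] * len(both[d]) / len(requesters[d]), 2) for d in raw}


if __name__ == "__main__":
    for domain, score in sorted(cooccurrences("x.example", LOG).items(), key=lambda kv: -kv[1]):
        print(f"{domain:20s} {score:5.2f}")
```

c2.example, requested two seconds after the seed by every infected identity and by nobody else, tops the list; analytics.example, requested by all five identities, is damped to 3/5 of its raw weight; news.example, requested a minute later by a single infected identity, is almost invisible. The window and tau are the knobs an analyst would tune against the 7-day horizon the Investigate feature uses.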
Correlating DNS, WHOIS, and BGP Data Sets

(Diagram of three linked views. Co-occurrences: domain-to-domain request sequences seen via recursive DNS, e.g. igh.biz, def.co, abc.org, ok.com, bot.ru and bad.cn requested within a minute of each other at 00:34-00:36. Passive DNS & WHOIS: present and past relationships from domains to IPs, name servers and registrant e-mail addresses, via authoritative DNS, DNS graphing and registrar data, e.g. 1.2.3.4, 4.3.2.1, 8.7.6.5, ns.dyn.com, xxx@x.x, with dates 10-12 JAN and 2-4 FEB. Infrastructures: domain-to-IP-to-AS relationships via BGP routing, e.g. AS 346 and AS 781.)
Agenda

Introduction
What is Cisco Umbrella Investigate
What is Cisco AMP ThreatGrid
A Day in the Life of a Security Analyst
Linking the Dots
Conclusion
Now What?
The Umbrella detectors allow us to identify whether a domain is malicious (and block it) thanks to the patterns of its global behaviour. But how can you identify which sample is actually inside the organization and trying to phone home?
Connecting the Dots
The Thin Red Line Between Macro and Micro IOCs

(Diagram: Investigate provides intelligence about the attacker's infrastructure: 162.17.5.245, suspicious.com, a request spike on baddomain.com, hosted in 22 countries, 173.236.173.144, likelybad.com. AMP Threat Grid provides intelligence about the attacker's file: source and destination IPs, HTTP/DNS traffic, a .doc file handled by WINWORD.exe that creates an .exe file in the admin directory and modifies a registry entry, plus other file system activity and the artifacts created.)
Associated Samples (Threat Grid Integration)
Available even without a Threat Grid account

Threat Score: this section of the Investigate report contains the SHA256 of the file samples that contacted that internet destination, as recorded in the network connections section of the Threat Grid report.
File Analysis Section
Hash and Threat Score

We know the hash: this means we can hopefully identify the file, or check whether my AV engine had a chance to catch it (if I don't have AMP for Endpoints installed).
Threat Grid Integration
And, by the way, I can link Investigate with my Threat Grid cloud account.
VirusTotal Lookup
I can quickly look the hash up on VirusTotal. Well, it turned out I am one of the 20 blind engines.
Behavioral Indicators
Human-readable malicious indicators from the Threat Grid analysis.
Let's Step Back a Little Bit

There are multiple malicious connections in the sample report:
7ssneqrtef[.]ru
gvaq70s7he[.]ru
disorderstatus[.]ru

Can I use this information to verify that the hash I detected is exactly the one inside my network? Hint: the Sample Report has a Network Connections section.
It's a Matter of Coincidences

7ssneqrtef[.]ru, gvaq70s7he[.]ru, disorderstatus[.]ru: exactly the three domains in my DNS logs.

Now I can figure out why the malware evaded my security measures, and why the roaming client (ERC) was not installed.
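The check the last two slides make by eye, as an added example that is not Threat Grid or Umbrella code: take the domains from a sample's Network Connections section, refang them, and match them against DNS log lines to find which identities resolved all of them. The report below is a constructed JSON document whose shape is hypothetical (Threat Grid's real JSON report is richer and structured differently), the log lines are constructed, and the hash is a placeholder; only the three C2 domains come from the deck.

```python
"""Match a sandbox sample's network connections against DNS logs.

Added example, not Threat Grid or Umbrella code. An identity that resolved
every C2 domain of the sample is a strong match for "this hash is the one
inside my network"; an identity that resolved only one of them deserves a
second look before that conclusion is drawn.
"""
import json
from collections import defaultdict

# Constructed report; the shape is hypothetical, the hash is a placeholder.
REPORT = json.loads("""
{
  "sample": {"sha256": "<sha256 placeholder>", "threat_score": 95},
  "network": {"dns": [
    {"query": "7ssneqrtef[.]ru"}, {"query": "gvaq70s7he[.]ru"}, {"query": "disorderstatus[.]ru"}
  ]}
}
""")

# Constructed log lines: timestamp,identity,domain,qtype,action
DNS_LOG = """\
2017-02-21 08:00:12,10.1.2.3,7ssneqrtef.ru,A,Blocked
2017-02-21 08:00:12,10.1.2.3,gvaq70s7he.ru,A,Blocked
2017-02-21 08:00:13,10.1.2.3,disorderstatus.ru,A,Blocked
2017-02-21 08:00:20,10.1.2.9,7ssneqrtef.ru,A,Blocked
2017-02-21 08:00:21,10.1.2.9,www.cisco.com,A,Allowed
2017-02-21 08:05:00,10.1.2.7,www.example.com,A,Allowed
"""


def refang(domain):
    """Turn the defanged form used in reports back into a comparable name."""
    return domain.lower().replace("[.]", ".").replace("(.)", ".").rstrip(".")


def sample_domains(report):
    """Set of destinations the sample contacted in the sandbox."""
    return {refang(entry["query"]) for entry in report["network"]["dns"]}


def match_identities(log_text, domains):
    """identity -> set of the sample's domains that identity resolved."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, identity, domain, _qtype, _action = line.split(",")
        domain = domain.lower().rstrip(".")
        if domain in domains:
            hits[identity].add(domain)
    return dict(hits)


def triage(report, log_text):
    """Full match = every C2 domain of the sample was seen from that identity."""
    wanted = sample_domains(report)
    hits = match_identities(log_text, wanted)
    return {identity: ("full match" if seen == wanted else "partial match")
            for identity, seen in hits.items()}


if __name__ == "__main__":
    for identity, outcome in triage(REPORT, DNS_LOG).items():
        print(identity, outcome)
```

Refanging is the one step that is easy to forget: reports and blog posts publish 7ssneqrtef[.]ru, the logs carry 7ssneqrtef.ru, and a naive string comparison between the two finds nothing.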
Agenda

Introduction
What is Cisco Umbrella Investigate
What is Cisco AMP ThreatGrid
A Day in the Life of a Security Analyst
Linking the Dots
Conclusion
Conclusions

Limited resources
- Challenge: shortage of experienced incident responders and analysts; senior analysts need to be more efficient
- Solution: information is clear and immediately actionable

Alert priority
- Challenge: flood of alerts daily; difficult to prioritize investigations; difficult to identify the source of the threat
- Solution: get relevant context and accurate information quickly

Effective threat intel use
- Challenge: difficult to operationalize threat intelligence; often unreliable and out-of-date
- Solution: clear threat attribution thanks to the integration with Threat Grid

Internet-wide threat visibility
- Challenge: where attackers stage attacks; how domains, IPs, ASNs, and malware are connected
- Solution: visibility into attackers' infrastructures and trends
Call to Action
- Visit the Exhibition Zone for a demo
- Ask for an Investigate demo license
- Get your free Umbrella license now: https://signup.umbrella.com/
Video Demo

Complete Your Online Session Evaluation
- Please complete your online session evaluations after each session
- Complete 4 session evaluations and the overall conference evaluation (available from Thursday) to receive your Cisco Live T-shirt
- All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
- Demos in the Cisco campus
- Walk-in self-paced labs
- Lunch & Learn
- Meet the Engineer 1:1 meetings
- Related session: Thursday, Feb 23, 2:30pm: BRKSEC-1980 - Introducing Cisco Umbrella for cloud based threat protection
Q&A

References
- RSA 2016: https://www.rsaconference.com/events/us16/agenda/sessions/2336/using-large-scale-data-to-provide-attacker
- Kaspersky SAS 2016: https://www.youtube.com/watch?v=6jFtobVNgMI&feature=youtu.be
- Flocon 2015: http://resources.sei.cmu.edu/library/asset-view.cfm?assetID=450345
- BruCon 2015: https://www.youtube.com/watch?v=8edBgoHXnwg
- Kaspersky SAS 2015: https://www.youtube.com/watch?v=QbCCLXFhuls
- BotConf 2014: https://www.youtube.com/watch?v=eC2jPNU0NZI
- Virus Bulletin 2014: https://www.virusbtn.com/conference/vb2014/abstracts/Mahjoub.xml
- BlackHat 2014: https://www.youtube.com/watch?v=UG4ZUaWDXSs
- PhishFinder: Hook, Line and Sinker: https://blog.opendns.com/2016/11/11/phishfinder-hook-line-sinker/
- Discovering Malicious Domains Using Co-Occurrences: https://blog.opendns.com/2013/07/24/co-occurrences/
Thank You
