7 stages of advanced threats - fujitsu · security leaders to deploy appropriate controls, says...

7 Stages of Advanced Threats© 2013 Information Security Media Group

Jason Clark, James Robinson of Websense on Key Characteristics

7 Stages of Advanced Threats


What are the seven stages of advanced threats, and what can organizations

do to improve how they defend against them? Jason Clark and James Robinson of Websense share new insights and strategies.

How does one distinguish advanced threats from traditional? One key difference, says Robinson, security architect and strategy officer at Websense, is that classic threats target systems. Advanced threats are after intellectual property.

“The advanced threats are also getting much more complex,” he says. “They’re using many steps to actually become successful,” including social engineering and software exploits targeting the end-users.

The seven stages of advanced threats account for how threat actors are breaching organizations, as well as the methods they are using to steal data. This information helps security leaders to deploy appropriate controls, says Clark, chief security and strategy officer.

“We look at it as an architecture framework,” Clark says. “Now that we’ve broken down how they’re going to get in, how they’re going to get the data out and try to evade our security, [then] what’s the perfect architecture [to prevent] that?”

Read on to learn from Clark and Robinson:

• Distinguishingcharacteristicsofadvancedthreats;• Originofthesevenstages;• Newsecuritysolutions.

Robinson is the security architect and strategy officer at Websense. His key responsibilities are internal security strategy and innovation. He brings more than a decade of both IT and product engineering security leadership to Websense. He has previously held leadership positions with Fortune 150 and Fortune 100 companies including: Emerson Electric, Anheuser-Busch and State Farm Insurance.

Clark is chief security and strategy officer for Websense, Inc. In this role, Clark and his team are responsible for corporate strategy, information security, marquee account relationships, and providing strategic services to CIOs and CISOs worldwide. As a former CISO and vice president of infrastructure for Fortune 100 and 500 companies, Clark uses his business and security expertise to advise CXO executives on successful strategies to improve their IT infrastructure.


Advanced Threats vs. Tradi-tional Threats

TOM FIELD:James,whatdistinguishes

advancedthreatsfromtraditionalthreatsthat

organizationshavefaced?

ROBINSON:Thereareacoupleofdifferent

thingsthatreallychangethegamewith

advancedthreatscomparedtotraditional,

andthere’snotreallyasetdefinitionofwhat’s

atraditionalthreatandwhat’sanadvanced

threat,butthegameisdefinitelychanging,

andwe’reseeingthischangeoverthelast

coupleofyears.Traditionalthreatstypically

aregoingaftersystems,andwedidn’tseealot

oftraditionalthreats.Thiswouldbemorelike

thewormsthatwouldpropagate,goingafter

thedatainsideofyoursystems.

Theadvancedthreatsthatwe’reseeingtoday

arereallystartingtotargettheinformation

andtheintellectualpropertythatyouhave

insideofyourorganization.Theadvanced

threatsarealsogettingmuchmorecomplex.

They’reusingmanystepstoactuallybecome

successful,andthey’reusingthesestepsfrom

traditionalthreatsthatwe’veseen.Things

likesocialengineering,whichwasathreat

allorganizationshaveknownforalongtime,

dealtwithandhadvaryingdegreesofsuccess

withthat-that’sanaspectoftheadvanced

threat.

Anotherthingisexploitingsoftware

vulnerabilities,whichissomethingthatwe’ve

knownaboutforalongtimeasanindustry,

butnowit’sactuallybeingincludedinto

advancedthreats,thedifferentstagesand

beingexecutedagainstourend-users.That’s

oneofthedifferentchangesaswell.Inmy

historyofdoingpenetrationtests,I’dalways

beaskedtogoandfocusonawebserverand

focusonmaybewherethedatagoesafterthat,

butnotfocusontheend-users.Thatapproach

rightthere,thatmindsetofjustfocusingon

oneaspectandnottheentireecosystem,is

exactlywhatwe’vesetourselvesupforand

whattheadvancedthreatistakingadvantage

of,wherethey’retargetingtheend-usersand

thengoingafterthedataandgettingaccess

tothisdatathattheywanttostealfromthe

organization.

Theotherthingtheadvancedthreatsare

alsostartingtodiveinto[are]blindspots.…

Traditionalsecurityapproachesthatweuse

tosecureourselves,they’realsousingthose

tostealthedataandtoex-filtrateinformation

fromourorganizations.

7 Stages of Advanced Threats

FIELD:Jason,let’stalkabouttheseven

stages.What’stheoriginofthisseven-stage

approach?

CLARK:Probablyaboutfiveyearsago,[we

startedto]breakdownhowthebadguys

arebreakingin,whatthestepsarethat

they’retakingeachstepofthewayasthey

trytogettheirhandsonourdata,andthen

understandingwhatthecontrolsare.The

sevenstagesisreallymoreofafactof,“thisis

exactlythestepsthatthey’realltaking,”and

wewantedtounderstandhowthey’regetting

aroundthecontrolsandwheredothose

existingcontrolswehavewithtechnology

slidein.Howarewebeingprotected?

Ithasn’tbeentalkedaboutasthesevenstages

inthepast.Usingasanexampleyourhome,

if[abadguy]isgoingtobreakin,he’sgoing

totrytoeithercomethroughthewindow;

he’sgoingtocomethroughthedoor.What’s

thenextstepyou’regoingtodotoinvade

whateversecurityyouhave?It’sjustthe

variousstagesofthat.

However,atthesametime,welookatitasan

architectureframework.Nowthatwehave

brokendownhowthey’regoingtogetin,

howthey’regoingtogetthedataoutandhow

they’regoingtotryandinvadeoursecurity,

what’stheperfectarchitectureforthat?

Becauseeverythingelsetodayisverysiloedin

onestage,oroneandahalfortwostages,but

nothingwilllookatallsevenstagesandshare

informationofwhat’sgoingonandreally

maintainthestateofthatbadguy,alltheway

downfrominfiltrationtoex-filtration.We

startedthenbuildingthattechnologyintoour

[solutions]asaframeworkofunderstanding

theneedtosharethatintelligence.Everything

wedo,thisistheframeworkthatweuse.

Atthesametime,welookedatandwegot

togetherwithabraintrustofthetop30CISOs

intheFortune500thatwe’refriendswithand

“That mindset of just focusing on one aspect and not the entire ecosystem is exactly what we’ve set ourselves up for and what the advanced threat is taking advantage of.” -James Robinson


“It may not be that data theft is occurring while you’re on the corporate network, but when you’re off the corporate network, when you go home and you work at night.” -James Robinson

lookedatthisas,“Wecantakethistoanother

stageandwecanreallystartsayingthisisn’t

justabouttechnology.”Thisisaboutpeople

andprocessesaswell.Sincethisisthethreat

modelforhowthebadguygetsin,weshould

startdoingstrategyassessmentsandgrading

ourselvesonsuccessfulness.

It’sacollaborationofknowingthisishowit

works,howthebadguygetsinandgetsstuff

out.Thenwegotoourtechnologyasbeing

awareofthat,andatthesametimethenbuild

awholestrategyandframeworkaround

people,processandtechnology,andastrategy

assessmentaroundthesevenstages.

Breaking Down the Stages

FIELD:Let’stalkaboutsomeoftheseseven

stages,andJamesI’lltossthisquestionto

you.Let’sstartwithreconnaissanceand

lure.What’shappeninghereandhowisit

happening?

ROBINSON:Reconnaissanceandlureare

thefirsttwostagesoftheattack.There

aredifferentthingsthathappenhere.

Reconnaissanceisalotofinformation

gathering.That’sthesituationwherethe

attacker’sstartingtoputthemselvesina

positionwheretheywanttocompromisean

adversaryorsomeoneelse.Tom,ifIwanted

tocompromiseyou,whatIwoulddoisI’d

lookupyourname,I’dlookupwhereyoulive,

I’dlookupactivitiesandthingsthatyou’re

involvedinsoIcanthencraftalureoneway

oranother.Icouldsendyouane-mail.Icould

buildawebsitethatmaybeyou’dbeinterested

ingoingto,andI’dputtheseouttherewith

informationthat’srelevanttoyouwithdata

thatyouwanttoactuallyuse.

InThe New York Timesattack,itlaiditout

verywell;theydocumentedthingsandhad

allkindsofarticlesandpostsonit.There

wasthegentleman,David[Barboza].Hewas

actuallyputtinginformationoutthereand

thenwritinganarticleonChina.Bydoingso,

Chinafoundoutaboutthis.Whatdidthey


wanttodo?Theywantedtofigureoutwhere

Davidwasgettinghisinformation:what

connectionsdidhehave;whate-mails;how

muchinformationdidhehave?Theytargeted

David,andtheyspear-phishedane-mailto

him,basicallyluringhimtoclickonthelink

insideofthate-mail.That’sreallywhat’s

goingonthere.They’relookingforatarget,

they’reidentifyingatarget,identifyingthe

informationandthencraftingamessageor

craftingawayforthatpersontogaintrustin

thatsiteorgaininterestinit-maybenoteven

trust,justenoughinterest-togetthemtobe

baitedandruntherestoftheirattackonthat

person’ssystems.

Understanding Exploits

FIELD:Let’stalkabouttheexploit.What’s

newhere?

CLARK:Theexploitissomethingthat’s

interesting.It’ssomethingthatwe’veknown

foralongtime-theexploitgeneration.

Thingsthatarechangingarenotjustthese

vulnerabilitiesthatarenowbeingtaken

advantageof,butthesheervolume.Before

itusedtobesomethingthatwewantedto

sharethesevulnerabilities,andwewantedto

sharethisvulnerabilityinformationwitheach

other.Weknewthatwecouldputdefenses

inplace.Butnow,insteadofjustfindinga

softwarebugthatthenleadsintoasecurity

vulnerability,insteadofjustfindingthoseand

sharingthemsowecanfixthem,peopleare

goingoutandsearchingforthemsotheycan

actuallyleveragethosesoftwarebugs,those

vulnerabilities,andactuallyexploitthem.

Thedifferencenowisreallythatofvolume.

It’sthatvolume,andnowit’sbeingdoneat

alevelwheretheywanttofindtheseissues.

Theywanttofindthesezero-daysbefore

anyoneelseknowsaboutthemsotheycan

remainstealthy,sotheycanexecutecodeon

yoursystem,ortheycangetyoursystemto

dothingslikepulldownothervariancesof

malwareordropafile.

Ourlabgrouplooksatmalware,exploitfiles

andallkindsofdifferentthingseachdayand

theydetonatetheseandwatchandseewhat

theirbehaviorsare.Theyfindover1,000

adaythatanti-virusdoesn’tpickup.Now

it’sthevolumethat’sstartingtokillusand

overwhelmourtraditionalapproachesand

defenses.

Theotherthingistheexploitsaregetting

muchmoresophisticated.Theexploitand

dropperfilesnowadaysarestartingtodo

thingslikemaybetheyonlyexecute,callhome

ordocertainthingsinthehours,timesor

environmentswhereit’ssafeforthemtodoso.

Theymaylookandsee,“AmIbeingexecuted

onaVMwarestackorsometypeofvirtual

stack?AmIoff-networkoron-network?Am

Iathome?AmIonahotspot?”Nowthey

knowthere’sagoodchancethattraditional

capabilitiesandthingsthatanorganization

woulddeploytoprotectthecompanyaren’t

there.

Data Theft

FIELD:James,let’stalkaboutdatatheft.How

doyoufindthatit’sevadingdetectiontoday?

ROBINSON:Themainonethatwe’reseeing

atthispointistheuseofSSL.Wedeployed

SSLtohelpsecureusandactuallybea

mechanismtohelpprotectend-usersand

helpourselvesasasecurityorganization,and

thosesamethingsarebeingusedagainstus.

It’sadouble-edgedswordwherewedon’t

havethevisibility.Nowexploits,callshome,

theex-filtrationofdata,that’sbeingdone

overencryptedchannels.Soifyoudon’thave

visibilityintothat,you’llneverseethatdata

leave.

Theotherthingistraditionalapproaches

of,“Let’sjusttakeanimage.”Ithinkalmost

allofushaveprobablybeenonaWebEx,a

GoToMeetingorsomethinglikethat,andwent

aheadanddidascreencaptureandcaptured

whatwasonourscreen,andnowwehavethat

foronereasonoranother.Thatsametypeof

mindsetandmentalitytotakeascreenshotof

it,senditoutanditwillneverbedetectedis

alsobeingused.

Asmentionedearlier,nowdatatheftis

happeningatcertaintimes.It’sintelligent

whereitmaynotbethatdatatheftis

occurringwhileyou’reonthecorporate

network,butdatatheftwouldoccurwhen

“It’s the volume that’s starting to kill us and overwhelm our traditional approaches and defenses.” -Jason Clark


you’reoffthecorporatenetwork,whenyou

gohomeandyouworkatnight.Ifyoubring

upyoursystem,ifyourapproaches,your

people,processandtechnologydon’tprotect

youandletyouknow,“Hey,I’moffnetwork

andIneedtohaveadifferentmindset,”or,

“I’moffnetworkandIneedtohaveadifferent

control,”thenyou’llnevergetvisibilityinto

thatdatathat’sleaving.

CLARK:Asyoulookatthesevenstages,and

asJamesjusttalkedthroughsomeofthe

examples-thebeginning,themiddleandthe

endofthestages-themostimportantcontrols

todaymostpeopleareputtingmostofthem

ontheperimeter,whichisreallyprotecting

stagesone,twoandthree.Butthetruthis,you

getmuchmoreeffectivenessandreturnfor

yourmoneythecloseryouputyoursecurity

aroundwhatyou’reprotecting.Thebiggest

investmentsreallyshouldbeclosertothe

seventh,sixthandfifthstage,insteadofone,

twoandthree,whichistheoppositetoday.

I’mabigbelieverthatasthebadguystarts

tomovedownthestages,youactuallygain

somuchmorecontext.Inthebeginningyou

wouldjustsay,“That’sweird.It’sthefirst

timewe’veeverseenthisURL.Wedon’tsee

anythingbadyet.”Butatthetimesomeone

couldgettheirhandsonthedata,youcan

startsaying,“Waitaminute.Thisdatahas

nevertriedtoleaveviaSSLtosome.com

sittinginChina.”Or,“Iknowthisuserhas

neverevertouchedthistypeofdatabefore.”

Or,“Waitaminute.Thisuserisnowraw

encryptingthisdata.Rawencryptionisnot

astandardencryptiontechnology.Weuse

somethingelse.”Allofasuddenyou’vegotso

muchmorecontext-who,when,whereand

how-thatyoucanmakebetterdecisionsand,

unfortunately,aninvestmentortwoonthe

front-end-toomuchwhereyourpawnsare

inachessgameandnotenoughwherethe

kingis.

ROBINSON:I’dliketoaddonthat.Wewere

talkingtoapeerorganizationofoursand,

insideoftheircompany,theyfeelthatthey

can’tputanytypeofcontrolclosertothe

end-userortotheclient.Theyneedtouse

network-basedcontrolseverywhere,and

that’sexactlythemindset,exactlywhat’s

happening,that’susedagainstusassecurity

organizationsbecausetheattackersknowthat

interestingdevicesarenowcomingontothe

networkthatwehavenocontrolover.They

knowthatsystemsneedtobeonournetwork

toallowcertainorganizationstobecreative

ormaybedothingsthatwecan’tcontroland

wecan’thavevisibilityinto.Theyknowthat.

They’releveragingthatagainstus.

Human, Technical Resources

FIELD:James,whathumanandtechnical

resourcesdoorganizationsneedtosupport

defenseagainstthisseven-stageapproach?

ROBINSON:WhatI’lldoisI’llbreakthis

downintopeople,processandtechnology.I’m

atruebelieverinthatarchitecturalprinciple

orframeworkforguidingyourcontrols

andwhatyou’retryingtoachieve.Froma

technologyaspect,therehavebeensome

changeslately.Thetraditional“let’sprotect

ourfront-end,websense.com,”thatapproach

isstillathreatthatwehavetothinkabout.

Inthenewadvancedthreat,wherethey’re

targetingourend-users,tryingtogoafter

theintellectualpropertyanddatathatwe

haveinsideourorganization,thatchanges.

Thattraditionalapproachisn’tgoingtobe

aseffectiveinthatonethreat.Howdidthat

change?Nowweneedtoactuallylookat

wherethisuserisgoing.Weneedtolookat

DLP.Weneedtolookatthesetechnologies,

helpfeedintoprocessesanddiveintothe

processpiece.

Asanorganization,weneedtobeserious

aboutourincident-responsecapabilities.We

needtobeseriousabouthavinganeducational

awarenessprogramtolettheend-usersknow

[they’re]partofthis.You’reapartofthethreat

landscape.They’retargetingyou.They’re

nottargetingmysystemsthatI’mtryingto

build,protectanddeploy.They’retargeting

youandusingyouagainstus.They’redoing

adivide-and-conquertypeofattackonus.

Youcanbringtheusersin.Alotoftimes

nowadays,youcanusegamification,letting

usersknowthatthey’repartoftheattack.

Evensharingthingsthathavehappenedinside

oftheorganization[is]verypowerful.Alot

oforganizationsjustaren’tthere.Theydon’t

havetheeducationalawarenesscomponents.

They’restillusingtraditionalmethodsfor

that,whereeveryonegathersinaroom,goes

“The truth is, you get much more effectiveness and return for your money the closer you put your security around what you’re protecting.” -Jason Clark


throughaPowerPointandthey’renotusing

theseadvancedapproaches.Howdoweget

peopleinvolved?Howdowegetpeopleto

careaboutthis?That’sreallyabigquestion

thatwe’relookingatinternaltoIT,and

we’redoingsomecoolthingsinsideofITto

trytoanswerthat,workingwithpartnering

organizations.Howdowegetpeopletobe

partofthis?Howdowegettoknowabout

theseprocessesthatnormally,ifitwasona

PowerPoint,theywouldn’tremember,they

wouldn’tcareandtheywouldwalkoutofthe

roomandmaybetakeadonutwiththemon

thewayout?Howdoweactuallygetthisin

frontofthemandgetthemtobepartofour

team?

Theotherthingonthatend-usernoteis:

Howdoweincentivize?Usinggamification,

goingbacktothat,howdoweactually

rewardpeopleandgetpeopletobepartof

thisprogram?Hollywoodhasdoneagreat

jobofincludinghackingandthattypeof

thing.Canweleveragesomeofthosesame

things?Hackingisacoolconceptnow.It’s

somethingthatpeoplewanttoknowmore

about.It’ssomethingthatboardsofdirectors

aretalkingabout,allthewaydowntopeople.

DidyouhearFacebookgothit?Didyouhear

thatThe New York Timesgothit?Didyou

hearaboutthoseTwitterposts?Thosetypes

ofthingsareverypowerfulforustoleverage

andtoeducatepeopleon.Letthemknow

thisiswhat’shappening.Here’swhat’sgoing

onoutside,andyoucouldbesusceptibleto

this.Thatwouldbeprobablythesumofitall:

People,processandtechnologyareeverything

youneedtofocuson.

CLARK:AsJamessaid,peopleandprocess

isreallystrong.Onthepeopleside,imagine

you’resecuring10,000ofyourusersand

youhaveastaffofeight.Ifyoucouldget

those10,000employeestobeasecurityteam

memberfortwominutesoftheday,everyday,

incentivizingtobepartofthesecurityteam,

allofasuddenyouhaveavolunteerarmy,and

yoursecurityteamandresourcesjustgrewa

thousand-fold.

TheotherthingonthetechnologysideIurge

everybodyisyouhavetogofromthatgood-

enoughsecuritymentality,orthecompliance

securitymentality,tobebesttechnology.You

needtodemandthebestateverysinglething

youbuy,unlessit’sacommodity,unlessit’s

acheck-the-boxthing,likeAV.Thoseforthe

mostpartarecheck-the-boxstuff.Butwhen

itcomestomalware,whenitcomestodata

protectionandit’sreallythemosteffective

controlsyouhave,youcan’tjustdoit[like]the

olddays.

Backin’06and’07,I’vedonethisatother

companiesbypickingmyfavoriteAVvendor

andsaid,“TheeventsfortheAV,canyouwrap

inatthesamepricetheseotherfourorfive

technologies?”Igettocheck-the-boxandI

getabunchofgood-enoughsecurityfora

verycheapprice.OrIbuyfromaguywho’s

anetworkplayer.IbuyfromCiscobecause

they’rethearchitectureplaysoitjustmakes

“We need to … let the end-users know [they’re] part of this. You’re part of the threat landscape. They’re targeting you.” -James Robinson

DATA THEFT

Cybercrime reaches out into internal systems for data to steal.

CALL HOME

Calls home for more malware to expand attack.

DROPPERFILEFILE

If vulnerablity exists, malware dropper fi le is

delivered.

EXPLOIT KIT

User’s system is inspected for an

open vulnerability.

REDIRECT

Funnels and sends the user to a hidden server.

LURE

There are two types of lures:email and web.

RECON

Gather online information

to build targeted lures.

The Seven Stages of Advanced Threatsand Data Theft


sense,butthatdoesn’tworkanymore.You

havetohavethebesttechnologyandthemost

effectivetechnologynowateachstage.

Defending against Advanced Threats FIELD:Jason,let’stalkabouttechnology.

HowdoyouatWebsensesupportyour

customers’defenseagainstadvancedthreats?

CLARK:Thefocusiswehavetomakethem

successful.Theyneedtotrustus.Wehave

tobetheirtrustedadvisersothattheyopen

upandtelluswhatthey’reprotectingand

whatthey’reconcernedabout.Whataretheir

vulnerabilitiesandtheirweaknessessowe

cansitthere,havethatconversationandtryto

developastrategyforthemthat’sgoingtobe

themosteffective?

Thefirststepisgettingthattrustandfocusing

onensuringtheirsuccess,helpingthemalign

withtheirbusinessandhelpingthemalign

withtheexecutivesandtelltheexecutivesnot

thefunstuff,notthe,“Ohmygosh;everything

isonfire;wemightgetcompromised,”but

justbreakingdown,“Herearethethreats,

thewholethreat-modelingstuffwe’vetalked

about,andhereiswherewe’reat.We’re

compliant,buthere’swhatI’mworriedabout

today,”andthentakingthattothetechnology

spaceandunderstandingthat.

Wehavedevelopedanadvancedthreat

securityarchitecturethatweshareandhave

alotofothertechnologiesinit.Italked

aboutthe30CISOs,goodfriendsofoursin

theFortune500,andwegrabbedaCISO

thateverydaythey’resuccessfulagainst

advancedattacks.Theymighthavehada

compromise,butthey’vebeatenthebad

guysout.They’rewinninginthewar.We’ve

mappedhowthey’rewinningandwe’vebuilt

thisframeworkthatseemstobeconsistently

howthetoporganizationsarewinningthe

war.We’renowsharingthatframeworkwith

ourcustomers,or,forthatmatter,anyheadof

securityinaFortune1000thatreachesoutto

us.Wewanttoshareandwewanttohelpthe

securitycommunitybesuccessfultogether.

Thisframeworkbreaksdowntheten

differenttechnologiesthattheyneedto

dotobesuccessfulinthepeople,process

andtechnologystuff,andtrynewproducts

atWebsense.Ourweb-securitystuff,our

threatprotection,cloudprotection,andthe

endpoint,thelaptopsandthemobiledevices,

aswellasourspear-phishprotectionand

ourdata-theftprotectiontools,arevery,very

criticaltothoseFortune500customers.Many

ofthemwilltellyouit’sthesecret.It’sthe

number-onewaythatthey’recatchingthe

badguyseverysingleday,whetherthey’re

externalbadguysorinternalbadguys.n

Websense, Inc. is a global leader in protecting organizations from the latest cyber-attacks and data

theft. Websense TRITON comprehensive security solutions unify web security, email security, mobile

security and data loss prevention (DLP) at the lowest total cost of ownership. Tens of thousands

of enterprises rely on Websense TRITON security intelligence to stop advanced persistent threats,

targeted attacks and evolving malware. Websense prevents data breaches, intellectual property theft

and enforces security compliance and best practices.

LISTEN TO THE INTERVIEW

http://www.bankinfosecurity.com/interviews/7-stages-advanced-threats-i-1912

“You have to go from that good-enough security mentality, or the compliance security mentality, to be best technology.” -Jason Clark


4 Independence Way • Princeton, NJ • 08540 • www.ismgcorp.com

About ISMG

Headquartered in Princeton, New Jersey, Information Security Media Group, Corp. (ISMG) is a media company focusing on Information Technology Risk Management for vertical industries. The company provides news, training, education and other related content for risk management professionals in their respective industries.

This information is used by ISMG’s subscribers in a variety of ways —researching for a specific information security compliance issue, learning from their peers in the industry, gaining insights into compliance related regulatory guidance and simply keeping up with the Information Technology Risk Management landscape.

Contact

(800) 944-0401 [email protected]

7 stages of advanced threats - fujitsu · security leaders to deploy appropriate controls, says...

Documents