
doing today? All right. All right. Before we start the second talk, I just want to give a short announcement. If y'all have not already registered or signed in, go to the registration desk outside of the track one room. I'll send you a text. Go ahead and do that after this talk. Right now, we have a talk called EMS and IR Professionals Have a Lot More in Common Than Just a Bunch of Acronyms, given by Emily over here. EMS and IR professionals are the first responders to incidents that people never want to happen. Whether the incident is a ransomware infection at your local hospital or a respiratory infection caused by a virus that spreads through the air, people on the front
lines responding to both of these incidents share many similarities in their work. Moreover, even NIST used an ambulance to symbolize the containment and recovery step in the Computer Security Incident Handling Guide, which inspired this talk, which she shall give
now. I'll get out of the way. Howdy y'all. Can you hear me online right now? You're good? Awesome. Thank you all for coming. Just as he gave an introduction, this is my talk on EMS and incident response professionals. To give you an introduction on myself, who am I? My name is Emily Skaggs. I am a cybersecurity engineer in the incident response space. I'm a DEF CON goon. I am a physical penetration tester, so I test the physical security controls of different corporate, office and manufacturing buildings and stuff. And I'm a Dallas Hackers and DC214 member. If you've not been to DC214 or Dallas Hackers or DC9... 4-0, or whatever the Denton area code is. I live in Denton, I don't know the area code. But
we have our own hacker group now and it's awesome and Phil does it. So please go and join your community events. It really helps to, you know, bring more knowledge to the area and share your knowledge with other people. So what are you going to learn today? Well, we're not going to learn anything crazy like endotracheal intubation. We will cover
incident management basics and incident response. We will be focusing on incident management basics, including discussing traditional incident management practices and comparing them to the NIST incident response standard. Secondly, we will learn the similarities between the jobs of cyber incident responders and EMS professionals. We will learn traditional triage strategies, as there are tips that can be useful in the tech space and not just in the hospital. And finally, we will also learn about soft skill enrichment and strategies for operating under pressure. We in the tech space have a lot to learn from people who troubleshoot humans during some of the worst moments of their lives. And yes, the most important thing will be that
every type of incident responder agrees that everything is a dumpster fire. And yes, it may be a dumpster fire, but the strongest steel is formed in the fire of a dumpster. So remember that. So, content warning. I will preface my talk with a content warning that some of this content may be upsetting to some of you who are watching this talk. We'll be discussing topics like death, natural disasters, medical emergencies, and some people may not have the capacity to hear that kind of stuff at this time. No skin off my back. If you need to leave at any time during this presentation, please feel free. So, to lighten the mood a little bit, now we'll talk about the knights who say
wee woo, a little Monty Python and the Holy Grail reference there. And actually I did this talk at Blue Team Con earlier this year in September in Chicago. And I don't know if it was like divine intervention or some kind of karmic force getting at me, but the fire station was right outside of my room. So I heard all of the ambulances and fire trucks going out from right here. Literally this is the view, and I zoom in and there's the ambulances and fire trucks. So it just added to the vibe. So, let's get started. What is incident management and incident response? Well, first, we'll discuss incident management. Though these two terms are commonly used interchangeably in the
cybersecurity space, they signify different yet interconnected aspects of handling a security incident.
Incident management and incident response. I assume some of you in this room have worked an incident and encountered a scenario where you're trying to figure out what has just happened while you have a client or manager constantly asking for updates on what's going on, and it's incredibly difficult to perform the technical forensic skill needed to contain the source of an incident while also balancing coordinating teams, updating stakeholders, keeping track of activities, taking notes, and trying to maintain a grasp on the last shreds of your own sanity. That's why handling an incident is not a solo sport. These two complementary roles drive an efficient and thorough security program. Incident response is all of the technical
components required to analyze and contain an incident. Incident management, however, is the logistics, communications, coordination, and planning functions needed to resolve an incident in a calm and efficient manner. Though some people may possess skills that fulfill either role, typically this should not be the same person doing both at the same time. The worse things get during an incident, the greater the requirement for these two individual roles becomes. So,
let's go into the phases of incident response. I imagine most, if not all of you are familiar with the phases of an incident response plan, whether it be NIST or SANS. So when we talk about the SANS framework, that one's a six-phase process, and this is a four-phase process. For those in the audience who are new to the security space and may not know, SANS stands for SysAdmin, Audit, Network, and Security. And just to walk you through how all these steps kind of correlate together: preparation, which is the planning phase, involves developing policies, procedures and standards to aid in the incident response process. Identification is finding indicators of compromise, monitoring systems like your SIEM,
and maintaining good and actionable logs. Containment is limiting damage to the environment during an incident. Eradication usually also goes hand in hand with recovery. So in SANS, it's two separate steps, and in NIST, they push them together. But eradication and recovery is restoring harmed systems to their functioning state prior to the incident. And lessons learned, which are your post-incident activities, is where you're learning from your past mistakes and the things that you learned during the incident to aid in future investigations. NIST's framework, NIST standing for National Institute of Standards and Technology, is the four-phase framework, like I showed you previously, where you see how they push eradication and recovery together. If you notice, both of these are cyclical in nature. So it develops
on itself. Each time you've gone through an incident, each one of these steps complements the others in a future incident. And we'll go into that more a little bit later. But just keep that in mind as we're seeing this. Each thing improves on the others in a cyclical nature. But why we're talking about all this is because of NIST's containment, eradication and recovery step. As you can see, it's a little ambulance. That's actually what inspired this talk. Containment, eradication and recovery is where a lot of similarities between the work of cyber incident responders and EMS professionals really start to show. This is also where the bulk of active incident response takes place. The primary objectives in this phase are to
contain the threat, eradicate it, and recover affected systems to resume normal operations. Now that we've talked about all the cyber stuff and acronyms, what is EMS? EMS is Emergency Medical Services, also known as ambulance services and paramedic services. These professionals are the first responders who provide urgent pre-hospital treatment to people with serious injuries or illness. When a call dispatches EMS to the scene of an emergency, they will initiate medical care upon arrival and, if deemed necessary, transport the patient to the next point of care, which could be a hospital, emergency department, what have you. So,
they provide the pre-hospital treatment and stabilization, but the training for these employees varies widely between municipalities, and unlike fire and police services, EMS is only deemed an essential service in 15 U.S. states, including the District of Columbia. My last two points on this slide regarding EMS not being deemed an essential service mean that the care received by those who call 911 varies very widely based on your municipality. These same themes can also be seen, probably, in your local city cybersecurity program: a fractured state of implementation, lack of proper funding, et cetera. As I'm sure all of you are now curious since I said that frightening state statistic on my last slide, here are
all the states and territories who designate EMS as an essential service, and yes, the state we are standing in right now does not deem EMS an essential service. So good luck, everyone. Drive safely on your way home.
More acronyms. We're gonna now talk about the National Incident Management System. Just like cyber incident responders, these first responders also have standardized policies and procedures in place to help aid an efficient resolution of incidents. And as you can see, just like ours, their workflow is cyclical in nature. So they build upon lessons learned each time, through each incident, every event. NIMS is a standardized approach slash framework for incident management developed by Homeland Security in the early 2000s under George W. Bush. If you think about it, maybe things were really starting to pop off then. They thought a lot of coordination between local and federal services needed to start happening. So this system was intended to facilitate coordination between
all responders, public sector and private. So within this
system there is also another subset through NIMS called the Incident Command System. NIMS is the overall way that they manage all incidents, through mitigation, prevention, all of that, but when an incident is actually popping off, that's where the Incident Command System, ICS, comes in. This is a pretty basic diagram of the Incident Command System, which seems pretty straightforward, but having this type of stuff written out and defined clearly becomes invaluable in cases of an emergency.
If there's clear hierarchy and direction in an incident, it's a lot easier to establish accountability and respond in an orderly and efficient way. When there's not clear delegation of duties and responsibilities among responders during these really conflicting times, phrases like "many hands make light work" can quickly become "too many cooks in the kitchen."
So how are these two professions similar? One thing I noticed early on in my research is how much EMS professionals also enjoy memes. Maybe it's like dark humor transcending competencies, but I certainly appreciate it. So I really feel like a lot of people in this audience especially can feel this guy right here, when somebody tells you the same IP address 5011 times and you still don't remember it when they keep repeating it to you. I can only imagine how hard that is when someone's telling you and screaming at you during a crisis situation on the phone. So
how are they similar? We have the human element, stress, communication, and labor. Human element. EMS professionals cannot stop people from lighting fireworks while still actively holding said firework in their hand. Click It or Ticket initiatives cannot stop people from driving without their seat belt on. Similarly, incident responders cannot physically tackle every single employee before they download and execute a malicious attachment.
So we are constantly at the mercy of the human element. Though we can prepare systems to make these unpredictable incidents less impactful when they do happen, it's important that we put all of those pieces into our minds. Communication. How a responder communicates with their patient in the EMS space, or their client in the digital forensics and incident response space, can change the entire direction of an incident. If rapport is built early, clear, honest communication can flourish and really assist in speeding up the resolution or stabilization. If your patient doesn't trust you, they're not going to tell you what drugs they took. If your entire client staff doesn't trust you, they're not going to tell you what they
clicked on and how long it actually took them to tell you. And all of that can really help build and contain different parts of an incident. Stress. Both professions operate in high-stress roles daily, which makes self-care even more important. Accidents happen when people are stressed, and we have to make sure we're all taking care of ourselves and our fellow employees. Labor. And labor is the last one. Budgeting for cybersecurity is usually an afterthought or reactive within an organization. The same issue is present in EMS. If you thought the cybersecurity skills shortage was bad, times that by two, and that is how hard it is to bring people into the field of EMS and retain the ones who are
currently working professionals. Funding is a big part of this, as the municipality cannot pay the staff adequately if there is no budget to do so.
Triage strategies. So both EMS and IR professionals need to triage incidents appropriately to choose the best course of action when responding to an incident. As I was doing research for this talk, a common theme that was brought up to me by EMS professionals was the weakness in triage skills among new medics. I actually spoke to one gentleman who's a SANS instructor who wasn't an EMS professional previously. I know, they always hear me. Like, the knights who say wee woo.
Exactly. But I spoke to this one gentleman who's a SANS instructor, and he also said that the same sentiment is very apparent in a lot of his new students: they don't know how to triage things with confidence, at least to start out in the situation. And I'm hoping by discussing this today we as cyber defenders can think outside the box and bridge some of these concepts across industries. So, Simple Triage And Rapid Treatment, the START triage system. Yes, this is an algorithm, in case this workflow seems similar to some of you in here with computer science degrees. START is a triage method used by first responders during a mass casualty incident, otherwise known as an MCI, to classify victims based on the severity of their
injuries. This method breaks victims into four basic categories based on color. Minor, which is green: minor injuries. They also call that the walking wounded. Delayed, which is yellow: the injury needs further treatment, but the patient's transport can be delayed. This could include serious, life-threatening injuries, but the status of the patient is not expected to deteriorate significantly over several hours. Red, immediate: the victim needs to be transported immediately to the hospital or have immediate work done on them, whether it is tracheal intubation to get them to the hospital. And black, deceased or expectant: the patient is not likely to survive; palliative care and pain relief should be provided. So, just like we saw in this prior slide, these same four categories also have physical tags or markers for patients during these
mass casualty incidents, for the four different categories that I was talking about earlier. There's a show, well, they call it a miniseries now, called Five Days at Memorial, where you can see the system in use. This show was about the crises faced by ICU and ER staff at Memorial Hospital in New Orleans after Hurricane Katrina, when the levees broke and flooded the first two floors of the hospital and knocked out all the generators. Imagine how dire of a situation that is when you're already also dealing with the natural disaster. The hospital was flooded for five days at the time. And as you can imagine, things became very dire before any of the patients were rescued. And in the show, you can see the nurses changing
some of the patients' tags from yellow to red or even to black, because as time goes on they can see the patient's status is deteriorating. And even through such a stressful situation, these professionals are making sure to use all of their training during those dire circumstances, even when resources are at an all-time low and stress is at an all-time high. So I'm bringing the algorithm back up to walk through how a system that seems so very, very simple can still make or break an incident. Things can go wrong with the way a responder follows or doesn't follow this strategy. Starting at the top, it asks: are you able to walk? Yes? Green tag. Good day. No? Is there spontaneous
breathing? If you open their airway and they start breathing, they may become a red tag. But if you try to open their airway and they're still not breathing, you'll file them with a black tag. If they got a red tag, they get prioritized for transport. Black tag, you've kind of already made the assumption that they're not going to make it. Here's the caveat. The person who's performing the triage is a human. So steps can be missed. And it's important that we trust, but verify. Quick story of triage gone wrong in the field. It was New Year's Eve in the early 2000s. A car with
four young adults was struck by a drunk driver. The driver in the four young adults' vehicle was not wearing a seatbelt and was ejected 20 feet from the vehicle through the windshield. The fire department, who are trained in basic life support, was the first to deploy and performed triage on the wounded. The driver, who I just stated was ejected 20 feet, was pronounced expectant, dead, on scene by the first responder, that was the firefighter. A few minutes later, EMS, who are trained in more advanced life support strategies, arrives on scene, and a paramedic goes up to double-check all of the prior triaged patients. For the one that was filed with the black tag, the paramedic was going back through all of the triage strategy just to
double check, because he is technically the more senior person behind the firefighter. He goes through: are you able to walk? No. Can you breathe? No. He then positions the airway. The gentleman takes a breath. He's actually going to live. He's still alive today. That's actually my stepbrother. So. You want to trust but double check these types of situations. Even though he would have originally been pronounced dead on scene, because a more trained professional came and checked on him, they were able to save his life, transport him to the hospital, and he's still alive today. He's 37. So the paramedic realized that the first
triage person skipped a step, but that's why in all situations you trust but verify. He did trust another one of his fellow professionals who followed the triage strategies, but being the more senior person, he's like, let me just go through it. Same with when you're responding to an incident. Did they reboot? Did you get all the information from the client? Did you get the timestamp? Did you get all of these things that are important, little caveats that you want to assume someone had done before they escalated it to you? You want to trust but verify. And it's very important for seasoned responders to not allow themselves to get tunnel vision and miss
important details, or get too focused on a minor detail so that they're not prioritizing their time efficiently during an incident. After that, another meme. So...
Speaking of pigeonholing versus zooming out to see the full picture, here's another good one from the EMS meme repository. It's from Burnt Out Memes for EMS Teams. I thought it was cute. So like we were talking about the walking wounded earlier, you could immediately get really stuck in a pigeonhole thinking it's Smithy-Durwin-Jakobson syndrome, but honestly, you should have just seen if the guy could walk. Could he walk? Great, because you've got other people you need to worry about right now. Same types of situations when you're triaging during a cyber incident. So, benefits of applying triage strategies to digital forensics and incident response. Efficient use of time: every moment counts when a cybersecurity incident is impacting business operations, and I'm
sure anyone who's worked one can tell you that right now. Efficient use of labor: classifying impacted devices and services properly will allow incident managers to delegate work appropriately to their responders, to avoid burnout and use responders to their strengths in times of need. And clear communication of priorities: when impact is clearly triaged and prioritized, there's less of a chance for miscommunication. So...
I feel like it's a good time now to transition to the most important slide, soft skills. Being nice finally comes in handy. You can work-study this one, but instead of paying SANS to learn these skills, you'll be pouring into yourself and the communication with those around you. So what exactly are soft skills? Soft skills are personal attributes needed for success on the job. These skills are often overlooked in technical positions. However, I wanted to amplify how important these skills really are. I listed a few that I believe are relevant for roles in incident management and emergency management. But if you can't build rapport with your patient or your client, then it will hamper your ability to resolve the incident in a timely and
efficient manner. Like I said earlier, if your patient doesn't trust you, they won't tell you what drugs they took, nor will they tell you that they clicked on the link. And these character traits and interpersonal skills will carry a responder through any stressful incident, especially the empathy and conflict resolution ones. Empathy specifically, I want to amplify that. As you start to build your cybersecurity career, you're reaching out to other business members. A lot of people don't like being reached out to by cybersecurity. They immediately think it's like getting pulled over by the police. Even though you know you've done nothing wrong, you immediately start thinking of everything you've ever done wrong in your entire life. So talk nicely to them. Like,
even though you are sometimes trying to find out specific information, these are also your peers. You work with them. So don't act too much like the police, because then they may not be truthful to you. You know, no one's ever lied to the police. "But I wasn't speeding, officer, I swear. I wasn't speeding." So a big part of emotional intelligence is being able to feel an emotion without having to act on it. And alongside empathy is emotional intelligence. I won't get through all of the concepts of emotional intelligence in a 35-minute presentation. However, I do wanna amplify how important this skill really is. Emotional intelligence involves the ability to recognize, understand, and manage your own emotions. And
unlike traditional intelligence that focuses on logic and problem solving and technical elements related to an incident, emotional intelligence is about navigating social situations and building strong relationships. A major part of emotional intelligence is self-awareness. This means being aware of your emotions, strengths, and weaknesses, and understanding how they affect and impact others. By recognizing your emotional triggers, you can control your reactions more effectively and avoid hasty decisions or misunderstandings. So, to the point of hasty decisions or misunderstandings, when you are also stressed, you have to start to give yourself those pep talks. Hey, it's OK. Everything may be on fire, but I am physically not on fire right now. So what can I do? What deep breaths can
I take? What can I handle? What can I actually deal with that's in my control at the time? It's important to work on your emotional intelligence. It's a constant thing. You can never get a degree for it. So constantly working with yourself and others is a very important soft skill. And so now that we've used all of our lovely soft skills to build rapport with our client or patient, you've gathered lots of valuable information about the incident. How are you going to remember all this stuff? Mnemonic devices. So if you've ever taken a music theory class, you've probably heard some iteration of these mnemonic devices to help you retain what the lines and spaces are on a sheet of music.
I haven't picked up my trombone in seven years, but I remember all the lines and spaces right now. So mnemonic devices are great for remembering really complicated things and making them into an easier-to-digest data set. In the EMS world, there are many recognized mnemonic devices for helping responders retain this information. Each responder I spoke to said these devices are how they can remember what's important about their patient when they've turned away to walk back to the truck to get their paper to start filling out the report. I wanted to bring up this concept during my talk in hopes that we as responders can start to develop some of our own mnemonic devices. Each of us starts to
develop a rhythm or a recipe for how we remember things, and maybe we should start standardizing them and sharing with others. Collaboration and sharing is key. Why else am I even up here? So I know that in the different professions they have their own mnemonic devices, but we don't have a lot of standards yet. So I'm just bringing this up. There are a lot of creative people out here, I'm sure, that are listening, or even online that are listening right now. If you can think of any, share them. Share them in the chat. Let us know. That's how we all start to develop new things and new standards in this industry. So these types of mnemonic devices are very useful for when you do a lot of
repetitive workflows, like checking on multiple devices and remediating them.
So before I end this presentation, I do want to present you with a lovely way to help you remember some of the triage concepts I shared with you today. Please enjoy this lovely musical rendition of how to perform triage in a mass casualty incident, if the audio will come out. Otherwise I would probably just poke the button. Well, let me do it, maybe it will. Oh, escape.
Nope.
Good to see you.