
BSidesGVL 2021 - Ransomware Roundtable

BSides Greenville · 2021 · 42:17 · 39 views · Published 2021-10 · Watch on YouTube ↗
Style: Panel
About this talk
Join moderator Mike Holcomb for this timely and relevant discussion on the current ransomware landscape and what the future brings for cyber security defenders protecting against these types of attacks. Special thanks to our panelists: Ryan Baisley, Chris Furtick, Alek Koskey and Adam Smith. www.bsidesgreenville.org @BSidesGVL
Transcript [en]

I wasn't complaining, for sure. All right, well, it looks like it's that time, so let's go ahead and get started. I appreciate everybody for coming to the round table on ransomware. I definitely want to thank the folks that are sitting on the panel today. A special thanks to Ryan for pulling everybody together; this was definitely his brainchild. We're hoping for next year we'll bring back the round table, or the firing squad, the pentest firing squad, but this was a very timely topic and builds off of Chris's conversation in his session earlier. So we're going to assume that not everybody was able to attend the session and kind of start over from scratch. If you weren't able to make Chris's session earlier and you are interested in a better understanding of the landscape, how to protect against ransomware, and what that breach response process looks like, while we'll definitely touch on a lot of that in this session, I'm sure we won't get to all of the aspects that he covered, so make sure to check out the recording on the YouTube channel once it's posted in the next day or two. And then we have Alek and Adam who joined us as well. So we'll start with introductions real quickly.

We'll go around; just let us know who you are and what you do right now, and then we'll kick off. So Ryan, you want to go first?

Sure, thanks Mike. Ryan Baisley here: information security, cyber security strategy, IR consultant. I've done a lot in my time. Glad to have fellow colleagues here joining us today, so I'll jump right out and send it over to Chris.

Yeah, thanks Ryan. So I'm Chris Furtick. I'm Director of Incident Response and Security Engineering at Fortalice Solutions. My day-to-day role is to oversee our incident response practice, so I meet with folks in the middle of ransomware cases and malware outbreaks and things like that. Really happy to be here on the panel.

Thanks Chris. And Alek?

Good afternoon, everyone. I'm Alek Koskey. I'm a shareholder with Baker Donelson in our Atlanta office. I co-chair our firm's financial services data privacy and cyber security team, and I'm also part of our incident response team. I've handled numerous data incidents across the country, so glad to be here.

Great, thanks for joining us. And Adam?

Adam Smith, located in Chicago. I'm on claims counsel for Coalition; I joined that team in May. Previously I was on the cyber team at CNA. My responsibilities are coordinating response from a claims perspective. Happy to be here.

Great, I appreciate that. Thanks for coming.

So I thought we'd kick off with just a general overview of how everyone on the panel sees the ransomware landscape today at a high level, and then we'll be digging in deeper as we go throughout the conversation. We'll go in the order that we just did. So Ryan, you want to give us your thoughts at a high level on the ransomware landscape today from your perspective?

Yeah, thanks Mike. I think we can all see that every week, every other week, it feels like there's a new actor coming out to play. Colonial Pipeline back in the May/June time frame really picked up the press of what was going on, and we saw a lot transpire after the whole Colonial Pipeline incident: DarkSide being taken down, we've seen a lot of new threat actor groups that have kind of splintered off, we've seen resurrected threat actor groups come back, and they are out there. I would say we saw a lull during the summer; I felt like for a lot of folks there was kind of this lull in the July, August, maybe even the September time frame, but I know from talking to folks that there's been a significant uptick over the past month, and there's projected to be more going into November and December. So ransomware is as real as ever for folks, and they are out there making a lot of cash.

Chris?

Those are great points, Ryan. Two things that we're seeing change in the landscape, kind of a pivot: one is the reluctance of threat actors to work with negotiators; we're seeing that become an increase. We're also seeing an increase in extortion-style attacks, so a threat actor siphons your data off instead of going through and encrypting all of your devices. They still put your data on the dark web to compel you to pay that way. So that's a little bit of a pivot, and that's where I think things are moving.

So Alek, what are you seeing?

Yeah, Chris, that's a great point. I was actually going to echo that. I've seen a real uptick in the type of attacks where they are not actually encrypting systems, but they're sending emails to the companies informing them that they've exfiltrated data and they'll either publish it on the dark web or have already done that, in exchange for ransom. So that's definitely a new tactic. And then from the legal standpoint, as outside counsel, we're obviously paying attention to a lot of the guidance that's come out from OFAC and some of the other regulators on ransom payments, and clearly with all the headlines clients are certainly paying attention to this and just wanting to be more in tune with what they can do and what they can't do if they're hit with a ransomware attack.

Yeah, that transition from the more typical encrypting of your data to kind of holding your data ransom is definitely the trend that we've been seeing, and that's kind of difficult from a claims perspective, because you're looking at coverage from, obviously, when the insured is completely down and their system is encrypted: yeah, we need to pay to make that work. But if they have their data held ransom, that's, okay, we need to figure out how valuable that is; is that going to affect day to day? Beyond that, I remember not too long ago the average ransom demand was 450,000, and now we're starting at an average of about 1.2 million, so that completely shifts the landscape and really has the attention of the insurance side for sure.

You see inflation across the board in all things, apparently, right?

Definitely.

All right, that makes sense. Especially, Chris, when you were talking about this shift, when we go from encrypt to exfiltrate and extort. Some of you know that I teach at Greenville Tech, and Greenville Tech got hit about a year and a half ago. I still don't have any background on the actual situation itself; I can only guess, basically, based off of what I've read in the press. But it sounded like the attackers had come in, they probably sat on the network for quite some time, I suspect probably through a VPN device that wasn't protected by multi-factor authentication, and they took their time, found all the sensitive data, the crown jewels, exfiltrated everything, and then came back and deployed ransomware. So I think that the school had thought it looked like a traditional ransomware infection, and so once they cleaned that up they thought all was said and done and was like, hey, look at us, we stopped the big bad hackers, and announced to the world what had happened. And the attackers came back and said, oh, well, no, we just didn't deploy ransomware; you're right, we stole all of your information, we took terabytes of data. In fact, here's the W-2 for the school president and here's the W-2 for your CFO. Let's have that conversation again. So obviously not a conversation anybody wants to have.

But in the different cases that you guys work, what percentage of those cases are more traditional ransomware, where it's just deploying malware to encrypt files or systems, versus now, where we've seen that shift to not only encrypting systems but exfiltrating data and blackmailing the targets? You may want to take that one. What about you, Chris?

Yeah, I'll go first. So it's rare for us to see a case where they're not exfiltrating data, right? It's rare for us to see someone come in and just encrypt the environment and hope you pay. They have this other aspect to compel you to pay, and that's what they do. So I would say over the last six months I can't think of one where we worked that they didn't exfil data. And most of that's going to the dark web as well, right? I would say at least 80 percent: once they get data out, it's on the dark web. They're not just emailing you and telling you that they've got your data; they're putting it out for the whole world to see.

Yeah, what about you, Alek?

Yeah, I would agree with that. I'd say 12 to 18 months ago there might be a 50/50 split as to whether there was exfiltration or not in addition to encryption, but now I would say it's four out of five cases that I have where there's definitely signs of exfiltration, and then, to Chris's point, the overwhelming majority of those end up having data that's published on the dark web. I'd say it's the simple fact that they know that sometimes a victim will have backups and be able to restore from that, but that's not a factor if they just have your data; they know that they are going to get paid for that. So it's kind of an obvious next step or evolution of these attacks that they would be focusing more on the exfil.

Yeah, definitely. There's always that question of where the next evolution is coming from. I know I was reading yesterday about a group that, once they're in the environment, is scanning for vulnerabilities on systems. They're talking about finding vulnerabilities in unpatched VMware servers and then launching a Python script to shut down all of your VMs, and then they go back and they encrypt all of your VMs. So now not only are you losing files, but you're losing those entire systems, in the blink of an eye. What about you, Ryan?

Yeah, I would think so, two things. So, obviously, what Chris mentioned is threat actors really being, I'd say, more bold and audacious and saying that if you engage a negotiator they will just flat out publish your data. We've got to remember we're dealing with criminals here, and I had a colleague who would always say whatever's coming out of their mouth is a lie. So they say they're not going to publish it; they may not publish it right away, but down the road it's likely to get sold. So you obviously need to be monitoring the dark web, Pastebin, whatever it may be, after you go through an incident like that. I think that's a great point where counsel can come in and really advise on what your potential legal risks are; Alek obviously can talk to that. And we had mentioned earlier data classification and data mapping and such. But I think the other point, Mike, you mentioned, is obviously that encryption, whether it's VMDK files, really going after the backups as well. Most backup systems, whether it's Veeam, NetApp, whatever you're using, a lot of people think those are hardened systems, and more often than not they are really unsecured and are easy targets for bad guys to get in and encrypt the library files and the index files that you would need to actually make a restore. And once that happens, people think their golden ticket out of a problem has really gone up in ashes.

Yes, I have a couple follow-up questions there, but before I go down that rabbit hole, because we only have a short amount of time with everybody, I thought we'd get the biggest bang for our buck and go around real quickly and visit with everybody and get your idea: what's the one thing that you believe organizations should know about defending against ransomware? Chris, you want to start us off with that one?

Yeah, that's a huge question. There's so many things; my mind is blowing right now. The biggest thing I would say is, you've got to be this tall to get on the ride: you've got to have multi-factor, right? You've got to be doing multi-factor on your VPN, you've got to be doing multi-factor on your email, you've got to be doing multi-factor everywhere. If I could go out and coach everyone and give them multi-factor tomorrow, my caseload would drop and I would be able to have more cocktails. It would be amazing. But yeah, I think multi-factor is the biggest issue that we've seen.

Definitely, that's a great point. Again, I don't have that background information, but that probably would have saved that school, and I've definitely talked with others that have been at organizations where attackers came through VPNs and, yeah, multi-factor would have saved them. So definitely, without doubt, and for other types of breaches too, right, not just ransomware. So great.

I think I'm going to piggyback on that. If you've got multi-factor down and in place, I'm going to say the next thing you're going to want to have in place is a solid EDR solution. We have one as a sponsor; they're probably one of my favorites. There's others out there; you obviously as an organization have to figure out what is best and most economical for you, and Adam can talk to this about what they do from a coverage perspective if there's a loss claim or whatever. But MFA and EDR are two of the leading controls that insurers are looking at. So there's others, but I know those are two big ones.

Yeah, it's the first question I ask when I have a new matter come in, and I can't tell you how many times, you ask, do you have MFA implemented, and, well, yeah, we do, on all devices, except for this one, and that's the one where it all started, of course. So kind of making sure you're going through and diligently monitoring, making sure everyone has that implemented. And I guess one thing I would add is everyone has a backup system in place, but you need to test those backups. Make sure you run through a fire drill and be like, okay, if we were hit with a situation, could we restore? Just having the backups and testing them are two different things, so I think that kind of separates an insured into a different category if they're regularly asking, okay, if we needed to right now, could we restore our system from backups?

Right, yeah, definitely going through those steps, making sure that they're working, making sure our team members understand those processes and they can do it as quickly as possible. You don't want to be running around like a chicken with your head cut off in the middle of a response trying to restore, and then find out you don't have the data you thought you did, or you have team members that don't even know how to use the restore function in the platform.

Oh yeah, and if you're not familiar with the 3-2-1 model for backups (three copies of your data, two mediums, and one offline), you really probably should familiarize yourself with that and make sure you fully understand your backup strategy: if you are pulling something offline, if something is immutable. I have colleagues who will say immutable backups are probably one of the leading ways; if your backup can't change after a certain time for a certain period, that's a good indicator that you may be able to do a solid restore.

Great. I'll just add something outside of the technical aspect of this. On the proactive side, in addition to testing your backups, make sure you're doing a tabletop exercise to test what your incident response team looks like in responding to a ransomware attack. Do you have certain protocols in place as to how your IT team is going to respond? Do you understand what data you have in certain locations? Have you classified that?

And then from my perspective as outside counsel, helping respond to this, I always recommend trying to identify who your vendors might be in responding to an incident ahead of time and making sure that you're getting those engagements lined up, because if you get hit with an attack, time is of the essence, obviously, and the more that you can be proactive in identifying who's going to help you respond, whether that's outside counsel, a forensic company, a crisis communications firm, whoever else, the more efficient you're going to be in responding to something and defending and mitigating the potential damage that might result from that.

Yeah, that's a great point. We can build off of that when I think of having even something as simple as a retainer, right? How many of you work with clients that don't have IR retainers in place, so when they do get hit they're scrambling around? I know, like for us at Fluor, if we had an incident, knock on wood, and we didn't have a retainer in place with an organization, it probably would take us two or three weeks to get all the legal paperwork taken care of before we could have somebody come in to actually do the response.

Yeah, we see that a good bit too, Mike, and what I like to recommend too is, you know, negotiating with the fire department on the front lawn when your house is on fire, right? You want to have that situation in place beforehand. And I think it's really critical also that you want to have identified who your insurance broker is, who you should contact, and who counsel is, right? I go into these rooms sometimes with a lot of IT folks, and we're all very technical, and then we start talking about what it looks like if this thing has to go from an incident to the B word that ends with "reach." Who gets to say that it becomes the breach, right? And how do we deal with our clients at that point? The technical folks, we can talk to you about technical all day, but I don't have a way to advise you on what this means from a legal standpoint. So having either internal or external counsel coming into bios tonight has been really critical.

Yeah, definitely, that's a great point. We talk about incident response and having the idea of those incident response teams internally. That also makes me, and this is just one of those questions that I'm more curious about from a personal perspective: how many organizations, what percentage of the engagements that everyone works with, where there isn't

some type of formalized incident response process or formalized incident response team? Want to throw some numbers out there?

So I'll take that. I think it obviously depends on the size of the organization. Your more mature organizations are obviously going to have some type of IRP. I would challenge probably most mid-sized organizations to pull that IRP out on Monday and look in there and see where step one or step two is "call cyber insurance," because, and Adam can talk to this, if you want that claim potentially covered, you've got to engage them really kind of out of the gate. And I feel like, from the IRPs I've written and done, until I was in the space working with claims counsel and claims coverage, it really wasn't a consideration. And then obviously once you engage claims counsel, whether you're calling an AIG, a Chubb, whoever your coverage is, counsel is going to get engaged basically immediately once you hit that hotline. So Adam, any comments on that, and maybe Alek if he's got anything?

Sure. When you're facing an incident, it's not always your first instinct to call the insurance carrier. If your car is on fire or anything, the first instinct isn't "I need to call GEICO right now." But it's different in the cyber world. We want to be your first call as soon as you get a hint of anything, for a couple reasons. One is we are kind of the experts in terms of coordinating what vendors are going to be good for this specific situation. It's not easy to get on our panel; at Coalition, for example, we've seriously vetted all of the vendors involved. So we get something and we know, okay, this is the breach coach that we want on it, this is the forensics team we want. So from an expertise point of view we know how to coordinate it. And if coverage is a concern, which for some of the bigger companies it's not as much and we're just dealing with the incident, but for most companies, especially mid-size, coverage is a concern, and the later you call your carrier, the less likely any of the decisions, any of the dollars you spent before they were involved, are going to be covered. So it's important to make sure that your cyber carrier is, if not your first, one of the very first calls you make when an incident comes across. But the first thing I do is send it over to the breach coach to get them involved

right away, so I think Alek could piggyback on that thought.

Yeah, I would say, to Ryan's original point, it depends upon the size of the company whether or not they have an incident response plan, and that's absolutely true. But when we think about the ransomware context, essentially three out of four attacks are against companies with a thousand or fewer employees, and I find that it's about 60/40 for those companies that don't have an incident response plan. And then to the point about structuring that and the order of calling, we absolutely write in there that the first two steps essentially need to be: call your insurer, if you have cyber insurance, and then make sure you're calling your outside counsel. As we get a matter in, those are the questions that we ask too: have you already contacted your insurer? So yeah, I think those are steps that, because everyone's in such a panic mode whenever a ransomware attack comes in, that's why it's so important to have that plan to outline those steps to keep everybody on track. And when we talk to our clients about incident response planning, you don't necessarily need to follow every single step in order, because facts are different; it's all factually dependent, and so you might go out of order. But contacting your insurance company and your outside counsel are really the two most critical steps that you have to follow.

Definitely. So there's a couple follow-ups there as well, but I want to take a step back. Chris, you're probably, for the group, the most qualified to look at it from a technical perspective, and then we'll come back and talk with everyone else from more of that external perspective as well. But for those on the call, can you give everybody, at a high level, a walk-through of what

a general IR engagement for a ransomware attack would look like?

Yeah, so from a purely technical perspective, the very first thing that we do when we're engaged with a ransomware situation is we get on a scoping call, right? It typically has some technical folks involved; it also has some leadership; often we'll have counsel on as well. And the scoping call is just that: we want to understand your environment, we want to understand what's been impacted. Do we have an EDR in place, to Adam's point earlier? Do you have MFA? Have we tested our backups, right? Do we know that we could restore from them? So the scoping call is critical in helping us understand who the players are and how big the field is. After that we typically work through a containment strategy, right? So that's typically: how can we lock down the environment, how do we shut off external ingress points into the network, how do we set up safe zones and clear VLANs so that we can triage devices. Then we start talking about Active Directory, right? Most everyone has Active Directory in their environment. How are we going to rebuild from that? Do we have backups, or are we going to have to do it from replication? So then it moves through that process, and that process can take days or weeks depending on the size of the company. But the scoping is the very first time that we get engaged and we understand who all the players are, and that's critically important to make sure that we've got, are we working at the direction of counsel at that point, right? And do we have insurance? Because they dictate a lot of the ways that we move forward after we get a true scoping of the incident. And scoping is always the most difficult, because there's always something: oh, this VLAN over here I forgot about, or no one knew was over here, and that thing is still infected, and we have a clean network over here, and they come over and encrypt the entire environment again. So I've been on more than one call saying, now we have to start over because we didn't realize that was there.

After we get into the containment, that's when we start moving into the recovery, right? We want to eradicate and recover from it. Somewhere in between that is when you start talking about negotiating the ransoms, right? Are we going to pay, are we not going to pay? That's when we typically would bring in the negotiators, and again, insurance and counsel can advise on that. Ultimately we want to get to recovery, right? But recovery is not the final stage. Recovery means we're going to inform the next time. So once we're back up and running, a lot of folks like to say, okay, we're good, now we can go back and go grill out or whatever. That's not the end, because you're just opening yourself up to have this happen again. We have to inform the IRP, or at least get an IRP, for the next time. So the NIST incident response life cycle, there's five or six steps in there; that's what we try to work through. And it's important to have a framework, right? We have to have a common nomenclature. So that's a lot of information, Mike, but it really gets technical; it can go really deep inside of it. But I will tell you, having leadership on board, having counsel, having insurance, they can all advise along the way, and that really helps the technical responders, because they're typically here on fire; having leadership above them pushing down and giving them solid information is always helpful.

Yeah, definitely. You have to have that top-down support; otherwise you're just going to flounder. So I appreciate that.

A few comments on that. I think Chris covered the IR aspects very well. There's also, I would say, the forensics aspects, where from an investigation standpoint people are going to want to image machines potentially, people are going to want to identify a root cause. In an investigation you're going to take that, and that investigation step, like Chris said, from

a containment step, could take several weeks going through analysis. You may have to data mine information to see what data was leaked. At some point near the end you're going to come up with the decision of whether to write a report or not, and there's many considerations I think that an organization needs to consider: do you have recommendations done, do you have an actual report drafted and written, and some of the legal ramifications of that, and counsel can advise on that. There's been a lot of changes recently that if you're not aware of, you probably should be aware of; Alek can talk to those about the eroding of privilege, because a lot of people think if we get counsel involved it's all privileged. Well, certain pieces yes, certain pieces no, and it really depends on the engagement.

So yeah, I can appreciate all of this too, and I have a couple follow-up questions, but we might not get to them right now, because we only have about 10 more minutes left, and that's probably why I wanted to focus on the technical overview. So thank you both, Chris and Ryan. And then I want to circle back. One of our first calls is definitely to the legal team, so I wanted to ask Adam, especially since most everybody here is much more of the technical persuasion: what do we as technical practitioners really need to understand about the legal aspect of ransomware? I know you touched a little bit on it, but I wanted to give you some more time to be able to dig a little bit deeper into it. Again, what do we really need to know, how best to work with our legal teams, the difference between internal and external counsel for some of the larger organizations, and anything else you think we need to know?

Right, and starting off the bat, Alek and his team are going to be able to provide more of the legal advice. While I am an attorney, it's important that, representing Coalition as claims counsel, I can't really give specific legal advice to the insureds, right? But ultimately it's figuring out, the forensics team is kind of focused on the investigation afterwards, and it's our job really, and it will be Alek and Baker Donelson's job, to determine, okay, now we know what data was accessed, what obligations does that trigger, what organizations, whether government organizations or individuals, need to be notified as a result of that data being accessed. A lot of people, when they're thinking of the ransomware, their only focus is, okay, getting back up and running, making sure we can get our business restored and back on track, and they're not really thinking of that second tier of, okay, we're back up and running, but whose PII was accessed during this event, right? That's the background thought: okay, now that we're fully back and going, we need to figure out who we need to notify because of this ransomware attack. What that threat actor did, whether they exfiltrated PHI as well, is a huge factor. But that's kind of how we shift the focus after we get everyone back online, and Alek can expand

on that yeah i'll just from from our perspective as breach council and outside counsel uh one i'd say one of the first things that we always say is that uh you need to engage your vendors through us as outside counsel ryan talked about some of the holdings recently over the last year and a half or so that have really eroded the attorney client privilege over forensic investigations and in particular over forensic reports so it's really really critical that your outside counsel retains those vendors on your behalf number one and the number you know in addition to that we wear a lot of different hats we're working with the forensic team to understand uh what we're triaging the incident

understanding what has happened. Has there been exfiltration of data? Are systems encrypted? Are we going to start potentially negotiating with the threat actor for the ransom demand, and thinking through those considerations? In addition to that, are we going to notify law enforcement here, whether that's through an IC3 complaint online, are we contacting somebody with the Secret Service, how are we approaching this, and what information are we going to be sharing with them at that time? So we're thinking through those. And then, obviously, I'd say as the forensic investigation starts to wind down and we start to have some conclusions, that's when, you know, our job

really kicks in and we're thinking about what notifications do we need to do, and that really falls in three different buckets from our perspective. One, to regulators: depending upon the type of industry that the company is in, you know, there are some really short deadlines for, you know, financial companies or things like that, depending on who they're regulated by, where you need to provide notice to them, so we're thinking through making sure that we're meeting those deadlines. Two, you may have contractual obligations to your business customers or somebody else where you need to report an incident to them, so we're thinking about who do we need to notify. And then lastly, the most

important one would be the individual notifications, and that falls into the conclusions and the forensic investigation and things like that. But, you know, as we think about all that, the big role that we've also played too is in communications, and working with either your internal comms team or through crisis communications, and thinking through all the stakeholders that you may need to notify here, whether that's your employees, your customers, your business customers, and, you know, thinking through what goes on paper, and not just evaluating the legal risk that comes with that but then the reputational risk. And obviously we look at things from the perspective of, if you're putting it

in writing and sending it out, it's going to be made public at some point, whether that's in litigation down the road or through the media or something like that. And so we really work closely with those teams as well on the messaging and crafting it to make sure that we're both accurate and conveying a message that controls it for the company to manage their reputation. So it's a lot of different hats. And then I guess lastly I'll just add, from the legal perspective, in particular to paying a ransom, I mentioned the OFAC guidance earlier, and making sure that we're having a ransom negotiator, if we're

using one, do that compliance check if we're making a payment, obviously working with the insurance company as well to get their approval if that's needed to make that type of payment, and then on the back end working with the mailing house and call centers and things like that if we're sending out notifications, and helping with the scripting and obviously the notification letters to make sure that they're all compliant with the state laws. No, all great points. I wanted to add quickly, especially in light of the new OFAC advisory, you know, last week, getting that IC3 filed and involving the FBI from the get-go is very important. It's something that, I mean, we're

definitely emphasizing right now, even reaching out to our personal FBI contacts. It's crucial, and I'm glad I brought that up, because that's going to play a big role moving forward. I think a lot of organizations still are at that point where, oh, I heard that I'm not allowed to pay a ransomware, or am I allowed to pay a ransomware, or, you know, ransom. And, yeah, there's a lot of confusion still, and I think that's one that still kind of will continue to evolve over time. And I appreciate Alek talking about communication as well. I think that's a strong focus. I know for us at Fluor,

you know, controlling, as you mentioned, controlling that narrative, whether it's internally within our employees, and then making sure, of course, that only those employees that need to know about an incident (I mean, thankfully ours are very few and far between), but, you know, if we had something more significant happen, that we do control that narrative internally. And then, like you mentioned, you know, with the reputational hit that can come and the risks that are there, you know, we're very engaged as part of our incident response program with public relations and investor relations to make sure we communicate, you know, that information in that

controlled manner to the outside world. So I appreciate those thoughts as well. So we only have a couple more minutes. I thought we'd go around one more time and see, you know, what's one other thing that we didn't get to mention that you each feel that organizations need to be putting in place today to make sure that they're defending against ransomware, or at least they're prepared in the event that they become compromised. So we'll go back to the top of the order. So, Ryan, you want to kick us off? Yeah, you know, I'm trying to think of something here, and, you know, as cliché as it sounds, and I think it's

kind of been emphasized, you know, but think of it as a holistic program. It's really that idea, concept, model of defense in depth, you know, layered security: perimeter, endpoint, identity, whatever it is that your organization has, from, you know, identification, detection, all the way to response. You really need to, you know, have those conversations, tabletop exercise it out as an organization, and just be ready, because, you know, it really is, in my opinion, it's not a matter of if, it's going to be a matter of when. Definitely. And I would say for those tabletops, try to add a technical component as well where possible. It's more purple team rather than just blue team, because, sure, you can have a lot

of great tabletop conversations, but if there's no hands-on component, it seems to me at least that a lot gets lost, at least for, you know, technical employees and team members. Yeah, just one quick comment on the tabletop item, sorry. If you're like, oh, we can't afford a tabletop or we can't come up with a script, CISA just came out with, I saw a link, saw it on LinkedIn, CISA just came out with a variety of different templates and scripts that they've written out for you to use for those tabletop exercises, ransomware and others. Oh, that's awesome. And Google, I think SANS has some out there, for any Gartner clients that are out there, and

they have some great templates. So, yeah, definitely check out those resources, but those are great, so thanks for mentioning that. Definitely. All right, Chris, any last thoughts? Yeah, just really quickly. It's hard to follow what Ryan says, right? Defense in depth is critical, but I would tell you the biggest thing that I think we can do is equip our users. So, like, security awareness training. You know, 40% of ransomware starts with a business email compromise, right? So the gray matter that sits before the monitor and the keyboard can be a huge threat or it could be a huge asset. We have to make them an asset, right? We have to make them an ally, and

we have to make them our first line. Definitely. Those, most incidents where I end up can actually be detected and reported by our users rather than all the, maybe the hundreds of thousands or millions of dollars we spend on security controls, and it just comes down to somebody having kind of that gut feeling that something's off. Absolutely, appreciate that. All right, Alek? Yeah, I'd just, to piggyback off those two things, I mean, we all know that human error is really the biggest risk, so that training piece is critical, but then the training that you're going to do with your team through tabletop exercises. And then the other thing I'll mention, I talked about communications

earlier: understanding, as you plan and defend against a potential attack, understanding the different groups of stakeholders that your organization may need to communicate with, because I feel like we get so focused on the individual side of things that we lose track of all the different groups that we may need to communicate with in responding to an incident or a potential threat. Great point. I just even think of it from a client perspective, and then how should I interact with my clients. I remember when the RSA breach happened and we had our, you know, sales rep contacting us and letting us know what happened, or even with, you know, FireEye and Mandiant with

SolarWinds. I remember when they contacted us to let us know, hey, we've been breached, before they realized how big it actually was. So I appreciate those thoughts. And then Adam? Yeah, quickly, from an insurance perspective, you know, the market is clearly hardening as the carriers try to figure out, you know, how do we evaluate this risk. I mean, you're seeing a lot of co-insurance and sub-limits and all that, and it's basically figure out how you can become the best insured. It's not a complex, you know, formula. Echoing what these guys have all said: having that, you know, robust response plan ready to go, closing up vulnerabilities, viable backups,

closing RDP, and making sure, you know, the first thing I mentioned, it's so easy: make sure across the board you have that MFA. So it's things like that, just kind of the idea of having a regular, you know, making sure your organization is regularly thinking about how can we get better, how can we become the best and most secure version of ourselves, is what we look for. Got to be more secure today than we were yesterday. Yeah, for sure. Absolutely, I appreciate that. Definitely. Well, thank you everybody for joining the panel, and everybody that sat in on the session. So special thanks to Ryan for putting everything together and pulling

everybody together, and Chris, we'd say our resident BSides Greenville and ISA chapter IR expert, and then Alek and Adam, thank you both for joining us. I really appreciate the time and the conversation. I'm sure everybody who sat in can take a lot from the conversation, and if you're just joining us for the ending remarks, definitely be sure to check out the recording once it's on the YouTube channel over the next day or two. Everything should be up by Monday, so just keep an eye out there. So I appreciate it. Again, thank you everybody for being here for the round table. You