
All right, we're ready to go. This is our first talk of the day and we're running a little behind, so we're going to get going, but please wrap up your conversations and give it up for Patterson Cake, presenting "10 Things I Wish Every CSO Knew Before a Cyber Event."

Cyber incident. Have you ever considered the peril of choosing a walkout song? If you choose a really kick-ass walkout song, by the time you get to the stage the audience is thinking, "I wish he would shut up and sit down so I can listen to the rest of the song." For those of you who are unfamiliar, that was Mick Gordon. Mick Gordon fans, anybody? Okay, we got a couple. Rip and tear, Doom. In any case, again, thanks for your patience this morning as we get started. Flexibility. One of the things I love about B-Sides is how casual it is. To be really honest, B-Sides is among my favorite security conferences to attend: low-key, fun, low-cost, high quality, all the really cool things about the cybersecurity community. You look around the room and these are people who live in your neck of the woods. Very cool stuff. Touched on the sponsors at the outset. I would also encourage you: a ton of time, energy and effort goes into making this happen. You see somebody with a purple badge, shake their hand and express your appreciation for all the time, energy and effort that goes into making this happen. It's huge, huge, and I really, personally appreciate it. You with me? Okay, sweet. Excuse me.

So again, this was my concept slide once I chose my walkout music. This was not part of my CFP, so we'll go back into the more boring, actual presentation material. Today I want to talk to you about 10 things. 10 things, math wizards among us: the 10 things that I wish every CSO knew before a security incident occurred. You don't have to be a CSO; it just made for a catchy title, don't you think? I'm going to ask you to use your imagination just a little bit a couple times throughout this conversation. I know it's early yet, but work with me. The first thing I would like you to do for me is imagine that you know that you have two weeks to 30 days and you're going to experience a major security incident. Your organization is going to have a breach sometime in the next two to four weeks. What are you gonna do? What actions can you take? Are you going to rapidly roll out microsegmentation in two to four weeks? Implement zero trust? Intuitive. Actually, it'll take me two to four weeks to figure out what that means. But anyway, what are you gonna do? You might think, "I'll go to ChatGPT. ChatGPT, put yourself in the role of a beleaguered security professional, understaffed and underpaid. I know I'm going to have an outbreak, a major incident, in 30 days. What do I do?" Update your resume, yeah. What I want to talk to you about today is some practical things that I think you can legitimately do in the next days, weeks, most of which is free or almost free and fairly low effort: tactical, practical things that you can accomplish in a short period of time that can help you to be prepared if and when that day comes and you have a significant security incident.

Just a tiny bit about me. I've spent the last just about two years in active incident response, digital forensics and incident response, for an MSSP called Avertium. I have spent most of my days, nights, weekends responding to active security breaches. Very, very, very challenging. I often wonder why I do it, to be totally frank. I have two points on this slide. One of them is that I am by nature a tactician. When you call me or my team out to help you respond to an active breach, an active threat actor engagement, you do not want me to wax philosophical: "Let's talk about your five-year plan." That's not my bent, and so that's going to color the entire remainder of this conversation. I am absolutely intent on doing something right now to improve your security posture, especially in the face of an active threat. Number two, IR is a weird thing. One of my favorite things about incident response is the clarity that comes from a breach. We talk regularly about risk. Risk is likelihood times impact, as a general rule: how likely is something to occur, and if it does occur, how bad will it be? How do you calculate likelihood? A little bit of magic, a little bit of guessing, a little bit of imagination. When I come on scene, that question is answered. How likely is it that something really bad is going to happen? 100%, it just did. And with that comes this clarity, this intense clarity that I thrive on, and that is the leadership in the organization is like, "What do we need to do to make sure this never happens again?" How many of you in your job role would love to be asked that by senior management? That is one of my favorite things about the job, and my hope today, in a brief period of time, is to channel that and to help you see through that lens so that you can take action: a few things that you can do practically to be prepared.

To set the stage, I want to talk just a little bit about the current threat landscape. Now, I have a narrow view of the current threat landscape. The majority of the cases that I have worked in the last couple years have been fairly local, so this is the East Tennessee threat report, unofficially curated by me. Just a couple of quick tidbits, again to set the stage for what we are up against, and again some actions that we can take. Ransomware. Who's heard of ransomware? Yeah, whatever, this is boring, right? Everybody talks about it all the time. There's really nothing new and exciting on this front except that it gets uglier and harder all the time. We do see kind of a dip in ransomware attacks in recent memory, but I think it's just a lull, starting to pick back up again. Significant decline in payments for lots of different reasons: I think we're getting a little better at backups, we're getting a little more skeptical of making payments, there are of course federal restrictions and regulations, which just means that the threat actors are playing dirtier. So double extortion, of course, is just the word of the day: I'm going to encrypt your stuff, and I'm also going to steal it, and I'm going to publish it, and I'm going to embarrass you in an effort to get some payments.

Cloud. Cloud is a new thing, in many ways, relatively speaking. Anybody ever used a floppy disk? Five and a quarter? There's some old people among us. In any case, cloud is new, cloud is new, and there is, and we'll talk about this in just a minute, there is just zero margin for error. So cloud misconfiguration means a really bad day for you. We see this a lot. We like to throw around the trite phraseology that identity is the new perimeter, and truthfully I think that it is, so we'll talk a little bit about that moving forward.

Last, and certainly not least, business email compromise. This is huge, rampant, ongoing, growing, extremely frustrating, extremely frustrating for the businesses and the security people in the room. If you don't have MFA on all of your externally facing authenticated portals, shame on you. I'm sorry, it's your due diligence. It is not a silver bullet, I'm afraid, but this is just such a common and rampant inroad in today's wonderful modern world. And this is just a quick snippet of the current trend which we are seeing, and that is: I popped a mailbox in a company, I hang out for a couple weeks, I see who that company does business with, then I take advantage of a trusted relationship with that external entity. I send them an email message, and because I'm extremely security conscious, I do it in an encrypted mail message. The user receives that from a trusted external entity, they click the link, it's a valid link to Microsoft, they authenticate to Microsoft, totally official, totally normal, and then there's an additional embedded link which escaped your email inbound filtering. Click the link, prompted to log in one more time, not legitimate in this example, through Evilginx. Capture, capture MFA session cookie. I have a primary refresh token now and I can stay logged into your mailbox forever. Bummer. The next step in that process, again, and I'm speaking mostly in our neck of the woods, just from my personal experience: actions on objective for that business email compromise are obviously often financial. So I always throw this slide in here just to say multi-factor all the things, please. MFA as a technical control is a must. It is not a silver bullet. Step two: have multi-factor for other processes in your organization, please. We work with an entity recently who does significant transactions all over the world, financial services company. Through one email thread, three, four messages from a popped external mailbox, transferred 1.6 million dollars to the wrong person. There should be a process, right? I mean, I'll go, that's crazy. It happens all the time. So again, multi-factor all the things. If you're going to do a transaction over X number of dollars, based on your risk tolerance, involve two people, involve three people. 1.6 million dollars? Involve everybody. All right, that's what we're seeing and that's what we're encountering and having to roll back from on a continuum.

Before we jump into the top ten, I have a presupposition slide. We all come to this conversation with presuppositions, with preconceived notions based on our experience, right? And these are some of mine. One is that we, as an entity, as cybersecurity professionals, we often focus on the wrong things. I'm sorry. If that weren't the case I would have far less work. Second, we have a tendency to overcomplicate everything. I won't ask you to raise your hands because I know you, I know me. Part of why we're good at what we do. So we're going to work through the rest of this conversation to do a couple things. One, I'm going to use a little hyperbole. Everything I'm going to talk about today is first-hand, relevant experience in the last 18 months, all absolutely true. I'm going to pull from extreme examples because I want to rattle your cage just a little bit and get you to think slightly differently, and if I can do that even just a tiny bit, then it's a victory. Second, I'm going to work to oversimplify. Again, I'm a tactician; it needs to work. So I'm going to work again throughout this conversation to make things super stupid simple, because that works for me. I think it works for you. Complexity is the enemy of security. Thank you. Last but not least, every business is a bit of a snowflake. It just is. You have unique requirements, unique priorities, unique resources. At the same time, I've noticed that snowflakes have a lot in common with one another. So I'm going to give you some generalities today, and I'm going to ask that you take those generalities and then apply them to your particular snowflake. You know you far better than I know you. The 10 things I'm going to walk through are not necessarily in a prioritized list, and of course I would love nothing more than, at the end of this conversation, for you to say, "I've already done all of that." High five, happy day, major victory.

Imagination again, if you will. Imagine that you just started a new job in a large organization and, I don't know, do we have cube farms anymore? It doesn't seem that long ago that we waded through cube farms in major enterprises. I've been there, I've done that. So imagine, if you will, you're in a large, unfamiliar, new office environment. You're the new person, so you're working late. Naturally, everyone else has gone home. You're a little confused and disoriented about which way is up, left, right, down, but you're brand new, so no big deal. In the middle of that, the fire alarm starts to go off, and naturally you begin to panic a little bit. I'm not exactly sure how I got into this building; how am I going to get out? I go to the nearest major door, and to my great joy and amazement there's a little sign. There's an emergency evacuation site. Sweet, I'm saved. And when you get there, this is what you find: "Why we need a fire escape plan. Let's talk about actually the definition of a fire. Let's talk about some common ways that a fire is started. Let's do some runbooks. Let's do a lot of runbooks, maybe 30, 40 or 50 of them." One of two things is going to happen at this point: you're going to die from smoke inhalation, or you're going to be a sane human being and just run for a door. This is what enterprises do for their CSIRP, and I find them to be largely useless. Out of all the incidents that I've worked in the last two years, I can count... nope, nobody's ever, ever leveraged their IR plan in the middle of active incident response. I'm sorry, it's just the reality of it. That frustrates me; it probably frustrates you. In many instances the IRP is 70 pages long. So many people, it's an emergency guideline: bad stuff just happened, stand by. Stop it. There may be some value in that plan, but what I would like to suggest is that you have a useful, tactical, abbreviated plan to use actually in the event of an emergency. Keep it simple. Keep it 10 pages or less. If you ask me, 10 pages is still pretty long, frankly. If you need to have all these other additive components, make it modular, indexes. It's not that complicated. Just a handful of things that I think belong in that plan, things that you're actually going to want to know in the event of an emergency. If your IR plan literally contains a section on what ransomware is, you need to review that plan. I work for an MSSP. Part of the parallel is you pay us good money to develop a plan, and it feels like if I give you a six-page plan you're gonna be like, "What?" Find that right balance. Find the right tension for your organization. You must be... awfully quiet. No? Nobody's with me? Sweet. This slide hurts people's feelings sometimes.

The next thing. When I roll into an engagement with a customer, bad things just happened, really bad things, possibly the worst day of their professional lives. One of the first questions I ask is, "Do you have cybersecurity insurance?" And you want to know what the, by far and away, most common answer to that question is? Actually, it's, "I... I think so." You think so? Might be a good thing to know in advance. And then the next question is, if you have it, do you think maybe we should call them? "No, no, it's just a little dent. Plunger and some Vaseline, I can rub it out. Do not call the insurance company." You paid them a half a gazillion dollars a quarter. I would like to suggest that your cybersecurity insurance provider should be your business partner, and if you do not relate to them like that, you either need to enhance that relationship or find a new provider. Critical component of your IR plan. Critical. Something you can do tomorrow. Okay, not tomorrow, Monday. Do you have cyber insurance? Nail that one right out of the gate. Who do you contact? When do you contact them? Develop a relationship with that person. Call them on Tuesday just for the heck of it. Develop that rapport, develop that understanding, delineate these things. This is one component of your IRP, even if it's standalone. Third-party resources: have these numbers handy, have the names handy, know when to call them. This is not sexy, right? You're super excited about this one, I know you are. I'm sorry. Have these things lined out. How long does it take your organization to engage with a third-party contractor? If you need me tomorrow, how long is that going to take? I have literally seen it take three, four weeks for large enterprises. Incident response is not a game of seconds and minutes, I'm sorry, but it absolutely is a game of hours and days. Get this stuff lined out before an emergency. Super simple, not a big deal. There are lots of zero-dollar IR retainers now. Sometimes you get what you pay for, but that is better than nothing: to have a pre-arranged engagement with somebody to help you if you need help. Make sure that they are approved by your cybersecurity insurance company in advance. Legal. Again, large enterprises often have in-house legal, and they are reticent to call on external resources. They're probably really, really good at their job. This is not that, sorry. The legal requirements and involvement for a breach are very different. I would strongly consider having those folks arranged ahead of time. Right? All right, I'm not going to say anything else until somebody else responds to me.

Logging and auditing. Again, not super exciting. Huge, huge issue for me as a digital forensics and incident response professional. So I worked a case very recently, again a financial services company. You got a mailbox popped. Threat actors hung out in that mailbox for a couple, three weeks. We get called in to ascertain how it happened and what went wrong, and of course the business entity, their credit card information, their vendor information, there's HR information in this mailbox. And what's the burning question on the enterprise's mind? "Can you tell me exactly what the threat actor accessed?" To which I responded, "Do you have... is your mail in M365?" And everybody goes yes, almost everybody, sorry, it's just a fact. The next question is, "Do you have E3 or E5 licensing?" To which almost everybody responds, "E3. E5 is expensive." It is indeed. It also lacks mail item access auditing. In that particular scenario, 125,000 mail messages in that mailbox, and we have to assume the threat actor accessed all of them because we don't have the audit data to prove otherwise. That's just one tiny example, and this is the snowflake conundrum. I need you to take this, and I need you to think about your critical data infrastructure, things that are important to you, whether it's email, SaaS infrastructure, ERP, CRM, and make sure that the things that you need to be audited are audited. Please. Microsoft, really frustrating. If you're not familiar, if you're using M365, don't raise your hand, but you are, thank you, and you're not familiar with the differences between E3 and E5 licensing, you need to know, and you need to make sure your management knows and the business leadership knows the things that are unavailable to you based on auditing. And that applies to all of the above. Pay attention to that one. And maybe you can't afford E5 licensing. Most of us can't; it is legitimately, significantly more expensive than E3. So buy a few licenses and assign them to your accounts payable, your accounts receivable, your HR people, your admin assistants, and then maybe your C-level execs. That's fairly manageable. Usually I see people buy them and then apply them only to C-level and/or IT people for some odd reason, and that's usually not the attack vector, to be honest. Again, looking for the money. So one more time: make sure logging and auditing are adequate before you call me and I say, "I can't help you." I literally have customers say, "I'll buy E5 right now. Will it be retroactive?" Don't think so.

We touched on this at the very beginning, and I keep saying zero margin for error. You mess up on a local server configuration internal to your enterprise, it's not good. Might even have a bad day or two. You mess up on cloud infrastructure and you expose S3 buckets or unauthenticated APIs or, or, or, or... really, really bad deal. Working with a healthcare enterprise recently, just making a move into Azure. It's a brave new world for healthcare, pushing on-prem infrastructure to Azure. They're smart enough to realize they don't have the internal expertise, so they engage with Microsoft directly. They send their engineers and their security engineers to do this training. Bravo. That's know thyself and know your resources. So they go to this training, and a very well-meaning security engineer is sitting in that training learning all about NSGs, network security groups, effectively your firewall for Azure infrastructure, playing around, doing some testing, thinks he's in the test tenant for their environment, opens the firewall completely, leaves it open to the entire universe, fortunately not for an extended period of time, for all their healthcare infrastructure. Zero margin for error. If you don't have internal expertise, get help, please, on this one. This is a big deal, and most of these are pretty simple in a lot of ways: do not expose S3 buckets publicly, do not store your keys in GitHub, etc., etc.

Finally, on this side
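The Azure NSG mistake the speaker describes, a network security group opened to the entire Internet, is the kind of change a rule-set audit catches before it is applied. This Python script is an added example, not code from the talk, the speaker or Microsoft; the rule list is constructed sample data in the shape of an ARM securityRules array, and the sensitive-port list and the 1000-port threshold are assumptions.

```python
"""Audit Azure NSG rules for inbound exposure to the whole Internet (added example)."""
import ipaddress

ANY_SOURCE = {"*", "internet", "0.0.0.0/0", "::/0"}  # values Azure treats as 'any source'
SENSITIVE_PORTS = {22, 3389, 445, 1433, 3306, 5985, 5986}  # assumption: critical if open to all

# Constructed sample rule set in the shape of an ARM 'securityRules' array.
# 'LabTesting-AllowAll' is the 'open to the entire universe' mistake from the talk.
SAMPLE_RULES = [
    {"name": "AllowHTTPS", "properties": {"priority": 100, "direction": "Inbound", "access": "Allow",
        "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"}},
    {"name": "DenyRDPInternet", "properties": {"priority": 110, "direction": "Inbound", "access": "Deny",
        "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"}},
    {"name": "LabTesting-AllowAll", "properties": {"priority": 120, "direction": "Inbound", "access": "Allow",
        "protocol": "*", "sourceAddressPrefixes": ["10.0.0.0/8", "0.0.0.0/0"], "destinationPortRange": "*"}},
    {"name": "AllowVNet", "properties": {"priority": 130, "direction": "Inbound", "access": "Allow",
        "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"}},
]

def is_any_source(prefix: str) -> bool:
    """True if the prefix matches every address: wildcard, Internet tag, or a /0 network."""
    p = prefix.strip().lower()
    if p in ANY_SOURCE:
        return True
    try:
        return ipaddress.ip_network(p, strict=False).prefixlen == 0
    except ValueError:
        return False  # service tags such as VirtualNetwork are not 'any'

def expand_ports(spec: str) -> set:
    """Expand one NSG port spec ('*', '443', '3389-3390') into a set of port numbers."""
    if spec == "*":
        return set(range(65536))
    lo, _, hi = spec.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))

def rule_ports(props: dict) -> set:
    """Union of the rule's destination ports (Azure allows a single spec or a list)."""
    specs = props.get("destinationPortRanges") or [props.get("destinationPortRange", "*")]
    return set().union(*(expand_ports(s) for s in specs))

def find_internet_exposure(rules: list) -> list:
    """Report Allow/Inbound rules reachable from any source, lowest priority number first.
    A port already blocked by an earlier any-source Deny rule is not counted as exposed."""
    findings, denied = [], set()
    for rule in sorted(rules, key=lambda r: r["properties"]["priority"]):
        props = rule["properties"]
        sources = props.get("sourceAddressPrefixes") or [props.get("sourceAddressPrefix", "")]
        if props["direction"] != "Inbound" or not any(is_any_source(s) for s in sources):
            continue
        if props["access"] == "Deny":
            denied |= rule_ports(props)
            continue
        exposed = rule_ports(props) - denied
        if exposed:
            severity = "critical" if exposed & SENSITIVE_PORTS or len(exposed) > 1000 else "review"
            findings.append({"rule": rule["name"], "priority": props["priority"],
                             "severity": severity, "ports": exposed})
    return findings
```

Run against a real tenant by exporting the NSG with the Azure CLI and feeding its securityRules array to find_internet_exposure; the HTTPS rule is reported for review, the lab rule as critical, and the RDP port stays out of the lab finding because the earlier Deny shadows it.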