
Table Top Exercises

BSides SLC · 2023 · 39:13 · Published 2023-12

Did you know that 10 + 10 and 11 + 11 are the same? 10 + 10 is 20 and 11 + 11 is 22. That's all I got. You want more jokes? They're gonna be just like that. Don't apologize.

All right, let's get going. So today we're going to talk about tabletop exercises. Um, this is a talk I did at SAINTCON; if you went to that, it was fairly successful. Uh, like I said before, tabletops are something that everybody needs to do. It's not a really hard concept, it's not really a difficult thing to pull off, but it's something that a lot of organizations don't do, or do incorrectly, or don't fully understand the importance of and the benefits of, and don't put the time into making it happen. So, um, I put together this talk because I feel strongly that tabletops

need to happen. You need to do them, and so I threw it together to kind of get that word out and share to people why: why do you care about tabletops, why does it matter? Um, so really quick before we jump into this, who am I? I'm Matt Lurmer, also known as Zodiac if you do anything with SAINTCON. I've been involved with a lot of the local infosec organization groups for some time. Um, you see there, there's a DC Davis County; I helped start and run that with, uh, several other people up in Davis County here in Utah. Uh, DC435: I grabbed on to Pope's coattails and got started, helped

start and found that group. Um, I like to ride bikes. I like to ride bikes because I like hot chocolate and donuts and I need something to keep up with those. I am losing that battle, but I still like DED bikes. I mentioned I do a lot with SAINTCON. I've been on the board there for, or I guess I've been on the committee for SAINTCON for a long time, like 12 years or something. Um, if you've ever been to SAINTCON, I do the communities and contests; basically everything on the first floor is what I put on. If you haven't been to SAINTCON, it's time to rectify that this coming October, usually

the last week of October. It's a ton of fun. Um, anyway, it's great. I put in there, I threw t on there because, uh, everyone laughs, and you heard harassment already about it: it doesn't matter what's going on outside, I'm going to be wearing sandals, because why don't you want your feet comfortable? And who wants sweaty, gross feet all day when you can just wear sandals? I'm just saying, you could be comfortable and happy, or you could be on rwar shoes and stinky. Um, last one there, I put on my employer. I do work for a local company that sells and does tabletops, but this is not a marketing slide; this is more of

just getting information out there. So, how to do tabletop exercises. We're all going to go... this guy's done a lovely demonstration of what it's going to look like. If everyone can get up out of their seat, stand up, bend over backwards, and, uh, I want to see this happen right here. Uh, actually no. Um, there's probably three people in this room that could do that, and I'm not one of them. Um, I am a firm believer every presentation needs a "too long; didn't read", and this sums up tabletops, uh, right now. If this is all you need, if you get nothing else out of the slide right here... I'm not going to

read the slides to you. You're all competent humans; you can read. If it's too small I'll make it bigger, but reading slides makes a dumb presentation. So they're there; at the end of the slide deck there's a QR code. If you want to see what the slides say later, scan the QR code and you get the full presentation with my notes, with everything there. Um, if you want to take pictures you can, but you don't have to. Um, so anyway, too long; didn't read: tabletops are there to help you practice your information security, your IR process, before you hit an actual incident, and identify gaps and fix those gaps. Um, I personally put tabletops into

two categories: you have more of the casual tabletops, and you have more of the official tabletops. Um, informal tabletops generally are done in house; they're usually shorter. As the name implies, they are less formal, but, um, they can be as simple as a game of Backdoors & Breaches. If you have not seen or played or don't know what Backdoors & Breaches is, this is a game by, uh, Black Hills Information Security, and it's a card game that will let you simulate tabletop exercises. It's really good because it kind of takes, um... like everything else, you can be more or less formal with it, but it takes the tabletop and it takes some of the

difficulties of leading a tabletop and puts it into the cards. The cards have the answers for you, so if you're not experienced but you still want to lead a tabletop, buy a deck of cards; Backdoors & Breaches are 20 bucks. Um, if you don't know, come find me; I've got all the decks, everything, if you want to see what they look like and what's involved in them. It's pretty cool. So the informal can be as simple as a game of Backdoors & Breaches. The formal is often, um, done by a third party, but it doesn't have to be. It's often so; they come in and they will follow a full

step. Um, when I do them I follow CISA, who is a federal cybersecurity agency. I follow the CISA Tabletop Exercise Package; the CTEP is what they call it. Um, this definition here is from CISA; this is, like, their definition of what a tabletop is. But, um, a lot of the content in this presentation... this presentation mostly follows formal tabletop exercises, but the formal information will also apply to formal tabletops. Um, kind of a disclaimer there. You can read the words here on the board, know what it is. I'm talking about formal, which is what CISA is talking about up here, and it'll also apply to informal ones. Um,

this here, this talks about what do you need to make your tabletop successful, what do you need to actually get benefit out of it. And I would say even the informal ones, where you don't do this stuff, you're going to get benefit out of; there's benefits across the board. This is, again, formal, just a tabletop: what are you going to get out of it? Um, it's not actually an incident; take the stress out so everyone can feel comfortable and everyone's going to participate. Uh, this is important because a lot of times you go in and, um, more time is spent protecting jobs than, uh, actually answering the questions, and if you give crap answers you're

going to get crap results. You need to make sure that it is a place where people are comfortable and willing to admit to problems, admit to faults. Uh, the second one there: don't get buried in the weeds. Like, uh, I've been to tabletops where it's like, "Okay, tell me what your SIEM query would be to find that in the SIEM. Tell me what's going to happen in this piece." When you get buried in the weeds, everyone gets lost and it becomes a conversation between the SIEM admin and the facilitator, or between the sysadmin, who you're talking to about digging through logs, and the facilitator, and you want it to be a

conversation with everyone in the room. Try to keep them a little bit more high level. Uh, I find you get a lot more involvement as you keep everyone involved and stay out of the specifics and the weeds there. Uh, the fastest way to lose participants is to choose a scenario that doesn't apply, that next one there. I've seen it where, uh, people give bank scenarios to a higher ed institution and they're like, "I don't care, it doesn't apply." And you can still gain, but you're going to lose... um, everyone's encouraged to ask for more information on the process, the tools available. Facilitators are encouraged, um, to have conversations and

discovery. Uh, next one there: the scenarios should change to keep things interesting. I had an interesting one where I did a tabletop a couple weeks ago; went out and spent two days doing tabletops with an organization, and, um, it was a large logistics organization, and, um, so I'm actually going to pause and tell a story about this, because this was a really cool experience for me as the facilitator to do this. Um, shipping and receiving is not a new industry; it's been going for decades. And so we were given the challenge to meet with an operations person within the logistics company and an IT person, and it was really easy for me, with an IT background,

to stump the IT people, to give them challenges and give them scenarios that were like, "Oh, that's going to interrupt my process, and this is what I need to restore services, this is what I need to do." But these shipping people, they've been doing it for literally 2,000 years. They've been moving goods from point A to point B, and so you'd say, "Okay, this happens and you lose this resource," and the operations people didn't miss a beat, didn't miss anything. Like, "I'm going to go to this; this is plan B." And I'd say, "Okay, plan B fails." "Okay, this is plan C, and this is how I'm going to do it." And I even pushed back to be like, you don't

really know this, tell me more about what's going to happen. And this operations person would outline what the plan... they were on plan D at the time, and he's outlining immediately, off the top of his head, what plan D looks like. And from an infosec perspective I'm like, "Dude, this is awesome. I'd love to get here, where plan D, like, my SOC analysts and my IR team know what plan D is off the top of their head, and they can just spout it off to me, and it works, and you don't lose services and you don't lose data, you don't get exfil. This is amazing." And so it

was awesome for me to see what the end goal of tabletops is through this (uh, sorry, I didn't mean to go to the next slide), through watching these operations people at this logistics company go, because that's what tabletops are there for. Tabletops are to get you to where you understand not just how do you do the initial response, but what compensating controls exist to make the effects of that compromise as minimal as possible. Um, but as a part of that, with this company when we did it, I had to do a lot of, I call them injects; people call them a whole bunch of different things. But just be ready to adapt the scenario. Sometimes you get

in and you realize that the scenario is way over the head of the people that are participating, and sometimes you realize that it's way too easy for them. The scenarios need to be adaptable; they need to change so that people stay engaged and stay interested. Uh, the last point on this slide: tabletops, uh, they're not there to prove a point. I've seen tabletops where it's there, and I have been asked when we're scoping tabletops, "Can you just prove that this guy that runs a SIEM is an idiot, doesn't know what he's doing? Can we, like, have that be the point of this whole tabletop?" No. No, we can't. That's not what we're going to

do. Um, it needs to be there, and you're going to share information, you're going to do things, but it needs to be you go in open and with the intent to discover all gaps in the process. It's not to point out one person or to highlight one fault or to highlight one strength. I've also been asked, you know, I've had people come to me and say, "Well, my manager is going to be there, and can you just make sure that I look really good? Can you, like, tell him that I'm amazing?" I mean, if you're amazing, then it'll show up pretty quick, and if you're not, I'm sorry. We try to keep it polite and nice

and kind and not to call it out and say you're not doing a good job, but at the same time, if you have an agenda, that's a good way to lose the tabletop and not get anything going. Okay, I'm getting a little bit in the weeds and I'm trying not to. This is a little bit of a dry subject. I promise, if you actually do tabletops, they're way more fun than this presentation. The presentation is more info and a little bit deep, but, um, CISA has phases to their tabletop. Uh, just like anything else, you're going to have your initial scoping. CISA is very, very detailed. It comes out of the

federal government. It's based in runbooks, it's based in procedure, it's based in documentation, which, if you're doing this for the first time, is exactly what you need. If you've never done a tabletop, if you've never done anything like this, find that CTEP. It's free to download; you just go to the CISA website, download it there, and it's phenomenal if you've never... it has enough checks and balances. I don't know how many people have military backgrounds or know people with military backgrounds: runbooks are designed to take the decisions and the thought process out of things. CTEP is a runbook. It's there; they even outline scenarios for you if you don't know what scenarios exist. Um, the four steps are:

you scope it, you go and you create the initial deliverables, you go and do the tabletop, and then you deliver the post-exercise deliverables, or the after-action report. Um, not a whole lot to go into here, not a lot of details. CISA gives four roles to a tabletop. Uh, they're kind of boring that way, so I put them like this. Um, if you want to know how CISA does their tabletop, I find it way easier to think about the Avengers. So the players are the superheroes, the players are the IR team, the players are Captain America. The players are, um, the

you know, the IR team is Captain America. The leadership that's actually engaged in participating in the tabletop, that's the Hulk. Um, you know, the interns there maybe are Groot, but they're participating and they've got something to contribute too. Um, the observers, that's the citizens of Sokovia: they're not really adding anything to the whole show, but they're kind of important for it. Uh, facilitators, that's kind of like Nick Fury: he's there to pull the strings, but really he's not the center of attention, he's not there the whole time. He's kind of behind the scenes; you see him here and there, but the movie is really about Captain America, and this is what a

real tabletop is. The facilitator isn't the superhero that's on the screen the whole time. The facilitator will have a big impact, but is definitely not the main event. Data collectors are there; these are the, you know, Agent Coulson, you know, Phil Coulson, Maria Hill from S.H.I.E.L.D. They're there, they get a lot of stuff done, but you really see them for like 30 seconds in the whole movie. Um, anyway, this is CISA's tabletop roles. Next slide. Everyone always asks, "Who do you invite? Who comes to your tabletop exercise?" When I'm doing it, who should be in the room? Everyone. Uh, you don't want 100 people in a room for a tabletop. You do want it

to be a discussion, and 100 people can't have a discussion, but within reason you want people representative across all things. My favorite thing to do in a tabletop is, you sit there and you start telling these stories, and you see the management over on the side, and leadership, and they think they're observers and they're kind of enjoying watching people squirm, and you turn to them and say, "Press just called your desk. What's your answer? Why are your services down?" They're like, "Well, this is a security incident. I'm not security." You're right, it is a security incident. Okay, if you don't want to answer, I mean, the intern over here, he's next on the

list of their calling tree, and they would love to talk to the intern about the incident. All of a sudden management's like, "No, no, no, no, no, no, no, I'll talk about it. Let's have a conversation." I'm like, "What do you say? What do you do? Do you tell them no comment? Do you tell them we're down, we're coming back? Who do you ask for information? What do you do?" And all of a sudden it takes this for leadership, and it's no longer a "that's a security problem", it's a "that's an organizational problem". This security incident is an organizational thing, not a security thing, and it's good to get everyone in the room so that they do that. But

also, um, like the CliffsNotes version of the slide: all of those things up there, those are just random corporate roles I thought of. It's not anything specific. This isn't a checklist; this is just a bunch of titles I thought to throw on a slide. Involve everyone across the organization regardless of their role. You obviously need to have the IR team, the incident responders, you need the security analysts, you need some of the sys... there are some roles that you need, but really you want to involve as broad of an audience as you can. Um, benefits of a tabletop: the benefits of a tabletop are varied, they're pretty solid. This

is kind of a generic slide to say it really does good. But really, first part: practice leads to familiarity. You don't want the first time you read through your IR plan to be when you have a ransomware event. If you don't know what to do and you have to figure out IR while you're going through IR, it's going to be a miserable process. Discussion and exploration leads to gaps and tool sets. I was actually just talking a little while ago with someone about just how effective these are at finding problems: you know, tools that you don't have, skills that you don't have, gaps in your program that need to be filled. If you

aren't sure what you need to do next, do a tabletop and it'll really quick float to the top that, "Oh man, if we had this problem, you know, we'd have no telemetry inside of this whole tech stack over here." Well, that's probably the next problem you should solve in your organization. Uh, it's a game: friendships are made and strengthened, trust is earned. I have seen a lot of team... this is really good particularly when you get a diverse audience from different teams. You get a lot of cooperation; that collaboration leads to... you're literally playing games with other people. It'll lead to friendships, it'll lead to, um, building those relationships.

Regulatory requirements: a lot of orgs have these. Uh, they suck; they don't need to be talked about a whole lot, but it does mean you have to do them. Uh, teams outside of infosec get some of the why of infosec. This is huge. You involve these other teams and all of a sudden the, um, the developers were like... you're the infosec, kind of hated in a lot of orgs, because, um, again, to replug Sean's talk like it was last time (we're going to see if we can get this mentioned in every talk today; it's on YouTube), Sean Price gave a talk at SAINTCON about how a lot of infosec is a

hammer, and they go and they beat on everything with a hammer, and that leads to a lot of antagonistic relationships, and a lot of people don't like the infosec team. If you invite them to your tabletop exercise, you're taking away the hammer and you're making it more a partnership, and you're making it more a collaboration, where you're saying: this is why I'm asking you to do this, because one day we're going to have ransomware and I'm going to need to look at those logs. I'm not telling you to give me the logs because I just want to be in charge of you and tell you what to do. I'm telling you I need the logs because we

need the logs; here's why we need the logs. I'm telling you you need to start testing your supply... your, uh, library dependencies because it matters, and here is what not checking your library dependencies can do. And that's where tabletops can really be beneficial: it makes that partnership, and so instead of being, uh, a fighting relationship with the other, uh, areas of the organization, it becomes a partnership with the other areas of the organization. Uh, six and seven up here are mostly the same: make sure everybody's doing the same thing in a consistent way. I can't tell you how many times you get into a tabletop and you have one person who says, oh, this is easy,

we do this, this and this, and the person three people down is like, "No, no, no, no, like, we don't... those aren't written down anywhere. The IR process says we need to do these other things instead." You're like, "You got a problem, and let's talk about it." And as a good facilitator, you don't solve the problem; you just sit and listen to them and say, "What is your IR process? What are you going to do? He says do that and he says do the other thing; talk about it." And really, a good facilitator sits and listens, and sits and lets the organization discuss the IR process, discuss the incident, discuss the tools. Um, a lot of times I'll say, oh, we

have this tool and this tool will totally solve that. Will it? You really think that your email gateway is going to detect, like, endpoint compromise? Tell me how. I'm interested in the story; let's talk about it. Um, and sometimes they'll surprise you and actually have a valid reason behind it, and sometimes they'll surp... you'll be like, "I didn't think so." But let the organization discuss this and figure that out on their own. Um, number eight is pretty similar to number three: if you can bring in other teams, they all get the benefits too. Uh, right here, in short: if you do a tabletop, you really will have rainbows, unicorns, puppy dogs and sandals for the

rest of your life. [Laughter] But really, the benefits are huge. It is a very noticeable benefit; it does help your organization, helps make things better. I want to throw this one in here. We talked about how you can do these intern... you can do informal ones, you can do formal ones. This is one of the things that I love to do, to help people, um, as I do them: you shouldn't just do only informal or only formal tabletops. You should do both. You should do little games; you know, if you work on an infosec team, get together and play Backdoors & Breaches once a week, once a month, once whatever. Have a formal

tabletop once a year, once a whatever your requirements are. There's no solid answer of you need to do this or you need to do that, outside of regulatory and compliance reasons. You know, if you're doing CMMC or something like that, then it's very prescriptive of you will have this tabletop at this interval and everything else. Aside from that, this is just one more tool to have that's convenient, that works for you. But, um, if you're doing these, whether informal or formal, and you are facilitating the tabletop, you are leading the discussion, these are some of the tips and tricks that I've, um, had people share with me, that I've

discovered, that I've seen, that really make the tabletop more effective. Number one: never ever stop the discussion. If people are talking, you just close your mouth, let them talk and let them go. Within reason; some guy will talk for 20 minutes if you let him. Um, but encourage conversation, let people clarify. Next, explore. When they have compensating controls, ask, and be like, hey, what are some of the... you know, they're like, "We would pull that out of the SIEM." Okay, let's talk about your SIEM: what could cause your SIEM to go away? By the way, if I'm using terms like SIEM that you don't know what they are (that's a logging system),

just don't hesitate to shout at me and tell me to stop talking and explain things better. But, um, if you're saying, "Oh, we'd pull those logs out of the logging system and we'd be totally fine, we'd get that," I really like, sometimes, if the tabletop's going really well, I kind of turn it back and push it on to them and say, "So let's talk about your SIEM: what could cause that to go away?" Sometimes it's a cloud-hosted SIEM and they're doing software as a service, and it happens: cloud services have outages. You know, what could... causes of that being AWS: AWS West has gone down in the past. It has happened; it causes problems. So yes, your SIEM could go

down because Amazon has an outage. It could be that your SIEM is running on some janky old JBOD storage array in your data center that is 15 years old and hasn't been updated, and you lose one more disk. Like, there's 20 reasons, and part of tabletop is exploring what failure points could be, what could cause the outages, what could cause the problems. And so turn that to them and say, "What could cause your authentication system to go down? What things could happen to do this?" These are tools you rely on, and you have the tools, you have the pieces, you know how to do the incident response; let's talk about what could break your incident response

process, what could cause this to have issues. Um, the prompt can be anything. Some of my favorite prompts are, you just started with, you had, you know... you don't have to lead them a lot of times, particularly early in the tabletop process. If it's your first one, the way tabletops work is the facilitator will stand up front and they'll give you a prompt, and the prompt just unfolds as the service desk finds it, as it unfolds in your organization. So: you had a phishing attempt in your organization; tell me what you do. And you have them walk you through: okay, well, we search the mailboxes, we use Safe

Links to disable the link and we turn it off, we pull the message from mailboxes, we do this. Okay, great. Do you look and see who clicked the link? Do you use that Safe Links telemetry and that data to detect who followed the link and who's been compromised or who's at risk because of that phish? Okay, what do you do with the other data? What do you do with the information? But some of the most fun ones, if it's a more mature organization that knows what they're doing: you say, okay, you had a phishing link, you lead them with phishing, and, uh, the scenario has nothing to do with phishing. The scenario is actually about an

insider attack. But if you look at real incidents that happen in the real world, this is very common. You start with a phish, and as you're investigating a phish you start to say, "Why is this data leaving the network over here? What's going on on this weird thing over here?" It had nothing to do with the phish. The phish wasn't the attack vector, the phish wasn't involved, but because you're looking in and doing incident response, looking at data, looking at logs, you all of a sudden notice, hey, this guy over in accounting, he's been dumping our whole directory for like months; he does a regular offsite backup of our entire ERP. You should probably

look into that. Um, and so your prompts, again, this is the adaptability piece: make sure that it fits the org. If they're a mature org, give them a little deception, lead them down wrong paths, get help, make them go through the process and see what potential things... but also, when you're being successful, you've mapped this out in your mind. When I do a tabletop, my facilitator manual, I have, like, written the entire story of what I think's going to happen. I've written five different things of possible ways to make it harder or to make it easier, so that when I'm sitting there I don't have to be like, oh, uh,

you've got an answer to that one, let me... what can I do? Um, John in accounting, he's the one. Like, I don't have to think about it, because I've written it all out and it's all there. You want to be prepared as a facilitator to make it as engaging as possible. Um, next one: lies are best hidden when they're based on the truth. Uh, most of my scenarios that I do are based on customer events where I get pulled into a customer to go help them with actual IR. You know what, I did it once: I had an investment firm get compromised and we got pulled in to

help them recover from a ransomware event, and two weeks later guess what my scenario was for that tabletop? I told the whole story, minus names, a few key details changed, a couple things; you couldn't tell who it was. But those are by far the best stories. And if you don't have stories that you've been involved in, read the news. Uh, you know, Caesars and MGM: more and more details and information coming out of that. If you don't know this, Maersk got compromised in 2018 and they were, like, phenomenally transparent about their entire process: what happened, how they found it, what went on through the whole process. Tell that story. The logistics company, I

used the Maersk scenario for two of those. I talked to them and I adapted it to do two different ways and told them, walked them through the Maersk supply chain, or the Maersk problems. Um, the City of Dallas was compromised earlier this year; they released, like, an 87-page document on everything that happened in their compromise: the initial attack, where it went for lateral movement, what they did for recovery, how they found everything, everything that happened. Um, one of the other things I do for a facilitator (I'm going over, so I'm going to go quick now), but, um, don't let them off easy. Most incident response, I'll be honest, I did SOC

work, I did IR before I started doing what I'm doing now. Most IR, if you look at either the NIST or the SANS, uh, IR framework process (I don't know if they're actually official frameworks), but if you look at the steps that NIST and SANS outline for an IR process, most people do one or two. So NIST and SANS have six steps for IR. Um, I think SANS really has four, but it's the same six things; they just combine three of them into one step. Um, but they have six steps, and most people do one, maybe two, of those steps in their IR. You find something compromised and you wipe it out, you

completely, um, you eradicate the, uh, infection, or you eradicate the incident. But really you need to make sure they're doing identification, containment, eradication, recovery and lessons learned. Make sure you're getting all of the pieces in here for your IR. Don't let them off the hook. And so as the facilitator, say, "Okay, you identified what the compromise was. Did you look for lateral movement? Did you do containment? Did you, um, do recovery? Did you do lessons learned?" And make sure all of these steps are gone through, because very often it's happened where, oh sure, you caught the initial compromise. One of the things I did prior to this is I did pen testing. People will catch one or two

of the things we did. Okay, that's fine. You sure you stole that? Are you... the one computer I used to pivot through to your data center, you played whack-a-mole and you reinstalled that one system. That's awesome. I'm glad you didn't look at lateral movement, because now I have a foothold in your data center and you didn't check that, and I can do whatever I want where I actually cared about doing things in the first place. Uh, review findings at the end. These conversations are very beneficial because everyone in the room gets something different out of the process, and give everyone a time to say what they learned, what they gained.

Um, this one here: the facilitator basically is a DM. If you ever play D&D, that's what you're doing. People are going to come at you with weird crap. This here, I don't know if that's too small to read, but, uh, he says, "You're a defensive mage, you can't wall enemies to death," and her response is, "It doesn't say anything about where I can build my wall." And, um, so here the example I get here is, I talked before about phishing. Other things: you think your VPN can identify a phish? Interesting, tell me more. Well, we use our VPN, it's an always-on VPN, and we check all the logs and I

can tell you who clicked on the link, because I have logs from every endpoint in the organization, and we don't allow, you know, we've sandboxed off these different things. I'm like, "Oh, you actually can get some telemetry from the VPN for your phish. I'm not saying you can detect it, but you can actually get some information. Good, let's go." Don't be totally, um... this is not a by-the-book event, this is an adaptable event. Let people tell you stories, let people do things that are creative and interesting. Um, so, any questions or feedback before we're done?

I try very hard to not roll my eyes at them. Um, that happens every time, every time, and one of the things I do is I preface this. At the beginning of my tabletop I have a whole slide that talks about how this is all about hypotheticals. This is not a real event. I'm not saying you got compromised, but I'm also not saying that I know everything about your organization. This is an exploratory thing for you and I. So if you say it can't happen, tell me why it can't happen. You know, I say you got phished, and you say you can't get phished; I say, tell me why,

and they'll be like, because we have Abnormal and we have Proofpoint and we have Mimecast. Which, you laugh, but I have seen people have several mail, email security solutions deployed. It's, you want to throw money, go throw money, fine, whatever. Um, and they're like, I, we decided we didn't want phish so we implemented these three or four solutions to prevent that. I have seen all of those solutions fail. I have seen them fail in parallel in deployments. And I, and so you talk about and say, okay, let's just say, that's great, I'm glad you did that, hypothetically let's just say a phish got through. Or let's say instead of phishing direct like that, they phished your

personal Gmail account, because tell me that nobody at your organization uses their personal email to, to do work. Is there anyone in here that can say that they have no one in their org using personal email to do work? Like, it happens all the time. People do dumb things. Okay, then let's say it wasn't a phish, it was a smish, you know, they were doing SMS phishing. What do you have to protect your SMS phishing? Okay, it was, uh, social engineering call, it was vishing, it was a social engineering call the help desk. And so that's part of where the adaptability piece is. If they're like, well, I've put all my eggs in this basket

and you're never going to get this, okay, let's adapt it, right? What are you doing for this? It, it wasn't, and so it's a combination of pivoting to a different technology or a different piece, but also communicating, say, tell me what you've done to protect. Because some orgs have done amazing things to protect, they've done really cool stuff, and they really have mitigated and created layered security that is very hard to penetrate on that front. So how are you going to get around it? What are you going to do? So it's both sides, I guess, is the answer your question. Any other questions,

comments?

Rel and that, that's the hard balance, like that, that is, that is the really hard part in the difference between a good facilitator and a bad facilitator. Um, actually that's name good and bad, that's good and mediocre. Uh, most things tend to get into the, um, like the teacher relationship, the just up there lecturing. And so a good facilitator will keep a discussion going, and sometimes, I said stay out of the weeds, sometimes the answer is you've got somebody who's like, oh, I get that out of the SIEM, and you know that they can't get that out, they don't have that skill set, they don't have that. And so knowing when to say, okay, tell me about it, what table

would you look at, what data set are you looking at, what search, you know, what. And I think that getting syntactically in there and being like, show me the syntax, gets deep in the weeds, and that's an easy way to lose people. But be like, what are you going to search for, what event code, what events are you going to look for, what. Knowing the balance of when to do that and when to say, okay, you looked in the SIEM, we're not going to do that because no one else gives a crap and we all know you're full of it, or we all know that you're actually amazing and you've been like months of training for

Splunk or Sumo, whatever your SIEM is, you're amazing, let's, okay, you say SIEM, great, let's do SIEM, what it leads us over here. When do you move on, when do you go? And I think that's one of the good things about a facilitator, is knowing how to, how to push back to make sure that it's a real event but also how to let go so that it doesn't get stuck in a, it, it stays a conversation, it keeps moving forward, and you don't get stuck in the middle of an EV of the research. What's

that? That, that's my favorite inject right there, my favorite one. I turned to the one guy, well, no, what I say, the one guy that has all the answers, I come and I say, PR has taken you, they need you to explain the incident to them, you can't answer for five minutes. They're, they are talking, they are doing a press release tomorrow and they need all the details from you. You can't talk for five minutes. And then you watch the rest of room be like, oh. Or you say, your wife is sick and you need to go home, you can't talk for 20 minutes. What do you do now? And because that's exactly right, like there often is

one person who has all the answers, who does all the talking, knows everything. That's great until they get sick or the boss needs to talk to them or a hundred other things. Can the org survive that? So that, that's actually a really big

thing. Any, any other comments, thoughts? Okay, this is, if you want the slides, this is the slides with all my notes, with everything there. Feel free to grab those. If you don't want them, I won't be offended about that either, whatever works for you. Uh, thanks for your time, it's been fun. Like, really the whole point of this is to make you realize that tabletops have value. Even if you're not doing, you don't work for a company, if you're a student and you want to learn about IR, play Backdoors & Breaches, get this stuff going, because you will learn technologies, you'll learn, it makes you think through the process of how do I detect a phish, what do I do,

what do I care, what does it matter if there's a phish, how do I detect, uh, LLMNR, what do I, how do I know if someone's doing, trying to inject proxy responses into Microsoft, how do I do this, what do I detect, what does it lead to, what goes. It's a great way to test processes, test people, and grow your experience. So anyway, thanks for your time, I hope you learned something, and I'm right on time now, I think. I, thanks for catch