
All right, so imagine that you're a CISO and one day you wake up to news. Let's say on a Monday, because all the fun things happen on a weekend, right? You wake up Monday to news that your company was breached. You check your emails and find that teams were busy without you. In an email thread legal forwarded to you the night prior, you could see everyone making decisions, arguing, taking bold action, and the chief of operations decided to make a statement to the press. That statement to the press apparently was filled with inaccuracies; it gives way more information than should have been released. Your security team also seemed to be unaware of the matter and just received emails themselves about it, and now the CEO is calling you wanting an update for the board, and your audit department is fielding questions from third parties that need your attention. Welcome to a Monday. But everything went to plan. Or rather, things didn't go to plan because you didn't have a plan, and things never go to plan when you don't have a plan. So that's kind of the name of this talk and how we came here: they didn't have a plan, so we're going to make one now.

So basically, I'm Oddjob. My laptop really wants you to know that it is disconnected from Wi-Fi. But I'm Oddjob. I've been hacking for 12 years. I'm a noob; my first DEF CON was 20. Every time I hear someone say "oh yeah, DEF CON 6," it's like, nope, someone in the room was always at an earlier DEF CON than you. You might remember me from such talks at BSides Las Vegas as "Busting Biases in Infosec." That was a fun talk, I think, from a couple of years ago; it's also streamed and also recorded. I also like to brew mead, so if you have questions about that, happy to share that hobby. I also host a YouTube channel called A Glass of Zero J. I basically just talk about interesting things. I have probably stayed away from the CrowdStrike stuff because we're still finding all sorts of fun nuggets of information and things that we got wrong, and I like to have information correct before I go ahead and say a bunch of stuff about it, but I need to get on that soon. I'm also the senior director of detection and response for a health company, but I'm not here in that capacity, so even if you know what that company is, I'm here in my own personal capacity. But that is more of a level of my experience and where I've been in different companies throughout my career so far.

So, you know, when we need to think about this... By the way, enjoy the lovely AI art. Lots of interesting things, totally not related to this talk but totally interesting, while I was creating little bits of AI, like "oh yeah, CISO wondering where to start on building a cyber incident response plan." That hand is cursed. That elbow is cursed. Every time you ask for just a person, it always gives you a white man, so then I asked for someone androgynous and it still always gives you someone white. When you ask for a non-white person, they always give you a black person, so you never have anyone of any other potential ethnicity. Lots of interesting things with AI image generation, but these are the cursed AI images that I came up with. That one also: how many fingers are merged into his skull there? Which is actually an accurate depiction of what that CISO was probably doing at that time, merging the fingers into his brain.

So basically, where to start with a cyber incident response plan, right? You actually may find out that you already have one. Your predecessor (even if you're not a CISO, you may just be an incident response lead or director) may have left one that you didn't write. Someone else did, and maybe they didn't do the best job at it. Or maybe what they did is 80 pages long, and they took NIST, they took CISA, they took 12 other standards or other things they could possibly use and just crunched them all into one thing. They said, "that looks good, that looks good, let's put it all into one document." That is not the way to write a CSIRP at all. And you may think, "oh, it just needs to pass compliance." If your compliance people are worth their salt, they're going to say, "yeah, this is not good; there's no way anybody can follow this and know how to work with this." But that's what I find with a lot of people's cyber incident response plans: way too long, way too many details, not the right details, usually too many details about the wrong things, not the things you need to actually be worried about. But hey, it's a place to start that may already have approvals from your compliance department or quality, depending on what all you need to get approvals for. So that may be a place to start. You may decide that you can chuck all of this away. You may actually look at some of the roles and responsibilities and figure out, "oh, there are some people here that may need to be involved in incidents I wasn't even aware of." So kind of do some reconnaissance if you do have a cyber incident response plan that's poorly written, or maybe suboptimal, and start there and see what you can salvage.

But what we need to do when we start with a cyber incident response plan is we need to start with people. So I like the framework people, process, technology. Does everybody know, has everybody heard, people, process, technology? All right, okay. So it's a way of thinking. Really, I was kind of thinking about this earlier today: just people, process, technology, that's the way in which you should really set up your organizations. You should look for good people, you should give them good processes to follow, and the tools that you give them should be able to align to those processes. I see so many people start information security programs with "we're going to get tools," and then "we're going to figure out how to use those tools," and then "we need to hire people who know how to use those tools." So then you get job descriptions that say I need someone with like 15 years of this particular tool, not just firewalls in general, Fortinet specifically, even though Fortinet may not have 20 years of existence out there, or maybe their NSE licenses haven't been out there forever. You still have to have that, and so that's where you get these job descriptions that are just overloaded and overburdened with tool-specific things that you don't need. But that's where you start with tech and go backwards. Think about it: tech really allows your processes to work, your processes allow your people to work, so you can really start from anything and understand how each part processes the other. But really we need to think about the who. We need to think about our people, and not just our people; people outside of our organization as well, because we have to report to people outside of our organization in an incident, especially nowadays with the SEC knocking on people's doors wanting to know about that breach that you should have reported on your, what is it, 8-K or 10-K.

So one of the first things I like to go and do is get your key contacts. So getting to understand your folks, like your technology SMEs. Now, I put technology SMEs there first because I think it's the most relatable to us. They're probably not the first people you even need to go talk to. You may actually want to talk to some other people, like your lines of business in product and manufacturing and sales. You may not have OT or SCADA in your environment, but I'm just putting it in there to kind of help you understand where these folks are. Customer success and service can be very important to understand where they are. Your business support in HR, right? So if we're doing an incident that involves an insider threat, do you have authorization to go prying into their personal lives and go prying into the data that may or may not be their browsing history and start uncovering things that they may need to be doing? After all, an insider could be taking information from the company and putting it into their own Google Drive or Proton Mail or something else. Do you have authorization? Do you know you have authorization to go ahead and start seeing what they are putting into these personal things? Maybe they are even using platforms such as health platforms to have notes, because usually health platforms, for instance, have an air of privacy around them. You actually don't want to start decrypting network traffic out to health platforms, because that's someone's PHI and now you might have to be responsible for that. So you have to probably involve HR to understand at least what your kind of standing orders are: what can you do, what are clear engagement points or criteria you can act on, and where do you need to say, "hmm, before we go further, let's make sure HR is clued in." And you know what, let's throw legal in there too, because we're probably dealing with laws, especially if you're a global company. How you handle a German citizen is going to be very different than the way you handle American citizens. How you handle a Chinese citizen is going to be very different than how you handle an Indian citizen. They all have very different privacy expectations, and especially where that data is allowed to go. You may have to keep all of your evidence or data in a particular location if it's about people in that location. So those are important things to keep in mind. Again, these are great people to have. You don't even know what technology, what process to put in until you start talking to these people. That's why people are so important.

Let's talk finance, right? So in the middle of an incident, you think at some point you're going to need to do probably one of two things. You're going to need to either tell your insurance about something; your finance department usually handles insurance, so you're probably going to need to partner. First of all, probably go talk to them before an incident and ask them about insurance. But you also maybe have an incident response retainer, right? And so how do you pay for that? Most incident response retainers are pretty good in that they don't want money up front; they figure that out after the fact. But you're going to still need to make sure finance is in the loop so that they understand what really is going on here: what's the contract here, what's the velocity of the cost? Are we talking we have to do 40 hours at minimum at $300 an hour? What are we talking here, and how much is this going to cost, and do we want to actually engage in that cost? They're going to help make that decision.

Facilities. Facilities and physical security can be very interesting. What happens if you're in a situation where you have, for whatever reason, abandoned an office, evacuated it, but you still need to go in? Someone needs to go in and be able to pull out hard drives and do forensic examination on those. How do you get in and access these places to get your hands on things, or get somebody's hands on them, right? So those are people you'll probably want.

Regulatory, quality: pretty obvious there. You've got laws to comply with. You have laws and organizations that are going to be coming after you wanting to know about things. You need to know what clocks exist and when those clocks start ticking. Again, legal reads these contracts and laws as well; they're going to help you with these definitions. Sometimes legal, well, hopefully most of the time, legal's the one making the decision when a clock starts for your company. But keep in mind, and talk to your legal team about, what does the contract language say? For instance, does it say "within 24 hours of a suspected compromise of data, you are to notify me as the customer"? What's a suspected compromise? Every SIEM alert, in my experience, is a suspected compromise. It's being brought up for a reason. We have an alert there for some reason. It could be a false positive, but right now it is a suspected event; it is a suspected incident at any time. So they may not be so happy to be getting notifications from your SIEM every day: "hey, we got an event, we got an event, we got an event." Well, that's probably not what they mean. They probably mean something else. "Confirmed compromise" or "confirmed incident" is language that I know I prefer, and some other folks I've worked with prefer, because now this is the time we can document it. This is the time we have actually confirmed there is impact, and that impact is defined as to the parameters of these contracts, these laws, these regulations. So pay very close attention to that. Of course your legal team should be, but this is always a good talking point, because someone may look at that and not know some of these things, and they may go, "yeah, sure, suspected compromise," and what does that mean? You may have to help educate them and help them understand that.

And of course your technology SMEs. I kind of went in reverse order there. You are not the expert in everything, right? You may have come from database, you may have come from application, you may have come from identity and access management or even privacy, but you do not know all of those things. Even if you're a database person, you may have just been a Postgres database person. Have you ever touched Oracle? There are interesting nuances there. "Hey, what all queries did user A make on this Oracle database from this time to this time?" may take you a while. Sure, you can Google; it may take you a while. Or you need to know who your technology SMEs are to be able to contact in the middle of an incident, right, and get people. Especially in technology, but in some of these other areas too, get a primary and a secondary, because guess what, some people are on PTO, and in some countries, depending on if your team is in, like I said, Germany or Europe, PTO is sacred. You don't come off PTO. You're on vacation and you don't have to answer your phone or anything. So who else is going to take that call, hopefully, right? And then hopefully they're not on vacation at the same time. But have a process for escalation to get somebody else who can direct you to another SME, right?

And really, all of these people don't need to be involved in the same types of incidents, right? And so what we really do have is, you could possibly break SOC and CERT out into two groups. I know people who do that, but really two groups exist here. You've got the people who are more boots on the ground handling the incident day to day, so this is your security operations center. These are also your extended teams, more in a not-executive-leadership capacity but in a leadership capacity in their various lines or departments. And so they're going to make decisions like: what does a communication to our customers need to look like? What language should we avoid? "Hey, we're going to make a statement to the press." First of all, why? But we're going to make a statement to the press; is everybody good with what's being said here? And so, you know, if you're a CISO, or you have a CISO, they're going to definitely want to be on that. Customer success is probably going to want to be on it. If you have corporate comms or external comms, you may even be engaging an external party, such as crisis communications and things like that. They may come in and say, "we recommend you make a statement like this; stay away from this language." So you'll definitely want those types of things, but generally that's what I mean when I say SOC and CERT. And the SOC, of course, involves your usual suspects: your tier one through three, your incident response folks, your security management and also IT management, and the SMEs there as well. Again, kind of those usual suspects. Technical tasks: you're trying to eradicate the threat and restore the functions of the business.

Executive committee, okay, this is the "oh crap" moment. This company could be gone tomorrow. Or maybe it's not that bad, but it still is something that requires the CEO's or that person's direct reports' attention. And so we talk about making decisions at a more strategic level about how to handle things. A lot of times, hopefully, whether or not to pay a ransom, for instance, is probably well above your pay grade, hopefully, and is more so at a board level or at an executive leadership team level. So definitely those people need to be involved at that point. But it's very important to keep these roles separate. There's usually, for every line of business, somebody up at that level who has ultimate ownership of that area. So it's chief legal counsel: you may have legal who you deal with day to day in your SOC/CERT, but you also have the chief legal counsel. So that person can be different, or maybe they're the same, right? So it depends on your company and what they're doing.

I want to make sure I have all my notes here. Oh good, fantastic. So there's a little bit of an example. And by the way, there will be a QR code at the end to scan that will take you, first of all, to our lovely friend Rick Roll, but also will take you to my GitLab where you can see the slides as well as an example CSIRP to get you started. Don't just copy-paste. There are places to replace your company name, but also other places to fill in more information. But you're going to see this roles and responsibilities, you're going to see titles, you're going to see names. Some of the titles are more functions within an incident, like incident leader. That's not a title; maybe incident response leader is a title at your company, but in this case it's more of who's actually running this incident. It could be different people, but it is a role nonetheless for a given incident that needs to be fulfilled. Legal, ethics and compliance, right? That probably is going to be assigned to a particular person in that situation. But anyway, this is in the document. I just want to show you what that generally looks like. You'll have responsibilities and, of course, how to get a hold of those people.

We come to the process part, right? So people: we now have our people understood. Now we need to start laying out process, and when you start figuring out process, you start doing boring things like talking about scope and definitions. So let's talk definitions. One of the first definitions you're probably going to want to craft is: what is a security event, what is a security incident, what's a breach, what's a compromise? Those are very important things, especially the B-word. Breach is a very important word. There are a lot of contractual things that talk about breach; there are a lot of regulatory and legal things that talk about breach. Consult very carefully with your data privacy, regulatory and legal folks. They are going to probably tell you what breach means. You probably get some input on it, but your opinion does not matter as much as theirs in this arena. But very important, though, is what is the difference between a security event and a security incident? To me, incident is where we start looking at confirmation: we have a confirmed event here. A security event could be anything. A security event could be a third party just told us that there are compromised credentials on the dark web. Okay, can we verify that? It could be somebody found an event where Microsoft told you someone clicked on a phishing link. Well, was that link actually phishing? I've seen false positives, right? So how do you go and take care of that? So everything coming into your SIEM, every time someone clicks on that phish alert button, every time someone says "hey, something funky just happened on my laptop, I think it may be compromised," those are security events. We then go through a process that we'll talk about in a little bit to determine is it actually an incident, and how bad is it?

So incident severity. This is where we already start kind of telling the boundaries of what an incident is. This is very high level; there are more details about incident severity in the example CSIRP. It is suggestions; you can put more definition in there. You can even add a fourth severity, and I've seen some people put a fifth severity level in there. Three is probably a good minimum: you have a high, medium or low, right? I like to have a fourth. One is critical, two is high, and the real difference between Sev 2 and Sev 1, to me, and in the CSIRPs I like to do, is: am I getting the CEO out of bed at 2 a.m. on a weekend? That's a Sev 1. If I'm not, it's probably a Sev 2. We might reevaluate and see if it's a Sev 1 later, right? So that's generally my little gut check. It's not written in the CSIRP that way; "hey, if I'm waking up the CISO at 2 a.m. on a Saturday" doesn't get written that way, but that's the idea, that's the feeling behind it.

But here is just generally, right, we have low impact, and impact can be anything. Impact could be financial, right? Maybe you had a business email compromise and someone walked away with $33,000. If you're a multi-billion dollar company, $3,000, you lose track of that. Every hour you lose track of $3,000; every hour, every transaction, you don't care, probably. It may be a low severity impact based purely on the financial aspect. But if it's maybe a million dollar loss because of some transaction that was going down that someone got in the middle of, then that may go towards a high impact, right? So there's materiality to look at too, as far as impact. And we are finding out with some of these lawsuits that are going on, we don't really know what the definition of materiality is with the SEC, so the jury literally is still out on that, and we're still figuring that out. But definitely talk to your lawyers on what they think materiality means for your company, because again, they get the say on that. You have input, but their opinion matters and yours doesn't on that matter, so go with what they say. You'll also be more protected in that way too; it's like, "you're at the advice of counsel; I defined it this way." We'll talk about privilege in a bit too.

Also kind of think about severities: who's getting involved? At a severity 3, there's no reason to get the CEO even involved. There's probably not even a reason to call your chief technology officer up, or someone else, your CFO. There's no reason probably to bother them, most likely, except for maybe after the fact, maybe on a quarterly basis you say, "here are the incidents we had and a summary of those." So severity 3, I add that fourth level on there for kind of your everyday things. I like adding a fourth one to say, "hey, malware got installed on this person's machine, it didn't do anything, we caught it in time, it was prevented, we have cleaned the machine," or maybe we've even got a laptop swap-out going on. We're good. Confirmed that, yes, an event happened, but nothing of impact happened to us, and we prevented further bad things from happening. I don't need legal involved in that unless there's some, I don't know, maybe a boundary that was crossed as far as what device it was, what data was potentially on there. I don't really have to go further into that, right? So you may want to add that fourth one in there. Otherwise, severity 3, 2 and 1 give you pretty good ideas on how to delineate.

You also have incident categories, right? And these incident categories do a lot of things. They give you tags, for instance, to start figuring out, "hey, how many malware events did I have this year? How many insider threat events did we have?" Oh, by the way, insider threat: you may be thinking disgruntled employee who's going to sell data to another place, maybe some corporate espionage, maybe you hired North Korea and didn't realize it. KnowBe4, if that's not a publicity stunt. And so you have DoS, but insider threat also is people who click phishing links, people who accidentally download the wrong FileZilla, if there's a right FileZilla even, but people who download those types of things. That is an insider threat. User error, user mistakes, that is what's considered insider threat. It does not necessarily call for malicious intent, right? Okay. Compromised credentials, phishing: a lot of these things can be the same incident. You could have a malware incident that involves compromised credentials as well. You could have a zero-day exploit that also involves business email compromise. It allows you to understand the complexity and the multifaceted nature of a particular incident. I've even seen people use categories along with the MITRE ATT&CK framework to kind of figure out at what point, or where, did the attacker get to. If your incident is purely more on a reconnaissance level, or maybe initial access level, and nothing further, that may be good data to key on later, right? Right in an incident: "okay, we had a lot of initial access events and we're stopping those from getting further. Uh oh, we had someone get lateral movement; how do we make sure that we don't get lateral movement to these people in the future?" You don't do that unless you categorize your incidents. So being able to not only determine if it's an incident, assign its severity and get the right people involved, but also make sure you have categories, so that after the fact, and even during the fact, you understand what the nature of this incident is very quickly, helps a lot. We also have, as part of our process, incident phases, right?
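To make the event-versus-incident distinction, the severity levels, the escalation by severity and the notification clocks concrete, here is an added Python model. It is not the speaker's CSIRP template from the GitLab link and not any real company's plan: every threshold, role name, contact name and notification window is a constructed placeholder, and the rule that clocks run only once an incident with exposed data is confirmed is an assumption standing in for the trigger that legal would actually define.

```python
"""Toy model of a CSIRP's triage rules: event vs. incident, severity,
who joins the bridge at each severity, and notification clocks.

Added example, not the talk's CSIRP template. All thresholds, roles,
contact names and clock windows are constructed placeholders."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import IntEnum


class Severity(IntEnum):
    SEV1 = 1  # critical: the CEO gets woken up at 2 a.m. on a weekend
    SEV2 = 2  # high: CISO, legal, HR, finance and comms join the bridge
    SEV3 = 3  # medium: SOC plus line-of-business leadership
    SEV4 = 4  # everyday: confirmed event, contained, no impact


# Coarse attack stage per category tag (placeholder, ATT&CK-style ordering).
STAGE_OF_CATEGORY = {"reconnaissance": 0, "phishing": 1, "compromised_credentials": 1,
                     "malware": 1, "lateral_movement": 2, "data_exfiltration": 3}


@dataclass
class SecurityEvent:
    source: str                       # "siem", "third_party", "user_report", ...
    categories: set = field(default_factory=set)
    confirmed: bool = False           # has the SOC verified it is real?
    financial_loss_usd: float = 0.0
    data_exposed: bool = False        # legal decides whether this is a "breach"
    business_disrupted: bool = False
    contained_before_impact: bool = False


def assess_severity(ev):
    """A suspected event is not an incident: only confirmed events get a severity."""
    if not ev.confirmed:
        return None
    if ev.business_disrupted or ev.financial_loss_usd >= 1_000_000:
        return Severity.SEV1
    if ev.data_exposed or ev.financial_loss_usd >= 100_000:
        return Severity.SEV2
    if ev.contained_before_impact and ev.financial_loss_usd == 0:
        return Severity.SEV4
    return Severity.SEV3


def furthest_stage(ev):
    """How far the attacker got, read off the category tags."""
    return max((STAGE_OF_CATEGORY.get(c, 0) for c in ev.categories), default=0)


# Roles added to the incident bridge as severity rises (cumulative).
ADDED_AT = {Severity.SEV4: ["soc_lead"],
            Severity.SEV3: ["incident_leader", "it_management", "technology_sme"],
            Severity.SEV2: ["ciso", "legal", "hr", "finance", "corporate_comms"],
            Severity.SEV1: ["chief_legal_counsel", "ceo"]}

# (primary, secondary) per role: placeholder people, one backup each for PTO.
CONTACTS = {"soc_lead": ("alice", "bob"), "incident_leader": ("carol", "dan"),
            "it_management": ("erin", "frank"), "technology_sme": ("grace", "heidi"),
            "ciso": ("ivan", "judy"), "legal": ("ken", "laura"), "hr": ("mallory", "niaj"),
            "finance": ("olivia", "peggy"), "corporate_comms": ("quentin", "rupert"),
            "chief_legal_counsel": ("sybil", "trent"), "ceo": ("victor", "wendy")}

# Notification windows that start at confirmation, never at alert time.
CLOCKS = {"customer_contract_example": timedelta(hours=24),
          "regulator_example": timedelta(hours=72)}


def roles_for(sev):
    roles = []
    for s in (Severity.SEV4, Severity.SEV3, Severity.SEV2, Severity.SEV1):
        roles += ADDED_AT[s]
        if s == sev:
            break
    return roles


def who_to_call(sev, on_pto=frozenset()):
    """Primary unless on PTO, else secondary, else flag for manual escalation."""
    calls = {}
    for role in roles_for(sev):
        available = [p for p in CONTACTS[role] if p not in on_pto]
        calls[role] = available[0] if available else "ESCALATE"
    return calls


def notification_deadlines(ev, confirmed_at):
    """Assumed rule: clocks run only for confirmed incidents with exposed data."""
    if assess_severity(ev) is None or not ev.data_exposed:
        return {}
    return {name: confirmed_at + window for name, window in CLOCKS.items()}


def run_scenarios():
    """Constructed sample events; deadlines reported as hours after confirmation."""
    t0 = datetime(2024, 8, 12, 2, 0)  # constructed 2 a.m. Monday timestamp
    events = {
        "siem_phish_click": SecurityEvent("siem", {"phishing"}),
        "contained_malware": SecurityEvent("edr", {"malware"}, confirmed=True,
                                           contained_before_impact=True),
        "bec_small": SecurityEvent("user_report", {"phishing", "compromised_credentials"},
                                   confirmed=True, financial_loss_usd=3_000),
        "dark_web_creds": SecurityEvent("third_party", {"compromised_credentials",
                                        "data_exfiltration"}, confirmed=True, data_exposed=True),
        "ransomware": SecurityEvent("siem", {"malware", "lateral_movement"},
                                    confirmed=True, business_disrupted=True),
    }
    out = {}
    for name, ev in events.items():
        sev = assess_severity(ev)
        out[name] = {"severity": sev, "stage": furthest_stage(ev),
                     "calls": who_to_call(sev) if sev else {},
                     "deadline_hours": {k: int((v - t0).total_seconds() // 3600)
                                        for k, v in notification_deadlines(ev, t0).items()}}
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

Run it and the unconfirmed SIEM phishing click comes back with no severity, no call list and no running clock, while the confirmed credential exposure gets a Sev 2, the legal and executive peers on the bridge, and 24-hour and 72-hour deadlines counted from confirmation rather than from the alert. The primary/secondary pairs are what make the PTO case work: pass `on_pto={"victor"}` and the CEO slot falls through to the backup.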
Yeah, okay, cool. So we have incident phases. First of all is identifying, right? We have identifying incidents. This is anything: this could be third parties talking to you, your SIEM alerts. We have triage and escalation. This is where you really start saying what is the severity of this incident, and then, depending on that severity, who do I need to call to actually start an incident bridge, right? So does an incident bridge even need to be started, and who needs to be on it? That's where your SOC is going to start realizing very quickly how big this is and get the right people involved. And, again, this is also where legal might say, "okay, we need to start preserving evidence; we're going to start privilege." That's very important, to make sure legal can establish privilege. You don't get to establish privilege; you're not a lawyer. This is attorney-client privilege, right? Things that are said to your attorney, as far as the matter's concerned, and the advice that they give you, is not something that's generally subpoenaed, without certain exceptions, I'm sure, especially if it's of a criminal nature. Generally, well, to cover up a crime, for instance, would possibly not go for privilege, but I'm not a lawyer. But privilege is very important. You can't just invoke privilege; usually you can't just invoke privilege by copying your lawyer in there. That's just not how that works. They are the ones to invoke privilege and give instruction that this is to remain only with these parties. If you talk to someone else, do not give them information unless on a need-to-know basis only, again at the direction of counsel.

Contain and eradicate. Containment and eradication: so now we're trying to stop the bad people; we're trying to kick them out of our environment as well, right? So this is also where you've probably called in your incident response retainers, depending on how bad this is. You've maybe isolated people's machines, reset their credentials, kicked people out of their accounts for the time being, and that's where that starts happening.

You have your restoration and recovery, pretty much what it sounds like. We're getting the business back up and going. We're getting users access. Sometimes it may have to be crappy access: maybe they had a nice laptop with everything they needed, now they're going to have to deal with a VDI for a while until you can get them a laptop. So they may have a degraded experience, but an experience nonetheless. And recovery: so you may also notice that you aren't really responsible, usually, for recovering data, right? You are not the BCP nor are you the DR specialist, but those people are also a part of your incident response.

Probably the most important step in this entire process, I would say, is your postmortem and your post-incident activities. This is where you learn every step of the way: where did we go wrong, what could have been better, what things did go well, what saved our bacon here from this being an even worse situation. Very important to call out, especially to executive leadership. Imagine your board, and saying, "yeah, we had these severity 2 or severity 1 incidents. Here's the thing, though: because you invested in these things, you got our people involved and paid for, you got the right resources, we were able to keep this from becoming an even worse matter. So your investment is working, but maybe a change in strategy, maybe moving this strategic item up in priority, may help us in the future to avoid this situation." Also, do you need to improve your CSIRP? "Hey, we didn't understand really if this was a Sev 2 or a Sev 3, so we didn't know what to do, so we just called it a Sev 3 when we should have called it a Sev 2." What do you do in those situations? Well, you might want to go back into the CSIRP and you might want to add some clarifications, or some "hey, you can also escalate a little beyond what it probably is to get initial action urgently going, and then you can back off later," right? So those are different types of things you might have in your postmortem.

Along with each phase of these, right, you're going to have very specific tasks, and again this is in the CSIRP that's in the example at the end with the QR code. You basically have what phase we're in, you're going to have the type of activity that is going to be carried out, and then who is going to carry that out. So this is a very important thing, where an executive, for instance, should be able to look at your CSIRP and should be able to see: "okay, where am I in this? Oh, okay, where are my peers involved in this? Legal, other people; who makes the decision about this? Okay, I can see that. And then where do I make decisions? Oh, there's me, there's me, there's me, and now I understand what I'm here to do. Where are we? Oh, we're here, down in the escalation phase. Okay, we've just begun, basically. Fantastic, now we understand where we are." It's a big old map that says "you are here." You should be able to do that within like 10 minutes of reading a CSIRP, understand those things, and if it's 60 to 80 pages long, that's not going to happen. So you've got to make sure we keep this brief.

Lastly, we have the technology part of our incident response. So there are all kinds of areas here, right? We've got things like how are we going to even track this incident? So we've got a nice CSIRP, it's a great process, but how are we going to document, and how are we going to keep these things together? Yes, even saying "I'm going to type this up in a OneNote notebook," or "I'm going to type this up and put it into ServiceNow or Jira or a super secret SharePoint that only some people have access to." It's very important to say, "here's where information about this goes, here's where we're tracking this, here's where we're tracking post-incident activities." Very important to keep that documented and understood. And again, understanding you may even need external incident response platforms, because what happens when all of a sudden a particular kernel-level software ends up taking out your entire business? What happens with something like that? Or an airplane crashes into your data center? What happens when something happens that really disables your ability to do business, even the business of security? You may even need a third-party system to track and work that incident, even bringing in those communications, which kind of brings me to out-of-band communications.

Let's say you can't trust talking to your CEO on Teams, or your chief legal on Teams, or even your CISO or your team members on Teams. Maybe you see that somebody now has O365 admin; they can read everything, they can get into everything and see it. So now you need to go someplace they don't have access to that is already pre-arranged and understood, and the best time, the worst time, to decide to use out-of-band communications and what you're going to do is during an incident. "Okay, how are we going to do this?" Quick and dirty, many times people will go Signal. Signal is a great way to do that. Well, yes and no. First of all, you already need to know that we're going to use Signal and here's how we're going to do it. Maybe you even have a super secret treehouse club, a password and a challenge-response phrase that you're going to use, but you have to have something already pre-arranged so that people understand what you're trying to do, even within your own SOC team. But you might need to do that just initially to get some things going. The problem with Signal is, well, the beauty of Signal is it's end-to-end encrypted; Signal doesn't have a copy of any of these things. The bad thing about Signal is it's end-to-end encrypted, and your device now becomes subpoenable if a lawsuit is involved, potentially. Again, I'm not a lawyer; talk to your lawyer about this strategy. In a pinch, it could probably work for some things, to at least maybe get some things going, but I wouldn't want to discuss too much on Signal. I'd want to go to maybe a Google Workspace, right, if I'm a Microsoft shop, or if I'm a Google shop, maybe a Microsoft space completely separated from SSO, and I can whip up these accounts really quick and get people involved, maybe through their Signal. I can get them into their environments; we can do our own call bridging over there. There are also platforms that literally are just geared towards being an incident response platform, where you can bring people in securely and you can also then have communications that are encrypted and secure, and the subpoena goes to that, right? You don't have it on your phone, where you may have content and other things you don't want courts potentially getting access to, even if it's just to mark it as not responsive.

So, forensics. Who in here has a forensics arm of their company? Oh, one. Cool, awesome. It's not something now you all probably do a
little bit of forensics you know figuring out what artifacts are going on or how did this attack happen on this machine but you're probably not whipping out end case every day you're probably not doing a lot of other you know memory memory analysis whipping out volatility every other day to do this you're going to need to bring in the experts it is such a ridiculously specialized field out there not only that but how many people in this room can give expert testimony in court and are certified to do that yeah no that's your incident response retainer they have people like that on St who who literally are are are built to do that and can say yes I know
that image of the hard drive is the is the same copy unmodified because of this and yes they're going to use check sums and other things but they're going to be able to give that witness test witness witness testimony hopefully not with hard drives witness testimony to it uh you can't do that um all right I'm going to make sure on my on my little laptop it kind of kind of goes crooked so have to kind of go like this one um all right cool so wrap it up already we've been talking a long time about incident response plan um all the things you need to go in I think there's uh there's a basic process to
writing this here and I think you can get this in five pretty easy steps figure out your roles and responsibilities who your key contacts are um also have a little conversation with them you're not going to do the road show yet have a conversation especially with those more key contacts like legal HR finance and even get their insight into hey let's say tabletop a couple things with them real quick say we had this say we had a beat business email compromise and this happened when do you want to be notified about that when do you think you need to get involved they may be wrong uh but they're more than likely going to be right uh in what what they think um so
have those little conversations to help understand where where in the process you need to accommodate them get your definitions right make sure everybody's on the same page with it right and understanding when are we actually in a breach or not uh too many times someone will just use the word breach very half-hazard with a customer or a regulator those ears perk up especially if they're compliance or audit people and go well you didn't notify us well you use the wrong word you did that wasn't a breach that was just a m event that uh was quickly remediated um get uh get the incident process laid out you may you may use nist maybe you're a nist
organization and you have to use nist completely fine to do so there may be other Frameworks you want to use this is suggestion it is malleable I did take nist and just tweak it to my own little uh heart's content uh because there are a couple little items I'm like ah you can merge those two um to make it a little easier roads show this during an incident is not the first time these people should know what the incident response plan is you need to Road show it and say you're part of this plan and oh by the way you're also the person who's doing business continuity planning you are doing business continuity planning right um you know you need to
have your own process because guess what this Ser is not your business continuity plan it may trigger and engage those plans but this isn't your your BCP and then test it right let's do unit testing on this uh let's uh in user acceptance testing let's do a tabletop let's get the execs down let's get the the technical folks down get your technical folks on a separate tabletop have them run through it this is interesting and do it before the executive tabletop why cuz now you're going to find all the tools and capabilities you think you theoretically have at your disposal oh but actually yeah you you have no idea how to use them or or do that oh hi this
database goes out what do we do well restore from backup yeah we haven't backed that up in three years okay cool write it down exec hey we do that well restore from backup yeah unfortunately that hasn't been backed up in three years there may be some surprises but it's very important to tabletop these things so that people start understanding and realizing what are the capab ilities we have what are we missing what are our gaps and how do we need to prepare more for an incident kind of a a phase of cyber incident response planning I left off was that preparation phase it's a big cycle right we're always preparing um yeah and do this annually do it every
year bring you can bring it internally but you can also bring in external a lot of times your uh incident response retainers have hours left over or have money left over at the end of the year here some people use that for their pentest sometime just go ahead and say let's do a tabletop this year instead let let's pay for a pen test separately but let's use this for a let's use this for a tabletop this year let's get someone else on our pentest let's have let's have someone else have a crack at us um the very important thing been when writing is don't get in the Weeds on Tech U this is much more about business
process um so if you if you have screen captures of security tools or Network Tools or firewall rules and a whole bunch of other things uh you're doing it wrong uh there may be some appendices that that might go into those are probably more um uh uh standard operating procedures or standard work instructions that you want as playbooks that might uh that might follow on to a serp right um also like I said before Executives should be able to read this in 10 minutes and also you should be able to to read it fairly quickly and kind of skim it and understand what's going on um again stay high level you're going to be able to
keep 20 to 25 Pages maximum and that's including the title page and the table of context and the scope and obje uh uh objective of this paper um and and again it's not inclusive of every single other process but you may want to have an appendix item that calls out other business processes that this may call out as well uh most importantly start talking and writing right so uh I I will have given you a very good start on it uh but start talking to other people and in six months you actually can have a Ser drafted revised and approved and ready for testing and Road showing uh so hopefully this helps you hopefully it's
giving you some good thoughts this isn't one of those talks where it's like super technical I'm showing you how to do something major and amazing this is a journey I've gone through in the past couple roles I've been in and so kind of just sharing some of my lessons learned and uh trying to keep it simpler and and easier to start and don't let perfect get in the way of good regardless there's always a better way to write a serp and you'll find those make that version two make that version three you got to start with version one though well technically zero but you'll you got to start with version one right um and that's where we where we find
ourselves here at the end of uh the end of this presentation uh that QR code does lead to my gitlab you will see both a bsides Fort Wayne as well as bsides Las Vegas folder uh the LV folder shows this exact slide deck you'll know because I have a colorful uh kimone here uh versus uh more of a a black and white one for the other one uh and it also had a couple uh of those example uh screen caps in there as well um and then it'll also have the um um I think a Word document or a PDF of the act or no a Word document of the actual uh uh example serp um so and it's got I think
company and bold words so you can find a replace and put your own company name in it and you probably a good way on the way to writing your Ser but do give it a thorough read over change things change language have at it but it'll give you a good framework to start um I had to I had to really look and scrap scrimp and scrape together to find to to get a good template going for myself so hopefully that's a shortcut for you uh any questions oh we got a mic gentleman second row you go first of all thank you for a wonderful will talk and two things what you have on is that for um
image recognition countering actually very good this probably is a fairly decent image recognition uh um uh a thing that could probably fool some things uh but no it is not it's just some face jewelry uh this is since we're spooky themed Halloween themed here uh at uh at bsides Las Vegas I was like oh let's be a Raven Lord and let's uh just have some fun and let's explore uh some occults and other types of uh themes here okay second uh you mentioned signal yes um I assume that you're familiar with disappearing messages on Signal yes I don't know how effective they would be uh with regards to subpoena so can you address that spoliation of evidence is another thing
that uh you know you're going to want to talk to your lawyer about because if you destroy Communications that could be part of a legal investigation at some point that could be considered spoliation of evidence some lawyers have told me before that if you spoil evidence the jury or judge can use that to say uh there's there's an adverse judgment or Prejudice now against you with regards to what there're so if the other side is saying these things are what those said it's probably they're going to assume that's probably more in their ballpark rather than yours so again talk to your lawyer about using disappearing messages in a signal chat uh if you're doing incident response out
of bandn good point thank
you um you talk about tabletop exercises yes um so I'm familiar with uh cisa has a bunch but do you know of any other resources um so I can be kind of be like a tabletop dungeon master yeah yeah so uh you also have the card game back doors and breaches from Black Hill security actually doesn't do too bad of a job you can play it online you don't need to buy a deck you go online and play that not a plug for Black Hills I just really like it and you can just almost like tarot cards you can deal yourself out uh a scenario and then you go hm how would we handle a scenario
like that how do we envision that would happen here um you can also go to bad things daily uh on uh formerly the artist formerly known as Twitter um bad things daily has a whole bunch of injects or so this just happened and it's literally just to get you thinking uh tabletop scenarios um but the cisa packages are actually really good and they cover various sectors I was looking at three of them just this past week uh and supply chain and they they do a lot of different things so uh again another great way to take that and just modify it how you need it to to help your folks um couple of slides back there's a
one to five list of things to do how bad testings at the end how bad an idea de Reon it would be to do what the software Engineers do and write the tests first um and use that matters like a understanding how far or how well the rest of it's going so you said write the test first yeah so like a test driven development approach has some you know nice benefits would that sort of thing work here or maybe so so if I understand correctly maybe you write a tabletop or see a tabletop first and then you write the Ser kind of as you go through that tabletop is that yeah that could be one
way to do it yeah I think there's value in doing that again there's even a possibility if you've drafted a Ser take the Ser that I have here and just go through one of those maybe cisa cisa documents or another tabletop you've seen before and say okay can I answer these questions via the Ser do I know what to do in this case via the Ser that's actually a fantastic way to just kind of do those little comparisons and see uh where some improvements need to be made without getting everybody together um again even going to bad things daily and looking through and saying like hm would it cover that would it cover that would it cover that those
are very good points uh there so yeah definitely iterative testing is probably uh open here uh hi um so how would you adjust this for like uh we're a managed stock and we have many customers they have different legal stuff yeah so uh so do I have to make one for each one of them or I don't know fun yeah so it depends on the customer I'm sure and I've not worked in a managed service sock so uh very much not uh experienced in that um but I would definitely say you probably want one that you have generally available you want to probably work with each customer and say here is our general cyber incident response plan uh
do you have one you prefer Wei use you may have to make some account decisions as to how much you really want to get into their cyber incident response plan and understand the specifics of it but there's probably nuggets in there about what is a breach for us what is a compromise you probably per account want to understand and know those already so you're probably already starting to C your cyber inser response but it really just depends is it cyber inser response from the fact that the MSP is getting breached or uh have an incident or is it cyber instant response from your your customer who is using your service just got breached and now you're needing to
respond to their incident with them and so those may be two very different cyber inent response plans right so yeah so just to start going to be a nice template yeah General template and then we'll just fill it in I think that could be a good start yeah all right thank you yeah all right uh one more question
okay um I have a question about people because process technology is easy like we Define our process you know we can buy technology but people is the most difficult part so my question is from your experience how do you get people excited about instant response um legal Engineers PR system how you get them involved and how make them excited about the incident response if if people want to be excited about their company existing the next day they'll get excited about incident response it doesn't need to be all scare the children though right um I think uh you know the people aspect again um they see enough news they already know how important this is I don't I haven't
really seen too many companies out there in my personal experience that you put hey we need to practice cyber inent response they that they're not going to say oh yeah we we don't need to do that um I don't think there's going to be too many people who need to do that if so uh maybe arrange a purple team uh in engagement where you stage a breach and then start getting them involved you see the chaos ensue and go oh by the way this was a drill as part of our our purple team engagement right and then they might get the uh hint kind of like pentesting right was at one point just to scare the board into understanding oh
yeah take security seriously um you know again the people side of it get them excited events and response it does take a particular person to engage an inant response actually I don't want people to be excited during an incident I want them cool as cucumbers sometimes you have a nothing Burger an executive is at an eight and you're like I need you at a four but the temperature's really at a two but I need you back down at a four at least because that's where I can handle you you need as an incident leader to be the coolest person in the room right now we're working the problem we're not working people we're not working blame gaming or anything like
that so actually you want people to not be excited uh during an in cool minds and heads and all that okay all right thank you everybody