WEBVTT

1
00:00:00.160 --> 00:00:02.480
<v Speaker 1>Welcome to the deep dive. We're here to cut through

2
00:00:02.480 --> 00:00:05.000
<v Speaker 1>the noise and really get to the core of complex topics.

3
00:00:05.440 --> 00:00:08.800
<v Speaker 1>Today we're tackling something absolutely vital, though maybe a bit

4
00:00:08.839 --> 00:00:13.480
<v Speaker 1>technical sounding, cybersecurity incident response. We're diving into Eric C.

5
00:00:13.560 --> 00:00:19.199
<v Speaker 1>Thompson's book Cybersecurity Incident Response, How to Contain, Eradicate, and Recover,

6
00:00:19.839 --> 00:00:23.120
<v Speaker 1>you know, the whole nine yards. Our goal: to pull

7
00:00:23.160 --> 00:00:25.920
<v Speaker 1>out the key insights, give you that clear understanding of

8
00:00:25.960 --> 00:00:29.600
<v Speaker 1>how organizations actually handle cyber attacks. Think of it as

9
00:00:29.600 --> 00:00:32.079
<v Speaker 1>a shortcut to grasping the digital battle plan.

10
00:00:32.200 --> 00:00:35.079
<v Speaker 2>Yeah, battle plan is a great way to put it, because, honestly,

11
00:00:35.119 --> 00:00:36.960
<v Speaker 2>it's not just about the tech. It really comes down

12
00:00:36.960 --> 00:00:41.079
<v Speaker 2>to strategy, people, processes. Get the response right, you protect

13
00:00:41.079 --> 00:00:44.159
<v Speaker 2>your reputation, your bottom line. Get it wrong, well.

14
00:00:44.000 --> 00:00:46.679
<v Speaker 1>Well, and getting it wrong can be incredibly public, can't it?

15
00:00:47.039 --> 00:00:50.000
<v Speaker 1>Why is this response phase just so critical beyond the

16
00:00:50.039 --> 00:00:50.840
<v Speaker 1>immediate fix?

17
00:00:51.039 --> 00:00:53.719
<v Speaker 2>Well, think about it. Even the best defenses aren't foolproof.

18
00:00:54.200 --> 00:00:57.759
<v Speaker 2>Something eventually gets through. When that happens, how the company reacts,

19
00:00:58.039 --> 00:01:00.960
<v Speaker 2>that becomes the public face of their entire security effort.

20
00:01:01.079 --> 00:01:03.399
<v Speaker 2>We saw it with Target back in, what, twenty fourteen

21
00:01:03.759 --> 00:01:07.840
<v Speaker 2>and Equifax in twenty seventeen. Huge breaches, sure, but the

22
00:01:07.879 --> 00:01:12.239
<v Speaker 2>criticism that lasted was about the response itself. Core communication

23
00:01:12.799 --> 00:01:15.519
<v Speaker 2>seemed unprepared. That stuff sticks.

24
00:01:15.680 --> 00:01:18.480
<v Speaker 1>So it's the handling, the grace under pressure, almost as

25
00:01:18.560 --> 00:01:22.359
<v Speaker 1>much as stopping the attack itself. Where do organizations typically

26
00:01:22.400 --> 00:01:23.680
<v Speaker 1>stumble when they're hit?

27
00:01:23.719 --> 00:01:27.760
<v Speaker 2>Oh, the pitfalls are pretty common, often organizational, not just technical.

28
00:01:27.840 --> 00:01:30.959
<v Speaker 2>Big one, lack of real planning. They might have a document,

29
00:01:31.000 --> 00:01:33.079
<v Speaker 2>but it's not an actionable playbook, just.

30
00:01:33.079 --> 00:01:34.120
<v Speaker 1>A checklist pretty much.

31
00:01:34.319 --> 00:01:37.120
<v Speaker 2>Then there's lack of preparation, no practice, no muscle memory.

32
00:01:37.400 --> 00:01:42.719
<v Speaker 2>So when things get real, panic, bad decisions. And leadership

33
00:01:42.760 --> 00:01:46.319
<v Speaker 2>is key. Lack of decisive leadership, or worse, management criticizing

34
00:01:46.359 --> 00:01:49.120
<v Speaker 2>necessary steps like, you know, taking critical systems offline mid

35
00:01:49.159 --> 00:01:50.359
<v Speaker 2>crisis. Disaster.

36
00:01:50.920 --> 00:01:54.560
<v Speaker 1>Yeah, undermining the team right when they need support most.

37
00:01:54.599 --> 00:01:56.760
<v Speaker 2>Exactly. It shows incident response isn't just an IT thing, it's

38
00:01:56.760 --> 00:02:00.159
<v Speaker 2>a core business function. It needs constant attention, testing, improvement, not just

39
00:02:00.200 --> 00:02:00.920
<v Speaker 2>an annual drill.

40
00:02:01.000 --> 00:02:04.000
<v Speaker 1>That makes total sense. So to avoid those pitfalls, you

41
00:02:04.079 --> 00:02:07.319
<v Speaker 1>need a solid foundation. Where does an organization even start

42
00:02:07.359 --> 00:02:10.080
<v Speaker 1>building that? What are the must-haves?

43
00:02:10.120 --> 00:02:12.520
<v Speaker 2>Right. You can't just bolt on incident response. It has to

44
00:02:12.520 --> 00:02:16.400
<v Speaker 2>sit on top of good basic security hygiene. Think NIST

45
00:02:16.599 --> 00:02:21.759
<v Speaker 2>Cybersecurity Framework, the Identify and Protect functions: strong access control,

46
00:02:21.919 --> 00:02:26.919
<v Speaker 2>protecting data, properly secured hardware, managing vulnerabilities, decent network protection

47
00:02:27.080 --> 00:02:31.240
<v Speaker 2>like firewalls. The fundamentals. Without those, your response

48
00:02:31.280 --> 00:02:33.680
<v Speaker 2>team is fighting with one hand tied behind their back.

49
00:02:33.919 --> 00:02:36.319
<v Speaker 1>Okay, And there's a specific guide for the response part

50
00:02:36.400 --> 00:02:39.919
<v Speaker 1>itself, right? NIST SP eight hundred and sixty one.

51
00:02:39.599 --> 00:02:42.199
<v Speaker 2>Yep, Special Publication eight hundred and sixty one. That's

52
00:02:42.240 --> 00:02:45.280
<v Speaker 2>the blueprint. It helps set up the capability, defines how

53
00:02:45.280 --> 00:02:48.840
<v Speaker 2>to handle incidents. It stresses that it's not just technical.

54
00:02:48.400 --> 00:02:49.800
<v Speaker 1>Because it's a business problem, ultimately.

55
00:02:49.639 --> 00:02:54.319
<v Speaker 2>Precisely, and it clarifies terms people often mix up.

56
00:02:54.439 --> 00:02:57.639
<v Speaker 2>Like an event, that's just anything unusual, a weird email

57
00:02:57.680 --> 00:03:01.120
<v Speaker 2>gets quarantined, maybe. An adverse event is more serious, a system

58
00:03:01.280 --> 00:03:04.199
<v Speaker 2>outage. It could be accidental, could be malicious. But an

59
00:03:04.240 --> 00:03:08.680
<v Speaker 2>incident, that's a confirmed violation, policy broken, assets threatened, like

60
00:03:08.960 --> 00:03:11.719
<v Speaker 2>an insider walking out with data they shouldn't have.

61
00:03:12.000 --> 00:03:15.360
<v Speaker 1>Getting those distinctions right must be crucial for knowing how

62
00:03:15.520 --> 00:03:19.280
<v Speaker 1>seriously to take something. Absolutely, triage depends on it, and

63
00:03:15.520 --> 00:03:19.280
<v Speaker 1>the guide also pushes for clear policies, a solid plan,

64
00:03:22.879 --> 00:03:26.560
<v Speaker 1>even a mission statement. I like that healthcare example: relentlessly

65
00:03:26.599 --> 00:03:31.360
<v Speaker 1>protect our patients' health information. That clarity seems vital. Okay,

66
00:03:31.400 --> 00:03:34.479
<v Speaker 1>we've got frameworks, tech basics, but you mentioned people. This

67
00:03:34.560 --> 00:03:36.960
<v Speaker 1>feels like where things get really interesting. Best tech in

68
00:03:37.000 --> 00:03:39.319
<v Speaker 1>the world won't help if the team or culture isn't right.

69
00:03:39.400 --> 00:03:42.159
<v Speaker 1>What makes a strong leader here?

70
00:03:42.080 --> 00:03:44.759
<v Speaker 2>It's a mix of things, really. First, passion. You got to care

71
00:03:44.919 --> 00:03:48.120
<v Speaker 2>deeply to push through budget fights, new threats, long nights. Sure.

72
00:03:48.400 --> 00:03:52.800
<v Speaker 2>Then humility, knowing you don't know everything, empowering the specialists

73
00:03:52.800 --> 00:03:54.840
<v Speaker 2>on your team, not trying to be the hero who

74
00:03:54.840 --> 00:03:55.199
<v Speaker 2>knows it all.

75
00:03:55.159 --> 00:03:58.159
<v Speaker 1>So, trusting the experts.

76
00:03:57.759 --> 00:04:01.199
<v Speaker 2>Trusting them, and listening. That's the next one. Listening, building that

77
00:04:01.240 --> 00:04:05.599
<v Speaker 2>trust before a crisis hits. Hearing concerns daily, not just

78
00:04:05.639 --> 00:04:09.840
<v Speaker 2>when alarms are blaring. And when you've listened, you need decisiveness,

79
00:04:10.439 --> 00:04:12.719
<v Speaker 2>make the call based on the facts, even if it

80
00:04:12.759 --> 00:04:13.919
<v Speaker 2>means disrupting the business.

81
00:04:14.280 --> 00:04:18.600
<v Speaker 1>Instills confidence, even the tough calls, like taking things offline.

82
00:04:18.199 --> 00:04:23.399
<v Speaker 2>Especially those. And finally, emotional intelligence: managing your own stress,

83
00:04:23.480 --> 00:04:27.600
<v Speaker 2>your own reactions, and understanding your team's stress. Empathy, basically,

84
00:04:27.879 --> 00:04:29.120
<v Speaker 2>but also keeping a level head.

85
00:04:29.360 --> 00:04:32.759
<v Speaker 1>That's a powerful combination. It's about character as much as competence,

86
00:04:33.480 --> 00:04:36.959
<v Speaker 1>and the culture piece the book mentions open Myers above

87
00:04:36.959 --> 00:04:38.160
<v Speaker 1>the line, how does that fit?

88
00:04:38.519 --> 00:04:41.560
<v Speaker 2>It's about creating a culture focused on clear purpose like

89
00:04:41.680 --> 00:04:45.879
<v Speaker 2>protect our assets relentlessly, then driving intention, focus and continuous learning,

90
00:04:46.319 --> 00:04:48.879
<v Speaker 2>being purposeful and skillful, especially under pressure.

91
00:04:48.959 --> 00:04:51.600
<v Speaker 1>So it's embedding that mindset.

92
00:04:51.279 --> 00:04:54.000
<v Speaker 2>Exactly. And change models like Kotter's or Lewin's can help. They

93
00:04:54.040 --> 00:04:56.959
<v Speaker 2>provide frameworks to make incident response a core value, not

94
00:04:57.000 --> 00:04:58.519
<v Speaker 2>just you know, an IT department task.

95
00:04:58.720 --> 00:05:01.600
<v Speaker 1>Okay, leadership and culture sorted. Let's get into the

96
00:05:01.600 --> 00:05:05.079
<v Speaker 1>plan itself. What's the core strategy? What are we actually

97
00:05:05.120 --> 00:05:07.360
<v Speaker 1>trying to achieve with an incident response plan?

98
00:05:07.600 --> 00:05:10.879
<v Speaker 2>Well, the big goals are pretty clear. Protect the company's assets,

99
00:05:11.079 --> 00:05:15.000
<v Speaker 2>meet compliance rules, minimize bad press, limit financial damage, and

100
00:05:15.120 --> 00:05:18.680
<v Speaker 2>keep customer disruption low. It's the playbook for hitting those

101
00:05:18.720 --> 00:05:22.160
<v Speaker 2>targets during chaos, and typically it breaks down into phases.

102
00:05:22.639 --> 00:05:27.279
<v Speaker 2>First, identification: spotting the event quickly. This uses everything from

103
00:05:27.360 --> 00:05:31.480
<v Speaker 2>fancy intrusion detection systems and SIEMs to even just an

104
00:05:31.480 --> 00:05:35.399
<v Speaker 2>alert employee noticing something weird. Automation's key here. That data

105
00:05:35.480 --> 00:05:36.319
<v Speaker 2>volume is huge.

106
00:05:36.399 --> 00:05:38.040
<v Speaker 1>Okay, detect it fast. Then what?

107
00:05:38.439 --> 00:05:42.959
<v Speaker 2>Containment. Stop the bleeding, limit the damage spreading. Then eradication,

108
00:05:43.199 --> 00:05:45.199
<v Speaker 2>get the attacker and everything they left behind out.

109
00:05:45.000 --> 00:05:47.000
<v Speaker 1>Clean sweep, right.

110
00:05:47.399 --> 00:05:51.360
<v Speaker 2>Fourth is recovery, get systems back online, working properly and

111
00:05:51.480 --> 00:05:55.120
<v Speaker 2>hopefully stronger than before. And finally, the crucial bit that

112
00:05:55.160 --> 00:05:59.120
<v Speaker 2>often gets skipped, post-incident review, the lessons learned. What worked,

113
00:05:59.160 --> 00:06:00.759
<v Speaker 2>what didn't? How do we update the plan?

114
00:06:01.040 --> 00:06:04.040
<v Speaker 1>You mentioned these phases aren't always neat and linear. That

115
00:06:04.079 --> 00:06:04.879
<v Speaker 1>seems important.

116
00:06:05.240 --> 00:06:08.839
<v Speaker 2>Oh definitely. You might be containing one thing while still

117
00:06:08.879 --> 00:06:12.600
<v Speaker 2>identifying other compromised systems, or you might need to loop

118
00:06:12.639 --> 00:06:15.800
<v Speaker 2>back during recovery if eradication wasn't complete.

119
00:06:15.959 --> 00:06:18.720
<v Speaker 1>It's dynamic and everyone needs to know their role right,

120
00:06:18.800 --> 00:06:19.879
<v Speaker 1>not just the tech team.

121
00:06:19.800 --> 00:06:25.639
<v Speaker 2>Absolutely. Legal, compliance, PR, senior management. Everyone has a part.

122
00:06:26.079 --> 00:06:29.360
<v Speaker 2>The plan needs to define that clearly. Going off script,

123
00:06:29.480 --> 00:06:31.839
<v Speaker 2>as the book says, just leads to chaos.

124
00:06:32.040 --> 00:06:35.600
<v Speaker 1>Okay, so that's our plan, But effective defense means understanding

125
00:06:35.680 --> 00:06:40.680
<v Speaker 1>the attacker's plan too. How do organizations anticipate what the

126
00:06:40.759 --> 00:06:41.600
<v Speaker 1>adversary will do?

127
00:06:41.800 --> 00:06:44.160
<v Speaker 2>Yeah, you need to think like the attacker. Frameworks like

128
00:06:44.160 --> 00:06:46.560
<v Speaker 2>the Mandiant cyber attack life cycle, which used to be

129
00:06:46.600 --> 00:06:48.920
<v Speaker 2>called the kill chain, help here. They map out the

130
00:06:48.959 --> 00:06:50.639
<v Speaker 2>typical stages an attacker goes through.

131
00:06:50.759 --> 00:06:52.240
<v Speaker 1>Okay, break that down for us.

132
00:06:52.120 --> 00:06:55.920
<v Speaker 2>It's usually seen in three broad phases. Phase one is initial compromise.

133
00:06:56.480 --> 00:07:00.279
<v Speaker 2>Starts with reconnaissance: googling you, checking LinkedIn, scanning networks with

134
00:07:00.319 --> 00:07:04.360
<v Speaker 2>tools like Shodan, maybe harvesting emails. Exactly. Then the initial

135
00:07:04.399 --> 00:07:07.519
<v Speaker 2>compromise itself. Maybe a phishing link gets clicked, maybe they

136
00:07:07.519 --> 00:07:11.360
<v Speaker 2>exploit a known vulnerability. Once they're in, they establish a foothold,

137
00:07:11.560 --> 00:07:14.040
<v Speaker 2>plant some malware, steal some credentials to ensure they can

138
00:07:14.040 --> 00:07:14.600
<v Speaker 2>get back in.

139
00:07:14.879 --> 00:07:16.680
<v Speaker 1>Okay, they're inside, what's phase two?

140
00:07:16.839 --> 00:07:19.759
<v Speaker 2>Phase two is iterative. This is where they work to

141
00:07:19.839 --> 00:07:23.279
<v Speaker 2>expand their access. They try to escalate privileges, get admin rights.

142
00:07:23.680 --> 00:07:26.360
<v Speaker 2>They do internal reconnaissance, map out your network from

143
00:07:26.399 --> 00:07:29.759
<v Speaker 2>the inside. They move laterally, jump from system to system,

144
00:07:30.120 --> 00:07:34.800
<v Speaker 2>and they try to maintain persistence, set up more ways

145
00:07:34.800 --> 00:07:36.600
<v Speaker 2>to stay in even if one gets found.

146
00:07:36.319 --> 00:07:38.519
<v Speaker 1>Spreading out, digging in deeper.

147
00:07:39.160 --> 00:07:41.839
<v Speaker 2>Then phase three is complete the mission. This is the

148
00:07:41.839 --> 00:07:46.920
<v Speaker 2>objective: could be stealing data, exfiltration, changing data, or just

149
00:07:46.959 --> 00:07:48.600
<v Speaker 2>destroying it, whatever their goal was.

150
00:07:48.879 --> 00:07:52.319
<v Speaker 1>Understanding that whole sequence must help defenders know where to look,

151
00:07:52.399 --> 00:07:55.120
<v Speaker 1>what kind of activity signals which phase.

152
00:07:55.319 --> 00:07:58.879
<v Speaker 2>Precisely. It helps prioritize alerts and it links straight into risk assessment. Remember,

153
00:07:58.959 --> 00:08:01.600
<v Speaker 2>risk is about a threat hitting a vulnerability and causing

154
00:08:01.600 --> 00:08:04.800
<v Speaker 2>an impact on confidentiality, integrity, or availability.

155
00:08:05.160 --> 00:08:08.000
<v Speaker 1>Like that server example, an unpatched Windows two thousand and

156
00:08:08.000 --> 00:08:11.519
<v Speaker 1>three server in a locked closet, low risk. Same server

157
00:08:11.560 --> 00:08:15.560
<v Speaker 1>connected to the internet, high risk. Context is everything.

158
00:08:15.879 --> 00:08:18.639
<v Speaker 2>Exactly right. And think about practical examples like the OWASP Top Ten

159
00:08:18.720 --> 00:08:22.800
<v Speaker 2>for web apps. Things like injection flaws, broken authentication, exposing

160
00:08:22.839 --> 00:08:26.399
<v Speaker 2>sensitive data. These are the common vulnerabilities attackers target in

161
00:08:26.439 --> 00:08:29.920
<v Speaker 2>phase one or two. Knowing them helps you prioritize defenses.

162
00:08:30.160 --> 00:08:34.000
<v Speaker 1>It sounds like detection alone needs a whole arsenal of tools.

163
00:08:34.080 --> 00:08:35.480
<v Speaker 1>How many layers are we talking about?

164
00:08:35.440 --> 00:08:37.759
<v Speaker 2>It's definitely multi-layered. You need things like data loss

165
00:08:37.759 --> 00:08:41.440
<v Speaker 2>prevention, DLP, that watches for sensitive data going where it

166
00:08:41.440 --> 00:08:45.159
<v Speaker 2>shouldn't: leaving via email, being saved to a USB drive,

167
00:08:45.440 --> 00:08:46.960
<v Speaker 2>sitting unencrypted somewhere.

168
00:08:46.360 --> 00:08:48.159
<v Speaker 1>Trying to plug the leaks, right.

169
00:08:48.360 --> 00:08:52.960
<v Speaker 2>Then endpoint detection and response, EDR, that monitors laptops, servers,

170
00:08:53.000 --> 00:08:56.240
<v Speaker 2>looking for weird changes, processes acting suspiciously. It's like a

171
00:08:56.279 --> 00:09:00.159
<v Speaker 2>security camera on each device. You also need network traffic analysis,

172
00:09:00.519 --> 00:09:03.639
<v Speaker 2>watching the data flow looking for strange patterns, maybe huge

173
00:09:03.679 --> 00:09:07.200
<v Speaker 2>uploads or spikes in DNS traffic which can signal malware

174
00:09:07.200 --> 00:09:10.240
<v Speaker 2>calling home. And the big one, SIEM, security incident and

175
00:09:10.279 --> 00:09:15.600
<v Speaker 2>event management. This pulls logs from everywhere: firewalls, servers, applications, databases,

176
00:09:15.759 --> 00:09:18.720
<v Speaker 2>and tries to correlate events, find patterns that match known

177
00:09:18.759 --> 00:09:21.639
<v Speaker 2>attacks based on predefined rules or use cases.

178
00:09:21.960 --> 00:09:24.039
<v Speaker 1>That sounds like finding needles in haystacks.

179
00:09:24.120 --> 00:09:27.080
<v Speaker 2>It can be. Tuning is critical to avoid alert fatigue.

180
00:09:27.519 --> 00:09:30.879
<v Speaker 2>But you also can't forget the humans empowering end users

181
00:09:30.919 --> 00:09:34.320
<v Speaker 2>through training phishing simulations. They're often the first to spot

182
00:09:34.440 --> 00:09:36.600
<v Speaker 2>something fishy, literally.

183
00:09:36.279 --> 00:09:39.639
<v Speaker 1>So it's tech and people, a whole ecosystem.

184
00:09:39.039 --> 00:09:44.759
<v Speaker 2>Definitely, plus logs from firewalls, intrusion detection systems, basic OS logs,

185
00:09:44.799 --> 00:09:45.960
<v Speaker 2>everything feeds in.

186
00:09:45.679 --> 00:09:49.480
<v Speaker 1>Okay, detection triggers an alert. Now the clock's ticking. Containment?

187
00:09:49.720 --> 00:09:51.360
<v Speaker 1>How do you stop the spread?

188
00:09:51.480 --> 00:09:54.519
<v Speaker 2>First, you hunt for indicators of compromise, IOCs. These are the

189
00:09:54.559 --> 00:09:59.519
<v Speaker 2>attacker's fingerprints: specific file hashes, IP addresses they use, weird registry keys.

190
00:10:00.159 --> 00:10:02.960
<v Speaker 2>Intel feeds often provide these. Find the badness, find it,

191
00:10:03.000 --> 00:10:06.039
<v Speaker 2>and find all of it. Then you isolate: unplug the machine,

192
00:10:06.039 --> 00:10:09.320
<v Speaker 2>maybe put it in sleep mode to preserve memory, often

193
00:10:09.320 --> 00:10:13.080
<v Speaker 2>better for forensics. Use network rules, firewall, DNS, to block

194
00:10:13.120 --> 00:10:14.399
<v Speaker 2>its communication.

195
00:10:14.600 --> 00:10:17.200
<v Speaker 1>Definitely, while preserving evidence. Crucial.

196
00:10:17.759 --> 00:10:21.120
<v Speaker 2>You need forensic images, exact copies of the disk and

197
00:10:21.159 --> 00:10:25.080
<v Speaker 2>memory for later analysis. And you correlate data from EDR

198
00:10:25.600 --> 00:10:27.879
<v Speaker 2>SIEM, network traffic, to see how far the infection spread.

199
00:10:27.720 --> 00:10:32.000
<v Speaker 1>And the strategy changes depending on the attack,

200
00:10:32.120 --> 00:10:34.279
<v Speaker 1>right? Like malware versus a DoS attack.

201
00:10:34.320 --> 00:10:37.960
<v Speaker 2>Absolutely. For malware or ransomware, you verify it, maybe upload

202
00:10:38.000 --> 00:10:41.720
<v Speaker 2>a sample to VirusTotal, run it in a sandbox, identify

203
00:10:41.759 --> 00:10:45.320
<v Speaker 2>its command and control, C2, traffic, then use EDR and SIEM

204
00:10:45.360 --> 00:10:47.080
<v Speaker 2>to find every machine infected.

205
00:10:47.320 --> 00:10:47.679
<v Speaker 1>Okay.

206
00:10:47.799 --> 00:10:50.879
<v Speaker 2>For denial of service, you're mapping the attack traffic, finding

207
00:10:50.919 --> 00:10:53.240
<v Speaker 2>the source IPs, blocking them at the edge, maybe even

208
00:10:53.279 --> 00:10:56.759
<v Speaker 2>calling your ISP for help. Sometimes you temporarily disable the

209
00:10:56.799 --> 00:10:59.120
<v Speaker 2>service under attack or scale up resources.

210
00:10:59.120 --> 00:11:01.399
<v Speaker 1>What about physical, like a laptop?

211
00:11:01.200 --> 00:11:04.200
<v Speaker 2>Report it, assess the data sensitivity, try to track it

212
00:11:04.320 --> 00:11:07.039
<v Speaker 2>or wipe it remotely if you have that capability. And

213
00:11:07.080 --> 00:11:10.559
<v Speaker 2>this is often where forensic investigators come in, especially external specialists.

214
00:11:10.679 --> 00:11:13.440
<v Speaker 2>They know how to collect evidence properly for potential legal action.

215
00:11:13.799 --> 00:11:16.080
<v Speaker 2>You need those relationships set up before you need them.

216
00:11:15.919 --> 00:11:18.200
<v Speaker 1>Makes sense, pre-approved contracts.

217
00:11:17.879 --> 00:11:21.080
<v Speaker 2>Exactly. And all this time the team lead is probably

218
00:11:21.080 --> 00:11:25.279
<v Speaker 2>dealing with executive expectations, trying to provide updates without speculating,

219
00:11:25.559 --> 00:11:28.440
<v Speaker 2>sticking to the facts. That's a tough balancing act.

220
00:11:28.519 --> 00:11:32.639
<v Speaker 1>Okay, the attack's contained, damage stopped. Now getting rid of

221
00:11:32.639 --> 00:11:33.480
<v Speaker 1>it and getting back to normal.

222
00:11:33.480 --> 00:11:38.120
<v Speaker 2>Right, eradication: removing every trace of the attacker, malware files,

223
00:11:38.200 --> 00:11:42.360
<v Speaker 2>registry changes, dodgy user accounts that they created. Sometimes for

224
00:11:42.519 --> 00:11:46.399
<v Speaker 2>really deep infections like rootkits, wiping and restoring from a known,

225
00:11:46.440 --> 00:11:48.759
<v Speaker 2>good backup is the only safe way.

226
00:11:48.960 --> 00:11:50.919
<v Speaker 1>Don't want to leave anything behind.

227
00:11:50.960 --> 00:11:54.039
<v Speaker 2>Nope. Then recovery: patch the vulnerability they exploited, maybe with an

228
00:11:54.039 --> 00:11:57.279
<v Speaker 2>emergency change request, scan again to be sure it's fixed,

229
00:11:57.879 --> 00:12:00.879
<v Speaker 2>restore data from backups. The aim is to come back

230
00:12:00.919 --> 00:12:02.240
<v Speaker 2>online more secure than you were before.

231
00:12:02.200 --> 00:12:05.399
<v Speaker 1>Building back better, essentially. That's the goal. And

232
00:12:05.440 --> 00:12:07.759
<v Speaker 1>then that step you mentioned earlier, the post mortem, the

233
00:12:07.759 --> 00:12:08.759
<v Speaker 1>post incident review.

234
00:12:08.799 --> 00:12:12.679
<v Speaker 2>The lessons learned so vital yet so often skipped because

235
00:12:12.720 --> 00:12:15.120
<v Speaker 2>everyone's exhausted and wants to move on. But this is

236
00:12:15.120 --> 00:12:18.480
<v Speaker 2>where you ask what went right? What went wrong? How

237
00:12:18.480 --> 00:12:21.840
<v Speaker 2>do we update our plan, our tools, our training?

238
00:12:21.519 --> 00:12:23.000
<v Speaker 1>And metrics help there.

239
00:12:23.120 --> 00:12:27.159
<v Speaker 2>Huge help. Time to detect, time to respond, contain, eradicate.

240
00:12:27.639 --> 00:12:31.200
<v Speaker 2>Tracking those drives real improvement, stops you making the same

241
00:12:31.240 --> 00:12:32.000
<v Speaker 2>mistakes twice.

242
00:12:32.120 --> 00:12:34.759
<v Speaker 1>Let's make this concrete. The book has that story about

243
00:12:34.799 --> 00:12:37.120
<v Speaker 1>American Widget. Can you walk us through that? It really

244
00:12:37.240 --> 00:12:38.480
<v Speaker 1>highlights some of these points.

245
00:12:38.559 --> 00:12:42.000
<v Speaker 2>Yeah, it's a great cautionary tale. So American Widget makes

246
00:12:42.080 --> 00:12:47.720
<v Speaker 2>high end stuff, has wealthy clients, celebrities, politicians, very sensitive

247
00:12:47.720 --> 00:12:50.360
<v Speaker 2>customer data, valuable manufacturing secrets.

248
00:12:50.399 --> 00:12:52.120
<v Speaker 1>Okay, high stakes.

249
00:12:52.320 --> 00:12:55.159
<v Speaker 2>Definitely. It starts kind of small. A finance manager's laptop keeps

250
00:12:55.159 --> 00:12:59.519
<v Speaker 2>crashing, blue screens, annoying but maybe just hardware. Then

251
00:13:00.120 --> 00:13:04.120
<v Speaker 2>manufacturing calls, his main database is locked, ransomware. They want

252
00:13:04.159 --> 00:13:04.879
<v Speaker 2>a million bucks.

253
00:13:04.960 --> 00:13:05.360
<v Speaker 1>Ouch.

254
00:13:05.679 --> 00:13:09.159
<v Speaker 2>The information security manager, the ISM, is actually relieved when

255
00:13:09.159 --> 00:13:11.879
<v Speaker 2>they find they can restore the database from backups. He

256
00:13:11.960 --> 00:13:15.039
<v Speaker 2>thinks, whew, dodged a bullet, and focuses all his effort

257
00:13:15.080 --> 00:13:18.679
<v Speaker 2>on figuring out the ransomware. The CISO, though, is uneasy,

258
00:13:18.919 --> 00:13:22.360
<v Speaker 2>knows those manufacturing plans are gold. Ransomware seems messy for

259
00:13:22.399 --> 00:13:23.480
<v Speaker 2>stealing plans.

260
00:13:23.639 --> 00:13:27.399
<v Speaker 1>A disconnect in understanding the assets. Exactly. Ah.

261
00:13:27.679 --> 00:13:31.600
<v Speaker 2>Fast forward a few months. Suddenly VIP customers get blackmail

262
00:13:31.639 --> 00:13:35.960
<v Speaker 2>emails: pay up or we release your purchase history. It

263
00:13:36.000 --> 00:13:38.240
<v Speaker 2>contains real sensitive account data.

264
00:13:38.440 --> 00:13:39.000
<v Speaker 1>Oh no.

265
00:13:39.200 --> 00:13:43.120
<v Speaker 2>And next, the second incident response kicks off. Logs show a

266
00:13:43.159 --> 00:13:46.360
<v Speaker 2>sales manager downloaded all those customer histories at two AM

267
00:13:46.480 --> 00:13:50.519
<v Speaker 2>weeks earlier. Then a sharp analyst remembers that sales manager's

268
00:13:50.600 --> 00:13:54.480
<v Speaker 2>laptop also had weird blue screen issues on the same

269
00:13:54.559 --> 00:13:57.240
<v Speaker 2>day as the finance manager's, right before the ransomware hit.

270
00:13:57.320 --> 00:13:58.879
<v Speaker 1>Ah. Connecting the dots.

271
00:13:58.759 --> 00:14:02.159
<v Speaker 2>Right, forensics comes in, digs deep, and the truth: the ransomware

272
00:14:02.159 --> 00:14:04.840
<v Speaker 2>was a complete diversion, smoke and mirrors. While the

273
00:14:04.879 --> 00:14:08.039
<v Speaker 2>security team was frantically restoring the database, the real attack

274
00:14:08.120 --> 00:14:11.080
<v Speaker 2>was happening silently. The attackers used the initial foothold on

275
00:14:11.120 --> 00:14:14.480
<v Speaker 2>those manager's laptops to steal the customer data, likely exfiltrating

276
00:14:14.519 --> 00:14:17.159
<v Speaker 2>it slowly using something subtle like DNS tunneling.

277
00:14:17.279 --> 00:14:19.399
<v Speaker 1>Wow, So they focus on the loud bang missed the

278
00:14:19.440 --> 00:14:20.399
<v Speaker 1>quiet theft.

279
00:14:20.480 --> 00:14:24.279
<v Speaker 2>Precisely, they lacked a formal IR plan. They didn't grasp

280
00:14:24.360 --> 00:14:27.919
<v Speaker 2>the true criticality of different data types. That customer list

281
00:14:28.039 --> 00:14:32.120
<v Speaker 2>was arguably more valuable than the manufacturing DB in this context.

282
00:14:32.679 --> 00:14:35.639
<v Speaker 2>The ISM got tunnel vision on the ransomware and the

283
00:14:35.679 --> 00:14:38.600
<v Speaker 2>company paid a huge price in reputation in customer trust.

284
00:14:39.000 --> 00:14:42.919
<v Speaker 1>That's a powerful lesson. The aha moment is realizing how

285
00:14:42.919 --> 00:14:46.960
<v Speaker 1>easily attackers can misdirect and why knowing your real crown

286
00:14:47.039 --> 00:14:48.519
<v Speaker 1>jewels is paramount.

287
00:14:48.559 --> 00:14:49.639
<v Speaker 2>Couldn't say it better.

288
00:14:49.759 --> 00:14:52.159
<v Speaker 1>And that American Widget story drives home that this isn't

289
00:14:52.159 --> 00:14:55.200
<v Speaker 1>a one time setup. It's ongoing, continuous.

290
00:14:55.720 --> 00:14:59.240
<v Speaker 2>Absolutely, that brings us to continuous monitoring. NIST SP eight

291
00:14:59.360 --> 00:15:02.799
<v Speaker 2>hundred one thirty seven talks about this. It's about constantly

292
00:15:02.879 --> 00:15:05.120
<v Speaker 2>checking if your controls are working as expected, if they're

293
00:15:05.200 --> 00:15:08.399
<v Speaker 2>meeting management's risk tolerance. Are they effective? Are they producing

294
00:15:08.440 --> 00:15:10.559
<v Speaker 2>the right outcomes. It's keeping your finger on the pulse.

295
00:15:10.679 --> 00:15:13.960
<v Speaker 2>It's never done. Never done. And things like network segmentation

296
00:15:14.000 --> 00:15:16.639
<v Speaker 2>play into this too. Making it harder for attackers to

297
00:15:16.639 --> 00:15:19.360
<v Speaker 2>move laterally isn't just prevention. It creates more trip wires,

298
00:15:19.399 --> 00:15:22.799
<v Speaker 2>more places where your continuous monitoring can actually detect them sooner,

299
00:15:23.519 --> 00:15:26.720
<v Speaker 2>better data points for response. So it all interconnects.

300
00:15:26.759 --> 00:15:29.639
<v Speaker 1>Prevention, detection, response, continuous improvement.

301
00:15:29.879 --> 00:15:34.759
<v Speaker 2>It's a cycle, and leaders need to keep growing too, technically, yes,

302
00:15:35.360 --> 00:15:39.279
<v Speaker 2>but also in their leadership skills. Balancing budgets, priorities, team morale.

303
00:15:39.600 --> 00:15:40.960
<v Speaker 2>It's a constant juggling act.

304
00:15:41.000 --> 00:15:43.480
<v Speaker 1>Well, we've certainly covered a lot of ground, from the

305
00:15:43.519 --> 00:15:46.600
<v Speaker 1>shock of a breach, through the planning, the leadership, the tech,

306
00:15:46.639 --> 00:15:50.200
<v Speaker 1>the phases of response. It's complex, it really is.

307
00:15:50.480 --> 00:15:53.360
<v Speaker 2>I think the key takeaway is that effective incident response

308
00:15:53.559 --> 00:15:58.039
<v Speaker 2>is holistic. It needs strong leadership, a clear strategy everyone understands,

309
00:15:58.600 --> 00:16:01.879
<v Speaker 2>constant practice, that muscle memory, and a really deep knowledge

310
00:16:01.879 --> 00:16:04.200
<v Speaker 2>of your own assets and how attackers think.

311
00:16:04.399 --> 00:16:07.159
<v Speaker 1>So for everyone listening, maybe the question to reflect on

312
00:16:07.320 --> 00:16:10.240
<v Speaker 1>is what are the real hidden risks in your world,

313
00:16:10.320 --> 00:16:12.919
<v Speaker 1>the things you might overlook if focused on the obvious,

314
00:16:13.039 --> 00:16:15.840
<v Speaker 1>and how ready are you really to respond when that

315
00:16:15.919 --> 00:16:18.960
<v Speaker 1>unexpected incident hits. Thank you for joining us on this

316
00:16:19.039 --> 00:16:21.120
<v Speaker 1>deep dive. We hope you feel better equipped to think

317
00:16:21.159 --> 00:16:23.559
<v Speaker 1>critically about cybersecurity incident response.
