Secure AF - A Cybersecurity Podcast

Incident Response 101: What to Do When You’re Under Attack

Alias Cybersecurity




What actually happens when a company gets hacked?

In this episode, we break down real-world incident response, from initial access and ransomware tactics to forensic investigation and common mistakes that make things worse. If your organization had an incident tomorrow, would you know what to do?


Watch full episodes at youtube.com/@aliascybersecurity.
Listen on Apple Podcasts, Spotify and anywhere you get your podcasts.

SPEAKER_02

What are common mistakes organizations make during incident response?

SPEAKER_03

Turning the computer off. Wow. And that's a good one. Anything that results in you losing logs. Yeah. Don't do that. Don't do that. We see that all the time.

SPEAKER_00

You are now listening to the Secure AF Podcast.

SPEAKER_03

Good morning, good afternoon, Internet. I'm Donovan Farrow, CEO at Alias. Today we're going to be discussing everything you need to know about incident response. I have another fearless leader here who's seen some wild stuff. This is Andrew Peters. He does forensics, IR, threat hunting, all that good stuff. Did I miss something? No. That was mostly everything. Perfect. So today, like I said, we're going to talk about incident response to get some information out to the public. Incident response is basically when a company gets some type of breach, or even an event occurs. We're going to talk about some of the threat actors and how they conduct business if they do attack your organization, things you should do, things you should not do. And then also scaling out with maybe some recommendations for training and stuff like that. So if you want to fast forward to that part, you can. It's not gonna hurt my feelings. Whatever. All right. So, Peters, you follow a lot of the APTs, the advanced persistent threats. What's the latest one you've been seeing today, and what do they do?

SPEAKER_02

Well, obviously the one that's really big in the news right now is ShinyHunters. We just had the... That's right. The Canvas one. Canvas. So they're very popular.

SPEAKER_03

And that's the website, right, where you do all the... other marketeers. I always like to break the third wall and look at Sam in the back. Yeah. She gave us a thumbs up. Okay. Here you go.

SPEAKER_02

Yeah, so it's the education platform that colleges use to post assignments, tests, and grades, discussion posts. They were able to hit that, and then of course Qilin, they are still posting dozens of companies. Is that how you say that? I don't know. You all know what I'm talking about. Pretty intense. Is that China, the Chinese? We think Eastern Europeans. Some people speculate China. They think Eastern European because some of the documentation about them was found in Cyrillic. Oh okay. But no one really knows for sure.

SPEAKER_03

Gotcha. Okay. And what type of... for Canvas, what kind of attack was that? I mean, you can say, you know, incident response, like how do you... was it... I don't know, there are so many attack vectors.

SPEAKER_02

Reportedly that one was social engineering. So it's my favorite. Reportedly there was speculation that they fell victim to a phishing attack. Okay. What is that? No, that is calling people on the cell phone and socially engineering them, and phishing, but with the V though.

SPEAKER_03

Yeah, so they had the popular attack, Scattered Spider, that did MGM, which was pretty cool. So I would say social engineering. Do you know, once they got past, I guess got access through voice, do you know what they did after, when they were inside? Was it just straight-up ransomware, or do we even know?

SPEAKER_02

There's speculation. But if anything's been confirmed, I'm not aware of it at this point in time.

SPEAKER_01

Did they pay the ransom?

SPEAKER_02

I don't know if there was a ransom for Canvas.

SPEAKER_03

Okay. Okay. So what, I guess, then what happened? If it wasn't ransomware, was it just data theft and maybe a threat of exposure, or was it like a DDoS?

SPEAKER_02

I think it was... well, it was visible to students who were attempting to log into it. Gotcha. So it could have been for marketing. As to whether any data was actually exfiltrated from that, I don't think that we know that yet. Oh man.

SPEAKER_03

Okay. And then let's talk about Qilin. I think that's how you say that. We don't know. What kind of attacks do they do on their victims? A bunch of different stuff.

SPEAKER_02

They are one of the most prevalent ransomware organizations right now. Yeah. And they have a lot of different attack vectors and IOCs because they have so many different people that are partnered with them. They pay out a much higher percentage of their ransom to their affiliates. Gotcha. So there are a lot more different methods and techniques that we're seeing. Gotcha. So the affiliates, what's their role with Qilin? Basically they're licensing the ransomware software from Qilin, and once they get access to an organization, they purchase that Qilin ransomware software so they can execute on the organization.

SPEAKER_03

Ransomware as a service. Yeah, vertical, perfect. See, new business ideas happen all the time with these guys. Very exciting. So you've worked quite a few incidents with our company. Can you give me a from-the-beginning breakdown? How does that typically work? I'm sure it's pretty intense. I know we get the audience that comes to us whenever it happens. I mean, kind of go through that, because it gets pretty deep. Yeah, absolutely.

SPEAKER_02

Well, usually, unfortunately for us, most of the time, if it's not a customer that we already have a well-established relationship with, if it's somebody that we've never worked with before, by the time we get the call, they've already had full encryption execute on their environment. Yeah. So they're hard down, nothing works, it's all encrypted, and they don't know what to do.

SPEAKER_03

So ransomware, that's an encryption, right? Yes. They typically steal the data first, right?

SPEAKER_02

Yes, they typically steal the data first, and then they will ransom or encrypt all of the remaining devices on the network, as many as they can, and then they will threaten to release the data that they stole if you do not pay. Interestingly, though, we've kind of seen them move to not even bother encrypting data. They just take it and then threaten to publish it.

SPEAKER_03

I wonder if... I mean, it sounds like maybe that's easier. It's like, ah, you know what, we're just too lazy, we don't care, we're just gonna threaten to release it. I guess they probably get paid more that way, would be my guess.

SPEAKER_02

I would guess as well. I think it's less effort for them and less chance of getting caught, since they're not executing encryption on a bunch of endpoints. Yeah. And I think... I guess that's true. At the end of the day, the threat of it being publicized is what's going to make people pay.

SPEAKER_03

And I assume blindsiding somebody like that might be a little more tactically better for them than, like you said, them knowing about the ransomware, because it could be stopped or blocked, and then they know that it happened, and they may actually be able to remove the hooks they have in an environment. Okay. I think about that. I do know when we have the ransomware teams come out, one of my favorite things is our team typically will physically go on site. I mean, it's pretty rare. Can you explain that process? Like, hey, we've been... well, ransomware, or we've had an event where we have an actor that says they've stolen our stuff. What's the first thing that we do?

SPEAKER_02

Absolutely. So the first thing we want to do is get in touch with the customer and get basically as much background information from them as possible. Yeah. What machines are impacted? Is it all the machines? Is there a subnet or a VLAN that isn't impacted? That's important information, you know. What type of networking appliances they had in place, what versions they were running.

SPEAKER_03

Right. And they always have all this information ready. No, never, never, never. Maybe 1% of the time. I think 1%. I'm trying to figure out who it was. It was a pretty big company. But yeah, like a network diagram. No, yes, no, nope, never. I've never seen one. That's really hard for us to troubleshoot if we don't have a network diagram. Really hard to troubleshoot if you don't have access to all your devices, or even an asset list, which I think is pretty important, and which we don't typically have. One of my favorite correlations for this is we usually get called on a Thursday afternoon, because typically they've been fighting it for a few days and then they're like, oh man, tomorrow's Friday. This sucks. I'm not gonna have a weekend. And then we come in, and the first thing we do, and he's technically correct, is we make sure that everyone eats food. Yeah. Yep. Because they haven't slept and they're probably shaking from drinking all of this non-sponsored stuff that's right here. And we bring pizza, stuff like that, because they're pretty worn out by then. They bring us in to help work through the weekend, and to add some non-technical information, we have our team set in about two to three teams, depending on what the situation is, and we just grind 24/7. We get our own little chat group so we can jump on video. We just leave it open for the team, and we have, I guess, rotating communication to the on-site team and management. So it's pretty exciting. It is really tough. The team actually enjoys it, which is weird, but these guys enjoy that time. So we talked about, I guess, what happens, what we ask for when we go on site so we get a scope of what has happened. Let's go back to the encryption part. If someone says, hey, we're gonna pay, or we want to pay, what would be your first recommendation for that?
Pay the ransomware actor, sorry.

SPEAKER_02

Well, generally speaking, we don't recommend it. These groups are criminals, and not only do we not want to encourage them to continue doing this to people, but we can't guarantee that they will actually keep their word, that they will not publish your files, or that they will actually give you the decryptor key for the ransomware.

SPEAKER_03

No honor among thieves. Yeah. Let's say, you know what? I'm Bob the plumber and all my stuff's there, my entire life. So I will be happy to pay this because allegedly it's covered by my insurance and the deductible is way less than my entire company stolen.

SPEAKER_02

Yeah, it's a gamble. Ultimately that is something that, for most businesses, your chief information security officer and CEO are going to have to have a conversation about: what is the cost-to-benefit ratio of paying them?

SPEAKER_03

Yeah, and maybe most of you guys don't have those, which is fine. We would be part of that discussion. Sometimes they are successful, sometimes they are not successful. What we typically recommend, I would say more on the management side than the technical side (we're gonna go to that next), is make sure, if you do go that route, we'll bring in the tool that you've purchased to decrypt these, and we'll make sure there's no malware or any other hooks inside of it to re-attack you, and make sure it works. Because you can upload, even to their website or Telegram or whatever it is, their Tor website. They'll say, if you would like us to show we have the keys to it, upload two documents or one document. I highly recommend that might be the most important document to have. It could be something that hooks them to a database, or maybe your heavy customer list you can put up, and they'll decrypt it for you. That's how you can verify that they actually have the right keys. A lot of attackers just have the ransomware, but they don't have the keys. So you'll be paying for absolutely nothing. It's a good thing to test on the front end. But technically, let's say you get in there, what's the... and we say probably visibility, but how do we go about that?

SPEAKER_02

So one of the first things that we'll do is, if the customer has an EDR or XDR solution like CrowdStrike, SentinelOne, Huntress, we will get access to that. We'll have our SOC analysts start looking at any alerts that have come through recently. We'll have them look at the actual policies that they're set to. We've had cases before where they had all the tools in place. They had SentinelOne, but it was set to detect only.

SPEAKER_03

Oh, right. Yeah. Alert only, no stopping. Yep. Perfect. And wait, hold up though. Alert... where were the alerts going? Oh, because they were clearly getting them.

SPEAKER_02

No.

SPEAKER_03

No, they weren't.

SPEAKER_02

No one was looking at them. Fantastic. So we'll look at the configuration and any recent alerts. If they don't have an EDR, we will deploy one. Okay, so we'll deploy CrowdStrike on all their endpoints. We'll set up a DFIR site in CrowdStrike and deploy it to all their endpoints.

SPEAKER_03

Yeah, and I would say, adding to that, it sounds silly, but a lot of people unintentionally will purchase an EDR or even a SIEM or something like that, and no one's watching the alerts. Even in, I would say, this sector, there are a lot of people who do IT or did security, but they go somewhere else, and all those settings and configurations are left the same, and the alerts go to the mailbox of someone who doesn't even work there or hasn't worked there for years. That's why on our services we monitor, respond, and threat hunt on these tools. It's the Alias team. So CrowdStrike, ArmorPoint, other tools we use. We do the research, we do the reconnaissance. If we need to freeze the machine so it can't contact the network, we do that, isolate depending on what product you have, and we will let you know if it's good or bad. And we have 24/7 support because my guys don't sleep. We have a staff that assists with that as well. Okay, so we've got the EDR, we have the information. I guess we have some red team that helps in this too. How do they help us on the investigative side?

SPEAKER_02

So our red team guys, our offensive security team, have an incredibly high success rate of basically looking at the customer's organization as an attacker would and thinking, you know, if I was going to hack this organization, what would I do? They have a vulnerability in their SSL VPN. What would happen if I were to attack that? What would I have access to?

SPEAKER_03

About 90%. It is actually kind of annoying, honestly. Yeah. I'm talking to you guys. Annoying, it's fine. You're right, Claryl. I'm the forensics guy. They figure out what happened before I do. Yeah, yeah, yeah. Yeah, but they don't really collect data, so it's fine. We get to be the heroes at the end of the day, I'm just saying. As a blue teamer. Yeah, but they do every time. So they basically evaluate the outside of your, sorry, external network that's connected to the internet. They typically use their own tools created in-house or even a few scanners, and like I said, 90% of the time they can usually tell. But you know, some of that data... my favorite part is when people are able to basically breach a firewall. The thing that makes me... it's funny now, but it's not funny in the moment, is everyone's like, oh, well, our logs are in the firewall. Like, that's perfect. We want to go check out those logs. Not all the time, but I'd say 50% of the time, they're either not logging at all or they have seven days of logs, which typically doesn't ever help us. I think the average attacker, I'm guessing, has 60 to 90 days of access before they actually pull the breach.

SPEAKER_02

Yeah, I think the shortest that I've seen is same day. I'd say the average time is usually somewhere between five to fifteen days. Yeah. And the longest of all time we've seen, we don't actually know. We speculate up to six months.

SPEAKER_03

Okay. Yeah, and that's the one thing that we assist with on that. Sometimes people may not have a true attack on their environment, but may want to know if something bad is in their environment. Us obtaining logs, or just running logs over a certain number of days and investigating those, we can typically tell if there's some type of heartbeat out to an advanced persistent threat that we can determine, and shut down those connections so they don't take control of your company. So, pretty exciting. I guess, going down the investigation, any other details about that, and I guess what makes us different than other IR people, leading into the documentation, talked about as a forensics guy.

SPEAKER_02

Yeah, absolutely. Well, based on the questions that we ask the client organization and what we see in the EDR once we've either gotten access to theirs or we've deployed it. Yeah. By this point, we usually have a pretty good idea of what patient zero is. Okay. And that's where we start forensic analysis. So at that point we... What's a forensic analysis? Forensic analysis, we're going to basically drill into the binary on that machine and figure out as much information as possible.

SPEAKER_03

So he's being facetious, it's fine. Listen, he gets in there and he's ripping pay... we'll see, even deleted events, deleted occurrences on the machine. He's pulling memory, so he's doing memory forensics, he's doing actual digital forensics, task forensics, startup forensics, all this stuff that's in the machine. And I only say that about other people who say they do it; those are more of an IT-and-cybersecurity company than a cybersecurity company. They're IT guys. I would say what we do, we're more like a brain surgeon than like a general aesthetic doctor, from like a computer guy. And you can call computer people that just work at like an MSP. They can't get as deep as we can. And what they'll typically do is basically offer you to buy whatever EDR they have and also buy new computers because you're scared now. So we have the opportunity to go in there and find patient zero, figure out what happened, potentially what was stolen, and validate if it did or did not happen. There are a few cases where it's basically scareware. They are threatening you with data that may have been free on the internet that they scraped, and they're saying, hey, we broke into your company, we have all your data, here's proof. And they actually don't have anything and people pay, and the whole time they were not at risk at all. So something to highlight. And then going forward, this is more of another thing that makes us different. What if we have to go to court? What if we have to talk to the FBI? What if we have to submit stuff like we did the other day to that... who was that guy? FBI? Who was he? The one that talked to our marketing guy?

SPEAKER_02

Yeah, yeah, that was... he was FBI. Okay, FBI.

SPEAKER_03

So that happens. So what do we do that's different than other companies?

SPEAKER_02

Well, we basically follow all the standard forensic processes that are taught by organizations like IACIS, SWGDE, SANS. Yeah. So we follow all the standard digital forensic procedure. And I think we have three expert witnesses here in cybersecurity, incident response, and digital forensics.

SPEAKER_03

As far as I know, I think we actually might have the most, like in the middle of the United States. East Coast, West Coast, I don't know, but we're pretty well up there. And we've worked well over probably 2,800 cases now. Yeah, 2,800 cases, certified expert witness in court. And we don't get too much beef, especially if we're on the side for an investigation, because we do work in tandem with the FBI sometimes on trying to obtain the attack, or at least they're getting evidence or information about it to try to recover. Because we are talking about ransomware and incident response, but incident response, I'm gonna take a sidestep here, besides us being expert witnesses for the court. Because we even have... let's talk about some internal threats, like a rogue IT guy or a rogue person in a school or something, or an incident happens. There were a few schools that we worked that were in the news, where there were some inappropriate relations with kids. We worked a company where the IT guy was running payroll for some reason. Can you explain that? Because that's not your typical attack. I don't think people understand that would be an incident response as well. How does that connect?

SPEAKER_02

Yeah, it's very different. Not only is it going to be more complicated just due to the nature of this person being an employee at the organization, but also a lot of the people that we're going to be working with probably had personal relationships with these people. And unfortunately, it's a really bad situation sometimes, particularly when you have IT administrators working at these very small companies who have all of the keys to the kingdom and there is no oversight over them.

SPEAKER_03

And that's what kind of weirds me out. A lot of companies, and you guys may or may not know this for your group, are also kind of afraid to let people go that are in IT and have been there forever. And I'm not saying they're all malicious or have bad intentions, but if you're afraid to let them go, or you get some weird vibe if you ask whether you want to hire someone or change your vendor, that's something where we would come in and change the direction. And we've not only helped them figure out what happened with the CFO, what happened with the CEO, what happened with a principal. Let's talk about an IT person that the company's afraid to let go. How do we help in that situation? Because that's still an incident response.

SPEAKER_02

Well, I think that the reason why they're afraid to let them go is because they think that nobody else is going to understand the actual IT infrastructure, which is probably true. Yep. So you need to get someone in there to learn it. So how do we assist with that? Well, there are a lot of different things that we've done in the past, without revealing too much. Usually, if it's just somebody retiring and they need help taking over, then of course it's no problem for us to just come in and learn the infrastructure and be able to help somebody else take ownership of that as they hire a new employee. If they're not going to be around much longer and it's for less than amicable circumstances, then we have had several cases where we've basically had to go in and do a hostile takeover, kind of covertly.

SPEAKER_03

Yeah. We did that for... yeah, to give you an example, we did that for a government agency, and I can be pretty... it was actually open record, so if you want to look for it, you can. Basically we had to go in there. The IT person was activating video cameras, sending spoof emails to his new boss, was turning on cameras, had access to it, and was running a World of Warcraft server on the backup ISP that was also connected to his house. So we were able to get that information. So when they let this person go, because he was causing a lot of damage to the agency itself, we were able to give the king the keys back to the kingdom, if you will. Very, very successful. But yeah, if you feel like you're afraid of your IT doing stuff like that, that would be an incident response situation that we can assist with. Or someone's retiring as well. We've also had a horrible situation where the IT person just got sick and didn't come back to work, and they didn't know what to do. So we were able to get access back to the servers and get the passwords back. Very unfortunate, but it does happen. So always have a good backup plan. I guess, going on next, you've had a lot of training. Well, you've done a lot of jobs here too, though. Five years, by the way. Let's go. That's crazy town. That makes you old. I guess in your career here, and also, I want to talk about, obviously, I feel like you've had both, hands-on. You're pretty much gonna graduate very soon. With... is it a digital forensics degree?

SPEAKER_01

Yeah, proper. Okay.

SPEAKER_03

And then you have certifications. Can you talk about those three and how they fit in?

SPEAKER_02

Yeah, absolutely. I think that all of them are incredibly valuable. The hands-on experience and training that I had here, of just actually getting hands on a keyboard and learning how all the software works, was incredibly valuable. But I do think that there is something to be said for certifications and, depending on the school, maybe academic education as well. Sure. And the reason why... the certifications, so the ones that I have, at least the most important one, is the IACIS CFCE, Certified Forensic Computer Examiner. And that certification is a six-month process with four practical examinations. Yeah. Sounds awful. And most of it is on the hex level.

SPEAKER_03

Is that one you have to pass at a certain point, or what's a passing rate, I guess?

SPEAKER_02

I didn't know... so the first phase they call the peer review phase. So you have another certified examiner. You have one month to analyze a forensic image, answer about 50 to 100 questions on it, and then write a report about your findings, and that has to be all peer-reviewed by another certified examiner.

SPEAKER_03

Gotcha. Just starting there, I mean, we're gonna continue on, but that's why we would probably want someone who's already been vetted in that capital, that vertical, and not just an IT guy or someone who works here, because they can do things and, I promise, I'll step back. I was called the S-word, which is the bad word that attorneys don't like. It's called spoliation. See, gotcha. And then, so I mean, they don't know what that means. So going through that, through the class, you learn about that and you go into the details. So you do that, you make sure everything's good to go, you send it to them, then what happens?

SPEAKER_02

Well, so... sorry, are you talking about the certification? Yeah, certification. Yeah, sorry, certification. Yeah. So after you complete that peer-reviewed examination, which you have a month to do, you either get approved or have to go back for revisions. Yeah. You can do as many revisions as you want as long as you get everything right within 30 days. Sure. But then you have to do that four times. Okay. And then after that, you have to do a final non-peer-reviewed mock examination of a drive, and then a written exam. And once you pass all that, you'll be certified. And that was very valuable because it forced you to learn. And I always tell people, forensics, if your idea of forensics is just using the software and just telling people what the software says, that's wrong. You have to be able to articulate how the software is parsing that data.

SPEAKER_03

And you have to explain the technology on the stand. And just so you know, if you're on the stand, you get subpoenaed, maybe because, here's what could happen, right? You have this technician do an IR thing. They allegedly do some digital forensics. Now they're on the stand because, I don't know, the company that they work for is suing the insurance company, and you've got to be careful, because you can be held personally liable just because you say something that's not true. It doesn't say you're lying, but you can be personally sued for a false statement based off digital forensics, which is terrifying. Yep. So sorry, and we're gonna go... I want to hear you talk about the degree real quick. Just finishing up on that one.

SPEAKER_02

Yeah, I think that most colleges unfortunately don't do digital forensics properly. I would say that my situation was a little bit different, going to the University of Central Oklahoma, which has a very well established forensics-specific program. Agreed. And they actually teach all of their digital forensic classes basically in guidance with the IACIS certifications. So it is more directed at, you know, this is how an NTFS file system works. This is how a computer actually functions, and you need to understand all of this before you can actually even use the software. They don't let you use the software until like the fourth or fifth class. Good. Ones and zeros. Yeah. Yeah.

SPEAKER_03

That made you do it all in hex. Yeah. So that's kind of what separates different investigators, especially in incident response. Is there any other situation that we've been used in? Maybe we jump in and they may see something happen, like we definitely didn't get a call two weekends ago, and he called in: I don't know if this is weird. Like, how do we handle that? They see something weird. What is our response to that?

SPEAKER_02

Yeah, absolutely. Basically, if it's one of our established customers, chances are we're probably already doing SOC monitoring for them. So we'll just jump in and begin an investigation using the workflows that we have in our SOC, and make a determination on whether we think it's suspicious or not.

SPEAKER_03

Yeah, and just to say, our pricing can be based off the situation. We don't have to do a full engagement if you just have questions about what incident response is, like, do I have something going on? We do 10-hour stuff all the time just to make sure everything's okay. Sometimes we may have to deploy some tools that are a little louder, a little longer, but we can jump in and respond, in case we can show you that nothing's wrong. It could be a false positive that we could help you out with. That's kind of the whole thing. You don't have to be a current customer to get those services as well. I guess, rotating up here, anything else on incident response? We've already leaned in, we took care of them. After that, we give them a report. What do they need to do internally to be better or more reactive to the incident in case it does occur or an event happens?

SPEAKER_02

It's going to depend on the organization and their level of maturity. I always tell people, have an actual incident response plan. If you don't have one, get a consultant and have them help you make one. Have a list of critical assets, have a network map, and actually practice your incident response and data recovery plans with tabletop exercises.

SPEAKER_03

Yeah, and a tabletop exercise is something we do for incident response. We typically, and go with me, this may sound silly at first, but we ask that any C-level people are there. We have the CEO, the CFO, the director of HR, chief counsel, because those decisions are critical during an emergency. Why does HR need to be there? I get that one all the time. Okay, if you've been ransomwared or your payroll system's down, no one's getting paid. Yep. And if you've been compromised and you miss a payroll, your employees get really sketched out. They get pretty afraid that they may not get paid. And you could promise and promise, but what is the plan B for HR? Legal as well. What legal implications do they have with their customers or their employees? Because there are contracts. There are also data breach clauses in them, with either customers or vendors that they need to respond to. Different states have different compliance regulations. I think one state is over 50 people that have been compromised, one's 100. It depends on the state you live in. Our compliance gangster, Jonathan Kemet, knows pretty much all of it and jumps on. We always lean on him for his expertise on that one. So tabletop exercises: we have some people that hold an IR retainer. If they need us, we respond. We don't have to do the contracts, we're ready to go. We can jump in in, you know, 30 minutes, 10 minutes. And then if they don't use that, we'll come in and do external services, we'll do like an external pen test or a tabletop exercise. We can write the whole plan down. We draft it up, we have you guys approve it, and we come in and test that yearly, which is pretty exciting.
So whether you're in a current incident response or concerned about something happening or need an incident response plan built, or just need an overall test of your environment, we can do that, and we have been doing that for 16 years. That's crazy. It makes you feel super old. That's good. It's good though, 16 years. And then we would also have the technical background to kind of have that. I guess on all that, you said a lot of things they can do to help prepare just in case something does happen. Is there anything else that people should be aware of about an incident response or an event in their company that they could do better today?

SPEAKER_02

Yeah, absolutely. Budget for it. It costs a ridiculous amount of money.

SPEAKER_03

It does. I mean, I would even say, just from the hip, those go anywhere from 150 to 300 grand. That's just the ones I'm aware of, and that's kind of on the technical side. That doesn't count the attorneys, and that doesn't count the downtime of the business. And retainers are way cheaper than that, and locking in those rates with us is better. So incident responses happen. I think they're getting bigger, just like we talked about with social engineering, which is kind of related to that. Deepfakes are coming in pretty heavy. Voice, we've seen those. Right now we can do deepfake stuff. I think it's good to practice with this stuff. We need 15 seconds of your voice. We can deepfake it and do multi-factor authentication through voice authentication as of today. And that's just our company. So I think even having an exercise on that to protect from social engineering would probably be a good practice as well.

SPEAKER_02

Yep. Social engineering is always probably going to be one of the biggest risk factors because people are stubborn. You can't patch a human. Yeah. That's funny.

SPEAKER_03

Anyway, so we have some questions from, I don't know, the internet. If you want to read any of those, that's fine. We'll do like two and then we'll wrap this up.

SPEAKER_02

What are common mistakes organizations make during incident response? Turning the computer off.

SPEAKER_03

Wow, and that's a good one. I have such a long list for that. Yeah. Unplugging the firewall. Anything that results in us losing logs. Yeah, don't do that. Don't do that.

SPEAKER_02

I see that all the time.

SPEAKER_03

Yeah. I used to say that anytime there's an event and you pull the plug, you erase memory on the machine and an angel loses its wings. You guys heard that? Just the opposite. Don't do that. Don't do that to us, because you're erasing historical stuff. So you have a server that got breached or compromised. The data on that could go back for months. And it's critical, because you probably don't have logs. And if we don't have your logs and we don't have your memory, we might be able to tell maybe how they got in. We'd be guessing. We can plug the holes, but we don't have definitive, actual evidence of that. Also, don't have your attorneys lie. That's a bad idea. Yep. We've had that before. And don't tell me, I'm not gonna do that either. That was interesting. That was fun. Yeah, fun. What else? I could just keep going. What else? Don't do that. Oh, don't ignore it. Don't, when they specifically show you they've hacked your data and we validated that they've compromised you, respond that it never happened. That's a bad idea. Yep.

SPEAKER_02

It's a bad idea. That's also a bad idea. Not reporting it to OCR or the Department of Education or any other government agencies that you might have a responsibility to report to.

SPEAKER_03

Yeah, personal liability comes back. I don't know if you guys have heard of this, but it's happening. All the C-levels and schools, you're personally liable for not doing that. So is it a felony? It's more of a chemic question. Yeah, I'm not sure. It's a crime. That's it. I don't know. Choose your own adventure. What else? I feel like there's gonna be one more for you on that one.

SPEAKER_02

And you know, as the forensics guy, it's really just: stop pulling the plug on computers. Yeah. The only time you should ever pull the power plug on a computer during an incident response is if you look at it and either the disk is being formatted or the disk is being encrypted. Then pull the plug. If not, just pull the Ethernet cable out.

SPEAKER_03

Absolutely. Yes, there you go. That's the answer. Just unplug the Ethernet cable or turn off the Wi-Fi. Let's do one more question. That was a good one. I like that one.

SPEAKER_02

What level of automation should be incorporated into incident response workflows?

SPEAKER_03

Man, I don't know.

SPEAKER_01

I want to say zero, but what level of automation? So we use quite a bit of automation. Yeah, mostly with... But it's inside the program.

SPEAKER_02

Yeah, mostly with the tools that we use for visibility. We will pretty much always either get access to or deploy EDR/XDR and a SIEM solution.

SPEAKER_03

I guess changing the template, right? So that would be, I guess, say the... what am I saying? You know, the rule set inside the... Yeah.

SPEAKER_02

So we'll have different workflows inside of CrowdStrike that either we have for our environment or we'll configure for a customer's environment. Yeah. Where basically we'll go through, we'll take all the IOCs and we'll add them into that.

SPEAKER_03

Yeah, and I think that'd be harder for non-consultants, because we see this, this is our job on the daily. So we have a pretty hard-tested configuration, if that makes sense to you guys, in a tool that we can give to you when we come on site, because we've already tested it in our environment. We even see how pen testers can combat against it. So that's pretty good. And also we immediately start kicking firewall stuff out the door, logs, so we can start evaluating firewall logs if we can. So that works pretty well. Yeah, I guess any other questions or anything else on that one.

SPEAKER_02

Yeah, I think at least for us, most of the automation is either gonna come from CrowdStrike or ArmorPoint, with just the automated workflows for alerts. And then of course, some automated tools that we might use for the red team side of things, like we might do some automated vulnerability scans and stuff like that. But most of the actual investigation we do is manual.

SPEAKER_03

Okay. Well, cool. That's kind of ending our Secure AF podcast today. This one has been on incident response. If you have any other questions, feel free to give us a call or just email us. Thank you so much for tuning in. See ya, internet.

SPEAKER_00

The Secure AF Podcast is a production of Alias Cybersecurity. Visit us online at aliascybersecurity.com. All rights reserved.
