Matthew Fisch and Christopher Regan dive deep into the critical "boom" moment during a cyber incident, revealing the nuanced stages of a cyber-attack and how organizations can effectively respond when disaster strikes. Drawing from their extensive experience in security and legal domains, they provide invaluable insights into navigating the complex landscape of incident response, emphasizing preparation, calm decision-making, and strategic containment.
In this episode of the IT Business Podcast, Uncle Marv hosts cybersecurity expert Matthew Fisch and Attorney Christopher Regan to discuss the crucial "boom" moment during a cyber incident. They explore what happens when a cybersecurity disaster strikes and how to respond effectively.
The conversation kicks off by defining what "boom" means in cybersecurity terms. Matt explains that it's not always a sudden event but can be a process that unfolds over weeks or months. They stress the importance of staying calm and having a well-prepared incident response plan.
Chris, a seasoned privacy attorney, shares insights on the legal implications of declaring an incident and the importance of using the right terminology. The team discusses the value of cyber insurance and how insurers can provide crucial support during an incident.
The experts offer practical advice for IT professionals and MSPs on the front lines of incident response. They emphasize the need for proper documentation, secure communication channels, and the importance of preserving evidence.
The episode wraps up with a reminder to be cautious about sweeping minor incidents under the rug and the potential consequences of not following through on stated security policies.
=== Show Information
[Uncle Marv]
Hello friends, Uncle Marv here with another episode of the IT Business Podcast, the show for IT professionals and managed service providers, where we talk about all the things tech that help us support our customers and help you run your business better, smarter, and faster. The show tonight is our weekly live stream. We're here Wednesdays at 8 p.m. Eastern. Join us on all of the social platforms, YouTube, LinkedIn, and the Facebook. Tonight, it's going to be a little different show because this is part two of a little cybersecurity series put together by our friend Matt Fisch from Fort Mesa, and he'll be joining us in just a minute. We are doing part two of a cybersecurity incident response when disaster strikes.
This is the boom portion of that. We always talk about the left of boom and the right of boom. Tonight, we're going to try to figure out the boom and what things we should be doing at that time.
Before we get to that, I want to do just one recap. I know that last week I talked about the project I was in, so I'll give you just a quick update with a few tips. The SharePoint migration where we tried to move data and we kept running out of space on the system drive and the mailboxes all of a sudden filled up on the target side because we didn't know how big the mailboxes were on the source side.
Well, we finally got that figured out. There were three mailboxes that were almost 70, 80 gigabytes. Of course, they were over the 50 gig limit.
I found out how much they were. We got the licenses, and those are in the process of being migrated. The data, well, that's another story, but we got it figured out.
The biggest thing in all of this was to get PowerShell scripts. You guys know I'm not a PowerShell guy. At some point, I'm going to do a show about all the PowerShell scripts that I used to make all of this stuff happen.
I think it'll be interesting. Some of you probably already know it because you're super techs, but I'm not. Just a man in the van.
That's going to do it. If you were here watching the video, you saw we've got sponsors showing up here. Rythmz, of course, is back for this year.
They are our powered internet box. Whenever we are on-site doing live streams, we'll have their box. You guys should check them out, the portable internet in a box.
We've got a new sponsor that you're going to be hearing about, Design Ready. They do website hosting. Been hosting mine for over a year, so it's time to get them on the show and give them kudos.
Of course, our legacy premier sponsor, NetAlly. You guys know all about them. Head over to the website and check them all out.
We are going to clear up the entry here and make way for our guests because I want to make sure that we give them a lot of space. First, I want to let you know we've got, again, Matthew Fisch, the founder and CEO of Fort Mesa, and Christopher Regan, a seasoned legal attorney. We're going to be talking about all the cybersecurity stuff.
Gentlemen, welcome to the show.
[Matthew Fisch]
I love your introduction, Marv. I got to say. Which one?
Just the whole narration. I need to up my game. I think I tend to fall right into the show without any preamble.
I'm telling people what to expect. I can't wait to talk about boom because I think you're right. As an industry, we use these terms, left of boom and right of boom.
I know right of boom is this catch-all label for well after disaster strikes, but there is actually the moment. Then there's the afterward, and there's the before. Really, it's this continuum.
The moment of scariness is something that people need to know how to navigate.
[Uncle Marv]
That is true. For people that may have seen this and wondered, what are we talking about part one and left of boom? That was a show we did back on the Fort Mesa channel.
I'll have the link to that in the show notes so that if you are watching this and you need to go back and see that, you can do that. Then you should know that we are going to be doing a part three of this discussion, which is the right of boom. That will be Friday, February 14th at 2.30 p.m. Eastern Time. We'll have the links for that as well so you can come back and catch us there. Matt, you started to talk about it. There's always this discussion, left of boom, how to prep, how to get done.
Then there's always right of boom. What do you do after the fact? There isn't a big discussion happening at boom time.
We should probably start with, what is boom time?
[Matthew Fisch]
Well, if I was just going to sum up this whole episode, the thing that I would start with is don't panic. I think that a lot of bad things happen when people panic. If you can just do one thing right, it's basically to slow down and think.
We'll talk about what you should be thinking about. There's so many missteps you could make in a moment that you can't take back. I think it's important that we talk about that moment of discovery.
How do you respond? How do you get through it? I know Chris, who's sitting in a law library tonight, is actually somewhat of a subject matter expert.
I'm the security guy. Marvin, you're the MSP guy. We actually have a privacy attorney on the call.
Not only that, but you, Chris, if you could just fill people in on your background, because I know that you've been in deep incident, basically.
[Christopher Regan]
Yeah. I'll start with, hi, I'm Chris Regan.
I'm a cybersecurity and privacy lawyer. I've been doing this law for, I mean, specifically privacy and cybersecurity for five years. Before that, I did work like that in economic crimes for Bronx DA's office, but I've worked defending the city of New York and Fortune 500 companies.
I'm with a law firm right now. I've got a lot of experience doing incident response, everything from minor incidents to ransomware and everything in between. I'll have to say this, views and opinions expressed in this podcast are solely my own and do not reflect those of any of my current or former employers, clients, or affiliates.
For me, at least, this podcast is for informational and educational purposes only and does not constitute legal advice. It is not tailored to your specific situation, and listening to this podcast does not create an attorney-client relationship. If you need legal advice regarding a specific matter, please consult a qualified attorney.
Sorry, I have to get that out of the way as the lawyer in the room. I've handled tons of incidents, project managing them, helping create playbooks for teams, and doing tabletop exercises on how to handle things. And yeah, I mean, what you were saying about the stay calm is so true.
The first thing that I almost always have to tell people when I'm running the situation is it's the chicken little story of the sky is not falling. We're going to be okay. And I can usually say that because I've been there and done that and seen things.
And that's why a lot of the stuff that we talked about in the before the boom thing is important. You need to have the right people set up and go through and prep these things ahead of time. And if you do that, you generally don't have to worry.
You can take your time, make sure you handle things right. Because if you've done your prep work, boom is not as bad as people will make it out to be.
[Matthew Fisch]
So what do you mean by that? You mean like the financial impact, just like the fact that you don't sleep a day is like what?
[Christopher Regan]
I mean, it depends on what kind of boom you're dealing with and what kind of impact it's having. If you set up things right ahead of time, if you've done the right, you have the right teams on it, you have the right backups and failovers and things like that set up.
I mean, oftentimes the business impact can be relatively minor. And most of the stuff that they end up doing is more regulatory than anything else. If you haven't set up enough failovers, if you haven't set up enough and quality enough backups, yeah, you'll have some recovery to do, some containment.
If things go out in a bad way and bad guys have acquired your information, you may have some issues to deal with there. But I mean, more often than not, how bad things are and how much it impacts you has mostly to do with how prepared you are for when it's going to happen. Because I mean, as bad as it is to kind of have this view in today's day and age, you kind of have to assume that it's going to happen at some point.
You're going to be hit by something. It's just a matter of when and how bad.
[Uncle Marv]
Now, one of the things that I was thinking of is we probably need to define boom for some people. Because boom is kind of different whether you're the company that got hit, you're the IT professional supporting them, or the remediation team. Because boom could happen at 2 in the afternoon or 2 in the morning.
And people may not see it until 8 a.m. Or you could have a thing where boom happens at 2 in the afternoon, but nobody notices it until 4 because that ransom note didn't pop up, those encryptions, people didn't touch those specific files at the time because sometimes boom takes a long time to happen. It's interesting. In terms of boom as a cycle from start to finish, how do you guys define that?
[Matthew Fisch]
Well, I use jargon. Boom is like the catch-all word we all joke about in the security industry, because it's sort of a joke, this idea that it's sort of meaningless. What does that even mean?
Well, clearly it's bad. And it's a moment in time. But other than that, it's meaningless.
And the reality is people do treat it like getting struck by lightning. And unfortunately, that's not too helpful for them. There's nothing I can do about it.
It's unstoppable. It's really fast. But the reality is none of those things are true.
There's all these stages of an incident. And you start with the pre-detection phase, which really, there could be an attacker living off the land in an environment for weeks. Let me back up.
Weeks to months is normal. It's not exceptional. Weeks to months is normal.
Before, boom feels like the day you got the ransom note, but actually boom happened like five weeks ago. And it's just been echoing around and finally it landed on your desk. And it's weeks to months because sometimes it is literally months.
The attacker is rooting around your systems, actually a little bureaucratic. There's teams of people that do this and teams of people do that. It goes from desk to desk, like paperwork.
And yeah, it can happen like lightning, but that's actually pretty exceptional. Usually what happens is there's an anomaly. There's an anomaly.
And what I mean by anomaly is something has happened that doesn't normally happen. It's usually someone getting access to something they shouldn't have access to, if we just want to have the simplest version of this story. And there's an anomaly and sort of this question mark.
And if we have all the tools in place, it does leave a trail. And if we're looking for those things, we can start an investigation when that anomaly pops up. And so I use words like anomaly or even event, because sometimes something's a normal event.
It's only an anomaly if that event's not normal. And you might even have normal events that happen, but for whatever reason, it's happening more frequently or at a time it doesn't usually happen. So you have event, anomaly, hopefully there's a detection.
But we all, in the IT industry, we have lots of detections. That happens all the time. Our alarms are going off and hopefully that doesn't happen too frequently, because if it happens too frequently, you lose vigilance.
But then that alarm should lead to an investigation if the IT department or if the security people are going to catch something. But sometimes it's the user. Unfortunately, it's oftentimes the user that like their screen's all blacked out or that file they're trying to open is actually all locked up, or they get a message on their phone with some kind of ransom demand.
And they are reporting the incident because as a security organization or an IT organization, you missed the chance to detect it. So then there's a report. At some point, someone raises their hand and said, hopefully this happens.
Someone says, oh, this is an incident. Some businesses that doesn't happen. I have totally seen businesses just sweep things under the rug and say, not so bad, nothing to see here.
And then they just keep going. And then a few weeks later, it just gets worse, because they ignored it. And then dot, dot, dot, there's lots of things that we should talk about.
In my mind, in the security world, there's all the protection stuff you're doing to prep. But a singular incident starts at the moment that someone says, they declare it. They say, look, this is serious.
There's real potential impact here. We need to get a larger group of people involved. This has gone beyond a casual investigation.
And that's usually where I start the story. But I've actually heard difference of opinion on this. And Chris, I would love to hear your opinion, because some people say, I've heard people say, well, you as an IT person or you as a security person should never declare incident.
And I waffle on this a little bit, because on the one hand, there's some pushback in declaring incident, because it sets some dominoes going on the legal side that may be unnecessary or too early. But on the other side, I feel as a security professional, if we wait till the house is burning down once a year or once every three years to declare an incident, that means we never get to try out our incident muscles. And I really like to try out those muscles and work them out.
So I'm curious, Chris, I've heard people go either direction on that. What do you feel there?
[Christopher Regan]
So first off, you definitely should try out your incident muscles.
Everyone should. And you shouldn't wait for incidents to do it. Red teaming and tabletop exercises and things like that.
Everyone should be doing those, because regardless of whether you've been hit or not, you'll never know if your procedures, if your plans are going to work unless you've tried them out. I would generally say don't declare an incident, because yeah, there can be lots of legal ramifications that can happen from declaring an incident. You need to look through what your organization's nomenclature for things are.
Some people will use terms like a significant event, or they may use incident for certain things, they may use breach for certain things, but different words depending on what organization you're in and what types of words you guys use in your contracts, what legal regulations, what industry groups you're a part of may use certain terms for certain things. And if there's any sort of audits or investigations or lawsuits that go into things and they see certain key words that have certain meanings, then those words may get interpreted in that way by whoever's looking into it. So yeah, whatever Tim's asking for us to define incident, it's going to depend on your organization.
An incident could be as minor as I sent an email that has the contact information of one of our clients to someone that I wasn't supposed to. I typed in the first two letters and it was not actually who I meant to send it to and it was just an incorrect thing. That's a relatively minor thing.
You talk to the person, the person deletes it. It could be something as extreme as a ransomware that has completely Stuxnet and taken down your entire system, causing explosions and truly terrible things and everything in between. But there's actually some laws that...
[Matthew Fisch]
There's a lot of laws actually and more every day that define what needs to happen based on whether something's an incident. And that's why that's important, I would presume.
[Christopher Regan]
It depends because different places use different words for what triggers things.
Most of the laws trigger based on the word breach, the B word that some people will call it. But yeah, breach is the most common term. There are some laws that'll use incident.
There are some that use other words instead, but breach is the most common legal word for it. And I just went through a few of them earlier to kind of get some of the differences between them. But a breach could, depending on the law, require either access or use or acquisition by the bad actor of your information, or maybe just the reasonable belief, or maybe just some combination of that.
Some places it has to be an acquisition. If they don't actually get the information from you, then it's not enough if they don't exfiltrate it. In some, they need to actually use the information.
In some, they only need to access the information. In some, you only need to have a reasonable belief that they access the information. It can be lots of combinations of that.
The types of information that are included vary depending on the law. Some of them have exceptions for certain good faith acquisitions where something happened a certain way. Some of them require the bad actor to have certain intent to use the information in a bad way.
In some of them, the acquisition has to be an illegal acquisition. In some, it only has to be a non-authorized acquisition. There's tons of variations of what counts.
[Uncle Marv]
Before you ask a follow-up, Matt, let me say this from an MSP perspective. I'm in the trenches. Something happened.
I don't care what you call it. I've got to identify it. I've got to fix it.
And I've got to tell the client, we've got to either do A, B, C, D, or whatever it is. And the client, all they're going to want to know is, how quickly can we get back up and running? So from my perspective, the legal stuff is all on the attorney.
Yes, there are things that we shouldn't say. I can't say the B word until I know something. Well, in the middle of the incident, I don't know, which is why I tell my clients, think of it like a fire.
The fireman isn't there to figure out the ramifications. He's there to put the fire out. The investigator is going to come in afterwards and figure it all out.
So right now, we've got a little fire. Let's put it out, and then we'll deal with it afterwards. Does that sound fair?
[Matthew Fisch]
Yeah. Well, I've been educated over and over and over again to educate other people over and over and over again, to be really careful with that B word, which I've deleted from my lexicon because it gets really serious. Not only are there some implications behind what that word means, but people can assume a lot of things that may not be true.
So someone reports an anomaly, and then there's an investigation, and then sometimes it's super clear because everything's locked up and there's a ransom note. But even then, it's not super clear how far it goes beyond the screen you're looking at. But that's basically the moment where you need to start getting people involved.
And hopefully, there's a plan, and the plan has contact information for the client, contact information maybe for their clients in the case of some regulated data, contact information for law enforcement or regulators or other parties, contractual contact notification sometimes. And then there's the insurers, right? And they want to be at the front of the list too.
They want to really be at the front of the list because they want to deal with the fallout from the beginning, and they want to be able to sprinkle their incident people in there to stop the loss, at least from their perspective. Do you want their incident people in there because that's what you're paying for? Yeah.
Yeah, you really are. Because I think there's some misunderstanding in the cyber insurance marketplace that what you are paying for is someone to write you a check if things go bad. And yeah, that might happen, but mostly what you're getting are firefighters to stop the loss because they really don't want to pay out, and they don't want to pay out so bad that their smoke jumpers will land on your organization and right into the middle of a fire and put it out.
And that's really what you want. Yeah.
[Christopher Regan]
And they're people who, this is all they do.
They go from incident to incident to incident, and they triage and they deal with whatever is most important and worst first. And they, yeah, that is, I mean, the biggest reason to have the cyber insurance is to have already set up all of those contacts and those deals with the attorney, with the forensic team, with any sort of cyber team that you might need in order to handle things, ransomware negotiator, or yeah, ransom negotiators. There are all sorts of experts that they have contacts with because they have to use them constantly.
And all of that, those lists of contacts that you gave earlier, always remember, you want a copy of that that is either on a completely 100% air-gapped computer or printed out. Because if whatever the boom is that you're dealing with locks up your systems and you can't access those lists, then it's almost like you never made those lists in the first place. I understand a lot of people, a lot of attackers are targeting that information specifically these days, the contact lists and the policy information, because they can use that for leverage, basically.
They can use it to figure out how much to charge you. And if they can stop you from communicating with the people you need to communicate with even better, right?
[Uncle Marv]
Well, that's what I was going to talk to, Chris. You had brought us back to the things that we need to make sure are happening during the boom, making sure we have access to all of that. The stuff about who to contact, that's after the boom, in my opinion.
You're still in the middle of the boom. You've still got to contain it. You've got to figure out point of origin.
If there's a machine you got to lock down or do whatever. You've got to secure logs, forensic data.
[Matthew Fisch]
I mean, that's all part of it while it's...
[Christopher Regan]
That all depends on who you are, because if you have a team or you have a person who can do that, and you have the right logs and you have people who have the ability to access that, then cool. That's all part of boom and you can deal with that yourself. But most organizations don't have that.
They don't have people who have the training and experience to deal with those during boom time. They may have the training and experience to, if they were given the log files or if they were given a system that's in fine order to go in and access and get what they need from it. But a lot of those people that you need to contact are people so that you can get those, as we were saying that the smoke jumper team to come in and be like, okay, we know how to contain this.
We know how to deal with this. We know how to get the logs that we need to track where the origin was and what the weakness was that allowed them to get in in the first place. Because I mean, if you go in and you try to remediate and you try to contain, it's kind of like with wildfires.
They say that a wildfire is 80% contained. Well, that means that there's still a wide opening that it can still keep moving and still keep going. And until it's 100% contained, and you won't know it's 100% contained if you don't have people who have the right training and experience to be able to be sure that they actually fully contained it.
Because sometimes those threat actors, if they see what you're doing, if they still have an eye in your system and they see what you're doing, they're like, oh, they're trying to shut us out this way. And they think that this is how we got in. That's not how we got in.
Let them do that. We'll go quiet for a little bit. And then we'll come jump back in and re-screw everything up in a way that's helpful to us.
And that sort of second wave hit can be even more devastating because they'll take their time. It all depends on how bad the group is that you're dealing with or how vulnerable your system is.
[Uncle Marv]
True. But the reason I'm saying this from an MSP perspective, and Matt, you may have a little different opinion. We're on the front lines and we're being told by, not you, Matt, but by vendors, install this software and all of this stuff will be taken care of.
We're left on the front lines to make sure all of that's in place. And yes, if we had done our left of boom and prepared and all of this stuff, usually when boom happens, we're the first point of contact. So we've got to at least do the lockdown and do some of the first part of that investigation.
Sure, afterwards, when it's a full-blown investigation, we're going to bring in all the real experts and stuff. But there's still a lot of stuff on our shoulders that the expectation of our clients is you're going to take care of this.
[Matthew Fisch]
I think it really depends on the client relationship and your operational maturity as a service provider. I think it really matters. And even if you have a high operational maturity, not all your client relationships are going to be at the same level of service.
So as a really great example, there's this concept of backup isolation, which 15 years ago, we used to just call these offsite backups. Someone brought those tapes because they were tapes. Someone would bring the tapes home and put them in their sock drawer.
And we would know that those tapes would be safe if the building burned down because they're at home in whatever manager's sock drawer. We know that they're offsite. I think that as a service provider, if you've got that really great backup isolation and you know that and you're sure that that incident is contained to a specific client, let's just presume that that's the case.
Lacking other information, let's also presume as a service provider, you're locked down. You're doing all the right stuff. You're probably more secure from an architectural and a process maturity standpoint than your client.
And they're the weak point. They've been impacted. You may have those backups isolated and you may be able to even lock them down further or take copies, whatever you need to do.
But much of the time, we don't have that in place. Or you have those backups, but the client also has access. And the client CEO has got it on his MacBook file called backups.txt. Who knows? He's got the password right in there. And the attacker's in there and they've got it too. And they've got root access to whatever.
So it does matter. What is your protocol? How do you protect those things?
In addition to that, what tools do you have in place to lock down a client environment? If you drilled into your architecture methods for an emergency lockdown, the way we do on buildings, you might have an easy button. But if you haven't architected that easy button, it's probably not easy.
Because we've got service accounts, we've got cloud accounts, we've got security keys all over the place that have access to things. We've got SaaS talking to cloud, talking to on-prem, talking to laptop, talking to phone. If you don't know how someone got in, how do you isolate all that?
At the very basic though, you know, there may be a protocol you set up with a client that's at a higher maturity level to have a lockdown process, but that's a fairly sophisticated thing. So I think Marvin, I'm curious if you've been in a situation of chasing containment where, I think it's, you know, if you've got a piece of malware on a specific machine, you've got like a localized detection, the simplest basic thing you should do is just disconnect that thing from the network. Don't even power it off.
Just make sure it's disconnected from the network. Disconnect it from Wi-Fi, pull the cable out, whatever you need to do there. That's a really great way to isolate that.
But you don't really know, unless you know exactly how that malware got on that machine, you don't really know where it came from. Did it come from this other machine right next to it? Right.
So I'm curious, it's been a long time since I was chasing malware, like personally, like a firefighter around the network, because I'm on the proactive side these days. But I'm curious in recent times, have you gone beyond isolating a machine to say, I'm going to lock down an infrastructure company and then we're going to go into like, like turtle mode?
[Uncle Marv]
So I can tell you, so I've had two boom events in my career. One goes a few years back, probably 2015. And it was a fairly easy, fairly simple thing where files were starting to be encrypted.
And I was alerted because of the backup that we had that would, you know, it wasn't real time backup, but it wasn't like we didn't wait till 8pm at night to back up. We were backing up periodically throughout the day and had a system in the backup that alerted, hey, there's encrypted files in this backup. So we were able to identify it pretty quickly.
We're able to track it back to the workstation, shut that user out, and everything was fine. And it wasn't really, you know, that big of an incident. And yes, we had backups, we restored those backups in just a few minutes, they were fine.
I did have a recent event where they weren't a client yet. And I have to stress that because it was in the midst of the transition where they had let go of their previous provider, were bringing us in, but had not yet signed the agreement. But had an incident that happened overnight.
And they came in on a Friday morning with nothing. And it was a big deal. And that was a situation where we couldn't trace it.
We didn't have anything in place to trace it. But they were yelling and screaming, like, you know, well, we hired you to take care of this. I'm like, you hadn't signed this paperwork for us to even put stuff on, blah, blah, blah.
It was a whole mess. So I don't know how that turned out because we hadn't engaged 100% with them. So we basically were like, look, you're screwed.
That's not the right example to use.
[Matthew Fisch]
It's not a normal client relationship for that to happen. But it's also not that unusual for an organization to realize they're underinvested, maybe even suspect something's not right, go hunting for solutions, but it's way too late.
[Uncle Marv]
It's too late, yeah.
[Matthew Fisch]
And it's possible that someone knew something was wrong, and that's why they were talking to you. And maybe we'll never know.
[Uncle Marv]
No, and that's a whole different case where that whole left to boom discussion has to happen. I mean, these are the things that have to be put in place in order to do business properly and be prepared for a boom, which nobody thinks will ever happen. Even if they did have something happen, you mentioned lightning strike.
Lightning never strikes twice in the same place. We're never going to get hit again, which is different.
[Matthew Fisch]
You don't need to drop the whole lightning thing. It is so much more like an earthquake with aftershocks and tsunamis. The boom may happen, and you may not know, but a week later, that tsunami just comes and just devastates you.
And it may be happening to someone else, and the aftershock ends up hitting you later. You're not the one who actually got hit by the earthquake itself. I mean, people don't want to hear it, but where these types of events happen, they tend to keep happening because bad actors see a weak spot, and they like to keep hitting the same people.
[Uncle Marv]
Yeah, that's what I tell clients. Look, if a burglar hits your home because you didn't lock your door, bet they're going to come back and see if you locked your door. And if you didn't, they're going to come in again.
And if you did lock the door, they're going to check the windows.
[Matthew Fisch]
Because maybe- Marvin, that story you told about the crypto-ware, I think that that... I have this nostalgic memory of a simpler time when they were just breaking in and encrypting systems at random, because it is so much more sophisticated these days. That was basically the beginning of an industry, right?
Yes. That was when the cybercrime industry was basically working out of their garages, right? And these days, they're all billion-dollar corporations, and they don't naively, randomly encrypt things after they break in these days.
They get a toehold, they shine around with their flashlight. Here's the difference.
[Uncle Marv]
They start mapping things. Yeah. The difference is, back then, they were just spray-washing everything.
Now, they're much more surgical, where they can go in and look and see, is there stuff here that's worth something?
[Matthew Fisch]
Well, not just look, wait. Because they'll get in, they'll look around, they'll map the network, they'll map the assets, they'll find everything there is to find with highest possible access everywhere, which might take months. And if there's nothing interesting there, if there's not actually any value to extract, they're just going to hang out.
They're going to hang out, and they're going to wait for something interesting.
[Uncle Marv]
Yeah. They're going to leave a tracker, and one day it may alert them.
[Matthew Fisch]
Yeah. I mean, it could be that day that you log in online banking, that you don't normally log in on that computer. It could be any number of things.
It could be the day after you signed that really amazing contract and got that first check. You're not looking for them. They're not setting off alarms that a normal user would see.
And even some of these, we've got really sophisticated detection tools out there right now that really struggle to detect an attack until it's moderate to late stage. Because sometimes the attack code, like the malware type code, is not implanted in a system until the attacker is ready to strike. When they're just in wait and see mode, there may be no specialized code, no specialized commands, no specialized scripts.
They're acting as much like a normal user as they possibly can, because they don't want to set off any alarms. And then at the moment that they want to strike, at that point, it's a race. But there's that whole period of time before that where the anomalies are really difficult to detect.
And you need to do a lot to be able to distinguish normal user from not normal user.
[Uncle Marv]
They're in learning mode, kind of like a lot of the tools that we deploy, where we say, okay, put this in place, let it scan for 30 days before you lock it down. They're doing the same thing, but on the other side, they'll go in, scan around, and wait until they can deploy. So we got a very long pop-up here.
I got to pull the glasses out for this. Bruce writes, have been through some booms. We often get cold called during boom, either by a prospect we had yet to sell or some new company who literally searched for our help.
Frustrating, but fascinating. Companies often don't think it will happen to them. Some MSP clients sign risk acceptance forms because something is inconvenient, like limitations on admin accounts or even MFA.
Then they get got and realize how hard it is. The months of infiltration, the hanging out in your environment.
[Matthew Fisch]
Yeah. Looks like Bruce ran out of room. Yeah.
[Uncle Marv]
Well, that's what happens with the boom, right? Sometimes it just goes on and on and on.
[Matthew Fisch]
Yeah. So, okay. We talked about that moment, but should we do a one, two, three, what you should do in the moment other than don't panic?
Because we're going to presume that that's the table stakes, right? Not panicking. Yeah.
Go for it, Chris.
[Christopher Regan]
What's step one?
[Matthew Fisch]
Step one is whoever notices it first has to reach out to your SOC or your response team, because regardless of how mature an entity you are, you should have whoever from your organization is going to be involved in the response. People in marketing, whatever, who are not going to be involved, but there are going to be some people from your company who are going to be involved with working with the response. If it's people who are technical, who are going to handle things, that's great.
If you need to bring people in from the outside to be part of that, those people need to be a part of it. You need to contact and get those people on. And hopefully it's not random, like whoever's hanging around, right?
It's like a specific list of people. You should have a preset list of people of who would be involved if something happens. And you may, per the incident, bring in some people who aren't typically a part of it, because maybe it impacts some specific business segment that you didn't have as the part of every incident team.
And so it affects their team, but you need to assemble your team and you need to start having regular meetings about what is happening. And you need to know what your requirements are. Some countries, some contracts that you're involved in may require you to tell certain people that something has happened at a certain point in time.
And you want to make sure that you are following through with whatever those timelines and requirements that you're going to be held to are. And so that's where you're going to want your attorney brought in, just to make sure that people are going to follow whatever it is that you're required to do. And you don't screw that up, because the last thing that you want is to be dealing with fixing an incident and a legal problem on top of that.
So you bring them in to help with that. You get, you know, if you have to bring in, you know, a forensic team or whoever, you have them start looking, you want to start pulling any logs, anything like that, you can get immediately because sometimes boom is not just the lightning strike, it is a, you know, rolling thing that keeps on happening and things keep on getting worse and worse. And the bad guys haven't gotten to everything.
And sometimes they haven't gotten to some of the logs yet. And you can get those, you know, exfiltrated from wherever, you know, has been infiltrated by them, and get it to somewhere that you can start examining before the bad actors get to it, if they're going to keep on going. And that way, you can figure out how long they've been in your system and what sort of things they've gotten access to, because all of that will have an impact on what you're doing and how bad it is of what you're doing.
Because if you roll back to a backup, and the backup is something that, you know, is from 24 hours ago, but they've been in your system for 12 months, rolling back to, you know, to 24 hours ago, isn't going to get you much of any sort of a real help. Well, the rollback, that's a dangerous thing, right? If at all possible, you don't roll back, right?
You take a copy, and you redeploy, hopefully on spare equipment, spare cloud resources, something like that. You don't shred the system with all the evidence in it, right?
[Uncle Marv]
Well, before even considering the rollback, you've, you know, first got to isolate, you know, what's affected and make sure that there's no more movement, you know, lateral movement or anything like that. So you've got to do all of that before you even consider the rollback.
[Matthew Fisch]
Yeah. Yeah. Containment.
And I mean, to do containment, you have to know what systems you have. You have to know where they could have gone, where they could have laterally moved. Inventory is something that a lot of companies are lacking on.
And if you have that in place, doing the containment is a lot easier. By inventory, you mean like lists of devices, lists of users, lists of software, lists of- Yeah. I mean, lists, yeah.
Lists of devices, lists of users, lists of accounts, lists of data that you have, you know, a data inventory is something that, you know, plenty of companies don't have. What kinds of data do you actually have and what systems are they on? Because if, let's say you have social security numbers, but they're only on one type of system that you have.
If you can identify that, you know, they, the bad actors didn't get to that system, they haven't laterally moved to that place yet, then you don't have to worry about that. And some of your requirements for, you know, notifications or certain legal things that you need to do because of that, you don't have to worry about. And your, the impact to you may be less, or if they're getting into certain, you know, accounting things that you have, you may have less worry if the information they're getting to, or they have access to is less sensitive than, you know, your issues with either doing a, you know, a rollback or doing, you know, whatever method of remediation will be less constrained if what they've gotten to isn't as important. So you, you talked about some really important things, but there's some pre-reqs here that I just want to bring up. One is when you've got the team, the incident team, right?
The handling team. It's really important that everyone knows how to contact each other. So it's not just names of people, it's modes of contact.
And this is something you need to think through really carefully. So like a company email address is not particularly useful if you can't trust the company email server. So this is actually tricky because on the one hand, you want to make sure you have multiple ways of getting ahold of people.
But on the other hand, you want to make sure that those modes that you're using during the incident, the attackers can't just watch the whole incident communication while it's happening in real time, which they totally want to do and will try to do and they seek out. I've seen that happen multiple times where you have business email compromise situations where they're going in and they're sending emails out on your behalf. And I mean, in some of them you have no access to your emails anymore.
They've changed all the passwords, they've changed all the MFA or added MFA when you never had it, which everyone should have MFA. The people who are against MFA, you're wrong, just get MFA. But yeah, they can make it so you have no access to it or they may have it so that you still have access, but they see everything that you're doing.
And if they see everything that you're doing, they can stop you or they can use it to their advantage. I normally don't recommend encrypted messengers for business communication, but this is one of those places where a Signal group chat maybe belongs in your organization's planning process. The other thing you mentioned there where there's a pre-req is you talk about socking away backups, copies of logs and stuff that presumes, and hopefully you've thought through in advance where that place you're going to put things safely is, that you know is safe before you put the things there.
You certainly don't want to put them in a place that the attacker has access to. And then you need to make sure that there's some way to get information there. And so that's sort of a pre-req as well.
And that's one of the reasons that when these booms happen, if it's something like that, where it's a more significant type of incident, you know, using your cybersecurity insurance and getting the outside forensic teams involved is such a big help because when you can bring in a team like that, they will have access to their own systems as a place where the logs can go and places where it's safe.
All right.
[Uncle Marv]
One other thing I want to throw in there, a big thing to do is to document everything during whatever it is you're doing.
[Matthew Fisch]
So from the time, right?
[Uncle Marv]
Yeah. I mean, you've got to say, okay, this was, you know, noticed at this time, this was our response. We started the incident response deal.
We blocked the machine. I mean, putting all of that stuff in a documented form will save a lot of time and probably headache later.
[Matthew Fisch]
And one thing to that as well is if you have put any sort of public or quasi-public notices about what you will do in certain circumstances, any sort of procedures or safeguards or things like that, that you're going to do, you've got to follow them because you can be held so responsible for going out and saying, we're putting in these protections or we're, you know, going to follow these procedures under these types of incidents and then not doing it.
Yeah. That's a big pet peeve of mine, actually, is when people lift policy templates because someone asks them for their policies and they're like, oh, we need policies. And they go and buy like a template package and they barely read them.
And they're like, here's our policies. And I've been handed many of these policy books and looked at them and said, there's no way the organization is doing half of this stuff, right? Or a quarter of it, you know?
And really all that policy has done is get them in trouble if they ever need it.
[Uncle Marv]
All right. So we are coming up. We've got five minutes till the top of the hour.
Matt, you and I can stay, but I know that Chris, you're going to have to bolt on us here. So let me give you a little bit of time. Do you have anything else, you know, that you're thinking of that people should know what to do during boom?
[Matthew Fisch]
So the main thing that I'll say that hasn't been mentioned is, you know, Matt mentioned earlier that like, you know, some companies when there's like a minor incident or something that they think that they can handle on their own, they try to sweep it under the rug. You really shouldn't do that. And oftentimes your cyber insurance policy is going to require you to notify the insurer of it, even if you don't actually make a claim on it, even if you don't use anything from that, you may still need to tell them that even something minor has happened just so that you continue to be covered.
Because if something bigger happens down the road, or if this minor thing turns into something bigger and they find out that you didn't tell them, then they can say, yeah, but you didn't follow the terms of your policy. And they can pull the rug out from under you, which if you're in the middle of an incident, you really don't want to be losing your cyber insurance coverage during an incident. So make sure that you, you know, cover yourself and figure out what the requirements are that your cyber insurer is going to be putting on you and that you're following those.
[Uncle Marv]
All right. Thank you very much. I'm going to go ahead and let you get ready to head out, Matt, if you'll hang with me.
We have a last thing that we'll do here that my regular viewers and listeners will want to hear. We are going to do our Florida Man segment, and it's not your normal segment. But I should also tell you, March 1st, the Florida Man games will be happening here in Florida.
I will be there and filming, not actually filming, on Netflix right now, Florida Man series. And I just found out today, I'm going to have to make a graphic for it for next week. If you want to be a part of Florida Man, HBO is going to start filming in April.
They are going to have tryouts. If you have a Florida Man story, HBO wants to hear from you. But in the meantime, our Florida Man story, I'll just say this.
If you ever hear of a place called Pasco County, Florida, you know that there's going to be a Florida Man story that comes out of there that is just going to be ridiculous. So in a bizarre turn of events that could only happen in Florida, a Florida Man dressed in a Dalmatian onesie led authorities on a wild chase. On January 27th, 36-year-old Dylan Keith Devereaux decided to take his spotty attire for a joyride that quickly turned into a full-blown police pursuit.
Just after midnight, FHP Patrol, which is the Florida Highway Patrol, attempted to pull him over for reckless driving and speeding. Instead of stopping, he floored it, pausing briefly only to drop off a passenger. The chase ended abruptly when he crashed his vehicle into a tree.
But undeterred, our spotted suspect leaped from the car, prompting troopers to deploy their tasers. Despite being brought to the ground, Devereaux managed to wrestle with officers in the road. As they were putting handcuffs on him, he escaped and sprinted into the nearby woods.
A K-9 was called in and they tracked him to his home, and at the house, his girlfriend refused the officers entry, citing concerns about drugs on the premises. So the next morning, they came back with a warrant and apprehended him. So he faces this laundry list of charges.
Fleeing to elude, escaping, reckless driving, leaving the scene involving property damage, battery on a law enforcement officer, assault on a law enforcement officer, resisting an officer with violence, resisting an officer without violence, depriving law enforcement officer of equipment, drug equipment possession, possession of a new legend drug, I have no idea what that is, possession of methamphetamine and petty larceny.
Nothing related to that onesie he had on.
[Matthew Fisch]
I'm confused. How did they stop to take a photo of him in the middle of that somehow? That's before he escaped, right?
[Uncle Marv]
Yes, I think that's when they were attempting to arrest him the first time and then he escaped. And then the other pictures you saw were his flip-flops he left in the road and his drug paraphernalia and his car crashed into the woods.
[Matthew Fisch]
So well, thanks for having me on, Marv. I got to tell you, I've got a Florida Man versus story for you.
[Uncle Marv]
Yeah.
[Matthew Fisch]
Next time.
[Uncle Marv]
Okay.
[Matthew Fisch]
Yeah. I'm going to save it.
[Uncle Marv]
All right. We'll do that on another time. But for now, folks, thank you.
For those who were here watching, remember this was part two of our cyber incident corner. We will have part three Friday, February 14th at 2:30 PM Eastern, and Matt Fisch will be back.
Chris Regan will be back and I will be back. And Chris, we're doing this on your platform, right?
[Matthew Fisch]
So we're on mine.
[Uncle Marv]
Okay. Yep. So we'll be on the Fort Mesa LinkedIn Live.
I do want to thank my sponsors NetAlly, Rythmz and Design Ready. And of course the patrons. For anything else you guys want to see, head over to itbusinesspodcast.com. Follow us there.
That's going to do it for tonight's episode. We'll see you soon. And until next time, Holla!
Founder/FortMesa and CISSP
Matthew ran and worked with MSPs for years before founding his security practice and eventually FortMesa — a platform designed to help service providers to own the full security roadmap of their clients. Matthew is a Certified Information Systems Security Professional (CISSP) and host of the MSP Cyber Roundtable weekly livestream.