Small-town street scene in Illinois American flag flapping in breeze by huge painted American flag fading from brick wall

Episode #36 - Covering the "What Ifs" with Incident Response Planning

What's the difference between having an Incident Response Plan and just "winging it"? This week the guys talk about their real-world cybersecurity incidents and share their knowledge about proper planning and preparation. Having an incident response plan for cybersecurity is important. Learn what goes into incident response planning, who should be involved, and how to ensure everyone is on the same page for quick response and minimizing damage during a cyber-attack.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at
Be sure to rate the podcast, leave us a review, and subscribe!

Mike's Headlines:

740 Ransomware Victims Named on Data Leak Sites in Q2 2021: Report

“Seven or Eight” Zero-Days: The Failed Race to Fix Kaseya Vsa, With Victor Gevers, Lock and Code S02e13

In case you thought you were safe with Linux

Sequoia: A Local Privilege Escalation Vulnerability in Linux’s File System Layer (CVE-2021-33909)

Or safe with Oracle…

Oracle Warns of Critical Remotely Exploitable Weblogic Server Flaws

In Other News..

Atlassian Asks Customers to Patch Critical Jira Vulnerability
Thousands of Humana Customers Have Their Medical Data Leaked Online by Threat Actors
Microsoft shares workaround for Windows 10 Zero Day SeriousSAM vulnerability



welcome to the cyber wrath podcast where  we're all about sharing the forbidden  
secrets and slightly embellished truths  about corporate cyber security programs  
we're ranting we're raving and we're telling  you the stuff that nobody talks about on their  
fancy website and trade show giveaways  all to protect you from cyber criminals  
and now here's your hosts mike rotondo zach fuller  and lauro chavez hello and welcome to the cyber  
ants podcast it is a glorious day and we have a  glorious topic for you on incident response and my  
number one goal with this topic is not to give  lauro any flashbacks so i apologize in advance  
lauro i know this can be a difficult thing  to talk about um but uh dealing with those  
those long nights um but that said why don't we  before we go into the nightmares why don't we  
talk about the news mike you want to kick  us off we've got some news tailored towards  
instant incidents so we'll dovetail into  our instant response conversation today  
740 ransomware victims named on data league sites  in q2 2021 report more than 700 organizations were  
attacked with ransomware and had their data posted  to leak data leak sites in q2 of 2021 according to  
new research from digital shadows out of almost 2  600 victims listed on ransomware daily 740 of them  
were named in q2 2021 representing a 47 increase  compared to q1 of that more than 350 of the  
organizations were based in the us i think that's  a small number i i think that we can guess they  
probably got 80 of the accuracy for the ones that  were reported to that site so yeah i mean that's  
just those report of the site there's those that  aren't reported to the sites those are just pay  
it's it's going up seven or eight zero days the  failed race to fix cassaya vsa with victor gibbers  
uh victor gebbers is a dutch security researcher  so anyway this is on off of malwarebytes cassette  
vsa include at least seven or eight privately  known zero-day vulnerabilities before it  
suffered a widespread ransomware attack that  impacted hundreds of businesses and security  
governs revealed that cassaya vsa vulnerabilities  represent just one data point in a far larger and  
more worrying trend the internet facing remote  administration tools are rife with flaws and that  
as organizations increasingly rely on such tools  for working from home environments cyber criminals  
will increasingly discover target and exploit  those flaws um that's something i think we've been  
talking about for a while we you know with the msp  issues and and those sort of things that we need  
to be concerned about it's definitely covered in  the book so and in case you were safe with linux  
there is a new vulnerability called sequoia a  local privilege escalation vulnerability like  
linux's file system layer uh successful  exploitation of this vulnerability allows  
any unprivileged user to gain root privileges on  a vulnerable host quality security researchers  
have been able to independently verify the  vulnerability to develop an exploit and obtain  
full root privileges on default installations of  1 2 2 20.04 20.10 21.04 db and 11 and fedora 34.  
so oracle isn't safe either oracle warns of  critical remotely exploitable weblogic server  
flaws uh oracle on tuesday released its quarterly  critical patch update for 2021 with 342 fixes  
including some that will allow a remote  attacker to take control of an affected system  
and lastly just three additional headlines i'll  at last see and ask customers to patch critical  
jira vulnerability thousands of humana customers  have their medical data leaked online by threat  
actors and finally our buddies at microsoft share  a workaround for windows 10 zero day called serial  
san sirius sam so those are all things that  would be considered incidents when they happen  
and we'll talk about how to deal with those later  laurel yeah i know that was all good stuff a lot  
of alliteration in the news this will make it  seem like gosh all right well for exploitation  
this week if you happen to be a company that  is hanging out with that 50 year old bachelor  
that still dresses like a 20 year old i'm talking  about wordpress well let me tell you they're still  
dating that prostitute that does heroin and crack  cocaine and all that because we've got a lot of  
plug-ins this week for uh exploitation so for  wordpress if you're using the simple post there's  
a stored cross-site scripting for that if you're  using the fixture title plug-in there's a stored  
cross-site scripting for that if you're using the  memetic books plug-in there's a default publisher  
id field that's also a stored cross-site scripting  and if you've got learn press or 326 or 327  
you've got a privilege escalation on 326  and on 327 you've got a sql injection  
from an authenticated perspective and if you're  using the um plug-in popular post you've got a  
remote code execution for that and i'm sorry not  finally but finally if if you've got current book  
one of the uh the book sharing uh plugins there is  a author field stored site scripting for that so  
you are living in the data zone if you're dealing  with wordpress today so watch out for that stuff  
and make sure you got your plugins updated and  that's all for exploitation the wordpress exactly  
of technology pretty much we've got the  meats we got the meats we we need to do  
something and uh welcome any ideas from the  listeners but we need to do something if we  
get and go for more than three weeks without any  significant exploits from wordpress and microsoft  
so if we could go for three weeks and have nothing  significant we should throw a party we should do  
something that will never happen you gotta  lower your expectations you gotta make it like  
three days i know but kind of like one of  those kind of a game you know of some of sorts  
you know like in a manufacturing plant when  they have it's been 15 days since any incidents  
or whatever and then they they get to  keep adding if they hit a hundred days  
you know oh i get it i get it i'm just saying  you got to make the game winnable i mean at least  
somewhat achievable i think three weeks is there's  no way i don't i wouldn't give them seven days
it doesn't have to be no exploits at all just know  nothing serious you know just minor trivial things  
uh i thought i'd be even be  okay with that right just  
just nothing serious but yeah you're  probably all right i mean probably
it might be a lost cause it's like one of  those games that you just never get to win  
throwing the controller at the screen well we'll  see we'll see sad to hear about oracle this time  
you know that that's hey it's something different  so well i'll put that in there because you know  
why not we haven't talked about tasking either  for a while and oracle's got their share of  
messes as well well they're all i think that's  that's important because they're all with all  
of this stuff happening they're all in the middle  of incident response pretty much right yeah well  
that was a little idea and then that 740 people  in the mall on the ransomware you know that's all  
incidents and uh at what point does incident  response no longer become incident response  
but just a way of life operations yeah yep wake up  today deal with the breach yeah use this as usual  
i imagine that wordpress has like an incident  operations department that's like this that's  
all they do i don't know how they handle that  stuff i mean because it's being all open source  
i wonder who yeah i guess it's the community but  there's got to be somebody there dealing with this  
stuff i would hope but i love the fact that  microsoft positions themselves as a security  
vendor and you know has all this influence with  the government on security yet you can't go a day  
without a microsoft issue yeah i'm not letting  the barber with a bad haircut touch my hand  
well said yeah want even more cyber ants be  sure to subscribe to the cyber rants podcast  
get your copy of our best-selling book cyber rants  on amazon today this podcast is brought to you  
by silent sector the firm dedicated to building  world-class cyber security programs for mid-market  
and emerging companies across the us silent sector  also provides industry-leading penetration tests  
and cyber risk assessments visit  and contact us today well why don't we talk about  
incident response and and uh hopefully share  some knowledge that helps people and and uh the  
goal behind all this of course is that you don't  have to ever deal with it right so that's that's  
the the proactive side that's what we spend a  lot of time talking about building an effective  
cyber security program and all that but even  with all that there will be incidents right i  
mean that certain things can happen it doesn't  have to be a breach it can just be something is  
going on with your technologies that you need to  investigate right so what do we talk about first  
i was going to ask you know why do you need an  incident response plan for those people that are  
um fairly new to this and are you know thinking  about building this stuff for the first time  
but um rather than why because i think that's  blatantly clear in today's environment um  
do you have any stories you guys are willing to  share not to put you on the spot no no pressure  
but any stories about any organizations without  naming names uh that have had a major incident  
that did not have an incident response plan and  which wish they did afterwards anything you're  
willing to share oh dirty laundry okay you want  to pull out do you want the dirty sock or would  
you rather have a dirty pair of drawers i mean no  details you know no dvd i don't even need to know  
of course just a high level just i just know it's  dirty right that's all i that that's sufficient  
okay well it's it's dirty okay yeah so you know  or organization they're they're they're in a in a  
very specific part of the i guess the job families  here and business families here in the united  
states so anyways got a lot of data and um they  they put in some pretty cool security technologies  
but they hadn't turned them on which i i think is  is interesting and then they they also um you know  
kind of kind of leveraged windows defender in its  base form right like old-school windows defender  
like the windows defender that like came  on windows 7 like that windows defender  
and they've got that kind of as a you know as a  their their daily you know anti-malware and so  
when they when they got hit they got they had you  know absolved the hemitek variant and so when that  
happened to them um it you know no documentation  there they were like a small i you know they  
had a good it team right maybe 10 or 12 people  solid solid individuals but no maturity around  
cyber security program or doing you know  doing these incident response or trying  
to understand business continuity um plan of  actions any of that none of it done and so um  
you know i mean it you know it what so what  do they do that you have to call for help  
right and they had to learn the hard way the the  benefits of you know having these things in place  
and then also practicing with your technologies  that you purchase you know i think that happens  
a lot is it the business doesn't trust some  of the technologies that go in you know and um  
and it's a i don't i don't want to contribute  to the vaccine situation that's happening but  
you know these there's some really  cool technologies that that you  
can install that can can use artificial  intelligence decision making to help you  
and to alleviate attacks that are they're  happening but i think what what happens is a  
lot of organizations are reluctant to turn those  devices on and that's what will happen right and  
so in this case no incident response no planning  led to a mass takeover with a ransomware variant  
that ended up costing the organization um lots  of money they didn't end up having to pay ransom  
because of some clever individuals but um  i think that you know all of the all the  
other stuff and the cyber insurance  and all of the time it took to bring  
everything back because they had to come  back from square one high dollar attorneys
territories so are you saying if you have a if  you're paying for a security platform for say  
six months or a year that you  should actually turn it on  
yeah probably okay i probably should probably  good advice make makes decent sense i'd say  
yeah but more so than that i think that you know  had they um you know they had they practiced some  
of this stuff or kind of understood what to do  when things happened it would have put them in  
a better place right i mean it was a you know most  of the time it's either there's there's two things  
right and i think this attributes back to pretty  much anything in life that people who practice  
things you know and you can call them um we'll  go we'll go for like the preppers and the bug  
out right that whole genre of individuals right  they go and practice things or maybe they have i  
watch this on netflix right and so this guy had a  boat and like he took it down the river and he had  
this like little like little hut way out in the  middle of the woods and he had like this device  
where he would blow the tree and the tree would  fall in the river so he could stop people from  
chasing him and they would practice this like  you know a couple times a year okay that that  
same thing what it does and you know for for the  military people you understand that there's a  
repetition of practice builds this sort of kind  of a comfortability under a high stress time  
i mean it just you know you just like paramedics  everybody else they train right in that and that's  
something that you you sort of inherit from seeing  that or playing these like games out over and over  
again right and then when finally the real time  happens it's sort of a second nature to react now  
you know what to do you don't have to think about  right in this particular case how long so tell us  
how long they were this the organization  was down basically people couldn't work  
and basically operations stopped um as it  stood as it happened and then how how much  
quicker could they have responded and been back  online had they had an appropriate plan in place  
sure um so i i want to say it happened on a  i want to say it happened on like a thursday  
uh they they didn't really figure out what was  going on until friday and by saturday they were  
in a panic mode basically asking  for help at that point and so when  
i want to say it was i think it was a  saturday afternoon that i got involved  
um it was i mean so here's the thing is that  they're you know for the techy guys out there  
this is an organization that relies on active  directory okay so as you've got your domain  
controllers you know that they kind of are a  very fundamental piece in an active directory  
core structure so they had you know 14 or 15 of  them all of them are compromised with ransomware  
okay so they're down i mean it's in so this week  so we're rolling into you know sunday and mondays  
you know still just kind of a chaotic couple  days to try to trying to contain right  
and we'll talk about those processes probably  here in a minute right like the containment part  
of incident response but we're trying to contain  this from happening right because it's you know  
ransomware so it's replicating itself over and  over again to different systems um and so we're  
we're trying to um you know basically just contain  this at the same time trying to rebuild because  
the first thing that that happened was all for  whatever reason to me it was very structured  
but the domain controllers were pretty much  the first thing that happened in the attack  
because because after the ransomware got a domain  admin account that was the first thing it went for  
right that was the first thing that they did  they deployed to the domain controller so the  
domain controllers are completely wiped down  as well as other servers okay so rolling into  
monday team realizes this is a pay week so they  they have i don't know a couple hundred maybe  
two or three hundred employees and contractors  that are expecting to get paid this week  
so that's not going to happen they're going to  have to write paper checks right it's not ah  
ach and all that stuff's not going to go down this  week so they've got away at least they've got a  
mitigating factor they can bring people in but  they've got a whole huge work remote for us now  
right so now we've got five or six or seven  hundred um laptops and maybe they were bigger than  
that maybe there were more maybe there's more like  800 or so people but they have all these laptops  
now that are in various places that are all on  the active directory vpn that are now have the  
ransomware as well so now there's this mass call  that goes out for employees to start bringing  
their their workstations in to get re-imaged and  reissued um so that they could you know continue  
to do some of their consulting gigs so that that  pretty much wiped out the first like from that  
monday to the next like tuesday or wednesday and  so it was probably i want to say that it was about  
we were we were able to bring back active director  controllers and core business systems probably  
within six to seven days and then i want to say  that um from once we got them to a stable point  
i want to say they still had about a month and  a half to two months before they were back to  
normal operations wow zach so i want to say it  was about it might have taken them two and a  
half months total to maybe three months to to  recover i wouldn't even say 100 i'd say that  
that's probably 80 recovery um and then they're  still trying to figure out what they don't know  
and had they had a a proper plan in place with  backups tested and everything else what do you  
think that would have shortened the time  to probably a day or two maybe less because  
what was happening here is that they were  a virtualized environment i know people are  
thinking why did they back up they didn't really  have a backup strategy they were taking snapshots  
okay so they they had some snapshots but it wasn't  like core data it was like operating system based  
snapshots right for con for for building  systems and you know for in dev and test so  
some of the things you know like were they had the  capabilities to do it but to answer your question  
specifically had they been you know thought  this process out and said okay what happens if  
the active directory controllers go down how do we  rebuild they would have worked themselves through  
this kind of problem reaction solution scenario  where they find you know what what's happening  
what are we going to do about it and then how  do we resolve back to normal and then would  
have realized that the snapshot methodology that  we're using wasn't sufficient enough to bring back  
core computing systems in a short amount of time  um so they would have you know seen that in the  
demonstration of this exercise and been like okay  well that's not gonna work we need to we need to  
think of something else right well maybe if we  take system state data and then you know move it  
offline to this or write you know something else  or increase the frequency of the snapshots and  
then provide an offline backup so there's you know  there were things that they could have maybe done  
through exercise and thinking through the process  of incident response than business continuity  
that would have helped them recover because the  proper technologies like in a docker or something  
like that would have helped them recover hours  they could have been back up now that's not i'm  
talking about the laptops that that part of the  collateral damage is what it is right the physical  
assets you have to repair that's just going to  be the time it takes for people to bring their  
things in right unless you've got some form  of advanced malware that can you know do some  
really incredible sandboxing and remote you know  removal um otherwise you're going to be bringing  
those machines in probably and you may still want  to do it even if you know your your malware says  
it's contained but you need to take a manual step  to remove the rest of the you know the malware  
so you're going to want to bring those physical  assets in anyway but for core business operations  
right your service your databases your you know  core systems for the business that stuff should be  
99 uptime like if things hit it you should be  able to tear down and rebuild within hours and  
so that running those exercises and having that  documentation i think would have greatly greatly  
increased their recovery time critical critical  well let's talk about i mean that perfect example  
um i think it's crystal clear why an incident  response plan is is needed and not just a plan  
on paper but tested and such so let's talk about  the development of an incident response plan  
from the point of view of an organization  that's never put one in place let's just say  
start from the ground up we need  to build an incident response plan  
what do we do what's the process how should  we be thinking about that um and mike i know  
you love to write this type of stuff up and  plan these types of things any thoughts well i  
mean you have to start with identifying your key  resources and then you need to identify your key  
components that may be affected and then  you're gonna have to you know do the research  
to determine what kind of instance may happen um  one of the flaws that i see a lot of these instant  
response plans is they get so into the weeds on  some of this stuff that they take everything into  
account and turn a document that should be 12  or 15 pages into something that's 60 pages long  
and cumbersome and i'm basically use unusable  because they've you know they put everything into  
there instead of trusting into the knowledge of  some of their people so i mean yeah identify your  
people develop your racy properly understand who  needs to be involved and who doesn't and decide  
you know what instances need the most attention um  and when we talk about instant let's let's just be  
clear we're not talking about a single point  of ransomware someone opens a phishing email  
and the you know the antivirus software you know  carbon black or whatever that's on there happens  
to grab it and it's done that is an incident but  that's we're talking about major incidents here  
we're not talking about minor incidents right so  anything that could be handled by your tier one at  
your help desk is is not really truly an incident  so i mean that's your plan you write it out you  
decide who's who needs to be involved and then you  put together certain scenarios you put together  
a workflow decide who has to be engaged from a  non-technical perspective uh for anything major  
that occurs start from there so you just have to  think it through and then the other the other key  
piece is testing it make sure it works make sure  people know what they're doing the worst tabletop  
exercises we have for ir is when one person is  the only one that speaks and it's the director  
and then you know we go through tabletop  exercise we have these technical people here  
and no one talks as the director because he's  the only he's the only ones ever ever seen  
the ir document yeah not a good position  to be in how how would you guys suggest  
setting up so you have your incident response  plan in place documented you have your workflows  
you have severity level classifications your  points of contact right how would you recommend  
disseminating it getting everybody that needs  to be involved on board and making sure that  
they understand what it is they're supposed  to do tabletop exercises i think is what  
what we see the most um has the most value and i  think it it it's the most fun part of it i think  
but uh you know to kind of add into what mike said  you know when you're developing this documentation  
you know get your you know start thinking  through like okay so great example right  
just to you you're dependent on on um office  365 okay what what happens if if for whatever  
reason office 365 gets some dns attack in the  future right and it's down what what is your  
backup method of communication with your employees  right that sort of thing right how are employees  
supposed to communicate with each other little  simple activities like that right um are are part  
of this right not just you know someone clicks on  a link and we get ransomware or you know amazon  
east goes down right i mean if something like  that happens there's probably bigger issues but  
the tabletop exercises i think are how everybody  can really get involved and you know not only  
are they required for compliance we don't need  to talk about that right this is just like good  
practice right if you if you're if you're out  there in your gun guy you like to go to the range  
if you're out there in your golf you know you like  to go to the you like to go to the range you know  
if you if you whatever sport you play you like  to go and you hone your skill right you at least  
keep up with your skill and that's what incident  response is it's a skill that everybody needs to  
to practice at and those tabletop exercises you  get all of your people that are going to be in  
that emergency response team right likes to get  all your critical people together if you've got  
two network guys and they're the ones that manage  everything they both probably need to be on the  
instant response team one of them might be sick  one of them might you know go away um and so you  
want to have both of those but if you've got a  larger team maybe only you know you need two out  
of ten right to be on that that emergency response  team but pull from your critical business areas  
get everybody in a room and um come up with a  with a with a scenario um it's real easy you know  
you can do it on a whiteboard you can do it we do  it in a spreadsheet you know with zoom calls and  
we say okay the time is 1101 am and we just got  notified from a client that our website is sending  
out um malware is serving out malware the business  website serving malware what do we do ready go and  
then start trying to induce that critical thinking  in your people and that's it starts right there i  
think to get everybody involved yeah i know i  mean that's a very good point and you always  
want to learn the secondary for every every type  of contingency so even even from the accounting  
department you want a primary in the secondary  and from hr you want a primary and secondary  
it also all ties into the bia the business impact  analysis as well that'll help you identify what  
applications are the most critical um and that  would really warrant function and actually note  
in your instant response document so one of  the things that you do need to make sure that  
you update your documents regularly because if  you're referring to your secondary communication  
as the on the on-call pager i don't know anybody  that has pagers anymore so hit me up 143. yeah  
when you have to pull out the scrolls and unroll  them you have to identify the horsemen that will  
take the message yeah well yeah that's that's uh  definitely a problem i think um people are are  
relying on still relying on documentation incident  response plans that have been built by people that  
left the company five years ago you know and  it hasn't hasn't been pulled out and dusted  
off since then so well these things every year at  least yeah the living document idealism we need to  
start talking about that because there there's  two types of documents there's a dead document  
right that's that's something that's like a a law  or something you know a memo and then there's a  
living document which is falls under all these  standards policies incident response included  
right these documents need to be updated regularly  they need to be looked at regularly i mean  
and mike and i know that in some organizations  there's a team of people that manage the documents  
yeah and you know honestly from a sock  2 perspective from a pci perspective  
uh from any compliance perspective those documents  could be updated a minimum every year and after  
every major change and that that's really what  needs to happen yeah because a good auditor is  
going to look at something that you've got  running on the infrastructure and they're  
going to look at the document and cross-reference  to you know validate that the evidence you know  
as substantiates as you're doing the right  things both programmatically and technology  
and we're going to see a difference right  somebody's going to see a difference be like well  
you're doing this but how come the document  doesn't say this or vice versa right the  
document says you're doing this but i we haven't  located a technology that provides this function  
yeah just like in your instant response document  dealing with your 2008 servers probably isn't all  
that important in the year 2021. now before we  wrap up to i want to share something that i think  
a lot of people miss or don't understand going  into this from the beginning um if you have an  
incident and you're just randomly calling  a incident response company googling for  
people to help you um you're all you're already  it's already failed right because you haven't  
set yourself up properly so of course there's  your your planning and such but you need to have  
you need to have cyber insurance i mean i  think that's pretty obvious in this day and age  
and you you need to go through your cyber  insurance firm in advance to understand  
their approved vendors for incident response talk  with those vendors pick one or two have the their  
contact information that documentation all that  make sure these are companies that specialize in  
incident response that have you know 24 7 people  on the line ready to go when something happens  
and approved through your insurance provider  otherwise your insurance provider if you just go  
out randomly chances are most of them are going  to pay probably half or less of the actual cost  
versus if it's a pre-approved vendor they're going  to pay a lot more so have your go through your  
cyber insurance provider to get yourself prepared  for this and also you need to have an attorney  
you need to have an attorney involved when an  incident occurs an investigation is underway  
by a third party the attorney is there to protect  you so have an attorney identified again one that  
either specializes or does an a tremendous amount  of work in incident response and understands it  
and the reason for that is in the the capital one  breach was a clear case of this and and i'm not an  
attorney by any means never even played one on  tv but to paraphrase what happened essentially  
mandiant was a cyber security service provider for  uh capital one on an ongoing basis well they were  
also brought in to do the incident response in  the breach and basically the court deemed that um  
because they had been providing ongoing services  uh that this work that was done was really between  
capital one and mandiant and was basically  subpoenaed right so the opposing counsel  
could get access to all the details of the breach  investigation that was performed by mandiant so  
when you go about this you don't you don't want  to have your evidence you don't want to have your  
breach investigation information handed over to  opposing counsel in the event of a lawsuit because  
then they can say oh they can point at anything  they want really say oh this is negligence this  
is negligence negligence you know and really try  to use that against you so have an attorney the  
attorney engages the um engages the incident  response firm you don't engage the incident  
response from the attorney does right because  that way you maintain client attorney privilege  
um for those findings right so again it's not  not legal advice but this is this is what we  
know through experience and having dealt with  these types of things in the past you need to  
have those parties involved a pre-selected couple  of incident response firms a good attorney or two  
and and your cyber insurance provider all  together and have that documented ready to go so  
hope that helps just because you know again so  many people reach out at random when an incident  
occurs and they need help but they're they're  already going about it the wrong way and could  
get themselves in a lot of trouble down the road  so not to make it too serious of a conversation or  
anything but that's i think that's important  for people to know well totally that's right  
yeah i mean especially if they're gonna if  they're gonna try to get damages you know  
refunded through insurance claim right so you  gotta you gotta play by the insurance rolls  
so it's good enough absolutely one of the things  that you need to be mindful of as well is that  
some of these contracts for insurance do require  forensic work and some don't and you need to be  
sure that you know which one you have before you  can bring a laptop in that's been exposed and has  
ransomware on a malware on it and you wipe it and  you've just avoided your cyber security policy  
because they've actually sold a point yeah a  chain of evidence yeah you've got to maintain that  
so yeah they're going to require so yeah but  again incident response plan practice and you  
know it you know one of those first steps should  be do we have cyber insurance yes or no the answer  
is yes we need to contact them yeah and sorry i  didn't mention this really but the simplest thing  
to do is i think you brought this up lauro is just  getting a room you know like we do a lot of things  
and just interview key resources and say all right  what do you do here what do you do here and then  
you develop your document from there the bobs yeah  what you're referencing yep what do you do here  
what would you say you do here bob excellent  talk any final smart remarks or questions ideas  
thoughts for the audience requests before we jump  off no i i think i don't know i hope this was a  
good talk i hope you enjoyed it you know again i  think if if you know you're you're just starting  
in this like mike say get in a room start going  through all of your critical technologies critical  
services and the people that the critical people  that manage those critical services and then  
go through some scenarios and what happens when  you check one off and and how did everybody react  
you can always engage an outside company to  interrogate your people i mean you can always  
you know buy eight 10 12 hours of consulting  practice for someone to help you develop it  
if you don't want to develop it internally let  them conduct the interviews yeah mike and i  
will come in and do the inquisitions that's  fine but you still have to bring the bagels  
and donuts and coffee absolutely we we only  work when there's bagels and donuts and coffee  
that's that's part of it part of the requirement  so yeah have a uh have a good uh pizza a local  
you know pizza shop on your incident response  plan too because your people are gonna get hungry  
so that's my advice yeah it's gonna be a long  night it's gonna be a long couple week nights  
you need to have you got breakfast lunch and  dinner planned for your teams because you may be  
five days 24 hours a day the dot com area when we  were still trying to bust stuff out to market and  
we'd work 18 24 hours a day straight multiple days  in a row and the executives thought it was it was  
okay as long as they provided us pizza you know  that that was you know would satisfy all our needs  
to do that for a month straight and it's like no  dude we're not like no it needs red bull too yeah  
and that's why scripting took off so you automate  the tasks thank goodness well thank you everyone  
for listening and joining us if you bought a copy  of the book on amazon please give it a rating  
let us know what you think and let us know  what you think of the podcast reach out  
anytime uh there's a web form  there you can do different requests or reach out  
on linkedin let us know what's on your mind what  we can talk about and what types of information  
you'd like us to share or stories or just  ranting so thank you again and have a  
wonderful day