
Episode #36 - Covering the "What Ifs" with Incident Response Planning

What's the difference between having an Incident Response Plan and just "winging it"? This week the guys talk about their real-world cybersecurity incidents and share their knowledge about proper planning and preparation. Having an incident response plan for cybersecurity is important. Learn what goes into incident response planning, who should be involved, and how to ensure everyone is on the same page for quick response and minimizing damage during a cyber-attack.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com
Be sure to rate the podcast, leave us a review, and subscribe!

Mike's Headlines:

740 Ransomware Victims Named on Data Leak Sites in Q2 2021: Report

“Seven or Eight” Zero-Days: The Failed Race to Fix Kaseya VSA, With Victor Gevers, Lock and Code S02E13

In case you thought you were safe with Linux

Sequoia: A Local Privilege Escalation Vulnerability in Linux’s File System Layer (CVE-2021-33909)

Or safe with Oracle…

Oracle Warns of Critical Remotely Exploitable Weblogic Server Flaws

In Other News...

Atlassian Asks Customers to Patch Critical Jira Vulnerability
Thousands of Humana Customers Have Their Medical Data Leaked Online by Threat Actors
Microsoft shares workaround for Windows 10 Zero Day SeriousSAM vulnerability

 


Send Us Your Questions & Rants!

welcome to the cyber rants podcast where we're all about sharing the forbidden
secrets and slightly embellished truths  about corporate cyber security programs  
we're ranting we're raving and we're telling  you the stuff that nobody talks about on their  
fancy website and trade show giveaways  all to protect you from cyber criminals  
and now here's your hosts mike rotondo zach fuller and lauro chavez hello and welcome to the cyber
rants podcast it is a glorious day and we have a glorious topic for you on incident response and my
number one goal with this topic is not to give  lauro any flashbacks so i apologize in advance  
lauro i know this can be a difficult thing  to talk about um but uh dealing with those  
those long nights um but that said why don't we  before we go into the nightmares why don't we  
talk about the news mike you want to kick  us off we've got some news tailored towards  
instant incidents so we'll dovetail into our incident response conversation today
740 ransomware victims named on data leak sites in q2 2021 report more than 700 organizations were
attacked with ransomware and had their data posted to leak data leak sites in q2 of 2021 according to
new research from digital shadows out of almost 2,600 victims listed on ransomware daily 740 of them
were named in q2 2021 representing a 47% increase compared to q1 of that more than 350 of the
organizations were based in the us i think that's a small number i i think that we can guess they
probably got 80% of the accuracy for the ones that were reported to that site so yeah i mean that's
just those report of the site there's those that aren't reported to the sites those are just pay
it's it's going up seven or eight zero days the failed race to fix kaseya vsa with victor gevers
uh victor gevers is a dutch security researcher so anyway this is on off of malwarebytes kaseya
vsa include at least seven or eight privately known zero-day vulnerabilities before it
suffered a widespread ransomware attack that impacted hundreds of businesses and security
gevers revealed that kaseya vsa vulnerabilities represent just one data point in a far larger and
more worrying trend the internet facing remote administration tools are rife with flaws and that
as organizations increasingly rely on such tools for working from home environments cyber criminals
will increasingly discover target and exploit those flaws um that's something i think we've been
talking about for a while we you know with the msp issues and and those sort of things that we need
to be concerned about it's definitely covered in the book so and in case you were safe with linux
there is a new vulnerability called sequoia a local privilege escalation vulnerability in
linux's file system layer uh successful exploitation of this vulnerability allows
any unprivileged user to gain root privileges on a vulnerable host qualys security researchers
have been able to independently verify the vulnerability to develop an exploit and obtain
full root privileges on default installations of ubuntu 20.04 20.10 21.04 debian 11 and fedora 34
so oracle isn't safe either oracle warns of critical remotely exploitable weblogic server
flaws uh oracle on tuesday released its quarterly critical patch update for 2021 with 342 fixes
including some that will allow a remote attacker to take control of an affected system
and lastly just three additional headlines atlassian asks customers to patch critical
jira vulnerability thousands of humana customers have their medical data leaked online by threat
actors and finally our buddies at microsoft share a workaround for windows 10 zero day called
serioussam so those are all things that would be considered incidents when they happen
and we'll talk about how to deal with those later lauro yeah i know that was all good stuff a lot
of alliteration in the news this will make it  seem like gosh all right well for exploitation  
this week if you happen to be a company that  is hanging out with that 50 year old bachelor  
that still dresses like a 20 year old i'm talking  about wordpress well let me tell you they're still  
dating that prostitute that does heroin and crack  cocaine and all that because we've got a lot of  
plug-ins this week for uh exploitation so for  wordpress if you're using the simple post there's  
a stored cross-site scripting for that if you're  using the fixture title plug-in there's a stored  
cross-site scripting for that if you're using the  memetic books plug-in there's a default publisher  
id field that's also a stored cross-site scripting  and if you've got learn press or 326 or 327  
you've got a privilege escalation on 326  and on 327 you've got a sql injection  
from an authenticated perspective and if you're  using the um plug-in popular post you've got a  
remote code execution for that and i'm sorry not  finally but finally if if you've got current book  
one of the uh the book sharing uh plugins there is  a author field stored site scripting for that so  
you are living in the data zone if you're dealing  with wordpress today so watch out for that stuff  
and make sure you got your plugins updated and  that's all for exploitation the wordpress exactly  
of technology pretty much we've got the  meats we got the meats we we need to do  
something and uh welcome any ideas from the  listeners but we need to do something if we  
get and go for more than three weeks without any  significant exploits from wordpress and microsoft  
so if we could go for three weeks and have nothing  significant we should throw a party we should do  
something that will never happen you gotta  lower your expectations you gotta make it like  
three days i know but kind of like one of  those kind of a game you know of some of sorts  
you know like in a manufacturing plant when  they have it's been 15 days since any incidents  
or whatever and then they they get to  keep adding if they hit a hundred days  
you know oh i get it i get it i'm just saying  you got to make the game winnable i mean at least  
somewhat achievable i think three weeks is there's  no way i don't i wouldn't give them seven days
it doesn't have to be no exploits at all just know  nothing serious you know just minor trivial things  
uh i thought i'd be even be  okay with that right just  
just nothing serious but yeah you're  probably all right i mean probably
it might be a lost cause it's like one of  those games that you just never get to win  
throwing the controller at the screen well we'll  see we'll see sad to hear about oracle this time  
you know that that's hey it's something different  so well i'll put that in there because you know  
why not we haven't talked about tasking either  for a while and oracle's got their share of  
messes as well well they're all i think that's  that's important because they're all with all  
of this stuff happening they're all in the middle  of incident response pretty much right yeah well  
that was a little idea and then that 740 people  in the mall on the ransomware you know that's all  
incidents and uh at what point does incident  response no longer become incident response  
but just a way of life operations yeah yep wake up  today deal with the breach yeah use this as usual  
i imagine that wordpress has like an incident  operations department that's like this that's  
all they do i don't know how they handle that  stuff i mean because it's being all open source  
i wonder who yeah i guess it's the community but  there's got to be somebody there dealing with this  
stuff i would hope but i love the fact that  microsoft positions themselves as a security  
vendor and you know has all this influence with  the government on security yet you can't go a day  
without a microsoft issue yeah i'm not letting  the barber with a bad haircut touch my hand  
well said yeah want even more cyber rants be sure to subscribe to the cyber rants podcast
get your copy of our best-selling book cyber rants  on amazon today this podcast is brought to you  
by silent sector the firm dedicated to building  world-class cyber security programs for mid-market  
and emerging companies across the us silent sector  also provides industry-leading penetration tests  
and cyber risk assessments visit silentsector.com  and contact us today well why don't we talk about  
incident response and and uh hopefully share  some knowledge that helps people and and uh the  
goal behind all this of course is that you don't  have to ever deal with it right so that's that's  
the the proactive side that's what we spend a  lot of time talking about building an effective  
cyber security program and all that but even  with all that there will be incidents right i  
mean that certain things can happen it doesn't  have to be a breach it can just be something is  
going on with your technologies that you need to  investigate right so what do we talk about first  
i was going to ask you know why do you need an  incident response plan for those people that are  
um fairly new to this and are you know thinking  about building this stuff for the first time  
but um rather than why because i think that's  blatantly clear in today's environment um  
do you have any stories you guys are willing to  share not to put you on the spot no no pressure  
but any stories about any organizations without  naming names uh that have had a major incident  
that did not have an incident response plan and  which wish they did afterwards anything you're  
willing to share oh dirty laundry okay you want  to pull out do you want the dirty sock or would  
you rather have a dirty pair of drawers i mean no  details you know no dvd i don't even need to know  
of course just a high level just i just know it's  dirty right that's all i that that's sufficient  
okay well it's it's dirty okay yeah so you know  or organization they're they're they're in a in a  
very specific part of the i guess the job families  here and business families here in the united  
states so anyways got a lot of data and um they  they put in some pretty cool security technologies  
but they hadn't turned them on which i i think is  is interesting and then they they also um you know  
kind of kind of leveraged windows defender in its  base form right like old-school windows defender  
like the windows defender that like came  on windows 7 like that windows defender  
and they've got that kind of as a you know as a  their their daily you know anti-malware and so  
when they when they got hit they got they had you  know absolved the hemitek variant and so when that  
happened to them um it you know no documentation  there they were like a small i you know they  
had a good it team right maybe 10 or 12 people  solid solid individuals but no maturity around  
cyber security program or doing you know  doing these incident response or trying  
to understand business continuity um plan of  actions any of that none of it done and so um  
you know i mean it you know it what so what  do they do that you have to call for help  
right and they had to learn the hard way the the  benefits of you know having these things in place  
and then also practicing with your technologies  that you purchase you know i think that happens  
a lot is it the business doesn't trust some  of the technologies that go in you know and um  
and it's a i don't i don't want to contribute  to the vaccine situation that's happening but  
you know these there's some really  cool technologies that that you  
can install that can can use artificial  intelligence decision making to help you  
and to alleviate attacks that are they're  happening but i think what what happens is a  
lot of organizations are reluctant to turn those  devices on and that's what will happen right and  
so in this case no incident response no planning  led to a mass takeover with a ransomware variant  
that ended up costing the organization um lots  of money they didn't end up having to pay ransom  
because of some clever individuals but um  i think that you know all of the all the  
other stuff and the cyber insurance  and all of the time it took to bring  
everything back because they had to come  back from square one high dollar attorneys
territories so are you saying if you have a if  you're paying for a security platform for say  
six months or a year that you  should actually turn it on  
yeah probably okay i probably should probably  good advice make makes decent sense i'd say  
yeah but more so than that i think that you know  had they um you know they had they practiced some  
of this stuff or kind of understood what to do  when things happened it would have put them in  
a better place right i mean it was a you know most  of the time it's either there's there's two things  
right and i think this attributes back to pretty  much anything in life that people who practice  
things you know and you can call them um we'll  go we'll go for like the preppers and the bug  
out right that whole genre of individuals right  they go and practice things or maybe they have i  
watch this on netflix right and so this guy had a  boat and like he took it down the river and he had  
this like little like little hut way out in the  middle of the woods and he had like this device  
where he would blow the tree and the tree would  fall in the river so he could stop people from  
chasing him and they would practice this like  you know a couple times a year okay that that  
same thing what it does and you know for for the  military people you understand that there's a  
repetition of practice builds this sort of kind  of a comfortability under a high stress time  
i mean it just you know you just like paramedics  everybody else they train right in that and that's  
something that you you sort of inherit from seeing  that or playing these like games out over and over  
again right and then when finally the real time  happens it's sort of a second nature to react now  
you know what to do you don't have to think about  right in this particular case how long so tell us  
how long they were this the organization  was down basically people couldn't work  
and basically operations stopped um as it  stood as it happened and then how how much  
quicker could they have responded and been back  online had they had an appropriate plan in place  
sure um so i i want to say it happened on a  i want to say it happened on like a thursday  
uh they they didn't really figure out what was  going on until friday and by saturday they were  
in a panic mode basically asking  for help at that point and so when  
i want to say it was i think it was a  saturday afternoon that i got involved  
um it was i mean so here's the thing is that  they're you know for the techy guys out there  
this is an organization that relies on active  directory okay so as you've got your domain  
controllers you know that they kind of are a  very fundamental piece in an active directory  
core structure so they had you know 14 or 15 of  them all of them are compromised with ransomware  
okay so they're down i mean it's in so this week  so we're rolling into you know sunday and mondays  
you know still just kind of a chaotic couple  days to try to trying to contain right  
and we'll talk about those processes probably  here in a minute right like the containment part  
of incident response but we're trying to contain  this from happening right because it's you know  
ransomware so it's replicating itself over and  over again to different systems um and so we're  
we're trying to um you know basically just contain  this at the same time trying to rebuild because  
the first thing that that happened was all for  whatever reason to me it was very structured  
but the domain controllers were pretty much  the first thing that happened in the attack  
because because after the ransomware got a domain  admin account that was the first thing it went for  
right that was the first thing that they did  they deployed to the domain controller so the  
domain controllers are completely wiped down  as well as other servers okay so rolling into  
monday team realizes this is a pay week so they  they have i don't know a couple hundred maybe  
two or three hundred employees and contractors  that are expecting to get paid this week  
so that's not going to happen they're going to  have to write paper checks right it's not ah  
ach and all that stuff's not going to go down this  week so they've got away at least they've got a  
mitigating factor they can bring people in but  they've got a whole huge work remote for us now  
right so now we've got five or six or seven  hundred um laptops and maybe they were bigger than  
that maybe there were more maybe there's more like  800 or so people but they have all these laptops  
now that are in various places that are all on  the active directory vpn that are now have the  
ransomware as well so now there's this mass call  that goes out for employees to start bringing  
their their workstations in to get re-imaged and  reissued um so that they could you know continue  
to do some of their consulting gigs so that that  pretty much wiped out the first like from that  
monday to the next like tuesday or wednesday and  so it was probably i want to say that it was about  
we were we were able to bring back active directory controllers and core business systems probably
within six to seven days and then i want to say  that um from once we got them to a stable point  
i want to say they still had about a month and  a half to two months before they were back to  
normal operations wow zach so i want to say it  was about it might have taken them two and a  
half months total to maybe three months to to  recover i wouldn't even say 100 i'd say that  
that's probably 80 recovery um and then they're  still trying to figure out what they don't know  
and had they had a a proper plan in place with  backups tested and everything else what do you  
think that would have shortened the time  to probably a day or two maybe less because  
what was happening here is that they were  a virtualized environment i know people are  
thinking why did they back up they didn't really  have a backup strategy they were taking snapshots  
okay so they they had some snapshots but it wasn't  like core data it was like operating system based  
snapshots right for con for for building  systems and you know for in dev and test so  
some of the things you know like were they had the  capabilities to do it but to answer your question  
specifically had they been you know thought  this process out and said okay what happens if  
the active directory controllers go down how do we  rebuild they would have worked themselves through  
this kind of problem reaction solution scenario  where they find you know what what's happening  
what are we going to do about it and then how  do we resolve back to normal and then would  
have realized that the snapshot methodology that  we're using wasn't sufficient enough to bring back  
core computing systems in a short amount of time  um so they would have you know seen that in the  
demonstration of this exercise and been like okay  well that's not gonna work we need to we need to  
think of something else right well maybe if we  take system state data and then you know move it  
offline to this or write you know something else  or increase the frequency of the snapshots and  
then provide an offline backup so there's you know  there were things that they could have maybe done  
through exercise and thinking through the process  of incident response than business continuity  
that would have helped them recover because the  proper technologies like in a docker or something  
like that would have helped them recover hours  they could have been back up now that's not i'm  
talking about the laptops that that part of the  collateral damage is what it is right the physical  
assets you have to repair that's just going to  be the time it takes for people to bring their  
things in right unless you've got some form  of advanced malware that can you know do some  
really incredible sandboxing and remote you know  removal um otherwise you're going to be bringing  
those machines in probably and you may still want  to do it even if you know your your malware says  
it's contained but you need to take a manual step  to remove the rest of the you know the malware  
so you're going to want to bring those physical  assets in anyway but for core business operations  
right your service your databases your you know  core systems for the business that stuff should be  
99 uptime like if things hit it you should be  able to tear down and rebuild within hours and  
so that running those exercises and having that  documentation i think would have greatly greatly  
increased their recovery time critical critical  well let's talk about i mean that perfect example  
um i think it's crystal clear why an incident  response plan is is needed and not just a plan  
on paper but tested and such so let's talk about  the development of an incident response plan  
from the point of view of an organization  that's never put one in place let's just say  
start from the ground up we need  to build an incident response plan  
what do we do what's the process how should  we be thinking about that um and mike i know  
you love to write this type of stuff up and  plan these types of things any thoughts well i  
mean you have to start with identifying your key  resources and then you need to identify your key  
components that may be affected and then  you're gonna have to you know do the research  
to determine what kind of incidents may happen um one of the flaws that i see a lot of these incident
response plans is they get so into the weeds on some of this stuff that they take everything into
account and turn a document that should be 12 or 15 pages into something that's 60 pages long
and cumbersome and i'm basically use unusable because they've you know they put everything into
there instead of trusting into the knowledge of some of their people so i mean yeah identify your
people develop your raci properly understand who needs to be involved and who doesn't and decide
you know what incidents need the most attention um and when we talk about incident let's let's just be
clear we're not talking about a single point  of ransomware someone opens a phishing email  
and the you know the antivirus software you know  carbon black or whatever that's on there happens  
to grab it and it's done that is an incident but  that's we're talking about major incidents here  
we're not talking about minor incidents right so  anything that could be handled by your tier one at  
your help desk is is not really truly an incident  so i mean that's your plan you write it out you  
decide who's who needs to be involved and then you  put together certain scenarios you put together  
a workflow decide who has to be engaged from a  non-technical perspective uh for anything major  
that occurs start from there so you just have to  think it through and then the other the other key  
piece is testing it make sure it works make sure  people know what they're doing the worst tabletop  
exercises we have for ir is when one person is  the only one that speaks and it's the director  
and then you know we go through tabletop  exercise we have these technical people here  
and no one talks as the director because he's  the only he's the only ones ever ever seen  
the ir document yeah not a good position  to be in how how would you guys suggest  
setting up so you have your incident response  plan in place documented you have your workflows  
you have severity level classifications your  points of contact right how would you recommend  
disseminating it getting everybody that needs  to be involved on board and making sure that  
they understand what it is they're supposed  to do tabletop exercises i think is what  
what we see the most um has the most value and i  think it it it's the most fun part of it i think  
but uh you know to kind of add into what mike said  you know when you're developing this documentation  
you know get your you know start thinking  through like okay so great example right  
just to you you're dependent on on um office  365 okay what what happens if if for whatever  
reason office 365 gets some dns attack in the  future right and it's down what what is your  
backup method of communication with your employees  right that sort of thing right how are employees  
supposed to communicate with each other little  simple activities like that right um are are part  
of this right not just you know someone clicks on  a link and we get ransomware or you know amazon  
east goes down right i mean if something like  that happens there's probably bigger issues but  
the tabletop exercises i think are how everybody  can really get involved and you know not only  
are they required for compliance we don't need  to talk about that right this is just like good  
practice right if you if you're if you're out  there in your gun guy you like to go to the range  
if you're out there in your golf you know you like  to go to the you like to go to the range you know  
if you if you whatever sport you play you like  to go and you hone your skill right you at least  
keep up with your skill and that's what incident  response is it's a skill that everybody needs to  
to practice at and those tabletop exercises you  get all of your people that are going to be in  
that emergency response team right likes to get  all your critical people together if you've got  
two network guys and they're the ones that manage  everything they both probably need to be on the  
incident response team one of them might be sick one of them might you know go away um and so you
want to have both of those but if you've got a  larger team maybe only you know you need two out  
of ten right to be on that that emergency response  team but pull from your critical business areas  
get everybody in a room and um come up with a  with a with a scenario um it's real easy you know  
you can do it on a whiteboard you can do it we do  it in a spreadsheet you know with zoom calls and  
we say okay the time is 1101 am and we just got  notified from a client that our website is sending  
out um malware is serving out malware the business  website serving malware what do we do ready go and  
then start trying to induce that critical thinking  in your people and that's it starts right there i  
think to get everybody involved yeah i know i  mean that's a very good point and you always  
want to learn the secondary for every every type  of contingency so even even from the accounting  
department you want a primary in the secondary  and from hr you want a primary and secondary  
it also all ties into the bia the business impact  analysis as well that'll help you identify what  
applications are the most critical um and that  would really warrant function and actually note  
in your incident response document so one of the things that you do need to make sure that
you update your documents regularly because if  you're referring to your secondary communication  
as the on the on-call pager i don't know anybody  that has pagers anymore so hit me up 143. yeah  
when you have to pull out the scrolls and unroll  them you have to identify the horsemen that will  
take the message yeah well yeah that's that's uh  definitely a problem i think um people are are  
relying on still relying on documentation incident  response plans that have been built by people that  
left the company five years ago you know and  it hasn't hasn't been pulled out and dusted  
off since then so well these things every year at  least yeah the living document idealism we need to  
start talking about that because there there's  two types of documents there's a dead document  
right that's that's something that's like a a law  or something you know a memo and then there's a  
living document which is falls under all these  standards policies incident response included  
right these documents need to be updated regularly  they need to be looked at regularly i mean  
and mike and i know that in some organizations  there's a team of people that manage the documents  
yeah and you know honestly from a soc 2 perspective from a pci perspective
uh from any compliance perspective those documents  could be updated a minimum every year and after  
every major change and that that's really what  needs to happen yeah because a good auditor is  
going to look at something that you've got  running on the infrastructure and they're  
going to look at the document and cross-reference  to you know validate that the evidence you know  
as substantiates as you're doing the right  things both programmatically and technology  
and we're going to see a difference right  somebody's going to see a difference be like well  
you're doing this but how come the document  doesn't say this or vice versa right the  
document says you're doing this but i we haven't  located a technology that provides this function  
yeah just like in your incident response document dealing with your 2008 servers probably isn't all
that important in the year 2021. now before we  wrap up to i want to share something that i think  
a lot of people miss or don't understand going  into this from the beginning um if you have an  
incident and you're just randomly calling  a incident response company googling for  
people to help you um you're all you're already  it's already failed right because you haven't  
set yourself up properly so of course there's  your your planning and such but you need to have  
you need to have cyber insurance i mean i  think that's pretty obvious in this day and age  
and you you need to go through your cyber  insurance firm in advance to understand  
their approved vendors for incident response talk  with those vendors pick one or two have the their  
contact information that documentation all that  make sure these are companies that specialize in  
incident response that have you know 24 7 people  on the line ready to go when something happens  
and approved through your insurance provider  otherwise your insurance provider if you just go  
out randomly chances are most of them are going  to pay probably half or less of the actual cost  
versus if it's a pre-approved vendor they're going  to pay a lot more so have your go through your  
cyber insurance provider to get yourself prepared  for this and also you need to have an attorney  
you need to have an attorney involved when an  incident occurs an investigation is underway  
by a third party the attorney is there to protect  you so have an attorney identified again one that  
either specializes or does a tremendous amount of work in incident response and understands it
and the reason for that is in the the capital one  breach was a clear case of this and and i'm not an  
attorney by any means never even played one on  tv but to paraphrase what happened essentially  
mandiant was a cyber security service provider for  uh capital one on an ongoing basis well they were  
also brought in to do the incident response in  the breach and basically the court deemed that um  
because they had been providing ongoing services  uh that this work that was done was really between  
capital one and mandiant and was basically  subpoenaed right so the opposing counsel  
could get access to all the details of the breach  investigation that was performed by mandiant so  
when you go about this you don't you don't want  to have your evidence you don't want to have your  
breach investigation information handed over to  opposing counsel in the event of a lawsuit because  
then they can say oh they can point at anything  they want really say oh this is negligence this  
is negligence negligence you know and really try  to use that against you so have an attorney the  
attorney engages the um engages the incident  response firm you don't engage the incident  
response firm the attorney does right because that way you maintain client attorney privilege
um for those findings right so again it's not  not legal advice but this is this is what we  
know through experience and having dealt with  these types of things in the past you need to  
have those parties involved a pre-selected couple  of incident response firms a good attorney or two  
and and your cyber insurance provider all  together and have that documented ready to go so  
hope that helps just because you know again so  many people reach out at random when an incident  
occurs and they need help but they're they're  already going about it the wrong way and could  
get themselves in a lot of trouble down the road  so not to make it too serious of a conversation or  
anything but that's i think that's important  for people to know well totally that's right  
yeah i mean especially if they're gonna if  they're gonna try to get damages you know  
refunded through insurance claim right so you gotta you gotta play by the insurance rules
so it's good enough absolutely one of the things  that you need to be mindful of as well is that  
some of these contracts for insurance do require  forensic work and some don't and you need to be  
sure that you know which one you have before you  can bring a laptop in that's been exposed and has  
ransomware on a malware on it and you wipe it and you've just voided your cyber security policy
because they've actually sold a point yeah a  chain of evidence yeah you've got to maintain that  
so yeah they're going to require so yeah but  again incident response plan practice and you  
know it you know one of those first steps should  be do we have cyber insurance yes or no the answer  
is yes we need to contact them yeah and sorry i  didn't mention this really but the simplest thing  
to do is i think you brought this up lauro is just  getting a room you know like we do a lot of things  
and just interview key resources and say all right  what do you do here what do you do here and then  
you develop your document from there the bobs yeah  what you're referencing yep what do you do here  
what would you say you do here bob excellent  talk any final smart remarks or questions ideas  
thoughts for the audience requests before we jump  off no i i think i don't know i hope this was a  
good talk i hope you enjoyed it you know again i  think if if you know you're you're just starting  
in this like mike say get in a room start going  through all of your critical technologies critical  
services and the people that the critical people  that manage those critical services and then  
go through some scenarios and what happens when  you check one off and and how did everybody react  
you can always engage an outside company to  interrogate your people i mean you can always  
you know buy eight 10 12 hours of consulting  practice for someone to help you develop it  
if you don't want to develop it internally let  them conduct the interviews yeah mike and i  
will come in and do the inquisitions that's  fine but you still have to bring the bagels  
and donuts and coffee absolutely we we only  work when there's bagels and donuts and coffee  
that's that's part of it part of the requirement  so yeah have a uh have a good uh pizza a local  
you know pizza shop on your incident response  plan too because your people are gonna get hungry  
so that's my advice yeah it's gonna be a long  night it's gonna be a long couple week nights  
you need to have you got breakfast lunch and  dinner planned for your teams because you may be  
five days 24 hours a day the dot-com era when we were still trying to bust stuff out to market and
we'd work 18 24 hours a day straight multiple days  in a row and the executives thought it was it was  
okay as long as they provided us pizza you know  that that was you know would satisfy all our needs  
to do that for a month straight and it's like no  dude we're not like no it needs red bull too yeah  
and that's why scripting took off so you automate  the tasks thank goodness well thank you everyone  
for listening and joining us if you bought a copy  of the book on amazon please give it a rating  
let us know what you think and let us know  what you think of the podcast reach out  
anytime uh cyberantspodcast.com there's a web form  there you can do different requests or reach out  
on linkedin let us know what's on your mind what  we can talk about and what types of information  
you'd like us to share or stories or just  ranting so thank you again and have a  
wonderful day