Be Prepared with an Incident Response Plan

Unsecurity Podcast

An incident response plan has become one of the most pertinent conversation pieces in the information security world. Many organizations are starting to realize that it’s important to be prepared for what to do when a breach occurs— because we can’t prevent all incidents from happening.

Protect Your Organization from Cybersecurity Threats

SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.

Podcast Transcription:

[00:00:23] Brad Nigh: Good morning. Today is June three by the way. Evan. How’s it already June already?

[00:00:29] Evan Francen: I know. Yeah. What?

[00:00:33] Brad Nigh: It’s nuts. So they almost halfway through the year old.

[00:00:35] Evan Francen: This june oh my gosh. All right.

[00:00:38] Brad Nigh: All right. Well, it’s time for another episode of the insecurity podcast. I’m brian and I, and I’ll be hosting this week and with me again as you heard is Evan Good morning. Evan.

[00:00:47] Evan Francen: Good morning. It’s good to be here. Monday. The weather is beautiful. It

[00:00:52] Brad Nigh: Is gorgeous. This would be like 80° every day this week. Can

[00:00:55] Evan Francen: we do the podcast from outside? I think could be great. How do we do it? I don’t know. Okay. Well maybe not.

[00:01:03] Brad Nigh: We’ll see your it out anyway. So what do you do over the weekend Evan? Probably

[00:01:10] Evan Francen: about the same thing you did. We had nice weather and I’m 48 years old. So my body doesn’t do the stuff that’s supposed to do. I don’t think maybe it does at this age. I, um, what do you call that stained a fence. My daughter helped me. She’s 14. It was really cool. What were you doing?

[00:01:29] Brad Nigh: Like the karate kid with her wax on pain up and down.

[00:01:33] Evan Francen: No, She’s not ready for karate. Well, maybe she is, I don’t know. They did that clean gutters mowed the lawn. Um You know a lot of work around the house.

[00:01:45] Brad Nigh: Yeah. Talking before it was I did a lot of work outside and then I was doing some painting. My wife was like all right. I gotta get rid of. You can’t I can’t stand the builder paint anymore. She couldn’t stand it.

[00:01:59] Evan Francen: Do you have the original paint? It was

[00:02:01] Brad Nigh: the original. That

[00:02:02] Evan Francen: kind of like eggshell

[00:02:03] Brad Nigh: like that. No. Yeah, like the kind of like the tan ish, generic color. And she’s like, I’m done. So I was painting all weekend and I hate my arms hurt and

[00:02:17] Evan Francen: I hate painting hate staining fences to very similar.

[00:02:21] Brad Nigh: Yeah. So So uh what I’m hearing is no fun for either of us this weekend.

[00:02:27] Evan Francen: Well yeah, you know I had some fun after that. I had some friends over we had a birthday party for my buddies and let some stuff on fire. I live in a small town so we can’t like blow things up. But if I lived on a farm we would have done that.

[00:02:44] Brad Nigh: It’s probably for the best.

[00:02:46] Evan Francen: I don’t know. I like blowing stuff up 10 or eight or something. I don’t know. Pro painting. Well, I’ve never shot a propane tank. What would that be like?

[00:02:57] Brad Nigh: It feels I don’t know.

[00:03:00] Evan Francen: Mhm. Maybe someday I have some friends who live in the country. I could try that. You’re not far from it. Not know. It would be cool though. Not at all.

[00:03:13] Brad Nigh: All right. It’s weird. Well there you go. That’s our, that’s our exciting weekend. Is that

[00:03:18] Evan Francen: control our

[00:03:19] Brad Nigh: control are exciting weekend was yard work and painting and staining and

[00:03:24] Evan Francen: yeah, security life isn’t as sexy as much piers, is it? No, I did tweet some stuff. I tweeted, uh, you saw kevin Poulsen, uh, he doxed uh, the dude that the guy who created the Pelosi oh, drunk video. The fake kevin Poulsen docks. The dude on what’s his, what’s his news site? I can’t remember. Um, but that sort of ticked me off kevin Poulsen should know better than that. I mean, we don’t docks people because their political leanings, especially something like that. I mean the guy’s a forklift driver for kind of, but anyway, read up on

[00:04:08] Brad Nigh: that. No, I haven’t seen that.

[00:04:10] Evan Francen: That’s interesting. I’m not a big kevin Poulsen fan anyway, but you know, you read that and you’re like, man, any respect I had for you is sort of gone now.

[00:04:20] Brad Nigh: That’s a tough one.

[00:04:22] Evan Francen: So yeah, I read up on on that. So I, that I commented on yesterday, I was expecting a bunch of, uh, you know, because it’s like politically charged, right? Anything with politics nowadays? You just sort of expect fallout? Somebody to just give you a bunch of crap number. Which side of the fence? You fall on? Nobody has any tolerance for anybody anymore. That’s that’s that. So what else is new? What’s our, what’s our show today, we’re

[00:04:51] Brad Nigh: talking incident response, but I know we don’t have any of those ever. You

[00:04:57] Evan Francen: have, How many last week did you have? Just one? Just one. Just one defer defer

[00:05:03] Brad Nigh: defer today? No, anyway, we’ll talk about that. Uh So I wanted to start with your Denver I. S. S. A workshop that you did a couple of weeks ago. Incident management, panic or plan. So tell me a little bit about that. I looked at all the material you had.

[00:05:24] Evan Francen: Well, first off the that Denver I. S. S a chapter is awesome. I mean, I was just really impressed with how welcoming they were. Um Just it’s the largest s a chapter in the world. So if you’re in the Denver area, you know, I highly suggest you joined that chapter. Just everybody was welcoming that it wasn’t. Sometimes you go to some groups and there’s like you just feel kind of like a fish out of water. You feel like you’re not part of the group. They instantly made me feel part of the group, which was super cool. Yeah. So uh yeah, I was in Denver, I flew out in the morning. Got their uh the things started at noon. I got there at 12:05. That’s what I do. Um I didn’t waste any time. You know, I took uh took a lift their uh it’s funny because I was there to give an incident response and sent management workshop And on the way there one of our clients calls with an incident. No, no. Yeah, so it’s like, okay, well this is good maturity.

[00:06:31] Brad Nigh: Yeah. Really?

[00:06:33] Evan Francen: So that incident, you know, it was not very impactful so I didn’t have to stop or anything. Um but it started out, you know, you have three hours, three hours man.

[00:06:50] Brad Nigh: Yeah, but you think you here, oh my gosh, I got three hours. But then if you can get a good audience or a good group that actually has any sort of feedback, it goes so

[00:07:01] Evan Francen: fast. That’s true. So it was uh, you know, I’d say there was probably 100 people there. It was, I brought, you know three or four books in my book bag. So I could share with people that I just kind of pick people out, you know, people that you know, I think look good

[00:07:20] Brad Nigh: participated. No, looks, looks, looks solely looks,

[00:07:23] Evan Francen: yeah, like like a cool dude, I’ll give you a book now. It was totally what they did to participate. But anyway, So uh it was funny we got there, um lunch was from 12 to 1245, 1:00 was kind of the time to talk 1 – four. Um and during the introduction, you know, it’s funny how some people think you’re more like uh famous then others, but then you are then you actually are because it was funny because she started off with like yeah and we’re so you know excited to have Evan francine here and uh, how many guys have, have heard of heaven before? I read his book, one person in and out of 100 people. What you

[00:08:14] Brad Nigh: in your place ground you

[00:08:15] Evan Francen: I love it. I’m already grounded, you know? And I was just like, all right, well I said you’re gonna get three hours to know me now, you know? So it was we started off, we did a lot of the trick I think for a three hour workshop where really it’s not it turns out it’s not really workshop either. Because when I think of a workshop, I’m like, all right, everybody get open, you know, in your laptops, we’re going to work through some problems and so I sort of sort of create, I didn’t do a lot of up front on this thing. Um but I wrote my presentation sort of like that like we were going to work together,

[00:08:54] Brad Nigh: right? Yeah, I was looking through it. I like it.

[00:08:56] Evan Francen: Thank you. Nobody brought their laptops saw so I was like, alright, here we go. Um and it was it was cool because I think they were all, you know, I did a lot of truth mm stuff, you know, just kind of laying it down. I mean this is what the current state is of incident response in our industry. This is um most organizations, you know that I see, you know, you can read studies, but you always have to take every study you read with a grain of salt, like who sponsored this thing? What’s the sample error rate? You know, don’t just take your things spoon fed and believe them is truth. Right? So based on what I’ve seen what you see too. I mean, just a lot of people, most people don’t have an incident management

[00:09:48] Brad Nigh: program. No.

[00:09:50] Evan Francen: And so I kind of laid out here are the numbers here. Here’s what, what the industry says. This is what I see. So you know, Canada just get us level set. There was some interesting interaction during that part of the talk because that’s sort of where I started um where people debated uh you know the numbers. Well, it just seems low, it seems high like these aren’t my studies, right? I said if if these were my studies, you’d all agree with

[00:10:21] Brad Nigh: it. I was wondering what the so You’ve got, you know, top 10 statistics in there and meantime to identify by a data breach is 197 days. And yeah, it’s about that’s probably about right? Although sometimes you get lucky, right? We had the one we were talking about last week that happened, they identified it within a week. However, that was kind of easy because their MSP they switched SPS and the MSP forgot to turn on the firewall

[00:10:55] Evan Francen: and any any any, well, you know, it depends on what you define to as a breach. Right? I mean if it’s a ransomware attack. Yeah, it’s not 197 days, it’s like 197 seconds.

[00:11:08] Brad Nigh: Well, you’ll see actually, we’ve seen it quite a few times where they get in and they’ve been in for a while before they launch. Right, okay. We’ve got what we can out of it. Now. It’s time to

[00:11:22] Evan Francen: Yeah, I mean no to tax are the same. You know, there’s there’s common characteristics for sure. And I think one of the classic errors that people make when they respond to an incident is they make assumptions, you know, they make assumptions based on other attacks. You know, we think that the attacker was going this way or that way. Whereas just being objective about it and letting the evidence take you where it takes you, you know? Right? But I think, you know, to assume, you know is a dangerous thing, you know? Right?

[00:12:00] Brad Nigh: Yeah, that’s one of the, excuse me. One of the things we talked about in every single call, you know, that comes in for an incident is, okay, well, we think this is what you you’ve told us is what we know. However, we’re not gonna make any assumptions. We’re gonna investigate. We’re going to look and see because as soon as we can start making those assumptions, you miss things, you’ve already you’ve tainted your thought process to okay, I’m only looking for this and now if it turns out it, that’s all it was. That’s great. But you can’t, you can’t go in with that mindset.

[00:12:36] Evan Francen: No, no, not at all. And so this, uh, the workshop was about, you know, planning. So how do you plan for an incident response? How do you plan for an incident? So it’s not, how do you conduct an investigation? How do you conduct? How do you do forensics? That’s part of the plan. I mean, knowing how you’re going to do that, who

[00:12:58] Brad Nigh: do I call? What? Which I do is part of it, But

[00:13:01] Evan Francen: I don’t have to have necessarily an incident. I don’t necessarily have to have a forensic investigator on staff to have a good incident management. No

[00:13:11] Brad Nigh: plan. Right. And, I mean, realistically, for the majority of companies, it’s not something that they could do

[00:13:18] Evan Francen: right or afford to have sitting on the bench, right.

[00:13:22] Brad Nigh: That it may happen.

[00:13:24] Evan Francen: Yeah. So it was, you know, planning for an incident. How do you prepare your environment? You know, what’s the proper, uh, you know, how do I set logs? Um, how do I protect the logs? We go into so many incidents where, you know, there’s just no evidence and it doesn’t matter how good you are at forensics. If there’s no evidence, there’s no evidence, we don’t just make stuff up. There’s no magic pill. You know, it’s either there, it’s not.

[00:13:54] Brad Nigh: We had that reminded me of one of our newer analysts was going through doing an assessment for someone and they were arguing with him about the sim solution and the fact that it was running his domain admin and that that was like, that’s no bad.

[00:14:10] Evan Francen: Right? But it’s easier to manage well. And those and those are some of the things that we can learn from previous incidents. You know, the typical, you know, if there as much as there is something, you know, the typical attack sequence, right. Includes you certainly in in an attacker with any sophistication, the destruction of locks, the described the destruction of evidence. Right. Right. And so if I have the same authentication with the same solution that I do for the domain, if the domain admin account or accounts, alright. Target, which they probably will because another thing in the typical attack sequences to elevate privileges, um, you know, that puts my logs at risk,

[00:14:55] Brad Nigh: right? Yeah. Because the first thing we’re gonna do is hide where they’re at.

[00:15:00] Evan Francen: And I love the people that say, well, that’s never gonna happen. It’s like, okay, it’s all right. You know, I’m sure

[00:15:07] Brad Nigh: we’ll talk to you. And uh, at some point it’s going to

[00:15:09] Evan Francen: well, and you’ve, we’ve seen, you know, the sad thing is, you know, every time there’s an incident, every time we planned poorly somebody suffers that didn’t need to suffer, including companies going out of business. Right. I mean, that’s in our own recent practice. We’ve seen companies not be able to survive. Right? So that’s the sad thing. And so we kind of went through the truth, you know, laid it out there and, and hopefully, you know motivated some people. And then I went into uh, you know, an assessment tool that crest um provides free love free.

[00:15:50] Brad Nigh: And it seems like a pretty, pretty good tool. It really

[00:15:53] Evan Francen: is. I mean I’ve been through that tool before. There’s two versions of the tool. So you know, if you want to look at all this stuff, it’s uh, you can go to my blog Evan francine dot com and I just posted yesterday afternoon a summary of this essay event including where you can get all the materials, the presentation, the two tools, you know the crest assessment tools, some sample stuff, you know from our own practice here. And uh, but so we went through the tools and I said uh it doesn’t matter where you’re at in your incident response plan. You need to do assessments regularly just to assess how, how robust your plan actually is. Um, you know, because even if you don’t have anything documented, you still have an incident response plan. It’s not like an incident happens and you’re just going to stop doing anything. You have a plan. Your plan might suck. But there’s a plan, your plan might be to update your resume and you go and try to find another job. But you have a plan, whether it’s documented whether it’s repeatable, whether other people can participate in it. I mean all those other things are that’s why we try to make it better. So yeah, that we went through the assessment tool, I told people, you know, go through the detailed one. Don’t go to the summary one, the summaries too subjective. Um It’s what’s the official name of that crest cybersecurity incident and just had a response maturity tool or something like that like that. Hang on. But it’s a it’s a good tool. So I go through that and so I challenged all of them. Um I said, you know, so many times when we sit here, we give a talk and you see a bunch of head nodding, right? That’s what you saw here. I mean everybody is nodding their head, everybody’s in agreement. There was a few good questions, but generally everybody in the room agreed. And I get sort of tired of people just agreeing, nodding their heads and then as soon as they leave the presentation of the workshop, nothing happens. Nothing. Right. And so I said we’re here at an essay chapter. We’re all part of this group. So why don’t we just why don’t we do do something like this pair up find somebody that will hold you accountable to just doing at least the assessment, right? It’s free. It’s going to take, you might take you six hours, but you know, you’re going to be grateful that you did it and maybe bring together your team, get different perspectives, debate. You know, some of those characteristics that are assessed in that tool, uh and come up with a plan, figure out what you’re doing, come up with a plan for the plan. And so that went really well. And then I shared just kind of some, you know, some stories, there was lots of stories along the way, you know, of incidents that we’ve responded to. Yeah, people like people,

[00:19:00] Brad Nigh: they do they but it kills me. They love the stories, but still are like, it’ll never happen to me, right? How many stories do we have? Where it’s

[00:19:10] Evan Francen: like, that’s a good point. You know? Yeah, some of these stories were people like you, I mean, people sitting out there in the audience nodding their head, being entertained by the story and then you realize, oh my God, I’m I’m a story now.

[00:19:27] Brad Nigh: Yeah. I always wonder if if uh you know, we talked through these stories we tell them and you know, we keep the companies that we’re working with its confidential, right? We don’t talk to give away information that will explain

[00:19:40] Evan Francen: at least on the podcast. Okay. Yeah, I’ve been tweeting

[00:19:43] Brad Nigh: them. Yeah. Well, you know, but it’s good. You know, you always wonder if if somebody’s going to hear themselves. Yeah. As an example and what they would do,

[00:19:53] Evan Francen: even though we know, even though we keep an anonymous, if you’re the person we’re talking about? you know who we’re talking about, how does

[00:20:01] Brad Nigh: that, how would that make you feel? I don’t know. Anyway.

[00:20:04] Evan Francen: Oh yeah, so that was and then we finished up with just some sample, You know how to what an instant response to this response plan looks like how to operationalize it. You know, it’s one thing to create a plan, check the box. And actually I actually started kind of with that too. I said if um if you’re here, I mean you have to figure out your why? Right. I’m a big white guy. If you’re, why for instant response planning is to be compliant to check the box, you can leave. Yeah. Why? Why waste three hours here?

[00:20:38] Brad Nigh: Right. He didn’t go download a plan and say, oh well we’re all

[00:20:41] Evan Francen: set. And that was one of the truths to was like, if that’s your why I can give you a template now, put your logo on it and you’re done. If your why is you really do want to be prepared for an incident should it occur? And you know, all that stuff will then stick around. And I think everybody did. I don’t think I saw anybody like, oh okay, I can leave peace.

[00:21:04] Brad Nigh: Yeah.

[00:21:05] Evan Francen: And I had to use to dad jokes for three hours or so to do that

[00:21:11] Brad Nigh: to keep them engaged to say that. I think the pluses, you can do some stories in there. Right? So you can kinda, we’ve those in.

[00:21:22] Evan Francen: Yeah, we took one break at like 2 15, you know, we started at 1 to 15. We were done at four. Um some really, really good questions, some good afterwards. Um They clapped for me twice, which was weird. I don’t know why that was. He’s done. Yeah, Yeah, probably because you’re leaving. Yes. Uh and then um yeah, there’s maybe a dozen people afterwards that we just talked and then I had to run, which I felt bad about because um I would have, if it had I done this again, I would I would have stayed the night, you know, so I could have dinner with some of the people and you know, he

[00:22:04] Brad Nigh: flew in did the event and flew out that same.

[00:22:07] Evan Francen: Yeah, I had no time. I got a lift from the airport to their got there at 12:05, got a lift at four. My flight leaving I think like yeah, six Maybe. Yeah. Remember it’s tough. Yeah, but it was overall, man, it was just it was an amazing, it was really, really good and it was because of the quality of the people that were there. It wasn’t, you know, they were just, it was just a great group, loved it every minute of it. And hopefully they learned some things about incident response. I know that afterwards. There were lots of downloads of the materials. Yeah, somebody that available to everybody. There you

[00:22:50] Brad Nigh: go. So you know when we’re talking incident response and you know, well, let me see, how do I want to put this? Yeah, there’s a lot of plans out their plans. A lot of, lot of templates, a lot of things. How do we tell if I’m thinking of this as, as the end user, how do we know what’s a good plan? How do we know, how can you tell the difference between something that’s overly complicated versus maybe something that’s overly simplified? You know, what makes a good plan?

[00:23:33] Evan Francen: Well, I mean, just looking at the plan, I don’t think you can tell all that much. I mean you can see that if it has the common sort of sections and structure, but it seems like it won, it needs to be socialized. So, you know, I was last week, I was in um New Jersey and we developed their plan, we’ve been working on their plan, it’s operational. Um, but it was obvious. So we did a few tabletop exercises while we were, there was like, hey, it’s been, you know, a month or two since the plan was, you know, sort of put in place. Let’s, let’s go through some scenarios just as the security team. We don’t need to bring a bunch of people in here, let’s just talk through it. And so we talked through the first one that we talked through. Um, I like to start with, you know, what was the first indicator of something, uh, you know, was wrong, was a miss and then try to figure out how would that get into our process, Like how would we know about this thing? So take, take for instance um unauthorized charges on credit cards um in a retail environment or in a kind of distributed environment. Um how would we know? Well, okay, you know, so we started playing that. Okay, well You get 10 calls or this, you know, this retail uh this retail site Gets 10, you know, 10, 15 calls, 20 calls, whatever from clients claiming that their cards have been fraudulently charged. Okay, Okay, great. So then what happens next? So the person who received that call, what would they do? Well they would whatever. So we started playing through that and we realized that that in a couple of these scenarios that they would never ever get into our incident response process because we would never have found out. So that told me well we need to communicate then ready to socialize this better. So we need to reach out to these people that are in these other locations and let them know uh and keep them aware that this is where you report incidents, these are common incidents that you need to be aware of. And if you get one of these calls called service desk or call the security team or email this email address. So that’s one way, you know, it’s just kind of this table topping. It’s playing through the scenario. Um that’s, you know, so I always think of like socializing and operationalize ng if it’s socialized meaning, everybody knows about it and it’s operationalized meaning it will actually function.

[00:26:29] Brad Nigh: That’s, it’s good. I think with the tabletop, one of the things that you can do your own, it’s always good. But I think having, you know, an independent facilitator really helps. And I think the biggest reason is, and it’s, I don’t, not that anybody is trying to, you know, quote unquote cheat or anything, but you make assumptions. Right. Right. It’s, oh well I know I would do this or these things are in place, but nobody calls it out and it’s not in the plan anywhere. So you know, with an independent person you go, oh, time out. How did you get from a to F where? That’s, there’s, that’s not in the plan.

[00:27:11] Evan Francen: Yeah, that’s why I love doing them too. You know, I call it book ending. So you know, I had done so in defining how we’re going to do a test, um you know, first I start with kind of like what, what’s the source? So let’s say git hub, source code gets compromised. Well how would that potentially happen? Well, you know, even if they have two factor authentication, maybe there’s a phishing attack, Maybe it’s a disgruntled um, developer.

[00:27:40] Brad Nigh: It could be the user clicks on the, yeah, okay, that’s mine just go away, which we’ve seen,

[00:27:46] Evan Francen: right? But even in two factor, I can still do a sim swap. Right? I mean, there could be,

[00:27:51] Brad Nigh: well, we had the one incident where the they had multifactor enabled, somebody got the password and kept spamming trying to log in and the user was just like, yes, it’s go away. Even though it wasn’t him logging in. Yeah, there’s that too. You know, so it goes back to the user. They’re not paying attention.

[00:28:10] Evan Francen: Right? And so book ending that. So if I if I’m going to identify the source and then, you know, how would we potential, you know, how would you potentially find out about that, you know, a source code compromise and then bring that all the way to um, so you have the source and then how would we find out? And then there’s a whole bunch of stuff that happens in the middle. So, present to the development team or whoever is going to be involved in this tabletop exercise. Here’s what we know, right, uh, Secret Service called, Found, you know, a a database of customer information that appears to be from you. Or maybe it’s the, you know, UK Information Commissioner’s office or something, right? You get this call, go what happens because you already identified the source? So, you know, kind of where you want them to eventually get to. But watching them work through the path of, you know, they should get their, you know, according to, you know, kind of following the structure of the plan, You should get there in, you know, maybe maybe hours, but you know, when you’re sitting there going through the tabletop exercise and then you find out like, oh my God, you guys are never going to get there and then, you know, modifying those plans to fit them better or to training, you know, I

[00:29:31] Brad Nigh: think that the hardest part is yeah, is getting them to not just jump to assumptions and actually talk through okay, what are you doing or what are you doing next? What? No, no, you don’t get to just say, you know, we’re doing uh oh well the china virus found it. So we know well, okay, let’s go through every step. What happens when it gets alerted, who looks at it? How did you know that was the issue, you know?

[00:30:05] Evan Francen: Yeah, it’s interesting because you know, it’s interesting that you chose intent response for this, this podcast because you know, I mean I guess I didn’t really realize it until you know, I saw your show notes that I mean I had the incident response workshop last week when I was working with the, you know, the global company, we’re talking about incident response and some tabletop exercises. I have another one with another global company what we’re doing, we had to design to tabletop exercises in in september we have the next tax and hops, which is incident response, you guys have been working on an incident response thing.

[00:30:45] Brad Nigh: Yeah. So well, and that was part of it. I won’t lie. It was part of the reason we chose this was, is we kind of breaking the news here. We will be rolling out a new incident response management retainer service. So that’s a big part of, you know, kind of why we chose that to kind of roll into that as well. But

[00:31:09] Evan Francen: yes, I mean instant responses like everywhere right now. I mean, I guess I didn’t really until I took a step back. I didn’t realize like that’s all I’ve been doing like lately, even though I don’t, didn’t even realize I was, that’s all I was doing. I

[00:31:22] Brad Nigh: mean, well what’s crazy is like february was the worst month for at worst for for that. I think we had at one point I had five active I. R. S that were in various stages of, you know, identification to kind of close out status but were easily getting two or three yeah, a month of yeah, of incidents going on where we need to come in and do some sort of either clean up at the end or active.

[00:31:59] Evan Francen: Yeah. And read the news. Right, Baltimore. I mean, yeah. Right. It’s like, my God. So, um, yeah, I’m and I’m happy about the way you guys did the new instant response retainer service for fr secure. Um, because we, we pulled that back. Right? I mean, our initial sort of, uh, you know, play on that didn’t didn’t fit. Exactly right. You know, but this new one, I really like the way you guys put it together you and, and Oscar the lead for technical services here. Um, so I’m excited to see how that works out. I’m excited to see the value that clients get and you know,

[00:32:42] Brad Nigh: hopefully it works. I think, uh, we, we pretend we know what we’re doing. No, uh, you know, I think we’ve got a pretty good good plan. Right? And a lot of it is around trying to prepare clients that they don’t need us for that. Right? It’s, hey, we’re, there is an insurance situation when you

[00:33:04] Evan Francen: guys definitely know what you’re doing. I mean when you got you from the, you know, kind of the planning, administrative perspective, you know, with the technical background and then you’ve got Oscar, you know, who has plenty of experience, you know, in the incident response, you know, in big companies, uh, yeah, it’s a, it’s a very good service and plan. I’m excited. I think, you know, and you know how I roll man, if that thing, if I didn’t think it was going to provide service, we wouldn’t do it. Right, Right. If there’s no value.

[00:33:33] Brad Nigh: Well, and yeah, so we’ll go through kind of, you know, when you look at this, the steps are identification is clearly that you’ve got to start there and I think uh, in for March, no, March when you were out when we kicked you out, I spoke with Renee about this a little bit and, and it kind of ties, you know, luckily it matches up with what we talked about back then. But you know, identification, this is where we, we have to figure out what exactly are we dealing with and prioritizing and saying, okay, what’s the severity of the incident? Do you have a formal way to actually do that and making a consistent, you know, classification every time I think a lot of people struggle with that because everybody goes up. It’s critical immediately.

[00:34:28] Evan Francen: Well, I’ve been in, I mean Being in enough incidents, you know, a couple of things. one people don’t make the greatest decisions. They’re not, they’re not in the right frame of mind to make really good decisions. No. So judgment comes into panic. Yeah. And I also know, you know, in dealing with enough incidents that people don’t read. So having objective criteria where, you know, just selecting certain things about an event or an incident than having it automatically classify is really important because then It’s important for a couple reasons. one you don’t call my judgment into question, which, you know, I may classify something totally different. Then you would and we both have experience, right? Somebody who is a novice who’s never done this before. How will they classify?

[00:35:26] Brad Nigh: Make it as objective as possible. Not you think as much of the subjectivity out of it as we can

[00:35:34] Evan Francen: and then use colors, big, bold, bright colors. Because if some things are high and make it as red as possible, so that people, I mean, I don’t have to read to see that this is high, it’s red, so go to the other red parts.

[00:35:49] Brad Nigh: Yeah. And so we we’ve really gone down to, we have four priority levels that we’ve identified. And as we work with people that build out their plans, this is what we’re going to do. And, You know, I think when we do it, we did uh P1, we’ve classified that as a critical incident or likely breach. And that’s that’s a very the wording is very intentional. So when you hear it’s a P one, everybody, you know, everybody always, I think things are, their problem is always the most important, but when you say, okay, it’s a critical incident. Okay? So you’re telling me you’ve likely had a breach now, you’ve got people’s attention. Well, no, no, I don’t, I don’t want to have a breed, right? So it makes them, I think stop and think a little bit about, okay, what, what is this level? Is it truly drop everything right now and go now, examples of that raid somewhere. I think absolutely you’ve like you’ve been,

[00:36:49] Evan Francen: You’ve been P one,

[00:36:50] Brad Nigh: right? Exactly, um denial service attack where you’re down hard, some things like that, um, you know, you’ve maybe gotten unauthorized access and you’ve verified, you know, like this one that we were talking about. Uh they came in last week and somebody’s machine was logged in and locked within a user account that they didn’t know and it’s a relatively small company so they knew this is not an employee. Well, that’s that’s unauthorized access to your information. Mhm. You know, p to being a serious incident or a possible breach. So, Alright, my guess is a lot of them are going to fall into that P. Two, right? We don’t know for sure, but we’re pretty, we feel like there’s the possibility that that we’ve been breached. Um You know, brute force attacks social engineering. Uh you know, maybe a uh malware outbreak but not Reince um where we’re out locked out uh P three moderate event, little likelihood of a breach. So um

[00:38:01] Evan Francen: Yeah, so you say P two P two if we both drank a lot of water. Yeah, I’d have to P. Two.

[00:38:09] Brad Nigh: There you go. Okay, I get it. Well, I mean, you do have just stolen kidney, so I don’t know how that

[00:38:14] Evan Francen: works, right? It works awesome.

[00:38:17] Brad Nigh: Um

[00:38:18] Evan Francen: So I only need one. Mhm. Um P three,

[00:38:23] Brad Nigh: P three is a low likelihood of a breach and P4 is the security event or non incident and I think it was important that we included. No, it’s just an event in the classification and you know, there’s maybe, you know,

[00:38:37] Evan Francen: she coached them through the characteristics to classify right,

[00:38:42] Brad Nigh: building out a plan and because

[00:38:44] Evan Francen: even where we do it, data breach people debate, I don’t think everybody knows what breach means. You know, Well that’s not a breach well, but you know, have your customer databases online. I think that’s a breach. Well defined breach. God, really?

[00:39:01] Brad Nigh: Well, and that’s a big part of the plan is defining an event versus an incident and then defining what really each of these mean

[00:39:13] Evan Francen: because it just sucks in an incident response when we’re sitting here debating terms and words, right?

[00:39:19] Brad Nigh: You guys are completely down and you don’t understand how

[00:39:23] Evan Francen: come, I don’t know, it might be a So maybe AP three. Yeah, yeah. But that also, you know, emphasizes the importance of preparation and testing, right?

[00:39:35] Brad Nigh: Yeah.

[00:39:35] Evan Francen: And around a beating these things.

[00:39:37] Brad Nigh: So part of our service would be, you know, you get a dedicated, I are like a virtual iron Manager uh and it’s going through the plan and it’s doing a tabletop.

[00:39:50] Evan Francen: Does the virtual iron Manager get to carry a taser?

[00:39:53] Brad Nigh: I don’t see why not.

[00:39:55] Evan Francen: Excellent. I would like to be a virtual iron manager.

[00:39:59] Brad Nigh: Um, but yeah, so going through the plan coaching them, making sure we’re on the same page that going speaking the same language. Right? So if something happens, are we both on the same page and understanding what each other is saying. Uh once we get to the plan, we’re doing, you know, an annual tabletop walking through it, understanding it just ongoing touch points. Um uh just where we at with this stuff, you know, cause the latest things going on, how where are you at with making progress on your logging? It’s not an overnight thing.

[00:40:34] Evan Francen: Oh no, no. I mean in order to really prepare your environment for an incident, there’s a lot of work, I mean you should have standardized configurations for a lot of your systems and servers, standardized logging settings, you know, making sure you’re logging the right information, you’re keeping it long enough. I think it’s not just create the plan and be done with it. Right?

[00:40:55] Brad Nigh: I was like dropping when, when you go in and talk to people about and they’re like, yeah, we got good logging, you’re you’re an active directory. Windows environment. Yeah. Do you have powershell logging? Turn on, What do you mean?

[00:41:08] Evan Francen: Right.

[00:41:09] Brad Nigh: You know, Microsoft doesn’t log that by that by default, you have to turn it on. Oh well

[00:41:18] Evan Francen: yeah. And then, and if you talk to, you know, uh like jake Williams malware, jake, you know, on, on twitter. Um uh you mean he’s taught at sands for years on, you know, D. F. I. R. Uh the guy knows what he’s talking about and everyone who I hope will drop a good nugget of preparing an environment for an incident and he would, you know, he’s got all kinds of good stuff about proper log settings, right. And you just hit on one. Yeah and it’s not logged, I mean I this is what I told them to in in Denver you can’t just make up evidence. It’s either there or it’s not if you’re not collecting the evidence it’s not there. Right. I mean it’s just that’s just it.

[00:42:04] Brad Nigh: Yeah. Yeah you can’t

[00:42:06] Evan Francen: and there’s no pixie dust, you know, a D. F. I. R. Analyst or whatever doesn’t have a vial of pixie dust that they bring with them in there, you know, forensic toolkit.

[00:42:16] Brad Nigh: Right. Guess what? It doesn’t exist. I can’t tell you what happened.

[00:42:22] Evan Francen: Yeah. That’s hard to get people to people to get. Which then brings us back to and this is where I hit, you know numerous times to with these people in Denver was just asset management. Yeah. That there’s there’s asset management again and everybody loves asset management, right? You know, I think because nobody’s doing it.

[00:42:44] Brad Nigh: Yeah. I think the problem is people do 2/3 of it right. We’ve talked about this.

[00:42:50] Evan Francen: I mean I’ll take 2/3 of our no thirds

[00:42:52] Brad Nigh: they’ll get hardware and maybe software but the data assets are always, well we kind of know where things are but we know our laptops and what’s installed or you know servers or hardware, you know what where we have it and but I’m gonna talk myself out of it because even then it’s like okay, that’s great. You know who’s where it is, who’s the owner? Uh

[00:43:17] Evan Francen: Well and other things to to inventory in the environment. You know, you certainly have the hardware, software and data. Um but you know, like an identity and access management perspective too. I mean, do you have an inventory of your accounts? Do you know whose privileged access management in too many organizations is just non executable? Right, well, an attacker, what do you think an attacker is going to go

[00:43:41] Brad Nigh: after? It’s your

[00:43:42] Evan Francen: privileged accounts.

[00:43:43] Brad Nigh: Yeah. Which it what blows my mind is I put in place in Gosh, 2000 11 2012 Monitoring for right domain admin group backup operator. Like all those privileged account. And it was just like, well this is what you do. I didn’t right. It just blows my mind that we’re here seven years later and people still don’t get it. And it was I don’t know, I don’t want to sound it just was the right, it’s what you do. How do you not

[00:44:15] Evan Francen: monitor this? You’re starting to sound like me now. So you get fired? What did I do to

[00:44:21] Brad Nigh: you? I

[00:44:22] Evan Francen: I r start rubbing off on, you know. No, I agree man. It uh it just blows my mind. Well let’s take last week’s podcast. Right? I mean you’re listening to loft, you know give that testimony um

[00:44:33] Brad Nigh: 20 years ago and it could have been

[00:44:35] Evan Francen: we’re still talking about some of the same things, man. Yeah and then we keep we just keep adding stuff.

[00:44:41] Brad Nigh: It’s just yeah I don’t know this is what gets me me going is

[00:44:46] Evan Francen: and some people do do good jobs. Right? I mean I have seen good incident response plans. I have seen good incident response teams. It’s and that’s that’s awesome. It just we need more you know if you’re small to mid sized company which is usually the ones that don’t have ones

[00:45:03] Brad Nigh: and the majority of our calls get it come in from You know 20 person company to a couple 100. you

[00:45:12] Evan Francen: know because regulators you know the checkbox people um we’re pushing really hard on disaster recovery right?

[00:45:20] Brad Nigh: But not Ir

[00:45:21] Evan Francen: right? Which is like but I may never get to my D. R. Because you know that there’s a gap in between and

[00:45:29] Brad Nigh: what’s more likely to happen right, catastrophic failure of

[00:45:35] Evan Francen: so drop your D. R. Right now and get your I. R. Down and do them independently to. That was another tip that I gave them even though your I. R. On your D. Are need to be integrated with each other, build them independently and then marry them together.

[00:45:50] Brad Nigh: See where the missus are

[00:45:51] Evan Francen: well and and then the gaps because what happens is we see a lot of people developing an incident response plan thinking about the disaster recovery plan or vice versa and then they never actually get it done because they’re they get so wrapped around the axle about this or that just create your IR create your D. R marry them up afterwards. Right? The integration between the two plans because you have different audiences probably creating those plans to write some will be cross

[00:46:20] Brad Nigh: over some. Right?

[00:46:24] Evan Francen: That’s good. I mean seriously we could talk about Ir

[00:46:27] Brad Nigh: well for days I think we’ll still, you know, we’ll definitely be talking more over the summer.

[00:46:34] Evan Francen: I have a good I think I have an instant response testing exercise this week or maybe next.

[00:46:40] Brad Nigh: So what do you use for that? Because I always like to using my brain, your brain, I liked using the And it was at least 861 or two. The Appendix a or whatever. Yeah. And starting with that and then customizing it for for the organization. Right? Why why reinvent the wheel?

[00:47:01] Evan Francen: Yeah, this one um that I prepared just we just talked about what kind of what kind of scenario do we would it be applicable, what would be really impactful to your business. And we sort of, we created both of these ones actually it’s three custom uh and that, you know, kind of book ended, you know, that’s why I was saying before so created like what’s a potential compromise or a threat that could compromise something that would be impactful enough to where you would call this an incident. And in this case we we chose um compromise of your source code. This is a large, corporate large. Yeah. And this is a large, large environment. And uh and how would you know about it. So if we’re going to go there because we wanted to get the attention of the developers and kind of some of their practices, some of the sec ops stuff. So we started with that compromise and then how you know, blew that up to where would we find out what would a potential impact be? And here it was basically it affects all their stores across the globe thing because they have this code and I don’t want to, you know, give off too much to who it is but their source code, one of their applications controls door access. Gotcha

[00:48:28] Brad Nigh: globally. Yeah, that would be a problem. I got

[00:48:34] Evan Francen: out. So the so the the scenario is a disgruntled developer who who who understands access, who understands the code and it’s not and if you know developers it’s not hard to disgruntled one. Sometimes I can disgruntled a developer pretty fast. So uh disgruntled developer wants to get back at them. So this is a person that would then know the culture. No, a phishing attack that might be more successful than another one. He’s going to fish Another developer already know source called may already have a back door built to just, you know, he just

[00:49:13] Brad Nigh: needs that last piece.

[00:49:15] Evan Francen: Yeah. So that’s kind of the scenario we walk we’re going to walk through this week and what I’m going to start with is you get we’re getting thousands of calls from every store across the globe and nobody can get access into their you know or you know you start with whatever part of the world is going to call first they seem to be like Australia or something. Yeah so yeah I do like the N. S. D. Stuff I think you know as your incident response uh planning gets more sort of sophisticated then it then it’s time to start creating some of those customs test scripts. No

[00:49:54] Brad Nigh: but I’m thinking you know like to use it for because if you haven’t looked at it for those that haven’t it’s really good because it’s got questions around it around kind of and so it gives you a good scenario and and all that and I like to use it and say walk through it and then at the end come back to those questions and say okay did we answer this? Did we answer this? Did we answer that and kind of make sure that we’ve hit all of the main points so.

[00:50:24] Evan Francen: No. Yeah it’s definitely good good guidance

[00:50:28] Brad Nigh: sam. All right well there you go. It’s in response so much. We struggle with uh you know.

[00:50:38] Evan Francen: Yeah I think if you’re if you’re a logical thinker who thinks step by step by step which I guess would be cereal too. But logic for sure. Um It’s easier I think

[00:50:52] Brad Nigh: yeah I think one of the things yeah, that makes you know good for being a good instant responder. You know when you when you hit an incident it’s chaos, right? And

[00:51:05] Evan Francen: sometimes Yeah.

[00:51:06] Brad Nigh: Well, a lot of times, especially when customers are calling in or you’re dealing with things because you don’t know especially the beginning, you don’t know what’s going on. Finding those people that can kinda it slows down. And you know, I was I was enjoyed the chaos because it’s okay. Put it together and well you

[00:51:25] Evan Francen: stay calm and you know the saying right? I mean this is this is my panic face. This is my super exciting face. I mean, it’s just which is nice when you go to an instant response calming.

[00:51:37] Brad Nigh: Yeah. For for everyone. Yeah, like uh Right. Well you’re you’re totally boned.

[00:51:44] Evan Francen: Uh We’ll have I have said before uh you might have been in that incident um right? Where I joked, I was like, all right, so step one of our plan, Everybody’s got their resumes updated. It didn’t go over well, last time it’s gone over well before, but you know, obviously it’s a joke because you you know, you gotta loosen things up sometimes. You gotta break things up a little bit chill. Just relax a second. You know, it’s like be nice to if you could walk in like a glass of cold water and just splash it on the side of his face. You know, I was freaking out. But you can’t do that

[00:52:24] Brad Nigh: Taser. Well we’ll get it right they’re calling. They’re not coming down. Just hates them

[00:52:31] Evan Francen: now.

[00:52:33] Brad Nigh: All right so quick hit on some news. Um uh These were pretty interesting. Um you know so they’ve come out with another exploit for note pad to pop a shell of a threat post. Um That was I thought that was interesting to read uh you know not not anything. I don’t know what we can really do about it but

[00:52:58] Evan Francen: well and there’s still a lot of debate on what the you know how exploitable it actually is because no pad is so you know it doesn’t have a lot of functionality right? There’s no D. Com there’s no um So

[00:53:12] Brad Nigh: it’s still kind of fun to read.

[00:53:14] Evan Francen: Oh yeah for sure. It’s definitely fun to read and I think it’s newsworthy. Um And I thought you know as you read that post or read that article um So it’s Tavis Ormandy part of the google project Zero is the one. And he thought and he posted on linkedin, am I the first one to pop a shell and no pet. And I thought it was interesting because she Chaouki Bekar he’s the What is he from? He’s from 00 d. um Did they buy zero days? Right? Um He’s like well no you’re not the first person but you’re the first person that reported it to Microsoft and I thought what a jerk kind

[00:53:56] Brad Nigh: of yeah

[00:53:58] Evan Francen: yeah whatever. And it’s just no, you’re not the first one we were, you know,

[00:54:04] Brad Nigh: Right? Yeah. Well what goes back to that whole ego thing we talked about a couple of weeks ago, whenever.

[00:54:09] Evan Francen: Right. I mean you guys excited. He found something and he gets to report it and he did go through responsible disclosure. Yeah, yeah. You know, whatever this is the political stuff in our industry. But you know, it’s interesting dan Kaminsky, who, you know, is a sort of a pioneer in a lot of respects in, you know, in our field had some good comments on it to um,

[00:54:35] Brad Nigh: yeah, it’s a good read. It’s interesting to kind of read the, basically the, you know, ends up being a memory corruption. But yeah,

[00:54:43] Evan Francen: it’s good. And did you hear the name? He, he was going to give it. So he was asked by, you know, our mandy was asked what he would call the bug. No, bad note, bad. Seriously. Well, if it’s got a name, it exists I guess. Yeah.

[00:54:58] Brad Nigh: Uh, second one is definitely a little bit scarier. Uh, over almost a million devices vulnerable to Blue Keep, which is the Windows rdp worm were mobile, uh, vulnerability that was released, Microsoft released a patch in May still over almost a million devices. Again, it doesn’t seem like a lot, but I mean, it seems like a lot, but it’s a small percentage of devices, but a million explainable war mobile. Right.

[00:55:32] Evan Francen: But that’s that’s a little scary when we see a lot of configurations to where our gps actually on, you know. Yeah it’s exposed to the internet but it’s on an internal network to right where there are maybe hundreds of other RTP systems. So yeah, that just doesn’t account for those internal systems that

[00:55:53] Brad Nigh: if you get in now all of a sudden. Yeah, this is internet facing million machines.

[00:56:00] Evan Francen: Yeah. I thought um you know the blue keep scanner project, you know, and now it’s in medicine plate. So yeah, you know, this is a module municipal it for testing Um only affects XP Vista and Windows seven machines. Windows eight and 10 boxes are yeah, affected um But it also affects Windows Server 2003 and 2008 systems 2008 systems I think are still in uh to the end of this year. Yeah are still in uh support maybe. But I mean this was big enough for Microsoft to issue an actual patch for Windows XP with Invista. So it’s a big deal. This is a patch, patch or upgrade or isolate if you can’t patch or upgrade then isolate.

[00:56:48] Brad Nigh: Right? Yeah. I mean turn off RTP.

[00:56:53] Evan Francen: Right. And if you have to have already p and then you know, use some uh you know, network level authentication or you know, block it.

[00:57:00] Brad Nigh: Yeah I think the million.

[00:57:04] Evan Francen: Oh no um

[00:57:06] Brad Nigh: people have that many people already be open to the internet anyway.

[00:57:11] Evan Francen: Well yeah, I don’t mean having already be open to the internet alone is like someone should slap your wrist if that’s like the only architecture that would work you know, than two factor authentication and you know, make sure it’s updated, make sure it’s patch. I mean anything that you’re putting on the internet better be hardened, right? Didn’t

[00:57:29] Brad Nigh: it wasn’t blue keep like it basically it doesn’t matter if you have the multi factor.

[00:57:34] Evan Francen: No it doesn’t but it does matter if it’s patched, right? Yeah. So I mean harding those hardening those systems but if you have an RDP system that is patched that’s using single factor expect that to be tipped to. I mean those are such attractive targets.

[00:57:50] Brad Nigh: We had we had somebody to argue with us on a pin test that having RdP was opening the internet wasn’t a high risk because they had multi factor like

[00:58:02] Evan Francen: well

[00:58:04] Brad Nigh: this was like

[00:58:05] Evan Francen: less or high risk maybe, but high risk but

[00:58:07] Brad Nigh: it was yeah, it’s still a high risk. It’s still a risk but there’s other options anyway. All right. Um

[00:58:16] Evan Francen: So I just wonder when that exploit is coming.

[00:58:19] Brad Nigh: Oh I know

[00:58:20] Evan Francen: and then it hits because that’s gonna be a it’s already there. It just hasn’t gone yet. Excuse

[00:58:28] Brad Nigh: Next couple here, 93% of companies are over confident of their ability to stop data breaches. This is from Info Security Magazine. Um and it was talking more about privileged access management abuse. Um but You know, I think they said 80% of organizations were found not to have a mature approach to combating Pam cyber attacks. But the 93% of those organizations surveyed believed they were somewhat prepared. So ah see They don’t take the simplest of measures saying they don’t use a 52% said they don’t use a password vault And they said they did 1300 organizations across 11 verticals. Uh 43% were identified having quote unquote, non existent pam approach. So All right, wow. Yeah. Yeah. Good luck.

[00:59:21] Evan Francen: Those are the keys to the kingdom of people. Yeah. Well, there’s mhm. It takes work. You know, and I think, you know what, it’s a there’s a lot of things take a lot of work and you know, it comes down to doing a good assessment, prioritizing your approach and not being afraid to do work. Stop looking for easy buttons on everything. I mean, you’re actually going to have to work believe it or not. And

[00:59:49] Brad Nigh: yeah, I see this. Look at this is where I get some

[00:59:52] Evan Francen: people might get offended, Some people might be resistant, but you know, you just have that’s part of our game, right? Is working around with through those things to get them to happen. But I mean

[01:00:05] Brad Nigh: if you do it, you know, going back, I was using password vaults for service counts and domain, you know, level accounts backup accounts seven years ago. Come on, there’s no excuse at this point. Anyway,

[01:00:23] Evan Francen: uh, in the, in the study, I mean, I always look at these studies because I’m such a skeptic now. I mean, I’ll probably always have been, but the study was, it was also commissioned by Central Fi. Well,

[01:00:34] Brad Nigh: yeah, I’m sure they had some leading questions, but, but, but I mean, realistically those numbers from what I’ve seen, it’s not, probably not that far off. It’s not surprising given what we see. It’s rare and yeah, there’s so many good options and it doesn’t have to be, Yeah, it’s work, but it’s not, yeah, it’s a lot less work than recovering from an incident.

[01:01:02] Evan Francen: Oh yeah. Hell yeah,

[01:01:04] Brad Nigh: for sure. Anyway. All right. Uh, two more real quick checkers and rally’s victims of the data breach. This is on info, security magazine.

[01:01:14] Evan Francen: What’s a data breach to find breach? No, I’m just kidding.

[01:01:17] Brad Nigh: Yeah, data security issues involving malware at certain locations. So yeah, they, they had their point of sales system compromised. Yeah,

[01:01:31] Evan Francen: yeah. We don’t have any checkers or rallies here in Minnesota, do we? I don’t

[01:01:35] Brad Nigh: think so. I know a lot more kind of in the south and lower midwest.

[01:01:40] Evan Francen: Yeah. In these breaches, you know, it’s kind of funny now credit card breaches, it seems like nobody really cares anymore. But you know, because I don’t have to pay anything as a victim right, directly out of my pocket. But the thing that people don’t realize is that banks and financial institutions are not in the business of losing money.

[01:01:58] Brad Nigh: It’s going to get passed along,

[01:02:00] Evan Francen: right? So they’re going to raise fees, raise rates something to cover those costs. So you should care because you pay more for stuff because of this. So it’s not like you stop going at checkers but you know certain I don’t know, expecting some accountability somewhere for some of this

[01:02:22] Brad Nigh: you think uh And then last one uh of of naked security just a minor issue on this one potentially unpatched docker bug allows read write access to host. Os.

[01:02:35] Evan Francen: Oops. Yeah that’s another. Oops. So we should call this the ups podcast.

[01:02:40] Brad Nigh: Um But yeah that was it was interesting read if if you want to kind of go through it. But you know, it’s basically the way that they, let’s see, I’ve got to find it here. Um There’s a follow sim link in scope which resolves file pass given to the docker container system. So it creates basically created a race condition and if you could interfere with that, you get read write as root user on the host. Os. So. Uh huh.

[01:03:18] Evan Francen: Yeah. Well in the N. V. D. You know ranked ranked the bug severity is high. Um But dr security engineer Justin Cormack uh did put some context on it. So it’s not like run for the hills but you know, be aware of it.

[01:03:34] Brad Nigh: It exists. You have to know that. Yeah, probably the likelihood is fairly low, but right. The impact would be really high. It would suck some anyway. There we go. I. R. News, that’s it, that is it. So I think uh yeah, we could as it says in the notes, we could talk I. R. Every week and may just make us the I. R. Podcast but uh never run out of material, especially news stories, because it took me five minutes to find what multiple breach reports

[01:04:13] Evan Francen: which raises awareness. You know, in, you know, sometimes you look at the news and you’re like, oh my God, the sky is falling. But you know, it’s not it’s just there’s just a lot of work to do. And and uh some of that work is preparing for when these bad things happen. Don’t be caught with your with your pants down. So

[01:04:31] Brad Nigh: do do the hard work up front and it’s a lot less painful then, you know,

[01:04:39] Evan Francen: pays dividends. And that was another thing. So if you just walk through the logic, right? You know that no matter what you do, you cannot prevent all bad things from happening. Right, okay. So everybody agrees with that. So then what is your plan? Should something bad happen?

[01:04:53] Brad Nigh: I’m calling you?

[01:04:54] Evan Francen: That was another question. Yeah. Well that was another question I had asked to is like has anybody here been deposed? Yeah. And nobody, nobody in the audience raised their hand and I was like, well, let me tell you what it’s like. You know, you’re sitting across from opposing counsel asking you difficult questions about the series of events that took place. And one of the questions they might ask is you realize that no matter what you do, you can’t prevent all bad things from happening, correct, correct. So knowing that uh, tell me about your incident response plan, I don’t have one. Oh, when you call yourself an expert. Yeah. I mean it just there’s just all kinds of ways, you know, so build these things, do these things to the best of your ability to not only help your organization, the people that actually pay your salary, not to mention the customers who pay the company that pays your salary. But yeah, I mean think about yourself to in terms of your defense ability. And I’ve heard some people say, well, I don’t really care. I’ll be fired. Anyway. That’s a that’s a really that’s a cop out and some smack you

[01:05:56] Brad Nigh: that No. Yeah, I would I recommend replacing that person sooner rather than later

[01:06:03] Evan Francen: and hopefully out of the industry,

[01:06:05] Brad Nigh: wow. Alright, so thank you Evan. Um, don’t forget you can follow myself or Evan on twitter. I’m @BradNigh and Evan is @EvanFrancen and email us at unsecurity@protonmail.com as rap and have a great week.

[01:06:22] Evan Francen: Let’s have a great week.

[

/by