Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_00 (00:00):
Welcome to the CISSP Cyber Training. Hi money with Sean Gerber. We can provide the information you need. CISSP and roll your cyber trickery.
SPEAKER_01 (00:25):
Good morning everybody. It's Sean Gerber with CISSP Cyber Training and hope you all are having a beautifully blessed day today. Today we are getting close to the Christmas holidays, and we're excited about that. We're probably about three days away, so it's pretty awesome. My grandkids are coming into town, so that is an awesome piece of this. It's going to have a little two-year-old and a five-year-old
(00:46):
running all over the place. So exciting, exciting. They love this time of year. And for me as a Christian, I love it as well. It's an amazing time for me. I just, it just, it's like super special. So it will come and it will go, and then it'll be in January and it'll be cold. Then you have to deal with the cold. Depending on where you're at, it may not be cold if you're in the southern hemisphere.
(01:06):
It might be actually kind of warm. But for us, it's going to be quite, quite chilly. So, but before we do that, or actually not before we do that, we're going to quickly get into today's, which is again over domain 7.6. I don't know if I mentioned that or not. Domain 7, we're in 7.6, conducting incident management. That's the overall plan for today. So as you're listening to this at home with a book by the fire
(01:29):
and you're wanting to fall asleep, you will turn on this podcast. Else you might be still going into work before the Christmas holiday, so you may want to listen to it then. But before we get into that, we wanted to talk about an article that I saw in InfoSec magazine, or Infosecurity Magazine, I should say. And this is around a thing called the Scripted Sparrow, which sends millions of BECs, or business email compromise emails,
(01:53):
each and every month. So as you guys are well aware, and we've talked about it numerous times on CISSP Cyber Training, business email compromise is a big thing that most corporations are struggling with. And it's real; relatively speaking, it can be an easy fix depending upon what you put in place. But there's still tons of organizations that are falling
(02:16):
victim to this business email compromise, social engineering attack. So who is this Scripted Sparrow? Now, Scripted Sparrow, they're an active BEC threat group that is basically being tracked by Forda. And they operate in basically a collective group of sharing templates, infrastructure, and techniques. So it's a group of individuals around the globe that are doing
(02:39):
this. And with social media and with the capabilities of now having various servers around the globe, they can do this and they don't really have to be in the same location. Now the people that are attacking folks around the different countries are from South America, Nigeria, Turkey, Canada, and in the United States as well. So they're using these templates, they're targeting individuals, and they're basically trying to impersonate
(03:01):
executive coaching or professional service firms. So if you have an executive coaching or professional services group within your organization, or you've worked with some outside consultants on that, you might be one of the targeted entities around it. So they target the accounts payable and their finance teams. Well, and why do they do that? Because they're the ones that control the money.
(03:22):
So they will target them. So I've done this in the past when I was a CISO. I highly recommend, I strongly recommend, that you go talk to your finance teams and your HR folks and get with them and walk through what a business email compromise is. Step them through step by step by step and what they should be worried about and what they should be concerned about as a
(03:43):
business, as a company, worrying about the business email compromise aspects. Now, as they're targeting accounts payable in the finance teams, they're wanting to basically get those folks that are going to be sending money. They're usually the gatekeepers that keep the money for the business. They're the ones that do all the money transfers. So why do they target them? Because they're the money movers. They're the folks that will allow the money to actually
(04:05):
leave the organization. And they use realistic email reply chains to simulate that there has been some level of internal executive approval. And they just basically say yes. They find out information about Bill, who's the CEO or whomever. And Bill then has this email back and forth with, air quotes, them, saying that, yes, I've agreed to have you send some
(04:25):
money. Please send some money. And then they send this to the finance team saying, hey, Bill has allowed us, wants to get paid, or wants us to be paid, why are you not paying us? And they always put in a sense of urgency. They do all kinds of different things to make you want to get it done very quickly. However, it is a scam. And because of the scam, you should think twice about any sort of money that's leaving the organization.
(04:47):
Now they'll send fake invoices with W-9 PDFs. Now, if you're in the United States, a W-9 PDF basically all it does is confirm your business identity. And you have to send in, we call it an EIN number, but it's the employee identification number, and that number will then be tied to a business. And so usually most companies will say, hey, send me your W-9. And you can make a W-9 any way you want to make it.
(05:10):
And you can make it very fictitious, you can do all kinds of crazy things. Ideally, a company, when they see a W-9, they should pull your EIN. They should then compare it to what is out there and what the IRS has or your state and local entity. If they don't do that, then you're now in a situation where you could just make up an EIN. It doesn't really matter. So they send out these W-9s requesting an ACH or a wire
(05:33):
transfer, and the transaction amounts have often just been set below the approval thresholds, which most companies have, which may be around $50,000. So an approval threshold is maybe you have a second party. So you have separation of duties, SOD is what it's typically called, and you may have someone in your company that has to approve an amount below or above a certain
(05:54):
threshold. They've set $50,000. So they've, I guess they've seen enough of these situations where $50,000 is the threshold in which it must be sent for approval. So they'll send it below that amount. It might not be $50, it could be $25. The point doesn't really matter. They're just trying to really reduce the amount of barriers that people have to be involved in that actually have
(06:16):
to approve the email being sent. So again, that's an important part. When you get with your finance team, ask them if there's a threshold amount, what is that threshold amount, and get to know what that is. There might not be a threshold amount. It might be where if any email comes in, it has to get approval from a second person. And I would highly recommend you do that.
(06:36):
A petty cash amount, like, well, it's a thousand bucks. You know, death by a thousand cuts when they're a thousand dollars, that can really hurt you. So you just want to make sure that you have that worked out with them. And they may say, you know what, if we lose a thousand dollars, it's a big deal, but it's not a big deal, and they're willing to accept that, then that's okay too. So again, education is really truly the key on all of this.
(06:59):
So they have a newer tactic that they're using where they delay sending payment details until the victim actually replies, confirming the engagement. And this is a marketing strategy. I mean, I have marketing strategies with CISSP Cyber Training, they have them as well. So if you don't answer, then they don't send it out right away. Now, they probably have a threshold in which, you know what, if you don't answer it, we'll send out a tickler, like a
(07:20):
second email or a third email. And then if you don't respond, they'll probably just send it to you anyway, just to see if you'll click on it. So for them, the cost of entry is extremely low, right? It's just an email and some time. And with AI, they can make it super good. They don't even have to have a lot of time invested. So it's easy money for these attackers. And so that's why, guess what?
(07:40):
There's gonna be more and more of it. So we talked about where they're actually from. They demonstrate how BEC will remain one of the most financially damaging attack types, despite how technic, the technical, I can't even say that, despite how low it is from a technical standpoint, right? It isn't hard to create an email. And the BECs, they can be very damaging, especially
(08:02):
because most people think, well, if you're in business, you make lots and lots of money. I will tell you flat out, no, that is not the case. Now, there's probably big corporations that make gobs of money, but let's put it in perspective. So if you're a business and you make 12%. Now, I worked at Koch Industries, and one of the big things we wanted was you had to have a business that made at least 12%. So your business every year had to make 12%.
(08:23):
Some years it made 12%, some years it made 20%, some years it made 6%. So you just didn't know. It had to make at least 12%, is what they wanted. Well, so if your business is making, say, 12%, that's pretty darn good. Now you have 100%, say you sold a million dollars in whatever, and at the end of the day, after everybody's paid, you made
(08:44):
$120,000. So that's not you as a person, that's your company made $120,000. So you have to go and sell lots of stuff to make significant amounts of money. And most companies, I'll say 12% with Koch, most small businesses and many businesses outside of small businesses, their margins are around six to less than 10%.
(09:06):
So you real quickly have to go through a lot of stuff and sell a lot to be able to make any sort of profit as a company is expected to make. So you have to go through a lot of stuff just to make any money, is what a company is expected to make. So again, margins are tight. And if you go out and lose $50,000, and let's just say, for
(09:28):
example, your margin for the entire year was $120,000, but you just lost $50,000, you lost 50% of your margin. That could end up in some businesses putting them out of business. So it's really important for you to understand that, or you guys get it, but that their impact for some of these small businesses, especially, it can be catastrophic.
(09:49):
It can be just very, very damaging. So some key defensive aspects you need to be considering. Email-based payment requests must always require out-of-band verification. So if someone comes in and says, hey, I want an email, you got to have a second person that looks at this. And that would be a separation of duties piece. So if you get it, the secretary gets it, the finance person gets it, they send it to the executive council, they have
(10:13):
to approve it. Or even better, you don't send it to them because you could assume that the emails might be compromised. You get on the phone and you call them. So there's lots of different ways you need to put in place around that. So finance workflows, again, they also could be important. This is not just security controls, they're the primary attack surface. So you need to really truly understand your finance workflows. Talk with your finance folks and make sure that they understand
(10:35):
them and you understand them as well, especially as a security professional. Okay, that's enough about Scripted Sparrow. Before we get into the training today, I wanted to quickly talk about CISSP Cyber Training. Head on over to CISSP Cyber Training and get access to all of the content that's there. It's available to you. So if you're actually interested in studying for your
(10:55):
CISSP and you're listening to this podcast, so you must be interested in your CISSP, head on over to CISSP Cyber Training and get access to all my free content that is available to you as well. And that free content will help you in your self-study plan. It's going to give you some of the key things that I wish I would have had when I took the CISSP exam. It was stuff that I was struggling with. I put it all in my free content to help you with that.
(11:18):
One thing I did do though is I also created a blueprint, and my blueprint will step you through the CISSP exam step by step by step. Now, this is all part of my paid products that are available to you, and these products will help speed up even faster your self-study plan with utilizing my blueprint and the other aspects around it that are tied to it. I've got over 1,700 CISSP questions.
(11:41):
I've got a 250 question exam that's coming out here in the next couple weeks. I have a lot of stuff that's free and available to you. It's also got mentoring that's available. You can get mentoring specifically around your career, as well as if you are a professional that is looking for CISSP or cybersecurity resources, I have that available as well at CISSP Cyber Training.
(12:04):
So head on over there, get your free content, sign up for my newsletter and all my emails, and you'll get free questions and so forth. And on top of that, I'm here to help you pass the CISSP exam the first time. Okay, so let's get into what we're gonna talk about today. So, incident management, what is incident response? Now, we'll talk about this routinely through this program.
(12:24):
Incident response is a key factor in what you need to do. As I'm working as a consultant right now for a company, I am working in building out their incident response process. An incident response is, what exactly is an incident? Oh, you need to know what that means. Because the reason I say that is you're gonna have regulatory requirements that are gonna be focused on the incidents themselves. And you need to understand how is an incident defined within
(12:47):
your company and what should you do related to that. So you're defining an incident, it is a negative effect on the CIA triad. So your confidentiality, integrity, and availability. Anything that is affecting those three would be considered an incident. Now we talk about you have events, you may have situations, you may have different terms that you're gonna call up, but
(13:08):
if you have an incident, it has a dramatic negative effect on your confidentiality, integrity, and availability within your company. It's also considered an unplanned interruption, such as it could be a patch that you pushed out that was not good. It could be a natural disaster that could happen. It could be the, air quotes, stray backhoe. And if you have heard me say this time and time again, the stray
(13:31):
backhoe is your nemesis. Yes, they will put you in a state of fervor because these guys that are digging and filling, they will invariably hit a fiber optic line and then everything goes down. So, yes, your stray backhoe will do that to you. I've seen it time and time again. And actually, I have more problems with backhoes or people doing construction than I have with anything else as it relates
(13:54):
to outages, unplanned outages. Now, outside of a cyber attack, right? So, computer security incident, you again, you want to understand the common result is of an attack that's coming in from somebody that's going after you or your products. So the NIST definition in 800-61 is a violation or imminent threat of violation of computer security systems and policies,
(14:15):
acceptable use policies, or standard security practices. That would be an attack, right? So you're understanding that your incident is occurring. You've got a good plan of what is an incident defined by you, and not just defined by you as a security professional, it is defined by you and your team of lawyers and your HR folks and every compliance folks, all those individuals are all
(14:37):
involved with you. So that is why the incident response process is such an important part that you need to have it defined, well defined and well exercised. So there's some different types of steps that are tied into your incident response process. We've got detection, where you're focused on getting something that's gone on. How do I detect it? How do I deal with it? How do I manage it?
(14:58):
Your response, what are you going to do from responding to this situation? How do I respond to it? You know, I go and I have an area that comes up and I go, what do I do? I don't know. Your mitigation comes into what are you doing to mitigate the situation after you've responded to it? Your reporting, who do you talk to? Are there compliance requirements related to regulators that you have to talk to?
(15:19):
Do you talk to your senior leaders? I don't know. You have to decide which ones are the folks that you have to end up interacting with to let them know a situation has occurred. How do you recover from the situation? So when an incident occurs, recovery is most important. It just truly is. You can have all these great things, you detect it, you mitigate it, you respond to it.
(15:39):
But if you don't know how to actually recover from it, you just sit there stuck in a broken state. And that is not a good place to be, believe me. Then you want to remediate. How do you remediate the threat after it's occurred? And then lessons learned or hot wash. In flying the B-1s, we used to have a hot wash every time we flew. And when you flew, you went out, you did your flight, we
(16:00):
would take off, we'd do our low-level bombing missions, we'd land, we'd drop the bombs, we had targets we had to hit, we'd come back, we'd then land, we'd put the airplane to bed, we'd then come back and talk about it in our debrief. And a hot wash for us, so we'll typically put it in a situation, is about a four and a half to five hour mission. We would go out, we would have about an hour, hour and a half
(16:21):
hot wash at the end, and we would walk through what did we do? Okay, here's we went in, we took off, we went and did, we flew this altitude, we took a tanker, we then talked about the tanker, we went into the low-level route, okay. From here, we came back, yada yada yada. We went through the entire flow of the approach to landing, or from takeoff to landing, with the B-1.
(16:43):
And we went through each one of those to determine where are some areas we made mistakes at. We took notes on what we made mistakes on, and we therefore then implemented changes so that we could make changes to those mistakes that we made. Same concept in the event of an incident. Now, the thing you have to keep in mind is you want to make sure that you do a lessons learned, not just for all incidents, but
(17:03):
for all of your exercises as well. You want to take a very programmatic, programmatic, programmatic, yeah. You want to take a step-by-step approach. Yeah. You want to take a step-by-step approach on how you look at the lessons learned from your event, whether it is planned or unplanned. Because by doing that, you get a really good grasp of what you need to do differently for the next event.
(17:25):
Now, some key aspects around this. You have your initial indications of an event. Now, this can be extremely narrow. You may not even know what is actually going on when you first get this incident or event that occurs within your organization. It could be very small and insignificant to the point of going, you know, it's just a blip on the radar.
(17:46):
Now, the tools have gotten much better. AI has been very helpful. In the past, there's been so much noise that's there. You don't even know what's real and what's not. But what ends up happening is by having these different types of tools that are there, it can help give you a little bit better indication of what is something that could be occurring, or is it just noise?
(18:07):
So, ransomware, I've had this situation occur. It pops up in an organization way down in the bowels of my company. And an individual will go and say, oh, well, let's just not do anything about it, let's just ignore it. And in the process of ignoring it, what happens? It starts to spread. And next thing you know, I've got a full-on four-alarm fire
(18:27):
going on in one of my facilities in a location that's not real easy to get to. It's on the other side of the planet. And because of that, now I'm getting delayed responses on the incident that's occurring. So again, they can be very small and insignificant, but they can bring the house down. Those ransomwares are bad, bad juju. So the network goes down.
(18:48):
All of a sudden, now you have a bigger problem, right? So you have a ransomware pop up, now your site goes quiet, and now your network goes quiet. Now you've got so many challenges you're gonna have to kind of unravel. So the detection mechanisms, you need to have various ones in place. Now, ideally, and I'm gonna do a podcast around this company here in the future because I think there's a lot of great tools that are out there that are available to people.
(19:10):
People just don't know what to do with them or how you should manage them. So there's a company out there called Centripetal, and what they do is they take all the intelligence feeds and they will get them ahead of time. So if something comes into your organization, they will actually stop it from even hitting your company. So it's kind of like a tailored DDoS protection in some respects, more of a spear phishing, a tailored
(19:33):
spear phishing attack kind of thing. I don't know how to explain it, but bottom line is they're a really good company. Centripetal. If you go out there, you google it, you'll see what you can find about it. But there's a way to help stop the attackers from coming in from the front. There's also intrusion detection and prevention systems, IDS/IPSs. You have honeypots, these will flag for possible intruders
(19:54):
within your company. You have automated rules to flag on different types of log files, especially as it relates to your, if you have AWS or Azure environments, how do those different ones work with your different types of log aggregation tools? Individual user reporting. These are all the different pieces that are tied to that. Are individuals able to report that there's a problem? Do they have an easy button to mash and say, hey, we have a
(20:16):
problem? Click on the link. So all of those are different things that can be done for detection mechanisms to help you. I would highly recommend that if you have an email provider of some kind, that you build that into your email, that there is an easy button where employees can actually go push a button and say, I want to report a phishing incident that might be occurring within your company.
(20:38):
By doing that, they're usually the first sets of sensors for you to see that there might be a problem. So I'd highly recommend that you work with whatever company you have to come up with that if they don't already have it. Now there's a company I know, KnowBe4 is one of them. They actually already have this situation where they can incorporate it within your Gmail accounts or your Outlook
(20:58):
accounts where they can just have a report phishing button in place. Now, your process is vital. You need to really have some sort of processes in place when you're dealing with detection because if you don't, you'll be chasing ghosts all the time. And these ghosts are in your network, they are real and they are also phantoms. So you may have an individual who's there that's
(21:19):
acting like, going against your company, and people are seeing issues, and so they are going to report them. But you're also gonna have these things that pop up that are kind of unique, and people will maybe be trigger happy and say, oh, I see a ghost, I see something, something's going on, and they let you know. And then you go and you dig into it, and there's nothing there. And then they let you know again, and you dig into it, and
(21:41):
there's nothing there. But if you don't have a good process on how to handle this, you're going to understand that you're gonna have problems. You're gonna end up chasing all these rabbits and you'll never catch any of them. The ancient Chinese proverb that I talk about on the podcast is a man who chases two rabbits catches none. And I think it's been twisted and moved in different, different ways, but bottom line is if you chase too many
(22:03):
rabbits, you're not gonna catch them. So you want to make sure that you understand what are the processes for your company so that you know how to deal with these situations when they do pop up. Now, the ghosts that are out there, one of the comments was, I was the ghost. Yes, I was. And I would be very careful on what I did when I was within your different companies' organizations.
(22:24):
And the point was to then just hide in plain sight. I was very careful with what I did within your company, not to trigger too many alarms and be very stealthy and very stable. So to keep in mind that the different perspective is that when an attacker gets in your environment, there is a rush to get into your company as fast as you possibly can.
(22:44):
However, and get your toehold. But once you're in, then it's a low and slow approach. You want to make sure that you are taking your time and that you don't burn the credentials that you have. You don't want to give them any sort of sense that you are there for them to start implementing and doing lockdown on you. So again, small instances get overlooked as noise.
(23:04):
You do want to make sure that you're watching for the noise. There's third-party services. Do you have third parties within your company? And in most companies, they are outsourcing many different things. Do you have a process to deal with your third parties? That's an important part of all of this. So when you're dealing with response aspects, response will vary depending upon the incident.
(23:25):
The process to respond, you need to have built for this specific incident you're going to have. So when it basically comes out, not for each incident, but you should have that, okay, if something comes in, what is the next process? What are we going to do? Once that happens, what is the next process? What are we going to do? At any point, you can get an off-ramp on any of these processes so that you can then end and terminate the incident
(23:47):
where it's at. If you go chase a ghost and you find out there's nothing there, you end the process. If you chase a ghost and it finds a little bit more of a breadcrumb, you continue on the process. So the goal is you need to have an overall situation, a system set up to respond to all of your incidents that you have. Your legal and crisis teams need to be pre-positioned and ready
(24:08):
to go. What does that mean? It means you need to have talked to them. You should have talked to at least your crisis team and your legal team at least once prior to having an incident within your company. Because if you don't, you will be talking to them a lot and you will probably be confusing and making each other unhappy. So you want to make sure that you talk to them before you have a situation.
(24:29):
Don't address this in the middle of the crisis. You want to do it ahead of time. Now, your cyber computer incident response teams, basically your CIRT or CSIRT, these are teams that are set up specifically to deal with the overall incident. They could be people that are internal to your company. They could be outsourced. There's people that are on a bat call, bat phone, to be
(24:51):
able to answer and respond to any sort of situation you may have immediately. Now, they come at a high price, but they are there for you. There is a company I worked with at Koch, and I can't remember the name of it. There's various companies that do this. They are on the hotline, ready for you in the event that you have a situation. Now, these are typically going to be involved from the
(25:13):
beginning of the situation, of the incident, of the process to the end of it, to when you finally declare we are done. And then once we are done, that's even after the hot wash, they would be involved in that as well. So once you put a bow on this thing, you wrap it up, and you're getting ready to shove it onto a shelf for posterity, that's when they are done.
(25:35):
Now, a third-party retainer, again, if you're going to be dealing with a third party to help you with this, I highly, strongly, increasingly stress, do this now. Get with your legal teams and talk to them today. Don't wait, talk to them today and say, hey, we need to do this because the challenge you're gonna run into is if you want a third party to help you with this, you're gonna need to
(25:56):
get the legal paperwork done ahead of time. And you're probably gonna have to put them on retainer of some kind or fashion, which basically means you're gonna have to pay them a bunch of money for them just to kind of sit there and wait for you to call them. And you may never call them and you're just gonna continue to keep paying them a bunch of money. And the purpose, though, is that if you do that, you now have the ability to call them and they will immediately come and help
(26:18):
you with the situation. Now, if you have a team that can handle this, then I would highly recommend that you, if you're gonna, like, say you're in the initial birthing place for this and you're standing up your security operations team, I would, in the short term, probably pay for somebody like that while you are building up that capability within your own company. So it's just something to consider.
(26:39):
I would probably pay the money, put them on retainer, have them ready to go, but then have a plan in the next two years, you're gonna put yourself in a position where you have a team that's dedicated by your own professionals in your company. And they don't have to all be security people that are gonna help you with this, because ideally, most of your security people don't deal with the network like your infrastructure
(26:59):
folks do. So you're gonna have a team of many different folks that are involved in this, but you can do this with an internal team. You just have to have a plan on how to do it. So in the short term, I would highly suggest that you get a company to help you with this, your third parties, to do the overall, just having them on phone call on retainer, but until then, and then build out your team and just have a
(27:22):
one to two year plan, depending on what you're going to do. Evidence preservation is a key factor. You want to have chain of custody in case the procedures are, and have these procedures defined within your company as well. So if you are gonna say someone attacks you and you feel that, you know what, we might eventually have to sue somebody or take somebody to court, if you don't have evidence preservation and you don't have a process to deal with it, it
(27:43):
didn't occur. You just spend a lot of money and you're not gonna get any love out of it. You're gonna be really, really, really upset. So what's gonna happen is you're gonna be super upset because you spent all this money, and then you're gonna be even more upset because you can't go after these people because you didn't preserve any of the evidence. So just keep that in mind. You wanna make sure that you have an evidence preservation process.
(28:04):
Trained personnel. We talk about internal and external. Again, they need to be able to assess the damage, collect the evidence, report the incident, and recover procedures, right? All these things are an important factor in what they do. If they're looking at it and they can't assess what's actually broken, it's really hard to know what you should fix if you don't know what's broken. They also should be the people that are trained in your chain
(28:24):
of custody process aroundcollecting of the evidence.
If you don't, if they can'tcollect the evidence, then you
have a big problem.
Uh so you just, again, this isjust training.
This isn't rocket science, guys.
This is truly not hard.
You can do this.
You can come up, especially nowwith the different chat GPTs and
Gronks and everything else thatare out there from an AI
(28:45):
standpoint, you can come up witha decent training plan for your
people around these differenttopics.
And then it will do a good job of giving them the information they need to be successful.
But you need to have the ability to collect the evidence that's going on.
You want to report an incident that's going on.
How do you report it?
Okay, so do you just report it to your CEO and say, huh, not my
(29:05):
problem anymore?
Probably not.
In today's world, we are highly regulated.
And so if you are dealing in any sort of the financial industry or healthcare industry, you have reporting instructions you have to do.
I had to do it in the manufacturing space as well.
So it doesn't really matter where you go, you are going to have to have some level of reporting.
Just plan on it.
It's not the norm, I should say, it's, what is
(29:27):
that?
It's normal to report to a regulator.
It's uncommon to not report to somebody.
So I would just have a plan on who you're gonna report to.
It may just be that you have a good plan to report to the board.
That's fine, but you just need to have a good reporting process in place.
Recovery procedures, what are your recovery procedures and how are you gonna deal with getting you back online?
This comes down to resilience.
(29:48):
You need to have a good resilience plan related to your organization to keep it up and going.
Now, mitigation.
What are some key aspects around this?
The goal of it is to limit your scope and the effect of the incident as well.
So it comes in and it starts nuking part of your business.
You want to keep it contained.
If it's got to nuke something, only nuke a part of
(30:09):
it.
Only take out a small section.
Because the point is, if you are a business owner, or your company's a business and it makes money, well, it has to make money, otherwise you wouldn't be employed.
You want to limit the amount of damage to the business units that are actually making income for your company.
So if this thing is starting to spread like a virus, you may have to cut off your foot to save the body.
(30:29):
And one example I had was we had multiple companies around the globe, and we had a plan that if a ransomware attack took out one of our facilities, what would we do for the rest of the body?
We were willing to cut off the foot to save the body.
And this is a big factor that you're gonna have to deal with with your CIO and your CISOs, which is that part.
(30:50):
If you don't have that leadership and you are that leadership, you need to understand all of your remote locations and which ones, if something were to occur, how can you sever that connection and still keep business operational?
This will come down to your business impact analysis that you'll have to do, and this will help you kind of analyze that as well.
This is a process, guys.
This is so far beyond the CISSP that I'm
(31:14):
not beyond it.
It's the fact that these are the things you're gonna need to know for the CISSP, but you're also gonna need to know as a security professional.
These are really good nuggets that are gonna help you in your experience.
In real time, you need to avoid the attacker from gaining additional access, and then you also need to avoid the attacker from knowing you are aware.
Again, once they know you know, now you're in a
(31:34):
game against time.
They may have logic bombs set up throughout your organization that if they know that you know, they will set off.
And if they set those off, then it brings the house of cards coming down.
So if you are aware that someone's within your organization, you're gonna need to take steps quickly to mitigate them, to shut them down.
But knowing full well the moment you flip, you show your cards,
(31:56):
right?
So the moment you show your cards, then this game is afoot.
They are going to be trying to do everything they can to ransomware or to shut you down completely.
So just again, they may start the destructive aspects of it, so just be ready.
Have your A game going.
And I would highly recommend if you know someone's in your network and you're working to mitigate them, get your third
(32:16):
party that you have contracted on the bat phone and get a hold of them as quickly as you possibly can.
After the fact, you assume the attacker is still in your network.
This is the thing that people struggle with: even if you've mitigated them and they're gone, assume they are still in your network.
Because guess what?
They probably are.
So that means it's gonna cost you even more money, right?
(32:36):
You're gonna have to replace all these systems, you're gonna have to blow away new systems, you're gonna have to actually end up spending even more time dealing with this.
So it's just bad.
There'll be backdoors that have been created.
I would tell you this, and this is just from personal experience.
When I got a toehold within a network, I put in a minimum of six backdoors.
That was me.
(32:57):
Now, they didn't all happen right away.
As you're starting to go through the area of the network, you're looking for different other ways in.
And then once you find someplace cool, you go and you put in another back door.
And if it's a different way that you think, okay, well, if they shut me down, I still should have this way in, I'll go and put a backdoor here.
So I had a minimum of six backdoors within my company or
(33:18):
within any sort of engagement I did as a red teamer.
Then you can only assume that the bad guys and girls are doing the same thing.
Now, put it in this perspective: they're lazy.
(33:25):
I was not lazy because it was what we did for a job.
But a lot of the attackers are lazy.
They may not put as many in, but I don't think you want to bank on that.
So just know there's backdoors probably created, at least one or two.
Engage all resources.
Again, fire drill, all hands on deck.
If something was to happen, you're bringing everybody in for
(33:47):
their A game.
Your infrastructure folks, your HR folks, your legal folks, everybody in the company that has any sort of decision rights is brought into the mix on this because it is an all hands on deck.
You are a World War II boat in the middle of the Pacific and you're getting shot at by submarines.
You want to make sure that everybody's aligned and
(34:07):
everybody's heightened on how to deal with this specific situation.
Because if the company goes down, you go down, your livelihood goes down, it all goes down.
It burns to the ground.
So again, everybody is involved.
So reporting, you want to make sure that you have key aspects related to this because your CEO, your owners, your CIOs, all the company leadership needs to be involved.
How are you going to report to them?
(34:28):
Legal compliance requirements.
Again, don't try to downplay this, what's going on.
That's what happened with Equifax.
It's okay.
No worries.
We got this, we're under control.
You just keep doing your CEO stuff, we'll do ours.
Okay, I did that in a different voice.
It was kind of weird.
But that being said, again, it's what happened with them.
They just said, you know what, don't worry about it.
(34:50):
We got it.
And they didn't have it.
So you need to make sure that you have everybody involved with what's going on.
Legal and compliance need to be ready to put out statements.
Depending on the company you're in, the statements may be pre-canned, may not be pre-canned.
I recommend you have them done already.
Have them pre-canned, have multiple statements, have multiple scenarios, and then they have all been through the
(35:11):
legal vetting, they've been through the HR and compliance vetting.
Everybody is happy with those statements, and then they're ready to go.
Now, hopefully you never need them, but they're done.
If the situation comes up and you have to modify it and morph it a little bit, that's okay.
At least they're done.
So get something already built out.
Formalized notification process.
(35:32):
You need, if you're dealing with any sort of regulators, who is the notification person?
Does it come from the board?
Does it come from the CEO?
Who does it go to within the government?
All of those need to be worked out and defined, and those need to be agreed upon.
Again, legal language is important in this spot, especially when you're dealing with the governments of wherever you are operating.
Legal language is everything.
(35:53):
You can give a statement to the media, and it can be a little bit wrong, right?
Say because you didn't know what's going on.
Not that you're lying.
No, we're not lying, but just you didn't really truly know what was going on.
You released a statement, and it's a little bit in error.
You cannot do that with the legal entities.
You need to make sure you're on your A game, and everybody has to be aligned.
So again, you need to have that process defined.
(36:15):
Cyber insurance company notification, this is a big factor of, are they gonna be, you let them know what's going on?
What have you done?
They're gonna get in your chili.
They're gonna be in it, they're gonna be asking you all kinds of questions, and you are gonna get pulled in 10 different directions trying to answer all these questions.
They're gonna make sure that you're doing what they feel you should be doing in order that they're gonna do a payout.
(36:35):
They don't just arbitrarily go, oh, okay, cyber incident, here's your money.
They don't do that.
They are going to be asking you lots of detailed information.
Legal compliance, again, make sure your team is prepped in advance.
They need to know what's going on.
Your legal compliance and public affairs all need to be aware, they need to be involved, and they need to be in the game plan.
I will tell you, I've had some of my hardest conversations I've
(36:56):
had with public affairs, legal, and compliance.
Well, not so much legal, they get it, but compliance and really mostly public affairs, saying, hey, this is the plan.
If we get a ransomware attack, this is what we need to do.
Really?
Seriously, we don't need to do that.
Yeah, you do.
No, no, we don't need to do that.
Yeah, you do.
And so that's a back and forth.
I've had to escalate it up to the CEO numerous times to go,
(37:17):
will you please get your people on board here?
This isn't hard.
Let's just do it, be done with it.
And then they finally come and acquiesce.
But the bottom line, I also send them a bunch of emails of different breaches that have occurred and said, okay, how would you handle this?
That usually helps bring them, get them on board.
All right, continuing on, legal and compliance again, to have them evaluate any contractual aspects you have prior to the
(37:38):
breach.
What do you report?
Which vendors should you report to?
You have vendors that are providing critical services.
Do you need to let them know?
Laws that require breach notification.
The list is long and distinguished, and there's lots of them.
You have GDPR, cyber law, many, many, many others.
There's all kinds, and there's more and more all the time.
There's the Chinese or the financial aspects around it,
(38:02):
NYDFS, you name it.
They all have breach notification laws.
They all vary in different directions as far as how long, from 24 hours to 72 hours, but they're all of difference that are out there.
U.S. state laws will vary as well.
These suits may occur based on the company's facilities.
Depending on where you're at, your U.S. laws may be involved as well.
So you just don't know.
(38:22):
You really need to make sure that you have a good plan.
And even with the plan that you have, the moment something happens, it is what Mike Tyson says: you have a plan going into a fight until you get hit in the face.
And then that plan goes out the window and you start figuring it out.
Same concept.
You'll have a plan in place until you get hit in the face with a cyber attack, and then that plan goes out the window.
But the key is that you've drilled it, you've planned it,
(38:45):
you at least have a good idea of what you're going to do.
So it makes those overall pieces go much smoother than if you had no plan whatsoever.
Government law enforcement, you want to determine if you want to get with the FBI, you want to get with Interpol to help you in these situations.
So all of them can help you depending upon what you have to do.
And when I say help, just let's put it in perspective.
(39:06):
The FBI is not gonna help you.
They're just not.
If you're a small business, forget it.
They ain't gonna do it.
Even small local organizations, local police forces aren't gonna help you.
They're gonna collect evidence and then they're gonna say, Thank you, have a nice day.
They're building their own cases against easy individuals outside of you.
So they're not gonna be a whole lot of help.
But you have to decide if you want to bring them into the conversation or not.
(39:27):
Sometimes if you bring them into the conversation, they will not take over the situation, the incident.
They definitely won't do that, but they may start giving you inputs on it, which could be helpful or which could maybe be hurtful depending upon the situation you're dealing with.
So you just got to kind of decide what you want to do when you're relating to bringing in law enforcement.
(39:48):
You need to let law enforcement know.
You just need to also couch it.
I would highly recommend you go talk to law enforcement, ask them, hey, if we have an incident, what does this look like for you?
How do you get involved?
How would that impact our incident?
Just to see, have a good understanding of what they're going to go through.
So when you're dealing with recovery, some other key aspects is where you want to return the functionality as best you can as
(40:09):
quickly as you possibly can.
It could be as simple as you just reboot.
You could have images that are in place, that you just bring up new images and you're in business.
It's not a big deal.
It's all very resilient and good to go.
And that's great in the cloud environment.
And I will tell you that there's plenty of opportunities for you to be able to do that in the cloud space.
However, one thing to keep in mind is that your cloud space
(40:33):
usually has infrastructure as well.
Unless you're fully cloud, if you have any sort of infrastructure, that can be impacted by a ransomware attack as well.
So you want to understand, how do I return my functionality and get it back and operating to at least a point where I can start making money again?
You need to document all of this.
Documentation is the issue that happens so often in these
(40:54):
situations.
Nobody has it.
I'm dealing with this with company after company as a consultant.
They're not documenting it.
They don't document stuff because why?
They're trying to make money and they're going 100 miles an hour and they look at security as a cost, right?
So I don't want to deal with it, I gotta get this stuff done.
And that's true.
But the moment something bad happens, they're gonna be
(41:14):
wishing they had documented all of this stuff.
Address all your systems, unaffected systems as well.
This includes firewall rules that may be opened up during an incident.
Where could those be?
How does that look for your company?
And then utilize backup and recovery procedures as well.
All of those things need to be done, and understand what procedures you would use in the event that you'd have to bring everything back.
(41:36):
Remediation.
So this comes down to the incident investigation.
You need to determine your root cause for what actually occurred.
How did it happen?
Where was it at?
Who clicked on the link?
How did this get into our environment?
Could we have seen this sooner?
Evaluate all your exposed systems.
Start with your internet-facing systems first.
This isn't hard.
Start with stuff that people see.
(41:57):
If people see it, they're going to attack it.
So go with everything that's internet-facing to begin with.
Now, the other thing you need to keep in mind is, especially now with APIs, oh my goodness, and the cloud services, such as, let's just say, Microsoft's SharePoint, whatever.
All of this stuff is already in the cloud.
It's already sitting on the air quotes edge.
You as an owner, in many cases, I'll use SharePoint as an
(42:18):
example.
If you give them the right permissions, the owner of the SharePoint site can make this discoverable by the internet.
Yeah, by clicking a button.
In the past, you had to go through lots of gatekeepers.
Everything went in and out of a central point.
Not anymore, baby.
It's all available on the internet.
And it's why, for convenience sake, which is always the end of
(42:39):
it.
Society is for convenience.
We all want to be convenient.
And then we all get taken over by the Huns.
Went dark quick there, sorry.
But that's the case, you know, and that's the truth.
So the point of it is that you need to be aware of all of the external things that are available within your company.
APIs, oh my goodness, they're wonderful, but they also can be very, very bad.
(43:01):
And you have to have good control of your APIs and watching those out, watching for all of those.
You know, evaluate all your exposed systems, additional data and systems that are all affected.
This includes employees, emails, phishing, malware installed, attackers who have pivoted through open shares, all of these things you need to be aware of, right?
Admin accounts compromised.
Do you allow your people to use local admin to install software
(43:25):
on their computers?
Oh my gosh, don't do that.
All of those things, right?
You need to be aware of, because those are all pieces where people can gain access to your company.
And they can start with small, with, you know what, I send you a phishing attack, you have local admin, your local admin will take as part of a security group.
The security group has the domain admins that are tied to it as well.
(43:45):
I now leapfrog over and steal the domain admins credentials, and now game over.
It could be about a five-step process, and we are over and you are mine, right?
So you just hear the cackling in the background, you are mine, and yes, that is it.
You are done.
So those are pieces that you need to be aware of.
And you just need to understand that if you don't have a good plan on how to deal with it, yeah, it's just gonna go
(44:08):
sideways.
So I think I've beaten that horse to death.
So lessons learned again, the hot wash, after action.
This is also anything that could affect employees and third parties.
So if it came in through a third party, you better have a hot wash with the third party.
Don't just take the fact that the third party goes, yeah, we fixed our problem.
We're done.
No, you get legal and you go have a conversation with the third
(44:30):
party and you say, I want this written, what you've done, what you did with it, I want to know how you did it, all of those things.
Get with your legal teams and make sure that anything that happens with a third party is documented and it is obviously taken care of by all of you.
You all have looked at it.
Evidence preservation is a key factor as well.
How are you keeping it?
Okay, I've beaten this drum about four or five times.
(44:52):
You need to make sure that you preserve your evidence because if you don't, it didn't exist.
That's the problem.
And then incorporate all of these lessons learned into tabletop exercises and scenarios.
And this is where you do a tabletop at least once a year.
Many of the regulators, financial regulators, will require you to do tabletops at least annually.
But I would highly recommend you do them at least maybe once
(45:13):
a quarter if you're doing some sort of tabletop.
So it's an important part of every person's cybersecurity program, doing tabletop exercises and making sure that they have everybody involved.
Okay, that is all I have for you today.
Thank you so much for joining me today at CISSP Cyber Training.
Head on over to CISSP Cyber Training.
(45:35):
There's a lot of great content out there for you.
I am so excited about the stuff that's coming next in 2026.
I've been building out the plan.
I'm super fired up about that.
And I know you guys are gonna be excited too for 2026 with CISSP Cyber Training.
If you're looking to get your CISSP done, let's get her done in '26.
It's a brand new year, just right around the corner.
Let's knock this out.
(45:55):
If you're getting ready to take your test, good luck.
Hey, I hope you've been using the CISSP Cyber Training stuff, and I hope that you have a good plan in place that you're gonna pass it going into '26 so that you can increase your income, increase your status, increase anything you want to do with getting your CISSP certification complete.
All right, thank you so much and have a wonderful day.
And we will catch you on the flip side.
(46:16):
See ya.
Thanks so much for joining me today on my podcast.
If you like what you heard, please leave a review on iTunes.
I would greatly appreciate your feedback.
Also, check out my videos that are on YouTube, and just head to my channel at CISSP Cyber Training, and you will find a plethora or a cornucopia of content to help you pass the CISSP exam the first time.
(46:36):
Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey.
Thanks again for listening.