
September 15, 2025, 26 mins

The threat landscape is moving faster than ever—and traditional response playbooks aren't keeping up. In this live Field Notes episode, Eric Brown and Nick Mellum dive into the surge of recent cyberattacks hitting state governments, transit systems, and critical infrastructure across the U.S.

From Nevada's complete state office shutdown to Maryland's Metro Transit paralysis, the hosts explore why organizations still "clam up" during breaches instead of sharing crucial threat intelligence. Drawing from their firsthand experience with the St. Paul incident and military-grade preparedness principles, they reveal the uncomfortable truth: you're not building higher walls anymore—you're planning for someone who's already inside.

Key Topics Covered:

  • Recent state-level cyberattacks in Nevada and Maryland
  • Why threat intelligence sharing fails when we need it most
  • The human cost of breach response chaos and endless meetings
  • How AI is being weaponized in sophisticated supply chain attacks
  • Military mindset for cybersecurity: "Semper Gumby, always flexible"

Don't wait for the next headline. Subscribe for more unfiltered cybersecurity discussions that bridge the gap between technical reality and human preparation.

#cybersecurity #infosec #breach #threatintelligence #fieldnotes #livecast #CISO #cybersecuritynews


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:04):
Morning Nick, how you doing.

Speaker 2 (00:06):
Good sir, how are you?

Speaker 1 (00:07):
Doing well.
So we're coming with a new podcast here.
Right, we've got the Field Notes and it's live.
We're live right now, 7:30 in the morning, Thursday.
Nick, what's the thought behind Field Notes here in the morning, Thursday, Nick.

Speaker 2 (00:26):
What's the thought behind Field Notes here?
Yeah, I think around IT, out of Labs, we always want to build community, bring people together, share knowledge throughout the space, and I think this is another one of those mediums to do that.
So when we're doing that is bringing everybody together, having a cup of coffee in the morning before you get your day

(00:48):
started, maybe spark some new thoughts and ideas, and we can do that in a space where people can ask questions and we can just have free-flowing conversation.
So I think that's just an evolution of growing the community.

Speaker 1 (01:00):
Awesome.
Speaking of that, we did game night last night here.
So we do the monthly game night, first Wednesday of every month.
We had a great turnout last night.
I think we had like 20 or some people and we played a game called Blood on the Clock Tower, which is a social deduction game, and there's a murder that happens in a town.
And there's some bad people mixed into the group and the

(01:25):
group's trying to figure out who's good, who's bad.
Happy to say, I was on the team of the bad guys and we won.

Speaker 2 (01:34):
So what's the art of this game?
Is there a little bit of social engineering?

Speaker 1 (01:38):
Yeah, it's all social engineering and misdirection and trying to figure out what role people are playing, so kind of like a real world security team.

Speaker 2 (01:51):
I got a couple of text messages from fellow game night attendees with some pictures of you guys playing and I think they said it's a pretty intense game.
It takes a long time, you're in the game for a while, so it's not a simple game to play.

Speaker 1 (02:04):
You're in it.
Yeah, you're in it for a while.

Speaker 2 (02:11):
It took.
I think about three and a half hours to play one game.
I think I'd be a spectator.
I'd be watching you guys play.
It's a long time to be committed to a game, Nick, we do you.

Speaker 1 (02:26):
We've got a couple coffee themes, right, so he's doing a coffee-themed podcast, Cyber Sips.
It's going live this week.
I think the first one.
A lot of coffee themes.
We're talking a little bit about coffee today.
What are you drinking, Nick, today?
Actually?

Speaker 2 (02:46):
We switched it up.
My wife and I got some Tim Hortons coffee that we brewed this morning, but I think the most important thing is drinking it out of our Victory mug from the CTF, not that long ago, if everybody remembers.
So I thought I'd taste like victory, would be the perfect

(03:10):
theme of the morning.
So the coffee's so-so.
I mean, I prefer my Black Rifle coffee from America, but we'll give a nod to our neighbors to the north, but the cup is what we care about.
Nice, how about yourself?

Speaker 1 (03:26):
Well, um, I've got, uh, I do, um, kind of this mail order coffee, um, from, I think it's a company called Atlas Coffee Company, and today I'm drinking something from Ecuador.
But let's go back to that thing there, Nick, because part of

(03:49):
this podcast I think we want to talk about is the other side of security, right.
So I mean, you know, we're humans, we work in teams with other humans and there's that human side of the interactions that we all have.
We talk about game night, right, and it's that community bringing people together and doing this work that we do in

(04:13):
the field.

Speaker 2 (04:15):
I think you hit the nail on the head that we're still humans.
We're reading the news, like everybody else.
We're trying to stay in front of these things.
We're trying to stay in front of these things and I think one of the topics we want to talk about today is how much, or the ramp, that these attacks have been coming in.
I don't know if everybody shares the same thought as we do,

(04:35):
but it seems over the past maybe year or less, a little less, it seems like the attacks have, attacks or breaches.
We hate to say the B word, but has picked up speed and so kind of wanted to chat about that.
There's a couple articles that we can spin off of that.
There was one, I think it was from Nevada, and this was from a

(04:56):
week ago or so where they, the state offices, shut down their networks because of an attack they had.
They closed the state offices, the websites are offline, the phone lines were offline, so they had a major outage.
And then we had another one.
Eric, I think you found both of these.
There's another cybersecurity incident in Maryland affecting

(05:18):
Metro Transit, where I think, from what we were reading here, the mobility, all of MTA, was shut down.
They couldn't schedule new trips, they couldn't send trips, they couldn't take bookings for upcoming trips and any existing trips that were currently happening, so they couldn't schedule anything.
There was a major outage there.

(05:39):
So obviously big deals for both these states to be dealing with.

Speaker 1 (05:46):
Yeah, and we're coming off of the work here in Minnesota with the St Paul breach and the ramifications of that that are still being dealt with, and Nick, one of us was on the news a couple times talking about it.
But you know, and there's lots of things that you want to say,

(06:06):
but you really, you really can't say, uh, the floor is yours, well, oh boy, um, I'll get to that, but, and I think what we want to talk about on, on this podcast is that opportunity to really maybe share some of the human insights of things, some

(06:26):
stuff about our personal lives.
We'll probably talk a little bit about aviation, because I do some flying, talk about coffee, talk about other activities that we're doing outside of work, just to bring some of that human element in it, and you did mention that contest.

(06:48):
You and I had a bet.
Your team came in first, we did not.
I don't remember exactly where we came in, but it wasn't first and I think we're going to have a rematch on that, aren't we, Nick?

Speaker 2 (07:02):
We're going to figure out a time for a rematch, yep, and we'll probably do the same thing we did last time.
We won't train very much, we'll do our normal things, we'll come in and we'll.

Speaker 1 (07:12):
We'll try to take first again.
So you said you didn't train, but I heard that you had reached out to the CTF manufacturer and were, this might make news, but continue up here.
You were getting some coaching.

Speaker 2 (07:28):
I can't say this is true.
I can't say this is true.
No, we do know the CTF owners, though, of this, but I can't say there was any communication with them prior to testing Interesting or competition.

Speaker 1 (07:43):
Interesting.
So, on these breaches, right, it's, um, it is frustrating that we don't learn what the IOCs or the indicators of compromise are early on.
Right, we're, we're in the space, we're working with customers, we're running teams in the space, and it's really

(08:05):
difficult to get information, just as simply as what were the IOCs, what were you seeing, so that we can all react to it?
And it's unfortunate that it seems 99% of the organizations involved in a breach clam up.
And Nick, you were real close to the last one.

(08:27):
You were working side by side with some of the folks on the mitigation piece.
Did you have any direction that you really couldn't share?
What was going on at the time?

Speaker 2 (08:42):
I think we had a little bit, I don't want to say information that we couldn't share what was going on at the time.
I think we had a little bit.
We had a, I don't want to say information that we couldn't share, but, you know, we were, people were keeping things a little close to the vest because we were getting information siphoned to us, I would say broken comms, right, like we're.
They were telling us some things but we weren't getting clear guidance.
So we had to go into a defensive posture because we had

(09:02):
intersecting points with St Paul, so, you know, siphoning off some information, going to these meetings that were being set up by the state as well, and any other organization was welcome as well in the area that they could go to.
But yeah, we didn't have, I wouldn't say we had special information, but some of our leaders were a little bit closer

(09:23):
than I think others might have been allowed.
But I would agree, I think that was some of our, and this isn't just for the St Paul incident.
I think this is, we see this a lot where, and you said it perfectly, they clam up, information getting out,

(09:44):
especially for organizations like us that are hosting or helping many different companies with their cybersecurity that have intersecting points, and this could be anybody, any breach besides St Paul, and, you know.
We need to get this information so we can understand what we need to secure, right, and then a return.
If we know what the problem is, we can turn around and help the organization that's having a current issue.

Speaker 1 (10:04):
Yeah, and we've got close relationships with Homeland Security, CISA, FBI, with InfraGard, and even folks in those communities weren't getting great details about what was going on.
I think we learned what the IOCs were maybe 12 hours before they were posted out by the BCA, or the Bureau of Criminal

(10:26):
Apprehension, in sort of broadcast out to the people that are part of that group which get those IOCs.
I think we didn't really have much time to react to it either.
So, yeah, that is frustrating.
I think Evan Francen over at FRSecure a while ago was starting

(10:53):
a series during the pandemic of how do we fix a broken industry, and I think this is one of the things that continues to be broken in the industry is just that lack of communication where we're trying to help each other, right.
CISO to CISO, and we're just not there yet.

Speaker 2 (11:11):
Yeah, you want to all band together in time of crisis, and do you have any thoughts on why that would be?
Do you think it's fear of public?
You know, people coming out saying, you know, why did this happen?

Speaker 1 (11:27):
You know what's happening or what are you doing about it, or are they just not prepared for that conversation at all?
So at a previous organization that I was a fractional CISO of, I'd been there for three or four years.
During that time we were involved in a breach.
It was one of our partners was breached.

(11:48):
They had some of our data.
That data was getting.
They had gotten ransomed.
They were real closed off about exactly what was happening.
Subsequently, they did share how the threat actors got in, but it was the way in which the organization that I was involved

(12:11):
with reacted was interesting.
It was just tons of internal meetings about, not just on the technical side, about how do we make sure that the data that could have been exfiltrated didn't contain any sensitive information or it was all encrypted or what have you, but

(12:31):
it was just around the communications out.
What are we going to say?
Who's going to say it?
How do we say it?
I probably spent in the first week, it was probably a 70 hour work week, I don't think any less than 30 hours of that were around the optics of internally messaging, external messaging, posturing,

(12:59):
and it was like we, we got a lot of work to do.
I don't have time to sit in these meetings, but, you know, there was probably three different meetings about the same topic with different groups throughout all levels of the organization.

Speaker 2 (13:15):
Instead of spending all that time in the meetings, you want to be boots on the ground with the guys and girls doing the work to either come back from breach or, uh, protect the walls.
You want to be on the front lines. Yeah, it's, it's that constant, um.

Speaker 1 (13:31):
You know there's something going on.
Technical teams are trying to work on it and then, um, the, the, the.
Some of the leadership team are trying to get information, so it's that constant, okay, well, you know, what do we know?
Well, we know about the same amount that we knew 15 minutes ago.
Another 15 minutes, right, and I think, where organizations

(13:55):
that haven't drilled this and practiced it through tabletop exercises just get into that cycle of, it's just kind of chaos and panic.
So you've got to do the drills, you got to do the tabletop exercises so that when something happens, you know how to react to it.
And, you know, Nick, I think I'm just seeing that more and more

(14:19):
as these breaches are just becoming more and more prevalent.
The need to do the tabletop exercises, small ones as a team, the infrastructure team, all right, how are we going to restore from backup?
Are the backups immutable?
How do we get to them?
How do we recover?
What if there's malicious content in the backups?

(14:39):
Just kind of drilling that.
So it's not when you get woken up at 4 am saying you need to restore these four servers right now, and then you have 15 people calling you about the same thing.
You've already rehearsed it and you have your playbooks.
Without that, right, it's, uh, it's just chaos.

Speaker 2 (14:57):
Yeah, and yeah, I totally agree.
You got to do tabletops.
Uh, hopefully annually, um, or more.
But, uh, you know, we, if we continue to train these things, muscle memory is what you want, and if you can get your whole team to have that muscle memory, people just kick in and do work instead of people lining up behind the leader for you to shuffle them around, so you've wasted less time doing that.

(15:18):
That even cuts out a meeting.
You could designate somebody for communication, sending that upwards, or set up times for communication.
Hey, you'll get updates at these times, this.
But you kind of led me to something I was thinking about last night and I was thinking about the culture we're in for cybersecurity and I kind of came up with this loose quote, but it was, and I wrote it down here and I was thinking, security

(15:41):
isn't about building higher walls, it's about knowing somebody's already inside and being ready for them.
And I think that is exactly what we need to be doing is, you know, practicing, assume breaches, that potentially somebody is already inside, but we're so confident in our systems and our operators that, you know, we're always ready for

(16:02):
something.
And I always draw back to my military experience.
We trained constantly, always doing training missions in the field, live fire training so you're ready.
You don't just get sent somewhere into harm's way, not knowing those weapon systems or tactics that we would use in

(16:22):
that theater.
So it's the same thing here.
We can.
We've seen, we have a good threat landscape of previous IOCs and what we can do to be training, and we need to do that so we can come in with a tabletop exercise to any organization and help them train.
But we need to be talking to everybody at that organization, not just the operators, you know, you want to train and practice

(16:43):
with them, but also talking to the people, you know, around the organization, you know, the janitor, to see, you know, what they know and what they can do and help, and getting people in these right sections to do the good work that they can do to help out with an in time of crisis.

Speaker 1 (17:01):
This reminds me of a conversation we had last night with one of the folks that was at game night and he was dealing with an incident that had happened a few days prior.
But the attack vector was a little different.
He's a reverse engineer by trade and he had seen a.
The organization that he was working with had seen an attack

(17:24):
come in through a compromised vendor update, and that's not all that unusual.
But this was the first time that he saw an AI tool involved in exfiltration of data.
So the malicious update from the vendor was able to run some

(17:51):
AI commands or essentially use AI cloud to create prompts to go out and collect certain information off of that system, package it up and send it out in an encrypted way, I think, to a

(18:13):
GitHub repository.
So it was just interesting to just hear about how sophisticated and smart and crafty the threat actors are, and we know that, right.
But there's always going to be another attack vector that we haven't even thought of.

(18:34):
So there's only so much drilling and training that you can do for specific attack vectors.
But, like you said, that drilling and training, for, you know, what do you do in the event of there's something happening now.
How do we work together to react to it?
And, Nick, I'll leave with a story that's kind of reminded me

(18:58):
of my childhood.

(19:19):
I was raised by my mom and she was going to, getting higher education, going through her bachelor's or associate's and then bachelor's and then eventually her master's degree, and at the time going back and forth between the coasts to, to, to go to the college that she wanted to go to, and, um, and I traveled a ton, I think I maybe 16 times before I graduated college.
It was just a ton of back and forth between the East coast and the West coast, cause we had some relatives on the, on the

(19:41):
West coast, and it was a little kid at the time of, of this story.
Uh, but we're traveling from, I think it was Maryland at the time, or maybe I was in third grade, and we were traveling to California over the summer and driving an older Chevy pulling a

(20:04):
U-Haul going across the country.
My mom and I, I'm real young, and we would always drive sunup to sundown, find a hotel and stay the night, get up bright and early.
As a kid driving 13 hours a day, it's really boring.
So I'd always be like, all, you know, when are we going to stop.

(20:27):
And this is before satellites or commercially available satellites and navigation systems.
So it's all paper maps.
It's the Rand McNally map book and we're driving across, I think it was, um, Wyoming, and it's, it gets pitch dark at night

(20:51):
, as you can imagine.
Right, you know, you're in between towns and it's just a really dark road and I think we were trying to get to.
There's a place called Little America which is like this big gas station, um, like I don't, 100 or so pumps or something crazy, but anyway, we're probably like 45 minutes from there.

(21:11):
The sun's down and my mom's like, yeah, we're just going to get to this stop.
And there's a car in front of us and in front of that car is a tractor trailer

(21:31):
and it's just the three of us going on this black stretch of highway and you can see the tractor trailer hit his brakes a couple times, right, probably all going pretty fast, maybe 70, 80.
And the tractor trailer then slams its brakes on, pulls

(21:52):
across the highway, blocking both lanes.
So cars coming towards us, and there wasn't any.
And then us, and there's nobody behind us, and there wasn't any.
And then, you know, us and there's nobody behind us and there's just the tractor trailer, the car in front, and then us, and then the driver of the tractor trailer gets out of the

(22:18):
cab and you can see all this in the headlights of the car in front of us.
Reaches behind his seat, comes towards the car with a tire iron.
Tink, smashes out the left headlight of the car in front of us.
Tink, smashes out the right headlight of the car in front of

(22:43):
us.
Now there's no lights, just the brake lights of that car and our lights and the truck's lights which are across the highway, and the whole truck's kind of lit up with their lights.
The driver gets back in the cab, shuts the door, drives off and

(23:06):
the way my mom tells the story is we're just sitting there, right, just stunned, shocked, shocked.
And then finally, when the tractor trailer lights are way off in the distance, my mom pulls forward again and keeps driving and, you know, at the time we're like, well, do we

(23:30):
help the people?
Right, I was a little kid.
You know, she's a woman traveling alone with a little kid.
You know, what do you do, and, you know, we kept going, stayed way far behind the tractor trailer.
But the point of the story is that car in front one didn't

(23:50):
recognize that he was following the tractor trailer too close with his brights on, and the tractor trailer driver had enough of it, took care of the problem, right.
But after we left, that person in that car, those people in

(24:10):
that car, just, you know, then were stranded with no lights, right.
It's impossible to drive because it's just pitch dark.
There's no street lights, right, it's just, you know, a black highway.
So then, you know, where, um, so then, you know, where's, where's the, the playbook for that, where there isn't one, and it just reminds me of.
We get put into these situations like this all the

(24:33):
time.
How do we react to it?
What do we do?
And by situations like this I don't mean a tractor trailer driver knocking out your headlights, but just the unexpected and the unknown, like the AI attacks that, you know.
Yesterday you wouldn't have even thought it was an attack vector, but, you know, here you are dealing with a vendor update

(24:53):
.
That was a bad update, so it's just being able to plan for the unplanned.

Speaker 2 (25:00):
Semper Gumby, always flexible. Yeah, no, it's a good story that we can draw back, um, to the things that we're doing and repetition training.
You know, invest in your operators, make sure they're continuing to train, uh, training, uh, that they can go during the day, uh, practice, do CTFs, uh, tabletop exercises.

(25:20):
There's so many things that we can, can do, but we need to also train our staff.
You know, uh, phishing emails, right, sending those things out, newsletters, all kinds of things we can do.
But, um, we're probably up on time here.

Speaker 1 (25:32):
Let's get out of here. We got you, I do, uh, yeah, good one, we'll see.
When are we doing this?
Is it monthly?

Speaker 2 (25:40):
I think we're gonna.
We're gonna try monthly.
Uh, we might play with the times too to see what, uh, everybody likes.
Uh, we can do mornings, we can do afternoons, so we'll, uh, we'll take a poll made from the audience and see, uh, if lunchtime or morning's better.
Have a great day, Nick.
Yep, you too, sir, we'll see you.
Yeah, thanks all.

© 2025 iHeartMedia, Inc.