Lessons Learned Part 2

00:00

Hello. My name is David Visor, and welcome to post incident response.

00:06

We are going through after actions. Um,

00:11

so I wanted to do a bit of a follow up because the lessons learned slash after actions are near and dear to my heart on. And I see them as extremely important for the entire incident Handler

00:23

field. And it's in a responsible on, and I've seen them ignored. I've seen them skipped over. Andi, I've seen bad effects from that. And I hope, um,

00:35

exhort you

00:38

as we come through this to do about a jump with this kind of information and this part of the incident response process,

00:48

I'm not gonna apologize for it because it is extremely word. But what I wanted to do

00:53

was share a couple of templates with you here as well, and walked through them with he, um really quickly to sort of give you some tool that you can use Help your after action meetings and were your table top exercises. Because tabletop exercises,

01:11

you are important for companies to perform, uh, where a wide variety of reasons. We don't really have time to delve into them in this course, but I can't stress enough that they are very, very important. So let's take a look.

01:27

This is a sample tabletop report for you.

01:32

It's one that I've used in the past. If I can zoom the same here a little bit closer,

01:38

we walked through it together. Now a CZ you can see or use the Acme Corporation. Um,

01:46

just to make it more generic, Um, this isn't a word for match that you can change it around any way you want on again. This is for a table top exercise. But

01:59

because tabletops emulate incidents I've always incorporated after actions were lessons learned into my table top exercises to that way, it kind of

02:13

preps people to expect an after action. It also perhaps them to be thinking, as they're going through the whole process of where they can improve, what needs improvement but for them and for their team, and for the tools and then

02:30

thinking on how they can present that to others so that

02:36

they can learn from either mistakes or from experiences that they went through rather than just ignoring them.

02:46

So you always almost every single reporter digital, See how summary, which is basically a short narrative overview of what was done during the tabletop here in this example. So as you can see, we we pointed out three separate scenarios in

03:05

wanted to test different aspects of the instant response plan in the procedures.

03:10

So if you're going to get into the world of tabletops and all that, it always helps to have someone that you could grow from

03:17

in order to keep it very realistic. Now,

03:21

Mel, this is a really outside track, but

03:27

I've seen table pops that were set up, Um,

03:30

for failure,

03:32

um, between couldn't win. It was it was an exercise in frustration. And that's not what the purpose of a table up is. It is. It's not, too

03:44

be totally and completely evil. It's built to be a learning process. And if you've done any kind of education, you'll know that if all you do is train your students to failure than in real world, gotta become failures in the same things. Very true when it comes to buy that her actions and also table tops

04:02

so crappy things. Realistically,

04:04

One thing that I found those buildings did pops out was interaction with security thing with vital because It gave me insight into their network fireman tools that they used a day basis so that I could actually apply it to them

04:20

and help them learn as they went. So you write up your summary do include you know what happened? How it was built out was designed, if necessary, compliment where he can. Same thing should be true to your after action report your system or higher level member of the use of response team.

04:41

Don't withhold praise for your people. They need it. Remember, we talked about morale will use that response team if your morale was like And you really think those people are gonna be doing their utmost to help protect your data network?

04:56

Easy answer. That is now they're gonna be looking for ways to get out of work rather than trying to do or on. One thing that I have found in this field is that most people that have come into it are very passionate about, and they will work harder than in most normal people even in all duty hours. There,

05:15

they're doing things that helping improve themselves.

05:17

So don't wash that in them.

05:23

Help them develop that and build it up. Not only do you want to do the praise, but you also need to remember that there may be some negative recommendations

05:32

as well. That may come out. So craft that anyway, that isn't totally did denigrating the team. People in bowl use it as a learning lesson. Help build them up. Same thing's true. And after actions, I sounded one after action when I was working as a consultant where

05:53

the entire team came into the room.

05:55

Um, we were included as the third party

05:58

10 assists. Okay, man, and started screaming

06:01

and the entire

06:05

atmosphere became toxic in hostel on. There was actually no learning. There was the improvement made. Uh, it was hard it again. I don't want you to be that person so they don't fall into that trap. Always identify objectives

06:25

so that you have points out which that you want to shoot

06:29

so that you can clearly document it back to where we talked about metrics. This is would be your metrics for table carpet. After actions

06:38

help give you but guidance to lead you on. Some people are able to do this free flow. Um, very little guidance, Very little

06:46

structure but yet can still guide in the law. Other people needed a lot more detail, and it just depends upon your personality type and your background. And when you do that but always identify objectives so that when you're sitting down to write up your reports,

07:04

you're able to address the objectives and also layout format,

07:10

and then your observations come into play. The same thing could be true when you're doing after action. So one thing that we did here was proactive Vitale scrubbing the Adidas pax um, feeling ransomware and other types of threats.

07:29

Uh, quick side note. Here we were doing a ransom where people talk at a company financial company, and it was more for the higher, higher level, the image of the teens and sea levels. And there were about 30 people in a room as we went through the table top

07:48

and we're going along.

07:50

We get the point where we came up with a ransom note. Say, 10 bit goings. Justice. I'm not up on exactly what the exchange rate is with Bitcoin. There would have been roughly that's a $15,000 U S.

08:05

Um, this is the CEO of the company was in. The rooms are taking into the dock years for that, and he's like, Well, do we ve this illegals like

08:16

now? I don't think we can afford to pay that. And a little voice from the four corners of the room spoke up and said, You know, our cyber insurance policy covers up $30,000 for ransom payment, and that sparked off an entire conversation

08:33

about their cyber germs. Policy CEO had no idea what was cyber jurors.

08:39

That kind of thing could be discovered,

08:41

and it's better to know before an incident. So put that kind of thing in trying to hit on different topics that directly deal with your team. And as you can see, we get to separate topics What's working well, So here's a cuter section, and where can improvements to be made?

09:01

And

09:03

that was from our third party perspective. You could get at it early as well, and then you write up a nice, nice short conclusion, highlighting if things that recovered throughout the rest of the report Excuse me.

09:18

Another thing I like for my table tops is what's called a player booklet. Um,

09:24

this a little nobody. An example this up on our site as well, so that you could pull it down and you realize that if you want. But basically it gives the people sitting around the table something to refer to and

09:35

right on. Tell them, remember. And if you're like me, you need all the help you can get remembering different things, especially when you're going through a multi tier exercise

09:45

moving from. We broke this down by days, so each day a different event happened and then they had to actually deal with it. We like to put in screen shots to help

09:58

make it a little more realistic course receive full stop. I'm sure everyone seems kind of thing for school, too. And then we increase the complexity on dhe information as each day passed and then increased also the technical knowledge that would be needed adequately respond to it. And then they could keep these books

10:16

and utilize them however they wish.

10:18

It's just a couple of examples for you if you want to see one in that was done live by me and some other people. But I know there's a program of one gap in d dot com that you could go out and watch. It's about 46 minutes long.

10:35

Where we gonna do a live tabletop into do lessons learned at the end?