Time
52 minutes
Difficulty
Intermediate
CEU/CPE
1

Video Transcription

00:00
Hello. My name is David Visor, and welcome to post incident response.
00:06
We are going through after actions. Um,
00:11
so I wanted to do a bit of a follow up because the lessons learned slash after actions are near and dear to my heart on. And I see them as extremely important for the entire incident Handler
00:23
field. And it's in a responsible on, and I've seen them ignored. I've seen them skipped over. Andi, I've seen bad effects from that. And I hope, um,
00:35
exhort you
00:38
as we come through this to do about a jump with this kind of information and this part of the incident response process,
00:48
I'm not gonna apologize for it because it is extremely word. But what I wanted to do
00:53
was share a couple of templates with you here as well, and walked through them with he, um really quickly to sort of give you some tool that you can use Help your after action meetings and were your table top exercises. Because tabletop exercises,
01:11
you are important for companies to perform, uh, where a wide variety of reasons. We don't really have time to delve into them in this course, but I can't stress enough that they are very, very important. So let's take a look.
01:27
This is a sample tabletop report for you.
01:32
It's one that I've used in the past. If I can zoom the same here a little bit closer,
01:38
we walked through it together. Now a CZ you can see or use the Acme Corporation. Um,
01:46
just to make it more generic, Um, this isn't a word for match that you can change it around any way you want on again. This is for a table top exercise. But
01:59
because tabletops emulate incidents I've always incorporated after actions were lessons learned into my table top exercises to that way, it kind of
02:13
preps people to expect an after action. It also perhaps them to be thinking, as they're going through the whole process of where they can improve, what needs improvement but for them and for their team, and for the tools and then
02:30
thinking on how they can present that to others so that
02:36
they can learn from either mistakes or from experiences that they went through rather than just ignoring them.
02:46
So you always almost every single reporter digital, See how summary, which is basically a short narrative overview of what was done during the tabletop here in this example. So as you can see, we we pointed out three separate scenarios in
03:05
wanted to test different aspects of the instant response plan in the procedures.
03:10
So if you're going to get into the world of tabletops and all that, it always helps to have someone that you could grow from
03:17
in order to keep it very realistic. Now,
03:21
Mel, this is a really outside track, but
03:27
I've seen table pops that were set up, Um,
03:30
for failure,
03:32
um, between couldn't win. It was it was an exercise in frustration. And that's not what the purpose of a table up is. It is. It's not, too
03:44
be totally and completely evil. It's built to be a learning process. And if you've done any kind of education, you'll know that if all you do is train your students to failure than in real world, gotta become failures in the same things. Very true when it comes to buy that her actions and also table tops
04:02
so crappy things. Realistically,
04:04
One thing that I found those buildings did pops out was interaction with security thing with vital because It gave me insight into their network fireman tools that they used a day basis so that I could actually apply it to them
04:20
and help them learn as they went. So you write up your summary do include you know what happened? How it was built out was designed, if necessary, compliment where he can. Same thing should be true to your after action report your system or higher level member of the use of response team.
04:41
Don't withhold praise for your people. They need it. Remember, we talked about morale will use that response team if your morale was like And you really think those people are gonna be doing their utmost to help protect your data network?
04:56
Easy answer. That is now they're gonna be looking for ways to get out of work rather than trying to do or on. One thing that I have found in this field is that most people that have come into it are very passionate about, and they will work harder than in most normal people even in all duty hours. There,
05:15
they're doing things that helping improve themselves.
05:17
So don't wash that in them.
05:23
Help them develop that and build it up. Not only do you want to do the praise, but you also need to remember that there may be some negative recommendations
05:32
as well. That may come out. So craft that anyway, that isn't totally did denigrating the team. People in bowl use it as a learning lesson. Help build them up. Same thing's true. And after actions, I sounded one after action when I was working as a consultant where
05:53
the entire team came into the room.
05:55
Um, we were included as the third party
05:58
10 assists. Okay, man, and started screaming
06:01
and the entire
06:05
atmosphere became toxic in hostel on. There was actually no learning. There was the improvement made. Uh, it was hard it again. I don't want you to be that person so they don't fall into that trap. Always identify objectives
06:25
so that you have points out which that you want to shoot
06:29
so that you can clearly document it back to where we talked about metrics. This is would be your metrics for table carpet. After actions
06:38
help give you but guidance to lead you on. Some people are able to do this free flow. Um, very little guidance, Very little
06:46
structure but yet can still guide in the law. Other people needed a lot more detail, and it just depends upon your personality type and your background. And when you do that but always identify objectives so that when you're sitting down to write up your reports,
07:04
you're able to address the objectives and also layout format,
07:10
and then your observations come into play. The same thing could be true when you're doing after action. So one thing that we did here was proactive Vitale scrubbing the Adidas pax um, feeling ransomware and other types of threats.
07:29
Uh, quick side note. Here we were doing a ransom where people talk at a company financial company, and it was more for the higher, higher level, the image of the teens and sea levels. And there were about 30 people in a room as we went through the table top
07:48
and we're going along.
07:50
We get the point where we came up with a ransom note. Say, 10 bit goings. Justice. I'm not up on exactly what the exchange rate is with Bitcoin. There would have been roughly that's a $15,000 U S.
08:05
Um, this is the CEO of the company was in. The rooms are taking into the dock years for that, and he's like, Well, do we ve this illegals like
08:16
now? I don't think we can afford to pay that. And a little voice from the four corners of the room spoke up and said, You know, our cyber insurance policy covers up $30,000 for ransom payment, and that sparked off an entire conversation
08:33
about their cyber germs. Policy CEO had no idea what was cyber jurors.
08:39
That kind of thing could be discovered,
08:41
and it's better to know before an incident. So put that kind of thing in trying to hit on different topics that directly deal with your team. And as you can see, we get to separate topics What's working well, So here's a cuter section, and where can improvements to be made?
09:01
And
09:03
that was from our third party perspective. You could get at it early as well, and then you write up a nice, nice short conclusion, highlighting if things that recovered throughout the rest of the report Excuse me.
09:18
Another thing I like for my table tops is what's called a player booklet. Um,
09:24
this a little nobody. An example this up on our site as well, so that you could pull it down and you realize that if you want. But basically it gives the people sitting around the table something to refer to and
09:35
right on. Tell them, remember. And if you're like me, you need all the help you can get remembering different things, especially when you're going through a multi tier exercise
09:45
moving from. We broke this down by days, so each day a different event happened and then they had to actually deal with it. We like to put in screen shots to help
09:58
make it a little more realistic course receive full stop. I'm sure everyone seems kind of thing for school, too. And then we increase the complexity on dhe information as each day passed and then increased also the technical knowledge that would be needed adequately respond to it. And then they could keep these books
10:16
and utilize them however they wish.
10:18
It's just a couple of examples for you if you want to see one in that was done live by me and some other people. But I know there's a program of one gap in d dot com that you could go out and watch. It's about 46 minutes long.
10:35
Where we gonna do a live tabletop into do lessons learned at the end?
10:39
Um, you have any questions or comments or insights to share? I'm on cyber TV 13 pot. Have a fantastic day.

Incident Response Recovery

Incident Response Recovery covers the actual recovery process from an incident that was identified and managed. It goes over the proper documentation necessary after the incident is handled, the legal concerns associated with the incident, and the lessons learned.

Instructed By

Instructor Profile Image
David Biser
Incident Response Engineer at Iron Mountain
Instructor