CISSP Cyber Training Podcast - CISSP Training Program
Join Shon Gerber on his weekly CISSP Cyber Training podcast, where his extensive 23-year background in cybersecurity shines through. With a rich history spanning corporate sectors, government roles, and academic positions, Shon imparts the essential insights and advice necessary to conquer the CISSP exam. His expertise is not just theoretical; as a CISSP credential holder since 2009, Shon translates his deep understanding into actionable training. Each episode is packed with invaluable security strategies and tips that you can implement right away, giving you an edge in the cybersecurity realm. Tune in and take the reins of your cybersecurity journey—let’s ride into excellence together! 🚀
CCT 308: Scripted Sparrow BEC and CISSP Incident Response - Domain 7.6
A single convincing email can move real money. We break down how Scripted Sparrow and other BEC crews spoof reply chains, impersonate trusted service providers, and slip under approval thresholds to nudge finance teams into wiring funds. The threat isn’t flashy malware; it’s pressure, process gaps, and the illusion of internal approval. We talk through the red flags that matter, from sudden vendor banking changes to realistic W9 attachments and urgent payment timelines, and then lay out the safeguards that stop these scams cold.
From there, we zoom out to the full incident management lifecycle and make it practical. You’ll hear how we define an incident by its impact on confidentiality, integrity, and availability, and why that clarity speeds action. We map the steps—detection, response, mitigation, reporting, recovery, remediation, and lessons learned—and explain what they look like in a real company: one-click phishing reporting for employees, prepared legal statements for regulators, isolation choices that protect revenue, and documentation habits that pay off when auditors and insurers start asking questions.
We also get honest about today’s attack surface. Cloud sharing, APIs, and over-permissive identities push sensitive data to the edge, making containment harder if an attacker lands. Expect persistence: backdoors, credential reuse, and lateral movement thrive when local admin rights and flat networks remain. The antidote is a blend of stronger finance workflows, pre-briefed legal and communications teams, and regular tabletop drills that involve everyone who touches money, systems, or messaging.
If you’re serious about preventing wire fraud and surviving security incidents with your business intact, this conversation gives you a focused plan you can adopt today. Subscribe, share with your finance and HR leaders, and leave a review with the one control you’ll implement first.
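The red flags and safeguards the summary above names (sudden vendor banking changes, W9 attachments whose details do not match the vendor on file, urgent payment timelines, amounts that sit just under an approval threshold, and out-of-band verification before any email-originated payment) can be turned into a screening rule that a finance or security team runs over inbound payment requests. The block below is an added example, not code from the podcast or from any vendor it mentions; the vendor master record, the $50,000 threshold and the 20% "just under" band, the urgency keyword list and both sample requests are constructed for illustration.

```python
"""
Added example: a defensive screening check for email-originated payment requests,
modelled on the BEC red flags discussed in the episode. Nothing here is the podcast's
own code; every vendor record, threshold and sample request is constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

APPROVAL_THRESHOLD = 50_000.00   # assumed second-approver threshold (episode cites ~$50,000)
NEAR_THRESHOLD_BAND = 0.20       # assumption: flag amounts within 20% below the threshold
URGENCY_WORDS = ("urgent", "immediately", "today", "overdue", "final notice", "asap")

# Constructed vendor master: bank account and EIN were confirmed out of band at onboarding.
VENDOR_MASTER = {
    "V-1001": {"name": "Example Coaching LLC", "bank_account": "111222333", "ein": "12-3456789"},
}


@dataclass
class PaymentRequest:
    vendor_id: str
    amount: float
    bank_account: str                   # account the email asks to be paid into
    ein_on_w9: Optional[str]            # EIN printed on the attached W9, if any
    subject: str
    body: str
    reply_chain_claims_approval: bool   # thread quotes an executive "approving" payment
    approved_by_second_person: bool = False
    verified_out_of_band: bool = False  # callback to a phone number already on file


@dataclass
class ScreeningResult:
    flags: List[str] = field(default_factory=list)
    hold: bool = False                  # True means: do not release funds yet


def screen_payment_request(req: PaymentRequest) -> ScreeningResult:
    """Return the red flags raised by a request; any flag places the payment on hold."""
    result = ScreeningResult()
    vendor = VENDOR_MASTER.get(req.vendor_id)
    text = f"{req.subject} {req.body}".lower()

    # Vendor identity: unknown vendor, changed bank details, or W9 EIN not matching the record.
    if vendor is None:
        result.flags.append("unknown_vendor")
    else:
        if req.bank_account != vendor["bank_account"]:
            result.flags.append("bank_details_changed")
        if req.ein_on_w9 is not None and req.ein_on_w9 != vendor["ein"]:
            result.flags.append("w9_ein_mismatch")

    # Amount sized to dodge the second approver.
    lower = APPROVAL_THRESHOLD * (1 - NEAR_THRESHOLD_BAND)
    if lower <= req.amount < APPROVAL_THRESHOLD:
        result.flags.append("amount_just_under_threshold")

    # Pressure language and "approval" that exists only inside the email thread.
    if any(word in text for word in URGENCY_WORDS):
        result.flags.append("urgency_language")
    if req.reply_chain_claims_approval and not req.approved_by_second_person:
        result.flags.append("approval_claimed_in_email_only")

    # Policy: every email-originated payment needs out-of-band verification,
    # and anything at or above the threshold needs a second approver.
    if not req.verified_out_of_band:
        result.flags.append("no_out_of_band_verification")
    if req.amount >= APPROVAL_THRESHOLD and not req.approved_by_second_person:
        result.flags.append("threshold_requires_second_approver")

    result.hold = bool(result.flags)
    return result


# Constructed sample requests: one that looks like a BEC attempt, one routine invoice.
SUSPICIOUS_REQUEST = PaymentRequest(
    vendor_id="V-1001", amount=48_500.00, bank_account="999888777", ein_on_w9="98-7654321",
    subject="URGENT: overdue invoice - approved by CEO",
    body="Per the thread below the CEO already approved this. Please wire today.",
    reply_chain_claims_approval=True,
)
CLEAN_REQUEST = PaymentRequest(
    vendor_id="V-1001", amount=12_000.00, bank_account="111222333", ein_on_w9="12-3456789",
    subject="Invoice 42 for October coaching sessions",
    body="Please find the invoice attached. Net 30 as usual.",
    reply_chain_claims_approval=False, verified_out_of_band=True,
)

if __name__ == "__main__":
    for label, req in (("suspicious", SUSPICIOUS_REQUEST), ("clean", CLEAN_REQUEST)):
        res = screen_payment_request(req)
        print(f"{label}: hold={res.hold} flags={res.flags}")
```

The check deliberately treats the finance workflow itself as the control surface: a request is held not because it looks malicious but because it has not yet passed the verification steps the policy requires, which is why even the routine invoice would be held if the callback to the number on file had not been done.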
Gain exclusive access to 360 FREE CISSP Practice Questions at FreeCISSPQuestions.com and have them delivered directly to your inbox! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success.
Join now and start your journey toward CISSP mastery today!
Welcome to the CISSP Cyber Training. Hi money with Shon Gerber. We can provide the information you need. CISSP and roll your cyber trickery.
SPEAKER_01: Good morning everybody. It's Shon Gerber with CISSP Cyber Training and hope you all are having a beautifully blessed day today. Today we are getting close to the Christmas holidays, and we're excited about that. We're probably about three days away, so it's pretty awesome. My grandkids are coming into town, so that is an awesome piece of this. It's going to have a little two-year-old and a five-year-old running all over the place. So exciting, exciting. They love this time of year. And for me as a Christian, I love it as well. It's an amazing time for me. It's just like super special. So it will come and it will go, and then it'll be in January and it'll be cold. Then you have to deal with the cold. Depending on where you're at, it may not be cold if you're in the southern hemisphere. It might be actually kind of warm. But for us, it's going to be quite, quite chilly. So, but before we do that, or actually not before we do that, we're going to quickly get into today's, which is again over domain 7.6. I don't know if I mentioned that or not. Domain 7, we're in 7.6, conducting incident management. That's the overall plan for today. So as you're listening to this at home with a book by the fire and you're wanting to fall asleep, you will turn on this podcast. Else you might be still going into work before the Christmas holiday, so you may want to listen to it then. But before we get into that, we wanted to talk about an article that I saw in InfoSec magazine, or Infosecurity Magazine, I should say. And this is around a thing called the Scripted Sparrow, which sends millions of BECs, or business email compromise emails, each and every month. So as you guys are well aware, and we've talked about it numerous times on CISSP Cyber Training, business email compromise is a big thing that most corporations are struggling with. And it's real. Relatively speaking, it can be an easy fix depending upon what you put in place.
But there's still tons of organizations that are falling victim to this business email compromise social engineering attack. So who is this Scripted Sparrow? Now, Scripted Sparrow, they're an active BEC threat group that is basically being tracked by Fortra. And they operate in basically a collective group, sharing templates, infrastructure, and techniques. So it's a group of individuals around the globe that are doing this. And with social media and with the capabilities of now having various servers around the globe, they can do this and they don't really have to be in the same location. Now the people that are attacking folks around the different countries are from South America, Nigeria, Turkey, Canada, and in the United States as well. So they're using these templates, they're targeting individuals, and they're basically trying to impersonate executive coaching or professional service firms. So if you have an executive coaching or professional services group within your organization, or you've worked with some outside consultants on that, you might be one of the targeted entities around it. So they target the accounts payable and finance teams. Well, and why do they do that? Because they're the ones that control the money. So they will target them. So I've done this in the past when I was a CISO. I highly recommend, I strongly recommend, that you go talk to your finance teams and your HR folks and get with them and walk through what a business email compromise is. Step them through step by step by step and what they should be worried about and what they should be concerned about as a business, as a company, worrying about the business email compromise aspects. Now, as they're targeting accounts payable and the finance teams, they're wanting to basically get those folks that are going to be sending money. They're usually the gatekeepers that keep the money for the business. They're the ones that do all the money transfers.
So why do they target them? Because they're the money movers. They're the folks that will allow the money to actually leave the organization. And they use realistic email reply chains to simulate that there has been some level of internal executive approval. And they just basically say yes. They find out information about Bill, who's the CEO or whomever. And Bill then has this email back and forth with, air quotes, them, saying that, yes, I've agreed to have you send some money. Please send some money. And then they send this to the finance team saying, hey, Bill has allowed us, wants to get paid, or wants us to be paid, why are you not paying us? And they always put in a sense of urgency. They do all kinds of different things to make you want to get it done very quickly. However, it is a scam. And because of the scam, you should think twice about any sort of money that's leaving the organization. Now they'll send fake invoices with W9 PDFs. Now, if you're in the United States, a W9 PDF basically all it does is confirm your business identity. And you have to send in, we call it an EIN number, but it's the employee identification number, and that number will then be tied to a business. And so usually most companies will say, hey, send me your W9. And you can make a W9 any way you want to make it. And you can make it very fictitious, you can do all kinds of crazy things. Ideally, a company, when they see a W9, they should pull your EIN. They should then compare it to what is out there and what the IRS has or your state and local entity. If they don't do that, then you're now in a situation where you could just make up an EIN. It doesn't really matter. So they send out these W9s requesting an ACH or a wire transfer, and the transaction amounts are often set just below the approval thresholds, which most companies have, which may be around $50,000. So an approval threshold is maybe you have a second party.
So you have separation of duties, SOD is what it's typically called, and you may have someone in your company that has to approve an amount below or above a certain threshold. They've set $50,000. So they've, I guess they've seen enough of these situations where $50,000 is the threshold in which it must be sent for approval. So they'll send it below that amount. It might not be $50, it could be $25. The point doesn't really matter. They're just trying to really reduce the number of barriers, the people that have to be involved and that actually have to approve the email being sent. So again, that's an important part. When you get with your finance team, ask them if there's a threshold amount, what is that threshold amount, and get to know what that is. There might not be a threshold amount. It might be where if any email comes in, it has to get approval from a second person. And I would highly recommend you do that. A petty cash amount, like, well, it's a thousand bucks. You know, death by a thousand cuts when they're a thousand dollars, that can really hurt you. So you just want to make sure that you have that worked out with them. And they may say, you know what, if we lose a thousand dollars, it's a big deal, but it's not a big deal, and they're willing to accept that, then that's okay too. So again, education is really truly the key on all of this. So they have a newer tactic that they're using where they delay sending payment details until the victim actually replies, confirming the engagement. And this is a marketing strategy. I mean, I have marketing strategies with CISSP Cyber Training, they have them as well. So if you don't answer, then they don't send it out right away. Now, they probably have a threshold in which, you know what, if you don't answer it, we'll send out a tickler, like a second email or a third email.
And then if you don't respond, they'll probably just send it to you anyway, just to see if you'll click on it. So for them, the cost of entry is extremely low, right? It's just an email and some time. And with AI, they can make it super good. They don't even have to have a lot of time invested. So it's easy money for these attackers. And so that's why, guess what? There's gonna be more and more of it. So we talked about where they're actually from. They demonstrate how BEC will remain one of the most financially damaging attack types, despite how low it is from a technical standpoint, right? It isn't hard to create an email. And the BECs can be very damaging, especially because most people think, well, if you're in business, you make lots and lots of money. I will tell you flat out, no, that is not the case. Now, there's probably big corporations that make gobs of money, but let's put it in perspective. So if you're a business and you make 12%. Now, I worked at Koch Industries, and one of the big things we wanted was you had to have a business that made at least 12%. So your business every year had to make 12%. Some years it made 12%, some years it made 20%, some years it made 6%. So you just didn't know. It had to make at least 12%, is what they wanted. Well, so if your business is making, say, 12%, that's pretty darn good. Now you have 100%, say you sold a million dollars in whatever, and at the end of the day, after everybody's paid, you made $120,000. So that's not you as a person, that's your company made $120,000. So you have to go and sell lots of stuff to make significant amounts of money. And most companies, I'll say 12% with Koch, most small businesses and many businesses outside of small businesses, their margins are around six to less than 10%.
So you real quickly have to go through a lot of stuff and sell a lot to be able to make any sort of profit a company is expected to make. So again, margins are tight. And if you go out and lose $50,000, and let's just say, for example, your margin for the entire year was $120,000, but you just lost $50,000, you lost 50% of your margin. That could end up putting some businesses out of business. So it's really important for you to understand that, or you guys get it, but the impact for some of these small businesses, especially, can be catastrophic. It can be just very, very damaging. So some key defensive aspects you need to be concerned about. Email-based payment requests must always require out-of-band verification. So if someone comes in and says, hey, I want an email, you got to have a second person that looks at this. And that would be a separation of duties piece. So if you get it, the secretary gets it, the finance person gets it, they send it to the executive council, they have to approve it. Or even better, you don't send it to them because you could assume that the emails might be compromised. You get on the phone and you call them. So there's lots of different ways you need to put in place around that. So finance workflows, again, they also could be important. These are not just security controls, they're the primary attack surface. So you need to really truly understand your finance workflows. Talk with your finance folks and make sure that they understand them and you understand them as well, especially as a security professional. Okay, that's enough about Scripted Sparrow. Before we get into the training today, I wanted to quickly talk about CISSP Cyber Training. Head on over to CISSP Cyber Training and get access to all of the content that's there. It's available to you.
So if you're actually interested in studying for your CISSP and you're listening to this podcast, so you must be interested in your CISSP, head on over to CISSP Cyber Training and get access to all my free content that is available to you as well. And that free content will help you in your self-study plan. It's going to give you some of the key things that I wish I would have had when I took the CISSP exam. It was stuff that I was struggling with. I put it all in my free content to help you with that. One thing I did do though is I also created a blueprint, and my blueprint will step you through the CISSP exam step by step by step. Now, this is all part of my paid products that are available to you, and these products will help speed up even faster your self-study plan with utilizing my blueprint and the other aspects around it that are tied to it. I've got over 1,700 CISSP questions. I've got a 250-question exam that's coming out here in the next couple weeks. I have a lot of stuff that's free and available to you. It's also got mentoring that's available. You can get mentoring specifically around your career, as well as if you are a professional that is looking for CISSP or cybersecurity resources, I have that available as well at CISSP Cyber Training. So head on over there, get your free content, sign up for my newsletter and all my emails, and you'll get free questions and so forth. And on top of that, I'm here to help you pass the CISSP exam the first time. Okay, so let's get into what we're gonna talk about today. So, incident management, what is incident response? Now, we'll talk about this routinely through this program. Incident response is a key factor in what you need to do. As I'm working as a consultant right now for a company, I am working in building out their incident response process. And incident response, what exactly is an incident? Oh, you need to know what that means.
Because the reason I say that is you're gonna have regulatory requirements that are gonna be focused on the incidents themselves. And you need to understand how an incident is defined within your company and what you should do related to that. So you're defining an incident, it is a negative effect on the CIA triad. So your confidentiality, integrity, and availability. Anything that is affecting those three would be considered an incident. Now we talk about you have events, you may have situations, you may have different terms that you're gonna call up, but if you have an incident, it has a dramatic negative effect on your confidentiality, integrity, and availability within your company. It's also considered an unplanned interruption, such as it could be a patch that you pushed out that was not good. It could be a natural disaster that could happen. It could be the, air quotes, stray backhoe. And if you have heard me say this time and time again, the stray backhoe is your nemesis. Yes, they will put you in a state of fervor because these guys that are digging and filling, they will invariably hit a fiber optic line and then everything goes down. So, yes, your stray backhoe will do that to you. I've seen it time and time again. And actually, I have more problems with backhoes or people doing construction than I have with anything else as it relates to outages, unplanned outages. Now, outside of a cyber attack, right? So, computer security incident, you again, you want to understand the common result is of an attack that's coming in from somebody that's going after you or your products. So the NIST definition in 800-61 is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. That would be an attack, right? So you're understanding that your incident is occurring.
You've got a good plan of what an incident is, defined by you, and not just defined by you as a security professional, it is defined by you and your team of lawyers and your HR folks and your compliance folks, all those individuals are all involved with you. So that is why the incident response process is such an important part that you need to have it defined, well defined and well exercised. So there's some different types of steps that are tied into your incident response process. We've got detection where you're focused on getting something that's gone on. How do I detect it? How do I deal with it? How do I manage it? Your response, what are you going to do from responding to this situation? How do I respond to it? You know, I go and I have an area that comes up and I go, what do I do? I don't know. Your mitigation comes into what are you doing to mitigate the situation after you've responded to it? Your reporting, who do you talk to? Are there compliance requirements related to regulators that you have to talk to? Do you talk to your senior leaders? I don't know. You have to decide which ones are the folks that you have to end up interacting with to let them know a situation has occurred. How do you recover from the situation? So when an incident occurs, recovery is most important. It just truly is. You can have all these great things, you detect it, you mitigate it, you respond to it. But if you don't know how to actually recover from it, you just sit there stuck in a broken state. And that is not a good place to be, believe me. Then you want to remediate. How do you remediate the threat after it's occurred? And then lessons learned or hot wash. Flying in the B-1s, we used to have a hot wash every time we flew.
And when you flew, you went out, you did your flight, we would take off, we do our low-level bombing missions, we drop the bombs, we had targets we had to hit, we come back, we then land, we put the airplane to bed, we then come back and talk about it in our debrief. And a hot wash for us, so we'll typically put it in a situation, is about a four and a half to five hour mission. We would go out, we would have about an hour, hour and a half hot wash at the end, and we would walk through what did we do? Okay, here's where we went in, we took off, we flew this altitude, we took a tanker, we then talked about the tanker, we went into the low-level route, okay. From here, we came back, yada yada yada. We went through the entire flow, from takeoff to landing, with the B-1. And we went through each one of those to determine where are some areas we made mistakes at. We took notes on what we made mistakes on, and we therefore then implemented changes so that we could make changes to those mistakes that we made. Same concept in the event of an incident. Now, the thing you have to keep in mind is you want to make sure that you do a lessons learned, not just for all incidents, but for all of your exercises as well. You want to take a very programmatic, step-by-step approach on how you look at the lessons learned from your event, whether it is planned or unplanned. Because by doing that, you get a really good grasp of what you need to do different for the next event. Now, some key aspects around this. You have your initial indications of an event. Now, this can be extremely narrow. You may not even know what is actually going on when you first get this incident or event that occurs within your organization.
It could be very small and insignificant to the point of going, you know, it's just a blip on the radar. Now, the tools have gotten much better. AI has been very helpful. In the past, there's been so much noise that's there. You don't even know what's real and what's not. But what ends up happening is by having these different types of tools that are there, it can help give you a little bit better indication of what is something that could be occurring, or is it just noise? So, ransomware, I've had this situation occur. It pops up in an organization way down in the bowels of my company. And an individual will go and say, oh, well, let's not do anything about it, let's just ignore it. And in the process of ignoring it, what happens? It starts to spread. And next thing you know, I've got a full-on four-alarm fire going on in one of my facilities in a location that's not real easy to get to. It's on the other side of the planet. And because of that, now I'm getting delayed responses on the incident that's occurring. So again, they can be very small and insignificant, but they can bring the house down. Those ransomwares are bad, bad juju. So the network goes down. All of a sudden, now you have a bigger problem, right? So you have a ransomware pop-up, now your site goes quiet, and now your network goes quiet. Now you've got so many challenges you're gonna have to kind of unravel. So the detection mechanisms, you need to have various ones in place. Now, ideally, and I'm gonna do a podcast around this company here in the future because I think there's a lot of great tools that are out there that are available to people. People just don't know what to do with them or how you should manage them. So there's a company out there called Centripetal, and what they do is they take all the intelligence feeds and they will get them ahead of time.
So if something comes into your organization, they will actually stop it from even hitting your company. So it's kind of like a tailored DDoS protection in some respects, more of a tailored spear phishing attack kind of thing. I don't know how to explain it, but bottom line is they're a really good company. Centripetal. If you go out there, you google it, you'll see what you can find about it. But there's a way to help stop the attackers from coming in from the front. There's also intrusion detection and prevention systems, IDS, IPS. You have honeypots, these will flag for possible intruders within your company. You have automated rules to flag on different types of log files, especially as it relates to, if you have AWS or Azure environments, how do those different ones work with your different types of log aggregation tools? Individual user reporting. These are all the different pieces that are tied to that. Are individuals able to report that there's a problem? Do they have an easy button to mash and say, hey, we have a problem? Click on the link. So all of those are different things that can be done for detection mechanisms to help you. I would highly recommend that if you have an email provider of some kind, that you build it into your email that there is an easy button where employees can actually go push a button and say, I want to report a phishing incident that might be occurring within your company. By doing that, they're usually the first set of sensors for you to see that there might be a problem. So I'd highly recommend that you work with whatever company you have to come up with that if they don't already have it. Now there's a company I know, KnowBe4, is one of them. They actually already have this situation where they can incorporate it within your Gmail accounts or your Outlook accounts where they can just have a report phishing button in place.
Now, process is vital. You need to really have some sort of processes in place when you're dealing with detection because if you don't, you'll be chasing ghosts all the time. And these ghosts are in your network, they are real and they are also phantoms. So you may have an individual who's there that's acting, going against your company, and people are seeing issues, and so they are going to report them. But you're also gonna have these things that pop up that are kind of unique, and people will maybe be trigger happy and say, oh, I see a ghost, I see something, something's going on, and they let you know. And then you go and you dig into it, and there's nothing there. And then they let you know again, and you dig into it, and there's nothing there. But if you don't have a good process on how to handle this, you're going to understand that you're gonna have problems. You're gonna end up chasing all these rabbits and you'll never catch any of them. The ancient Chinese proverb that I talk about on the podcast is a man who chases two rabbits catches none. And I think it's been twisted and moved in different ways, but bottom line is if you chase too many rabbits, you're not gonna catch them. So you want to make sure that you understand what the processes are for your company so that you know how to deal with these situations when they do pop up. Now, the ghosts that are out there, one of the comments was, I was the ghost. Yes, I was. And I would be very careful on what I did when I was within your different companies' organizations. And the point was to hide in plain sight. I was very careful with what I did within your company, not to trigger too many alarms and be very stealthy and very stable. So keep in mind, from the different perspective, when an attacker gets in your environment, there is a rush to get into your company as fast as you possibly can and get your toehold.
But once you're in, then it's a low and slow approach. You want to make sure that you are taking your time and that you don't burn the credentials that you have. You don't want to give them any sort of sense that you are there, for them to start implementing and doing lockdown on you. So again, small instances get overlooked as noise. You do want to make sure that you're watching for the noise. There's third-party services. Do you have third parties within your company? And in most companies, they are outsourcing many different things. Do you have a process to deal with your third parties? That's an important part of all of this. So when you're dealing with response aspects, response will vary depending upon the incident. The process to respond, you need to have built for this specific incident you're going to have. So when it basically comes out, not for each incident, but you should have that, okay, if something comes in, what is the next process? What are we going to do? Once that happens, what is the next process? What are we going to do? At any point, you can get an off-ramp on any of these processes so that you can then end and terminate the incident where it's at. If you go chase a ghost and you find out there's nothing there, you end the process. If you chase a ghost and it finds a little bit more of a breadcrumb, you continue on the process. So the goal is you need to have an overall system set up to respond to all of your incidents that you have. Your legal and crisis teams need to be pre-positioned and ready to go. What does that mean? It means you need to have talked to them. You should have talked to at least your crisis team and your legal team at least once prior to having an incident within your company. Because if you don't, you will be talking to them a lot and you will probably be confusing and making each other unhappy. So you want to make sure that you talk to them before you have a situation.
Don't address this in the middle of the crisis. You want to do it ahead of time. Now, your cyber computer incident response teams, basically your CIRT or CSIRT, these are teams that are set up specifically to deal with the overall incident. They could be people that are internal to your company. They could be outsourced. There's people that are on a bat phone, to be able to answer and respond to any sort of situation you may have immediately. Now, they come at a high price, but they are there for you. There is a company I worked with at Koch, and I can't remember the name of it. There's various companies that do this. They are on the hotline, ready for you in the event that you have a situation. Now, these are typically going to be involved from the beginning of the situation, of the incident, of the process to the end of it, to when you finally declare we are done. And then once we are done, that's even after the hot wash, they would be involved in that as well. So once you put a bow on this thing, you wrap it up, and you're getting ready to shove it onto a shelf for posterity, that's when they are done. Now, a third party retainer, again, if you're going to be dealing with a third party to help you with this, I highly, strongly, increasingly stress, do this now. Get with your legal teams and talk to them today. Don't wait, talk to them today and say, hey, we need to do this because the challenge you're gonna run into is if you want a third party to help you with this, you're gonna need to get the legal paperwork done ahead of time. And you're probably gonna have to put them on retainer of some kind or fashion, which basically means you're gonna have to pay them a bunch of money for them just to kind of sit there and wait for you to call them. And you may never call them and you're just gonna continue to keep paying them a bunch of money.
And the purpose, though, is that if you do that, you now have the ability to call them and they will immediately come and help you with the situation. Now, if you have a team that can handle this, then I would highly recommend that you, say you're in the initial birthing place for this and you're standing up your security operations team, I would, in the short term, probably pay for somebody like that while you are building up that capability within your own company. So it's just something to consider. I would probably pay the money, put them on retainer, have them ready to go, but then have a plan that in the next two years you're gonna put yourself in a position where you have a team that's dedicated, staffed by your own professionals in your company. And they don't have to all be security people that are gonna help you with this, because ideally, most of your security people don't deal with the network like your infrastructure folks do. So you're gonna have a team of many different folks that are involved in this, but you can do this with an internal team. You just have to have a plan on how to do it. So in the short term, I would highly suggest that you get a company, one of your third parties, to help you with this, just having them on phone call on retainer, and then build out your team and just have a one to two year plan, depending on what you're going to do. Evidence preservation is a key factor. You want to have chain of custody in case, and have these procedures defined within your company as well. So say someone attacks you and you feel that, you know what, we might eventually have to sue somebody or take somebody to court. If you don't have evidence preservation and you don't have a process to deal with it, it didn't occur. You just spend a lot of money and you're not gonna get any love out of it. You're gonna be really, really, really upset.
So what's gonna happen is you're gonna be super upset because you spent all this money, and then you're gonna be even more upset because you can't go after these people because you didn't preserve any of the evidence. So just keep that in mind. You wanna make sure that you have an evidence preservation process. Trained personnel. We talk about internal and external. Again, they need to be able to assess the damage, collect the evidence, report the incident, and recover procedures, right? All these things are an important factor in what they do. If they're looking at it and they can't assess what's actually broken, it's really hard to know what you should fix if you don't know what's broken. They also should be the people that are trained in your chain of custody process around collecting the evidence. If they can't collect the evidence, then you have a big problem. So again, this is just training. This isn't rocket science, guys. This is truly not hard. You can do this. You can come up, especially now with the different ChatGPTs and Groks and everything else that are out there from an AI standpoint, you can come up with a decent training plan for your people around these different topics. And then it will do a good job of giving them the information they need to be successful. But you need to have the ability to collect the evidence that's going on. You want to report an incident that's going on. How do you report it? Okay, so do you just report it to your CEO and say, huh, not my problem anymore? Probably not. In today's world, we are highly regulated. And so if you are dealing in any sort of the financial industry or healthcare industry, you have reporting instructions you have to do. I had to do it in the manufacturing space as well. So it doesn't really matter where you go, you are going to have to have some level of reporting. Just plan on it. It's not the norm, I should say... what is that?
It's normal to report to a regulator; it's uncommon to not report to somebody. So I would just have a plan on who you're gonna report to. It may just be that you have a good plan to report to the board. That's fine, but you just need to have a good reporting process in place. Recovery procedures: what are your recovery procedures, and how are you gonna deal with getting yourself back online? This comes down to resilience. You need to have a good resilience plan related to your organization to keep it up and going. Now, mitigation. What are some key aspects around this? The goal of it is to limit your scope and the effect of the incident as well. So it comes in and it starts nuking part of your business. You want to keep it contained. If it's got to nuke something, only nuke a part of it. Only take out a small section. Because if you are a business owner, or your company's a business and it makes money, well, it has to make money, otherwise you wouldn't be employed. You want to limit the amount of damage to the business units that are actually making income for your company. So if this thing is starting to spread like a virus, you may have to cut off your foot to save the body. One example I had was we had multiple companies around the globe, and we had a plan that if a ransomware attack took out one of our facilities, what would we do for the rest of the body? We were willing to cut off the foot to save the body. And this is a big factor that you're gonna have to deal with, with your CIO and your CISOs. If you don't have that leadership and you are that leadership, you need to understand all of your remote locations and, if something were to occur, how can you sever that connection and still keep business operational? This will come down to your business impact analysis that you'll have to do, and this will help you kind of analyze that as well.
This is a process, guys. This is so far beyond the CISSP... no, it's not beyond it. It's the fact that these are the things you're gonna need to know for the CISSP, but you're also gonna need to know as a security professional. These are really good nuggets that are gonna help you in your experience. In real time, you need to prevent the attacker from gaining additional access, and then you also need to prevent the attacker from knowing you are aware. Again, once they know you know, now you're in a game against time. They may have logic bombs set up throughout your organization that, if they know that you know, they will set off. And if they set those off, then it brings the house of cards down. So if you are aware that someone's within your organization, you're gonna need to take steps quickly to mitigate them, to shut them down, but knowing full well the moment you flip, you show your cards, right? So the moment you show your cards, then the game is afoot. They are going to be trying to do everything they can to ransomware you or to shut you down completely. So again, they may start the destructive aspects of it, so just be ready. Have your A game going. And I would highly recommend, if you know someone's in your network and you're working to mitigate them, get your third party that you have contracted on the bat phone and get a hold of them as quickly as you possibly can. After the fact, you assume the attacker is still in your network. This is the thing that people struggle with: even if you've mitigated them and they're gone, assume they are still in your network. Because guess what? They probably are. So that means it's gonna cost you even more money, right? You're gonna have to replace all these systems, you're gonna have to blow away systems and build new ones, you're gonna have to actually end up spending even more time dealing with this. So it's just bad.
There'll be backdoors that have been created. I would tell you this, and this is just from personal experience. When I got a toehold within a network, I put in a minimum of six backdoors. That was me. Now, they didn't all happen right away. As you're starting to go through the area of the network, you're looking for other ways in. And then once you find someplace cool, you go and you put in another backdoor. And if it's a different way that you think, okay, well, if they shut me down, I still should have this way in, I'll go and put a backdoor here. So I had a minimum of six backdoors within my company, or within any sort of engagement I did as a red teamer. Then you can only assume that the bad guys and girls are doing the same thing. Now, put it in this perspective: they're lazy. I was not lazy, because it was what we did for a job. But a lot of the attackers are lazy. They may not put as many in, but I don't think you want to bank on that. So just know there are backdoors probably created, at least one or two. Engage all resources. Again, fire drill, all hands on deck. If something was to happen, you're bringing everybody in for their A game. Your infrastructure folks, your HR folks, your legal folks, everybody in the company that has any sort of decision rights is brought into the mix on this, because it is all hands on deck. You are a World War II boat in the middle of the Pacific and you're getting shot at by submarines. You want to make sure that everybody's aligned and everybody's heightened on how to deal with this specific situation. Because if the company goes down, you go down, your livelihood goes down, it all goes down. It burns to the ground. So again, everybody is involved. So reporting, you want to make sure that you have key aspects related to this, because your CEO, your owners, your CIOs, all the company leadership needs to be involved. How are you going to report to them? Legal compliance requirements.
Again, don't try to downplay this, what's going on. That's what happened with Equifax. It's okay. No worries. We got this, we're under control. You just keep doing your CEO stuff, we'll do ours. Okay, I did that in a different voice. It was kind of weird. But that being said, again, it's what happened with them. They just said, you know what, don't worry about it. We got it. And they didn't have it. So you need to make sure that everybody is involved with what's going on. Legal and compliance need to be ready to put out statements. Depending on the company you're in, the statements may be pre-canned, may not be pre-canned. I recommend you have them done already. Have them pre-canned, have multiple statements, have multiple scenarios, and then they have all been through the legal vetting, they've been through the HR and compliance vetting. Everybody is happy with those statements, and then they're ready to go. Now, hopefully you never need them, but they're done. If the situation comes up and you have to modify it and morph it a little bit, that's okay. At least they're done. So get something already built out. Formalized notification process. If you're dealing with any sort of regulators, who is the notification person? Does it come from the board? Does it come from the CEO? Who does it go to within the government? All of those need to be worked out and defined, and those need to be agreed upon. Again, legal language is important in this spot, especially when you're dealing with the governments of wherever you are operating. Legal language is everything. You can give a statement to the media, and it can be a little bit wrong, right? Say because you didn't know what's going on. Not that you're lying. No, we're not lying, but you just didn't really truly know what was going on. You released a statement, and it's a little bit in error. You cannot do that with the legal entities.
You need to make sure you're on your A game, and everybody has to be aligned. So again, you need to have that process defined. Cyber insurance company notification, this is a big factor: are you gonna let them know what's going on? What have you done? They're gonna get in your chili. They're gonna be in it, they're gonna be asking you all kinds of questions, and you are gonna get pulled in 10 different directions trying to answer all these questions. They're gonna make sure that you're doing what they feel you should be doing in order that they're gonna do a payout. They don't just arbitrarily go, oh, okay, cyber incident, here's your money. They don't do that. They are going to be asking you for lots of detailed information. Legal compliance, again, make sure your team is prepped in advance. They need to know what's going on. Your legal, compliance, and public affairs all need to be aware, they need to be involved, and they need to be in the game plan. I will tell you, I've had some of the hardest conversations I've had with public affairs, legal, and compliance. Well, not so much legal, they get it, but compliance and really mostly public affairs, saying, hey, this is the plan. If we get a ransomware attack, this is what we need to do. Really? Seriously, we don't need to do that. Yeah, you do. No, no, we don't need to do that. Yeah, you do. And so that's a back and forth. I've had to escalate it up to the CEO numerous times to go, will you please get your people on board here? This isn't hard. Let's just do it, be done with it. And then they finally come and acquiesce. But the bottom line, I also send them a bunch of emails of different breaches that have occurred and said, okay, how would you handle this? That usually helps bring them, get them on board. All right, continuing on, legal and compliance again, have them evaluate any contractual aspects you have prior to the breach. What do you report?
What vendors should you report to? You have vendors that are providing critical services. Do you need to let them know? Laws that require breach notification. The list is long and distinguished, and there are lots of them. You have GDPR, cyber law, many, many, many others. There are all kinds, and there are more and more all the time. There are the Chinese or the financial aspects around it, NYDFS, you name it. They all have breach notification laws. They all vary in different directions as far as how long, from 24 hours to 72 hours, but they're all different out there. U.S. state laws will vary as well. These suits may occur based on the company's facilities. Depending on where you're at, your U.S. laws may be involved as well. So you just don't know. You really need to make sure that you have a good plan. And even with the plan that you have, the moment something happens, it is what Mike Tyson says: you have a plan going into a fight until you get hit in the face. And then that plan goes out the window and you start figuring it out. Same concept. You'll have a plan in place until you get hit in the face with a cyber attack, and then that plan goes out the window. But the key is that you've drilled it, you've planned it, you at least have a good idea of what you're going to do. So it makes those overall pieces go much smoother than if you had no plan whatsoever. Government law enforcement, you want to determine if you want to get with the FBI, you want to get with Interpol, to help you in these situations. So all of them can help you depending upon what you have to do. And when I say help, let's put it in perspective. The FBI is not gonna help you. They're just not. If you're a small business, forget it. They ain't gonna do it. Even small local organizations, local police forces, aren't gonna help you.
They're gonna collect evidence and then they're gonna say, thank you, have a nice day. They're building their own cases against these individuals outside of you. So they're not gonna be a whole lot of help. But you have to decide if you want to bring them into the conversation or not. Sometimes if you bring them into the conversation, they will not take over the situation, the incident. They definitely won't do that, but they may start giving you inputs on it, which could be helpful or which could maybe be hurtful depending upon the situation you're dealing with. So you've just got to kind of decide what you want to do when it relates to bringing in law enforcement. You need to let law enforcement know. You just need to also couch that. I would highly recommend you go talk to law enforcement, ask them, hey, if we have an incident, what does this look like for you? How do you get involved? How would that impact our incident? And just to see, have a good understanding of what they're going to go through. So when you're dealing with recovery, some other key aspects are where you want to return the functionality as best you can as quickly as you possibly can. It could be as simple as you just reboot. You could have images that are in place, and you just bring up new images and you're in business. It's not a big deal. It's all very resilient and good to go. And that's great in the cloud environment. And I will tell you that there are plenty of opportunities for you to be able to do that in the cloud space. However, one thing to keep in mind is that your cloud space usually has infrastructure as well. Unless you're fully cloud, if you have any sort of infrastructure, that can be impacted by a ransomware attack as well. So you want to understand: how do I return my functionality and get it back and operating to at least a point where I can start making money again? You need to document all of this.
Documentation is the issue that happens so often in these situations. Nobody has it. I'm dealing with this with company after company as a consultant. They're not documenting it. They don't document stuff because why? They're trying to make money and they're going 100 miles an hour and they look at security as a cost, right? So I don't want to deal with it, I gotta get this stuff done. And that's true. But the moment something bad happens, they're gonna be wishing they had documented all of this stuff. Address all your systems, unaffected systems as well. This includes firewall rules that may have been opened up during an incident. Where could those be? How does that look for your company? And then utilize backup and recovery procedures as well. All of those things need to be done, and understand what procedures you would use in the event that you'd have to bring everything back. Remediation. So this comes down to the incident investigation. You need to determine your root cause for what actually occurred. How did it happen? Where was it at? Who clicked on the link? How did this get into our environment? Could we have seen this sooner? Evaluate all your exposed systems. Start with your internet-facing systems first. This isn't hard. Start with stuff that people see. If people see it, they're going to attack it. So go with everything that's internet-facing to begin with. Now, the other thing you need to keep in mind is, especially now with APIs, oh my goodness, and the cloud services, such as, let's just say, Microsoft's SharePoint, whatever. All of this stuff is already in the cloud. It's already sitting on the air-quotes edge. You as an owner, in many cases, I'll use SharePoint as an example, if you give them the right permissions, the owner of the SharePoint site can make this discoverable by the internet. Yeah, by clicking a button. In the past, you had to go through lots of gatekeepers.
Everything went in and out of a central point. Not anymore, baby. It's all available on the internet. And it's for convenience's sake, which is always the end of it. Society is for convenience. We all want to be convenient. And then we all get taken over by the Huns. Went dark quick there, sorry. But that's the case, you know, and that's the truth. So the point of it is that you need to be aware of all of the external things that are available within your company. APIs, oh my goodness, they're wonderful, but they also can be very, very bad. And you have to have good control of your APIs and be watching for all of those. You know, evaluate all your exposed systems, additional data and systems that are all affected. This includes employees, emails, phishing, malware installed, attackers who have pivoted during open shares, all of these things you need to be aware of, right? Admin account compromise. Do you allow your people to use local admin to install software on their computers? Oh my gosh, don't do that. All of those things, right? You need to be aware of, because those are all pieces where people can gain access to your company. And they can start small, with, you know what, I send you a phishing attack, you have local admin, your local admin is part of a security group. The security group has the domain admins that are tied to it as well. I now leapfrog over and steal the domain admin's credentials, and now game over. It could be about a five-step process, and we are over and you are mine, right? So you just hear the cackling in the background, you are mine, and yes, that is it. You are done. So those are pieces that you need to be aware of. And you just need to understand that if you don't have a good plan on how to deal with it, yeah, it's just gonna go sideways. So I think I've beaten that horse to death. So lessons learned again, the hot wash, after action.
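The local-admin to security-group to Domain Admins chain described above is a nested-membership problem, and the defensive counterpart is to audit who ends up in your privileged groups through nesting, not just who is listed directly. The following is an added example (not code from the podcast or its author) that walks a group-membership snapshot and reports every account that reaches a target group, with the chain of groups that gets it there. The group and account names are constructed; in practice the `MEMBERSHIP` dictionary would be filled from your directory export.

```python
"""Nested group-membership audit.  Added example, not from the podcast; the
directory snapshot below is constructed to mirror the chain described in
the episode (workstation local admins nested, via helpdesk and tier-0
groups, into Domain Admins)."""
from collections import deque

# Constructed snapshot: group name -> direct members (users or other groups).
# Anything that appears as a key is treated as a group; everything else is
# an account.
MEMBERSHIP = {
    "Domain Admins": ["admin.jsmith", "Tier0-Ops"],
    "Tier0-Ops": ["Helpdesk-L3"],
    "Helpdesk-L3": ["Workstation-LocalAdmins"],
    "Workstation-LocalAdmins": ["user.alice", "user.bob"],
    "Finance-Users": ["user.carol"],
}


def effective_members(membership: dict, target: str) -> dict:
    """Return {account: [group chain]} for every account that is a direct or
    nested member of `target`.  Breadth-first, so the chain recorded for each
    account is the shortest one; a `seen` set guards against group cycles,
    which real directories do contain."""
    found = {}
    queue = deque([(target, [target])])
    seen = {target}
    while queue:
        group, chain = queue.popleft()
        for member in membership.get(group, []):
            if member in membership:          # nested group: keep walking
                if member not in seen:
                    seen.add(member)
                    queue.append((member, chain + [member]))
            else:                             # leaf account: record its chain
                found.setdefault(member, chain)
    return found


def nested_only(membership: dict, target: str) -> dict:
    """Accounts that reach `target` only through nesting.  These are the
    ones a review of the group's direct member list will never show."""
    return {
        acct: chain
        for acct, chain in effective_members(membership, target).items()
        if len(chain) > 1
    }


def report(membership: dict, target: str) -> list:
    """Human-readable lines, one per account, for a review ticket."""
    lines = []
    for acct, chain in sorted(effective_members(membership, target).items()):
        how = "direct" if len(chain) == 1 else " -> ".join(chain)
        lines.append(f"{acct}: {how}")
    return lines


if __name__ == "__main__":
    for line in report(MEMBERSHIP, "Domain Admins"):
        print(line)
```

Running it against the constructed snapshot shows `user.alice` and `user.bob` as effective Domain Admins through a four-group chain even though neither appears anywhere near that group directly; that is exactly the kind of finding the remediation review above is meant to surface, and it is the nesting, not the phishing email, that turns a workstation compromise into a domain compromise.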
This is also anything that could affect employees and third parties. So if it came in through a third party, you better have a hot wash with the third party. Don't just take the fact that the third party goes, yeah, we fixed our problem. We're done. No, you get legal and you go have a conversation with the third party and you say, I want this written: what you've done, what you did with it, I want to know how you did it, all of those things. Get with your legal teams and make sure that anything that happens with a third party is documented and it is obviously taken care of by all of you. You all have looked at it. Evidence preservation is a key factor as well. How are you keeping it? Okay, I've beaten this drum about four or five times. You need to make sure that you preserve your evidence, because if you don't, it didn't exist. That's the problem. And then incorporate all of these lessons learned into tabletop exercises and scenarios. And this is where you do a tabletop at least once a year. Many of the regulators, financial regulators, will require you to do tabletops at least annually. But I would highly recommend you do them at least maybe once a quarter, if you're doing some sort of tabletop. So an important part of every person's cybersecurity program is doing tabletop exercises and making sure that they have everybody involved. Okay, that is all I have for you today. Thank you so much for joining me today at CISSP Cyber Training. Head on over to CISSP Cyber Training. There's a lot of great content out there for you. I am so excited about the stuff that's coming next in 2026. I've been building out the plan. I'm super fired up about that. And I know you guys are gonna be excited too for 2026 with CISSP Cyber Training. If you're looking to get your CISSP done, let's get her done in '26. It's a brand new year, right around the corner. Let's knock this out. If you're getting ready to take your test, good luck.
Hey, I hope you've been using the CISSP Cyber Training stuff, and I hope that you have a good plan in place that you're gonna pass it going into '26 so that you can increase your income, increase your status, increase anything you want to do with getting your CISSP certification complete. All right, thank you so much and have a wonderful day. And we will catch you on the flip side. See ya. Thanks so much for joining me today on my podcast. If you like what you heard, please leave a review on iTunes. I would greatly appreciate your feedback. Also, check out my videos that are on YouTube, and just head to my channel at CISSP Cyber Training, and you will find a plethora or a cornucopia of content to help you pass the CISSP exam the first time. Lastly, head to CISSP Cyber Training and sign up for 360 free CISSP questions to help you in your CISSP journey. Thanks again for listening.