
Security Done Different
Security Done Different is a cybersecurity podcast hosted by CloudGuard experts, featuring conversations with leading industry professionals. In each episode, our team of specialists speaks with cybersecurity thought leaders and innovators to explore strategies, emerging threats and practical solutions.
#4 What to Do When Sh*t Hits the Fan (Real Incident Response Stories & Lessons)
Cyberattacks aren’t what they used to be. It’s not just ransomware anymore. We’re seeing full-on extortion campaigns, with attackers naming and shaming victims on public forums. We break down real examples, including high-impact breaches in healthcare and critical infrastructure, showing how quickly things can spiral without a solid incident response plan in place.
We also look at how AI and automation are changing the game. Not just for attackers, but for defenders too. These tools can help you respond faster, cut through the noise, and make smarter decisions when every second counts.
This conversation isn’t only about tech. We talk about the human side of breaches, the stress, the public scrutiny (thanks, social media), and the pressure to meet regulatory demands quickly and cleanly.
If you take one thing from this episode, it’s this: start simple, build from there, and don’t overcomplicate it. Whether you're running a team of 10 or 10,000, having a clear, tested plan and knowing who does what and when can make all the difference in a crisis.
Expect practical takeaways, a no-BS tone, and a healthy dose of “get real” advice for anyone responsible for keeping their organisation safe and sane when the heat is on.
In cybersecurity, it's not a question of if, it's a question of when. So when that moment hits, when your systems go quiet and alerts light up and the pressure skyrockets, what exactly do you do? On today's episode of Security Done Different, we're diving deep into incident response, the last line of defense when prevention fails. I'm your host, Jakob, Head of Engineering at CloudGuard, and joining me is Connor, our COO. He's a veteran incident responder, and someone who's helped organizations recover from some of the most chaotic high-stakes moments. Together, we'll explore what makes a solid IR plan, the emotional weight of healthcare breaches, and the real-world implications of attacks on operational technology. Whether you're starting your IR plan from scratch or pressure testing an existing one, this episode will get you thinking differently. Let's get into it. Connor, would you like to introduce yourself?
SPEAKER_01:Yes, thanks, Jakob. Really looking forward to a conversation about IR today. So just a quick background. I spent the last decade building and running different security operations centers, leading some incident response operations and helping our customers and organizations recover from, in their words, some of the worst days that they have ever had, understandably. I started on the front lines as a SOC level one analyst, as you do, a traditional junior analyst, and worked my way through different traditional tiered SOC teams. And eventually then became a SOC leader and then moved into head of operations and then I'm now the CEO at CloudGuard. And I think maybe what I've learned throughout the different times of being involved in security from the very early days and as a junior working my way through that is that technology matters, the tools matter, but during an incident, it's really how you coordinate, how prepared you are, how well you communicate, how you bring everyone together through an incident, and how you respond to that is super important. So really looking forward to today's episode, Jakob.
SPEAKER_00:Yeah, that's amazing. So it goes to show not only is incident response and how you deal with an incident important, but also communication throughout the entire incident. IR is also very important. So let's talk a little bit more about incident response. What is incident response and why is it a core part or why should it be a core part of your cybersecurity strategy?
SPEAKER_01:Yeah, absolutely. So I think for those in the industry, IR is the thing that happens when things go bad. For those not in the security industry, it's a very... unknown world of what happens out there; we don't know anything about it. But to me, incident response is really just how we structure our approach to managing a cybersecurity incident. So we think something's happened, we now need to confirm this has now happened and then declare that we have an incident, and now we need to respond to that incident. It's really the last level of defense. So whenever you're in a security operations center or you're a SOC analyst, you are there trying to protect and defend someone's environment. IR is where you don't really want to be, but at some point you will be there. And that's really the last stand of, okay, how do we now get us back to a healthy state? I always find IR very simply is, it's not going to drive revenue of a business. It's not going to improve the efficiency. It's not the engine of a car, but instead it's the seatbelt. So it's the thing that actually protects us when we go through an incident: how prepared we are, how ready we are, how planned we are, in terms of technical responses, coordination, stakeholder engagement, et cetera, et cetera, et cetera.
SPEAKER_00:I guess, yeah, a lot of organizations will focus on keeping their assets and their estate secure. But what do you do when it goes wrong, when shit hits the fan? Because, I mean, it's scary when it happens. You've got a lot going through your mind and pressure is on. That's probably the most pressure you'll feel, right, inside of an environment. I'd say it's almost like your boiler, for example. You do maintenance on it all the time, but no one ever really prepares for what am I supposed to do when my boiler dies, right? The stress is on. You've got no hot water. How do you wash the dishes? How do you take a shower or have a bath? And then the expense behind it, you've got to call someone in. Who do you call? How do you get this fixed as soon as possible? And it's very similar, isn't it? It's how do you recover from an incident as quickly as possible so you can resume your usual business. So in your opinion, why does IR matter now more than ever? I guess it's always mattered, but now more than ever, right? We are seeing so many articles on the news about various different businesses being attacked. I mean, just this week, it's M&S and a bunch of others as well. What are the important things to consider? So there's rising attacks, there's, you know, your regulatory pressure, you know, your reputation is at risk, all this kind of stuff. Let's delve into that a little.
SPEAKER_01:I think for me, I think like you said, yeah, it's not that it's more important and it's not, it's always been there and it's rising through the ranks in terms of if you look to 20 years ago versus now, there is that incline of attacks of different variations of different threat vectors. But I think it's one becoming more prominent because people talk about it more and are far more aware now of what a cybersecurity incident is versus what it would have been 10 years ago. And also, like everything else in cyber, as you well know, attacks are faster. AI is now in the picture. They're more automated. All of that just amplifies how an incident happens, where it comes from, what the attacker can actually do now compared to what they could do before. So, you know, years ago it was very much a lot of work for an attacker. Now things are simplified massively by being able to use things and tools like AI. You've also got ransomware as a service, which has just become even bigger and bigger and bigger as things go on. As people pay ransoms, they continue to fund and monetize that industry. And there's just so many more things happening now. In my opinion, nothing's really changed as to how they work. They're using AI to enable themselves more to do things faster, to understand the customer environment better. But the principles are all very much the same: how they do it, the way they get into an organization, how they find out about them originally, why they want them, the tactics, the techniques, all that sort of stuff are all very much similar. And hence why there shouldn't be this huge disparity in terms of attackers and defenders, because it all... is quite similar. It's really just how the defenders respond to it, in my opinion. So how are we keeping track of TTPs? How are we making sure we're using things like threat intelligence to understand how an attacker is changing their ways? What way are they moving? 
Have they done this before? Are they now doing that? And you'll find that consecutively, it's relatively similar as time goes on. And they just keep finding new victims to target, and then the victim doesn't have a plan, they don't have the tools in place to detect and respond effectively, and then that's just it. It's an ongoing cycle.
SPEAKER_00:I think another interesting thing there is IR has always been a thing. People have been constantly being breached for many years now and, yeah, things are getting faster. The way customers are breached is more and more automated and just getting more and more efficient. And as things evolve, that is just going to continue, right? But I think what's interesting is how aware people are these days of incidents that occur, right? And partly because consumers as individuals are becoming more and more reliant on online services, right? So let's say about 10 years ago, online shopping, not that popular. Now it's almost like part of your life, you know, online shopping, getting deliveries in, click and collect and all these kinds of things. We've become so reliant on the digital world that when a business has an interruption and, you know, IR is a part of that, customers are aware of these things and then customers have all these questions, and we as consumers are just more aware now because we are just more reliant on digital than we were before. And that's an interesting conversation because reputation now, the more consumers that are using those online services means you've got more of a reputation to uphold. And so if there's a disruption, people are going to know about it quicker and faster. But now with the rise of social media, it's almost like as soon as something happens, the news spreads like wildfire, right? It's all over Twitter. It's all over Instagram and YouTube and everywhere as well. And it just makes it more and more difficult doing the whole IR side, right?
SPEAKER_01:And it makes it so much harder for an organization, especially if they're customer-facing, if they're a SaaS platform, or they're a large retail, like we've seen with M&S, where... it's out there very quickly, which if you don't have a plan and you're not ready and you don't have predefined comms and you maybe don't have these things sitting ready to go if something was to happen, you're already on the back foot because someone internally tells someone else, we tell someone else, we suddenly, like you said, it's on Twitter, for example, and then the next thing, you have to respond. You're forced to respond, maybe quicker than you want to. But it's like... You know, five years ago, you'll be exactly the same. You tell someone you worked in cybersecurity or you're doing computer science, you're doing a cyber degree, and they're like, what's that? What does that do? And you're trying to explain to the world what cybersecurity actually is. Whereas now, you say, I work in cybersecurity or, you know, like CloudGuard, we're doing this and we're doing that and we're automating and we're democratizing cyber and people get it more than they used to. They maybe don't fully get it now, but they definitely are like, I get it, I understand. And that is the good thing, I guess, about the media: it's helping spread awareness to other people and organizations and just people, like humans in general, that this is serious, like it can be seriously impactful if you are affected by this. It's not just the huge corporations or the large organizations that are turning over hundreds of millions of pounds. It's also the small companies. It's also the medium-sized, the hundred seats, who are equally as targetable and equally as lucrative to the attackers as potentially a large company. But yeah, I think all that. And then you mentioned regulations as well, which... is a good thing in a way because the industry, as we know it, is becoming more regulated. 
So you've got the likes of GDPR, you've got DORA, you've got the sector-specific industry regulations, which is a good thing because it's now helping people realize that you need to have this. It's not just a, I'll see you in two years' time, depending on how business growth is, and we've got these other priorities. It's okay to have this business in place. I actually need to have some protection and the regulatory bodies are helping us, I guess, fight that good fight in terms of it's not just a nice to have anymore. It's okay, you must actually have that. We will, you know, regulate that and it has to be in place to a certain point. I think that's helping us as well in terms of how fast IR is advancing and then how we're trying to keep up with that as well.
SPEAKER_00:And we've also seen attackers change tactics now, right? So ransomware was a thing and now we're seeing them shift towards extortion. We've got your data. And where before it was a case of, say, companies would actively try and limit the fallout as much as possible and try to minimize the amount of information that gets out there and hide behind the guise of, oh, we're just having some system issues as opposed to we've been breached. And now attackers are taking up on public forums and saying, yep, we've breached this company. We've got their data. If they don't meet our demands, we're going to release all of the data. And it just adds to that pressure, doesn't it?
SPEAKER_01:Yeah, they're keeping us on our feet in many ways. But I think, yeah, this is a large part of it too. And they're now probably going and saying, hey, we've done this. This was us. We're proud of this. And yeah, Organization X, yeah, like, good luck trying to respond, and, you know, but pay us this instead and then we'll just slowly move out of the way and this will all be forgotten about. But yeah, that is just one of the ways that they are absolutely keeping people like us on our feet in terms of how fast we need to respond. It can't just take three weeks anymore because suddenly someone knows about it sooner, and it's not just, like you said, the initial, hey, here's a demand, pay it, and that's it. It's okay, here's a demand. Oh, but we also have this. Oh, but we're also going to release this. And then we've also told people about this too, and it's just a string. And that makes it difficult, really, really difficult for organizations who maybe don't have security functions, of which there's so many of them out there, to really understand and grasp the gravitas of a ransomware type, for example, and maybe aren't fully up to speed in terms of what actually could happen or what will they do until potentially you're the one at the other side of a ransomware note, which is an awful place to be. But yeah, I think massively they're changing in so many different ways, tactics, techniques, doing similar things, but just lots more pressure on top of those for organizations.
SPEAKER_00:So put yourself in the shoes of an organization. You've just been breached. You've got to take care of the fallout of that. So you've got to go and figure out how you were breached. How did they get into your network? How are they staying in your network? What information did they take? And on top of that, now you've got to manage the social media side of things. So how do we relay this to our customers? How do we tell them we're doing everything that we are doing to make sure this is contained? And then you've got the regulatory pressure as well. On top of that, who do I need to notify? How much time do I have to disclose? What information do I need to disclose to them? And then also you've got to figure out what have the attackers got hold of? What is impacted? There is so much happening during an incident response. And so stay tuned because at the end of this episode, we'll talk about some expert recommendations and insights when it comes to preparedness and readiness, right? Because when it comes to the time, what matters most is how prepared you are and what plans you have and how thorough they are, because that is what's going to keep you grounded and make sure you get through an incident response as quickly and efficiently as possible.
SPEAKER_01:And I think these simple things too, right? So they don't need to be these huge initiatives that need board approval and that need lots of different stamps for them to be put in place. It can be very, very simple stuff that we'll share. It's just about starting somewhere: having a conversation, talking about something, writing something down. Like you said, yeah, you made a great example about the boiler already. If we had never thought about that before, we've just talked about the implications of the boiler going down. So now we're starting to think about, okay, well, I can't do my dishes. I can't have a nice hot shower. I can't have this and I can't have that. Now I'm starting to think about, okay, well, what could we put in place? That's it. That is the very basics of an IR plan, but in a very different perspective.
SPEAKER_02:Yeah.
SPEAKER_00:So let's move on to some stories about incident response. Connor, I've heard you've been involved in a number of incident responses. I have as well, but just mainly on the investigation side of things. But hey, let's talk about some real world sort of horror stories and examples of incident response.
SPEAKER_01:I've got a few key stories that just always stick with me because... I don't enjoy incident response. It's not a fun place to be. But what I do get out of it is the fact that you're helping people and you're in a hugely chaotic, emotional environment. And what I usually, and the rest of the team that are with you, in those instances bring is some calm and control and a collective responsibility to, okay, we're here. What does good look like again? And how do we then take the responsible steps that are needed to get us there? Because, as you can imagine, and as I would be, if it is your company that is being affected and you're going through this, you will of course be emotional. Even if you have a plan in place, you will be emotional and you will find that a difficult situation to be in. We see it every day. It's very different for us; we can be a little bit... we can take a step back from the emotional aspect of it and say, okay, what do we need to do? Who needs to be where? What steps do we put in place? And how do we get there as incident responders? We responded to an incident for a managed customer. This time it was a healthcare provider. And that bit for me is very difficult in terms of the ethics behind it and the morals and everything of healthcare and all the support and amazing work that they do. But you've still got people that, you know, are going to try and attack these organizations, and that is quite infrequent. They don't usually go towards that because you've got risk of life, and someone like a healthcare provider, they are doing work to keep people alive potentially, and surgeries and different things that are happening, routine appointments, clinics, etc. And that is very different, in my opinion, that industry especially, and a lot of attackers don't usually go towards that area, depending on who they are and lots of different stuff behind. Attackers have huge profiles, so we profile attackers. We understand how they work and we try. 
That's a huge, that's separate to incident response and threat intelligence and threat modeling and lots of different stuff and doing huge and amazing work in that aspect of security. So in this case, we had a healthcare provider who... We monitor lots of different parts of the healthcare provider's environment and we start to see in their PACS. PACS is a platform that stores and displays your x-rays, CT scans, all that sort of stuff. And they have obviously huge infrastructure in a hospital and healthcare environment. And the PACS had been vulnerable and the attacker had made their way into the system and started to spread ransomware through the healthcare environments. Now, that is very different. When you start to see that, you respond a lot quicker. Now, they also had an IR plan in place, and they also had escalation paths, as you would expect, because they're responding to the potential of, if this system goes down, we can't potentially monitor our prescription rates, prescription methods, we can't potentially monitor our patient notes, etc. And we did a bridge with the internal IT team, and they had some cyber individuals as well, and the healthcare provider and the SOC team that I was in at the time, and now it's about, okay, what's actually happened? But then you also have some representatives from the healthcare provider and they're updating us on what's happening on the ground. So on the ground it's things like we can't read patient notes, we can't view images, we're trying to do emergency CT scans and we can't access those. And that alone is hugely different. Even for an incident response team, it's okay, we really need to take a step back here because not only is healthcare obviously hugely monetary and financial and a day being down is a huge loss for a healthcare provider. It's more about the people behind it and the humans that are receiving the care in somewhere like that. 
In this case, the ransomware was obviously spreading through and it's not, this isn't just like a server that sits in a server room. This is a huge piece of infrastructure for diagnostics that's used on a day-to-day basis. And, um, we were able to start finding out somewhere professional what was happening, isolate some systems, block lateral traffic, the usual stuff that we would do in something like ransomware and how to contain the spread and stuff. But every minute really does matter in that instance. It does in every organization, but in something like that, it really does matter.
SPEAKER_00:So I can add some here. So I was in a previous life an imaging systems manager. So PACS, Picture Archiving and Communication System, is the system that is used to not only store data, scans, but also view them, report on them, bring up the worklists at the scanner for patients that are being scanned as well. And the implications of a PACS going down are the following. So you can't view images. If you can't view images, you can't report on those images. If you can't view images, you can't operate on a patient because oftentimes you will view the images during the operation. If you can't view the reports, you can't plan on the healthcare plan for that patient as well. And that has major implications. We're talking about cancer pathways being disrupted. There's MDTs that take place. They can't happen anymore because they are based around viewing of images and the reports related to those images. And then there's booking those scans, or even something as simple as the patient comes in for a day for the scan and they're not on the system anymore. You can't view the list of patients that you need to scan. So now you've got to fall back to other methods. You've got to look at your paper documentation, and trying to carry on without having the system in place is incredibly difficult. You are obviously going to be emotionally invested in it as responders, though seeing something like this day in and day out, it's a lot easier for us to overcome this, the emotional side. And we know that it is X, Y, and Z that we need to do. We know that we need to help keep the customer on track. Do you feel that's different when it affects healthcare? Because if I was responding to that incident, I would be effing and fleeing all over the place thinking, why the hell would... What could overcome you that you'd want to go and attack the healthcare system? Absolutely.
SPEAKER_01:I think a majority of people in those circumstances, whether you're a responder or you're actually involved in the organization or you're a patient or whatever, would absolutely feel that. But I think part of it is what we're here for and what customers are paying for is for us to put that aside and just come up with the answers. So come up with the plan, come up and help us get to a point of resolution where we're fully operational. But absolutely, I think I still remember that time and getting the call and that happened and thinking, why would anyone do that and do this? But yeah, it's not a question for the there and then. It's something to think about after. And then once you look in and you really understand attackers' mindsets and why they do what they do, there are some select groups that target industries like that. And like any attacker, I think you could talk, we could probably talk in a whole separate session around attacker mindsets and everything. And it's just, they're very different. And... There's reasons for that in terms of largely financial and also getting their name out there as to we were the ones that did X, Y, and Z and we're the ones that attacked them. And it's like we talked about earlier, that sort of proudness of it was me that got to M&S or it was me that found this vulnerability. And I guess that's why the whole incident response roles and defenders exist because it's really about trying to balance that out. Yeah. We'll never get on top of it, in my opinion, but it's about how do we stay in place. And I think, yeah, there's a time and place for the emotion, but it's not when you're in the midst of a chaotic environment and things are happening. But absolutely, initial few minutes and then into the zone and just focus on getting the job done.
SPEAKER_00:And it really highlights the importance of having an IR plan, doesn't it? Because when you get emotional, it is... oftentimes difficult to think clearly and to think, what should I do next? You know, systematically, how do we carry on with this now? And having the IR plan is just, it's nice because you've got something with set steps that you can follow and have some structure and, you know, keep focusing on what matters. Even though you are emotionally invested, it's there, you know, okay, yeah, bad this happened, they shouldn't have done this, especially in healthcare, not to say it's any different for any other businesses, but we've got a plan. Let's just stick to that and let's just carry on dealing with this piecemeal and just keep moving forward with this scenario.
SPEAKER_01:The big benefit of a plan is we roughly know what to do, but some organizations are very different. Some organizations say you can't touch this, you can't touch that, that needs approval, and the plan helps with that. So rather than in that really chaotic emotional environment trying to get an answer from someone, if it's in the plan and it's there, we just go and that's for us. So it also helps save us time in terms of, what was that server that we can't touch? What was that thing that needs board approval if you're going to lock everything down? That's all predefined whenever it's thought through versus trying to make that decision. It's like pre-canned responses. Now, they will change. In my opinion you cannot pre-can your response to every incident, but at least if you have something there around, we'll roughly say this and it's roughly what everyone agrees with, then we'll change it in the circumstances. It just means that it's not because it saves us time or being lazy; it's because we want people to understand where we're at and what we can actually release at that time. We want people to know about it in a timely, fast manner, so if we've got that there it's just a starting point to telling people about what's happened. So it's not because, let's make all these pre-canned responses because it's easy for us just to copy and paste it. We want people to really understand the position that we're in in a way that makes sense to the business and the person that we're releasing the statement to. So if that is there and predefined, everyone just gets to hear about it faster and easier.
SPEAKER_00:Right, and on to the last story. I believe this one has to do with OT, right?
SPEAKER_01:Which again, critical infrastructure, I can understand it more in terms of why attackers, when you really get into attackers' mindset, that is the sort of stuff they go for: critical infrastructure, stuff that really will make a difference, stuff that you feel like you have to pay a ransom because of what is held at the other side. And critical infrastructure is a huge thing to authorities and to some different countries. So this one was a council authority and they had some large amounts of OT infrastructure that we monitored and we started to get alerts in. So really late at night, strange readings started to flood in and off those readings, it's translated into the same in terms of OT, so operational technology, around what was starting to happen. So that doesn't give us the details of: the levels are changing, temperature sensors are changing. It's more things are being modified. This is acting differently. These sensors are performing very erratically than they usually would. That's the stuff where we would then contact the OT team, the organization. All of these sort of authorities have large OT teams to help monitor the infrastructure that's in place. And within that time period, we brought in the OT team of the council authority, and it was very close to the decision of do we close this plant or not. So we then found out together with them that there was someone changing levels of different sensors, which is huge when you think about the infrastructure behind it and what potentially could be a result or risk of that. And again, down to the decision of should we close a plant or not. Things like that affect us day to day and how we do things and the different things that we do day to day. So that is also a huge one in terms of OT technology, which is just an ever-evolving space with the advances of AI and advances of automation. OT has become at the front of a lot of organizations as well. 
Being able to help segment systems, block different traffic, understand the risks, et cetera, to public supply is hugely important. And that was what we were involved in then. So again, not a nice place to be. Public safety is hugely at the forefront of that. And we're just a bit of a piece really trying to help make sure that it doesn't go somewhere it shouldn't.
SPEAKER_00:So a little background to OT. OT is operational technology. Think of it as the hardware and software that makes these big plants run: water processing facilities, electrical facilities, so on and so forth. And a lot of this is around, yeah, if you think about it simply, it is sensors monitoring things and then hardware reacting to those readings to keep things in check. Let's say in a water treatment facility, for example, chemicals are added, say, chlorine and other chemicals, and they're added before they come to your tap for additional benefits, whatever they may be. If we looked at an OT setting where, let's just say the fluoride levels, for example, coming off of a sensor are incredibly low, what's going to happen? Well, actually, the fluoride is fine, but someone's manipulating those levels to make them low. So usually they go low. I'm going to add a bit more just to keep it within the baseline of our specs, right? What if someone goes and manipulates that fluoride level to show that it is a lot less than what it actually is? And now you're injecting more of something than should be in the water, which is going to potentially cause harm. And it means you have to cut your water supply to customers. Going back to that boiler analogy, right? You've got hot water in this case; actually, there's thousands of customers that have no water at all. And the impact of that is, it's scary to think of because it's now not just digital, it's not just data. This is having a real world impact on actual plants and physical consumables, right? 
There's plenty of stories out there as well about OTs that do, like, gas production, chemical production, and you're in this environment and it's scary because the readings being given are wrong, and the wrong mixture could result in poisoning, explosion, gas leaks. And so, yeah, it highlights the importance of incident response in OT as well. Like, it is just dialed up to the nines. You've actually got to be as quick as possible reacting to these threats.
SPEAKER_01:and I think whenever you're responding to incidents that do have an impact on public safety and do have an impact on public risk, it just heightens you that little bit more. But like any of those examples, and you said it, Jack, it's not that one company is less important than the other, or one industry is super more important and we only really care about that industry. I think what you can take from all those three different stories, of which there's many more, and lots of people, like you said, have many more stories as well from their experiences, is just that it comes from the control. So you start off with a really chaotic environment, and then you need some control. And that doesn't just come from luck or hope that control's there. It comes from the preparation. It comes from the predefined playbooks. It comes from the simulations, the rehearsal, the tabletop exercises, and back to that plan in place that you can follow and the trust in your team that we've got this. We do know how we're going to respond to this. Yes, we're not in a good place, but we knew this was going to happen at some point and we're ready for it. And I think that's the collective insight to take from those different stories. It's about how do we respond? Not to think, as you've heard many times, as have I, it'll never happen to us. We're too small, or they're not going to come for us. Why would they? We're just a small fish here in a big pond. And that's not the way to think about it.
SPEAKER_00:It's more of a case of when, not if, right?
SPEAKER_01:Yeah, exactly. And being ready as well, just having some preparation in place.
SPEAKER_00:So let's move on to the next topic. What are some challenges that either responders or organizations face when it comes to IR? I've got a very specific example here from my experiences, and that is it all comes down to readiness again. When an incident occurs, obviously, everyone is all hands on deck, right? And I've been involved as an investigator on a fair few of these, trying to figure out what's happened, what's going on right now. And oftentimes you find we have a lot of exposure to different environments. And we're talking about on-prem and cloud environments as well. So we know what normal traffic looks like. If you looked at logs for an enterprise environment, you will see that there are a lot of logs. And if you don't have the right context or the right lens on, everything can look suspicious, especially if you've not seen this activity before. And what I often found challenging was I'm carrying out an investigation, I'm trying to figure out what's going on, trying to figure out the anomalies from the normal, and then the customer's also doing the same thing. They've got an IT team and they're also investigating, because they know what's normal in their environment better than we do. But what they don't know is what's normal in an enterprise environment in general, right? So you've got lots of authentication packets going on between different servers, between AD, between users. There's just an awful amount of traffic that just happens on a day-to-day basis, which we are exposed to, but the IT team of businesses usually aren't exposed to. And so when they've got this lens on of we've been breached, we need to find suspicious activity, everything is suspicious. And that for me is the biggest challenge: investigating, but also asking the customers to see if there's anything anomalous from their side. And there is just so much noise that comes from there. And sometimes it's just like, okay, let me continue. You guys carry on, and then we'll filter through that and we'll say, okay, look, all of this stuff, brilliant findings, that's actually normal. It's just how servers talk. And you can't just say it's normal and carry on. You have to give an explanation as well, and I find that sometimes it takes up a little energy, and it's just like, you know, we know what's normal, just let us deal with that side of things. But equally, yeah, the customer wants to be helpful. I just find that a bit challenging sometimes.
SPEAKER_01:Yeah, and we look at everything with the wide lens on. So we look at things, okay, well, how has that happened before? Or we have very similar customers, for example, and we can really correlate that sort of activity too. We've seen that before. That's happened. Well, it has to be this, right? Because we've seen that. So the benefit to us is that we get to see lots of different things happen. But the challenge to an organization is they don't have the exposure that we've got. They don't have the insights, and they don't do it day to day. And I think a lot of it for them is around maybe clarity on roles and why they would even need something like this. Why would I need it? It's sort of like we talked about the small fish. But I don't need that. That's largely what I see. We've never had a breach before, okay? So if it happens, we'll deal with it then. We're all good, thanks. And then it happens. And it's not also, oh, yeah, we told you so. It's not that. It's very much: this is serious. And you do have to take it, and organizations are different. An organization of 10 people does not need to have the same setup as a 5,000-person enterprise company. It's very different. They've got very different levels of infrastructure. They've got very different numbers of people. And the response can be very different, and that's fine. It's just about having clarity on, well, yes, I know I need this, but what suits my organization and what is realistic for us? That bit's super important to me, because I think in the cyber industry, people are told they need everything. You need to have this. And of course you need that. But if you're going to have that, then take this too. And for me, I've found it's challenging when you talk to potential customers or prospects or just people in organizations that want to know more about cyber, because they've maybe been missold that before. They've been burnt in terms of you have to have everything, and if you don't have the budget for it, then don't have anything at all. And that's not the case whatsoever. You can do very simple things. You can start very small. It's about a journey. Cyber is all about, okay, doing something better than you did yesterday. So we were here yesterday. We're here today. We're going to be here in six months, and look at the maturity and the growth that we went on over that time. That to me is true cyber. It's about putting something in place rather than doing nothing at all.
SPEAKER_00:What other challenges could an organization face?
SPEAKER_01:In terms of operational challenges, if you don't have a plan in place, if you don't have an escalation path, if you have never thought about what your critical applications are, that just opens up a whole different area of, okay, let's just start from the start again. And then that wastes time, and then it takes more time for us to detect and respond appropriately to an event, whenever you don't have your understanding of what potentially could be affected, or who's downstream or upstream, and where it could have come from. And that's why we urge people to just think about what's really important for your business. I always say, so I do a lot of these tabletop exercises and simulations with customers, and I spend a lot of time trying to understand their environment, because it has to be tailored as well. It has to make sense for you. There's no point, like we said, in a 10-person organization copying an IR plan from an enterprise of 5,000 seats. It's not going to fit, and you're going to look at that and you'll just be overwhelmed, and you'll just put it in the bin and then you'll have nothing. Versus, it needs to be realistic and it needs to work for your organization. So how can we respond to X, Y, or Z? Okay, well, we would do this, and we might need some help from this partner, or we might need to rely on this other partner, but that's okay. At least we know who they are, what their contacts are. That's usually the challenge I find, in terms of people just aren't really sure who to speak to, who to get hold of, especially out of hours. In hours, you usually get someone on Teams or on Slack, or you'll message them and they might have a delayed response, but out of hours, it's wildly different. I've had so many experiences, even with managed SOC customers, where you follow an escalation path, you call them, 60 minutes later, they've got stuff running through their environment, you've got no one on the other end of the phone, and that is not a nice place to be either. So it's usually those operational challenges that I find, and it's the small things as well.
SPEAKER_00:Yeah, that's interesting, because in order to respond, you need to communicate. And if you can't communicate, it adds an interesting challenge, doesn't it? Because people are often nine to five, right? You've got a breach in the middle of the night. What if your IR plan has contacts and it turns out both of them are on annual leave or in a different country? It just adds additional pressure, doesn't it? Like, what am I supposed to do next? I can't communicate with the people I've been told to. And then you find you're just ringing anyone. Just find any number for the business and try and get through to someone, right?
SPEAKER_01:I've honestly had it before where you're looking up the company on the internet to try and find contacts, try and find an office number, try and find something that might direct you towards someone. Now, there's challenges with that. And in my opinion, that's why customer success is so important to me, because they drive the relationship with the customer, and they build up a knowledge base around the customer and who they are and who the contacts are, and they know people that maybe the SOC team don't know and the responders don't know, and then that helps. That's why I think they work so well together, because they build up this huge picture of the customer. And everyone says in cyber, oh, we're like an extension of your IT team. And most of them really aren't. But it isn't until you truly build up that picture that you really can be an extension, because it's like two colleagues, right? They have each other on their phone, or they WhatsApp each other. If we're an extension to your IT team, we need to be aware of who else is there. So who runs the place? Who's the CEO? Who's the MD? If we need to, we'll just call them, because they will truly care, and there's not going to be a, well, why did you wake me up at 8 o'clock in the morning? It's because we've seen this, and this is super important, and your two contacts are on annual leave, so point us towards someone else. That's where it becomes important in terms of having that relationship with the customer. And that makes it more difficult if you don't have a SOC provider, or you don't have maybe any technical assistance at all, for those smaller organisations as well, in terms of how do we respond to this. And they're usually the challenging ones: we're super, super small and this has happened, but we've still got actually really good business, and we've got really good revenue and really good growth ahead, but we've been affected by this, and we're at a corner where we're not sure how to move forward. And then it's about dealing with that, and you've got no telemetry, you've got no insights into their environment. That's a different side to IR. How do we quickly get something in place to really understand what's happened and get them to a better place too?
SPEAKER_00:Yeah. An interesting question pops to mind: pen testing and IR, right? I often get conflicted about this, because some businesses will let their security provider know there's a pen test happening, just look out for it, and some don't. And I think the latter is correct, don't let them know, because that's the whole point of a pen test, right? How are you going to react, or how is your environment going to react, to a security incident? And if you have a SOC, then that is a part, for all intents and purposes, it is a part of your environment. It's a part of your infrastructure. It has the ability to go and stop things from happening. What's your take on pen testers and being notified that it's happening? I mean, I can see it as a good thing for the SOC being notified. But at the same time, it's like, would we have reacted, or would the SOC have reacted, in the same way had they not known that there was a pen test going on, right?
SPEAKER_01:Yeah, I think it's an interesting one. I've come across this so, so many times over the years, to the point now where I'm not fussed. I don't mind either way. I think this answers the question, to be honest. I think at the very start of your journey in cyber, you want to know, because you feel like you need to be prepared, and you feel like the customer needs to know right away. I know that is true, but if you really are a good SOC provider and you really can provide the service you say, it shouldn't matter if you know or don't, because if that was real life and that was realistic and actually happened in the real world, it wasn't just a pen test, you're not going to know about it. So, I honestly don't mind either way. I find that some customers like to tell you, because they don't want to hear all the noise that comes out of it. They don't want the panic phone call. They don't want the tickets that are sent over, and they just want, hey, this is the IP address it's happening from. Let's talk about it after. And that's equally fine too. It's entirely a customer preference. But I think that either way, any SOC, it doesn't matter who you are, shouldn't really care what happens, because either way you should respond to it. I think if you're in the position of you have to tell me, there's probably a reason for that. And it's potentially around we're nervous that we might not find it, and then nervous about the customer's reaction. What I think is super important there as well, though, is sharing the findings. So let's make sure, let's actually learn from this too. It's a simulation in a way too, right? So we can use that as incident responders to learn from: did we find the activity that happened? If not, why not? And I think taking it as a collaborative approach to how do we then together make sure we better the system. Now, as a long-standing SOC, a lot of people maybe think differently, but that's my take on it, in that you shouldn't have to know. If the customer wants to tell you, that's fine with me. If the customer doesn't and wants to keep it secret, equally fine, because if anything, it's a bit of practice for the SOC team, right? But yeah, that comes up. Yeah, that happens.
SPEAKER_00:I have some friends that are pen testers as well, and it's an interesting conversation, because they always say, well, I've got this task, I need to pen test this environment, but your security team keeps stopping me. And it's like, well, where do you draw the line? Because the security team stopping you is a good thing, because you couldn't progress. But at the same time, the argument can be put forward, well, we're never going to know what other vulnerabilities that system poses if your security team is stopping us. And it always leads to a very interesting conversation. Yeah.
SPEAKER_01:As a SOC provider, I like to be involved in pen test conversations where possible, because it's good for us to understand that, and it's good for us to potentially be okay if the customer wants to go that little bit further and wants to maybe hypothetically think that we're not here, just to understand the impact, or really to understand the impact, of the application or the resource that they're pen testing. I think that's important too, and I'm also fine with that as well. But I like to see the findings to make sure that we're all in agreement. And it does give the customer usually some confidence and clarity that, okay, I have something in place. Because it's hard, when you don't see things happen, to really believe that it's there. And whenever you do some sort of pen test and the SOC team message you, it's a bit of a, okay, a bit of relief, in terms of, okay, they get it, they see this stuff, and then I'm fully in now, I understand.
SPEAKER_00:Yeah, I just have those intrusive thoughts. What if you're being hacked during a pen test? That's always my argument. What if that system is being hacked at the same time you're pen testing it? Would you rather we let you through, or just kill it off there and then? Oh, but that's almost impossible. Almost impossible.
SPEAKER_01:You can easily make lots of assumptions in all of cyber, but especially in things like that. It's trust and verify, I think, as well, in those sorts of circumstances. And that's hard for especially new analysts or junior analysts, or people that are sort of moving through their career in cyber that haven't. And a lot of, in my experience, I was very lucky in terms of I got very raw SOC experience in terms of IR. A lot of SOCs don't get that. A lot of SOCs that are very segmented have a team for IR, a team for response, a team for tickets, and a team for escalations, and that is very hard, when you're in somewhere like that, to get some cross-team collaboration, exposure to everything. I was very, very lucky and grateful that I got a very open SOC environment in my career, to be honest, and that gave me the exposure, and it gave me some time with these amazing people, who were some of the best incident responders I've ever seen, and to learn from them. I think it also heightens the exposure that, as a SOC analyst, you need to understand what happens in IR. You need to understand why this is the way it is, and why that firewall having that activity results in a bad thing, et cetera, and it just heightens the need for some cross-team collaboration. And there's a lot of SOCs out there that just don't have that, because operationally it's too difficult for them. They're too large. They've got too many customers, et cetera, as well.
SPEAKER_00:We've got two more points to discuss, but let's whistle through these, because we've spoken a lot and Jen's going to be swearing. Lots of editing to do, producer Jen. Okay. So let's move on to automation. We love automation here. What could the role of automation potentially be in the future when it comes to incident response, right? So there's a number of facets when it comes to IR. You've got your communications, you've got your investigations. A lot of the investigations, there's forensic analysis and all sorts that can happen as well. I think it is difficult to get into all of those areas. But if we just thought of it briefly, how could automation help incident response in the future?
SPEAKER_01:I think we've definitely got a lot better, and people are more receptive to using automation in IR. So IR, and understandably, IR is the time where you want a person, in my opinion. And I am in full agreement with that. It's the time where you don't want to speak to a bot or a piece of AI. It's where you want someone with really good experience that knows what they're doing, that can manage the stakeholder communication. But I think what it could be improved with is enabling that person, or those sets of individuals, to get the information they need faster. And that's where automation comes in. And I know we're on CPI, Jack, about this and always have been, but we want to use the automation and the AI to be able to then enable those incident responders to understand what gets rid of the problem faster. Tell me what is, help me understand the vector that it got through. Help me understand the attacker's mindset: why they did this, what have they done before, who else have they attacked, have they been involved in this industry. So many questions that go through your head whenever you're trying to triage an incident. Any incident responder will do a very similar thing, but because it is quite repetitive, there's lots of opportunities for automation to take over in different ways. And I think there's different levels of IR, right? There's something like ransomware, which is really up there. But then there's something like a BEC, a business email compromise, where you can automate most of that, and you don't really need constant communication. It doesn't need to be a huge board-level thing at that point, as long as it stops there and it doesn't spread. But so I think the containment, the eradication, the recovery, those steps are where everyone just focuses on. And rightly so, in terms of how we can automate the response, how we can automate the way that we isolate a device, how we decide which device gets isolated, and a lot of that is severity. But then I think the other aspect to it is, like we mentioned, enabling the incident responders. So in the detection and analysis phase, how can we do all that quicker? How can we give the incident responders and SOC teams that data and that information, and even the context, and potentially make the decision for them and hand it to them to maybe verify
SPEAKER_02:yeah
SPEAKER_01:especially on the larger incidents, so that things are just done so much faster. Customers get to hear about what's happened to their environment quicker, and there's just that bit of confidence brought around a very chaotic bridge or war room. That's my thoughts on it. What's your thoughts as well?
SPEAKER_00:Yeah, so I guess it's not automation in the traditional sense, but tooling to carry out the steps that would be carried out, just a lot quicker, right? So when it comes to disabling workstations or isolating them or getting logs, you can certainly write tools that you can just pop a machine ID into, and it'll go, you know, here's your actions. Listen, what do you want to do? Bang, bang, bang, done. As opposed to having to navigate to the correct portal and find the machine, or a list of machines even, that you're going to carry out the same action on. So tools to help with that. I think we're also, insert a sponsor for anyone, because incidents that occur are wildly different. But having been involved in a number of investigations, also on forensic evidence courses and stuff like that as well, there is actually a trend and a pattern that you follow when it comes to carrying out your investigation. So you are actually, a lot of the time, going and doing the same investigations. The outcomes of that and how you interpret that are wildly different. But the investigations that you do and the things that you look for are often the same or very similar, at least until you get to a pivot point, and then you're like, okay, now I know I have to concentrate on this. And that's where maybe the tooling can't really help as much, because that's where the scenarios change wildly. But there are things where we could make automation or tooling that can make those steps easier. Go and carry out a bunch of actions on a bunch of machines, or go find the activity that is uncommon. For example, here's a bunch of logs. Find stuff that is uncommon from here. That can help you start your investigation. I feel like, yeah, those tools would help. For a seasoned responder, it's a, let's take five to 10 minutes, you're given the right tooling to find those events that are juicy, and that can start the proper investigation, right? The pivot points and stuff like that.
And so why can't we make tooling and automation that can help just identify these things quicker for them, carry out the actions they need to do quicker for them? Communication, different story. You know, that's all different. But why can't we use automation to aid in keeping that communication structure as up to date as possible as well, right? You have an IR plan. It's got contacts on it. People leave, people move around often. And so how often are you updating your IR plan? That's a big question. How often are you updating the contacts? You could use automation to just poke the customer once a quarter to say, hey, just letting you know you've got these people down. If you want to update them, just click here. And that could result in a conversation with the CSM, or a portal where they can go and manage these things themselves as well, right? So I guess it extends beyond the scope of just IR, but you could really use the tool to impact IR, but also readiness and preparedness and the IR plan itself as well.
SPEAKER_01:Absolutely. And I think even, I hope that's amazing, and some of the stuff there, I guess, makes me think of things like when you're in a war room and you're taking things like situation updates or incident logs. That takes time, and it takes, you know, you really have to be in the zone to make sure you're really having clarity on what's happening next, what time was that at, who did that, and those sorts of minutes, as such. Even having a helping hand with those becomes really important if you're passing on to a forensic party or you're going to a regulatory body. So they will want to have a record of that sort of information, and maybe having some help with automation and AI to maybe take your minute notes and help fill in your situation updates and file it into your portal and make sure it's there, and who did what and who was involved and what the roles were, and link it back to the IR plan and the contact list and the escalation chain. But I think you're right, in terms of it's not about replacing these seasoned defenders. It's about giving them time and enabling them to do the stuff that really matters, and the stuff that they can do, with automation doing everything else a lot faster.
SPEAKER_00:So let's think of this from the lens of a new business, right? We have a business. It is growing at a rapid pace. They've got an online presence. They've got a lot of infrastructure, or minimal, but they've got an online presence, right? If you are this business and you're starting from scratch, how would you build a functional incident response plan? And let's consider things like BCP and DR as part of the IR plan as well. What would be the best approach, or the things to consider at least, when it comes to building an IR plan?
SPEAKER_01:Yeah, that's a great question. And I think start with the basics. I am a huge advocate for be realistic about what it is you're trying to do, and if you don't have an IR plan, you're starting from scratch. So first of all, start with the basics. Don't overcomplicate it, and it doesn't need to be perfect. It just needs to be usable for your organization, for the incidents that you potentially might come up against. I think I would focus it, if I was building one from scratch, on five, six sort of key areas, and follow a framework like NIST or SANS. So for example, detection and analysis. I would ask myself questions like, how do I know something bad has happened? How do I make sure that alerts are coming from the right place? How do I make sure that I've got some sort of logging in place, so I know when something's happened? Otherwise, you'll have to be told about it. So detection and analysis is very much a, is this actually an incident? Is it an event? Is it just something that's happened? Or is this actually an incident? Is this something that's now taking place? How do I know about that? Where could I hear about it? Could it be through my supply chain? Could it be through my customers? Could it be through my employees? Could it be through a technical partner? Thinking of a bit of an incident activation. So where does it activate, or where does your incident potentially start from? So that's the first thing I would start off with and ask myself those questions. Very simply, in a Word document: detection and analysis, how do I really know something's happened? Where could I hear it from? Is someone watching those areas? Or do I maybe need some other help? Then in terms of things like containment. So we've now confirmed something has happened. How do I limit how far that goes? How do I contain it? Ask yourself those questions. And can I isolate a device? Do I need to get approval for that? Can I shut a user account down really quickly if I need to? Do I need to go to the board? Do I need to go to the CISO? Do I need to go to the COO? Whoever makes those decisions, build a flow, build something out very simply in a document under the containment stage. Who is authorized to make these calls? Is it me, or is it someone else? Have the contact information there. Understand what the roles and responsibilities are. Then move on to eradication. So, something's happened. I've now become aware of it. I've now confirmed that it's happening. How do I get rid of it? So how do I make sure that attacker is not in my environment anymore? So do I need to restore from backups? Do I need to patch a vulnerability? Do I need to wipe an endpoint, for example? Then recovery. So how do I bring something back up to an operational state again safely? So is there, like you mentioned, Jack, is there business continuity steps that need to take place here? Is there other plans that I need to integrate with? But how do I make sure that I'm back at a known state? What does that include? And then the last step is lessons learned. So after everything that's happened, could we have done something better? What didn't go right? What did go right? Who didn't maybe know the roles or responsibilities? What is our feedback loop to make sure that we have real resilience in our IR plan? That's it. That's a very, that's a very basic one. But if you have something like that, in my opinion, you're miles ahead of other organizations, and it gives you a starting point.
SPEAKER_00:Is there anything or any help that businesses can get to help shape their plan or test their plan?
SPEAKER_01:There's lots of different providers out there, if you want to go the step further. So, we just went through the basics, right? That is some very, very simple steps as to how you could build a plan. Go and integrate. So I spend a lot of time sitting with customers, for example, understanding their business. We go through some: tell me about your business. What does it do? How does it do that? Et cetera, et cetera, et cetera. Really, really understand the nitty-gritty details and then formulate a plan for you. And let's build it together, in terms of what does that approach look like? Do you agree with what I put there? Does that scenario make sense for you and your business? And tailor it. And then let's test it. So really it's who does what, to identify in a crisis, who really does what. Map out your top three risks. So what are you likely to face? If you're in X industry, I'm probably going to be most susceptible to this, that, or the other. What are your critical applications? So what does your organization really use that, if that went down, you're not operational anymore? And then just test it. Sit down in a room. It can be very simple. You can go and do full-blown tabletop exercises like we do, or you can sit down in a room with the people in there that do things in a crisis in your organization and just ask them the question: we've just been breached, what happens now? That alone will start to formulate so much in terms of ideas and gaps, especially if this is your first time doing it. But that's fine. How do we now improve from this? How do we maybe go back to that very simplistic and basic IR plan and just start to add things in? Okay, well, we realized actually the containment has to be done by this person, or by this team, or in this way. We'll put that in your IR plan there and detail it, put contact information in. That's, in my opinion, just as simple as it needs to be. You can go and obviously get people to help you out and do all that sort of stuff. And there's value in that, but it really depends on what a customer is looking for.
SPEAKER_00:I love that. I just want to, right now, just get around the room, lock a bunch of people in it, pen and paper. We've been breached. What are we going to do? Come on, guys, let's go.
SPEAKER_01:You'll get so much value from that, so much more value than having no conversation at all, waiting until the day it happens and everybody being chaotic. And yeah, everyone should try that.
SPEAKER_00:Thanks, Connor, for your time. Some brilliant stories you've shared there and some amazing tips as well. I'm sure the listeners will benefit hugely from this.
SPEAKER_01:Thanks, Jack, for being a fantastic host. It was an absolute pleasure.
SPEAKER_00:Well, that's a wrap for today's episode on incident response. Thanks for tuning in. A huge thanks to Connor for the stories, strategies and clarity on what it really takes to stay composed and effective during an incident. From life-threatening healthcare disruptions to tampered infrastructure in OT environments, preparation is everything. If you're just getting started with IR planning, or you've got gaps to fill, remember: start simple. Think detection, containment, recovery and communication, and never underestimate the power of a tabletop exercise. If this episode sparked ideas, questions or aha moments, we'd love to hear them. Reach out through our website at www.cloudguard.ai. That's www.cloudguard.ai. Or find us on social. Links are available in the show notes. Until next time.