So first we're going to do introductions. We're with Apollo information Systems. I'm Andy Bennett. I've got with me JT, Jeremy Thompson. And we're going to be talking about some perspectives on incident response, mostly from a leadership perspective. This is not a nitty gritty technical incident response talk. This is about trends we've seen from at the high level, at the management level. Be on the lookout in the future for more technical talks if you're after those as well, and we'll make sure that we put those out for you. JT, give us a little background about yourself. Yeah, so, thanks. Jeremy Thompson, go by JT. I'm the director of instant response for Apollo right now. Had a lot of clients this year, and that's what this slide was basically built off of. Before that, I did a short couple decades stint in the air Force, starting with it and ending in cyber operations, working for Cybercom, doing cool stuff that is now in the news. So it's been a lot. It was a lot of fun. That time was over, and now I'm out here helping the civilians as a civilian. So we'll go with that. That's a good way to put it. Yeah. We are keeping this green fully, fully, fully shareable in the community here. So what I like to say is, I used to be with the government, and now I'm here to help. That's not to say the government doesn't do good work, because we absolutely did do good work, and the people who are still serving in government in all capacities are doing the same. But don't let the truth get in the way of a good joke. So I used to be with the government. Now I'm here to help. I've been doing incident response since 2003 in one capacity or another. I'm most well known for the largest attack against local government in us history, which was the attack against 23 municipalities in Texas back in 2019. I was the incident commander for that effort and also wrote the foundational draft of the statewide incident response plan that led to the successful, uh, response to that incident. And unlike a whole lot of other, uh, people who got hit that year and the following year, we paid nothing in ransom. And instead of having millions in damages, it cost us about $300,000 in total costs to push those guys back. But I've also worked hundreds of ransomware cases and other cyber incidents. I've helped counties, school districts, cities, smaller municipalities, quasi governmentals, county appraisal districts, national brands that you have 100% heard of, and also international high tech manufacturers that you probably have. Not the largest, most impactful incident I've ever worked. I worked with JT, and it wasn't the 23 in Texas. It was an international incident that the downstream effects of which were felt in the GDP to the tune of $250 billion. And so been around the block and we've seen some, some trends that have emerged over time and things that people need to be aware of. There are many wrong ways to do this, and there's only one shared factor across every incident I've ever worked, and that is that bad guys do bad things. Right up front, I want to dispel this whole myth that if you get hit, it's your fault. It's no more your fault. If you leave your keys in your car to go into the gas station and somebody steals your car, they still stole your car. Should you have probably taken your keys? Yes. Did the criminal still do a bad thing? Yes. Are you still a victim? Yes. Now, I want to put the victim mindset out and give you some with JT, some angles on how to not be a victim and the things to consider from a leadership perspective and what you're going to run into through the anatomy of an incident. So let's go to the next slide. Check out the agenda. Sure. There we go. As we said, this is the leadership perspectives on incident response. We're going to cover containment, exfiltration, restoration of operations. But the thing that so many people hang their hat on is cyber insurance. And JT is going to talk a lot about the considerations around cyber insurance, how you can know if you're set up for success or failure right up front, which means you can then either keep going the way you're going or adjust. And then we'll highlight some best practices and move into questions. JT, take it away, man. All right, thanks, Andy. So, yeah, let's get started. So the first thing we're going to talk about is these leadership perspectives. And as I've done incidents, and as Andy's done incidents, we've seen different types of executive leaders or team leaders that have either hindered, honestly or very much helped move through an incident in a good way so that the organizations recover successfully. That's kind of the entire focus of this, as Andy said. Right, you're a victim, but let's move out of that. Let's take some authority over it. Let's take some ownership. And as a leader, either a technical leader in a team or an executive leader, here's what we've seen throughout the incidents for the past couple of years. So first there's the everything is good guy, right? You're Michael Scott. Happy to be here. Everything's going well. They just assume things are good. They don't ask hard questions, they're not getting into the details. Or, and the other part here is maybe that's not the point of that executive. That executive also hasn't built a team to do those things, to ask those hard questions or give them those details and explain it to them in a way that makes sense. This is somebody that's collecting a paycheck, loves the business travel, right, and just doesn't really take any ownership of the cybersecurity of the organization they're in. And that's our. Everything is good. That's our ignorant bliss person, right? Just kind of there taking up space, but wants to be the leader, you know, when it hits the fan or there's time for a decision, or if there's decision authority that needs to get made, the next one we'll call it willful disregard. And we've all, I'm sure we've all had to deal with individuals like this in our working lives, right? These are the one, the individuals that delegate everything but don't delegate any authority with it. They don't delegate any. They delegate the responsibility but not the power to affect change. Right? So we've seen this in a couple incidents where there's a CIO that appoints a CSO, but that CISO has no budget, has no team, has no tools, but they're expected to perform all the functions of a system. And that is an. It can delve into a talking environment. That's just a very hard environment to work in. And when a crisis hits, like an incident, it's a very hard time to respond effectively and restore in a good manner. That's the rule for disregard. And we have the last one, which is steady progress, which I think is the right way to look at cybersecurity in today's day and age. You're never going to just install a firewall and be good. There's always steady progress to move forward, either in a vulnerability management program, in policy and procedure documentation. There's always things to do moving forward. And this individual has empowered the team. Right. They've gone, they've built a team around them that works and they've allowed them, one to attempt things and fail. Right. And documented that failure and move back from that failure, but to keep those conversations going and to make sure that there isn't. Oh, sales is only sales, and sales doesn't have to worry about the cybersecurity stuff. That's only for the it folks right there. Look at this as a communications leader and a team, a team builder that moves the cybersecurity journey forward. So I like to go ahead. I like to add some, some flavor, Andy, flavor there. The first guy is it can't happen to me. Second guy says, it's not me if it does happen. And the last one just wants to be ready when it happens. Yeah, that's a really good way to put it. Thanks, Andy. So, and as we've done ransomware events, if you've had an incident, you're going to see these two popping up more and more, especially in probably the next decade. Right. Versus insurance, that's kind of a cornerstone of this conversation as well, of, you know, what does that look like for insurance? What is insurance care before an incident? If you have insurance, they may ask for proof of a cybersecurity posture in the incidents that we've dealt with. Most, not all, but most of these are self reported controls, self reported policies, and self reported procedures. Do you do domain purging and you just say yes? Right. Some firms do require evidence of that, but generally there's not like an ongoing risk review that the insurance firm cares about until the policy is due again. Risks are underreported because it's not in the policyholders best interest to be 100% honest of where all the bad is. I know I have, honestly. But it's a good example. I've forgotten to tell my car insurance folks when I've gotten speeding tickets and they remind me when my renewal comes up and they find out. So it's kind of the same, it's the same scenario there. And then the other part for insurance before an incident is, timelines are generally understated. Right. They'll say, we will get to you within 24 to 48 hours. Okay, well, 24 hours, the minimum is probably not where they're going to meet you. In our experience, that's not where it's at. It's usually at that 48 hours minute mark. And it's just in their interest to write it that way. Right. That gives them more time. And then certifications provided by an audit are generally, like I said, time and place only. So if you go to an insurance company with a, you know, SoC audit or CMMC or something else, that's for that point in time, right. Until it comes up again. It's not an ongoing, continuous thing. So insurance is very much not a lever or framework that is going to guarantee that you have a good cybersecurity response in case there's an incident or some other kind of procedure. And then government. Right. So government is, this is acting weird. Sorry. You know, government is limited by the regulations that are in place. Right. They can only do what is required. And the government, for the most part, just is not concerned with your prep ahead of time. They have started to, and we've had this, which has been really excellent. FBI, Secret Service, other organizations are now reaching out to compromised or which has happened this year, soon to be compromised or soon to be impacted. Organizations that are already compromised to provide warnings, technical data on what the threat actor may have done and other assistance. But they're not going to help you get your environment prepared. They're like, oh, you now have a virus. Here's what that virus is going to do unless you do something right. So they are starting to look more executive liability. We'll talk about that some with the SEC's ruling for material breaches, which comes in right there. There is some discussion about what that means and there's some politics around it, but that's supposed to take effect day after tomorrow. So. And then the other piece outside of the SEC, of course, is the state by state rules. Andy knows the Texas rules really, really well. So if there's questions on that, and Andy can provide some flavor. As far as before an incident, you know, you have to keep abreast of where your customers are at and what their states require as far as preparatory, you know, your preparatory steps for an incident. Andy, do you have anything on these? Absolutely. Well, first we had a question that I think is relevant right now. Darren asked, do you agree that cyber insurers are typically looking for mean time to innocence slash to limit their financial exposure? They absolutely are looking to limit their financial exposure. Meantime, to innocence. I usually associate with network teams, no shade, but meantime to innocence is you always blame the network team. So they're looking for mean time to innocence, but they, the insurance guys are absolutely looking for, for example, JT's reference of not telling them if you got a speeding ticket. If you know that you are at material risk, you have 65,000 vulnerabilities and half of them are critical and they were all patchable, et cetera, et cetera, and you just didn't do it. When they find out they're going to not pay. Right, because you didn't do the bare minimum that you were supposed to do or even put in the effort you should do. And they're absolutely looking for reasons not to pay if you haven't followed the, held up your end of the agreement. Now, if you have, they're stuck. Because that's how insurance works. Just like when you have a car accident, as long as you didn't like, and possibly depending on your coverage, even if you did intentionally run the thing into a wall at 40 miles an hour, they're going to pay for the accident. The SEC rules, we will dig into those a little more farther down. But the SEC rules that go into effect in a couple days are new. They establish a four business day time frame for the reporting to the SEC via an eight k for publicly traded entities as the new requirement. And it sets this nebulous standard of materiality. And I will tell you that it's not going to be good enough for those of you who will fall under this or a similar future reporting requirement. To have a determination formula for materiality after you've had an incident, you have to determine, you need to have considered what a material breach would look like for you and your organization before you have one to be able to have something to fall back on. And then there's reporting requirements from state to state. Texas, for example, if you have a breach, no matter what type of entity you are, if you have a breach under the law in Texas that impacts 250 or more Texans personally identifiable information, then it has to be reported to the Texas attorney general. And they recently stood up a portal for those reports. Awesome. Thank you, Andy. Yeah, we'll dig into those more as well. So you have an incident site. You know, it's a ransomware, somebody's just stolen your ip. It's an insider threat that's decided, you know, decided to delete your entire domain, whatever your incident is, right. It may not even be a threat actor, right. It could be a bad patch that's taken down your entire network. But we'll focus more on threat actors here because that's more fun for me. So first we get back to our ignorant bliss guy, right? They don't know what to do, right? They're Joffrey, just around screaming at people that they're the king and they need to make the decision, but they haven't done the hard work ahead of time to figure out what their environment is or to build the team that does that and advises them correctly, constantly blaming others for the situation and constantly playing catch up. It really, really extends the timeline to get through the phases of an incident, right. To get through containment, to get through eradication. Because those decision points, we've had incidents where I've said, okay, we are now in containment, right? We're moving along. It's taken a while, weeks actually, to get through containment. And we are at a point to where we are ready to start restoring your business operations. What is your critical path? What is your critical functions that we need to return? And they don't know that's a problem, right? That's, that's somebody that is, again, just ignorant bliss and they've got to go figure it out then. And you don't want to do it when half your network's encrypted. So that's your ignorant bliss person. So your other leader here we get back to is the willful disregard and Searcy's perfect example of this. Right? Blame someone. Right? And this blame goes, I'll say, well above the blame. The ignorant bliss person does everything. Every failure is somebody else's fault. They inject a lot of toxicity into the meetings, into the emails. There's a lot of anger, there's a lot of frustration that takes place with this type of leader that makes it very hard to communicate. Either they're yelling during meetings or they're being sarcastic. And I'm describing the person. But that attitude overall will filter throughout the entire incident and significantly reduce the ability to address what the decisions that are required to restore from an option. Those decision points like we talked about, don't turn into what's good for the organization. Don't turn into, hey, how can we grow from this and move forward? It's generally face saving activities. How do I not look bad? How do I keep my job? How do I get rid of whoever I want to get rid of and the whole strategic opportunity, which sounds very weird to say in an incident there often, there's always opportunities in crisis, good opportunities, I might add, are lost, to be frankly, honest. And then your steady progress. Right. Tyrion's great collaborate is a good way to look at it. He's definitely not going to win a battle against the mountain or anything like that. But there's a very collaborative approach to restoral. Right? There's really not a discussion of failure. There's not a discussion of failure or blame. Upfront decisions are informed because one, either the individual already knows or, and I want to keep coming back to this, right. You don't have to be a technical expert, but you build a team that can inform you or can inform your boss or whoever that would be on the decisions they need to make so they can make those risk decisions, those strategic decisions to recover from the incident in a way that leverages whatever opportunities you may have. And again, there's failures. There's always going to be failures in an incident. I've had incidents where somebody's deleted logs from the machine. We were just talking about pulling, and it was an accident. Guy had been up for 36 hours and fat fingered some commands or deleted some things he shouldn't have deleted. The logs were gone. And that was a learning environment. That was a collaborative environment. He owned up to it, and there was a discussion, but it wasn't, oh, this guy's terrible. Look, now we've lost all this information. It was, how do we find a way around this and work together? And that incident resolved very, very quickly. That was for a hospital. So that's kind of the way to think during incident of these three leadership types that we've seen and what the incident response is like under those incident types. Andy, did you have anything you wanted to add for these? Andy's network has crashed and he will be joining back as soon as he can. All right, well, we will proceed and if he. He will definitely have input and we'll go from there. Thanks, Mark. Okay, go to the next slide. Okay, so we've talked about the three leadership types we've seen. Now let's talk about the changes that we're seeing from insurance and government. We'll talk about vendors here a little bit as well, though. They're not on the slide. Right. I forget that individual who asked, but yeah, insurance asked, how do we pay as little as possible. Right. I've been on the calls with a client when they're talking with their insurance company about, hey, are you guys going to pay for this or that? And you can, I mean, you don't hear the rustling of papers anymore because it's all online. But you can you just hear the pregnant pause while they're searching through the policy to figure out if that is or isn't covered. What will happen during an incident with your insurance company? So the insurance company will call a law firm, and that law firm will then hire a incident response firm. Now, the thing to think here is that law firm doesn't work for you. They work for the insurance company. And we've seen this time and again where there's been a few times where the incident response report doesn't get sent to the client. It just gets sent to the insurance company, and the client has to ask the insurance company for it, which is interesting way to do things. But that insurance company doesn't work for you, right? That law firm doesn't work for you. They're there to advise the insurance company to keep everything under privilege for litigation and to make sure that the policy is executed as cheaply as possible. That's not to say don't bring in good IR farms, it's just the focus of that is to fulfill the insurance policies function. That is not to make sure that you respond and recover from the incident quickly. They will do a policy review and we've seen this where somebody will attest to, we are using a modern EDR in our environment and the incident happens. And that modern EDR is the base level install of Microsoft defender that is probably going to get flagged for an issue, for example. And then they do take a long time to respond. Right. And it feels, even though it may only be four or 5 hours, obviously, for them to call you back on the initial call, they do have that time. They got to hire a law firm. That law firm has to hire an incident response firm. There's paperwork that takes place. Right. And it's going to feel even longer when you're in the middle of an incident. So just keep that in mind during an incident and they could be great partners and you could have a good insurance firm. I'm obviously not saying they're all bad. So let's talk about the government side. So there's really limited regulatory guidance during an incident on what the government is going to do. The SEC is starting to mandate those requirements. Like Andy mentioned with the eight k and four day, four business day for material breaches. What is a material breach? That's for you to decide and preferably before the incident itself. You can contact FBI, state and local law enforcement, the Secret Service maybe as well, and they can assist a little bit. But keep in mind what their job is. Right. You know, once the data is turned over to them, they're not going to update you. They're doing an investigation into the bad guys. They're not here to help you help you respond. And remember, their overall goal for the government is not to return you to operations. It's whatever their mission statement is. And the mission statement for the FBI, the Secret Service isn't, you know, help Apollo recover from an incident. Right. Is to catch bad guys, blue collar, white collar, threat actors or other. So I've got a little. You're back. I'm back, yes. We'll see how long I stay. Apparently they're jacking not just with my, my landline, but also the infrastructure that runs the cell towers in my area. So fantastic timing, which is why you have two people, everything. So the banks know all of this, by the way. They know that it can take a couple days for your insurance company to respond. They know the FBI is going to come into the picture potentially. They know all of these things. They, depending on where they are in the world and who are part of their network, they attend webinars like this. It happens. So I have seen ransom demands where you have 48 hours to pay this ransom or it's off the table. And they typically mean it when they say it. And they know that because that's how they do that, not, they know that they do that because that's how long it takes your insurance company to get engaged in some places. And so they're not interested in getting jerked around. And they want to have as much pressure on the insurance company and you to pay when the timeframes line up as possible. So it takes a day to get the law firm engaged, the law firm that only has 24 hours left in the ransom demand to decide whether, with the client, whether or not it's, they're going to pay or not. And it's all about amping up the pressure and then to pile on to JT's commentary about the FBI, the ransomware incident of the 23 entities in Texas in 2019, the municipalities, the FBI came in at their evidence worked with us and we coordinated to make sure they got what they needed because we wanted to see somebody go to jail at some point. And it took years. I had already left the government, been back in the private sector for a couple of years when I got an email saying, you should check out this Department of Justice announcement. And that Department of Justice announcement was a couple of my bad guys from that incident in 2019 had finally, in 2022, I think it was, been captured and brought to justice. And that's only part of the group. And there's still, one of them is still awaiting extradition in Poland, last I checked, because I do follow up on it. It's not swift. You're not going to get any kind of catharsis out of the FBI's involvement, but do know that they don't stop working. Yeah. Thank you. All right, so let's talk after an incident. So you've gone through it, you're recovering. What does that look like? So obviously the first, it's the children that are wrong. If you get that skinner meme right, ignorant bliss. They don't know what the entire impact is. They didn't do the work upfront. They don't have the team up front to tell you. Oh, being encrypted for two weeks means this much money is gone. Or maybe they may know that, but they don't understand what the long term effects are. That for the business itself, not just for stockholders, but for your employees, that's something that's often overlooked. You got to issue laptops to 300 new employees. That's hitting a couple different work lines. You know, this is usually a severe impact just because there's no grasp overall over the infrastructure and the requirements necessary to recover from an incident. And, you know, ignorant bliss. Was I wrong? No. No, I wasn't wrong. We did okay. Right? Somebody else caused this. It was threat actors. Nothing I could have done. It's just the way it is. So for willful disregard, right. This is an extreme, at minimum, severe business impact, if not extreme business impact. And we've had a couple clients that have gone through this. Right? And it's not for this one in particular. It's not just to the business, it's not just to the bottom line, but you will see it inside the organization's personnel as well. We're seeing this with a large client that we had. They've had folks that have had heart attacks, multiple heart attacks, actually. People have fallen and just from being tired and distracted and hurt themselves. A lot of resignations, like entire teams resigning, happens in this Wolfville disregard side. Right. And that's just the personnel. So you come out of an incident, you've got recommendations, you've got things you need to do to recover. Now you don't have the people for it, and the technical items just don't get addressed, period, for various reasons. Right. Either you don't have the people, you obviously don't have the morale motivation anymore. And any. Any fixes that are suggested generally die in the process bureaucracy of the organization. And finally, a steady progress. Right. We talked about this as a collaborative individual. Build a team around them. If they don't know, asks really hard questions, allows failure, you know, appropriate failure, and it really speeds the restoral and recovery process. We've seen this a few times where, you know, having people in a meeting when you're talking about an incident, scared to bring things up that may be pertinent to the incident is a hallmark of these first two items, of these first two individuals in leadership styles. It's not a hallmark of this last one. Right. People being willing to speak up because they know they're not going to get their head cut off is a really great place to be in the middle of an incident because you're going to fix more problems that way. Okay, then. That's for those. Yeah, I'd like to jump in. Leave it on this page because these are great graphics. There's so many of us who would like to think that we are part of the steady progress crowd. After the incident is when we find out which crowd we were actually in, because there's a whole lot of challenge across cybersecurity to actually function as a business partner and with a full understanding of the business. And we can, through our own ignorance of how the business works, remain in the first bucket no matter how hard we want to be making steady progress. And so you got to take a step back and make sure that you actually understand the business impacts, not just the system impacts, to make sure that you are not part of the ignorant bliss crowd. Just as the sales team or the manufacturing team or the policy team or whatever other team you might have has an obligation to security, we as cybersecurity professionals have an obligation to the business. And if we don't take that obligation personally and learn the business we support to be a part of it, we're stuck in that first box no matter how much work we do to make steady progress. Yep. Yep. Thanks, Andy. And that's what I said in the beginning. Right? The Andy just foot stomped it. Great. That steady progress person is going to sales, talking to sales and going and talking to the other business units and getting buy in. So thanks. All right, so this should say after the incident, but we'll fix that in post. We'll get AI to do it. So for insurance. Right. So they're, they're going to do a review. Right. You've now had an incident. It's the same thing as when you get an accident in your car. Hey, are these rates going to go up? Is the, you know, maybe there's a three, four, six months follow up. Did you implement the findings? The incident response team and the incident response team report required they may drop you after paying out as well. We've seen that also. That is something that happens. And the other thing to focus on here is they may not pay for all the activities related to the incident. We've had. We've had some where there's been a ransomware incident and the owner, you know, wanted all the, you know, all the endpoints got ransomed bad enough to where they wouldn't work anymore. They needed to replace them. And the owner's like, great, we're going to replace them. You know, these machines were three years old. We're getting modern machines. The insurance company was like, oh, no, like, we pay for where they were at that moment in time, right? Equal capability, maybe slightly better, but we're not, you know, we're not buying new gaming machines or anything like that for the users, so keep that in mind. And then, like I said, their upgrades and additional services are likely not to be covered through the insurance. So you have to be really careful working with the instant response team or the vendors that you bring on, even for us of, you know, asking for, let's say you ask for us to do, you know, a scan of an environment that wasn't necessarily impacted by the incident. The insurance company may not cover that because it's not related to the incident that was insured at the moment. So there may be additional auditor's fees that come out as part of the incident, either through solidifying your position for a new policy or if you already had a certification. They may want, the auditors may want to review that which we are seeing through some of our clients right now. And then, you know, insurance may or may not engage with law enforcement if there's some type of fraud. So just keep that in mind as well. And then, so after the incident, for government. Right. We've talked about the SEC. You've got four days for material breach on an eight k. The FTC is also starting to leverage some regulatory authority here, not nearly as heavily or as advanced as the SEC's is. They've so far prosecuted the CEO of drizly under some of the new regulations that they are bringing forward. But the SEC is the one to really keep in mind. The other one is ransomware payment scrutiny. And this has come into a much more heated focus since Russia's invasion of Ukraine. Right. And a whole lot of the organizations are getting tied more and more to the russian state, and the, those are sanctioned. And there has been a lot of discussion amongst our clients about, hey, should we pay? Should we not pay? And you really, you don't want to get put into a spot where you're having to make a decision because you didn't prepare ahead of time of if you're going to pay a state sanctioned threat actor because you can't recover. It's a really legally tenuous place to be and it's not a good conversation to have. And then FBI and DHs are basically the same. The DHS and CISA provide. DHS and CISA specifically provide a lot of services that can help if you're part of the individual isacs that they support. And they do have assistance there. Andy, do you have anything on this one? Sure. I would say that to sum up the insurance side, things that you should have already been doing, like patching or like upgrading. Oh, we lost him again. All right, he's probably going to pack. Come back on in the middle of saying something. So we will proceed. Am I back? You're back. Yeah. It'd probably be better if you turn off your camera. I will turn off my camera. I'm not sure it actually makes a difference. It looks like it's hard resetting, so I will not be covered. And you're going to end up with regulatory audits and scrutiny regardless of what you do. And I can see that I'm lagging, so keep going. Okay. All right, so let's talk about perspectives and considerations through the incident response process. We're not going to hit every facet, but just the ones that are pertinent to the leadership and the insurance piece that we're talking about. So these are the different areas that the incident response process breaks down. You'll see some firms say, oh, there's six or there's seven, or there's less. But generally you've got your preparation, your detection, your containment, eradication, recovery. We put Apollo at the top. That could be any vendor, but it's our webinar, so we're your vendor, hopefully. And it breaks down into these individual roles where each one of these entities really has a part to play in this preparation piece. Right. So if you've already hired Apollo, our job in the preparation piece is to harden the environment. If you've got CiSO services to develop that policy and procedure, all of that. But you'll see insurance and government, there's parts there where there's no role. They have nothing to do. Insurance doesn't do anything with detection. Government doesn't do anything with eradication. Right. That's not. They may provide you information about where to eradicate, but they're not going to be hands on keyboards or in the calls with you helping getting them done. And then, like vendors, other, you know, sales, sales. Vendors are sales all the way throughout. I'm not a salesperson, but I know a few. And then the last one that a lot gets forgotten, even in the tabletops that we run, is the pr side. What is the public relations side of an incident? With the growing regulatory environment, four days to report to the SEC is four days. I would. Is four days from the start of an incident. Right. You get called at 01:00 in the morning, things are ransomed. You now have four business days. You know, if that's a Monday, you've got to have the report in to the SEC by Thursday. When are you going to tell your customers? When are you going to tell your vendors? When are you going to tell your partners? What does that message look like? Should that message come out before or after you do the announcement to the s? You know, you do the notification to the SEC. What if those messages don't agree with each other in time? So those are different areas to think where each one of these entities has to play it through the lifecycle process. And legal is the other one. Right. Advisory, alignment with regulations and then the end there, recovery regulation and litigation prep. It's always litigation prep. Even if there's very little chance of being sued, you still have to prepare for it and all the privilege and other issues that go on with that. So next slide. There we are. So containment, right? So this is the first one, when you go into it, you go into one of either one of those three leaders, right. Is a threat actor still in the environment? Right? What does that look like? Can they wreak further havoc? You know, these days with the ransomware, it's big business, right? It's, you're going to, Walmart is the same thing as somebody ransomware and you, they want to get in, they want to ransom, they want to, they want to steal data. Maybe that's not happening as much, but it still happens. They want to ransom, they want to drop the note, they want to get paid in and out. Right. But you know, every now and again, if you have an insider threat, which you've seen, you know, can they wreak further havoc? Right? Is the data intellectual property still at risk? Is there still a threat of more data getting lost or is it out on the dark web already? Like, how long do we have to pay the ransom before they, until it's released? And those are threat actor aligned ones and these last two are different. Do my people have the skills and knowledge to get somebody out of the environment to do the containment steps? Do we have a known enough environment? I'm talking about shadow. It has somebody built up their own side network that has Internet access that you don't know about. Right. Do you have the tools in place to see if that's a thing or not? And there's various ways to get around that, but that's a thought. Like if you don't have the people that can eradicate or, excuse me, that can contain the environment, now you've got to go out and either through the insurance company get someone or bring on a contractor on the side that aligns ideally with the insurance company so they can get paid. And then fast, again, how fast is insurance going to help me? What are their required timelines? They're going to follow the policy. They're going to hire a law firm. They're going to get an incident response firm. They may get a recovery firm on top of that. It all depends on what's in your policy, and it all depends on what they're required to do. You know, all of that. And again, this doesn't necessarily have to be a ransomware, but this could be a bad patch that borks 30% of your workforce. Endpoints, what are your escalation criteria? Because your escalation criteria to get to insurance or to get to some other assistance are critical items that have to be determined before you have that crisis, before you have that incident. Just trying to, in addition, like we said, for determining what a material breaches for the SEC's reporting requirements, determining what your escalation criteria to get to a material breach is something you have to do ahead of time. So, and we'll say it later, I'm going to start saying it now, but it's not, do I need a plan or do I need insurance? You need a plan, and you probably also need insurance. They're not exclusive, right? Have a plan and have insurance. All right. So then next is the exfiltration, right? Looking at what the threat actors may or may not have done. You know, what are my regulatory requirements for determining exfiltration? Right. Is it customer PiI, is it credit card numbers? Is it HIPAA related information? If you don't have the people to determine what was taken out, again, that just adds into that timeline for insurance reporting. Right. You're gonna have to wait for somebody to come in and figure out, oh, no, the threat actor went to this endpoint. It looks like they accessed these folders and we see a file being created that we are sure pretty strongly has been exfiltrated. How fast will, does the government or customers start to ask questions we're seeing now? I mean, obviously, social media things so much faster these days. But we had one client that had a significant ransomware event, and they kept it pretty hush hush on the corporate side until all their employees started putting on Facebook. Looks like I'm off for a week. We got ransomed. My computer's encrypted. Right. And that's just the kind of information that starts leaking out. And you could tell employees not to do that, but there's really no control over it. And did you have some? No, just that that was pretty amazing. They were planning on sweeping it under the rug if they could, right up until their employees out of them on Twitter or x, whatever it's called now. Yeah, yeah. And then again, how fast is these insurance going to respond? I'm going to keep talking about that because it's been a significant issue for the clients that have hired us of insurance, not just prior to the incident, getting back to them and solving questions, but once that law firms hired, and once the incident response for that law firm is hired, you know, getting back and asking insurance, hey, can we get a recovery firm to help, you know, boots on ground build laptops or computers? It, again, it takes time, it takes cycles. Based on the policy, there's one more timeline consideration, which is access. Not everybody who's going to be involved in the incident has a general everyday need to have access to the things they'll need to have access to during an incident. And so you either need to have built the coordination mechanisms to head off exfiltration and whatnot, or pre stage that access with a process to turn it on quickly. And depending on which regulatory schema you're under or what your internal policies are, 1 may work better for you than the other. In highly regulated medical environments where you've got HIPAA and various other things, you may have to have a regulatory obligation to disable or delete various accounts after x amount of inactivity. And so pre staging accounts that are just not active is not a good solution. In that environment, you're going to need to come up with a coordination approach, whereas in other environments that are massively SaaS, for example, pre staging response accounts that can then be assigned that nobody has access to until there's a need to break glass is a good option in a highly concentrated SaaS or cloud environment that isn't otherwise regulatorily prohibited from taking a pre staging approach. Awesome. Thanks, Andy. Yep. And the other piece there that I hit was the reporting timelines. Don't care how long you're supporting your support staff, how long you're supporting agencies, how long insurance takes to respond like that is a hard timeline. And if you, you can't just go and say, well, insurance take three days to get back to me, get an IR firm, they don't care. So keep that in mind. So, and then let's move to operations restoral. So operations are always impacted, right? It's not, may not necessarily be enough to impact cash flow, but you're going to have, you know, at least the people addressing to it, addressing the incident aren't working on whatever they were working on before. So you're going to have some slowdown somewhere. You know, there's just that opportunity cost that comes into it. You know, you may have your own, your payment systems are compromised, but you're definitely going to have some cash flow issues there. But if it's just, you know, some dev environment on the back end, you may not have a cash flow impact. It's just something to keep, you know, in mind. And then how much time, like it says, right, when we were dealing with these firms, large firms, small firms, they're not thinking about, oh, if these key critical systems get impacted, I'm going to be down for this many days or this many weeks or, you know, heaven forbid, this many months. How long can you keep working? Right. It's a very, it's a real conversation you need to have. And if you're a large organization, you need to have that conversation across multiple product units. Right? Because maybe, you know, you're selling widgets and that gets ransomed, but your sprockets can keep getting sold. Okay, well, what does that look like? How does that, now you're not going to be responding to the same IT support, that sort of thing. And then again, how fast is insurance going to respond? Right? Is it within that window that you've identified above? If not, maybe you need to pay more for faster timelines or partner with somebody else, Apollo or anybody else to get you through that initial process of determining if it's a material breach or not, or help you with that preparation of setting those escalation criteria. I would say that ransomware flipped the script. Disaster recovery has always been an IT issue, but business continuity belongs to risk or other areas of the business. How are you going to keep going if you can't do x, y or z? Cybersecurity made all of that. One discipline, cybersecurity is business continuity. It's not just a consideration, it's a core competency now, which means you have to understand and work with the business to know and something that is not part of many cybersecurity programs, but definitely needs to be when you get to operations. Restoral is an understanding of business impact. So you need to conduct business impact analysis on your systems. And it doesn't have to be the cyber team that does that analysis, but the cyber team, if you're not going to do it, needs to have access to it so that you can plan and prioritize how you're going to recover in a way that keeps the business solvent or keeps the government operations continuous. Yep. Yep. Very much so. And I don't know if I disagree with Andy on this, but I would say the cybersecurity team probably shouldn't lead those discussions. That should be the business unit forum. And the cybersecurity team provides insight, guidance and assistance to help build that process. That's. I don't disagree at all. That's how it works if it's working functionally. But. Yeah, but, but somebody else not doing it is not a reason not to. Not to jump in with both feet. Yep. Fair enough. All right, so let's talk a little bit more about cyber insurance. You're hearing me talk about timelines again, but just because that's what we've seen our customers deal with. So insurance realities. Right. It, it does not remove risk. There was an initial conversation, I remember I was still in the air Force, people were talking about this new cyber insurance and how it addresses risk and removes risk because somebody else is going to pay for it. That's ridiculous. Right. It, it just mitigates risk and it's not a plan. Right. It's part of an overall risk decision, but it doesn't remove any risk because if you're not doing the things to make yourself whole, to make yourself protected, the insurance may not pay out. And then it's just nothing. It's a check that you've written that you don't get the money back and now you're ransomed or otherwise impacted as well. And you pay for your policy areas you may have discussed ahead of time. But there's always, they get the report, they look at the report and they decide what they're going to pay. So you may have thought bringing in this other firm to assist with rebuilding your active directory environment, for example, falls within, under the insurance. And the insurance, they may say no. Right. And they may point to a spot in the policy that says our firms only. Right. Or they have to be approved by our law firm or something else which we've seen, and they won't cover it. And those are often hefty bills. Right. We've already spoken about this. They hire a law firm that works for them. When I talk with incident response clients, this is the part that I hammer the most, because they want to go and ask that law firm all kinds of questions about maybe regulatory requirements, announcements, you know, excuse me, pr notifications. And that law firm doesn't work for them. And so they need to go get another representation. Excuse me. 1 second. Dismiss. All right. Again, they return to as was. They're not going to pay for a lot of upgrades. They're not going to completely upgrade your virtual infrastructure that got hosed. You know, they may do a step up. They may go from windows ten to windows eleven. I've seen that. But they're not putting in brand new servers and en masse sort of thing. And then they also, that last piece, they have a known process for a breach, so they're not going to modify their process for you. Right. If you call us, we take a very partnership approach. We will work with you through the incident, and it doesn't always look like containment, eradication, and the rest that we'll push towards that. You know, you may want to get systems back up online immediately, and we will work through with you for that. The insurance companies don't care. They need to do a, then they need to do b, and they need to do c. So those are some of the insurance realities that we've seen dealing with clients that have had incidents. The timeline is actually where it gets dicey because there's companies like Apollo who we can be on site, engaged with a client in hours, not days, but we're not what's called on panel, and there's tons of companies like us out there that are not on panel with the insurance companies. And so we have been used to kick off incidents and then move along and use to fill the deductible of the policy in more than one instance, because we can respond quickly, and that's a very necessary function in the field. And while we'd love to stay on with every incident, the realities are what's on the page here. I've told our client we're good partners, and I mean that in a sense of the insurance says, no, we're not going to put Apollo on panel. Awesome. We give a full brief to the firm that comes in. We provide them all the data that we have. If they want it, we talk them through where they're at. And honestly, sometimes we've been retained as like, advisors to the clients as they go through it, in case they have any questions. But that's not billable to insurance. Right. So keep that in mind. So Darren had another good one in the, in the chat here, which was that a cyber, cybersecurity insurance rep said that they should never say breach, that it's always an incident. And then he said, there must be some terminology. There absolutely is terminology there, 100%. So there's events, which is, we noticed something happening. It may or may not be bad. There's incidents when you saw something happen. It probably is bad, but it may or may not have had an impact. And then there's breach. And a breach comes in with exfil or without exfil. And a breach means that somebody got access to systems and information, information being the key that they should not have had access to. And breach with exfiltration means not only did they see it, but they took it. And so we are assuming breach because we're having a full blown incident response in this presentation, in the scenario that underpins the premise for this presentation, but absolutely in the plan, you should have definitions of the various things. And the insurance company is not going to want to hear the b word until the b word has been determined, but you're also not going to want to use the b word in official correspondence until it's been determined, especially since the difference between an incident and a breach might be your organization's definition of what is and is not material. And so that's that whole consideration that we've been talking about. Kind of pins it together. Yep. I've had lawyers email me after I've given like a daily update and tell me to stop referring to it as a breach. I've even had him tell them to stop referring to it as an incident. Just call it an event, whatever will go along to get along. The terminology doesn't matter. So. Good question. Good comment. All right, so what are indicators of success failure related to the impacts to the business. Right. So it's really important to break up if you go through an incident and at this point it seems like everybody's going to. Right. You needed to look at both short term and long term factors for success and failure. Right. So your short term failure, generally within the incident or the brief time after an incident. Right. You know, did you lose data that would have been pertinent for the investigation. Right. Because maybe you didn't plan appropriately or, you know, you had your laissez faire leader or, you know, you just turned off endpoints. So now you've lost all the memory. We've had a client where their logs reset when they restarted endpoints, so we just lost all the logs they would have had. And then there's always the point, too, for that, where if you take three days to get a law firm and an IR firm coming on board, maybe your logs have overwritten by then. So that's something to think of, short term kind of failure for an incident, then you're going to see prolonged revenue loss and downtime and a lack of clarity in the restoral process that gets back to really hard decision points. Right in the middle of the incident, directly after the incident, you're trying to go through recovery. What does that look like? If you can't put a timeline on what you think your recovery is, and it should be fluid as things come up and change, just because you don't have a plan ahead of time, that's a failure. We'll be blunt about it. The other piece for the short term failure is extreme morale impacts. Right. If you've, we've seen this. If you're having four hour long meetings every 4 hours with your technical leaders, they do not have time to do the things they need to do to help recover your business. Right. And that just gets people tired, it gets them angry, and again, they get sick, they get hurt and they leave, is what happens there. And we've seen. We've seen clients that have lost employees, like, three days after an incident, they're just like, no, we're good. Here's my resignation. Burn my. Burn my vacation. I don't want to deal with this. We'll see you later. So your long term failure, right, that's where you start seeing your extreme business impacts, because you don't have any strategic thought moving forward from the incident. So you're going to see maybe product lines fail. You're going to see a lot of turnover, as it says there. It's going to take a long time to recover. And then the worst part is you're actually weakened for the next attack right there. You don't see this from private industry as much. And Andy can talk about it a little bit. We're coming up on time, but when you look at some of the governmental reports on incidents that have come through, if you don't address the first one, there's a really highly, a highly likely chance it's the right words of another attack. And we have a client that we're doing some other services for that they got ransomed earlier this year, and since then, there's been three additional attempts in the last two months to ransom and impact those environments. Again, because they've not done these things that we've advised them to do and just aren't going forward. Last there for success. You'll retain that data so that we can hopefully, or whoever the IR firm is tell you, oh, this is how they got in. This is what they touched, this is what they exfilled. We think, you know, we assess, um, you help build those critical timelines and decision points so your revenue loss and your downtime is much lower. And then I'm not going to say you're always going to have a negative morale impact when there's a crisis. Right. You're always going to feel bad if somebody steals your car, but if you're doing it in the right way, you're allowing failure, allowing people to succeed. You're allowing people to learn and grow and do these things. It will turn into a success later. Right. You're going to see those. That's going to be a significantly reduced business impact. You're going to come online much faster, that employee experience is going to get leveraged to protect you from the next attack, and your employees are going to be stronger technically and more robustly. And those are the kind of the two breakouts that we've seen both for short term and long term success. Any given ing on these as we. No, we're running out of time, so we'll just, we'll just wrap it up. But Brian had some great commentary in the chat. Anybody who hasn't read it, you should check that out. It was good commentary. And I would say that to add to the event versus incident versus breach discussion, that's a very simplistic way to look at it. There's also levels of response, levels of incident. Not every incident represents an existential threat to the operations of the organization, and not every breach constitutes an emergency. It can just be the exfil of a couple small records that are protected, but technically is a breach, so it's usually more of a matrix. And you have to build an escalation criteria to understand what level of response is warranted based on what's happening in the operations, which is why it's so important to understand the operations. Yep, we'll leave it here. We got a minute. Insurance can be a great partner. Just understand what they provide, what they don't provide, and what they do. Government regulations are going to increase just as the cybersecurity menace and the threats continue. They're going to build more regulation and you're going to see probably more executives being held accountable through that regulation. And then for victim, obviously, we say, do all the prep activities, do what you can, be upfront about what you can't ask for help. Give us a call if you have questions. And like it says, be realistic about your expectations with your vendors, with your partners, and with your employees, and be honest about what risks you're going to accept and how you're going to mitigate them either through insurance or through an IR retainer or through some CISO services or hiring a CSO. Just be upfront about it. And that's it. That's all of our slides and all of our stuff. Happy to have the conversation afterwards if you want to talk with me about stuff. I love talking about cyber security and incident response. Andy Jevon. Yeah. Just in the con, the chat over here, I got asked about templates. I usually point people, if you're interested in just a starting point for understanding incident response planning, the Texas Department of Information Resources has a great starting resource called the incident Response Redbook. If you just Google Texas dir Red book or incident response redbook, it'll come right up. And then if you, if you don't think that one meets your needs here at Apollo, we also have probably five other templates that are based on sector and stuff like that. Get a little more precise, but as a starting point, it's great. All right, thank you, everybody. I'm going to go read your comments now. Since I was talking.