Let's go ahead and switch to the next slide and rock through the agenda real quick. And so we're going to be covering tabletops and not just what a tabletop is and how to create a scenario or a script or whatnot. And we're going to. We're going to talk about some of the challenges that people are facing that should be addressed and how tabletops can support that. We're going to talk about some unique approaches to tabletops. We will throw a little Apollo flavor in there because it's our webinar and we can do that. And we'll talk about how we can, how we can move a program farther, faster than any other approach. Leveraging tabletops. Next slide. I am privileged to have, not just on my team, but here presenting. And I'm presenting with him. He's not presenting with me, and I get to introduce him. Nick Belgard is a phenomenal security professional. He's the manager of our security consulting practice. He has an awesome team he works with every day, and he has a massive background across a number of industries. We worked together at the State of Texas, where he led the Operation cyber operations for the Attorney General Child Support Division, and he previously worked on some really fun projects that he'd probably have to kill you if he told you about with the DOD and a little trivia that he may not like public but is going to be recorded. Is he also in a long, long ago forgotten past, was a cruise ship musician? Yeah, he wasn't expecting that. So now everybody knows there are awesome pictures and. And it just goes to show, it speaks to the breadth of talent that Nick brings to the table. Go to the next slide. We're going to do a sing song after. After the. Absolutely. Absolutely. And of course, everybody's calling me now that. Now that we've started. They think I'm on lunch and in fact, we're on a webinar. 
So Nick has put together a slide deck that covers a really unique approach at the Apollo approach, but also best practices that anybody can implement around preparedness. And, Nick, you want to give us an intro, what you're going to talk about? Sure. Yeah. Thanks for that amazing intro. I can't think of another intro for me that's been as expansive and skeleton sharing, but yeah. So our title here is rethinking cybersecurity preparedness from theory to action. It's something a lot of folks don't contemplate, but how do we actually exercise and prepare more than just building up a series of technologies and configure those putting into practice, like your plans, understanding what those mean for your people and your organization. Moving from just a paper plan into more of a true preparedness strategy. We like to put tabletops, like other assessments in that preparedness bucket. It's moving more from something that's discretionary spending into what most would call like required spending, almost where if you're not doing these, you're probably leaving something on the table. You know, you may have a plan, but you've never used it. You don't have a plan. And maybe you're always reinventing the wheel, every security incident, because we're not socializing that plan or practicing it. Maybe there's just a lack of experience with certain types of incidents. You're well practiced in certain things, you guys get hit with certain types of things, but you've never had a truly major incident being fortunate enough, but something to practice the scope and scale of things during a massive incident. Are you prepared for that? Are your folks prepared? Go to the next slide. Because there's something that is talked about all over the place, right. I think this was the intro slide. There's something that's talked about all over the place, and it's resilience, it's defense in depth. It's the evolving threat landscape. We have lots of recurring themes. 
We also have one that's getting to know the business, and that seems to be the one that's the hardest for folks to get to. Tabletops can also help get to know the business, and we've got some, some direct examples of that. Anything you want to add? Because I was expecting the next slide to be. The next slide. Oh, the next slide. I wasn't paying attention. No worries. No worries. Well, yeah, so with this slide posing that question, we've got an image on one side that's more chaotic and sort of under duress. Looks well organized, but there's still some. Some maybe processes or pieces to the puzzle that aren't there. Some, you know, looming deadlines, decisions need to be made, people asking for updates, maybe not the most desired state for your organization. And on the other side, we've got, you know, what looks like a good team dynamic. Things are getting done. Not a lot of stress. It seems like they're successful. And would ask each of you, like, where, where do you feel today your organization sits? If something were to happen today or if something is going on regularly, which side of the slide do you typically find yourself on? And, and if it's not the more serene, like, well thought out, planned, you know, side of the slide, what, what. What can you do and more. So what could we do to help get you there? You know? Have any of you actually experienced a significant challenge, uh, this year in just the last few months, uh, for incident response? And some of these will help maybe answer these questions? Our approach will help answer that. I will tell you that if you're not working towards the right hand picture, uh, you will be caught off guard and stay in the left hand picture. And I prefer to help people move from left to right as opposed to, uh, get called in because they stayed in the. In the frenzy side. So let's talk about what we mean. Go ahead and go to the next slide. By evolving threat landscape. 
People throw this out all the time, and they usually just imply things with it. They say the bad guys are changing their tactics. They say there's more cyber attacks than ever. So let's talk about some real numbers there. 33 billion accounts were compromised in 2023, with the average breach cost being $4.5 million. Now, that's average. Remember, these numbers cover a broad swath of incidents and organization types. There are 22, 38 daily breaches. Remember that not all events are incidents. Not all, but all incidents are events. Not all incidents are breaches, but all breaches are incidents. And so there are 22, 38 estimated breaches daily. And these are global figures. 97 individual accounts breached per hour with billions and billions and billions of accounts, as we said above, compromised every year and average of 39 seconds between cyber attacks. And cyberattack isn't like somebody port scanned you. You see a lot of organizations who report on their daily metrics or monthly metrics of how many attacks, and I'm going to air quote "attacks," that they've thwarted. We're not talking about the recon work. We're not talking about the general port scanning and casual activity. We're talking about actual attempts to perpetrate an attack. Basically, its traditional approaches are not working. And we've seen these numbers increase as a result of the evolution of the threat landscape. And I would like to throw out my first bit of controversy, which is, we've been following defense in depth since 2006, 2008, somewhere in there. And these numbers keep climbing, these numbers keep going up. And I'm going to throw out the controversial statement that is not my own, but I think I'm buying into that defense in depth is dead. Which leaves us with not a lot of other good options. There aren't any good options. So the best bad idea is resilience. And so we'll. We'll work towards that. Thoughts, Nick? Yeah. Bang on. Bang on. 
Yeah, I stole that from The Fifth Domain, a book by Clarke and Knake. If anybody's interested in it, I won't take credit for it, but I am buying in. All right, next slide, I think, is all you. Oh, okay. So, yeah. So, you know, the old practices, as Andy put, tend to be failing, and the data points to that. It's not enough just to have the. The best and latest technologies. It's really a combination, the aggregate of what defines security. That's people, processes, and technology. How well are you understanding how those are adapted for your organization, what each of those pillars mean to you, and how are they integrated? Again, like we talked about in that opening slide, sometimes the plan alone is not enough. So here, we've got several line items here that theoretical planning is limiting. Right? So you may develop those plans in a calm, controlled environment. No chaotic stress or, you know, real world attack scenarios being presented. Just kind of an amalgamation of. Well, we have this and that. So let's kind of wire those up. It doesn't really account for the on the fly, you know, adaptation that you may need to take under a real incident scenario. The human element under stress is that. Yeah. So, during a real incident, pressure and stress can significantly impact the decision making. So everyone may react differently under those stresses. If there's no practiced and well formulated plan, it sort of leads to that anxiety and the stress. If you're having to invent the answer to the questions as they're coming at you, that can be daunting. That false sense of security here. So, continuing down the left side of the slide, you know, you've got a plan, but it may lead to a false sense of security and complacency because you're leaning on the plan, maybe never having to execute it out of fortune, just pure luck. But one day, you will need that, and it may not suffice to recover and respond. Unidentified gaps and weaknesses. Right. 
So, through any assessment or preparedness, activity, therapy, that's what you're trying to suss out. Like, where are my gaps? Where are my most weakness? Right? And as another practitioner of ours likes to say, people like to misquote Sun Tzu all the time, right? But, you know, uh, part of the art of war is to know thyself. Um, you know, if you don't know yourself, you're gonna lose every battle. Um, don't know where you're strongest. You don't know where you're weakest, so you have no way to support where you may be failing during a potential attack. Overall lack of team familiarity. So the plan may be there, it may not be socialized. Other folks may be new to their roles. Other departments within your organization may have never experienced an incident. So this gives them an opportunity to sit at the table with you and see how you guys work, and vice versa, see how they work during a particular prescribed incident. The ineffective communication channels. This is also something. It comes up, really, in the exercises we perform, tend to find this more than we'd like. It's just these silos of communication where, again, different teams aren't used to talking to each other. You've got that horizontal communication, but also that vertical communication from the technical aspect of analysis up to CEO and other stakeholders and decision makers. How effective and efficient is that communication? How quickly is it happening so that we could get good intel to the decision makers so they make good decisions and then obviously reduced adaptability. If you don't know what right looks like, it's hard to see what wrong looks like. So in the heat of battle, the incident, you know, you don't want to be, again, answering questions that you maybe could have answered beforehand, giving your teams a chance to fight the unknown once you've been able to suss out what the kind of known variables are. One of my favorite quotes is not Sun Tzu, but is Eisenhower. 
And Eisenhower said that the plan is irrelevant. The planning is invaluable. He said a different word, but I like invaluable. It's irreplaceably valuable to be going through planning cycles, and no plan survives contact with the enemy, the adversary, or the bad guys. And so making sure that you're going through the exercises, not just that you have a plan, but that you're testing them. Three weeks ago, I'll share that I met a person who I will not name because this is a little sensitive, but he literally told me that he doesn't care about the plan. Now, he's been in the same role for 25 years, but he doesn't care about the plan because his personal plan, if they get hit with a ransomware attack or major cyber incident, is to just retire. And I think that's a terrible plan. And I don't know how you. I don't. I don't know how you take that approach, except that you've probably been beaten down by getting told no. Whereas what should have been happening is communication across divisions. And where we see, where I've seen in my career, a lot of the breakdowns are, for example, in a full scale ransomware attack, you will probably not have access to payroll. You won't be able to run payroll. And we've talked with a number of organizations and in plans I've been involved with about how timing is everything. If the attack takes out payroll three days before payroll is running, it suddenly is a higher priority than some other systems. Whereas if we have in a state government organization that only cuts checks once a month and payday was yesterday, we have a little time to rerun that. But knowing how you're going to handle that matters significantly, and it's often not considered and leaves people on the frantic side of that planning versus no planning slide earlier. Having seen so many teams go through this, so many organizations get hit. I think I'm up to 120 ransomwares in my career now. I don't really know anymore. 
I've kind of lost track after 100, but it's probably about 120. So often the cybersecurity team that's tasked with getting the organization back on track and responding to the incident has never met the finance department, has never met the communications department. They usually have met general counsel at some point, but maybe not the response team. It's usually somebody on the GRC team or whatnot. Having a plan, exercising a plan that forces those connections and drives that business connectivity is crucial. All right, let's. Let's talk. Let's get into nuts and bolts of tabletops. Let's do it. Migo, you go. I'll start. Your goals and objectives. You have to know what you want out of your plan, right? What comes to mind when you think about the words exercise? When you think about, like, kinetic training, physical security and cybersecurity overlap significantly. When you think about the top level concepts, what are the goals of exercising the plan? What are the direct things? We're going to directly test the backups and our ability to exorcise the demons that are the bad guys from our systems. But the indirect goals would be communicating out across the organization. We saw one incident where a government entity was taken down hard all the way across every aspect of service that they. That they controlled, and they didn't have a way to communicate with their employees. So their employees took to Twitter, and that is how the news media found out what was happening, because they. They said something along the lines of, well, not going to work today. Apparently the computer systems have been completely ransomed, and that is not how you want the media to get ahold of it. It's not how you want the rest of your employees. And you also have no way of knowing if you reached your employees. So, you know, considering these things, go ahead and talk about the outcomes from your perspective as somebody who actually does this. Nick. Oh, no, I mean, dead on, as always. Yeah. 
Just really from defining those words, the exercise, that ability to train procedural memory. Right. So you think for going to the gym, right. You're trying to get stronger without breaking your. Right. You don't want to go home, you know, limping or injured, but you do want to push yourself past your normal daily extremes to build growth, to build that muscle memory that ties in when you need it. As Andy was saying, like communication, understanding the parts of your plan that need to be implemented. Also the communication about what's happening. Does your organization understand the compartmentalization of some of the sensitive activity that, that would go on during an exercise or, or an incident where the exercise could, could kind of test that, understanding what should be shared, what can't be shared. Again, going back to that. Effective, efficient communication. Oversharing is a thing, especially in certain instances. And then, yeah, just overall, the goals and objectives can be both direct and indirect. So you've got the, the things that are on the nose, but also these intangibles. Just building relationships better, understanding these different departments that other teams may not interface with in a normal, you know, kind of daily routine, but understanding how they work together, how communication flows, what sort of things they're looking for in the heat of the incident. So Nick. Nick likes to use football to explain this, and I think he's going to do that on the next slide. And it's pretty effective. Go ahead. I'm. Yeah, um. Yeah, here comes a metaphor or a simile or thought experiment. I always get those confused, but it is about football. While I'm not the biggest sports ball fan, I think it does apply. It's one thing to, you know, take your time and resources to build a stadium, acquire the best team members and coaches, give them the best gear to operate with, but not prepare for the game. Right. That seems a little nearsighted. 
Do you have plays that you've developed or worse? You have them, but you've never practiced them. Have you developed alternate communication strategies for game day that obfuscate the play that you're calling to the team to make sure they understand what's going on? But maybe the bad guys don't prepare for potential injury. Right. Your quarterback that's starting the game may get injured. You need the backup quarterback to come in and pick up where he's left off. Being able to fully communicate, run the plays be successful, communicate back and forth. It's. It's one of those things. Where is your plan ready for. For game day and is your team ready? Um. The team's understanding of that game plan is crucial for success. You would never just send your team out on the. On the field on game day with. With no practice or rehearsal beforehand. And in other ways, we've got this thing where we'll get into a little bit later, differentiating. But think of it, a football game, but also the difference between like a full dress rehearsal and like a table read for a script, some other metaphors that might come into play later. Yeah, both are very important. Right. You do have to make sure you understand the x's and circles and arrows and hooks and all those other things, but. But it's totally another thing to go out and run the plays on the field and then yet another one to run a full scrimmage. And each one has its place and its value. And then you watch the film afterwards, not just of the practice, but of the games, and you take every opportunity to bring the lessons learned in. I also really like the football metaphor. Not because I'm the hugest fan either. 
I'm a hockey fan, but I like it for the same reasons that I think hockey would apply here, too, which is that you also have no idea which player is going to get hurt or what's going to go wrong once you actually get to the game and having your emergency medical on the sidelines and having your contingency plans ready, your backup players, you know exactly who's going to step in. If your A player, your A team, your first string gets taken out. And that's something that a lot of organizations don't consider. You also have an escalation criteria, which is something that is left out of so many plans. If I were to say the number one thing that's left out of plans that I've seen, other than good communication plans, are escalation criteria, knowing exactly when to escalate to the next thing. So in football it would be when do I want to go ahead and punt? I could choose to keep powering through fourth down, but maybe it's time to punt. And having that defined criteria and selection of when to make that decision incredibly helpful and can make the difference between winning and losing absolutely speaks to something more in detail. But those thresholds built in, right. Is understanding that someone else could pick up and make the same decisions as close to the primary, maybe incident commander or responder or fill in the role. They would make a similar decision in the absence of your primary resource, and that's something that should be considered in all instances, harder to do with smaller organizations, but, you know, can make some sort of plan for those things. Maybe, you know, dual hat some folks, but there's answers to all these questions and challenges. But if you've never pressured yourself to answer those beforehand, it's, you know, it could come up to bite you on game day. Absolutely. So let's stop talking in metaphors and start talking about tabletops themselves and moving on to the next slide. Why do organizations need a tabletop exercise? 
And it's probably somewhat obvious how we feel about this from the previous slide and our chosen metaphors, but let's be specific. Go ahead. Absolutely. Well, trying to make it as intuitive here with these as we can. But first off, it's training in a safe learning environment where it's safe to fail. You know, we don't want to see failures, but I'd rather see them in a contained, controlled environment so I can learn and integrate. As Andy was speaking to before, create this feedback loop of lessons learned and reincorporate those into my plan and game day assessments. I say this a lot in other teams and stuff. I like to make mistakes. I don't like to make the same mistake over and over and over. I want to make new mistakes. Right, let's make new mistakes. I want to learn from what I failed at, but not continue to fail at that thing. So it's knowing. As we talked about before, adaptability is key, but giving the chance for resources to experience maybe an incident for the first time under controlled environment, introducing them to things. Maybe you've got a tier one, you know, new folks learning tool sets or whatever. This is the prime example, you know, asking the questions you might be scared to ask. In another scenario, we like to do a really good job to facilitating that environment and we take that very seriously. Identifying areas for improvement, right, which is pretty obvious there. Improve collaboration and communication between different departments and stakeholders. Again, pretty intuitive socializing, increasing the awareness of response procedures. So more than just the top team understand what should be happening at any given point, more people have an understanding, again what right looks like so we can know what wrong looks like and when we need to start adjusting again. Just establishing a baseline and continue to grow from there. Wanting to remove the silos of communication. Also determining the adequacy of all the combined resources. 
Like said before, people, processes, and technology, like there may be some gaps in skill sets, right? You may be lacking in resources in totality, like you just need an extra two people, right. These exercises and our assessments and report could help open those discussions and showcase kind of quantified response to that. And I think you, I think you have people, processes and technology down there at the end, and I'll just, I'll just double tap that. And very specifically, you need to test all three, but not just in a vacuum. The, the people, processes and technology do not function independently of each other. And you're probably, you're going to find resource gaps in your people, and it could be overcome with training, it could be overcome with outsourcing, it could be overcome with, you just need more people. It depends on what the exercise bears out. Your processes will undoubtedly have room for improvement, and they will always have room for improvement because your organization will change, the threat landscape will change. We already covered what, how the stressors are evolving over time and the volumes just keep going up. How do you handle a continually increasing attack volume and threat magnitude without a commensurately increasing resource stack? And there's a lot of people out there who say, oh, well, it's a losing battle because we'll never be able to keep up with that curve, except that in so many areas, we've already seen these same types of things happen in other areas of practice where challenges come up that seem insurmountable. But two years later, they're standard practice. And so that's really the way forward, is to work our way through these problems, socialize the solutions to where they become standard practice, to free ourselves up and give us the bandwidth to tackle the new emergent threats and problems that face us. And that may also mean that we need to adapt and change our technology. 
There's a lot of people who are faced with, when faced with traditional problems, meaning infrastructure. Let's take infrastructure, for example. They can throw a bucket of money at it and one hard effort once every five to 15 years, depending on the type of infrastructure we're talking about. And they don't have to worry about that problem for a long time, whereas cybersecurity changes every day and all the time, and you have to make sure you don't get caught up with that sunk cost fallacy. But you need a way to justify why you need to make changes, especially when they're used to not making changes after making big decisions periodically. And so these exercises that every organization should be going through are one of the means to test whether or not we still have what we need and, and what has become practice and what deserves focus. All right, so, so let's talk about standard tabletops and we're getting into the uniquely Apollo portion. We won't, we won't hit the sales piece hard, but we will hit practice hard. Standard tabletops you can get from lots of places. You can do them yourselves. You can contact CISA if you're part of critical infrastructure and get on their waiting list to have them come and do a tabletop, you can find regional partners. There's all kinds of ways to do tabletops and you should be doing them. Go ahead, Nick. Absolutely. You definitely should be doing them. We'd like you to bring us in to help you do those, but absolutely, you should be doing those. We have two primary approaches here. Standard, which you're probably all familiar with, but we take a different approach than most, and ours are discussion based sessions, but they evolve in a particular way where it's more like choose your adventure. We'll lay it out in a series of injects that progress in phases. They can take on more of a coaching dynamic or more of an assessment approach, or both. 
We like to cater for you and we'll get into some of those specifics a little bit later. But the main takeaway here is this session allows the participants to think critically and creatively. That's key, along with communication, but getting folks to think critically about their organization, their tools and what they have at their disposal. So we could build plans and continue to evolve those, as we said before, in this risk free environment. Right. Overall leading to that more robust and resilient posture and strategy. Absolutely. And every single organization starts with tabletops somewhere. The oldest, most traditional is to just walk through a scenario and say, okay, what would happen? And this is the normal lunch and learn where there's no preparation, there's no injects. It's just a thought exercise that you do over a brown bag lunch. Those are a great starting point. They will not get you down the road as far or as fast as you probably need, which is why you need to get into this more adaptive type of exercise that is built around the organization and pushes and encourages and all that guarantees critical thinking. Yeah, we've got a little breakdown. More detail here in a couple slides for how we like to get into that. Next would be our kinetic tabletop, which is uniquely Apollo. This adds to the standard tabletop where we utilize tool sets to basically perform attack simulations, adds incredible insights to your environment with live fire simulations that mirror the real world attacks that are constantly evolving. So the backend of our tool sets, continually updated basically daily and multiple times every day, depending on new attack vectors and such. We are very experienced facilitators, as Andy mentioned, the team here at Apollo, incredibly talented. We like to work with people, which I think is also a differentiator for us. Right. We like to present and create an educational environment. 
I think that's really one of the key aspects of the value we bring. And then with that, more of a technical approach, assessing your infrastructure as well as your response. We've got performance metrics with that post exercise analysis. So there'll be some examples a little bit further into the deck here. Really great reporting. Gives you a really good insight into your organization. So what this looks like is a few weeks of preparation and learning and mapping the organization, understanding the processes, leaning on experience to identify exactly the scenario that's likely to stress the organization to the degree that the stakeholders agree is appropriate. And then we stress test, and I like to call it getting the "it wouldn't happen that way" guy out of the room. In every standard tabletop, there's a sunk. There's an assumption that has to be made that we all agree that this happened, and somebody, usually somewhere in the room, says it wouldn't happen that way. And so the kinetic tabletop approach is specifically and uniquely designed to make that not the case, because we're focused on a scenario and we use the simulation tool to prove that it does happen exactly the way the scenario says it happens. And that makes such a huge difference because it allows people to get the what ifs out of the way and focus on the this if is happening now. It makes all the lights blink, and then afterwards, we're able to do some leave behinds that I think Nick already mentioned, we're going to show you what some of those leave behinds look like. 100%. Yeah. I mean, in every. I think, you know, to add to what you were talking about, that guy or gal in the room, that it couldn't happen. There's also some of us on the team that say, that guy is also in every call when we come in for incident response. This should not have happened. We have a tool for that. Right? So it happens again. 
One of the bullets early is that sense of the false sense of security leading to a complacency, because we haven't actually pressure tested your scenario. Um, you know, you haven't, you know, uh, pressure tested the organization, um, you know, before something really bad happens and, you know, really want to encourage folks to start doing deeper dives in that area, how we come in and help, uh, help, help you guys and how we prepare for these tabletops. Andy mentioned. Right. Identify overall what your engagement objectives are. A lot of times these are regulatory or just kind of framework. We need an annual tabletop. Um, in other instances, these are, we want to legitimately increase and improve our security posture. We want to know more about ourselves, our technology, our processes, and our people. Scale and scope. How long do you need these to be? How many teams would you like to attend? Again, we could start small, one or two teams you want to bring in. We've done just small teams, like just your security operations team, and do some evolutions there before leading to a larger audience as that team feels confident and comfortable. So, yeah, we really wanted to find the scope and scale of these engagements. Selecting the participants and stakeholders is key. And that fourth bullet there under the standard, I think is another, I would think the Apollo difference here is we take a lot of time for developing relevant and realistic scenarios that are uniquely tailored for you guys. We work with insiders to get key insights, developing these scenarios that mean as much for you as they could possibly mean. And again, back to scale and scope, as difficult or as more foundational as they need to be, based on your tolerance for that. And then on the kinetic side, again, building on everything on the standard side, we just identify additional scale and scope for that would be in scope. 
Defining VLANs or network segments, particular resources that should not be touched. That should be touched. Think of it more like we can blacklist items. We could whitelist items. We could also do a capture the flag where if we get to this particular resource, this critical asset or key infrastructure, game's over. Along with that, a little bit more technical prep, working with your engineering teams or whomever might be in charge for deploying the agents to prep for that. It is an agent. And we have a slide a little bit later talking more about that. We do use an agent based approach to the simulation piece to make sure it's fully and completely controlled because the last thing that any of us want, especially us, who would bear a little bit of culpability if we actually attacked you instead of simulated attack to you. So we make sure that we keep tight control on this. Yeah, it's coming later, but, you know, since we're, we're on that, uh, these are non-destructive exercises, fully simulated, non-destructive. It's, you know, uh, contained. Yeah. Um, this is a little bit of a breakdown. Andy was, was, was talking about this, uh, uh, already, um, you know, like what we think is effective, we've been doing this for a long time, you know, our team is, you know, we're long term practitioners here. Um, and we found, as some of these other folks that do their exercises, as Andy was mentioning, it's really more of a run through an entire scenario from a to z, then into discussion. Right. There's no, there's no phase into the incident, no key decision points along the way. There's no sense of urgency, stressing decisions to be made that you also have to live with as the incident in our scenario progresses. Right. Maybe, you know, you took too much action ahead of time and created a different fork in the road. Um, again, our, our exercises can be extremely dynamic where we may be generating new slides on the fly based on our discovery, uh, sessions with you. 
Um, we don't think those are the most effective because they really just become the art of the possible. Um, where there is value there, there's a better way. Um, having a conversation is definitely a start, but we feel like working through a scenario in progressive phases, guiding the participants. Right. And that's our job as the facilitators, creating that environment and walking everyone through the scenario, being able to answer questions as they come up. We want everyone to ask questions that's very significant as part of the participation to our exercises, understanding how those response actions apply at each phase of the scenario and having folks work together to develop and decide in real time. Not having the a to z. Like I clicked on an email, ransomware kicked off, infrastructure tipped over. I need to start recovery options. How would we approach this versus. Let's start with the initial inject and how the initial alerting might come in. Maybe it's a phone call from the help desk. Maybe you've got a tool in place that would tip you to something going on and it just, you know, like a thread on a sweater pulling from there. And as we talked about, incredibly important, that post exercise review or what we call a hot wash, um, immediately following that scenario. So while we're in that sort of mode, um, maybe tensions are high, you know, anxiety levels are high, maybe depression levels are high depending on. Depending on how the exercise went. But let's capture those thoughts and the feelings and confidence level in your organization, in your teams, in your approach, because that's something that really feeds into a longer term strategy and road mapping for maturity. So let's get into the fun stuff, which is the next slide. Yeah, I like the image here. So, yeah, so a little bit more about the kinetic tabletop. Again, that uniquely Apollo service we have here. Adding action to the standard tabletop. 
Going back to one of the earlier slides asking what comes to mind when you think about exercise or kinetic, that's essentially putting into motion where the standard is extremely valuable, especially the way we approach that, this makes more of an immersive or functional exercise possible. You're not just sitting around discussing what could happen. As Andy mentioned earlier, we can actually bring receipts to the table and be like, well, this is how it would actually happen based on your current configuration. Right. EDR would respond this way, right. Your IDPS would respond this way, et cetera. They are agent based, non-destructive attacks. Many, I mean, thousands and thousands of possible different scenarios we could apply. Ransomware, lateral movement, data exfiltration are just, uh, some that we could do in a bunch of different subcategories and attack types underneath, again, they are non-destructive. I keep stressing that because it is important. Um, it does lead to a little bit of apprehension. Um, we've run these on, on operational systems during the middle of the day. We've run them after hours on segmented, you know, non production sec, uh, segments, you know, after hours. Um, we can cater to whatever you're comfortable with, um, pre assessed or real time, in parallel with the standard tabletop that would go along with this. So if you're uncomfortable or not confident how this might go the first time, we can definitely do these pre assessed. So it gives you a sense of, again, how your infrastructure as currently configured would respond. Then we derive a scenario based on the realistic configuration and outcomes from that technical assessment. These are very real eye openers for folks that have not had this done before. You've never done any sort of technical assessment. Andy, did you have anything to add here? No, I just really love the concept and it's one of my favorite services that we've ever come up with. And it's just, I guess a note. 
When Apollo does this, this is the only service we have that's never had a complaint. And I mean that in terms of like five star, we've had other services that are very highly rated and four and a half stars or whatnot. But this one is, is the only thing in the entire portfolio that has been done at scale repeated and always gets five stars. Now, I will tell you that there's always stress in the process. People think sometimes that they want it, that they're going to give it a poor rating in the middle because it is stressing them out. And then at the end when they see the report and the results, it always comes home. It's a fantastic approach. Yeah, well, and harping on that a little bit is we as practitioners understand how these things can become very personal. These are emotional events, even simulated an incident. As a lot of us talk about internally here is it's the worst day for somebody. It's their worst day either professionally, career, maybe their life. They're having to deal with a lot of stuff that's going on at the same time. And so it's, it's rational to be, you know, apprehensive and a little, you know, concerned. But again, it's great to go through that exercise in a controlled environment versus having all of those emotions flood on the day of an event because it's, you know, likely to happen. And we want you to be as prepared as possible. And that's, again, people process technology. But the people aspect is, is key. Being able to, you know, become collective, especially if you're in a leadership position, understanding, you know, the, the other team members are deriving their anxiety and stress level from, from you. And being calm and cool could make a big difference in the outcomes. So let's talk about what a report should include. Absolutely. What do they get out of a good tabletop exercise? Well, a lot of stuff, but from a tangible report leave behind. 
We've made some evolutions in our report, and I think we've done a really great job of breaking down these six different, we call them objective areas. We can apply maturity scores to these. I will say most folks would rather not. The leave-behind observations and recommendations are generally enough to spark a roadmap strategy discussion, and that's really where we find our value. But breaking down these six different objective areas in adaptability, again, your ability to quickly react to the changes and the unexpected things that may come your way. Number two is the communication. So your ability to share information again laterally, but also vertically, up and down effectively, efficiently and as quick as can be. Andy foot-stomped this a little bit earlier and it's definitely a key in our reporting, is escalation. So your willingness to notify and engage other decision makers and leaders, other specialized team, maybe third party support that you have for specific infrastructure, we deal with this a lot, especially in cloud based environments. There may be multiple people in the supply chain that you would need to reach out for or reach out to coordinating response efforts. If you're not practicing that, it can be very, very clunky. But also just knowing when and how to escalate beyond just a localized event into an incident that becomes major. Number four, being plans and processes, right? Do you have them? Do you practice them? Does the business, are they aware of them? And then obviously, how effective they are, how up to date are they constantly evolving as you onboard, off board technology, maybe bring on new partners, new departments. I would say that plans and processes comes after communication and escalation with intent. I think that's a good call out to make here because the, what, what can make the difference in effective communication and positive escalation is a simple process. Right. A checkbox for have we met the criteria? 
And there's, there's a lot of folks that, that would be willing to escalate. They just don't know when. And so there's, these are, these are in order. Keep going. Yeah, no, absolutely. Thresholds baked in for all your resources and such communication lists, et cetera. We could go into a session right now. Teamwork. Absolutely. The collaborative effort to work as a team. Also, again, with external resources, maybe those within your organization that you usually don't interface with or collaborate with day to day, this gives you that opportunity to engage with them, build those relationships, network and know where and who to reach out to in a given event. We've got a lot of examples of how this has really paid dividends just in the discovery. I mean, it's really incredible. Technical capability. Pretty much on the nose there. Again, your use of technology, software and hardware to detect, prevent and respond to issues. Awesome. Let's talk about maturity, since you briefly mentioned it. So let's drill down on it. Absolutely. So from the outset, our goal is more of a partnership with you. We will critique, but we're not specifically critical, as in criticizing you. This is a partnership in all of our engagements. And I think, as Andy mentioned, our survey results will share that. We want you to be better. Our value and our leave behind is that when we come back the next time, and we hope we will again, different things that we'll find. And that maturity starts with a foundation for strategic goal, for strategic growth. The assessments provide that baseline an understanding of where you're currently at, so you know how far you want to go and what that might look like. It's a real insight to your security posture. It's a clear lens. Our report, looking at all of your posture, revealing strengths to build upon and the vulnerabilities that you need to address. Blueprint for resilience, that word, you'll see that word built in throughout. 
Andy was talking about that specifically during the defense in depth conversation. But it's really a pathway to maturity, that path to get you to where you want to be. People, process, like, technology lead to a holistic security vision. We're not just looking at one aspect. We're taking in the entire organization as we go through our discovery calls. As mentioned before, learning about each of the areas you would like to engage, we get very familiar with them, and in some cases, we've literally uncovered incidents or signs of issues that they need to address because we're taking them through what we think might be a good attack vector that maybe they haven't considered or they don't have visibility of and for one reason or another, comes up during those discovery calls. And so, yeah, plays really well into scenario development. Cultivating a security culture again, as we do with security awareness training for our employees. We want to do the same for our security folks, our IT folks. Right? Continually training, understanding that as the threat landscape evolves, we need to continually train as that evolves. Train as you fight, if you're military out there. And also a key here, and I almost foot-stomped this earlier, but empowering informed decisions. So a lot of folks bring us in. They already know things are gaps and kind of weaknesses, but they don't quite know how to have that conversation. Our reports can be the opening of those conversations can be, you know, evidence based discussions. Right. It's no longer, I think I need more of this, or I think I need more of that. We could bring evidence, and here's specific areas where we would recommend changes. It could be hardware. You know, you're lacking a DLP solution. It could be training, you know, a lot of tier ones. We need some more tier twos and threes, et cetera. Andy, did you want to add anything here? No, I'm ready to go to the next slide because it's one of my favorite slides. 
The next three slides are my favorites. Everything you said is spot on. And I think I'd like to lead into the next slide with a trust but verify. Except I prefer the words trust but validate. And so one of the things that. That a tabletop should do is validate whether or not you're on the right track, whether. And in our case, with the kinetic tabletop, we're able to validate the efficacy of tools against attacks of x, y, and z type, from x, y, and z place and threat vectors, et cetera. And so while EDR is a critical security tool and data classification is a critical control and inventory is CIS number one on purpose. Understanding the efficacy on the ground of each thing in its tier against its purpose is a critical decision factor that so many organizations don't have because they're unable to validate whether, whether or not the things they're doing are actually effective. This approach does exactly that. And what you have here is a. I believe this is a ransomware survey. Oh, also a worm and a trojan there. So what we do is we go in and we run 400 or more types of ransomware in the environment from a base compromise. So we assume that somebody clicked the phish or whatever, or they bought access, the bad guy bought access from an access broker, because you've already been compromised. Something along those lines. And so we leave behind, given this assumption, for an attack vector, which happens to all kinds of organizations across the world, we take the most common ones and we say, starting with that as the assumption, what would your efficacy be if that happened? And we're able to leave it behind. So it's possible that your EDR goes from 100% down to 89%. And so what mitigating controls do you need? Or what should you be watching to identify whether or not that's happened? You want to fill anything else on this before we go to the next one? No, and I know we're running up on time here, but. Absolutely. And this just shows kind of a completed versus attempted. 
So the ratio is you want to be lower than higher on the ATT&CK technique. But again, overall containerizing and categorizing what your vulnerabilities are mapped against MITRE ATT&CK framework. So being very specific in where you need to make changes. So it gets very prescriptive. We're talking a lot of abstracts here, and that's on purpose, but our reports get extremely detailed. With that, we'll move to a lateral movement again as, as pivoting off of the endpoint assessment, showcasing what it would look like if an attacker gets hold. And I, I will step back one minute and say our exercises are basically an assumed breach. Right. We're exercising from the point of something has happened and something is, is continuing to happen. So we, we come in here and looking at lateral movement as the ability to move across your network. Here you see basically a spider graph of the network. You see a red dot there where we were able to basically capture the flag, gain domain admins on a particular credential here. A lot more detail under this report. This is just a high level visual, but showcasing all the servers, workstations, SQL servers, databases, websites, you name it. We've got the host of it, including tokens and net shares and everything you've heard people refer to. The blast radius. This actually shows what the blast radius would be of ATT&CK type X, Y or Z that we've chosen to run in your assessment. And I'll make a note, this is not an Nmap scan. Each of those blips indicate footholds. They're not nodes that were scanned. Those are. We were able to move to all of those nodes. The red just happened to be the most effective and that's showcased here where domain controller. We were able to get domain admin using an SMB token manipulation and all simulated, all non-destructive. But you probably are going to want to reset those credentials after we've taken them. And several other steps. And several other steps, yes. 
Which we will provide remediations for. Absolutely. Let's go ahead and wrap it up. And if anybody has questions that we can field real fast, drop them in the chat. But the short, the short of it is you got to go beyond traditional defenses. You got to go beyond just putting in controls, walking away and forgetting it and hoping the SOC will catch everything. You got to get immersive and get the entire team, not just in the SOC, not just in the GRC, not across the security team, but all of it and into the business. They're going to be involved. If the bad thing happens, the impact needs to be as high as possible and as targeted as possible, which is why pre-canned scenarios that work in any organization shouldn't work for you. You need to be working with a partner to do these things. It's impossible to be truly fully effective. Nobody's a prophet in their own land. Which is why relying on third parties is so critical for this type of thing. There's always some sort of internal momentum that prevents things from going as far as fast as they could. And the solution is to get actionable insights that you can continuously use, which is why one and done is not enough. Nick? Absolutely, absolutely. I think it's, again, harping on the partnership aspect and the leave-behinds, highly customized for you. And that's, I think, again, one of our differentiators. We're at the top of the hour and we appreciate you all for joining us. Thank you so much. I don't see any questions in the chat, but please feel free to reach out directly to Nick, or you can get to go to the website and reach out to the team at large. And we hope to be able to help you out in the near future. Let's get this thing on the road and every organization out there on a path to good, because we. I really don't want the bad guys to win.