WS4-Security Incident Response: What Would You Do?
How to respond to a security incident is something that should be practiced often, so that when an incident occurs, everyone knows what to do and what is expected. Come and be part of an incident response team as we work through an incident in a tabletop exercise with a mystery motif. There will be roles to fulfill (maybe you want to be a security analyst, or an incident commander, or the communication specialist). Join this session and claim your role and your script, and be part of a Cyber Security Incident Response Team. (No experience is needed. Information will be provided, along with clues and what you need to share at specific times. Ad-libbing is wildly encouraged.)
[00:00:03.200]Glad to be with you today,
[00:00:05.180]and to share this information with you.
[00:00:09.400]I've been in IT for a lot longer
[00:00:13.860]than I have not been in IT.
[00:00:15.770]So some of you might recognize me.
[00:00:18.580]I started at Nebraska Medicine on March one.
[00:00:22.020]Prior to that, I worked for the University of Nebraska.
[00:00:25.610]I was based in Lincoln.
[00:00:27.458]I started at UNL back at the start of 2014,
[00:00:33.145]but prior to that I worked at Emporia State University
[00:00:36.320]in Emporia, Kansas.
[00:00:38.040]So I've been in it a long time,
[00:00:40.180]in security for about the last 15 years.
[00:00:44.210]So welcome, I hope you'll have fun.
[00:00:48.920]I know you just all had lunch,
[00:00:51.020]and you probably wanna just kind of relax,
[00:00:54.980]but I'm gonna make you do something here,
[00:00:58.350]so hope you're ready for it.
[00:01:02.195]Here's the agenda.
[00:01:03.597]I wanna leave time for all of you,
[00:01:06.920]so we're just gonna scoot right through this.
[00:01:10.898]Here's what I want you to learn from this.
[00:01:12.820]This is gonna be a tabletop exercise.
[00:01:16.400]For those of you that don't know
[00:01:17.820]what a tabletop exercise is,
[00:01:20.350]it's basically a test run of your incident response plan.
[00:01:25.870]And we like to do them in information security
[00:01:30.805]so that when there is an information security event
[00:01:34.714]or incident we can quickly pivot
[00:01:38.809]and do what needs to be done to collect evidence,
[00:01:42.939]to contain, to eradicate the whatever is going on.
[00:01:48.676]Make sure that we've got everything clean
[00:01:52.070]and get the systems back up.
[00:01:54.499]So this is kind of what we're gonna emulate today.
[00:01:58.320]When you do a tabletop exercise
[00:02:00.690]you pretend that
[00:02:04.563]you all don't know
[00:02:06.500]all the information at the same time.
[00:02:10.260]So you have to deploy different ways
[00:02:12.858]of getting information out to kind of replicate
[00:02:18.244]what would happen in a real life incident.
[00:02:21.720]There's many roles,
[00:02:23.660]and I'm glad to see that we have quite a few participants,
[00:02:27.030]because I think there's enough roles for at least 17 people.
[00:02:32.970]But we can have duplicate.
[00:02:34.830]But anyways, there's different roles,
[00:02:36.950]and different ways that people
[00:02:39.181]add to the incident response efforts.
[00:02:43.751]You're gonna learn today how important it is
[00:02:46.660]to share information,
[00:02:48.260]and to share it in a timely manner.
[00:02:51.620]And I'm using a different type of approach.
[00:02:55.380]So I am using a murder mystery,
[00:02:59.540]well a mystery motif.
[00:03:01.840]You've probably been to a mystery theater,
[00:03:04.553]where maybe it included food,
[00:03:08.110]and you're given roles and booklets,
[00:03:12.990]and you are going to role play.
[00:03:16.442]And there is some information that you can share.
[00:03:20.453]And in the booklet there's gonna be information
[00:03:24.605]that you do not share.
[00:03:27.042]And so I've kind of created this incident
[00:03:33.930]to reflect like a murder mystery evening or event.
[00:03:40.509]And if you've ever been to a mystery theater
[00:03:44.216]you know that it can go for a little while.
[00:03:48.640]We have 50 minutes,
[00:03:50.730]so we're not gonna get through the entire incident.
[00:03:54.780]I'm not even sure we'll get through
[00:03:56.103]what I want us to get through.
[00:03:57.860]We're gonna try.
[00:03:59.840]But what I want you to do is to have fun with your role,
[00:04:05.062]share the information that needs to be shared,
[00:04:08.510]keep the stuff secret that you're supposed to keep secret.
[00:04:12.040]And I just want you to kind of get a sense
[00:04:14.250]of how this all works.
[00:04:15.670]And the different approach is to kind of
[00:04:19.030]mix it up for people,
[00:04:22.360]to kind of, 'cause tabletop exercises don't tend
[00:04:25.302]to be a whole lot of fun,
[00:04:28.020]and I like to have fun when I'm working.
[00:04:30.020]So this is a good way to do that.
[00:04:33.649]It's also a great way to show people
[00:04:36.024]who are not involved in the incident response process,
[00:04:39.473]because you'll give them a script,
[00:04:42.759]basically of what they need to do
[00:04:45.050]and what they need to say.
[00:04:46.700]And that's what we're gonna do today.
[00:04:49.007]So no experience is needed.
[00:04:51.699]And I hope you have fun.
[00:04:55.700]So let's get started.
[00:04:58.364]Here's the rules.
[00:05:00.341]When we start,
[00:05:02.680]and if you start talking for the first time,
[00:05:06.720]I want you to,
[00:05:08.770]or if you join in a conversation,
[00:05:10.402]I want you to first introduce yourself,
[00:05:13.730]and then the role that you're playing.
[00:05:16.330]So I would be Cheryl O'dell,
[00:05:20.534]information security team member.
[00:05:24.954]The booklet, now if we were in a physical setting,
[00:05:30.353]you would pick up the part of the booklet
[00:05:32.294]that would be only for your role.
[00:05:37.780]But I only have the booklet available in digital form.
[00:05:44.283]And because of the time commitment,
[00:05:47.540]the time limitations,
[00:05:49.811]it's one booklet.
[00:05:51.884]So you're gonna read your role in the booklet,
[00:05:55.380]you're gonna go to your page or pages,
[00:05:57.156]and when you see stop here, stop there.
[00:06:01.510]Don't keep going.
[00:06:02.530]Don't read through the whole booklet,
[00:06:04.244]'cause then you won't have fun.
[00:06:08.020]Follow the instructions of what you can share
[00:06:10.005]and what you should keep secret.
[00:06:12.560]And I want you to play up your role as much as you want.
[00:06:15.870]Ad lib as much as you want.
[00:06:18.060]It takes all types of personalities in IT, right?
[00:06:22.001]And it takes all types of people
[00:06:24.450]to make the diverse and productive team.
[00:06:26.820]So, if you can turn on your camera,
[00:06:32.100]and I fully expect that when you go to talk
[00:06:38.170]that you're gonna unmute yourself and participate.
[00:06:43.260]So let's go.
[00:06:47.050]I want you to select,
[00:06:48.470]here's the list of roles,
[00:06:50.557]and the number that I need.
[00:06:54.396]If we want two or three people
[00:06:58.722]that wanna be incident commanders, that's fine,
[00:07:00.335]you just need to realize that there might be more than one.
[00:07:04.090]But this is what the scenario I've called for.
[00:07:08.050]So think about a role.
[00:07:09.900]Again, you don't have to have any experience.
[00:07:14.273]You are gonna be given information of what's going on,
[00:07:20.290]and what you can share and what you can't.
[00:07:25.466]So I am gonna just kind of call out
[00:07:29.398]and see if we've got these roles filled.
[00:07:34.330]Do we have someone,
[00:07:36.990]or more than one person
[00:07:38.340]that wants to be an incident commander?
[00:07:40.700]Just holler out yeah.
[00:07:41.930]I don't care who it is.
[00:07:48.701]I'll do it.
[00:07:50.692]How about an IR coordinator?
[00:07:53.200]I need a couple of those.
[00:07:55.190]I can do that.
[00:07:58.840]I need a communications response team member.
[00:08:05.630]I can do that.
[00:08:06.710]Okay, you're not really
[00:08:07.870]gonna have to communicate anything,
[00:08:09.380]but it's, we're playing the roles, right?
[00:08:12.800]I need three information security analysts.
[00:08:18.300]I can be one of those.
[00:08:23.184]All right, at least we got one.
[00:08:25.520]I can do one as well.
[00:08:29.500]How about some server admins?
[00:08:32.860]I'll try that.
[00:08:34.445][Woman] I will too.
[00:08:38.193]How about network team member?
[00:08:42.023]Can I have at least one?
[00:08:47.200]All right, we'll come back.
[00:08:48.150]How about a systems team manager?
[00:08:58.013]All right, we'll work through that.
[00:09:00.450]How about a data center operations manager?
[00:09:08.591]I thought we had enough people in here,
[00:09:12.940]where are all my people?
[00:09:16.970]Cheryl, I'll be a data center person.
[00:09:22.163]Cheryl, in whatever spot you want,
[00:09:24.712]I'll volunteer for anything you want.
[00:09:29.673]Well, it's more about,
[00:09:31.490]okay, I haven't been keeping track.
[00:09:32.980]So help desk team lead.
[00:09:39.250]And network team lead.
[00:09:45.710]I'll take that.
[00:09:48.100]So did anybody decide that they would be
[00:09:50.460]a systems team manager?
[00:09:55.080]Who said that they would do whatever I needed them to do?
[00:09:57.690]I'll take the other Raul.
[00:09:59.483](laughing) All right, the other Raul, you're that person,
[00:10:04.495]the systems team manager.
[00:10:06.374]All right, and did we get anybody to be
[00:10:09.760]a network team manager, or team member?
[00:10:13.350]If not, at least we got the team lead.
[00:10:16.940]I'll be the network team member.
[00:10:21.960]All right, let me copy in the link.
[00:10:24.518]I had to share this link from my personal account.
[00:10:29.800]So I'm gonna put it in chat
[00:10:32.988]as soon as I find chat.
[00:10:37.440]Always at the you can lose stuff
[00:10:41.800]when you're in Zoom,
[00:10:42.680]I just don't get that.
[00:10:44.870]That's to keep you on your toes,
[00:10:46.540]that's all it is.
[00:10:47.876]When you share something it moves all menus
[00:10:49.910]all over the place.
[00:10:51.236]That is true.
[00:10:53.830]All right, where'd you go?
[00:10:57.195]As soon as I find chat.
[00:11:03.160]There it is.
[00:11:05.150]Nope, that isn't.
[00:11:06.650]Okay, I'm gonna stop, I'm gonna chat.
[00:11:18.192]Click on the link in chat,
[00:11:22.690]and then I'll share what you see.
[00:11:29.210]You should see,
[00:11:37.450]you should see this role booklet,
[00:11:42.820]Amplify Your Role.
[00:11:45.500]By the way, while you're going to your role
[00:11:49.834]and reading your information,
[00:11:53.430]this incident is entirely fictional.
[00:11:58.480]I am not representing anybody, anything, any situation,
[00:12:03.050]any story, any technical person, any person alive or dead,
[00:12:07.366]any institution ever.
[00:12:11.278]So I'm not saying this might've happened somewhere,
[00:12:15.325]I'm just saying I've never been involved
[00:12:17.446]in anything like this before.
[00:12:19.984]So I'm gonna give you a couple of minutes
[00:12:25.800]for you to go to your role.
[00:12:29.310]And it's bookmarked so you should be able
[00:12:32.270]just to click on your role link,
[00:12:34.246]and it will take you to your portion
[00:12:40.995]of the incident response.
[00:12:47.120]So this is where I would play music,
[00:12:49.340]but I'll be quiet so you can concentrate.
[00:13:28.750]Now, if you're reading this,
[00:13:30.040]and if you have a question for me,
[00:13:33.770]you can chat me directly.
[00:14:16.525]Looks like people are still reading.
[00:15:08.010]So I know I have one,
[00:15:11.040]I or, IR coordinator,
[00:15:14.617]do I have a second one?
[00:15:19.150]Who all wanted to be an IR coordinator?
[00:15:23.600]Julie, Julia was one.
[00:15:28.920]Oh good, there's our answer, Julia.
[00:16:24.760]So the other Raul,
[00:16:29.100]can you remind me which your role you're doing?
[00:16:32.640]Would be the teams, systems team manager.
[00:16:46.400]All right, does anybody need more time
[00:16:51.280]to understand what's going on
[00:16:54.560]with your role?
[00:17:02.005]I'm hearing nothing.
[00:17:06.740]I think Julia had her hand up for a second.
[00:17:09.770]Sorry, I just,
[00:17:10.603]I just need about 30 more seconds to finish reading
[00:17:12.350]and then I'm good.
[00:17:21.950]It was Mr. Mustard in the camel room.
[00:17:24.770](Laughing) You know, I should have used those names.
[00:17:32.700]I was trying to think of names of nobody I knew.
[00:17:40.469]Yes, Colonel Mustard in the library with the candlestick.
[00:17:46.828]With the candlestick.
[00:17:48.480]Not with the candlestick.
[00:17:51.841]I can tell you that. (laughing)
[00:17:55.610]It was with a network wire.
[00:18:00.180]It's not a wire, it's a cable.
[00:18:02.730]Okay, it's a cable.
[00:18:05.494]It's not a program, it's an application.
[00:18:10.790]All right, so something has happened.
[00:18:14.490]We're not sure why,
[00:18:15.860]we're not sure who.
[00:18:18.263]What we know, when,
[00:18:20.350]and we're not sure how.
[00:18:23.460]We're pretty sure,
[00:18:25.670]we're pretty sure that an incident happened,
[00:18:28.580]and we need to figure it out.
[00:18:30.851]So now next steps, the phone is ringing at the help desk,
[00:18:36.960]it's ringing all over the place.
[00:18:39.150]Operations team desk, network,
[00:18:41.140]even the security team.
[00:18:42.709]Oh the mayhem.
[00:18:44.232]There's an incident.
[00:18:45.905]So time to pull out the incident response plan.
[00:18:50.200]So you have the characters,
[00:18:52.879]and I'm gonna turn it over to you.
[00:19:02.180]So, what has happened here?
[00:19:07.920]At the IT help desk, since seven a.m.,
[00:19:11.350]we've been getting all types of calls
[00:19:13.920]from staff reporting that
[00:19:16.637]their computers were restarted overnight
[00:19:19.460]because of some patches that were applied,
[00:19:23.074]and a lot of people are just calling to double check
[00:19:25.702]that everything was okay.
[00:19:35.180]Is that it?
[00:19:38.007]Is there any other information?
[00:19:40.010]I know that someone got into the data center,
[00:19:41.730]and it must have been a person who had access,
[00:19:43.503]and used an ax to destroy systems in one rack,
[00:19:46.880]front and back.
[00:19:48.240]So the rack of three servers,
[00:19:49.790]it wasn't a full rack,
[00:19:52.340]and all three servers have significant damage
[00:19:54.520]on the front and back sides.
[00:19:56.092]One server in particular was attacked,
[00:19:58.048]and is hanging by one side rails.
[00:20:00.975]Whoever did this was really mad at that one server,
[00:20:04.430]they wanted it out of commission for good.
[00:20:09.740]Our security team has been looking into these servers
[00:20:12.500]that were affected,
[00:20:13.550]and we don't believe that they should be
[00:20:15.710]affecting any legitimate system or service.
[00:20:24.219]Oh, go ahead.
[00:20:25.052]I can share that all three servers that were destroyed
[00:20:27.973]were only redundant servers.
[00:20:30.303]Two are actually not even powered on
[00:20:33.010]because they're ready to be decommissioned,
[00:20:34.798]and the third server we are getting up
[00:20:37.510]because we've had a tape restore system,
[00:20:40.783]in case there was a need to restore from an old tape backup,
[00:20:43.720]but we're not actually using it.
[00:20:47.120]So nothing destroyed should be affecting users.
[00:20:51.960]From the network side,
[00:20:52.920]I don't believe equipment has been affected
[00:20:55.420]by this incident.
[00:20:56.260]I don't know if I have any team members that,
[00:20:57.657]if there's any challenges with the network today.
[00:21:02.770]No, you're correct.
[00:21:03.840]No network equipment has been affected by this incident.
[00:21:07.280]All network services are working correctly,
[00:21:09.530]the access to the internet is working.
[00:21:11.401]The access to the university servers
[00:21:13.870]and systems are working.
[00:21:15.110]And if there are issues reported by end users,
[00:21:17.249]it is not the network.
[00:21:19.580]No changes have been made on any firewalls
[00:21:21.642]or any network equipment
[00:21:23.380]that would be causing end users issues.
[00:21:26.300]If someone could sneak an ax into the data center
[00:21:28.603]and no one from the data center operations team would know,
[00:21:36.330]Just a question,
[00:21:37.330]has anyone contacted the CIO
[00:21:39.330]and let him know that somebody managed
[00:21:41.280]to sneak in with an ax and destroy the servers? (laughing)
[00:21:48.680]In addition to the CIO,
[00:21:50.250]what about the chief information security officer?
[00:21:53.270]Are they in the know about this incident?
[00:21:58.240]There aren't any sort of administration,
[00:22:00.210]it looks like that would be me. (laughing)
[00:22:05.430]It says that I have alerted the CIO
[00:22:13.740]and the others that know the data center operations manager,
[00:22:21.678]So it looks like I have alerted them,
[00:22:23.480]and also the AVP of IT.
[00:22:27.293]This is Mary from operations.
[00:22:28.322]In regards to the question
[00:22:30.037]about how did someone with an ax get into the data center?
[00:22:33.370]We're not sure, we're looking into that at this time.
[00:22:42.010]Do we know any more about what caused this incident
[00:22:44.770]so we can keep it from happening again?
[00:22:58.715]Has anyone communicated with end users
[00:23:01.971]about the servers being down?
[00:23:04.680]Do we need to do that?
[00:23:10.580]There is no, we don't have any service
[00:23:16.060]or system affected by the problem.
[00:23:21.300]They should not have any problem right now.
[00:23:26.790]One thing I can say being the system team manager
[00:23:29.890]is I do know that Tabitha, a student employee,
[00:23:33.350]works at the data center during the night shift.
[00:23:37.910]Apparently that log shows
[00:23:39.970]that she entered the data set at six in the morning today,
[00:23:44.052]but left shortly after, without clocking out.
[00:23:55.040]That sounds important.
[00:23:56.410]Is anyone keeping notes about this incident,
[00:24:00.100]or writing down details?
[00:24:03.110]I'm keeping some locally.
[00:24:05.110]I'm waiting for the document to be created on a server,
[00:24:07.937]and once that's,
[00:24:08.900]or not on a server, but on a,
[00:24:10.140]yeah, on the server.
[00:24:10.973]Once that's done, then I can put them in the,
[00:24:12.740]in that shared document.
[00:24:20.020]One thing I can share is
[00:24:22.330]Anderson, the backup restore service coordinator,
[00:24:24.760]and Mary, the data center operations manager,
[00:24:27.198]is dealing with an HR issue right now,
[00:24:30.230]but is aware of this incident,
[00:24:31.608]and will join this call when they can.
[00:24:39.897]I think, as Raul mentioned earlier,
[00:24:42.470]potentially the only service not working right now
[00:24:45.170]is that old tape backup and restore service.
[00:24:50.829]Yeah, that's correct.
[00:24:52.403]There is some traffic, a little traffic,
[00:24:56.358]but it's not related to the main controller,
[00:25:00.800]so an email or (indistinct).
[00:25:11.910]As a coordinator,
[00:25:12.743]I wanna make sure that we're following all of the steps.
[00:25:14.640]And so we've already gone through detection,
[00:25:16.884]and we're trying to figure out what's happened.
[00:25:20.005]So I wanna make sure that I get everything into the notes.
[00:25:22.140]Have we contained everything?
[00:25:25.802]Is there anything that,
[00:25:27.573]that we need to make sure is contained?
[00:25:32.741]And if we figure out what the cause is, can we eradicate it?
[00:25:47.039]It shows here on my notes
[00:25:48.060]that I, there's a server was struck with an ax
[00:25:53.210]and was left behind.
[00:25:57.797]I don't know where that ax might be.
[00:26:07.550](indistinct) went back to the office.
[00:26:09.480]Well, the sentence tells me that
[00:26:11.384]Anderson found the server destroyed,
[00:26:13.370]grabbed the ax left behind,
[00:26:14.926]and ran after Tabitha.
[00:26:17.960]And when Anderson realized he looked like an ax murderer
[00:26:22.150]he stopped running and went back into the office
[00:26:24.633]and called to explain.
[00:26:27.764]It looks like at this point,
[00:26:29.322]while Anderson was talking to me on the phone,
[00:26:34.040]the university police showed up to question Anderson.
[00:26:47.317]Do we know (indistinct)?
[00:26:54.320]Yeah, at this time there isn't anything
[00:26:55.960]that's affected on the network side,
[00:26:57.393]I just had heard from Mary
[00:27:00.000]that three servers were being decommissioned,
[00:27:02.799]and network connectivity was affecting those at that time.
[00:27:07.520]But other than that,
[00:27:08.353]there wasn't anything on the network side
[00:27:10.370]that's being affected.
[00:27:18.730]I'll call it for y'all,
[00:27:20.140]I know you're struggling.
[00:27:21.346]You did great.
[00:27:23.870]You did awesome.
[00:27:25.722]You shared information that you were supposed to share.
[00:27:31.083]The other Raul, I think you shared a little too much,
[00:27:34.339]but that's okay.
[00:27:38.853]But, so what stands out to you from this exercise?
[00:27:51.150]What, go ahead.
[00:27:53.080]The one thing I could say,
[00:27:54.316]it's funny, 'cause I was worried that I was gonna
[00:27:56.589]touch on the keep secret,
[00:27:58.640]'cause there was section on my side
[00:27:59.980]that says keep secret.
[00:28:01.710]I was, I can't say that part,
[00:28:02.875]I had to keep going back to my other notes.
[00:28:05.320]Anyway, to answer the question you pose,
[00:28:08.279]I believe, basically if there's no preparation
[00:28:13.074]on how to handle an issue,
[00:28:14.629]you get a situation like this,
[00:28:16.950]where everyone's blindly looking for an answer
[00:28:19.640]or providing information that either is relevant,
[00:28:22.093]or if there is a preparation set to say,
[00:28:27.080]well if there is a network down
[00:28:28.600]these are the steps we need to take,
[00:28:29.935]it will make this a lot smoother
[00:28:32.320]rather than calling
[00:28:34.651]okay, who has this information?
[00:28:37.208]If there was preparation,
[00:28:39.075]it would immediately make it
[00:28:41.957]so in the case of the role that I had,
[00:28:43.250]I can present the,
[00:28:45.643]the schedule and the people that work,
[00:28:49.438]and that right there can give
[00:28:51.840]whoever's leading the investigation
[00:28:54.790]to know who they need to ask questions.
[00:28:57.550]So to me, at least in this experience of what,
[00:29:00.116]when I've run into these types of issues,
[00:29:02.326]is that we neglect to train on how to,
[00:29:09.121]how to react to these types of problems,
[00:29:12.195]or at least have a blueprint of what to do.
[00:29:17.050]We're all different, right,
[00:29:18.480]and so we all have different personalities.
[00:29:20.559]Josh was playing the IR commander,
[00:29:23.113]he was new to the university,
[00:29:25.353]you may not have known that.
[00:29:28.190]And so he wasn't sure who all the players were,
[00:29:32.580]but he knew that he's done this for many years,
[00:29:35.340]and he can take over and get this done.
[00:29:38.330]Julia, she was playing both of IR coordinators,
[00:29:42.981]and one of them wanted Josh's job.
[00:29:48.210]She wanted to be the commander,
[00:29:51.851]so she was ready to start taking on Josh,
[00:29:56.041]and saying "Are we doing everything right?
[00:29:58.977]"Are we doing that?"
[00:30:00.150]And then the other IR coordinator,
[00:30:02.550]the two coordinators,
[00:30:04.480]they were supposed to be going,
[00:30:06.247]"Are you taking notes?
[00:30:07.307]"Am I taking notes?
[00:30:08.297]"Who's taking notes?
[00:30:09.227]"Where are the notes?"
[00:30:10.240]You know, that kind of thing.
[00:30:12.890]One thing I wanted to add as well,
[00:30:14.275]being part of the network,
[00:30:16.240]it was kind of just describing
[00:30:17.627]"Oh, it's not the network issue,
[00:30:18.647]"not a network issue,"
[00:30:19.480]but I had some information that was HR-related
[00:30:22.340]that I was told not to talk about,
[00:30:24.210]and with the balancing of kind of
[00:30:26.550]is this an HR issue,
[00:30:27.625]and how much can you expose
[00:30:29.057]because of privacy of peoples and investigation thing,
[00:30:33.360]it's hard to balance that, right?
[00:30:34.660]And trying to get to the point of where,
[00:30:37.255]where the issue is coming from,
[00:30:38.541]it is a hard thing to balance for sure.
[00:30:41.940]And I should catch you up
[00:30:42.987]and make sure everybody knows
[00:30:44.634]that this incident was Tabitha,
[00:30:47.456]who was a student worker in the data operations center,
[00:30:53.763]she had set up a peer to peer file sharing service
[00:30:59.134]on the old backup, tape backup server.
[00:31:03.911]She had uploaded illegal copies of movies,
[00:31:09.230]which I thought I came up with
[00:31:10.107]some pretty good movie titles.
[00:31:12.813]They were pretty good.
[00:31:13.646]They were pretty good.
[00:31:15.290]Zombie Apocalypse 27,
[00:31:18.766]T-Rex vs Godzilla,
[00:31:22.670]When Lucy met Charlie,
[00:31:25.372]and the golden oldie, Swept Away with the Breeze.
[00:31:29.391]Anyway, she set that up,
[00:31:32.214]Tabitha set that up
[00:31:34.050]and was sharing the link out with friends.
[00:31:35.932]And so she was using university equipment
[00:31:38.784]to do illegal, illicit activity.
[00:31:42.750]And Anderson, the server admin,
[00:31:48.570]figured it out, saw the service running,
[00:31:51.581]had figured out it was Tabitha,
[00:31:56.480]the Tabitha admin user ID was used,
[00:31:59.243]so he notified Mary,
[00:32:03.220]who was Tabitha's boss.
[00:32:06.150]They notified HR,
[00:32:07.420]and they were gonna meet with Tabitha
[00:32:10.030]at the end of her shift.
[00:32:11.037]But the jig was up because
[00:32:13.160]HR showed up too early.
[00:32:17.910]And so she was asking "Why are they here?"
[00:32:20.580]And they of course didn't let her know why,
[00:32:23.913]and she got scared.
[00:32:25.830]So she grabbed the fire ax,
[00:32:28.430]you know the ax that's in the fire station,
[00:32:31.111]and she decided she was gonna destroy the server,
[00:32:34.210]because if they destroyed the server
[00:32:36.039]they'd never be able to figure out it was her.
[00:32:38.324]Of course she was in there destroying equipment.
[00:32:42.070]And so she destroyed the server with the ax and ran off.
[00:32:45.770]And Anderson walked in just in time
[00:32:48.650]to see her running off.
[00:32:49.900]And why he picked up the ax,
[00:32:51.672]I don't know, but he did.
[00:32:54.530]And then he started running after Tabitha.
[00:32:57.330]And so people saw him in the parking lot with an ax,
[00:33:02.910]And then he realized what he looked like,
[00:33:05.210]and he decided to go back.
[00:33:07.340]And then university police showed up.
[00:33:09.490]So anyways, that was the whole backstory.
[00:33:13.720]But meanwhile, IT had to handle the issue
[00:33:17.280]that there were some data center issues.
[00:33:20.568]The help desk, that was great, Michael,
[00:33:25.300]the way you shared that information.
[00:33:27.395]What people were calling about
[00:33:29.440]had nothing to do with what was going on in the data center.
[00:33:33.472]But a lot of times that's what it is, right?
[00:33:35.846]You have to piece together,
[00:33:37.713]you get clues from other people,
[00:33:41.489]and you try to piece together.
[00:33:46.720]So what are some other things you might've learned
[00:33:52.542]through this exercise?
[00:33:59.150]I would say that one of the things that I learned is
[00:34:01.480]sharing as much as you know,
[00:34:02.637]even if you don't think it's related,
[00:34:05.000]or has anything to do with it,
[00:34:07.710]it might be a piece of the puzzle that's needed for,
[00:34:10.940]to actually solve it.
[00:34:12.300]'Cause I chose not to share a lot
[00:34:14.310]about the decommissioned servers,
[00:34:15.460]well that would've led back to the fact
[00:34:17.400]that they set up a,
[00:34:18.540]that peer to peer file sharing
[00:34:20.048]on those decommissioning servers,
[00:34:22.257]and so then you could have started piecing that together
[00:34:24.590]a little bit better.
[00:34:25.691]And I didn't share right away
[00:34:27.500]that Anderson and Mary were meeting with HR right now
[00:34:32.690]Well, but with the decommissioned service stuff,
[00:34:35.340]you can't exactly share that
[00:34:36.610]if it's an active police investigation
[00:34:38.800]to something illegal either
[00:34:40.420]with the incident command group.
[00:34:42.930]So there's a very thin line that you can walk with that.
[00:34:48.890]Right, but I didn't know there was,
[00:34:50.080]all I knew is that network connectivity
[00:34:51.454]was affecting those three,
[00:34:52.903]three decommissioned servers.
[00:34:54.680]So I, I could have shared it directly,
[00:34:57.460]and probably should have been earlier.
[00:34:59.050]But, again, it's a personality thing,
[00:35:00.100]it's like "Oh, I didn't think it was that important."
[00:35:01.549]So that kind of comes into play.
[00:35:03.341]So that's a little bit of a downside on my side, my part.
[00:35:10.948]Well, you know,
[00:35:12.490]tabletop exercises are really important
[00:35:15.190]in that preparation that Raul was talking about,
[00:35:19.592]that in order to be able to deal with an HR issue,
[00:35:26.399]the university police being involved,
[00:35:32.460]equipment destroyed, help desk calls,
[00:35:35.043]you've gotta be able to quickly respond in the right way.
[00:35:42.040]You don't wanna just respond
[00:35:43.035]because you want to get it done now,
[00:35:44.737]you have to collect the information,
[00:35:47.988]make sure somebody's keeping track.
[00:35:51.615]You gotta, it's important
[00:35:54.260]from an information security perspective
[00:35:56.818]that when we collect the information that's going on
[00:36:01.500]is that we write everything down
[00:36:03.350]that has been done, at what time, who said what,
[00:36:07.855]and the chain of custody is key.
[00:36:12.618]That ax that, even though it's not information,
[00:36:19.282]Anderson should have left the ax alone,
[00:36:26.710]but that has nothing to do with information security,
[00:36:29.920]but it does have to do with the police investigation.
[00:36:33.260]And whenever there's an incident that occurs
[00:36:36.035]you're not quite sure where the incident might lead,
[00:36:41.307]especially if you don't have the details.
[00:36:43.814]All you know is that three servers are down,
[00:36:46.504]and you have no idea that's gonna lead to something else.
[00:36:51.373]And if nobody had known,
[00:36:55.120]if nobody had caught Tabitha doing this,
[00:37:01.260]and all we knew is that there were,
[00:37:04.365]there was, I dunno, a high volume of network traffic
[00:37:09.143]to the tape backup server, the old tape backup server,
[00:37:13.188]they probably could have kept going on forever and ever.
[00:37:16.371]And this never would have come to light,
[00:37:19.500]and it would have never been an incident.
[00:37:23.407]So, you just never know.
[00:37:24.240]So it's important.
[00:37:25.316]So some of the key objectives here.
[00:37:28.784]Yes, there was, sometimes there is information
[00:37:33.965]you can't share from a legal perspective,
[00:37:36.190]whether it's HR related.
[00:37:39.979]In this instance, it was HR related,
[00:37:43.010]so people couldn't share some of that.
[00:37:46.330]But there's also that rumor mill that's going on.
[00:37:51.910]Some people knew that an ax was involved,
[00:37:54.300]and it was like "Wow, why, who got an ax?"
[00:38:00.950]But it's important to share everything else.
[00:38:04.950]It's important to have somebody
[00:38:06.880]be responsible for writing it down.
[00:38:08.803]You need the IR commander
[00:38:11.690]to make sure that you keep the conversation going,
[00:38:14.613]that all the details are being thought out,
[00:38:18.130]that the right people are getting communicated
[00:38:20.910]at the right time.
[00:38:22.435]But you need somebody else
[00:38:24.795]to be that communications person
[00:38:28.155]so that the commander can keep the team going,
[00:38:31.801]the communications person can worry about
[00:38:34.537]"Okay, it's time to communicate again,"
[00:38:36.789]and they can start getting the right people engaged.
[00:38:44.990]Anyways, so what feedback do you have for me for this?
[00:38:50.930]Did you have fun?
[00:38:54.293]Did you learn anything?
[00:39:00.060]What would you, what would you do to make this better?
[00:39:03.120]What could I do to make this better,
[00:39:05.160]besides give you more time? (laughing)
[00:39:16.520]Should I do this again?
[00:39:18.660]Should I hold this again for other people?
[00:39:21.450]Do you think there would be other people
[00:39:22.970]that would be interested in this?
[00:39:27.499]All right, so what questions do you have?
[00:39:35.050]Or comments or anything?
[00:39:40.901]Something that will be useful
[00:39:45.545]is in the chat to change our names
[00:39:48.397]to the role that we named.
[00:40:08.803]And I should've reminded all of you to introduce yourself,
[00:40:11.320]and the role that you were playing.
[00:40:14.320]From the beginning I should have done that,
[00:40:16.533]but I just kinda let you all go.
[00:40:20.947]And that's a great idea, Raul,
[00:40:23.955]I just didn't know how much time we would have to do that,
[00:40:27.387]how much time it would have taken,
[00:40:29.227]but we would have had time,
[00:40:31.150]'cause it didn't take us long to get through that,
[00:40:34.320]that one scene and that incident response.
[00:40:37.580]So, yeah, definitely changing the name
[00:40:39.610]in Zoom to the role you were playing.
[00:40:46.070]What do you think next steps would be
[00:40:47.730]for this current incident
[00:40:49.087]if we were playing,
[00:40:50.551]if we had a scene two?
[00:41:02.005]Action I guess.
[00:41:07.292]Just looking at it
[00:41:09.203]from the communication response team member perspective,
[00:41:11.250]it would be okay, how much can you actually
[00:41:15.040]tell everyone else about what's going on?
[00:41:17.079]Hey, there was an incident at the,
[00:41:19.642]at the server, but can,
[00:41:24.126]since HR is involved and so forth,
[00:41:27.180]it's figuring out how you can craft your communication,
[00:41:29.393]and you know what you can, and can't say.
[00:41:34.150]Would you need to send a communication out?
[00:41:40.210]I imagine just because
[00:41:41.660]there might be rumors going around
[00:41:43.010]about an ax wielding person in the parking lot,
[00:41:45.010]you'd want something to clarify.
[00:41:47.520]And just go like "Hey, no one was murdered,
[00:41:52.417]"there's no body, just minor incident."
[00:41:55.925]I see Erin's on here,
[00:41:57.800]she may have a suggestion for what not to say. (laughing)
[00:42:02.441]But yes, definitely, you would have to check with HR,
[00:42:07.115]and probably let HR handle that communication.
[00:42:13.871]But from a technical standpoint,
[00:42:17.163]all three servers, they weren't being used by users,
[00:42:21.600]so there's nothing to communicate out there.
[00:42:25.070]Definitely would wanna make sure the CIO,
[00:42:27.980]the ADP of IT and the CISO
[00:42:32.370]were all kept in the loop.
[00:42:34.114]And if I would have had the second scene ready,
[00:42:38.160]that's where we would have come in.
[00:42:40.260]We would have had those players join us,
[00:42:43.657]and they could then be kept up to date.
[00:42:56.021]One of the parts of an incident response plan
[00:43:00.158]is not just preparing and going through the steps
[00:43:04.666]of analyzing, containing, eradicating,
[00:43:08.043]it's also how do we improve our incident response plan?
[00:43:14.060]It's an ongoing thing
[00:43:15.763]because technology changes,
[00:43:18.940]there may be new ways of communicating, who knows.
[00:43:22.677]And so the last step is called an after action plan.
[00:43:27.695]Sometimes it's called a different term,
[00:43:31.130]but what it means is after you're done with the,
[00:43:35.111]the main part of the incident,
[00:43:37.402]you got everything back up,
[00:43:39.909]you give everybody a day or so to,
[00:43:43.908]I guess rest,
[00:43:45.481]but you want that information still fresh in their mind,
[00:43:49.010]and you pull all the players back together,
[00:43:51.286]and you unpack what happened.
[00:43:54.620]And so your facilitator,
[00:43:57.845]it could be anybody,
[00:43:59.620]but usually it's somebody who was not involved
[00:44:02.699]in dealing with the incident.
[00:44:07.750]And that facilitator will lead you through
[00:44:09.850]a list of questions about
[00:44:11.166]okay, what worked well?
[00:44:13.077]What didn't work well?
[00:44:15.910]Does the incident response plan need to be updated?
[00:44:18.394]Are there any policies that need to be looked at?
[00:44:22.270]Any procedures that need to be updated?
[00:44:24.800]And it's a way to continually improve
[00:44:29.180]your incident response plan,
[00:44:30.594]which is a very necessary step,
[00:44:33.327]because it's part of a life cycle.
[00:44:35.990]It's everything that IT is.
[00:44:39.360]You have to continue that way.
[00:44:43.730]I had a question.
[00:44:45.050]So, do you feel that organizations
[00:44:47.880]concentrate a lot on actually what happened technically,
[00:44:51.690]and kind of improving that
[00:44:52.830]and making sure that doesn't happen
[00:44:54.336]so that all the network doesn't go down,
[00:44:56.350]or this, that and the other
[00:44:57.880]and less on the actual process itself?
[00:45:00.720]So for example teasing out
[00:45:02.160]oh, I should've said something at this point,
[00:45:04.410]or that kind of case?
[00:45:05.470]It seems like IT people like to focus
[00:45:07.686]on solving the problem, not so much improving
[00:45:11.470]maybe the process of what led you
[00:45:14.050]to help solve that problem.
[00:45:15.185]You know, I'd say yes and no.
[00:45:18.859]I feel with IT professionals
[00:45:22.366]that I have worked over, worked with over all the years,
[00:45:28.784]they all wanna do the right thing,
[00:45:30.432]it's just that they, they're in their mindset.
[00:45:33.520]When I was a desktop technician,
[00:45:36.555]that was my tunnel vision.
[00:45:39.930]When I became a server admin,
[00:45:42.319]suddenly it's like okay, I'm thinking server level,
[00:45:46.230]I'm not thinking customer level.
[00:45:47.620]So it's, it's real easy to,
[00:45:53.400]to get those blocks on your,
[00:45:58.918]those, I guess those virtual blocks
[00:46:03.620]on what you see in the world.
[00:46:05.033]And that's why we need the team to include all
[00:46:08.560]the different IT perspectives.
[00:46:14.180]Well, I think I'm just about out of time.
[00:46:18.250]Are there any other questions or comments?
[00:46:21.400]My, if you have anything you wanna share with me,
[00:46:24.476]I'll chat my new email address.
[00:46:27.540]It's real easy.
[00:46:33.122]And it was nice seeing some of you,
[00:46:38.063]well nice seeing all of you,
[00:46:39.779]but some of you I worked on a daily basis with,
[00:46:44.320]so it's nice seeing you all again.
[00:46:47.350]But if there are no other questions,
[00:46:52.565]and let's just make it clear
[00:46:55.776]this was all fictional. (laughing)
[00:47:02.899]It does not represent anything.
[00:47:07.124]Yes, okay, good.
[00:47:09.540]Thanks so much.
[00:47:11.307]All right, thank you all.
[00:47:12.830]Thank you, Cheryl.
[00:47:15.264]Thank you, Cheryl.
[00:47:16.700]This was an innovative way to present the content,
[00:47:21.252]and a great model that I personally,
[00:47:24.200]I'm gonna take this and use it in
[00:47:25.687]like the gamification in a teaching and learning scenario.
[00:47:29.360]So when I do trainings for
[00:47:30.777]how do you use Zoom,
[00:47:32.470]and how do you unmute and mute your mic?
[00:47:34.500]Rather than teaching our students and faculty
[00:47:37.120]how to mute and unmute themselves,
[00:47:38.870]let's play a game like this.
[00:47:39.703]And if they're muting and unmuting,
[00:47:41.750]coming on and on,
[00:47:42.583]and doing these certain actions,
[00:47:43.416]if they can figure it out
[00:47:45.060]and do it without instructions
[00:47:46.340]to specifically do it in a gaming scenario like this,
[00:47:49.148]what a great way to learn and then apply it later on.
[00:47:51.612]So thanks for sharing this model with us.
[00:47:55.090]You're very welcome.