Episode 43

What Would You Do? The Value of Acting Out an Attack

We all know that practice makes perfect, and the same holds true when it comes to incident response in the case of a cybersecurity attack.

On this episode of CyberSound, Jason, Steve, and Matt are joined by Linn Freedman, Chair of the Data Privacy and Cybersecurity Team at Robinson+Cole.

Linn discusses the value of acting out an incident, better known as a tabletop exercise, and what is needed to implement these exercises as standard practice for businesses.


Episode Transcript

Unknown Speaker 00:01
This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity, with your hosts, Jason Pufahl, and Steven Maresca.

Jason Pufahl 00:10
Welcome to CyberSound. I’m your host, Jason Pufahl. And as always joined by Steve Maresca and Matt Fusaro. Hey, guys. All right. And we’re fortunate today to be joined by Linn Freedman, who’s the Chair of the Data Privacy and Cybersecurity team at Robinson+Cole. Linn, thanks for joining. My pleasure. So today, we’re going to talk a little bit, we’ve talked incident response a variety of times over the last, say, six months. And I think we tend to come at it from the idea of yo, hey, you’ve had an incident, and let’s talk containment and restoration and all the, you know, all the things that come along with that. I feel a little bit optimistic recently because we’ve had a lot of requests for folks who are interested in doing tabletop. Right, so actually looking a little bit at that preparation side of incident response. So, Linn, we’ve worked together in a variety of ways over the last few years. Done a couple of tabletops, recently. I think we’re looking to do a little bit more, you want to give an overview on, you know, at a high level really, today, what is a tabletop? And we’ll just kind of go from there.

Linn Freedman 01:15
Yeah, sure. So a tabletop is really supposed to be designed to take companies through the process of an incident and really show them that they’re flat-footed, really. Show them that they’re unprepared for the very chaotic situation of an incident. And they’re very valuable because you can walk through all the processes that you would walk through in a real incident in a controlled setting, even though it’s very scary. It’s really designed to test your incident response plan. And it helps companies look at their incident response plan, see if it’s practical and usable. And then use it as they’re going through and responding to an incident that I present or that we present that they don’t know about. And it’s very effective in a controlled setting, but still very scary.


Jason Pufahl 02:21
So you mentioned having an incident response plan, I think you have maybe twice when you drove this, have you done a tabletop for somebody who doesn’t have an incident response plan? Or do you feel it’s a real precursor before you even consider going down that path?

Linn Freedman 02:35
So I think that if a company is thinking about a tabletop exercise, they’re a little more advanced and usually, they have an incident response plan. What I will say is, that I believe it’s very important for you to have an incident response plan to follow during the tabletop because you’re really testing your response. And it’s much more organized and effective if you have a plan in place. So I would say yes, you really do need to have a plan. And then once you have your plan tested through a tabletop exercise.

Steve Maresca 03:18
So what are the overall preparatory steps besides incident response plan in terms of setting up a tabletop organizationally?

Linn Freedman 03:25
So the incident response plan is obviously key and understanding and designating your incident response team, who is going to be on that team that will go through that incident and follow that incident response plan so that you know who the stakeholders are. People understand their roles in the process. These are all ways that you can prepare for a tabletop exercise. The best thing is when companies try to, you know, get me to tell them what the tabletop scenario is ahead of time and I go nope, you’re not getting that because that’s the whole point. It’s going to be a surprise. So because a real incident is a surprise, you can’t really prepare for it. You can prepare by having your plan and your team members in place to respond. Yeah, and well, and you go through different scenarios, very different scenarios that are real-life scenarios so that they can see how these things can happen, how easy it happens, and then how they respond to them.

Matt Fusaro 04:38
How long do they typically run? Should they be prepared for a few hours a whole day, multiple days?

Unknown Speaker 04:45
I think to start, it’s really a phased approach, the first one should be shorter so that you can really talk about the plan. Talk about the team; talk about responsibilities, and then maybe go through one scenario. So I would say a couple of hours. The next one, I think you don’t have all that preparatory work. So you can go to two or three scenarios. So usually I will start with a couple of hours. And then we can go to a three-hour session. If you really want to do a deep dive with getting forensics in and doing an actual exercise. That’s longer. That would be a full day. But to start, I think, to get the flavor of what a tabletop is, a couple of hours is a good way to start.

Jason Pufahl 05:41
We’ve had a couple of discussions where I think we tend to work often in the IT space, right, CIOs and IT folks. We’ve definitely had requests, people saying we only want the IT people involved. And I think your counsel has generally been: you want legal, you want HR, you want representation across the organization. Do you ever do any of that? Are there isolated just to IT staff? Or do you think that’s too limiting?

Linn Freedman 06:09
Well, I think it depends on the goal of the organization, I think any tabletop you do is better than no tabletop, that’s for sure. So you know, I’ve been in situations where they want it to be much more technical, and they start with the IT staff and then bring in others, I think ultimately, you really, first of all, want to have all your tabletop exercises under the cloak of attorney-client privilege and work product. So it’s important that you have legal involved because you want to make sure that it’s protected because you’re talking about your vulnerabilities. And then secondly, I think you really in a true incident, there are so many moving parts that you need a lot of people involved. And companies don’t always understand how important different parts of the organization are to incident response. Communication is key. If your website is down, or your customers can’t get access to their data, well, all of a sudden, your helpdesk is getting a lot of calls. So you need communications, you need executive leadership to be involved. You need the HR folks involved in the event that there’s employee data that’s involved. So I think running through a bunch of scenarios is great because you can see all the different people that might be involved in a real scenario.

Steve Maresca 07:40
You know, going back to the legal representation aspect of it, I’d really like to hear for the benefit of our listeners, what risk there is in not having that participation, because we’ve spoken about it in the past privately, but I think it’s worthy to share it.

Linn Freedman 07:55
Sure. So anytime a company is really talking about vulnerabilities talking about paths that they would take in scenarios and in security incidents, talking about maybe some weaknesses in their plans and in their procedures, you want to protect that in the event that down the road, there’s an incident and a company gets sued, because all of the information, you know, discovery and litigation can be very, very broad. And part of that could encompass your preparation for a security incident. What policies and procedures did you have in place? Did you test? Did you audit? Were there findings? All of these things ultimately may be discoverable in litigation. And usually, if you’re upfront and honest, you’re transparent about your weaknesses, if that’s in documentation, it can be used against you in you know, in the future if you’re in litigation. So at least having the protection or trying to have the protection doesn’t always work but trying to have the protection of attorney-client privilege work product doctrine, so that your legal counsel is involved and legal counsel is directing the tabletop is very important for trying or doing your best to protect the entire conversation and the documentation around that tabletop exercise.

Jason Pufahl 09:49
Even the subsequent follow-up documentation, I assume right? The report that comes out of it or whatever that format looks like?

Linn Freedman 09:56
Yeah, so legal counsel. When I do tabletops, I am the one that provides the follow-up to the company to make sure that it’s confidential.

Jason Pufahl 10:13
So you had made a reference, I think at the beginning that you run a tabletop, and generally, everybody struggles through them. Is it because of the way that they’re constructed? Do you find that you’re an organization that’s gone through an incident, generally is better prepared? Have you had one that you feel like, “wow, they really, they knocked it out of the park, and we just don’t need to think about it.”

Linn Freedman 10:44
So there have been a couple that I think they did very well, I would say that most companies in their first one, learn a whole lot. Many companies now have a cadence of doing several over a period of time, three a year, whatever, and you do different scenarios. I think that the more you do, the better you get, it’s just like practice for a football game. The more you practice, the better you’re gonna get at your plays. And this is all about plays. So I would say that, that I’ve never come out of a tabletop where there weren’t some takeaways and some lessons learned. And some things to do, what I will say is, oftentimes, it’s hard for a company, to keep the takeaways as top priority. And that’s why having a cadence of doing several a year, you’ll find that, when you’re doing the second one, you’re going back to see what the takeaways were from the first and that people still have some things on their to-do list. So a cadence is a really good way to get better.

Jason Pufahl 11:50
So actually, it’s a really interesting point, because we see, during an actual incident, right, there’s always an interest in making security improvements for a period of time, three months, maybe six months, if you’re doing your tabletops regularly, at least that keeps information security or data security in the forefront.

Linn Freedman 12:06
For sure. And you know, what you find is everybody has a day job. And then this is on top of that. And so it’s easy for it to go down on the priority pile. So if you’re doing the tabletops, your data security is going to be a priority, but also if you have a cadence and do several a year, you can actually tick off those to-dos because the month before when you’re planning next one, people are going oops, I didn’t do that.

Jason Pufahl 12:38
Yeah, hold them accountable.

Steve Maresca 12:41
I don’t know about you, Linn, but I tend to feel that many incident response plans, business continuity plans, disaster recovery plans, they’re all aspirational. Right?

Jason Pufahl 12:52
And too long, right?

Linn Freedman 12:54
And way too long.

Steve Maresca 12:57
You know, that there’s the old adage, you know, no battle plan survives contact with the enemy. And I think that’s essentially the main thing to underscore, they’re living documents, they need to be treated like living documents. Tabletops avoid the, you know, well, liability and the crisis feeling of crisis that an actual incident provides, but it gets you the same outcome.

Jason Pufahl 13:21
And you need to be able to take them off the shelf and use them at the time. I mean, we just looked at one that had to be 40 pages long. And I was lost after page two,

Steve Maresca 13:29
right, so unusable.

Linn Freedman 13:30
So when you’re in the middle of a crisis, which is what a security incident is. Say, you’re in the middle of a ransomware attack, which we’re gonna see a whole lot more of because of the conflict in Russia and Ukraine. When you’re in the middle of that, you’re not looking at a 40- or 60-page incident response plan, there’s no way. You need to know, what are we doing? You’ve got to have a cheat sheet. You’ve got to know who to call, you’ve got to know who’s on your plan. And oh, by the way, if you have a ransomware attack, and you can’t get into your contacts, do you have your incident response team on paper somewhere with their cell phone numbers? I mean, that’s, that’s like how nitty-gritty you have to get when you’re in the middle of a chaotic situation, and you can’t have access to any of your data. You need something that’s workable.

Jason Pufahl 14:21
Well, it’s so valuable. You mentioned communications, and I don’t want to go down the path of you all the right things you should do necessarily during an incident but certainly, on our side, every time we’re in the middle of an incident, it’s 50% communications and 50% technical, right? It’s all about managing the expectations internally, managing customer expectations externally. It’s complicated.

Linn Freedman 14:40
And most companies haven’t actually walked through the process that they would take if their customers couldn’t get access to their data; if they couldn’t contact their customers; if they couldn’t do business. They actually haven’t gone through the process of what they would do and who would be responsible for that. And that’s so important, because when it really does happen, then you already know that you already know how you’re going to react.

Steve Maresca 15:09
And some certainly have even, with good intentions, taken steps to (they believe) make their lives a little easier: digitizing records, avoiding paper-based processes, and so forth. And sometimes you need to fall back on that. But if they’re gone, there’s no opportunity.

Jason Pufahl 15:26
Right? Or if you’re not in the office, or if you haven’t taken them home, there are a dozen ways that can be your problem.

Linn Freedman 15:31
Yeah, my tip today for all your listeners is, if you have an incident response team, get all their private emails and all their private cell phone numbers and put it on a piece of paper and take it home.

Jason Pufahl 15:47
So that feels like a good way to wrap. That’s a useful takeaway. And frankly, I like the tip that you made, which was simply just do a tabletop, it doesn’t have to be wildly complicated. You don’t have to make it more than it. Walk through an incident, get a sense of how you might handle it, and then get more formal as you go on. So

Linn Freedman 16:09
Yeah, something is better than nothing, that is for sure.

Jason Pufahl 16:13
Fair enough. So I think that note, that’s wise advice right there. Linn, thanks for joining. It’s been a pleasure to have you. I really appreciate the insight. Hopefully, as always, you know, people have taken something away from this, have had an opportunity to learn a little bit, and can move forward. So then thank you. Anybody who wants to talk more about tabletops, feel free to reach out to us at LinkedIn- Vancord. We’re happy to have a conversation. We’re happy to help you however we can. Linn’s obviously a great resource. So maybe we can have a conversation in the future. Linn, thanks.

Linn Freedman 16:46
Thank you.

Unknown Speaker 16:50
Stay vigilant, stay resilient. This has been CyberSound.
