
The Audit - Cybersecurity Podcast
Brought to you by IT Audit Labs. Trusted cyber security experts and their guests discuss common security threats, threat actor techniques and other industry topics. IT Audit Labs provides organizations with the leverage of a network of partners and specialists suited for your needs.
We are experts at assessing security risk and compliance, while providing administrative and technical controls to improve our clients’ data security. Our threat assessments find the soft spots before the bad guys do, identifying likelihood and impact, while our security control assessments rank the level of maturity relative to the size of the organization.
Field Notes: Why Cyber Attacks Are Accelerating
The threat landscape is moving faster than ever—and traditional response playbooks aren't keeping up. In this live Field Notes episode, Eric Brown and Nick Mellum dive into the surge of recent cyberattacks hitting state governments, transit systems, and critical infrastructure across the U.S.
From Nevada's complete state office shutdown to Maryland's Metro Transit paralysis, the hosts explore why organizations still "clam up" during breaches instead of sharing crucial threat intelligence. Drawing from their firsthand experience with the St. Paul incident and military-grade preparedness principles, they reveal the uncomfortable truth: you're not building higher walls anymore—you're planning for someone who's already inside.
Key Topics Covered:
- Recent state-level cyberattacks in Nevada and Maryland
- Why threat intelligence sharing fails when we need it most
- The human cost of breach response chaos and endless meetings
- How AI is being weaponized in sophisticated supply chain attacks
- Military mindset for cybersecurity: "Semper Gumby, always flexible"
Don't wait for the next headline. Subscribe for more unfiltered cybersecurity discussions that bridge the gap between technical reality and human preparation.
#cybersecurity #infosec #breach #threatintelligence #fieldnotes #livecast #CISO #cybersecuritynews
Speaker 1: Morning Nick, how you doing?
Speaker 2: Good sir, how are you?
Speaker 1: Doing well. So we're coming with a new podcast here, right? We've got the Field Notes and it's live. We're live right now, 7:30 in the morning, Thursday. Nick, what's the thought behind Field Notes here?
Speaker 2: Yeah, I think around IT Audit Labs we always want to build community, bring people together, share knowledge throughout the space, and I think this is another one of those mediums to do that. So what we're doing with that is bringing everybody together, having a cup of coffee in the morning before you get your day started, maybe spark some new thoughts and ideas, and we can do that in a space where people can ask questions and we can just have free-flowing conversation. So I think that's just an evolution of growing the community.
Speaker 1: Awesome. Speaking of that, we did game night last night here. So we do the monthly game night, first Wednesday of every month. We had a great turnout last night. I think we had like 20 or some people and we played a game called Blood on the Clocktower, which is a social deduction game, and there's a murder that happens in a town. And there's some bad people mixed into the group and the group's trying to figure out who's good, who's bad. Happy to say, I was on the team of the bad guys and we won.
Speaker 2: So what's the art of this game? Is there a little bit of social engineering?
Speaker 1: Yeah, it's all social engineering and misdirection and trying to figure out what role people are playing, so kind of like a real-world security team.
Speaker 2: I got a couple of text messages from fellow game night attendees with some pictures of you guys playing and I think they said it's a pretty intense game. It takes a long time, you're in the game for a while, so it's not a simple game to play.
Speaker 1: You're in it. Yeah, you're in it for a while.
Speaker 2: It took, I think, about three and a half hours to play one game. I think I'd be a spectator. I'd be watching you guys play. It's a long time to be committed to a game. Nick, we do you.
Speaker 1: We've got a couple coffee themes, right, so he's doing a coffee-themed podcast, Cyber Sips. It's going live this week, I think the first one. A lot of coffee themes. We're talking a little bit about coffee today. What are you drinking, Nick, today?
Speaker 2: Actually, we switched it up. My wife and I got some Tim Hortons coffee that we brewed this morning, but I think the most important thing is drinking it out of our Victory mug from the CTF, not that long ago, if everybody remembers. So I thought it'd taste like victory, would be the perfect theme of the morning. So the coffee's so-so. I mean, I prefer my Black Rifle coffee from America, but we'll give a nod to our neighbors to the north, but the cup is what we care about. Nice, how about yourself?
Speaker 1: Well, I've got, I do kind of this mail-order coffee from, I think it's a company called Atlas Coffee Company, and today I'm drinking something from Ecuador. But let's go back to that thing there, Nick, because part of this podcast I think we want to talk about is the other side of security, right. So I mean, you know, we're humans, we work in teams with other humans and there's that human side of the interactions that we all have. We talk about game night, right, and it's that community bringing people together and doing this work that we do in the field.
Speaker 2: I think you hit the nail on the head that we're still humans. We're reading the news, like everybody else. We're trying to stay in front of these things, and I think one of the topics we want to talk about today is how much, or the ramp, that these attacks have been coming in. I don't know if everybody shares the same thought as we do, but it seems over the past maybe year or less, a little less, it seems like the attacks, or breaches.
Speaker 2: We hate to say the B word, but it has picked up speed, and so kind of wanted to chat about that. There's a couple articles that we can spin off of that. There was one, I think it was from Nevada, and this was from a week ago or so, where the state offices shut down their networks because of an attack they had. They closed the state offices, the websites are offline, the phone lines were offline, so they had a major outage. And then we had another one. Eric, I think you found both of these. There's another cybersecurity incident in Maryland affecting Metro Transit, where I think, from what we were reading here, the mobility, all of MTA, was shut down. They couldn't schedule new trips, they couldn't send trips, they couldn't take bookings for upcoming trips and any existing trips that were currently happening, so they couldn't schedule anything. There was a major outage there. So obviously big deals for both these states to be dealing with.
Speaker 1: Yeah, and we're coming off of the work here in Minnesota with the St Paul breach and the ramifications of that that are still being dealt with, and Nick, one of us was on the news a couple times talking about it. But you know, and there's lots of things that you want to say, but you really, you really can't say. The floor is yours. Well, oh boy, I'll get to that. And I think what we want to talk about on this podcast is that opportunity to really maybe share some of the human insights of things, some stuff about our personal lives. We'll probably talk a little bit about aviation, because I do some flying, talk about coffee, talk about other activities that we're doing outside of work, just to bring some of that human element in it, and you did mention that contest.
Speaker 1: You and I had a bet. Your team came in first, we did not. I don't remember exactly where we came in, but it wasn't first and I think we're going to have a rematch on that, aren't we, Nick?
Speaker 2: We're going to figure out a time for a rematch, yep, and we'll probably do the same thing we did last time. We won't train very much, we'll do our normal things, we'll come in and we'll.
Speaker 1: We'll try to take first again. So you said you didn't train, but I heard that you had reached out to the CTF manufacturer and were, this might make news, but continue up here. You were getting some coaching.
Speaker 2: I can't say this is true. I can't say this is true. No, we do know the CTF owners, though, of this, but I can't say there was any communication with them prior to testing or competition.
Speaker 1: Interesting. So, on these breaches, right, it is frustrating that we don't learn what the IOCs, or the indicators of compromise, are early on. Right, we're in the space, we're working with customers, we're running teams in the space, and it's really difficult to get information, just as simply as what were the IOCs, what were you seeing, so that we can all react to it? And it's unfortunate that it seems 99% of the organizations involved in a breach clam up. And Nick, you were real close to the last one. You were working side by side with some of the folks on the mitigation piece. Did you have any direction that you really couldn't share? What was going on at the time?
Speaker 2: I think we had a little bit. I don't want to say information that we couldn't share, but you know, people were keeping things a little close to the vest because we were getting information siphoned to us. I would say broken comms, right? They were telling us some things but we weren't getting clear guidance. So we had to go into a defensive posture because we had intersecting points with St Paul, so, you know, siphoning off some information, going to these meetings that were being set up by the state as well, and any other organization was welcome as well in the area that they could go to. But yeah, we didn't have, I wouldn't say we had special information, but some of our leaders were a little bit closer than I think others might have been allowed.
Speaker 2: But I would agree, I think that was some of our, and this isn't just for the St Paul incident. I think we see this a lot where, and you said it perfectly, they clam up information getting out, especially for organizations like us that are hosting or helping many different companies with their cybersecurity that have intersecting points, and this could be anybody, any breach besides St Paul, and you know, we need to get this information so we can understand what we need to secure, right, and then in return, if we know what the problem is, we can turn around and help the organization that's having a current issue.
Speaker 1: Yeah, and we've got close relationships with Homeland Security, CISA, FBI, with InfraGard, and even folks in those communities weren't getting great details about what was going on. I think we learned what the IOCs were maybe 12 hours before they were posted out by the BCA, or the Bureau of Criminal Apprehension, and sort of broadcast out to the people that are part of that group which get those IOCs. I think we didn't really have much time to react to it either. So, yeah, that is frustrating. I think Evan Francen over at FRSecure a while ago was starting a series during the pandemic of how do we fix a broken industry, and I think this is one of the things that continues to be broken in the industry, is just that lack of communication where we're trying to help each other, right.
Speaker 1: CISO to CISO, and we're just not there yet.
Speaker 2: Yeah, you want to all band together in time of crisis, and do you have any thoughts on why that would be? Do you think it's fear of public? You know, people coming out saying, you know, why did this happen? You know, what's happening or what are you doing about it, or are they just not prepared for that conversation at all?
Speaker 1: So at a previous organization that I was a fractional CISO of, I'd been there for three or four years. During that time we were involved in a breach. It was one of our partners was breached. They had some of our data. That data was getting, they had gotten ransomed.
Speaker 1: They were real closed off about exactly what was happening. Subsequently, they did share how the threat actors got in, but it was the way in which the organization that I was involved with reacted was interesting. It was just tons of internal meetings, not just on the technical side, about how do we make sure that the data that could have been exfiltrated didn't contain any sensitive information or it was all encrypted or what have you, but it was just around the communications out.
Speaker 1: What are we going to say? Who's going to say it? How do we say it? I probably spent, in the first week, it was probably a 70-hour work week. I don't think any less than 30 hours of that were around the optics of internal messaging, external messaging, posturing, and it was like, we got a lot of work to do. I don't have time to sit in these meetings, but you know there was probably three different meetings about the same topic with different groups throughout all levels of the organization.
Speaker 2: Instead of spending all that time in the meetings, you want to be boots on the ground with the guys and girls doing the work to either come back from breach or protect the walls. You want to be on the front lines. Yeah, it's that constant.
Speaker 1: You know there's something going on. Technical teams are trying to work on it and then some of the leadership team are trying to get information, so it's that constant, okay, well, you know, what do we know? Well,
Speaker 1: we know about the same amount that we knew 15 minutes ago. Another 15 minutes, right, and I think, where organizations that haven't drilled this and practiced it through tabletop exercises just get into that cycle of, it's just kind of chaos and panic. So you've got to do the drills, you got to do the tabletop exercises so that when something happens, you know how to react to it. And you know, Nick, I think I'm just seeing that more and more as these breaches are just becoming more and more prevalent. The need to do the tabletop exercises, small ones as a team, the infrastructure team, all right, how are we going to restore from backup? Are the backups immutable? How do we get to them? How do we recover? What if there's malicious content in the backups? Just kind of drilling that. So it's not when you get woken up at 4 a.m. saying you need to restore these four servers right now, and then you have 15 people calling you about the same thing. You've already rehearsed it and you have your playbooks. Without that, right, it's just chaos.
Speaker 2: Yeah, and yeah, I totally agree. You got to do tabletops, hopefully annually or more. But you know, if we continue to train these things, muscle memory is what you want, and if you can get your whole team to have that muscle memory, people just kick in and do work instead of people lining up behind the leader for you to shuffle them around, so you've wasted less time doing that. That even cuts out a meeting. You could designate somebody for communication, sending that upwards, or set up times for communication. Hey, you'll get updates at these times, this.
Speaker 2: But you kind of led me to something I was thinking about last night, and I was thinking about the culture we're in for cybersecurity, and I kind of came up with this loose quote, but it was, and I wrote it down here, and I was thinking: security isn't about building higher walls, it's about knowing somebody's already inside and being ready for them.
Speaker 2: And I think that is exactly what we need to be doing, is, you know, practicing, assume breach, that potentially somebody is already inside, but we're so confident in our systems and our operators that, you know, we're always ready for something.
Speaker 2: And I always draw back to my military experience. We trained constantly, always doing training missions in the field, live fire training, so you're ready. You don't just get sent somewhere into harm's way, not knowing those weapon systems or tactics that we would use in that theater. So it's the same thing here. We've seen we have a good threat landscape of previous IOCs and what we can do to be training, and we need to do that so we can come in with a tabletop exercise to any organization and help them train. But we need to be talking to everybody at that organization, not just the operators. You know, you want to train and practice with them, but also talking to the people, you know, around the organization, you know, the janitor, to see, you know, what they know and what they can do and help, and getting people in these right sections to do the good work that they can do to help out in a time of crisis.
Speaker 1: This reminds me of a conversation we had last night with one of the folks that was at game night, and he was dealing with an incident that had happened a few days prior. But the attack vector was a little different. He's a reverse engineer by trade, and the organization that he was working with had seen an attack come in through a compromised vendor update, and that's not all that unusual. But this was the first time that he saw an AI tool involved in exfiltration of data. So the malicious update from the vendor was able to run some AI commands, or essentially use AI cloud to create prompts to go out and collect certain information off of that system, package it up and send it out in an encrypted way, I think, to a GitHub repository. So it was just interesting to just hear about how sophisticated and smart and crafty the threat actors are, and we know that, right. But there's always going to be another attack vector that we haven't even thought of. So there's only so much drilling and training that you can do for specific attack vectors.
Speaker 1: But, like you said, that drilling and training for, you know, what do you do in the event of there's something happening now. How do we work together to react to it? And, Nick, I'll leave with a story that kind of reminded me of my childhood.
Speaker 1: I was raised by my mom, and she was going to get higher education, going through her bachelor's, or associate's and then bachelor's, and then eventually her master's degree, and at the time going back and forth between the coasts to go to the college that she wanted to go to, and I traveled a ton. I think maybe 16 times before I graduated college. It was just a ton of back and forth between the East Coast and the West Coast, 'cause we had some relatives on the West Coast, and I was a little kid at the time of this story. But we're traveling from, I think it was Maryland at the time, or maybe I was in third grade, and we were traveling to
Speaker 1: California over the summer and driving an older Chevy pulling a U-Haul going across the country. My mom and I, I'm real young, and we would always drive sunup to sundown, find a hotel and stay the night, get up bright and early.
Speaker 1: As a kid, driving 13 hours a day is really boring. So I'd always be like, all, you know, when are we going to stop? And this is before satellites, or commercially available satellites and navigation systems. So it's all paper maps. It's the Rand McNally map book and we're driving across, I think it was Wyoming, and it gets pitch dark at night, as you can imagine. Right, you know, you're in between towns and it's just a really dark road, and I think we were trying to get to,
Speaker 1: there's a place called Little America, which is like this big gas station, like, I don't know, 100 or so pumps or something crazy, but anyway, we're probably like 45 minutes from there. The sun's down and my mom's like, yeah, we're just going to get to this stop.
Speaker 1: And there's a car in front of us, and in front of that car is a tractor trailer, and it's just the three of us going on this black stretch of highway, and you can see the tractor trailer hit his brakes a couple times, right. Probably all going pretty fast, maybe 70, 80. And the tractor trailer then slams its brakes on, pulls across the highway, blocking both lanes. So cars coming towards us, and there wasn't any. And then, you know, us, and there's nobody behind us, and there's just the tractor trailer, the car in front, and then us, and then the driver of the tractor trailer gets out of the cab, and you can see all this in the headlights of the car in front of us.
Speaker 1: Reaches behind his seat, comes towards the car with a tire iron. Tink, smashes out the left headlight of the car in front of us. Tink, smashes out the right headlight of the car in front of us. Now there's no lights, just the brake lights of that car and our lights and the truck's lights, which are across the highway, and the whole truck's kind of lit up with their lights.
Speaker 1: The driver gets back in the cab, shuts the door, drives off, and the way my mom tells the story is we're just sitting there, right, just stunned, shocked. And then finally, when the tractor trailer lights are way off in the distance, my mom pulls forward again and keeps driving, and you know, at the time we're like, well, do we help the people? Right, I was a little kid. You know, she's a woman traveling alone with a little kid. You know, what do you do? And you know, we kept going, stayed way far behind the tractor trailer. But the point of the story is that car in front, one, didn't recognize that he was following the tractor trailer too close with his brights on, and the tractor trailer driver had enough of it, took care of the problem, right. But after we left that person in that car, those people in that car, just, you know, then were stranded with no lights, right.
Speaker 1: It's impossible to drive because it's just pitch dark. There's no street lights, right, it's just, you know, a black highway.
Speaker 1: So then, you know, where's the playbook for that? There isn't one, and it just reminds me of, we get put into these situations like this all the time. How do we react to it? What do we do? And by situations like this I don't mean a tractor trailer driver knocking out your headlights, but just the unexpected and the unknown, like the AI attacks that, you know, yesterday you wouldn't have even thought it was an attack vector, but, you know, here you are dealing with a vendor update that was a bad update. So it's just being able to plan for the unplanned.
Speaker 2: Semper Gumby, always flexible. Yeah, no, it's a good story that we can draw back to the things that we're doing and repetition training. You know, invest in your operators, make sure they're continuing to train, training that they can go during the day, practice, do CTFs, tabletop exercises. There's so many things that we can do, but we need to also train our staff. You know, phishing emails, right, sending those things out, newsletters, all kinds of things we can do. But we're probably up on time here.
Speaker 1: Let's get out of here. We got you. I do. Yeah, good one, we'll see. When are we doing this? Is it monthly?
Speaker 2: I think we're gonna try monthly. We might play with the times too to see what everybody likes. We can do mornings, we can do afternoons, so we'll take a poll from the audience and see if lunchtime or morning's better. Have a great day, Nick. Yep, you too, sir. We'll see you. Yeah, thanks all.