When it comes to cybersecurity, you can never be overprepared. In fact, one of the most-requested activities our partners at Cisco Talos get from companies concerned about cybersecurity threats is to conduct a “tabletop exercise” where they play out a variety of threat scenarios and responses.
On this episode of The Disruptive Enterprise Podcast – Part 2 of a two-part series – host Gregory J. Turner, CRO/CIO at MTM Technologies, and his guest Sean Mason, General Manager of Cisco Talos Incident Response at Cisco, discuss how to use real-world scenarios and experiences to plan before a crisis begins.
Who’s ready to talk about cybersecurity incident response?
Practicing Immediate Responses for Cybersecurity Threats (Part 2)
By Gregory J. Turner, CRO/CIO for MTM Technologies, with Sean Mason, General Manager of Cisco Talos Incident Response at Cisco
Gregory Turner: Welcome back to part two of our discussion on security with my guest, Sean Mason, General Manager of Cisco Talos. If you haven’t listened to part one, please do so and then come back to this episode. And now, let’s get into part two of our podcast. I’d like to turn the attention a little bit to tabletop exercises. Could you talk a little bit about this aspect of your services and why this is such a good idea?
Sean Mason: Yeah. And tabletops, as I always say, they’re the number one most requested product or service that we actually have. And I don’t know if you knew that when you asked me this. And I’d say it really kind of picked up when ransomware really started taking off, right? And we had a lot of folks going, “Whoa. I don’t want that to happen to me. Those guys don’t know what they’re doing,” as all these news articles come out, all this information maybe gets leaked behind the scenes about this or the other, there’s a lot of Monday morning quarterbacks, if you will.
Sean Mason: And a lot of folks go, “Hey, I really want to take a step back and I want to put my organization through an exercise where we can understand how we would actually respond.” So, we have a couple of canned situations, but realistically, we really try to tailor them to the organization. What’s top of mind for them? What are really their biggest concerns, right? And then, also, additionally, if they’re aware of anything, maybe they help us build it and maybe throw in some curve balls as well to these tabletops.
Sean Mason: So, if you think about it, it’s usually a couple hours that we go through per scenario, right? And we walk through as simple as an idea of, “Hey, the help desk is receiving a bunch of phone calls”, right? “Okay. Let me look around a table of 30, 50 people,” whatever it is in the room, “Who here is from the help desk? What do you do? Looks like, oh, there’s a phone call, answer the phone call.” Well, now, this other guy is getting a phone call and then, you kind of escalate it over time.
Sean Mason: And again, as I mentioned, you kind of start throwing some curve balls in there as you go along, right? Ultimately, you’re trying to get people to think through what’s happening. You’re feeding them a little bit more information as you go and you’re seeing who they’re going to interact with, what do their SOPs say and then, ultimately, how would they truly respond, right? You’re not in the middle of a crisis, but you are walking through essentially a crisis situation.
Sean Mason: And from our perspective, we usually have somebody leading the conversation, they’re usually presenting, walking folks through it. And then, also, given the experience that we have just responding to a lot of these incidents, we’re also peppering in a lot of our real-world experience, right? “Well, hey, that’s a really interesting thing that you just said, but I can also tell you that we’ve seen this twice in the last month, where somebody who took that course of action maybe went down the wrong path and let me explain why.”
Sean Mason: So, bringing a lot of that real-world experience into that tabletop is, to me, immensely valuable. And then, the second individual is usually sitting there taking notes, right? And it could be something you’re just not even thinking about and they catch on to it, because again, we’ve gone through this time and time again, both from an emergency perspective but also from a tabletop perspective.
Sean Mason: So, at the end of the day—and I say at the end of the day, it’s usually a little while later I could put together a formal report and debrief, but we walk you through, “Hey, here are some areas that I thought you really excelled at as an organization, some areas that you really shouldn’t mess with. And then, here are some areas for improvement based on our experience. And this is what we would suggest working on moving forward.”
Sean Mason: So, at the very high level, that’s what the tabletops are. And then, the other thing I would say is kudos to the Cisco Talos Incident Response team, because over the years, we’ve really tried a couple of different approaches as well. So, the typical, “Hey, we got a PowerPoint. Let’s put it up there,” very basic, standard approach, it’s great, but we also have gone down the path of things that are very technical.
Sean Mason: So, maybe just a little hands-on-the-keyboard action, right? “Hey, let’s get into some tools and see how that works out.” All the way to things where we even have some dice floating around with our cool CTIR logo on them that we use for maybe adding in some random elements of chance, right? So, it’s more of, what we call, a gamified tabletop as well. So, it can be a little bit more fun, a little bit more engaging, but the idea is to learn more about the organization, learn more about the approach towards incident response when your hair is not on fire.
Gregory Turner: Right. And is that a service that our clients could obtain regardless of where they are in the continuum of improving their cybersecurity framework?
Sean Mason: Absolutely. When I go back to the Cisco Talos Incident Response Retainer, not only is it used for in case of emergency, but we also baked in all of the proactive services that we have. It really just kind of comes down to what makes the most sense for the organization today, right? So, all the way from tabletops to IR plan refreshes to maybe drawing up some new playbooks, which frankly, would probably be drawing up some playbooks with the adversaries really kind of changing their approach right now, to the threat hunting, the compromise assessments, to the cyber range, so on and so forth.
Sean Mason: And when I think of tabletops in particular, you say okay on the continuum, to me, some of the best organizations in the world, and when I say some of the best, they’ve truly invested in security, they have very large teams, they know their way around security tools, the data they have all squared away, it’s kind of textbook, if you will, they’re doing tabletops maybe every quarter, right? So, it’s not just a one and done and walk away, right? As I said, some of the best in the world, they’re doing this on repeat, because they want to continually get better.
Gregory Turner: Right. Yeah. I think it’s an excellent tool. I am very impressed with the approach. And I would like to see organizations maybe even do a tabletop exercise as part of an initial current state assessment. And then, based on the recommendations that came out of that and again, there might be some things that you’re doing really well, but there’s other areas that you can improve upon. And then, using that to build a very pragmatic, “Hey, here’s an approach that we’re going to take to improve our security framework. And then, use that method, tabletop exercise, on a periodic basis to test whether or not you, in fact, did improve it.”
Sean Mason: Yeah.
Gregory Turner: I’m a big believer in pragmatic and use-case modeling. So-
Sean Mason: Yeah. And just one last comment on tabletops, but we actually had a customer go through and perform a tabletop with us. And I think I want to say it’s about two weeks, maybe a little bit more later, where they actually got hit with a pretty large ransomware case. And one of the first comments they made to my team was, “I’m so glad we just went through that tabletop, because we know exactly where we are weak and we know exactly where we are strong and we just worked with you because we actually use the same consultants”, right? They kind of get married to a client and everybody knew everybody and we just basically got to work, but this time, with a little bit more fire in our hair. But it really changed the approach of the incident, because it was no more just, I don’t know-
Gregory Turner: A deer in the headlights. Yeah.
Sean Mason: Yeah. That’s a good way to put it. Thank you. So, it showed its value immediately. It was pretty awesome.
Gregory Turner: That’s great. Maybe to go through a little bit more about the service, there’s two areas, one is compromise assessments and then, the other is threat hunting. Can you tell me a little bit about those? And how are they different? They kind of seem similar.
Sean Mason: Yeah. That’s a good question. And I’d still say even to this day, there’s still a little misunderstanding between the two, right? So, when I think of a compromise assessment, I tend to think of a very broad view of the environment, right? And a lot of folks say, “Well, am I compromised where you really have to get in the weeds?” “Yeah, but no”, right? So, when I think of a compromise assessment, I think, “Let me look as best I can across the entire network.”
Sean Mason: Now, that is not trivial, right? You’re not going to be able to do forensics on every single device, especially if you’re talking an enterprise that has maybe half-a-million devices out there. It’s just not going to happen. And to me, I think that’s where you use and leverage a lot of tooling, right? And proud plug for Cisco, we have a lot of enterprise grade tools, right? So, if we can bring something in like maybe AMP for Endpoints, maybe Stealthwatch, maybe Umbrella, or, heck, if the customer maybe has a SIEM tool or frankly, the other thing is we can maybe live off the land.
Sean Mason: If there’s already something installed, let’s take a look at what that data is showing us, right? And we can take a broader view of the world and understand where do we have problems, what’s actually going on, and are there things we maybe have to dive deeper on, right? So, instead of trying to hit half-a-million endpoints as I kind of used as my example, maybe we only have to look at 20 of them or so, they’re really kind of saying, “Hey, you should take a look.”
Sean Mason: And I can tell you from time and time again of having done this for years, sometimes, just opening up a security console that’s maybe not been looked at in months, it’s pretty telling already, right? To me, that’s more of what a compromise assessment is going to be, as opposed to a threat hunt. And when it comes to hunting, a lot of different theories out there, but to me, the key thing is it’s usually based on a hypothesis, which is, I remember we did this one for a client maybe a year or so ago at this point, but the idea is, “Hey, we think we’re leaking data out of a specific office.”
Sean Mason: Well, we took that as the hypothesis, right? The hypothesis being there is data leaving the company from this office and we kind of work backwards from there. We said, “Hey, we don’t have to look at the entire organization, we just really have to look at maybe a geographical location and then, go from there”, right? So, it was very tightly scoped. Some other ideas would be, “Maybe I feel like my external-facing web servers are compromised and I might have adversaries with a foothold there.”
Sean Mason: Well, now, you just moved away from looking at maybe individual user endpoints, maybe your Active Directory domain controllers, maybe now, you’re just looking at your web servers and what’s out there in your DMZ. So, it’s really about scoping down and limiting the scope of what you’re looking at. And then, frankly, just some other things, too, when I think about kind of back to one of your first questions, which was the intelligence-driven approach, well, thinking about what I was saying around the data being FTP’ed out of the organization, that would be a very good reason to do a hunt right now.
Sean Mason: I have this hypothesis saying, “Maybe the Maze team is in here and maybe they’re exfilling data over FTP. Well, you know what, let me go see what tools and telemetry I have available so that I can turn my attention there and see if I can discover something”, right? To me, that is the, I don’t know, real definition and real definite use-case, frankly, right now that people should be doing around hunting.
Gregory Turner: That’s excellent. Great. Thank you for making that clear and that does really help to understand the suite of services that are part of the Talos Incident Response services. Sean, there’s a lot of stuff that’s out there and there’s probably a hundred more questions that I could ask you, but what I’d like to do is maybe put it to you this way, what should I have asked you that I didn’t? And what is it that you really want to get across to our listeners today?
Sean Mason: Yeah. That’s a really good question. And I think throughout this, I’ve talked about some of the changes in the adversaries’ TTPs, which we’re seeing right now. So, I think the first thing is, what should I, as a security practitioner, do? And to me, that would be make sure you’re going out there and reading as much as you can. In particular, I would ask you to take a look at the talosintelligence.com website.
Sean Mason: We tend to put as much information as we can out there as quickly as we can to make sure folks are armed, right? And you don’t necessarily need to be a Cisco customer or a Cisco Talos Incident Response customer to get value out of that, right? So, I think that would be one of the things I would do, is make sure you’re going out there and reading and understanding and learning as much as you can.
Sean Mason: And then, I think secondly, kind of back to some of our conversation around cyber insurance, we’ve touched on the retainer, I would tell you this, I think—and let me back up just a second, too, because I was going through some old notes today. I guess it’s end of the year, I’m getting nostalgic, I’m looking at some of my notes and I said, “Wow, here’s a note from two years ago I wrote to myself.” And it was like the top five problems I’m seeing in IR today, right? I never did anything with it, I just kind of took some notes to myself. And I think number one was not having an understanding of what partners you can call on in a time of crisis.
Sean Mason: And today, when you think about cyber insurance, I think about this term called breach coaches, which is a fancy way of saying lawyers, right? And then, third, last but not least, your incident response retainer provider. Hopefully, that’s Cisco Talos IR. You really should have those three at a minimum on call and handy, right? So, you should hopefully have a contract in place. You should have all that stuff set up. So, if and when you do have an incident and you do have an issue, you know who to call. And I’m going to steal your term, there’s nothing worse than the deer in the headlights look during a crisis.
Gregory Turner: Right. I think that’s great advice. I think that’s excellent advice. And certainly, our clients and certainly, those listening today, you can certainly include Cisco and the Talos Incident Response team to that list of contacts, as well as MTM Technologies. And Sean, I just want to thank you so much for your time today. This has been truly educational. I think we really got into some good discussions about just the pragmatic approach, just what we’re seeing today. And I really want to thank you for sharing your stories.
Sean Mason: No, I appreciate it. And thank you guys so much for having me. This is definitely a pleasure. And I’m not quite sure when we’ll post this, but I will just say happy holidays to everybody out there.
Gregory Turner: And thank you to our audience for listening. I hope you found this podcast helpful. For any questions, comments, or feedback, please feel free to send an email to firstname.lastname@example.org. And for more about The Disruptive Enterprise, visit mtm.com. At The Disruptive Enterprise, this is Greg Turner. Thank you.