All right, we're going to go ahead and look at identifying threats and vulnerabilities and talk about why this is important. Now, remember this is incident response, so we're not trying to make you an exploit writer or a pen tester, or a hacker, or even a vulnerability management person. We're just trying to point out to you that you need some of that skill to be able to do this effectively, and once we get into some of the more hands-on exercises a little bit later in the skills path, you will see why that is. All right. Let's jump right into it here. Why is threat identification important? Well, first of all, identifying threats can actually, and will usually, be part of a response. In other words, you have to know what the threat is, what threat became a realization, or what threat was actually realized and became an exploit or a breach, or whatever the case may be. Threat knowledge is often needed to properly respond. If you're trying to respond to or eradicate a threat that you have no knowledge of or you don't understand, it can make it extremely difficult, if not impossible, to properly respond to that threat. You need to be able to identify the threat, and you need to be able to ascertain some information about whatever the threat or threat actor is. Now, there are many threats to an organization's information. This could include a lot of different things. It doesn't have to be any one thing specifically, but you have to know what those are, and this is going to be a very organizationally specific thing. For example, a bank is going to have some similar threats to a DoD agency, but they're also going to have quite a few different threats that are unique to those specific industry groups. You have to keep that in mind as well, and so this is more like a discovery exercise. It's not going to be something where you're going to take a template and be able to just put that template on and it works.
Now, insider threats: not as big of a threat as in the past, but they're still common. Some insider threats are unintentional. In other words, we find that some of the biggest data losses or issues that happen in environments are a lot of times something that happened unintentionally. It wasn't an intentional data leak or anything like that. If you look at some of the more recent big data breaches, some of the big banks, some of those things were just overlooked. It wasn't malicious intent to put something out there; it just wasn't thought through properly as they were designing some of the security around it. This is still an often overlooked area. Even though I say it's not as big of a threat as it has been in the past, it's still a threat. It's still a formidable threat, and it still has to be addressed. This should include contractors, suppliers, and even customers. When we talk about information security, especially in the intelligence world, we find a lot of times that supply chain is one of the bigger things that we're concerned about. When you think about incident response, you have to always include those people or those entities as part of your insider threats. The biggest incident response case I ever worked on, where I was called in as one of the outside experts, was a case with a large global service provider that was providing a service through a software package to lots of big companies, and that piece of software got compromised. Therefore, all of these threat actors had backdoors into every company that was using that software, and they infiltrated quite a few companies through that third-party software. I was commissioned to coordinate this global incident response across multiple companies, and this was like a poster child for a supply chain breakdown. I learned a lot through that, and I've documented it.
I'll probably publish a book on that at some point, but that's something you have to think about: contractors, suppliers, and even customers. You need to look at them as potential insider threats, because they will usually have more access than someone who's not a contractor, supplier, or customer. All right. Now, there are also outside threats. These include: APTs, other threat actors, malware, viruses, script kiddies, and competitors. Believe it or not, for most organizations that deal in lots of confidential or sensitive data, that data ending up in the hands of their competitors is one of their biggest threats. As a matter of fact, in a lot of cases it is the biggest single threat to that company's survival. Keeping that data confidential and secret, in a situation where only they have access to that data, is absolutely priority number 1 in some organizations that do certain types of work. Outsiders will include competitors, because they are absolutely trying to get a look at whatever data sources they can. I don't want you to take that as me saying that all competitors are out there trying to break the law and find that information, but there are some; remember, we live in a global economy. We live in a global economic environment where some of the things that we consider to be unethical or not legal here in the US may be legal and completely ethical in some other parts of the world. You have to think about that when you think about outside threats. There are also some other threats that are sometimes difficult to quantitate, like natural disasters. There's always talk; I keep hearing about this big earthquake that could essentially take California off of the US mainland. Some other people talk about one so big that it could happen along the Mississippi River Valley and essentially just separate the US into two halves with an ocean between. We can't quantitate what that would look like or what the effect would be.
Well, when you look at your organization, your data, and how you do your data security and things like that, there are some potential natural disaster threats, like losing all that data, that we just can't quantitate. Now, one of the most serious things is to realize that sometimes natural disasters could result in loss of lives and things like that, and we have to be able to quantitate, or at least plan for, that as well when we talk about responding. It's dark, but we do have to remember that we have to include that in our scenarios as far as what the process is and what to do. Now, you probably already have HR, legal, etc. that have a pretty solid process for responding to these things, but you want to make sure, as the corporate incident response team, that you plug in, that you have visibility and some feel for what the general climate and processes are from that perspective. Some other threats: we've talked about this in another session, uneducated end-users. End-user attacks are the most common reasons for breaches. Phishing attacks, social engineering, or other types of social engineering are things that we find happening with users. Now, training programs should include some knowledge of incident response. What I mean by that is, when you're training your end-users, we need to shake up our whole end-user security awareness training, and you need to include in that training some mention of incident response: that, hey, we have an incident response team and we have an incident response practice, and you as an employee, as an end-user, need to know about this. You need to know that when something happens, or when certain things happen, there is a process for reporting these things, so that the incident response team can get a hold of it and take over as soon as possible to minimize any impact.
A lot of times, if I look at somebody's end-user security awareness training program, they absolutely fail to mention to the end-users that, hey, by the way, you don't have to try to figure this thing out on your own. We have an incident response team whose job it is to do exactly that. Yes, watch a little three-minute video on don't click on this, don't click on that, don't open this, don't open that, here's what a phishing e-mail looks like; but by the way, if you're not sure, here's the process that you need to follow to reach out to the incident response team or report this, even to IT, so that it can eventually get handed off to the incident response team. These are things that need to be slowly worked into end-user security awareness. I see that as being a big step in improving our overall security awareness, by making the end-users aware that we have incident response and they're standing by to help us out in case something big really happens. Also remember, a lot of times the end-user attacks are the first indicators of attack. Now, this is going to be a touchy one here. Some professionals are not going to like this, but unqualified IT and security staff: this could be the biggest gap. Now, the good news about this is that most of these gaps are fixable with appropriate training and resources. You're taking this course, you're taking this skill session; you're taking a step in that direction if you're IT or security staff. Understanding what the proper response tactics, techniques, and steps are is one of the key things that we can integrate into IT and security practices, and by doing that, we might make the biggest impact in improving the overall security and incident response posture of the organization. Now, this can be the best source of defense, but it can also be the biggest vulnerability if you're unqualified or understaffed, because one is almost as bad as the other.
Understaffed, under-qualified security and IT: that could be your biggest vulnerability, and the bad guys notice, so that's something that we have to consider as well. Also, another big threat that's been big for a few years now is ransomware. Ransomware attacks have become more prevalent. They've become even harder to stop, and they're getting smarter with how they do it. They're actually doing a lot of reconnaissance on their targets before they hit the target. They're not just hitting you; they're doing recon first, finding out things about you, because we've got pure intel that shows they're looking to see what you can afford and that type of thing. They don't want to ask you for a ransom that you can't pay, so they're actually putting a lot of effort into figuring out how you operate, what your profits and losses are, what you can afford and what you can't afford. And more importantly, they're taking this information now: they're not only getting in and locking your stuff, but they're taking stuff as well, so that if, for example, you have followed good ransomware policies and procedures, you have good backups, and you're able to restore from backup, they will circle back and say, "Oh, by the way, if you restore from backup, great, but we have your data offline as well. If you don't pay this ransom, we're going to release this data publicly, and that's going to hurt you as much as the encrypted files would." They're expanding on that, and you have to be aware of that. The reason I bring this up, and the reason I wrote this into this training, is that I recently worked on a case where the incident response team was not aware that this was going on, and you can look this up on the Internet. The city of Baltimore actually had a ransomware attack where the ransomware operators did exactly that. They stole a bunch of customer, or I guess you could say citizens of Baltimore, information, and they threatened to release that if the city of Baltimore didn't pay the ransom.
I saw this happen in another organization where I mentioned it, and they looked at it for a while and really understood what I was saying, and sure enough, these guys had definitely taken information out. A day later they got the email saying, "Yeah, we noticed you've probably decrypted stuff right now, or you've restored from backup. However, we do have your data, and we are going to sell it on the Internet if you don't pay this ransom." You need to be aware of that as a response team, because going in to respond to a ransomware outbreak, you need to also look for signs that they were not only trying to lock stuff, but also made an effort to exfiltrate things out. This is something that I saw when I was helping them with this case that they didn't see. I saw evidence that didn't look like a normal ransomware attack, where generally with ransomware, you see they get in, they're running PowerShell and doing all these things. It's really just a massive effort to encrypt as much as they can, as fast as they can. They're playing a pure numbers game. But in this particular incident, I noticed that there appeared to be a lot more activity around the boxes that I knew were compromised, and it definitely looked like they were taking stuff and moving it somewhere to exfiltrate. Sure enough, they confirmed that a day later with an email requesting ransom payment, because they had also taken stuff that they were going to sell. Hopefully you enjoyed this session, you learned something from it, and I look forward to seeing you in the very next one. Feel free, as always, to email us with any questions that you might have. Thanks again.
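The session's advice on ransomware is to look, during response, for signs of exfiltration alongside the encryption activity. The following is an added example that is not part of the session's material: a small Python triage script that takes outbound flow records and endpoint encryption alerts and flags hosts that sent a large volume of data to external addresses in the hours before their first encryption alert. The log formats, the internal address ranges, the `mass_file_rename_encrypted` event name, the 1 GiB threshold, and the 6-hour lookback window are all assumptions made for this example, and every log line is constructed.

```python
"""Flag hosts whose outbound traffic before a ransomware encryption alert
suggests data staging or exfiltration (double-extortion indicator).
Example code added for this session; all data below is constructed."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound flow records: "timestamp src_host dst_ip bytes_out"
FLOW_LOGS = [
    "2024-03-01T01:10:00 fileserver01 203.0.113.10 5368709120",  # 5 GiB external
    "2024-03-01T01:30:00 fileserver01 203.0.113.10 4294967296",  # 4 GiB external
    "2024-03-01T02:05:00 hr-ws-07 198.51.100.22 52428800",       # 50 MB external
    "2024-03-01T02:20:00 fileserver01 10.0.0.5 8000000000",       # internal, ignored
    "2024-02-20T09:00:00 fileserver01 203.0.113.10 3221225472",  # outside lookback
]

# Constructed endpoint alerts: "timestamp host event"
ENDPOINT_ALERTS = [
    "2024-03-01T03:00:00 fileserver01 mass_file_rename_encrypted",
    "2024-03-01T03:02:00 hr-ws-07 mass_file_rename_encrypted",
    "2024-03-01T03:05:00 dc01 mass_file_rename_encrypted",
]

# Assumed internal ranges; anything outside them counts as an external destination.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ENCRYPTION_EVENT = "mass_file_rename_encrypted"  # assumed alert name


def is_external(ip_str):
    """True when the destination is not in one of the assumed internal ranges."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)


def parse_flows(lines):
    """Parse flow lines into (timestamp, host, dst_ip, bytes) tuples."""
    flows = []
    for line in lines:
        ts, host, dst, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), host, dst, int(nbytes)))
    return flows


def first_encryption_alert(lines):
    """Map each host to the timestamp of its earliest encryption alert."""
    first = {}
    for line in lines:
        ts, host, event = line.split()
        if event != ENCRYPTION_EVENT:
            continue
        t = datetime.fromisoformat(ts)
        if host not in first or t < first[host]:
            first[host] = t
    return first


def exfil_suspects(flow_lines, alert_lines, threshold_bytes=1 << 30, lookback_hours=6):
    """Return {host: external_bytes} for hosts that sent at least threshold_bytes
    to external addresses within lookback_hours before their first encryption alert."""
    alerts = first_encryption_alert(alert_lines)
    totals = defaultdict(int)
    for ts, host, dst, nbytes in parse_flows(flow_lines):
        if host not in alerts or not is_external(dst):
            continue
        window_start = alerts[host] - timedelta(hours=lookback_hours)
        if window_start <= ts < alerts[host]:
            totals[host] += nbytes
    return {host: b for host, b in totals.items() if b >= threshold_bytes}


if __name__ == "__main__":
    for host, sent in exfil_suspects(FLOW_LOGS, ENDPOINT_ALERTS).items():
        print(f"{host}: {sent / (1 << 30):.1f} GiB to external addresses before encryption")
```

In the constructed data only `fileserver01` is flagged: its two large external transfers fall inside the window before its alert, the internal copy to `10.0.0.5` is ignored, and the transfer from two weeks earlier falls outside the lookback. `hr-ws-07` stays below the threshold and `dc01` has no outbound flows at all. In a real investigation the flow source, the alert source and the thresholds would come from the organization's own telemetry and baseline, and a hit here is a reason to preserve evidence and widen scope, not a conclusion on its own.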