00:00:03,050 --> 00:00:05,290 I'm your host for today.
00:00:05,470 --> 00:00:13,990 And welcome to DEF CON 30, AltspaceVR Virtual Reality Theater, where we're having DEF CON presentations.
00:00:14,130 --> 00:00:21,150 You're probably sick of hearing this from me, but new people are popping in and out all the time.
00:00:23,290 --> 00:00:25,950 Our next speaker is Guile.
00:00:26,770 --> 00:00:37,530 Guile has been volunteering with different online communities for the past two years by mentoring, moderating Discord servers, and presenting in different community-based InfoSec conferences.
00:00:37,530 --> 00:00:41,110 She's been in the tech industry since the early part of this century.
00:00:41,930 --> 00:00:52,050 Guile has a graduate certificate in response from SANS Institute and a master's in cybersecurity digital forensics from UNSW Canberra.
00:00:52,050 --> 00:00:57,310 Her day job is doing proactive and reactive work as an incident responder.
00:00:57,310 --> 00:01:03,450 And her talk is, How My High School Creative Writing Class Helped Me to Become a Better Incident Responder.
00:01:05,390 --> 00:01:08,070 So, Guile, please take it away.
00:01:08,730 --> 00:01:09,990 Thank you.
00:01:12,650 --> 00:01:14,030 Go there.
00:01:14,210 --> 00:01:15,450 Oh, wait a minute.
00:01:15,450 --> 00:01:17,690 Got to make sure you have access to the stage.
00:01:17,930 --> 00:01:19,510 That might help.
00:01:20,190 --> 00:01:21,310 Okay.
00:01:21,330 --> 00:01:25,250 Let's see if I could get there.
00:01:25,530 --> 00:01:26,130 There you go.
00:01:26,130 --> 00:01:27,510 You have access now.
00:01:27,510 --> 00:01:29,430 There we go.
00:01:32,000 --> 00:01:33,360 Okay.
00:01:39,680 --> 00:01:40,360 So...
00:01:40,360 --> 00:01:42,060 Okay.
00:01:42,060 --> 00:01:43,400 There we go.
00:01:43,400 --> 00:01:45,720 So, I do have megaphone access now.
00:01:45,720 --> 00:01:47,460 Can everybody hear me properly?
00:01:47,460 --> 00:01:48,480 Great.
00:01:48,480 --> 00:01:49,640 Sounds good.
00:01:49,640 --> 00:01:50,040 Okay.
00:01:50,900 --> 00:01:52,640 Thank you.
00:01:52,640 --> 00:01:54,980 So, good morning, everyone.
00:01:54,980 --> 00:01:56,380 I want to say good morning.
00:01:56,380 --> 00:01:58,540 It's 4 a.m.
00:01:58,540 --> 00:01:59,740 here.
00:01:59,960 --> 00:02:02,200 Two minutes after 4 a.m.
00:02:02,200 --> 00:02:06,600 So, I am calling...
00:02:06,600 --> 00:02:14,620 I'm dialing into this virtual reality space from Naarm, or Melbourne, Australia.
00:02:14,780 --> 00:02:20,000 So, first off, I'd like to start by doing an acknowledgement of country.
00:02:20,000 --> 00:02:27,580 I'm presenting from the lands of the Boon Wurrung people, and I wish to acknowledge them as traditional owners.
00:02:27,580 --> 00:02:37,260 I would also like to pay my respects to their elders, past and present, and Aboriginal elders of other communities who may be here today.
00:02:37,280 --> 00:02:38,180 Thank you.
00:02:38,180 --> 00:02:39,820 Next slide, please.
00:02:43,540 --> 00:02:44,540 Next slide.
00:02:44,540 --> 00:02:44,880 Yes.
00:02:44,880 --> 00:02:45,120 Okay.
00:02:45,120 --> 00:02:46,200 So, I've been introduced.
00:02:46,200 --> 00:02:47,840 Thank you very much for that.
00:02:47,840 --> 00:02:55,720 So, I just wanted to add that I'm part of the first cohort of Project Freedman.
00:02:55,720 --> 00:03:14,980 This is an initiative here in Australia by Women Speak Cyber and the AWSN, the Australian Women in Security Network, to help make sure that we have diversity of thought and representation in our security, our infosec community here in Australia.
00:03:15,320 --> 00:03:20,480 I got training in terms of how to present in conferences.
00:03:20,800 --> 00:03:23,420 So, I do have a Twitter account.
00:03:23,420 --> 00:03:24,940 I have open DMs.
00:03:24,940 --> 00:03:32,320 So, please feel free to send me a DM if you have any questions afterwards about my presentation.
00:03:32,360 --> 00:03:34,040 Next slide, please.
00:03:36,320 --> 00:03:36,700 Okay.
00:03:36,700 --> 00:03:43,460 So, for this presentation, I'm going to be covering three areas here.
00:03:43,460 --> 00:03:48,980 So, first off, I'm going to talk about what's that creative nerd there.
00:03:48,980 --> 00:03:53,220 And then after that, I'm going to talk about incident response.
00:03:53,220 --> 00:03:57,360 And then I'm going to be, you know, giving some parting words.
00:03:57,360 --> 00:03:58,080 Okay.
00:03:58,140 --> 00:04:00,780 So, next slide, please.
00:04:02,040 --> 00:04:02,800 Okay.
00:04:02,800 --> 00:04:05,860 So, this is a photo, an old photo of mine.
00:04:05,860 --> 00:04:09,940 And this dates back from my high school time.
00:04:10,020 --> 00:04:20,420 And I was just, this particular day, I remember this vividly because I was just, you know, I brought the family camera.
00:04:20,420 --> 00:04:27,720 And this was before the time of, like, you know, digital cameras and all those things, where you have to make sure you have a negative, you know.
00:04:27,720 --> 00:04:31,860 And then we have to take it to a store to have it processed.
00:04:32,020 --> 00:04:35,640 So, I was, like, you know, being all silly and just being goofy.
00:04:35,700 --> 00:04:42,460 And I borrowed one of my classmates', you know, beret and just, like, pretending I'm, you know, the artsy-fartsy person.
00:04:42,580 --> 00:04:53,120 And just for context, I actually went to a public school that is known for its strong science and math curriculum.
00:04:53,120 --> 00:04:55,160 It was called a Science High School.
00:04:55,160 --> 00:05:15,200 So, the concept was that there would be high schools that are really focused on STEM, to make sure that the students have this good background in science, technology, and mathematics in the hopes that we will go to the university and major in the STEM areas.
00:05:15,200 --> 00:05:22,040 So, if you cannot tell from my accent, I'm originally from the Philippines and I migrated to Australia.
00:05:22,480 --> 00:05:34,420 So, I was really lucky to get into that school because the entrance exam was really very competitive and we were, like, ranked.
00:05:34,420 --> 00:05:37,200 And then we had to make sure that we also passed the interviews.
00:05:37,200 --> 00:05:48,200 But the great thing about being in that Science High School was that there were also what we call electives, so we could take non-science and technology classes.
00:05:48,260 --> 00:05:52,660 And one of the first things that I signed up for was the creative writing class.
00:05:52,660 --> 00:05:56,500 And honestly, I was really glad that this was before social media.
00:05:56,500 --> 00:06:10,020 So, anything that I had in terms of photos and all those things was safe until my dad discovered Facebook and started scanning all my high school photos and started sharing them with everyone.
00:06:10,420 --> 00:06:16,380 Well, in a way, that was great because I asked him earlier this week, "Hey, Dad, do you remember?
00:06:16,380 --> 00:06:18,320 Do you have one of my photos from high school?"
00:06:18,320 --> 00:06:19,040 "Ah, sure, sure.
00:06:19,040 --> 00:06:20,020 Which one?"
00:06:20,020 --> 00:06:21,880 And then he sent me this one.
00:06:22,100 --> 00:06:23,380 So, that's the background.
00:06:23,380 --> 00:06:30,340 That's the context of why I called myself the creative nerd, because I was a nerd first before I became a geekette.
00:06:30,340 --> 00:06:33,440 And so, next slide.
00:06:33,440 --> 00:06:35,720 So, next slide, please.
00:06:36,100 --> 00:06:50,180 So, one of the first things that I learned from my high school creative writing class was to really do research and, you know, document whatever I come up with.
00:06:50,300 --> 00:07:09,800 And at the time, interviews, you know, contact people and interview them for your story, or you read up... before we had internet back then.
00:07:09,820 --> 00:07:21,140 And the way to do research is actually go to a physical library, talk to a librarian, and then, you know, if you need, like, a book or something, there was a card catalog.
00:07:21,140 --> 00:07:25,300 Quick show of hands here or, like, show me your emojis.
00:07:25,300 --> 00:07:29,680 Anybody here has seen and used a card catalog in the library?
00:07:30,680 --> 00:07:32,200 Okay, any emojis?
00:07:32,600 --> 00:07:33,480 Okay.
00:07:33,760 --> 00:07:35,280 Okay, great.
00:07:36,620 --> 00:07:37,600 Okay, that's good.
00:07:37,600 --> 00:07:45,840 So, for those who haven't used a card catalog, think of it like before we had search engines, like, you know, Google.
00:07:45,840 --> 00:07:47,860 Before Google, there was, like, Yahoo.
00:07:47,960 --> 00:07:52,360 You know, that was the way we did, like, research in the library.
00:07:52,360 --> 00:07:58,480 There's a series of, like, cards, and they're alphabetically arranged.
00:07:58,620 --> 00:08:04,720 You know, you have topics, then you have, like, titles, and then it could be arranged by, you know, authors.
00:08:04,760 --> 00:08:07,260 Okay, so that's how we did the research.
00:08:07,320 --> 00:08:14,060 So, the first thing, the most important thing before you start, you know, like, writing anything, is you have to think of an idea.
00:08:14,060 --> 00:08:18,420 Like, what do you want to, you know, tell?
00:08:18,420 --> 00:08:20,840 What's the story that you want to tell?
00:08:20,840 --> 00:08:23,100 You have to start with an idea.
00:08:23,180 --> 00:08:31,540 But the challenge is that sometimes if you're just, like, you know, stuck in a rut, you know, you can't really think of an idea.
00:08:31,540 --> 00:08:34,580 That's why there are things like story prompts.
00:08:34,580 --> 00:08:42,600 So, I remember, like, a week after, like, the first class, we were told, like, come up with an idea.
00:08:42,600 --> 00:08:47,220 So, the teacher, you know, said, like, okay, so what are your story ideas?
00:08:47,720 --> 00:08:52,120 And a lot of us were stumped, and that's why she introduced, like, story prompts.
00:08:52,120 --> 00:08:53,100 So, what are story prompts?
00:08:53,100 --> 00:09:03,740 It's sort of like this, a sentence, you know, like, about something, and then you start, you know, building up, you know, from that particular story.
00:09:03,740 --> 00:09:05,320 So, you start with an idea.
00:09:05,320 --> 00:09:07,740 Then after that, you know, you think of a setting.
00:09:07,740 --> 00:09:12,620 So, you have to make sure that you do your research in terms of your setting.
00:09:12,620 --> 00:09:13,880 Where is it going to be?
00:09:13,880 --> 00:09:20,140 Is it going to be, like, local to our area, or is it in another city, another, you know, location?
00:09:20,140 --> 00:09:28,140 Or if you're thinking of something like writing, like, science fiction, is it set on this planet, or another planet, another galaxy?
00:09:28,480 --> 00:09:30,500 And then think of the period.
00:09:30,500 --> 00:09:33,020 When we say period, we're talking about the time, okay?
00:09:33,020 --> 00:09:38,020 Is it, like, is your story set in the present, or is it in the future?
00:09:38,020 --> 00:09:45,440 Or are you thinking about having a historical, you know, context?
00:09:45,440 --> 00:09:49,180 So, you've got to, like, do your research regarding that particular period.
00:09:49,560 --> 00:09:52,300 And then, of course, there's character building.
00:09:52,580 --> 00:10:07,140 So, for those of you who are, you know, into games, or let's just say Dungeons & Dragons, so you're probably familiar with, you know, that particular, you know, you have your...
00:10:07,600 --> 00:10:14,000 Think of it as, like, what's going to be, you know, the moral code of your, you know, character.
00:10:14,600 --> 00:10:22,500 You're going to be thinking about, okay, are they, you know, more on the good side, you know, like, evil side, or neutral.
00:10:22,500 --> 00:10:27,840 But mostly, when we start writing, we think of your hero, your protagonist, okay?
00:10:27,840 --> 00:10:35,020 So, and then you have to start thinking about their, you know, inner world, about their origin story, where did they come from?
00:10:35,020 --> 00:10:37,280 So, you have to start thinking about that.
00:10:37,380 --> 00:10:42,940 Okay, then lastly, of course, depending on the setting, you know, it's going to be about the genre.
00:10:43,000 --> 00:10:50,440 So, if you're thinking about, like, something in the future set on other planets, or other galaxies, or something.
00:10:50,440 --> 00:10:52,160 So, that could be science fiction.
00:10:52,160 --> 00:10:56,200 But within science fiction, there's a lot of things that you can explore there.
00:10:56,200 --> 00:11:04,360 So, all in all, all these things that you've thought about, you need to make sure that you've done your research, and you've documented everything.
00:11:04,360 --> 00:11:08,140 You need to make sure that you, you know, write notes.
00:11:08,140 --> 00:11:17,080 And at that time, I just want to show, like, share this, my first attempt at using a computer.
00:11:17,080 --> 00:11:25,880 At that time, okay, there was a lot of, it was summer, and there were a lot of power outages.
00:11:26,000 --> 00:11:31,180 And I went to my mom's friend's house, who has a computer.
00:11:31,180 --> 00:11:34,420 And at the time, I really didn't know how to use a computer.
00:11:34,420 --> 00:11:38,680 And I just wanted to make sure that I'm able to type my story.
00:11:38,840 --> 00:11:41,600 And I was told, okay, this is how you do that.
00:11:41,600 --> 00:11:45,420 Okay, so that's your screen, black screen, you know, that was WordPerfect.
00:11:45,420 --> 00:11:54,480 And I have all these handwritten notes, and I have this story that I've written on paper.
00:11:54,480 --> 00:12:02,540 But as I was typing, I, you know, there are, like, other ideas that came in, and I just kept, like, you know, typing everything.
00:12:02,540 --> 00:12:07,180 And then suddenly, there was a power outage.
00:12:07,440 --> 00:12:12,880 And then after, like, about 15 minutes, the power came back.
00:12:12,880 --> 00:12:19,600 And then I asked my, I call him uncle, although I'm not, you know, biologically related to him.
00:12:19,620 --> 00:12:23,640 I asked my uncle's kid, okay, so, okay, where's my work?
00:12:23,640 --> 00:12:26,940 I was, like, just typing, and then suddenly, the lights went out.
00:12:26,940 --> 00:12:30,600 And after that, it came back on, and I don't see my words there.
00:12:30,600 --> 00:12:34,480 And then he looked at me and asked, like, did you remember to save it?
00:12:34,480 --> 00:12:37,540 Like, what do you mean by saving?
00:12:39,860 --> 00:12:47,600 Okay, there was no way for me to recover, you know, those, like, I think I spent about three hours typing up my story.
00:12:47,600 --> 00:12:53,940 And then, like, okay, and that was my first experience in making sure that I always have, you know, redundancy.
00:12:53,940 --> 00:12:56,740 I have, like, backups and all those, you know, things.
00:12:56,740 --> 00:13:04,360 So, things that I learned from my creative writing class have really helped me when I shifted careers, like, you know, moving to tech.
00:13:04,360 --> 00:13:08,580 Okay, now, next slide, please.
00:13:10,520 --> 00:13:19,500 Okay, now, so, another important thing that I learned from my creative writing class was about the plot structure.
00:13:19,520 --> 00:13:24,200 Think of a plot structure, if you're a visual person, think of it like a mountain.
00:13:24,200 --> 00:13:30,660 So, sometimes it's called a story mountain, and sometimes you just see some examples like a plot diagram.
00:13:30,660 --> 00:13:39,780 So, you can see towards the left, you have there, left side of the mountain there, you have the exposition.
00:13:39,780 --> 00:13:45,940 So, think of it as the part of the plot when you start introducing your protagonists.
00:13:45,940 --> 00:13:50,060 Okay, and you also set the setting and the location there.
00:13:50,300 --> 00:13:56,040 And then, afterwards, you have what is called the rising action.
00:13:56,040 --> 00:14:02,720 This is the part of the story that, this is basically after you've set your tone.
00:14:02,720 --> 00:14:06,420 Okay, and you've written something about your readers.
00:14:06,420 --> 00:14:13,900 I'm sorry, you've written something about your protagonists, and your readers are now invested in your protagonists.
00:14:13,900 --> 00:14:18,640 And think of the rising action as an event that interrupts this pattern.
00:14:18,640 --> 00:14:21,840 And this basically begins the story arc.
00:14:21,840 --> 00:14:32,540 Think of it as also, could be like there's a first conflict in your story, and then it ends with an event that changes everything for your protagonists.
00:14:32,700 --> 00:14:38,100 Okay, then towards the top of the story mountain, you have your climax.
00:14:38,100 --> 00:14:40,240 This follows the rising action.
00:14:40,240 --> 00:14:45,420 This is when everything comes together to create that single dramatic moment.
00:14:45,420 --> 00:14:47,880 So, that is the climax of the story.
00:14:47,880 --> 00:14:53,720 And then, after the climax of the story, you have to have the falling action.
00:14:53,720 --> 00:14:59,140 Sometimes some writers immediately move from climax to the resolution.
00:14:59,340 --> 00:15:09,940 But it is better to have a falling action, because you have to make sure that the tension and the conflict have started to resolve.
00:15:09,940 --> 00:15:15,220 And then your story starts winding down towards the resolution.
00:15:15,220 --> 00:15:20,360 And when we talk about the resolution, that is basically the conclusion of your story's plot.
00:15:20,360 --> 00:15:39,580 It could be just one scene, or it could be a series of scenes that will tie down your narrative arc to make sure that you show that something happened to the protagonist, and then what happened to that protagonist, and what changed in that protagonist's life.
00:15:39,580 --> 00:15:41,400 So, that is the resolution.
00:15:41,400 --> 00:15:44,640 So, this is basically your plot structure.
00:15:44,640 --> 00:15:48,860 And all stories should have this plot structure.
00:15:49,600 --> 00:15:52,340 Now, next slide, please.
00:15:54,080 --> 00:16:01,450 Sorry, I just have to have a sip of water here.
00:16:02,450 --> 00:16:20,830 So, in terms of the other important thing that I learned in my creative writing class, it's about knowing my reader and knowing myself.
00:16:21,170 --> 00:16:27,030 So, first of all, I have to make sure that I understand who is my target audience.
00:16:27,030 --> 00:16:39,970 I need to know, am I writing for, let's just say, my friends, family members, or am I writing for my classmates, or am I writing for the community?
00:16:40,330 --> 00:16:48,930 Because depending on your target audience, think of it in terms of the words that you use.
00:16:48,930 --> 00:16:55,970 So, of course, in terms of community, like in the Philippines when I was growing up, it was quite conservative.
00:16:55,970 --> 00:17:03,050 And the first story that I wrote was about a same-sex relationship.
00:17:03,050 --> 00:17:06,150 And at that time, that was considered quite controversial.
00:17:06,150 --> 00:17:09,610 And I was like, hey, you're too young to be writing about that stuff.
00:17:09,610 --> 00:17:15,690 And I was talking about, it's about someone finding their identity and all those things.
00:17:15,690 --> 00:17:21,830 But I had to be very careful about the terminologies and all those things.
00:17:22,250 --> 00:17:24,710 So, in a way, I was self-censoring.
00:17:24,710 --> 00:17:35,070 But, you know, years later, I just realized that I shouldn't self-censor myself because I'm basically writing for myself.
00:17:35,210 --> 00:17:37,990 So, and then how will you tell your story?
00:17:38,350 --> 00:17:47,170 So, basically, there's the plot structure, you've done your research, and then how am I going to be telling my story?
00:17:47,170 --> 00:18:00,030 So, these are the important things that I've learned from my creative writing class that I still remember so many decades later.
00:18:00,030 --> 00:18:04,650 So, what happened to this creative nerd?
00:18:04,650 --> 00:18:07,250 So, the creative nerd went to the university.
00:18:07,250 --> 00:18:15,430 Instead of majoring in science and technology, I majored in psychology because I wanted to understand myself better.
00:18:15,430 --> 00:18:24,070 And at that time, it was, you know, difficult having, like, a career out of the university as, you know, a psychologist or as a psychology major.
00:18:24,070 --> 00:18:29,070 So, my family wanted me to either go to med school or law school.
00:18:29,250 --> 00:18:38,810 And I initially thought I wanted to go to med school, but I dropped by and thought, like, nah, I don't want to do, like, you know, all the dissection and all those things.
00:18:38,810 --> 00:18:41,550 And then I decided I'm just going to go to law school.
00:18:41,550 --> 00:18:47,610 So, after finishing my degree in psychology, I went to law school.
00:18:47,610 --> 00:18:59,310 And when I was there, I realized that, hey, I'm not, like, the very argumentative type, because I'm turning into a very argumentative person.
00:18:59,310 --> 00:19:06,510 No matter what happens, we were being trained to win every single, you know, little argument.
00:19:06,510 --> 00:19:09,330 And I thought, like, that's not what I want to do.
00:19:09,330 --> 00:19:13,070 And so, I got out of law school after two years.
00:19:13,070 --> 00:19:18,070 So, I joked that, hey, does that make me an outlaw because I dropped out?
00:19:18,410 --> 00:19:21,930 Anyway, then I got connected to the Internet.
00:19:21,930 --> 00:19:28,210 And when I got connected to the Internet, I realized, oh, there's a world out there and I want to be part of it.
00:19:28,210 --> 00:19:34,210 And that started my shift, career shift to tech.
00:19:34,210 --> 00:19:42,090 So, early part of this century, I moved into tech and I started my career doing networking stuff, Cisco stuff, and I loved that.
00:19:42,090 --> 00:19:48,230 But I really wanted to focus on cybersecurity or, at the time, it was network security.
00:19:48,230 --> 00:19:55,230 It's largely because when I got connected to the Internet, I used IRC and I had an online stalker.
00:19:55,230 --> 00:19:58,110 So, that's why I was, like, really concerned about security.
00:19:58,110 --> 00:20:05,570 Anyway, eventually, so from doing networking, network security stuff, I moved into cybersecurity.
00:20:05,650 --> 00:20:16,310 And I really wanted to do forensic stuff because I've been reading mysteries since I was a kid, mystery novels, all those things.
00:20:16,350 --> 00:20:23,730 So, now I'm at this point in my life and my career where I'm doing something that I really love.
00:20:23,730 --> 00:20:30,230 And it's digital forensics, and focusing on digital forensics and incident response.
00:20:30,230 --> 00:20:32,330 So, now, next slide, please.
00:20:32,330 --> 00:20:34,910 Let's talk about incident response.
00:20:36,070 --> 00:20:39,490 Now, quick question for the listeners.
00:20:39,490 --> 00:20:50,110 What is the first thing that goes into your mind when you think about incident response?
00:20:51,050 --> 00:20:53,270 Next slide, please.
00:20:54,670 --> 00:21:03,550 Do you think of yourself, like, having a similar expression to this person in this photo?
00:21:07,650 --> 00:21:19,890 So, sometimes people consider incident response as one of the more stressful kinds of work in the infosec area.
00:21:19,890 --> 00:21:26,710 Because basically, you're being called upon to respond to a particular incident.
00:21:26,930 --> 00:21:29,010 So, next slide, please.
00:21:30,070 --> 00:21:42,130 Now, before I start talking about incident response, I just want to clarify something about the terminology.
00:21:42,130 --> 00:21:52,170 So, when we talk about incidents, we need to always clarify that when we're talking about incidents.
00:21:52,170 --> 00:21:57,390 So, first off, there's the word event.
00:21:57,390 --> 00:22:07,490 When we say event in the context of incident response, an event is just basically something that is observable.
00:22:07,730 --> 00:22:10,270 An event is something that is observable.
00:22:10,270 --> 00:22:22,570 So, it could be, you know, there was a user connected to a particular website, visited a particular website, you know.
00:22:22,690 --> 00:22:24,210 So, that's an event.
00:22:24,210 --> 00:22:26,530 That is something that is observable.
00:22:26,530 --> 00:22:35,250 Now, when we talk about incident, incident basically means there was an event, an observable happening.
00:22:35,250 --> 00:22:36,690 How do you observe that?
00:22:36,690 --> 00:22:40,410 You have, like, logs, you have some evidence there.
00:22:40,610 --> 00:22:54,590 And the event itself, that's observable, is something that breaks, you know, the security triad, the CIA.
00:22:54,590 --> 00:22:57,990 Either confidentiality, integrity, availability.
00:22:57,990 --> 00:23:00,090 So, that becomes an incident.
00:23:00,090 --> 00:23:12,810 So, basically, an incident is an event that's observable, but it affects the CIA, or it breaks certain security policies in your organization.
00:23:12,890 --> 00:23:22,630 So, when we talk about incident response, it is a process to help protect the organization, and it has several stages.
00:23:22,630 --> 00:23:26,310 So, what's the difference between digital forensics and incident response?
00:23:26,310 --> 00:23:43,510 So, digital forensics by itself is both an art and a science in terms of understanding what has happened within a system or inside, let's just say, an organization or within your, you know, network infrastructure or your infrastructure.
00:23:43,590 --> 00:23:45,610 So, there are different artifacts.
00:23:45,610 --> 00:23:49,290 When we say artifacts, these are, like, the evidence, sources of evidence.
00:23:49,290 --> 00:24:00,310 And then incident response uses a lot of the techniques and knowledge from digital forensics in order to help protect your organization.
00:24:00,710 --> 00:24:10,470 So, incident response is, think of it like a practical organization, sorry, incident response is the practical application of your digital forensics.
00:24:10,470 --> 00:24:17,070 So, incident response is like you're responding to an incident right now, the present moment.
00:24:17,070 --> 00:24:22,210 And then digital forensics, think of it, you're looking at what happened in the past.
00:24:22,210 --> 00:24:26,270 So, you're using your different tools and techniques to understand what happened.
00:24:26,270 --> 00:24:36,750 You're collecting all these artifacts, evidence, you're making sure that you preserve them just in case you need to present this, you know, case in court.
00:24:36,830 --> 00:24:41,470 So, that's the difference between digital forensics and incident response.
00:24:41,470 --> 00:24:43,870 Now, next slide, please.
00:24:45,630 --> 00:24:52,730 Now, when we talk about the incident process, there are several frameworks that are available out there.
00:24:52,990 --> 00:24:59,270 So, the first one is NIST, that's the National Institute of Standards and Technology.
00:24:59,270 --> 00:25:12,350 And this particular incident response framework is actually in the Special Publication 800-61 Revision 2, or 800-61 R2.
00:25:12,350 --> 00:25:17,130 So, NIST is a government agency and works on technology.
00:25:17,130 --> 00:25:25,770 And their framework for incident response, or sometimes you can see it as incident handling, has four steps.
00:25:25,770 --> 00:25:27,470 Now, there is SANS.
00:25:27,470 --> 00:25:34,490 So, SANS is known for providing security training.
00:25:34,490 --> 00:25:40,250 And initially, SANS used to call itself SysAdmin, Audit, Network and Security.
00:25:40,250 --> 00:25:42,390 So, that's the meaning of SANS.
00:25:42,390 --> 00:25:49,510 And compared to NIST, this is a private organization and they're very much focused on security.
00:25:49,510 --> 00:25:54,550 And for them, their incident response framework has six steps.
00:25:54,550 --> 00:25:57,430 Think of them, you have PICERL.
00:25:57,430 --> 00:26:03,670 This is the acronym for those steps of the SANS incident response framework.
00:26:03,910 --> 00:26:07,350 Now, can you please go to the next slide, please?
00:26:09,070 --> 00:26:15,650 So, for NIST, you have there the four steps in the incident response.
00:26:15,650 --> 00:26:20,350 So, you have preparation, and then you have detection and analysis.
00:26:20,450 --> 00:26:24,930 And then after the detection and analysis, you have containment, eradication, and recovery.
00:26:24,930 --> 00:26:29,190 And then after that, you have the post-incident activity.
00:26:29,530 --> 00:26:31,890 Now, let's look at the next slide, please.
00:26:31,890 --> 00:26:33,810 Can you please go to the next slide?
00:26:33,810 --> 00:26:40,110 So, for SANS, compared to the NIST framework, SANS has six steps.
00:26:40,110 --> 00:26:42,710 There are six phases.
00:26:42,710 --> 00:26:49,630 So, there's the preparation, identification, containment, eradication, recovery, and lessons learned.
00:26:49,630 --> 00:26:51,490 So, next slide, please.
00:26:52,510 --> 00:26:58,510 So, comparing these, you can see that both frameworks have the preparation phase.
00:26:58,510 --> 00:27:03,470 And then you have the identification phase as the second phase.
00:27:03,470 --> 00:27:09,670 And then you have the containment, eradication, and recovery, which are three separate phases from SANS.
00:27:09,670 --> 00:27:13,030 This is actually the third phase under NIST.
00:27:13,250 --> 00:27:22,590 And then the lessons learned phase from SANS is called the post-incident activity.
00:27:22,710 --> 00:27:30,350 So, at this point, I'm just going to go through the six steps of the SANS framework.
00:27:30,350 --> 00:27:39,550 So, when we talk about the preparation phase, this is where you should be making sure that you have your documentation in place.
00:27:40,490 --> 00:27:46,190 Ideally, you have your security policies.
00:27:46,190 --> 00:27:52,650 You do your reviews and you make sure that the security policies are well-known in the organization.
00:27:52,650 --> 00:27:56,810 This is the time where you're also doing a risk assessment.
00:27:56,850 --> 00:28:01,310 You're basically making sure that you know all your assets. When we talk about assets,
00:28:01,310 --> 00:28:07,530 these are your endpoints in the context of incident response.
00:28:07,530 --> 00:28:10,250 It's your laptops, desktops.
00:28:10,270 --> 00:28:15,730 And then you also have to make sure that you identify what are the sensitive assets.
00:28:15,730 --> 00:28:22,670 And then you also make sure that you define which are the critical security incidents that the team should focus on.
00:28:22,670 --> 00:28:37,430 Because you don't want to call the incident responder when you're just dealing with what turns out to be a desktop issue.
00:28:37,450 --> 00:28:40,610 It could be like, oh, the printer didn't work or something.
00:28:40,610 --> 00:28:43,450 So, that's not a security incident.
00:28:43,450 --> 00:28:48,870 You have to make sure that you have a definition of severity levels, priority.
00:28:48,870 --> 00:28:59,430 During the preparation phase, if your organization hasn't built a computer security incident response team, this is the time that you should be doing that.
00:28:59,430 --> 00:29:01,490 During the preparation phase.
00:29:01,490 --> 00:29:07,750 And then you're also making sure that your team is prepared to respond to incidents at this point.
311 00:29:07,870 --> 00:29:11,110 Now, the second phase is called identification. 312 00:29:11,110 --> 00:29:15,610 This is when you have monitoring of your systems. 313 00:29:15,610 --> 00:29:21,370 And then you have to know what is normal operation, what is normal for your organization. 314 00:29:21,370 --> 00:29:28,550 And this is the phase where you are detecting any deviation from the normal operations. 315 00:29:28,550 --> 00:29:37,270 And you have to understand or check, make sure that these are representing actual security incidents. 316 00:29:37,270 --> 00:29:44,610 And during the identification phase, when an incident is discovered, you need to collect additional evidence. 317 00:29:44,610 --> 00:29:49,390 You need to establish the type, severity, and you need to document everything. 318 00:29:49,630 --> 00:29:55,790 And then from that second phase, you now go to the third step. 319 00:29:55,790 --> 00:29:58,150 This is where you do the containment. 320 00:29:58,150 --> 00:30:00,770 You perform short-term containment. 321 00:30:00,770 --> 00:30:08,350 For example, you may need to isolate a certain part of your network or a network segment that is under attack. 322 00:30:08,350 --> 00:30:26,450 And then you move to long-term containment, where you may need to implement some temporary fixes to make sure that your systems can still continue to be used in production, while at the same time, you are rebuilding the clean systems. 323 00:30:26,450 --> 00:30:31,290 And then from the containment phase, you move to the eradication phase. 324 00:30:31,290 --> 00:30:37,650 This is where if you are affected by a malware, you're removing malware from all your affected systems. 325 00:30:37,650 --> 00:30:40,990 And this is when you're trying to understand the root cause of the attack. 326 00:30:40,990 --> 00:30:47,730 And then you are making sure that you're trying to prevent similar attacks to happen in the future. 
327 00:30:48,050 --> 00:30:56,150 And of course, that goes hand-in-hand with the recovery, wherein you will be bringing back your production systems online. 328 00:30:56,150 --> 00:31:00,970 You have to be careful before you bring back your production systems online. 329 00:31:00,970 --> 00:31:09,850 And typically, for a lot of the incidents I've worked on previously, there's always a check of the systems. 330 00:31:09,850 --> 00:31:20,690 For example, if there was a ransomware attack, before a system is fully put back into production, we have to make sure that we have swept the entire system. 331 00:31:20,690 --> 00:31:23,690 Are there any indicators of compromise there? 332 00:31:23,690 --> 00:31:25,050 Is this a clean system? 333 00:31:25,050 --> 00:31:27,510 Can we put it back online? 334 00:31:27,510 --> 00:31:31,110 Or if it's like a backup, make sure that the backup is clean. 335 00:31:31,190 --> 00:31:37,290 And then part of the recovery phase is to test and verify. 336 00:31:37,290 --> 00:31:43,130 You monitor all the affected systems to make sure that they're back to their normal activity. 337 00:31:43,370 --> 00:31:46,310 Think of it like business as usual. 338 00:31:46,470 --> 00:31:49,710 And then lastly, you have the lessons learned phase. 339 00:31:49,710 --> 00:31:51,010 This is very important. 340 00:31:51,010 --> 00:31:58,170 Some organizations don't do this, but it's very important that you have a time frame. 341 00:31:58,290 --> 00:32:04,770 It's best that it's two or three weeks, not, let's just say, six months or one year after the incident. 342 00:32:04,770 --> 00:32:06,750 It has to be as soon as possible. 343 00:32:06,750 --> 00:32:08,230 Maybe it's like two weeks. 344 00:32:08,470 --> 00:32:13,510 You need to perform, let's just say, a review of the incident. 345 00:32:13,510 --> 00:32:18,310 You need to make sure that you have a complete documentation of the incident. 
346 00:32:18,310 --> 00:32:27,610 If you need to further investigate the incident, you need to understand what was done to contain that incident. 347 00:32:27,610 --> 00:32:31,650 And then whether there's any improvement in the process. 348 00:32:31,650 --> 00:32:39,730 If you have issues in terms of processes, technology, or people, this is the time wherein 349 00:32:39,730 --> 00:32:45,090 you're supposed to learn from this particular incident. 350 00:32:45,090 --> 00:32:50,210 But there should be no shaming, no victim blaming, and all those things. 351 00:32:51,690 --> 00:32:59,030 That's our basis in the incident response. 352 00:32:59,050 --> 00:33:09,070 Now, in terms of the preparation phase, you can see towards the right of this particular slide, I have an arrow called proactive. 353 00:33:09,070 --> 00:33:14,710 In incident response, we have what we call the proactive and reactive side. 354 00:33:14,710 --> 00:33:17,630 When we say proactive, this is the part wherein 355 00:33:17,630 --> 00:33:25,930 we are doing proactive projects or activities to help prepare us. 356 00:33:25,930 --> 00:33:33,130 And then from the identification phase towards the lessons learned, these are parts of the reactive side. 357 00:33:33,130 --> 00:33:38,630 Wherein you're actually reacting to an ongoing incident in your organization. 358 00:33:38,630 --> 00:33:51,070 One of the activities that we do in terms of the proactive side of incident response is doing a tabletop exercise. 359 00:33:54,330 --> 00:34:01,050 Who among you here has participated in a tabletop exercise? 360 00:34:01,050 --> 00:34:03,170 Somebody could like, you know... 361 00:34:07,670 --> 00:34:17,210 Now, for the others who haven't participated in a tabletop exercise, I'm just going to be explaining what is involved there. 362 00:34:17,330 --> 00:34:20,950 Sometimes it's called TTX for short, tabletop exercise. 363 00:34:20,950 --> 00:34:24,330 So think of a tabletop exercise as a mock incident. 
364 00:34:24,690 --> 00:34:27,650 So it's not a functional exercise. 365 00:34:27,650 --> 00:34:43,250 When we say functional exercise, you present the group with alerts and they're supposed to be trying to simulate how you're supposed to be responding. 366 00:34:43,250 --> 00:34:45,350 You're going to be checking the dashboards. 367 00:34:45,350 --> 00:34:46,750 It's a functional exercise. 368 00:34:46,750 --> 00:34:51,150 When we talk about tabletop exercise, it's a mock incident. 369 00:34:51,150 --> 00:34:57,630 There is a security incident and you are just giving them scenarios. 370 00:34:57,630 --> 00:35:01,850 And they're not going to be checking any dashboards. 371 00:35:01,850 --> 00:35:10,190 They're not going to be logging into the monitoring systems or the EDR, the endpoint detection response tools. 372 00:35:10,190 --> 00:35:11,850 They're not going to be looking at that. 373 00:35:11,850 --> 00:35:18,110 This is 374 00:35:22,170 --> 00:35:27,230 purely a tabletop exercise. 375 00:35:27,230 --> 00:35:34,250 Think of it, it's purely scenario-based. 376 00:35:34,250 --> 00:35:37,490 You are not responding to a real incident. 377 00:35:37,490 --> 00:35:47,470 Everybody's just there, sitting down, and everybody's just doing some discussions. 378 00:35:48,290 --> 00:35:58,870 And the goal here, there will probably be several goals, but mostly it's to test the IR plan. 379 00:35:58,870 --> 00:36:10,870 And then test the readiness of the organization in terms of if something similar to this scenario happened to your organization, what are you supposed to do? 380 00:36:10,870 --> 00:36:13,190 Who's supposed to be doing this? 381 00:36:13,190 --> 00:36:18,530 Who's supposed to be leading the incident? 382 00:36:18,530 --> 00:36:22,990 Who's supposed to be doing those other things that are in the IR plan? 383 00:36:22,990 --> 00:36:30,590 Before you actually have a tabletop exercise, make sure that you have at least a basic IR plan in place. 
384 00:36:30,590 --> 00:36:37,090 And everybody who is involved in responding to the incident should be familiar with the IR plan. 385 00:36:37,090 --> 00:36:51,690 In terms of making sure that the discussion moves along, you need to make sure that when you create tabletop exercises, you have injects. 386 00:36:51,690 --> 00:36:58,930 Injects are additional information that you provide to the participants in your tabletop exercise. 387 00:36:58,930 --> 00:37:09,570 Ideally, the audience or the people who are participating in the tabletop exercise is composed of people who will be part of the incident. 388 00:37:09,570 --> 00:37:12,870 So you'll have a mix of technical people. 389 00:37:12,870 --> 00:37:28,850 And then also the best tabletop exercise will also have some people who are in the management area, because you will need to make sure that you involve certain managers so they're aware of what's happening. 390 00:37:28,850 --> 00:37:44,630 Sometimes if, let's just say, a particular incident would involve communicating with external agencies or external parties, you need to make sure that you have someone, let's just say, doing the comms for this. 391 00:37:44,630 --> 00:37:48,910 Because it could be, let's just say, the incident is like ransomware. 392 00:37:48,910 --> 00:37:51,590 You're preparing for a potential ransomware attack. 393 00:37:51,590 --> 00:38:00,070 You need to make sure that you have somebody who's in the legal team who may need to contact the insurance for your cybersecurity insurance. 394 00:38:00,070 --> 00:38:15,110 And then the other would be that you need to have an external facing statement from the corporate communications, providing a message out there that you have the situation under control and you're investigating it. 395 00:38:15,110 --> 00:38:22,110 So it would be good to have all these people who would potentially be involved in a major security incident. 
396 00:38:22,110 --> 00:38:24,030 You can make sure that you have them there. 397 00:38:24,190 --> 00:38:41,810 Okay, so how are we, or like in my case, when I started, you know, creating scenarios for tabletop exercises for my previous clients, this is where the creative nerd came out. 398 00:38:41,810 --> 00:38:44,670 So I was a nerd first before I became a geekette. 399 00:38:44,670 --> 00:38:52,150 So the creative nerd in me started thinking about the things that I learned in my creative writing class. 400 00:38:52,290 --> 00:38:54,350 So next slide, please. 401 00:38:56,710 --> 00:39:06,250 So whenever I created scenarios, I made sure that I'm familiar with my client's incident response plans. 402 00:39:06,250 --> 00:39:15,230 And the incident response plan would actually have, you know, all these different IR phases, you know, identified there. 403 00:39:15,330 --> 00:39:28,430 So when I created, you know, a scenario, every time I need to create a scenario, of course, I need to make sure that first, okay, I set the scene. 404 00:39:28,430 --> 00:39:33,170 So think of it, it's like towards the left of that plot mountain. 405 00:39:33,170 --> 00:39:42,260 So I'm basically providing, think of it, I'm basically providing the exposition. 406 00:39:42,870 --> 00:39:52,290 So usually I put something there, like there's a day, okay, let's just say it's Wednesday morning. 407 00:39:52,950 --> 00:40:08,010 A user may, you know, a user contacts the help desk saying that they saw something unusual on their screen. 408 00:40:08,010 --> 00:40:11,350 And there was a strange message there. 409 00:40:11,350 --> 00:40:16,250 So think of it as, you know, preparing your, you know, scene there. 410 00:40:16,250 --> 00:40:19,390 So you're basically doing your exposition. 411 00:40:19,390 --> 00:40:33,030 And then afterwards, next inject, you know, for that tabletop exercise, other users started complaining that they can't do anything. 
412 00:40:33,030 --> 00:40:36,430 So you're basically setting up the rising action. 413 00:40:36,430 --> 00:40:43,150 And then you start doing, if you're the incident responder, you start identifying who are the affected people. 414 00:40:43,150 --> 00:40:50,510 And then you ask them for, let's just say, any screenshots or a read-out, like if there's like any message that they see there. 415 00:40:50,750 --> 00:40:57,170 And then you have towards the top, the climax, where you're doing the containment and eradication. 416 00:40:57,170 --> 00:41:00,190 Maybe it's because, you know, there's like another inject. 417 00:41:00,190 --> 00:41:04,870 You started like, you know, you saw the message and then you did some research. 418 00:41:05,680 --> 00:41:16,710 It's a ransom note and it's with a particular, let's just say, threat actor or a particular group, APT groups, that's like using this kind of, let's just say, malware. 419 00:41:16,710 --> 00:41:20,830 And then you start doing your containment and eradication. 420 00:41:20,830 --> 00:41:28,870 And then you have your falling action, wherein you started doing your recovery as part of your incident response. 421 00:41:28,870 --> 00:41:30,470 What are you supposed to do? 422 00:41:30,470 --> 00:41:40,470 So it could be that you have other systems that were affected and you started like using, you know, your team backups, putting them back there. 423 00:41:40,470 --> 00:41:42,050 And then you have the resolution. 424 00:41:42,050 --> 00:41:49,510 Think of it, it's your lessons learned towards the end of that particular scenario in your tabletop exercise. 425 00:41:49,570 --> 00:41:58,450 So for those who may be tasked to do tabletop exercises, remember this plot structure. 426 00:41:58,450 --> 00:42:03,110 And then think of it, it's sort of like kind of mapped to the different phases there. 427 00:42:03,110 --> 00:42:08,670 And you can write appropriate injects for your particular scenario. 
428 00:42:13,210 --> 00:42:15,530 Next slide, please. 429 00:42:17,250 --> 00:42:28,310 Now, after your tabletop exercise has been conducted, make sure that you have an after action report. 430 00:42:28,310 --> 00:42:30,490 Okay, this is important. 431 00:42:30,490 --> 00:42:39,730 This is basically documenting what was, you know, what happened during the tabletop exercise. 432 00:42:39,730 --> 00:42:46,610 Like for particular, you know, parts of these scenarios based on the injects. 433 00:42:46,610 --> 00:42:49,210 What was the decision? 434 00:42:49,210 --> 00:42:51,430 What did people, you know, decide? 435 00:42:51,430 --> 00:42:53,030 What did they do? 436 00:42:53,030 --> 00:43:10,490 If let's just say your goal was to improve the IR plan or the IR process, you have to make sure that someone during the tabletop exercise, someone was like taking down notes. 437 00:43:10,670 --> 00:43:14,670 And then these notes will form the basis of your after action report. 438 00:43:14,670 --> 00:43:20,470 You need to identify, let's just say, according to the incident response plan. 439 00:43:20,470 --> 00:43:41,710 Whenever, let's just say, major severity or, you know, let's just say major, you know, cybersecurity incident happens, there should be a message that goes out to the group chat over, let's just say, Slack. 440 00:43:41,710 --> 00:43:47,810 Okay, so if you're using Slack, so according to your IR plan, you're supposed to be using Slack. 441 00:43:47,810 --> 00:44:00,150 And then during the tabletop exercise, people started, you know, saying that, oh, we're just going to start sending messages via WhatsApp. 442 00:44:00,150 --> 00:44:06,010 So there's a deviation between the practice, actual practice and the plan. 443 00:44:06,010 --> 00:44:18,490 So you'll have to decide as an organization, like, are we going to change our incident response plan to indicate that whenever there's an incident, we're supposed to be using WhatsApp? 
444 00:44:18,490 --> 00:44:24,410 So the question is, is WhatsApp one of your approved, you know, applications when in fact you have Slack? 445 00:44:24,410 --> 00:44:33,470 So these things that you've learned during the tabletop exercise, you put them in the after action report, so that it will drive changes. 446 00:44:33,470 --> 00:44:48,930 Sometimes the incident response plan... you were using, let's just say, an old, you know, ticketing system, and then you moved to a new ticketing system. 447 00:44:48,930 --> 00:44:55,290 And by the time that you did this tabletop exercise, everybody kept referring to the new ticketing system. 448 00:44:55,290 --> 00:44:58,830 So you need to, you know, update your IR plan. 449 00:44:58,830 --> 00:44:59,490 Okay. 450 00:44:59,490 --> 00:45:03,230 Now, next slide, please. 451 00:45:04,930 --> 00:45:21,270 Another application of the creative writing class, you know, learnings I had was whenever I actually sit down, and then I need to write a lessons learned report. 452 00:45:21,270 --> 00:45:26,150 So this is towards the reactive part of our IR process. 453 00:45:26,150 --> 00:45:32,590 So I make sure that I have documented what I've done. 454 00:45:32,590 --> 00:45:34,750 So this is like the how. 455 00:45:34,890 --> 00:45:37,050 And then sometimes there's the question like, why? 456 00:45:37,050 --> 00:45:44,790 Why was this particular, you know, let's just say, finding important? 457 00:45:44,790 --> 00:45:46,190 Why is it important? 458 00:45:46,190 --> 00:45:46,710 Okay. 459 00:45:46,710 --> 00:45:59,890 And then I have to make sure that I actually put there some recommendations so that, you know, in the future, what can we do in order to reduce the risk of similar incidents? 460 00:45:59,890 --> 00:46:10,390 And then sometimes when I write a lessons learned report, it can be quite, you know, depressing because of what happened. 
461 00:46:10,390 --> 00:46:35,770 And just, you know, between us in this particular space, there were times wherein there were parts there that I knew our team had already provided in a previous incident, but this particular client didn't learn from it, you know, they didn't like, 462 00:46:35,770 --> 00:46:40,290 you know, they didn't implement those changes. 463 00:46:40,290 --> 00:46:46,690 And then, you know, about a year or 18 months later, the same thing happened again. 464 00:46:46,690 --> 00:46:57,950 So sometimes it can be quite, you know, demoralizing, but I always try to, you know, remember, you know, like recognizing the positive. 465 00:46:57,950 --> 00:47:00,630 Okay, so I at least put something there. 466 00:47:00,630 --> 00:47:01,930 What was positive? 467 00:47:01,930 --> 00:47:03,310 Okay, I put something there. 468 00:47:03,310 --> 00:47:06,310 So it's not, you know, depressing. 469 00:47:06,310 --> 00:47:07,010 Okay. 470 00:47:07,010 --> 00:47:10,170 And then next slide, please. 471 00:47:10,970 --> 00:47:11,770 Okay. 472 00:47:15,090 --> 00:47:24,130 So when I write the lessons learned report, I also have to remember, what are my reader's goals? 473 00:47:24,130 --> 00:47:26,430 Okay, so who's my audience? 474 00:47:26,430 --> 00:47:33,830 So the report that I'm writing is something that's hopefully going to be used as a guide by my clients. 475 00:47:33,830 --> 00:47:53,210 And then one of the things that I always make sure of is that I write a good executive report, because depending on who your reader is, okay, there are some wherein they don't delve into the technical aspect, like the indicators of compromise, they just want to know what happened. 476 00:47:53,210 --> 00:48:00,190 And the executive, you know, summary must have those, you know, think of it, the highlights, the important things. 
477 00:48:00,190 --> 00:48:08,150 And especially for those higher-ups, like executive level or something, they don't have time to delve into the nitty-gritty details. 478 00:48:08,150 --> 00:48:11,450 And they just want, you know, the executive summary. 479 00:48:11,450 --> 00:48:34,530 But I also make sure that the technical aspects are also documented, put in the lessons learned report, so that for the other teams that exist, it could be like engineering, it could be like, let's just say if the network was, you know, part, if there's like something like network related in the particular incident, the people in the network engineering, 480 00:48:34,530 --> 00:48:36,950 they look at it, they understand something there. 481 00:48:36,950 --> 00:48:43,330 So, it's very important to make sure that I have the reader's goals in mind when I'm writing. 482 00:48:43,810 --> 00:48:44,490 Okay. 483 00:48:44,490 --> 00:48:46,610 And then next slide, please. 484 00:48:47,410 --> 00:48:48,110 Okay. 485 00:48:48,110 --> 00:48:54,990 So, in conclusion, okay, I want everyone to remember the mountain. 486 00:48:54,990 --> 00:49:17,250 So, every time you look at the mountain, I hope you remember the plot structure, because the plot structure will help you in terms of framing the narrative when you're creating any tabletop exercise for any simulations, or if you are trying to write your lessons learned report, 487 00:49:17,250 --> 00:49:19,990 like how did the event unfold? 488 00:49:19,990 --> 00:49:21,810 Okay, remember the mountain. 489 00:49:21,930 --> 00:49:24,690 And then second point, think of your reader. 490 00:49:24,690 --> 00:49:27,350 Okay, who's your audience? 491 00:49:27,350 --> 00:49:29,030 Okay, what are their goals? 492 00:49:29,030 --> 00:49:37,410 What do they want out of your, let's just say, your lessons learned report, and make sure that you present it in an orderly manner. 493 00:49:37,490 --> 00:49:42,130 And then this one is my call to action to everyone. 
494 00:49:42,130 --> 00:49:49,110 So, everybody's saying like, oh, we have to be, you know, make sure that we have like, enough people going into STEM. 495 00:49:49,110 --> 00:50:14,450 Okay, please also support the arts and creative industries, because all the things that I'm doing in terms of the technical aspect, the background that I've had in high school in terms of creative writing, and other artistic classes that I took as electives, have helped me in terms of communicating to the stakeholders, 496 00:50:14,450 --> 00:50:18,490 the management about, you know, issues or about incidents. 497 00:50:18,490 --> 00:50:24,310 So, please, let's make sure that we support the arts and creative industries. 498 00:50:24,310 --> 00:50:26,390 Okay, next slide, please. 499 00:50:26,390 --> 00:50:38,370 So, if you have any questions, okay, I don't know whether we have that option here in this space, or I am in the Discord. 500 00:50:38,370 --> 00:50:41,130 Okay, you could ask me questions there. 501 00:50:41,130 --> 00:50:46,050 Or you can like send me a message, or like send me a DM on Twitter. 502 00:50:46,050 --> 00:50:46,670 Okay. 503 00:50:46,670 --> 00:50:55,630 Or it could be not even related to this, it could even be like questions about where's the best coffee in Australia? 504 00:50:55,630 --> 00:50:57,190 No secret about it. 505 00:50:57,190 --> 00:50:58,290 It's in Melbourne. 506 00:50:59,330 --> 00:51:03,030 Okay, thank you very much for your time, for having me here. 507 00:51:03,050 --> 00:51:05,230 And please take care, everyone. 508 00:51:05,230 --> 00:51:05,850 Okay. 509 00:51:19,270 --> 00:51:21,090 Is there a question? 510 00:51:21,090 --> 00:51:23,590 I think there's a raised hand icon there. 511 00:51:24,490 --> 00:51:27,730 I did have a question. 512 00:51:27,930 --> 00:51:34,250 So, this is related to but not exactly on your topic. 513 00:51:34,490 --> 00:51:42,790 So, how often would you suggest that a company does tabletop exercises? 
514 00:51:45,610 --> 00:51:48,370 Let me just repeat his question. 515 00:51:48,370 --> 00:51:54,570 Ideally, how often should the company do a tabletop exercise? 516 00:51:54,570 --> 00:51:56,230 Did I get it correctly? 517 00:51:58,050 --> 00:51:59,250 Yes. 518 00:51:59,250 --> 00:52:00,030 Yes. 519 00:52:00,030 --> 00:52:00,690 Okay. 520 00:52:00,690 --> 00:52:04,790 So, ideally, it should be on an annual basis. 521 00:52:05,810 --> 00:52:06,650 Yes. 522 00:52:07,010 --> 00:52:10,790 So, and then why do I say on an annual basis? 523 00:52:10,790 --> 00:52:17,130 Because ideally, your IR plan should be reviewed on an annual basis. 524 00:52:18,010 --> 00:52:28,410 So, the ideal scenario is that, or situation is that, you make sure that everyone's familiar with their incident response plan. 525 00:52:28,410 --> 00:52:40,570 So, those who are involved in doing incident response should have, you know, a chance to go through it, to read through it, and then make sure that they're familiar with that. 526 00:52:40,570 --> 00:52:48,690 And then you make sure that you announce that you're going to have a tabletop exercise, make sure that everybody sets aside time for that. 527 00:52:48,690 --> 00:52:54,930 It doesn't have to be long, it could just be three hours, okay, or four hours, depending on how long the scenario is. 528 00:52:54,930 --> 00:52:57,110 So, you can block, you know, like half a day. 529 00:52:57,110 --> 00:53:05,330 And then you make sure that there is someone there who's taking down notes, because that's needed for the after action report. 530 00:53:05,330 --> 00:53:05,610 Okay. 531 00:53:05,610 --> 00:53:07,590 And then you run your scenario. 532 00:53:07,590 --> 00:53:22,170 And then based out of that, you know, scenario, then, you know, you go back if you need to, you know, review, change your IR plan, or if there are certain, you know, policies, you know, or processes or procedures that need to be updated. 
533 00:53:22,170 --> 00:53:24,570 So, ideally, on an annual basis. 534 00:53:24,570 --> 00:53:36,230 And then you make sure that once you've updated your IR plan, you put there the date where you conducted your tabletop exercise. 535 00:53:36,230 --> 00:53:41,490 So, think of it as you tested your IR plan with that tabletop exercise. 536 00:53:41,830 --> 00:53:44,830 So, does that answer your question? 537 00:53:45,510 --> 00:53:46,890 Yes, thank you. 538 00:53:47,070 --> 00:53:48,550 Okay, no worries. 539 00:53:48,570 --> 00:53:50,070 Okay, anybody else? 540 00:53:54,050 --> 00:53:55,530 Okay, no questions. 541 00:53:55,530 --> 00:53:57,350 So, once again, thank you very much. 542 00:53:57,350 --> 00:53:59,130 Okay, how do I drop the mic? 543 00:54:00,350 --> 00:54:02,470 Press the letter R on your keyboard. 544 00:54:03,170 --> 00:54:04,830 Sorry, the letter what? 545 00:54:05,550 --> 00:54:06,890 Romeo, R. 546 00:54:06,930 --> 00:54:07,490 Ah, Romeo. 547 00:54:07,490 --> 00:54:08,710 Okay, thank you. 548 00:54:09,710 --> 00:54:12,870 Okay, and let me... Thank you very much. 549 00:54:13,450 --> 00:54:16,070 Well, thank you, Gael, for an excellent presentation. 550 00:54:16,070 --> 00:54:17,010 Thank you. 551 00:54:17,010 --> 00:54:23,970 We have about six minutes till the next speaker, so hang around, take a mile break, and we'll be right back. 552 00:54:24,350 --> 00:54:25,350 Okay.