I'm your host for today. And welcome to DEF CON 30, AltspaceVR Virtual Reality Theater, where we're having DEF CON presentations. You're probably sick of hearing this from me, but new people are popping in and out all the time. Our next speaker is Guile. Guile has been volunteering with different online communities for the past two years by mentoring, moderating Discord servers, and presenting in different community-based InfoSec conferences. She's been in the tech industry since the early part of this century. Guile has a graduate certificate in response from SANS Institute and a master's in cybersecurity digital forensics from the UNSW Canberra. Her day job is doing proactive and reactive work as an incident responder. And her talk is, How My High School Creative Writing Class Helped Me to Become a Better Incident Responder. So, Guile, please take it away.

Thank you. Go there. Oh, wait a minute. Got to make sure you have access to the stage. That might help. Okay. Let's see if I could get there. There you go. You have access now. There we go. Okay. So... Okay. There we go. So, I do have megaphone access now. Can everybody hear me properly? Great. Sounds good. Okay. Thank you.

So, good morning, everyone. I want to say good morning. It's 4 a.m. here. Two minutes after 4 a.m. So, I am calling... I'm dialing into this virtual reality space from Naarm or Melbourne, Australia. So, first off, I'd like to start by doing an acknowledgement of country. I'm presenting from the lands of the Boon Wurrung people, and I wish to acknowledge them as traditional owners. I would also like to pay my respects to their elders, past and present, and Aboriginal elders of other communities who may be here today. Thank you. Next slide, please. Next slide. Yes. Okay. So, I've been introduced. Thank you very much for that. So, I just wanted to add that I'm part of the first cohort of Project Friedman. 
This is an initiative here in Australia by the Women Speak Cyber and the AWSN, Australian Women in Security Network, to help make sure that we have diversity of thought and representation in our security, our infosec community here in Australia. I got training in terms of how to present in conferences. So, I do have a Twitter account. I have open DMs. So, please feel free to send me a DM if you have any questions afterwards about my presentation. Next slide, please. Okay. So, for this presentation, I'm going to be covering three areas here. So, first off, I'm going to talk about what's that creative nerd there. And then after that, I'm going to talk about incident response. And then I'm going to be, you know, giving some parting words. Okay. So, next slide, please. Okay. So, this is a photo, an old photo of mine. And this dates back from my high school time. And I was just, this particular day, I remember this vividly because I was just, you know, I brought the family camera. And this was before the time of, like, you know, digital cameras and all those things where you have to make sure you have a negative, you know. And then we have to take it to a store to have it processed. So, I was, like, you know, being all silly and just being goofy. And I borrowed one of my classmates, you know, beret and just, like, pretending I'm, you know, the artsy-fartsy person. And just for context, I actually went to a public school that is known for its strong science and math curriculum. It was called a Science High School. So, the concept was that there be high schools that are really focused on the STEM or to make sure that the students have this good background in science, technology, and mathematics in the hopes that we will go to the university and major in the STEM areas. So, if you cannot tell from my accent, I'm originally from the Philippines and I migrated to Australia. 
So, I was really lucky to get into that school because the entrance exam was really very competitive and we were, like, ranked. And then we had to make sure that we also passed the interviews. But the great thing about being in that Science High School was that there was also what we call electives, so we can take non-science and technology classes. And one of the first things that I signed up for was the creative writing class. And honestly, I was really glad that this was before social media. So, anything that I had in terms of photos and all those things were safe until my dad discovered Facebook and started scanning all my high school photos and started sharing it to everyone. Well, in a way, that was great because I asked him earlier this week, Hey, Dad, do you remember? Do you have one of my photos from high school? Ah, sure, sure. Which one? And then he sent me this one. So, that's the background. That's the context of why I called myself the creative nerd because I was a nerd first before I became a geekette. And so, next slide. So, next slide, please. So, one of the first things that I learned from my high school creative writing class was to really do research and, you know, document whatever that I come up with. And at the time, interviews, you know, contact people and interview them for your story or you read up... before we had internet back then. And the way to do research is actually go to a physical library, talk to a librarian, and then, you know, if you need, like, a book or something, there was a card catalog. Quick show of hands here or, like, show me your emojis. Anybody here has seen and used a card catalog in the library? Okay, any emojis? Okay. Okay, great. Okay, that's good. So, for those who haven't used a card catalog, so think of it like before we had the search engines, like, you know, Google. Before Google, there was, like, Yahoo. You know, that was the way how we did, like, research in the library. 
There's a series of, like, cards, and then they're alphabetically arranged. You know, you have topics, then you have, like, titles, and then it could be arranged by, you know, authors. Okay, so that's how we did the research. So, the first thing, the most important thing before you start, you know, like, writing anything, you have to think of an idea. Like, what do you want to, you know, tell? What's the story that you want to tell? You have to start with an idea. But the challenge is that sometimes if you're just, like, you know, stuck in a rut, you know, you can't really think of an idea. That's why there are things like story prompts. So, I remember, like, a week after, like, the first class, we were told, like, come up with an idea. So, the teacher, you know, said, like, okay, so what are your story ideas? And a lot of us were stumped, and that's why I should introduce, like, story prompts. So, what are story prompts? It's sort of like this, a sentence, you know, like, about something, and then you start, you know, building up, you know, from that particular story. So, you start with an idea. Then after that, you know, you think of a setting. So, you have to make sure that you do your research in terms of your setting. Where is it going to be? Is it going to be, like, local to our area, or is it in another city, another, you know, location? Or if you're thinking of something like writing, like, science fiction, is it set in this planet, or another planet, another galaxy? And then think of the period. When we say period, we're talking about the time, okay? Is it, like, is your story set in the present, or is it in the future? Or are you thinking about having a historical, you know, context? So, you've got to, like, do your research regarding that particular period. And then, of course, there's character building. 
So, for those of you who are, you know, into games, or let's just say Dungeons & Dragons, so you're probably familiar with, you know, that particular, you know, you have your... Think of it as, like, what's going to be, you know, the moral code of your, you know, character. You're going to be thinking about, okay, are they, you know, more on the good side, you know, like, evil side, or you're neutral. But mostly, when we start writing, we think of your hero, your protagonist, okay? So, and then you have to start thinking about their, you know, inner world, about their origin story, where did they come from? So, you have to start thinking about that. Okay, then lastly, of course, depending on the setting, you know, it's going to be about the genre. So, if you're thinking about, like, something in the future set in the other planets, or other galaxies, or something. So, that could be science fiction. But within science fiction, there's a lot of things that you can explore there. So, all in all, all these things that you've thought about, you need to make sure that you've done your research, and you've documented everything. You need to make sure that you, you know, write notes. And at that time, I just want to show, like, share this, my first attempt in using a computer. At that time, okay, there was a lot of, it was summer, and there were a lot of power outages. And I went to my mom's friend's house, who has a computer. And at the time, I really didn't know how to use a computer. And I just wanted to make sure that I'm able to type my story. And I was told, okay, this is how you do that. Okay, so that's your screen, black screen, you know, that was WordPerfect. And I have all these handwritten notes, and I have this story that I've written on paper. But as I was typing, I, you know, there are, like, other ideas that came in, and I just kept, like, you know, typing everything. And then suddenly, there was power outage. 
And then after, like, about 15 minutes, the power came back. And then I asked my, I call him uncle, although I'm not, you know, biologically related to him. I asked my uncle's kid, okay, so, okay, where's my work? I was, like, just typing, and then suddenly, the lights went out. And after that, it came back on, and I don't see my words there. And then he looked at me and asked, like, did you remember to save it? Like, what do you mean by saving? Okay, there was no way for me to recover, you know, those, like, I think I spent about three hours typing up my story. And then, like, okay, and that was my first experience in making sure that I always have, you know, redundancy. I have, like, backups and all those, you know, things. So, things that I learned from my creative writing class have really helped me when I shifted careers, like, you know, moving to tech. Okay, now, next slide, please. Okay, now, so, another important thing that I learned from my creative writing class was about the plot structure. Think of a plot structure, if you're a visual person, think of it like a mountain. So, sometimes it's called a story mountain, and sometimes you just see some examples like a plot diagram. So, you can see towards the left, you have there, left side of the mountain there, you have the exposition. So, think of it as the part of the plot when you start introducing your protagonists. Okay, and you also set the setting and the location there. And then, afterwards, you have what is called the rising action. This is the part of the story that, this is basically after you've set your tone. Okay, and you've written something about your readers. I'm sorry, you've written something about your protagonists, and your readers are now invested in your protagonists. And think of the rising action as an event that interrupts this pattern. And this basically begins the story arc. 
Think of it as also, could be like there's a first conflict in your story, and then it ends with an event that changes everything for your protagonists. Okay, then towards the top of the story mountain, you have your climax. This follows the rising action. This is when everything comes together to create that single dramatic moment. So, that is the climax of the story. And then, after the climax of the story, you have to have the falling action. Sometimes some writers immediately move from climax to the resolution. But it is better to have a falling action, because you have to make sure that the tension and the conflict has started to resolve. And then your story starts winding down towards the resolution. And when we talk about the resolution, that is basically the conclusion of your story's plot. It could be just one scene, or it could be a series of scenes that will tie down your narrative arc to make sure that you show that something happened to the protagonist, and then what happened to that protagonist, and what changed in that protagonist's life. So, that is the resolution. So, this is basically your plot structure. And all stories should have this plot structure. Now, next slide, please. Sorry, I just have to have a sip of water here. So, in terms of the other important thing that I learned in my creative writing class is about knowing my reader and knowing myself. So, first of all, I have to make sure that I understand who is my target audience. I need to know, am I writing for, let's just say, my friends, family members, or am I writing for my classmates, or am I writing for the community? Because depending on your target audience, think of it in terms of the words that you use. So, of course, in terms of community, like in the Philippines when I was growing up, it was quite conservative. And the first story that I wrote was about a same-sex relationship. And at that time, that was considered quite controversial. 
And I was like, hey, you're too young to be writing about those stuff. And I was talking about it's about someone finding their identity and all those things. But I have to be very careful about the terminologies and all those things. So, in a way, I was self-censoring. But, you know, years later, I just realized that I shouldn't self-censor myself because I'm basically writing for myself. So, and then how will you tell your story? So, basically, there's the plot structure, you've done your research, and then how am I going to be telling my story? So, these are the important things that I've learned from my creative writing class that I still remember after so many decades later. So, what happened to this creative nerd? So, the creative nerd went to the university. Instead of majoring in science technology, I majored in psychology because I wanted to understand myself better. And at that time, it was, you know, difficult having like a career out of the university as, you know, a psychologist or as a psychology major. So, my family wanted me to either go to med school or law school. And I initially thought I want to go to med school, but I dropped by and thought like, nah, I don't want to do like, you know, all the dissection and all those things. And then I decided I'm just going to go to law school. So, after finishing my degree in psychology, I went to law school. And when I was there, I realized that, hey, I'm not like the very argumentative type because I'm turning into a very argumentative person. No matter what happens, we were being trained to win every single, you know, little argument. And I thought like, that's not what I want to do. And so, I got out of law school after two years. So, I joked that, hey, does that make me an outlaw because I dropped out? Anyway, then I got connected to the Internet. And when I got connected to the Internet, I realized, oh, there's a world out there and I want to be part of it. 
And that started my shift, career shift to tech. So, early part of this century, I moved into tech and I started my career doing networking stuff, Cisco stuff, and I love that. But I really wanted to focus on cybersecurity or at the time it was network security. It's largely because when I got connected to the Internet, I used IRC and I had an online stalker. So, that's why I was like really concerned about security. Anyway, eventually, so from doing networking, network security stuff, I moved into cybersecurity. And I really wanted to do forensic stuff because I've been reading mystery since I was a kid, mystery novels, all those things. So, now I'm at this point in my life and my career where I'm doing something that I really love. And it's digital forensics and focusing on digital forensics and incident response. So, now, next slide, please. Let's talk about incident response. Now, quick question for the listeners. What is the first thing that goes into your mind when you think about incident response? Next slide, please. Do you think of yourself like having a similar expression to this person in this photo? So, sometimes people consider incident response as one of the more stressful kind of work in the infosec area. Because basically, you're being called upon to respond to a particular incident. So, next slide, please. Now, before I start talking about incident response, I just want to clarify something about the terminology. So, when we talk about incidents, we need to always clarify that when we're talking about incidents. So, first off, there's the word event. When we say event in the context of incident response, an event is just basically something that is observable. An event is something that is observable. So, it could be, you know, there was a user connected to a particular website, visited a particular website, you know. So, that's an event. That is something that is observable. 
Now, when we talk about incident, incident basically means there was an event, an observable happening. How do you observe that? You have like logs, you have some evidence there. And the event itself, that's observable, is something that breaks, you know, the security triad, the CIA. Either confidentiality, integrity, availability. So, that becomes an incident. So, basically, an incident is an event that's observable, but it affects the CIA, or it breaks certain security policies in your organization. So, when we talk about incident response, it is a process to help protect the organization, and it has several stages. So, what's the difference between digital forensics and incident response? So, digital forensics by itself is both an art and a science in terms of understanding what has happened within a system or inside, let's just say, an organization or within your, you know, network infrastructure or your infrastructure. So, there are different artifacts. When we say artifacts, these are like the evidence, sources of evidence. And then incident response uses a lot of the techniques and knowledge from digital forensics in order to help protect your organization. So, incident response is, think of it like a practical organization, sorry, incident response is the practical application of your digital forensics. So, the incident response is like you're responding to an incident right now, the present moment. And then digital forensics, think of it, you're looking at what happened in the past. So, you're using your different tools and techniques to understand what happens. You're collecting all these artifacts, evidence, you're making sure that you preserve them just in case you need to present this, you know, case in court. So, that's the difference between digital forensics and incident response. Now, next slide, please. Now, when we talk about incident process, there are several frameworks that are available out there. 
So, the first one is the NIST, that's from the National Institute of Standards and Technology. And this particular incident response framework is actually in the special publication 800-61 Revision 2 or 800-61 R2. So, NIST is a government agency and works on technology. And their framework for incident response, or sometimes you can see it like incident handling, there are four steps. Now, there is SANS. So, SANS is known for providing security training. And initially, SANS used to call itself SysAdmin, Audit, Network, and Security. So, that's the meaning of SANS. And compared to the NIST, this is a private organization and they're very much focused on security. And for them, their incident response framework has six steps. Think of them, you have the PICERL. This is the acronym for those steps for the SANS incident response framework. Now, can you please go to the next slide, please? So, for NIST, you have there the four steps in the incident response. So, you have preparation, and then you have detection and analysis. And then after the detection and analysis, you have containment, eradication, and recovery. And then after that, you have the post-incident activity. Now, let's look at the next slide, please. Can you please go to the next slide? So, for SANS, compared to the NIST framework, SANS has six steps. There are six phases. So, there's the preparation, identification, containment, eradication, recovery, and lessons learned. So, next slide, please. So, comparing this, you can see that both frameworks have the preparation phase. And then you have the identification phase as the second phase. And then you have the containment, eradication, and recovery, which are three separate phases from SANS. This is actually the third phase under NIST. And then the lessons learned phase from SANS is called the post-incident activity. So, at this point, I'm just going to go through the six steps of the SANS framework. 
So, when we talk about the preparation phase, this is where you should be making sure that you have your documentation in place. Ideally, you have your security policies. You do your reviews and you make sure that the security policies are well-known in the organization. This is the time where you're also doing a risk assessment. You're basically making sure that you know all your assets when we talk about assets. These are your endpoints in the context of incident response. It's your laptops, desktops. And then you also have to make sure that you identify what are the sensitive assets. And then you also make sure that you define which are the critical security incidents that the team should focus on. Because you don't want to call the incident responder when you're just dealing with what turns out to be a desktop issue. It could be like, oh, the printer didn't work or something. So, that's not a security incident. You have to make sure that you have a definition of severity levels, priority. During the preparation phase, if your organization hasn't built a computer security incident response team, this is the time that you should be doing that. During the preparation phase. And then you're also making sure that your team is prepared to respond to incidents at this point. Now, the second phase is called identification. This is when you have monitoring of your systems. And then you have to know what is normal operation, what is normal for your organization. And this is the phase where you are detecting any deviation from the normal operations. And you have to understand or check, make sure that these are representing actual security incidents. And during the identification phase, when an incident is discovered, you need to collect additional evidence. You need to establish the type, severity, and you need to document everything. And then from that second phase, you now go to the third step. This is where you do the containment. You perform short-term containment. 
For example, you may need to isolate a certain part of your network or a network segment that is under attack. And then you move to long-term containment, where you may need to implement some temporary fixes to make sure that your systems can still continue to be used in production, while at the same time, you are rebuilding the clean systems. And then from the containment phase, you move to the eradication phase. This is where if you are affected by a malware, you're removing malware from all your affected systems. And this is when you're trying to understand the root cause of the attack. And then you are making sure that you're trying to prevent similar attacks to happen in the future. And of course, that goes hand-in-hand with the recovery, wherein you will be bringing back your production systems online. You have to be careful before you bring back your production systems online. And typically, for a lot of the incidents I've worked in previously, there's always a check of the systems. For example, if there was a ransomware attack, before a system is fully put back to the production, we have to make sure that we have swept the entire system. Are there any indicators of compromise there? Is this a clean system? Can we put it back online? Or if it's like a backup, make sure that the backup is clean. And then part of the recovery phase is to test and verify. You monitor all the affected systems to make sure that they're back to their normal activity. Think of it like business as usual. And then lastly, you have the lessons learned phase. This is very important. Some organizations don't do this, but it's very important that you have a time frame. It's best that two or three weeks, not let's just say six months or one year after the incident. It has to be as soon as possible. Maybe it's like two weeks. You need to perform, let's just say, a review of the incident. You need to make sure that you have a complete documentation of the incident. 
If you need to further investigate the incident, you need to understand what was done to contain that incident. And then whether there's any improvement in the process. If you have issues in terms of processes, technology, or people, this is the time wherein you're supposed to learn from this particular incident. But there should be no shaming, no victim blaming, and all those things. That's our basis in the incident response. Now, in terms of the preparation phase, you can see towards the right of this particular slide, I have an arrow called proactive. In incident response, we have what we call proactive and reactive side. When we say proactive, this is the part wherein we are doing proactive projects or activities to help prepare us. And then towards the identification phase, towards the lessons learned, these are parts of the reactive. Wherein you're actually reacting to an ongoing incident in your organization. One of the activities that we do in terms of the proactive side of incident response is doing a tabletop exercise. Who among you here has participated in a tabletop exercise? Somebody could like, you know... Now, for the others who haven't participated in a tabletop exercise, I'm just going to be explaining what is involved there. Sometimes it's called TTX for short, tabletop exercise. So think of a tabletop exercise as a mock incident. So it's not a functional exercise. When we say functional exercise, you present the group with alerts and they're supposed to be trying to simulate how you're supposed to be responding. You're going to be checking the dashboards. It's a functional exercise. When we talk about tabletop exercise, it's a mock incident. There is a security incident and you are just giving them scenarios. And they're not going to be checking any dashboards. They're not going to be logging into the monitoring systems or the EDR, the endpoint detection response tools. They're not going to be looking at that. 
This is purely a tabletop exercise. Think of it, it's purely scenario-based. You are not responding to a real incident. Everybody's just there, sitting down, and everybody's just doing some discussions. And the goal here, there will probably be several goals, but mostly it's to test the IR plan. And then test the readiness of the organization in terms of if something similar to this scenario happened to your organization, what are you supposed to do? Who's supposed to be doing this? Who's supposed to be leading the incident? Who's supposed to be doing those other things that are in the IR plan? Before you actually have a tabletop exercise, make sure that you have at least a basic IR plan in place. And everybody who is involved in responding to the incident should be familiar with the IR plan. In terms of making sure that the discussion moves along, you need to make sure that when you create tabletop exercises, you have injects. Injects are additional information that you provide to the participants in your tabletop exercise. Ideally, the audience or the people who are participating in the tabletop exercise is composed of people who will be part of the incident. So you'll have a mix of technical people. And then also the best tabletop exercise will also have some people who are in the management area, because you will need to make sure that you involve certain managers so they're aware of what's happening. Sometimes if, let's just say, a particular incident would involve communicating with external agencies or external parties, you need to make sure that you have someone, let's just say, doing the comms for this. Because it could be, let's just say, the incident is like ransomware. You're preparing for a potential ransomware attack. You need to make sure that you have somebody who's in the legal team who may need to contact the insurance for your cybersecurity insurance. 
And then the other would be that you need to have an external facing statement from the corporate communications, providing a message out there that you have the situation under control and you're investigating it. So it would be good to have all these people who would potentially be involved in a major security incident. You can make sure that you have them there. Okay, so how are we, or like in my case, when I started, you know, creating scenarios for tabletop exercises for my previous clients, this is where the creative nerd came out. So I was a nerd first before I became a geekette. So the creative nerd in me started thinking about the things that I learned in my creative writing class. So next slide, please. So whenever I created scenarios, I made sure that I'm familiar with my client's incident response plans. And the incident response plan would actually have, you know, all these different IR phases, you know, identified there. So when I created, you know, a scenario, every time I need to create our scenario, of course, I need to make sure that first, okay, I set the scene. So think of it, it's like towards the left of that plot mountain. So I'm basically providing, think of it, I'm basically providing the exposition. So usually I put something there, like there's a day, okay, let's just say it's Wednesday morning. A user may, you know, a user contacts the help desk saying that they saw something unusual in their screen. And there was a strange message there. So think of it as, you know, preparing your, you know, scene there. So you're basically doing your exposition. And then afterwards, next inject, you know, for that tabletop exercise, other users started complaining that they can't do anything. So you're basically setting up the rising action. And then you start doing, if you're the incident responder, you start identifying who are the affected people. 
And then you ask them for, let's just say, any screenshots or read out, like if there's like any message that they see there. And then you have towards the top, the climax of where you're doing the containment eradication. Maybe it's because, you know, there's like another inject. You started like, you know, you saw the message and then you did some research. It's a ransom note and it's with a particular, let's just say, threat actor or a particular group, APT groups, that's like using this kind of, let's just say, malware. And then you start doing your containment eradication. And then you have your falling action or in your started doing your recovery as part of your incident response. What are you supposed to do? So it could be that you have other systems that were affected and you started like using, you know, your team backups, putting them back there. And then you have the resolution. Think of it, it's your lessons learned towards the end of that particular scenario in your tabletop exercise. So for those who may be tasked to do tabletop exercises, remember this plot structure. And then think of it, it's sort of like kind of mapped to the different phases there. And you can write appropriate injects for your particular scenario. Next slide, please. Now, after your tabletop exercise has been conducted, make sure that you have an after action report. Okay, this is important. This is basically documenting what was, you know, what happened during the tabletop exercise. Like for particular, you know, parts of these scenarios based on the injects. What was the decision? What did people, you know, decide? What did they do? If let's just say your goal was to improve the IR plan or the IR process, you have to make sure that someone during the tabletop exercise, someone was like taking down notes. And then these notes will form the basis of your after action report. You need to identify, let's just say, according to the incident response plan. 
Whenever, let's just say, major severity or, you know, let's just say major, you know, cybersecurity incident happens, there should be a message that goes out to the group chat over, let's just say, Slack. Okay, so if you're using Slack, so according to your IR plan, you're supposed to be using Slack. And then during the tabletop exercise, people started, you know, saying that, oh, we're just going to start sending messages via WhatsApp. So there's a deviation between the practice, actual practice and the plan. So you'll have to decide as an organization, like, are we going to change our incident response plan to indicate that whenever there's an incident, we're supposed to be using WhatsApp? So the question is, is WhatsApp one of your approved, you know, application when in fact you have Slack? So these things that you've learned during the tabletop exercise, you put it in the after action report, so that it will drive changes. Sometimes the incident response plan... you were using, let's just say, an old, you know, ticketing system, and then you move to a new ticketing system. And by the time that you did this tabletop exercise, everybody kept referring to the new ticketing system. So you need to, you know, update your IR plan. Okay. Now, next slide, please. Another application of the creative writing class, you know, learnings I had was whenever I actually sit down, and then I need to write a lessons learned report. So this is towards the reactive part of our IR process. So I make sure that I have documented what I've done. So this is like the how. And then sometimes there's the question like, why? Why was this particular, you know, let's just say, finding important. Why is it important? Okay. And then I have to make sure that I actually put there some recommendations so that, you know, in the future, what can we do in order to reduce the risk of similar incidents? 
And then sometimes when I write lessons learned report, it can be quite, you know, depressing because of what happened. And just, you know, between us in this particular space, there were times where in there were parts there that I knew with our team has already provided in a previous incident, but this particular client didn't learn from it, you know, they didn't like, you know, they didn't implement those changes. And then, you know, about a year or 18 months later, the same thing happened again. So sometimes it can be quite, you know, demoralizing, but I always try to, you know, remember, you know, like recognizing the positive. Okay, so I at least put something there. What was positive? Okay, I put something there. So it's not, you know, depressing. Okay. And then next slide, please. Okay. So when I write the lessons learned report, I also have to remember, what are my reader's goals? Okay, so who's my audience? So the report that I'm writing is something that's hopefully going to be used as a guide by my clients. And then one of the things that I always make sure is that I write a good executive report, because depending on who your reader is, okay, there are some wherein they don't dwell into the technical aspect, like the indicators of compromise, they just want to know what happened. And the executive, you know, summary must have those, you know, think of it, the highlights, the important things. And especially for those higher ups, like executive level or something, they don't have time to dwell into the nitty gritty details. And they just want, you know, the executive summary. 
But I also make sure that the technical aspects is also documented, it's put in the lessons learned report, so that for the other teams that exist, it could be like engineering, it could be like, let's just say if the network was, you know, part, if there's like something like network related in the particular incidents of people in the network engineering, they look at it, they understand something there. So, it's very important to make sure that I have the reader's goals in mind when I'm writing. Okay. And then next slide, please. Okay. So, in conclusion, okay, I want everyone to remember the mountain. So, every time you look at the mountain, I hope you remember the plot structure, because the plot structure will help you in terms of framing the narrative when you're creating any tabletop exercise for any simulations, or if you are trying to write your lessons learned report, like how did the event unfold? Okay, remember the mountain. And then second point, think of your reader. Okay, who's your audience? Okay, what are their goals? What do they want out of your, let's just say, your lessons learned report and make sure that you present it in an orderly manner. And then this one is my call to action to everyone. So, everybody's saying like, oh, we have to be, you know, make sure that we have like, enough people going into STEM. Okay, please also support the arts and creative industries, because all the things that I'm doing in terms of the technical aspect, the background that I've had in high school in terms of creative writing, and other artistic classes that I took as elective has helped me in terms of communicating to the stakeholders, the management about, you know, issues or about incidents. So, please, let's make sure that we support the arts and creative industries. Okay, next slide, please. So, if you have any questions, okay, don't know whether we have that option here in this space, or I am in the Discord. Okay, you could ask me questions there. 
Or you can like send me a message, or like send me a DM in Twitter. Okay. Or it could be not even related to this, it could even be like questions about where's the best coffee in Australia? No secret about it. It's in Melbourne. Okay, thank you very much for your time for having me here. And please take care, everyone. Okay. Is there a question? I think there's a raised hand icon there. I did have a question. So, this is related to but not exactly on your topic. So, how often would you suggest that a company does tabletop exercises? Let me just repeat his question. Ideally, how often should the company do a tabletop exercise? Did I get it correctly? Yes. Yes. Okay. So, ideally, it should be on an annual basis. Yes. So, and then why do I say on an annual basis? Because ideally, your IR plan should be reviewed on an annual basis. So, the ideal scenario is that or situation is that you make sure that everyone's familiar with their incident response plan. So, those who are involved in doing incident response should have, you know, a chance to go through it, to read through it, and then make sure that they're familiar with that. And then you make sure that you announce that you're going to have a tabletop exercise, make sure that everybody set aside time for that. It doesn't have to be long, it could just be three hours, okay, or four hours, depending on how long the scenario is. So, you can block, you know, like half day. And then you make sure that there is someone there who's taking down notes, because that's needed for the after action report. Okay. And then you run your scenario. And then based out of that, you know, scenario, then, you know, you go back if you need to, you know, review, change your IR plan, or if there are certain, you know, policies, you know, or processes or procedures that need to be updated. So, ideally, on an annual basis. 
And then you make sure that once you've updated your IR plan, you put there the date where you conducted your tabletop exercise. So, think of it as you tested your IR plan with that tabletop exercise. So, does that answer your question? Yes, thank you. Okay, no worries. Okay, anybody else? Okay, no questions. So, once again, thank you very much. Okay, how do I drop the mic? Press the letter R on your keyboard. Sorry, the letter what? Romeo, R. Ah, Romeo. Okay, thank you. Okay, and let me... Thank you very much. Well, thank you, Guile, for an excellent presentation. Thank you. We have about six minutes till the next speaker, so hang around, take a mile break, and we'll be right back. Okay.