[Music]

Okay everybody, the next talk is from Gal de la Cruz about incident response.

Thank you very much. So once again, thank you for having me here. This is my second time doing a talk at LCA, so it's really good to be back. Before I start, I'd like to begin by acknowledging the traditional owners of the land on which we meet virtually today, and I would like to pay my respects to elders past and present.

So this particular talk is based on the things that I've experienced before. There are always a lot of questions, so I'm coming from the perspective of system administrators who are probably thinking, why are they referring to us as incident responders? Why are they asking me to do this? Or, as I call this talk, Adventures in IR-land.

So first off, for those who are wondering, I'm based in Melbourne, where we have the best coffee, and I'm a senior security consultant focusing on incident response, and I'm part of the IBM X-Force IR, so it's a cool name, X-Force. So I shifted to tech in the early part of this century and I received my graduate certificate in incident response from the SANS Institute, and went on to go for a master's in cyber security focusing specifically on digital forensics. And I volunteer for different organizations, so I hang out in different Slacks and Discord channels after work, and I do mentoring with different organizations. If you have any follow-up questions or anything, feel free to DM me on Twitter; my DMs are open.

Now, what will I be talking about? Basically just these three things here: why I decided to submit a talk again to this Linux conference, specifically in this system administration miniconference; then I'm going to be talking about the incident response life cycle; and then what the typical activities and questions are. So let me just make sure that I have everything here, that I can still see something here. Okay, so.

It was last year when I read the X-Force Threat Intelligence Index report, and one of the things that actually stuck in my mind was that there was a proliferation of malware that targets Linux towards 2020. So the 2021 Threat Intelligence Index actually covers the previous year; now, this year, 2022, the report is being generated and finalized. So this particular thought stuck in my mind, and, for someone who (okay, please don't flame me or something) basically has a Windows background, I thought, now threat actors or attackers are focusing on the Linux operating system, and largely because we have the cloud, sort of our resources up there, or, let's just say, the cloud options up there where you could spin up your servers. So there is also that widespread adoption of Linux as the operating system, and so there is actually a rise in the Linux malware families. Specifically, what my colleagues in the X-Force IR team and the intel team actually found out was that there was a rise in terms of developing Linux cryptominers and ransomware, because of that move of the servers to the cloud. Now, it was quite interesting that in some of the incident response cases that my colleagues have investigated, they found the Linux variant of the Defray777 or RansomEXX ransomware, and also the SFile ransomware. So that stuck in my mind and I thought, hey, I want to make sure that people with a Linux background could sort of understand why we are asking a lot of questions during the incident response process.

And one of the things that I want to highlight, especially to you who are listening to my talk, is that you as the system admins are actually considered security incident first responders, whether you like it or not. You are part of the bigger IR process. And why? Because you're the one who has deployed your servers, or if not, you are the one who is taking care of the servers and the applications there, so you are the best person to understand what is happening in your servers and your environment. And if there's something dodgy going on, using your tools, or whatever monitoring tools or scripts that you may have there, you will be alerted, so you will have that first-hand knowledge about your systems. And so my goal for this short talk is to walk you through the IR process so that you understand why you may get asked certain questions, or why you may be asked to participate in certain activities.

Now, there is this diagram. This is a classic diagram; it actually comes from NIST. There is a document called the Computer Security Incident Handling Guide, and think of IR as a life cycle, where each phase has its own distinctive activities.

Now, the idea, before you actually have an incident, is that you should be prepared. Or, if you haven't had any incidents yet, that's really fantastic, but you don't rest on your laurels and say, yeah, we haven't had any incidents or anything, or security breaches. It is a reality and a sad fact that there will be breaches, there will be incidents, and you need to be prepared for that. So the first part of the IR life cycle is preparation. So what is involved in preparation? First of all, you have to have an IR plan. Now, if you don't have an IR plan in your organization, please start brainstorming and thinking about it, and make sure that you have a plan that is communicated to everyone in the technology teams so that they are aware of what they are supposed to do in case there is a breach or a security incident.

Now let me clarify first the terms about incidents, because some people get confused about events and incidents. When we talk about an event, that means there is an observable change, or there is something that occurred. So what is an event? It could be that there was a connection from one endpoint, like a host, connecting to a server; so that is an event. Now, what is an incident? Incident basically means, in the parlance or terminology of incident response, that there was an event, it's not a false positive, it's a true positive, and it has breached the security triad. So what's the security triad? You have the CIA, so you have (not the agency, but) confidentiality, integrity and availability. So that's how we define an incident.

Now, in order to prepare for the response to an incident, there are things that you can do. There is what is known as a tabletop exercise, or TTX. So you, as the system administrator, as part of the security first responder team, could possibly be invited to join or attend a TTX. So if they ask you, could you please attend the tabletop exercise, please don't say no; please say yes, because this is the chance for you to actually be involved in a simulated incident. Think of it as a mock incident: there is an incident, a scenario based on the most likely incidents that will affect your industry or your organization, prepared by either someone inside the organization, or it could be that they've engaged a consulting team. So just to clarify, when we talk about tabletop exercises, this is non-functional, because some technical people are kind of afraid, like, oh, I need to do this and do that and all those things. No, just think of it like this: everybody gets talking. There's going to be a situation provided to you, and then you'll be asked to talk about what you are supposed to do once you see this or get this particular information. And then after that there are going to be injects. Injects are additional information that is provided to you to move the incident along. So once someone asks you, could you please attend the tabletop exercise, just say yes.

Another thing that you could potentially be asked to do as part of the preparation phase is to check a playbook. So what is a playbook? Think of this as the processes or the procedures that are needed in order for the organization, or for your team, to respond to security incidents. So sometimes, as the subject matter expert, you will be consulted and asked, hey, we have this playbook for this, could you please take a look at that, would you please check this? So please say yes.

And then another thing that you could potentially be asked about is logs. So us digital forensics investigators, incident responders, we love logs, because logs give us a lot of information regarding timestamps and what has happened, so log analysis is one of the things that we do as incident responders. Now, maybe you'll be asked, hey, could you check the log retention period: how long do we keep our logs locally? And then, aside from local storage, there's also such a thing as, are we sending it somewhere? It could be in another data center, it could be in the cloud. So the log retention period is important, especially if we need to go back and check what happened before a particular incident.

So that's for the preparation phase. The next phase is called detection and analysis. So it is possible that by the time you've been called to install an EDR, an endpoint detection and response agent, on the endpoint, there is already an incident, and to further figure out what's happening across your environment you may be asked to suddenly deploy an EDR agent. Supposedly this EDR agent should have been put in there during the preparation phase, but sometimes you may not have that, and you've got to do what you have to do.

Now, another thing that you may be asked to do is to run certain scripts to collect a triage package. So just to clarify, a triage package: think of it as the basic information needed to investigate the incident. So you will probably be asked, for example, there is Velociraptor; you could use it as an offline triage collector. Or, specifically for Linux and Unix OSes, there is UAC, which stands for Unix-like Artifacts Collector. So you may be asked to deploy that, run this particular script, and then, once the script has finished collecting all those potential artifacts or data, you may be asked (of course, in the time of the pandemic everybody's working remotely) to save it and send it to secure cloud storage. It used to be that when there was an incident, before the pandemic, or the before times, incident responders would actually go on site, to the client site or to that particular site, and start collecting these sources of evidence. But now, because of the challenges with traveling and some restrictions, sometimes you'll be provided with one-page instructions on how to actually run this, and then given a link to secure cloud storage, and then you upload the collected artifacts there.

And then sometimes it could be that you'll be asked to collect certain specific artifacts, like for example the contents of the /etc directory, or the /home directory, for figuring out who the users are there, and most especially the /var directory; there are a lot of logs there. So one of the things that we commonly check is the contents of the wtmp for successful logins and logouts, and the btmp for failed logins. And one thing that we actually check the btmp for, with failed logins, is that it is possible that a user may have accidentally typed their password at the user login prompt, so we could actually see that; we're going to check that. The other thing, aside from that, is the lastlog file, which is the most recent user login. So it really depends on what kind of incident we are investigating. It could be a potential insider threat, or it could be that you have attackers who were able to get into your organization and they've been moving around and trying to log on to the different servers.

So as we go along in the incident response life cycle, there is this part called the containment, eradication and recovery phase. So potentially you may be asked to do some quarantining or containment of the server. When we talk about containment, there are several ways that you could do that. You could do it at the network level: ask the network team, hey, could you please shut down that particular switch port. Or it could be that you have an EDR which has the capability to do containment or quarantine, wherein the network communication is going to be stopped, except from the server to the EDR server, or it could be an EDR in the cloud, so that's the only network communication that's allowed. Several years ago, actually more than a decade ago, believe it or not, I had one client who actually told me that in their panic in containing the server they actually unplugged it, like, oh, and unplugged the LAN cable; no, the power cable. Oh, please don't do that, because we will lose certain artifacts that are volatile, like for example things that are in memory. So make sure that you have a process, a procedure, for containing your servers.

Now, if, let's just say, this is a particular incident requiring a fresh install, like for example it could be that you've been hit with ransomware and your choice now is, hey, we just have to do a fresh install, then potentially you could be asked to do that. Or it could be that, okay, once we've done our reinstall, you're going to be asked, hey, can we use the backups? Okay, but before you use the backup, make sure that your backups are clean. What do I mean by that? It could be that when your system was backed up, it also backed up the binaries for the malware or for the ransomware, so you basically started a fresh reinstall, and then you put your backup in, and then you get infected again. So just make sure that you also check your backups, whether they're clean. And then another thing is, are your backups usable? So part of the preparation phase would be, in terms of the backups, that you always check your backups too, because you may be doing a backup but you haven't really tried a restore, and it could be that in your hour of need, when you need to restore your backups, you find out that they're not usable. So make sure that, before this happens, part of the preparation is to check that your backups are usable.

Now, potentially, as you progress along the way through this incident response life cycle, there are things that you learn, like, oh, we should have done this. So this particular phase is called the post-incident activity, or sometimes it's called the lessons learned phase. For this, it could be that you'll be asked questions about what we can improve: what can we improve as a team, or in terms of processes, or maybe there are some challenges in terms of the technology that you have there, or it could be that you don't have enough people. So typically most of the lessons learned will be focused on these three things: people, processes and technology. And then, what did we learn from this, and what are the improvements that we need to make in order to make sure that we are able to protect our organization, our information assets, and have, let's just say, faster recovery time? So basically it's more about questions like, how can we do better next time? So these are the things that would actually help improve your incident response capacity, or, I'm sorry, capability. Or sometimes what happens is that an incident happens and you think that, oh, we're all set, we have the IR plan, and then it turns out that the IR plan hasn't been updated in ages, and when you look at it, you don't have the correct contact list, or it could be that people have moved on, so you don't know who to contact about this particular information asset. And then part of the post-incident activity is to make sure that you also improve and update your incident response plan.

Now, as you go along here, there are definitely a lot of lessons learned. Make sure that you are also documenting each step of the way. Like for example, if you were asked by, let's just say, a third-party vendor or a service provider, such as a security service provider, to run certain scripts or to install certain agents and all those things, make sure that you're also documenting them, because later on, if, let's just say, there is a need to do it again, at least you have them ready. Or it could be that whatever steps were done during the detection and analysis, the containment, could potentially be part of a new playbook. So the cycle (let me go back again), the cycle here, as you can see: you progress along from preparation to detection and analysis, to containment, eradication and recovery, to post-incident activity. So after that, whatever you've learned here, you go back to the preparation, meaning that with the things that you've learned you can maybe create a mock incident, you can have another tabletop exercise, or you could create another playbook.

Now, my ask from you, after this, is that please, when you go back to work, think about your incident response process. Do you have a plan? Or if you have a plan, when was the last time you tested it? When was the last time, let's just say, you updated it? Do you have annual tabletop exercises? Do you have playbooks there? So you start thinking about this, and slowly but surely you go along. And I know it's going to be a big ask, because aside from doing your system administration duties, because of COVID, the pandemic, you may be asked to do other things, especially covering for, let's just say, other shifts of people who may be isolating and can't work. So do it maybe on a quarterly basis: you have a plan to do this part, and then after that do another part. Okay, so with that, if you're interested in getting a copy of the X-Force Threat Intelligence Index, just go to the IBM website and search for it, and you have to
provide some you know uh 573 00:22:20,559 --> 00:22:24,640 information about your email and all 574 00:22:22,320 --> 00:22:27,200 those things uh don't worry we have this 575 00:22:24,640 --> 00:22:29,760 you know uh the data privacy you know 576 00:22:27,200 --> 00:22:31,679 regulations and all those things so uh 577 00:22:29,760 --> 00:22:34,480 and you can opt out of marketing just to 578 00:22:31,679 --> 00:22:37,280 get a copy of that report okay and then 579 00:22:34,480 --> 00:22:39,679 there's a good guide from an nist that's 580 00:22:37,280 --> 00:22:41,760 remember it's uh the publication 581 00:22:39,679 --> 00:22:45,039 800-61r2 582 00:22:41,760 --> 00:22:48,320 it's available for free from nist and 583 00:22:45,039 --> 00:22:51,039 then if you are interested into in terms 584 00:22:48,320 --> 00:22:53,039 of specializing in you know let's just 585 00:22:51,039 --> 00:22:55,120 say digital forensics coming from a 586 00:22:53,039 --> 00:22:57,280 linux background there's a very good 587 00:22:55,120 --> 00:22:59,120 book from norseparch press it's called 588 00:22:57,280 --> 00:23:01,919 practical linux forensics that's a very 589 00:22:59,120 --> 00:23:04,080 good book if you need to actually 590 00:23:01,919 --> 00:23:07,200 collect some artifacts you can you know 591 00:23:04,080 --> 00:23:10,320 go to github search for the uac or you 592 00:23:07,200 --> 00:23:12,799 know you can use also velociraptor okay 593 00:23:10,320 --> 00:23:16,880 so if you have any questions after this 594 00:23:12,799 --> 00:23:19,760 conference i have allocated uh you know 595 00:23:16,880 --> 00:23:22,159 a few minutes for some questions okay 596 00:23:19,760 --> 00:23:25,440 you can like ask those questions if not 597 00:23:22,159 --> 00:23:28,960 you can always dm me in twitter okay 598 00:23:25,440 --> 00:23:31,679 so that's it so i'm gonna just minimize 599 00:23:28,960 --> 00:23:33,120 this so i could see if there's any 600 00:23:31,679 --> 00:23:35,280 questions 
there 601 00:23:33,120 --> 00:23:39,120 yeah there's a couple questions 602 00:23:35,280 --> 00:23:41,679 um so first question is uh do you prefer 603 00:23:39,120 --> 00:23:45,840 people to rebuild servers and restore 604 00:23:41,679 --> 00:23:48,840 data or restore the full 605 00:23:45,840 --> 00:23:51,840 the full image during the recovery 606 00:23:48,840 --> 00:23:55,600 phase um as with all things with in the 607 00:23:51,840 --> 00:23:58,320 ir world uh it depends on 608 00:23:55,600 --> 00:24:00,720 you know how fast you need 609 00:23:58,320 --> 00:24:01,600 the system to be up 610 00:24:00,720 --> 00:24:03,279 so 611 00:24:01,600 --> 00:24:05,440 you're the one who's gonna be like you 612 00:24:03,279 --> 00:24:08,320 know deciding because you're the 613 00:24:05,440 --> 00:24:10,799 information asset owners okay 614 00:24:08,320 --> 00:24:13,279 just make sure that before you start you 615 00:24:10,799 --> 00:24:14,799 know putting back all those backups as i 616 00:24:13,279 --> 00:24:15,840 mentioned before make sure that they're 617 00:24:14,799 --> 00:24:17,440 clean 618 00:24:15,840 --> 00:24:19,919 okay 619 00:24:17,440 --> 00:24:22,400 okay next question is how do you balance 620 00:24:19,919 --> 00:24:24,320 incidents that affect support support 621 00:24:22,400 --> 00:24:26,799 systems versus responses that 622 00:24:24,320 --> 00:24:28,880 potentially affect production systems 623 00:24:26,799 --> 00:24:31,840 how do you go about risk assessment on 624 00:24:28,880 --> 00:24:32,640 the changes involved in 625 00:24:31,840 --> 00:24:34,559 okay 626 00:24:32,640 --> 00:24:38,159 so once again it depends on the 627 00:24:34,559 --> 00:24:40,400 organization's uh risk profile 628 00:24:38,159 --> 00:24:42,240 or what they consider as very critical 629 00:24:40,400 --> 00:24:45,120 to their existence 630 00:24:42,240 --> 00:24:47,760 so if let's just say what is like very 631 00:24:45,120 --> 00:24:49,760 important for their existence is you 632 
00:24:47,760 --> 00:24:52,320 know remediating immediately watching 633 00:24:49,760 --> 00:24:54,000 production because once production is 634 00:24:52,320 --> 00:24:56,000 affected that basically affects the 635 00:24:54,000 --> 00:24:58,799 whole business so you start you know 636 00:24:56,000 --> 00:25:00,640 responding there so typically let's just 637 00:24:58,799 --> 00:25:02,480 say a sample scenario would be let's 638 00:25:00,640 --> 00:25:04,159 just say ransomware 639 00:25:02,480 --> 00:25:06,000 okay we're in it could be like several 640 00:25:04,159 --> 00:25:09,600 servers may have been affected and they 641 00:25:06,000 --> 00:25:12,240 immediately ring our ir hotline so we 642 00:25:09,600 --> 00:25:14,799 immediately stand up a lot of streams so 643 00:25:12,240 --> 00:25:16,960 there's several work streams in parallel 644 00:25:14,799 --> 00:25:19,440 happening at the same time so we have 645 00:25:16,960 --> 00:25:21,760 the incident response uh you know 646 00:25:19,440 --> 00:25:24,240 happening we're in there's gonna be a 647 00:25:21,760 --> 00:25:26,559 collection of the artifacts to make sure 648 00:25:24,240 --> 00:25:28,240 that we know what we're dealing with so 649 00:25:26,559 --> 00:25:29,600 we have to make sure that we understand 650 00:25:28,240 --> 00:25:32,000 what is this malware what are the 651 00:25:29,600 --> 00:25:33,440 capabilities and then there would be 652 00:25:32,000 --> 00:25:36,000 some collection of let's just say 653 00:25:33,440 --> 00:25:38,159 certain files because if it's like a new 654 00:25:36,000 --> 00:25:40,240 malware variant we'll have a separate 655 00:25:38,159 --> 00:25:41,360 track for the reverse engineers we're 656 00:25:40,240 --> 00:25:43,760 going to be doing the reverse 657 00:25:41,360 --> 00:25:46,159 engineering on the malware then we have 658 00:25:43,760 --> 00:25:47,840 a separate track wherein we start doing 659 00:25:46,159 --> 00:25:49,600 like you know the remediation so 660 
00:25:47,840 --> 00:25:51,360 sometimes what happens is that you have 661 00:25:49,600 --> 00:25:52,240 several tracks happening at the same 662 00:25:51,360 --> 00:25:54,480 time 663 00:25:52,240 --> 00:25:55,840 okay but in order to do that you will 664 00:25:54,480 --> 00:25:59,039 need to make sure that in your 665 00:25:55,840 --> 00:26:02,000 organization if your ir team is in-house 666 00:25:59,039 --> 00:26:04,000 you have enough enough people there and 667 00:26:02,000 --> 00:26:06,720 that's why what i found is that most 668 00:26:04,000 --> 00:26:09,039 organizations will actually call in 669 00:26:06,720 --> 00:26:12,320 a third-party vendor but please make 670 00:26:09,039 --> 00:26:14,720 sure that you have an existing retainer 671 00:26:12,320 --> 00:26:17,520 first because what happened what i've 672 00:26:14,720 --> 00:26:19,919 seen so far is that some organizations 673 00:26:17,520 --> 00:26:21,760 don't have that retainer or like a 674 00:26:19,919 --> 00:26:23,039 contract or something and they start 675 00:26:21,760 --> 00:26:25,679 calling up in 676 00:26:23,039 --> 00:26:28,640 like last last month with the lag4j and 677 00:26:25,679 --> 00:26:30,080 all those things it was very very busy 678 00:26:28,640 --> 00:26:32,799 it may be that 679 00:26:30,080 --> 00:26:34,799 you you call an ir firm and they said 680 00:26:32,799 --> 00:26:36,880 sorry we can't really take you on 681 00:26:34,799 --> 00:26:38,960 because we're like really busy you know 682 00:26:36,880 --> 00:26:41,279 providing all this services to our 683 00:26:38,960 --> 00:26:43,600 existing clientele so so think of like 684 00:26:41,279 --> 00:26:45,360 that retainer as a way for you to make 685 00:26:43,600 --> 00:26:47,919 sure that you have that allocated 686 00:26:45,360 --> 00:26:50,320 resources for you 687 00:26:47,919 --> 00:26:51,919 by the way i'm not a salesperson i'm not 688 00:26:50,320 --> 00:26:54,799 trying to sell you anything i'm just 689 00:26:51,919 --> 
00:26:57,440 like talking from experience 690 00:26:54,799 --> 00:26:59,120 okay all right um i think that's all the 691 00:26:57,440 --> 00:27:00,480 questions we've got all right thank you 692 00:26:59,120 --> 00:27:02,559 very much 693 00:27:00,480 --> 00:27:04,320 thank you very much for listening to my 694 00:27:02,559 --> 00:27:06,559 talk i hope you learned something from 695 00:27:04,320 --> 00:27:09,919 this hit me up in twitter if you have 696 00:27:06,559 --> 00:27:11,679 any questions okay so take care and once 697 00:27:09,919 --> 00:27:14,559 again i can't give everybody a hug so 698 00:27:11,679 --> 00:27:18,240 i'm going to give you a wakandan salute 699 00:27:14,559 --> 00:27:21,480 giving take care be well and be safe and 700 00:27:18,240 --> 00:27:21,480 thank you