Ransomware Response: Training & Preparation
Key Points
- Meg West explains that incident response consultants spend most of their time proactively preparing clients—not just reacting to attacks—through training and “Security Incident Response First Responder” (SIRFR) classes that teach technical response skills and log analysis.
- A key part of preparation is educating non‑technical employees, who are the weakest link, about common attack vectors such as phishing and the social‑engineering tactics (urgency, fear) attackers use to trick them.
- By training both cyber‑security staff and everyday workers to recognize and properly handle suspicious communications, organizations can avoid panic and reduce the likelihood of successful ransomware or breach incidents.
- The consultant emphasizes that effective incident response also relies on having appropriate security tools in place to detect and block attacks before they reach vulnerable users.
- Overall, a blend of hands‑on technical training, employee awareness programs, and preventive technology is presented as the best strategy to mitigate ransomware nightmares.
Sections
- Preparing for Ransomware with First‑Responder Training - Incident response consultant Meg West explains how her firm educates clients—through Security Incident Response First Responder (SIRFR) classes on log analysis, digital forensics, and response protocols—to proactively handle ransomware attacks before they occur.
- Industry‑Specific Incident Response Planning - The speaker explains how organizations tailor threat expectations by industry, develop a pre‑defined cybersecurity incident response plan, and validate it through simulations and ransomware readiness assessments.
- Proactive Incident Response Planning - The speaker urges organizations to analyze incidents for root causes and to secure an incident‑response retainer beforehand, emphasizing that preventive preparation is far cheaper than reacting after a breach.
Source: https://www.youtube.com/watch?v=XyOvdhjrEX4
Duration: 00:08:21
Section timestamps
- 00:00:00 (https://www.youtube.com/watch?v=XyOvdhjrEX4&t=0s) Preparing for Ransomware with First‑Responder Training
- 00:03:08 (https://www.youtube.com/watch?v=XyOvdhjrEX4&t=188s) Industry‑Specific Incident Response Planning
- 00:06:20 (https://www.youtube.com/watch?v=XyOvdhjrEX4&t=380s) Proactive Incident Response Planning
Full Transcript
It's every business's worst nightmare.
They've been hacked
and ransomware is being demanded, and they don't really know what to do.
Today we have with us Meg West.
She is an incident response consultant and she's going to show us what she does
as part of her role on X-Force to be able to deal with this very problem.
Can you help me out? What would I have done?
Yeah, absolutely.
I can definitely help you out.
Thankfully, that's what I do every day.
A large misconception about incident response consultants
is that we literally only respond to incidents doing the technical things.
But the reality is a large portion of incident response, and what I do
for my daily job, is helping my clients prepare for the incident.
And as we've noted down, one of the first things that we do
as an incident response consulting agency is education for our clients.
We go to them and we help them discern if an incident happens,
how should they be reacting to it?
We offer things that are called SIRFR classes
or that stands for security incident response, first responder classes.
And we literally teach these cybersecurity people from different organizations
how to respond to an incident if it happens.
Digital forensics, how to query logs, anything that could be relevant
to responding to an incident.
So helping these people prepare for the incident
and learn how to do these technical things before it actually happens
saves them from being in a scramble when the incident does occur.
Well, that makes a lot of sense.
But there's also education for the people
who are ultimately responsible for some of these break ins, employees.
What do they do on their education side?
Yeah, absolutely.
So employee education for people who don't work in I.T.
is just as important as educating your incident response and cybersecurity folks.
And the reason for that being is that humans, employees,
are some of the weakest links in an organization,
and they're some of the biggest and most widely targeted
people in an organization because they're not generally
formally trained on how to detect a cybersecurity incident.
Today, it stands that phishing through email
is one of the largest attack vectors.
That's how most of the attacks are still happening.
People still fall for that.
Absolutely. Literally every single day.
So what we can do is educate our employees on how to look
for a cybersecurity attack.
For instance, if an employee receives an email
that's urging them to do something extremely quickly, it says, Hey, Dan,
you need to click on this link and update your password
in the next 2 hours or else you're getting fired.
The attackers are trying to play on your sense of urgency.
They're creating fear.
They want you to think irrationally
and illogically to get you to do something quickly.
So when we take the time to educate our employees
and let them know, hey, you should be expecting to receive these kinds of emails,
they're better prepared for it.
Should we have in place the security tools to help prevent this?
Yes, of course. Email filters and firewalls are going to help,
but they're still going to be at 1% or less that make it through unfortunately.
And that's why we need to train our secondary defenses, which are the people, and educate them.
It makes a lot of sense, and I suppose this is part of a larger strategy.
Education is just the first fork of that. What does the rest of that strategy look like?
A large part of working in incident response consulting,
especially from the proactive side, we say proactive because it becomes more
the incident is trying to strategize
what are we going to do when the incident happens.
We're trying to predict
based upon our industry, where our industries,
where our organization is located, how many employees we have,
what kind of data types we're dealing with.
We want to strategize what kind of incidents and attacks
can we expect to happen just because we're a financial industry,
because we're a health care industry, we can generally tell based upon the type
of industry and several other factors what kind of attacks to expect.
So for us, we're trying to discern that.
Second, we're trying to put in place a plan.
We have what's called a cybersecurity incident response plan.
That's something that every organization should have.
It's a plan that literally dictates
what you should be doing when an incident happens
so that you're prepared and you have a checklist
of what to run through when it happens.
And that strategization is going to take away a lot of the questioning,
a lot of the gray area of when an incident happens
instead of trying to discern who do I need to escalate this incident to?
Who do I need to call at 2 a.m. in the morning when I need a firewall change?
It's already all strategized out.
It's pre-planned so that it takes a lot of the guesswork away.
One thing, though, a part of a strategy to really make sure it works,
I suppose, is to simulate. And how does that play out?
Yeah, absolutely.
So how we can try the strategy into the simulation and going back to the strategy part a little bit,
one thing that's really important for a lot of organizations is to do assessments, right?
Specifically, we do a lot of ransomware readiness assessments.
And what that means is we'll go into an organization,
we'll ask them all their technical, their executive experts,
a lot of really in-depth detail questions and take a look at their environment
and kind of do a gap analysis that says if you were to get hit by ransomware,
how devastating, how large of an impact would it be for your organization?
And based on the results of that, then we're going to carry into the simulation aspect of it.
Once we know your weaknesses, where your organization needs to better bolster their cybersecurity,
we're going to go ahead and we're going to test this in a simulation.
So specifically, we offer a cyber range exercise, think cyber warfare, kind of purple teaming going on,
where we're going to go ahead and virtualize a client's environment and replicate it.
And then we're going to craft a very specific scenario to that client, to their industry,
and we're going to put it into play in the actual virtualized environment and have them go and respond to the incident.
Meanwhile, personnel like myself and my colleagues who have years
of training, working in incident response, we're taking very cautious notes.
We're trying to discern, you know, how can we help this organization
do better by watching them carry out the simulation.
And then we write them a report, a very detailed report
that says you should do this better so that you can respond better to an incident.
And that really points out the flaws potentially in that strategy that you've done in a prior step.
Yeah, absolutely. So it all ties in together very well.
And that, of course, brings us to the last point
is, is that once you've gone through all this, I'm sure there are some lessons to be learned.
That's something you talk about before as a formal practice.
Yeah, of course. It's a lifecycle.
I mean, no matter what lifecycle you look at, whether it's NIST, the National Institute of Standards, or if you look at SANS,
all of the incident response lifecycles go through in a big circle.
And coming full circle means learning from your past incident.
If you're having an incident over and over again and it has the same attack vector, it's the same kind of incident, but you're not learning from the incident.
That's why it keeps happening, because you're not taking the time to sit down with the relevant personnel and stakeholders within your organization
to identify why did this incident happen and what kind of security controls do I need to put into place, whether they're technical, strategic,
to prevent another incident from happening again?
Most organizations, they have an incident.
They remediate it, meaning they get their business back to normal operating standards and they go about their days.
They don't talk about why did this happen, how can we prevent this from happening again? What went wrong?
What did we do well?
These are key defining characteristics that we need to identify during incidents to help prevent them from reoccurring.
Because being a victim is very expensive. Well, that is excellent advice. I want to give you the last word on this.
For our people who are watching this and want to avoid being a victim, what do you really recommend they do now?
Yeah, that's a great question.
I recommend not waiting for the incident to happen.
I recommend getting an incident response retainer, acquiring them ahead of time
to prepare for an incident because the reality is
all these organizations, they think, Oh, I don't want to spend,
you know, a couple thousand.
Well, let's be realistic. It's a lot more than a couple thousand.
But they think I don't want to spend the money ahead of time for an incident that may never happen.
The reality is, as the saying goes, incidents already happen to you or you don't know it's happened yet.
We, as cybersecurity incident response professionals, literally see day in and day
out these same incidents that are occurring in different environments, whether it's Linux or Windows.
But we are trained professionals who are there to handle your organization's worst day
while your executives are running around like chickens with their heads cut off.
We're there to be calm, to help you walk through it, to help remediate and recover from it as quickly and effectively as possible.
So prepare for the incident before it happens. Take the time to do it.
Put a process into place and hire an incident response retainer.
It'll make your life so much easier.
I so much appreciate the part about being calm.
Yeah, calmness is one of the key defining factors for being an incident
response consultant while everyone else is just running around frantic. You know, sending angry emails, scared out of their minds.
Having that person to be your pillar of strength to turn to has done this day in and day out for many years of their life.
It's something that money is no trivia for.
Well, thank you so much for joining us, Meg.
And for those who are watching, Hey, before you leave, don't forget to hit like and subscribe.