An incident response plan is the key to successfully surviving a ransomware attack, and it's a bit like Dramamine: by the time you need one, it's too late to get one. @vmiss (Melissa Palmer) joins us again to talk about this important topic. We talk about the important role cyber insurance companies can play in helping you find an IR team and helping you develop a plan. (They can actually force you to do so in order to get coverage.) @vmiss was a blast to talk to again, and we're sure you'll enjoy this episode.
We've got another good one for you on the topic of ransomware this time, it's
Speaker:about how to prepare for a ransomware attack with an incident response plan.
Speaker:Hope you enjoy the episode.
W. Curtis Preston:Hi, and welcome to Backup Central's Restore it All podcast.
W. Curtis Preston:I'm your host, W. Curtis Preston, aka Mr. Backup, and I have with me my super expensive vacation planner coordinator.
W. Curtis Preston:How's it going, Prasanna?
Prasanna Malaiyandi:I'm doing well, Curtis, how are things going?
Prasanna Malaiyandi:Are you excited?
W. Curtis Preston:I am excited, um, uh, and my wife is starting to get excited.
W. Curtis Preston:I started showing her some pictures a while ago and she's
W. Curtis Preston:been like downplaying it.
W. Curtis Preston:Like she doesn't want to get excited.
W. Curtis Preston:She wants to be sort of excited, but I needed her to prep for the vacation
W. Curtis Preston:because this is, so this is, we're going to the Maldives, uh, which for
W. Curtis Preston:those that don't know, is a series of islands off the southern coast of India.
W. Curtis Preston:And, um, and, and I'm on one of those islands and, and it's a tiny island that
W. Curtis Preston:literally we could walk from one end to the other in probably about 10 minutes.
W. Curtis Preston:Um, and.
W. Curtis Preston:We're staying in one of those, uh, for the first couple of nights we're staying
W. Curtis Preston:in one of those things over the water,
Prasanna Malaiyandi:Oh, the villas over the
W. Curtis Preston:villas over the water with our, we have our own
W. Curtis Preston:pool, and then right on the other side of the pool is the ocean.
W. Curtis Preston:And then for the rest of the week, we're staying in a, a deluxe, um, beach villa, which basically you, you have your own private section to the beach.
W. Curtis Preston:Um, I mean, it's really, really cool.
W. Curtis Preston:Uh, but it's the
Prasanna Malaiyandi:away your
W. Curtis Preston:we've ever gone.
W. Curtis Preston:What's that?
Prasanna Malaiyandi:Can I stow away in your luggage
W. Curtis Preston:Yeah, I mean, it looks really cool.
W. Curtis Preston:Um, and, uh, we're very excited.
W. Curtis Preston:I'm just trying to, you know, what happened was, I saw this movie last
W. Curtis Preston:week, it's really kind of funny.
W. Curtis Preston:It, it's a horror movie called Infinity Pool.
W. Curtis Preston:and it was about a book author who goes with his wife to a resort island.
W. Curtis Preston:And I watched it and one of, one of the things I said, I was like, wow,
W. Curtis Preston:everybody's really nicely dressed there.
W. Curtis Preston:Maybe I should have my wife look into the way she should prepare for the trip.
W. Curtis Preston:Cuz if she shows up and you know, whatever, and then she sees
W. Curtis Preston:everybody else dresses some other way.
W. Curtis Preston:She's gonna be really mad at me.
W. Curtis Preston:So that's the phase that we're in right now is, is, um, looking at
W. Curtis Preston:their, looking at their Instagram account, So this is what we're doing.
W. Curtis Preston:We're looking at the island's Instagram account, uh, and looking
W. Curtis Preston:at the way people dress there.
W. Curtis Preston:And, uh, I think we'll be okay.
W. Curtis Preston:Uh, they're, um, I, I will say everyone on their Instagram account looks a
W. Curtis Preston:lot younger than us, but you know,
Prasanna Malaiyandi:Have you not heard about Instagram filters?
Prasanna Malaiyandi:Oh, speaking of, did you hear, I know you're a big movie person, Curtis,
Prasanna Malaiyandi:but they're making a movie with Tom Hanks and someone else, and they're
Prasanna Malaiyandi:gonna use AI to make them look younger.
W. Curtis Preston:Really?
Prasanna Malaiyandi:Yeah, I can't remember.
W. Curtis Preston:to make who look younger, Tom
Prasanna Malaiyandi:Hanks.
Prasanna Malaiyandi:Yeah, Tom Hanks and someone else.
Prasanna Malaiyandi:Yeah.
Prasanna Malaiyandi:I, I don't remember the name of the movie or who the director was, but
Prasanna Malaiyandi:I read that somewhere the other day.
Prasanna Malaiyandi:I was like, I should tell Curtis
W. Curtis Preston:AI is gonna be the death of us.
W. Curtis Preston:That's a whole other podcast.
Prasanna Malaiyandi:which is go listen to Curtis's other podcast,
Prasanna Malaiyandi:other, other podcasts with you and Jeff talking about movies.
W. Curtis Preston:is, yeah, we, uh, it's called The Things That
W. Curtis Preston:Entertain Us and, um, the, uh, yeah, so, uh, not too many episodes, but
W. Curtis Preston:yeah, basically we end up mostly talking about movies that we've seen.
W. Curtis Preston:Um, and, uh, I'll be talking about in our next recording about this, this
W. Curtis Preston:movie be called The Infinity Pool.
W. Curtis Preston:Anyway, it's, um, an interesting movie.
W. Curtis Preston:So speaking of interesting, we're having our, a repeat guest and,
W. Curtis Preston:um, we, we had her on, uh, a few weeks ago and we got talking about
W. Curtis Preston:ransomware, one of our favorite topics.
W. Curtis Preston:And we, we, we got into this phase where it was like, you know what?
W. Curtis Preston:That, that is a great conversation, but there's no way we could, we could
W. Curtis Preston:do it justice on that recording.
W. Curtis Preston:So it was, Hey, we're gonna have her come back.
W. Curtis Preston:And, uh, she is, uh, she's been in the industry for quite a while and she's been
W. Curtis Preston:specializing in, uh, she's done VMware.
W. Curtis Preston:Uh, she did.
W. Curtis Preston:Now she's, she's working, uh, starting to specialize in security and ransomware.
W. Curtis Preston:So we're, uh, and she's the author of the vmiss.net blog, and we are
W. Curtis Preston:excited to have her on the podcast.
W. Curtis Preston:Again, Melissa Palmer, aka @vmiss.
W. Curtis Preston:How's it going?
Melissa Palmer:Thank you for having me back.
Melissa Palmer:It's going good.
Prasanna Malaiyandi:I was surprised that you were like, Ooh, I'll
Prasanna Malaiyandi:come back on the podcast after
Melissa Palmer:yeah, that was, of course, when I come back
Prasanna Malaiyandi:Well, thank you for
Melissa Palmer:scare.
Melissa Palmer:It takes a lot more.
Melissa Palmer:You said it.
Melissa Palmer:I've been in and around this industry for a while.
Melissa Palmer:It takes a lot more than that to scare me away after all these years.
Prasanna Malaiyandi:And Curtis, I think, uh, now might be a good time
Prasanna Malaiyandi:to put out our normal disclaimer.
W. Curtis Preston:Yeah, Prasanna and I work for different companies.
W. Curtis Preston:Uh, he works for Zoom.
W. Curtis Preston:I work for Druva.
W. Curtis Preston:This is not a podcast of either company and the opinions that you hear are ours.
W. Curtis Preston:Also, be sure to rate us at, uh, ratethispodcast.com/restore
W. Curtis Preston:and, um, if you wanna join the conversation, reach out to me.
W. Curtis Preston:By the way, I, I gotta give a bunch of ways cuz I, I got some
W. Curtis Preston:complaints and people say, well, I don't use Twitter anymore.
W. Curtis Preston:So how you give your Twitter address.
W. Curtis Preston:So my LinkedIn is, you know, linkedin.com/ally/mr.
W. Curtis Preston:Backup.
W. Curtis Preston:Uh, you can find me there.
W. Curtis Preston:Uh, you can find me on Facebook.
W. Curtis Preston:I'm on Facebook, Facebook Messenger, but my email is, uh, w Curtis Preston.
W. Curtis Preston:Uh, my Facebook is w Curtis Preston.
W. Curtis Preston:I'm pretty easy to find if you're looking for me.
W. Curtis Preston:Um, and reach out to me and we'll get you in on the, on the conversation.
W. Curtis Preston:Yeah.
W. Curtis Preston:Um, the, um, this, this thing of responding to a ransomware attack,
W. Curtis Preston:this, this is something I've been spending a lot of time on lately, uh,
W. Curtis Preston:because I've been, I'm, I'm working on writing my next book, which will be
W. Curtis Preston:about responding to ransomware attacks.
W. Curtis Preston:You know, one of the things that you said in the pre-call was that if, if
W. Curtis Preston:the first time you're thinking about responding to a ransomware attack is
W. Curtis Preston:after you got a ransomware attack,
Melissa Palmer:Um,
W. Curtis Preston:it's not so good.
W. Curtis Preston:Right.
W. Curtis Preston:There's a lot of, yeah.
W. Curtis Preston:In fact, when I was looking at the, sort of the outline that I've been
W. Curtis Preston:working on for the book, most of the outline is the first half, right?
W. Curtis Preston:Everything that you need to do before, right.
W. Curtis Preston:Um,
Melissa Palmer:that's, it's like you can't just talk about
Melissa Palmer:ransomware recovery, right?
Melissa Palmer:Like, it, it, it's a hard topic to talk about because you're like,
Melissa Palmer:there's all this other stuff that if you haven't done it, guess what?
Melissa Palmer:You are not gonna be able to recover.
Melissa Palmer:So we can't just talk about recovering.
Melissa Palmer:It doesn't work that way.
W. Curtis Preston:Right.
W. Curtis Preston:It's sort of like I, I've made the joke, uh, a few times probably on
W. Curtis Preston:the pod where I've said, listen, you know, I've been in the backup
W. Curtis Preston:industry, you know, a long time.
W. Curtis Preston:I, I've decided to give up backups and I'm just gonna skip straight to restores.
W. Curtis Preston:Right?
W. Curtis Preston:You can't really, you can't really do that.
W. Curtis Preston:Just like I've also said that if I'd have known how great grandkids were,
W. Curtis Preston:I would've just gone straight to them.
W. Curtis Preston:Um, but not, not really
Prasanna Malaiyandi:It's not how it works.
Prasanna Malaiyandi:Yeah.
W. Curtis Preston:Yeah.
Melissa Palmer:It is a really good analogy though.
Melissa Palmer:It really
W. Curtis Preston:Yeah, it is, it is.
W. Curtis Preston:By the way, you want a little, little sad thing.
W. Curtis Preston:So my granddaughter and her mother and, and her husband,
W. Curtis Preston:uh, are, this is their last day
Prasanna Malaiyandi:Oh, I was gonna ask you about
W. Curtis Preston:been living here for a while, and they're moving out tomorrow.
W. Curtis Preston:So,
Prasanna Malaiyandi:Hmm.
W. Curtis Preston:little sad moment.
W. Curtis Preston:Little sad moment.
Prasanna Malaiyandi:No.
W. Curtis Preston:Um, but, uh, anyway, so, you know, sorry to bring that down.
W. Curtis Preston:So let's talk about what, what do you think, Melissa?
W. Curtis Preston:Let, let's sort of go through those things that we really needed to have done before.
Melissa Palmer:Uh, well, lemme, lemme try to set the stage a little bit.
Melissa Palmer:Like, does everybody remember like, the disaster recovery tests, like
Melissa Palmer:back in the day, you go to the colo, you got the checkbook, the, the clipboard, you make the checkboxes and, like, I don't know, you play Doom for a while and eat some food.
Melissa Palmer:Someone restores a server and it's like, well, it kind of worked and we're good.
Melissa Palmer:Yeah, that's how old I am.
Melissa Palmer:Um, so and then you're like, oh, it kind of worked.
Melissa Palmer:So we passed our DR test, but we can't actually recover.
Melissa Palmer:Right?
Melissa Palmer:So what you need to do is actually do a ransomware recovery test where
Melissa Palmer:you actually recover everything.
Melissa Palmer:There's a novel concept, and when you do that, you're gonna figure out all the.
Melissa Palmer:but you didn't do cuz it's not gonna work or something's not gonna whatever.
Melissa Palmer:But it, it's, you know, talking from the backup lens cuz I was
Melissa Palmer:at Veeam for quite some time.
Melissa Palmer:Um, something I talked a lot about with Veeam customers was, you know, trying to
Melissa Palmer:understand the whole recovery process.
Melissa Palmer:Cuz if I'm the backup admin and we get ransomware, I don't just
Melissa Palmer:go start restoring stuff all over.
Melissa Palmer:Like that's not what happens.
Melissa Palmer:It's not like, oh no, ransomware attack, let me start restoring servers.
Melissa Palmer:We'll be back online in 20 minutes.
Melissa Palmer:Like it doesn't work that way.
Melissa Palmer:You have to figure out what happened.
Melissa Palmer:Before you can start restoring, you have to figure out what happened.
Melissa Palmer:You have to figure out if the threat actors are still around.
Melissa Palmer:You have to understand what was impacted.
Melissa Palmer:I have heard a lot of people say, um, oh, well, we treat ransomware
Melissa Palmer:different and we just recover in place.
Melissa Palmer:So we're good to go.
Melissa Palmer:And I'll go back to the little VMware.
Melissa Palmer:Yeah, I'll go back to the VMware ransomware thing.
Melissa Palmer:Well, if your VMware environment is ransomware, guess what?
Melissa Palmer:You're not recovering in place cuz there's nowhere to recover to.
Melissa Palmer:Uh, so it's understanding all those different things.
Melissa Palmer:You need to have some kind of understanding of what happened
Melissa Palmer:before you can recover.
Melissa Palmer:And that is generally driven by the incident response process, which is
Melissa Palmer:gonna be driven by the security team.
Melissa Palmer:So again, if you haven't talked to the security team before ransomware has attacked you, you're gonna have a bad time.
Prasanna Malaiyandi:Or vice versa, if the security team hasn't talked to you about
Prasanna Malaiyandi:how backup integrates into that process.
Melissa Palmer:that's really scary.
Melissa Palmer:That's really, that's really, that's really disturbing.
Melissa Palmer:Those are actually really even, I think that's
Melissa Palmer:scarier.
W. Curtis Preston:I think it's, it's a, it's a combination, right?
W. Curtis Preston:Well, you know, uh, yesterday, I think that was yesterday, we recorded
W. Curtis Preston:a, a great podcast, uh, by the way, with Tom from Gestalt, um, that,
W. Curtis Preston:that, uh, net, uh, @networkingnerd.
W. Curtis Preston:Yeah.
W. Curtis Preston:and he, uh, we were talking a lot about the networking side
W. Curtis Preston:of the, the response, right?
W. Curtis Preston:Shutting down things.
W. Curtis Preston:Um, and, and using a combination of technologies, many of which are easier
W. Curtis Preston:to use if you, if you set them up front.
W. Curtis Preston:Right.
W. Curtis Preston:And, uh, talking about things like VLANs and, uh, you know, like one of
W. Curtis Preston:the things we talked about was having a VLAN for all of your desktops and
W. Curtis Preston:laptops, so that if you want to stop everybody from doing anything, you
W. Curtis Preston:just shut off those VLANs and boom.
W. Curtis Preston:Um, there, you know, instead of having to notify 5,000 users, hey, stop doing
W. Curtis Preston:anything, you just shut off their network.
W. Curtis Preston:So they can't, they can't do anything.
W. Curtis Preston:And then if stuff is still happening, um, well, it's not the users, right?
W. Curtis Preston:It's, it's malware, right?
Prasanna Malaiyandi:back to segmentation.
W. Curtis Preston:know, yeah, the, the network segmentation and the, the
W. Curtis Preston:security part, I think, um, what, what, what role do you think the, I'll ask you
W. Curtis Preston:what you think before I say what I think
W. Curtis Preston:So what role do you think cyber insurance companies and then the, the companies
W. Curtis Preston:that they can put you in touch with?
W. Curtis Preston:The, the
Melissa Palmer:Cyber insurance is becoming more and more interesting
Melissa Palmer:cuz it gets to the point where they hand you the list of things you
Melissa Palmer:need to do before they'll issue your policy and guess what you're gonna
Melissa Palmer:probably be able to cover anyway.
Melissa Palmer:Um, but a big part of, I've seen in a lot of policies lately is
Melissa Palmer:having, um, basically an incident response firm on retainer ready
Melissa Palmer:to go as part of your policy.
Melissa Palmer:And I think that is invaluable.
Melissa Palmer:I, everybody should have some kinda relationship with an IR firm
Melissa Palmer:if you can't do it in house.
Melissa Palmer:And uh, even if you can, right?
Melissa Palmer:Sometimes you do still need that outside perspective.
Melissa Palmer:I know a lot of larger orgs are like, no, no, we do our own IR, well, you do
Melissa Palmer:your own IR, but you're not dealing with ransomware every day and these people are
Melissa Palmer:so you might want a little bit of help.
W. Curtis Preston:Yeah.
W. Curtis Preston:Yeah.
W. Curtis Preston:Um, you know, um, I hate to do it, but a another, another movie reference.
W. Curtis Preston:I just saw the, the movie Plane, and you know, the plane goes down in the
W. Curtis Preston:middle of nowhere and they brought in the guy, they brought in the incident
W. Curtis Preston:response guy basically once he showed up.
W. Curtis Preston:Right.
W. Curtis Preston:See, there's a movie reference for everything,
Melissa Palmer:I haven't, I can't tell you the last movie I've watched.
Melissa Palmer:I really can't.
Melissa Palmer:I don't
W. Curtis Preston:I can, I can, I can pull up my app, uh,
W. Curtis Preston:cuz I have the Regal Unlimited.
Melissa Palmer:tell you the last thing I watched.
Melissa Palmer:I can't tell you the last movie I watched, cuz I don't remember.
W. Curtis Preston:I, I, yeah, I, I saw like three this week.
W. Curtis Preston:So in, in the theaters
Prasanna Malaiyandi:So back to the cyber insurance from movies.
Prasanna Malaiyandi:Uh,
Prasanna Malaiyandi:I, yes.
Prasanna Malaiyandi:Yeah.
Prasanna Malaiyandi:No, but, but, but I think, well, this is one of the points that I remember
Prasanna Malaiyandi:because remember when Tony came on from Spectra Logic, Curtis, and he was like,
Prasanna Malaiyandi:oh my God, they got hit with ransomware.
Prasanna Malaiyandi:And he's like, just the previous month they had signed up for cyber insurance.
Prasanna Malaiyandi:They had an IR firm come in, give them sort of the list of, Hey, here's
Prasanna Malaiyandi:everything you need to do to help.
Prasanna Malaiyandi:Right.
Prasanna Malaiyandi:And he was like, that was probably the most valuable thing of that sort of
Prasanna Malaiyandi:cyber insurance policy was having the experts who could walk you through.
W. Curtis Preston:And it, and it wasn't even like he, he was just
W. Curtis Preston:lucky enough to have already, you know, contracted with them.
W. Curtis Preston:Right.
W. Curtis Preston:But the best I think would be to, well, not that you would know
W. Curtis Preston:this, but to do it not a month in advance, but obviously way in
Melissa Palmer:right.
W. Curtis Preston:to get, and to give you some time to work with the incident
W. Curtis Preston:response team and to make sure that you are doing the things that they want
Melissa Palmer:but that's like, that's like the problem, right?
Melissa Palmer:Like it's not, if it's when, and you don't know when.
Melissa Palmer:It could be tomorrow, it could be next week, it could be next month.
Melissa Palmer:It could be next year.
Melissa Palmer:Like you don't
W. Curtis Preston:It could have been three weeks ago.
Melissa Palmer:and you just haven't realized it yet, right?
W. Curtis Preston:Yeah.
Prasanna Malaiyandi:Do it today.
Melissa Palmer:That's my favorite.
W. Curtis Preston:Yeah.
W. Curtis Preston:Uh, so, which is why it doesn't matter when you invent a time machine.
Melissa Palmer:You know, I have bad news to you.
W. Curtis Preston:What
Melissa Palmer:I haven't invented a time machine because there are certain
Melissa Palmer:points I've always promised to myself.
Melissa Palmer:If I invented the time machine, I would go back to this point and tell
Melissa Palmer:myself I invented the time machine.
Melissa Palmer:And if that hasn't happened, I haven't invented it because
Melissa Palmer:time is not linear, right?
Melissa Palmer:So I haven't invented a time machine.
Melissa Palmer:I'm very upset about that.
W. Curtis Preston:Me neither.
W. Curtis Preston:Um, but, um, well, it's been a weird, it's been, we've been jumping in and out
W. Curtis Preston:of the topic here on this podcast, but,
Prasanna Malaiyandi:Incident response.
W. Curtis Preston:yeah.
W. Curtis Preston:So we, we, we get the cyber insurance folks because I
W. Curtis Preston:think in the, in the initial ransomware phase, what people thought of cyber insurance was just a
W. Curtis Preston:company to pay their ransom for you, and that they're definitely saying
W. Curtis Preston:they're not interested in it anymore.
Melissa Palmer:Yeah.
Melissa Palmer:And there's more costs beyond the ransom, right?
Melissa Palmer:So you paid the ransom, but what about everything else?
Melissa Palmer:Um, that's the thing.
Melissa Palmer:And policies have changed over time, like, back in the day a couple years ago, right?
Melissa Palmer:Like before the pandemic, uh, it was like easy to get cyber insurance.
Melissa Palmer:Like, oh yeah, I'll take a cyber insurance policy for 5 million, please, whatever.
Melissa Palmer:And now it's hard.
Melissa Palmer:And if you do actually use your, I've seen a lot of cases where if you actually
Melissa Palmer:use the insurance policy, guess what?
Melissa Palmer:They don't necessarily drop you, but guess what your deductible becomes?
Melissa Palmer:What they paid for your last ransomware attack, right?
Melissa Palmer:So if I had to pay 2.5 million, guess what?
Melissa Palmer:I now have a 2.5 million deductible for my next attack because let's face it.
Melissa Palmer:We get IR in, right?
Melissa Palmer:We figured out what happened, we have to recover, and then there's a whole
Melissa Palmer:stage where we have to do a postmortem, figure out how they got in, if they're
Melissa Palmer:still in and close up the gaps.
Melissa Palmer:That doesn't always happen cuz people are so, like, oh, we're back, we're good to go.
Melissa Palmer:Happy day, happy day.
Melissa Palmer:And they get hit again because they never fixed the way they
Melissa Palmer:got in in the first place.
W. Curtis Preston:What, what do you think about the idea of.
W. Curtis Preston:And again, this would be driven by management.
W. Curtis Preston:And you know, a lot of times, like you said, management isn't necessarily
W. Curtis Preston:at that moment thinking about the the best way to do something.
W. Curtis Preston:They just wanna do the fastest way to do something.
W. Curtis Preston:Right.
W. Curtis Preston:So another thing I've been looking into is the idea of wouldn't the best
W. Curtis Preston:practice to be to figure out how they got in before you do the recovery,
W. Curtis Preston:before you turn everything back on.
Melissa Palmer:Yeah.
Melissa Palmer:And that, that's where the IR firms come in, because they'll kind of get in and they'll be able to do that.
Melissa Palmer:They'll be able to say like, you guys are so messed up.
Melissa Palmer:You didn't have any logging enabled anywhere.
Melissa Palmer:Like we, we can't tell right now.
Melissa Palmer:Right?
Melissa Palmer:It really depends on what happens in that first phase.
Melissa Palmer:Um,
W. Curtis Preston:Yeah.
Melissa Palmer:and it comes back to kind of getting ready for the
Melissa Palmer:attack and what kind of security practice you have in some places.
Melissa Palmer:Yeah.
Melissa Palmer:We could see, people can figure out, uh, throw in a tool and say, yeah, guess what?
Melissa Palmer:They came in here.
Melissa Palmer:We know we're good to go.
Melissa Palmer:Other times they might not find it just because there was never.
Prasanna Malaiyandi:they came in.
Prasanna Malaiyandi:They went out before you even knew
Prasanna Malaiyandi:or nothing was
W. Curtis Preston:under
Melissa Palmer:or we didn't, you know, we didn't have logging on or whatever.
Melissa Palmer:Or they turned something off or,
W. Curtis Preston:Logging is a beautiful thing and, and also
W. Curtis Preston:a system to get those logs off
Melissa Palmer:yeah,
Melissa Palmer:that's what people like, forget about, like
Melissa Palmer:who cares about the logs, like whatever their logs.
Melissa Palmer:No, you're, you're going to care about the logs someday, I promise you.
W. Curtis Preston:Yeah, I mean, even if it's something as simple as making
W. Curtis Preston:sure that the logs are represented as text somewhere, that is then
W. Curtis Preston:backed up by the backup system so that you can restore all of them.
W. Curtis Preston:That's basic, but there are systems that you can buy that will just automatically,
W. Curtis Preston:uh, exfiltrate all of those logs for you.
W. Curtis Preston:Yeah.
W. Curtis Preston:Yeah.
Prasanna Malaiyandi:I wanna go back to a point you made earlier, Melissa, about
Prasanna Malaiyandi:sort of, okay, how do you make sure that you fix the things that broke so everyone
Prasanna Malaiyandi:isn't like, Hey, my VMs are back up.
Prasanna Malaiyandi:I don't need to worry about these things anymore.
Prasanna Malaiyandi:Have you heard any cases where, I know sometimes executives have
Prasanna Malaiyandi:sort of financial liability, right?
Melissa Palmer:I've heard of that trend, right?
Melissa Palmer:Like your guess what your bonus is tied to if you get ransomware or not, and how you.
Melissa Palmer:And stuff like that, that's starting to happen in some places.
Melissa Palmer:Um, but a lot of it comes down to maybe the processes were
Melissa Palmer:never clearly defined upfront.
Melissa Palmer:Right.
Melissa Palmer:And that's where a lot of the cyber insurance stuff can
Melissa Palmer:actually come in and help.
Melissa Palmer:Well, they'll be like, you need to show us your response process.
Melissa Palmer:And they'll be like, here you go.
Melissa Palmer:And they'll be like, okay, so where's the rest of it?
Melissa Palmer:Or something like that, right?
Melissa Palmer:Like, what, what
Melissa Palmer:happened?
W. Curtis Preston:the.
Melissa Palmer:this is it.
Melissa Palmer:Like here's a page.
Melissa Palmer:Like it's not gonna work.
Melissa Palmer:Um, and again, it comes back to the old school DR test.
Melissa Palmer:Like there needs to be ransomware recovery tests and postmortems of
Melissa Palmer:that ransomware recovery test, right?
Melissa Palmer:Like y'all need to get in a room, figure out what worked, what didn't work.
W. Curtis Preston:Having done the old school DR test, I'm curious as to how
W. Curtis Preston:they do a ransomware recovery test.
W. Curtis Preston:Because one of the hardest parts of a ransomware recovery is that the
W. Curtis Preston:attacker is there is still attacking, like with a DR, you just say,
W. Curtis Preston:okay, those six systems are dead.
Melissa Palmer:So, yeah.
Melissa Palmer:So here's where it gets complicated.
Melissa Palmer:You need to test multiple types of recoveries, right?
Melissa Palmer:So maybe I'm recovering, please.
Melissa Palmer:I, I can't.
Melissa Palmer:I will vomit in my mouth if I say maybe I'm recovering in place.
Melissa Palmer:I can't even like say that.
Melissa Palmer:So we're not gonna say that, but like maybe I'm going to my second site.
Melissa Palmer:Maybe I'm going to a warm site.
Melissa Palmer:Maybe I'm going to a hot site.
Melissa Palmer:Maybe I'm going to a public cloud.
Melissa Palmer:Maybe I'm going to a VMware cloud.
Melissa Palmer:You gotta test all those, right?
Melissa Palmer:Because you don't know where you're going until that incident response
Melissa Palmer:phase starts, especially when law enforcement gets involved, right?
Melissa Palmer:So let's say stuff's really bad, the FBI comes, and guess what?
Melissa Palmer:We are quarantining your whole data center while we investigate.
Melissa Palmer:Then what do you do?
Prasanna Malaiyandi:Yeah.
Prasanna Malaiyandi:You're down for business, otherwise,
Melissa Palmer:do?
Melissa Palmer:No, you go to public cloud, you go to um, a service provider, you go someplace else.
Melissa Palmer:So you have to have all that ironed out ahead of time.
Melissa Palmer:You have to know that there's different considerations for
Melissa Palmer:recovery from ransomware attack than a traditional disaster.
Melissa Palmer:So I guess, you know, from a traditional disaster, like what if the
Melissa Palmer:zombies eat both data centers, right?
Melissa Palmer:Then you would still need to go to the
Prasanna Malaiyandi:but people probably aren't thinking about that though, right?
Prasanna Malaiyandi:The fact that, hey, maybe the FBI will come quarantine, right?
Prasanna Malaiyandi:Do you have your backups offsite?
Prasanna Malaiyandi:Do you have it in someplace that you can bring it up?
Prasanna Malaiyandi:And like you mentioned earlier, Melissa, it's like things you should plan for ahead
Prasanna Malaiyandi:of time before you get to the point where you are trying to recover from ransomware.
Melissa Palmer:Exactly.
Melissa Palmer:And again, unless an organization, so I have a couple of examples
Melissa Palmer:of, I don't wanna say DR done wrong, but uh, I worked for a, uh, company when I was
Melissa Palmer:an intern on Wall Street and everything was in New York City.
Melissa Palmer:And 9/11 happened and they were a block from the World Trade Center.
Melissa Palmer:That's what they couldn't, they couldn't do anything like they were done.
Melissa Palmer:Right.
Melissa Palmer:Like they were just done.
Melissa Palmer:So they like rebuilt their systems in a hotel room someplace.
Melissa Palmer:Right.
Melissa Palmer:And that kicked off a huge project to say, we actually need a second data
Melissa Palmer:center and it needs to be not around here.
Melissa Palmer:Right.
Melissa Palmer:Um, I'm also on the east coast, right?
Melissa Palmer:So New York, Hurricane Sandy, we had this hurricane roll through.
Melissa Palmer:And again, like the data centers are like 20 miles from each other.
Melissa Palmer:Guess what, they both tanked.
Melissa Palmer:Um, so things like that.
Melissa Palmer:So until an organization actually has something happen to them, it's really,
Melissa Palmer:and here's the issue, the, the, the difference between disaster recovery
Melissa Palmer:and ransomware recovery, when we talk about it, traditional disaster
Melissa Palmer:recovery stuff, until it happens, it's easy to accept the risk, right?
Melissa Palmer:Well, you know what?
Melissa Palmer:It's cheaper for us to just like recover from this disaster and be down for
Melissa Palmer:two weeks than it is to actually put everything into place where we build a
Melissa Palmer:second site, yada, yada, yada, yada, et cetera.
Melissa Palmer:that's because the risk is so low, right?
Melissa Palmer:And there's all kinds of equations for this in, you know,
Melissa Palmer:cybersecurity and stuff like that.
Melissa Palmer:But when you change it to ransomware, the risk is going to, it's going to
Melissa Palmer:happen like a probability of one.
Melissa Palmer:It will happen.
Melissa Palmer:Um, and that's what people don't understand.
Melissa Palmer:Like this is going to happen.
Melissa Palmer:It's not like you can say like, well, you know, we haven't had a hundred-year
Melissa Palmer:storm ever, so we'll be fine.
Melissa Palmer:Um, it's different like that.
Melissa Palmer:And a lot of people, I've actually seen a huge uptick in people getting.
Melissa Palmer:I don't think a lot of people are where they need to be.
Melissa Palmer:Um, but I think as people get ready and it gets harder and harder to attack
Melissa Palmer:people because they've put like some semblance of security in it, right?
Melissa Palmer:You're gonna go for the low-hanging fruit, you're gonna see the people
Melissa Palmer:who aren't ready get hit harder and you're just gonna see more and more
Melissa Palmer:attacks and the threat actors are gonna have to get more creative.
Prasanna Malaiyandi:So here's a question for you.
Prasanna Malaiyandi:Normally when we think about backup and recovery, right, it's always
Prasanna Malaiyandi:about restoring your data or your application because there might be
Prasanna Malaiyandi:a hardware failure, an application fault, user error, et cetera.
Prasanna Malaiyandi:Sometimes people talk about ransomware in the same context as
Prasanna Malaiyandi:disaster recovery and sort of those
Melissa Palmer:Ransomware is a disaster.
Melissa Palmer:I
Prasanna Malaiyandi:but, but here's the question though, Melissa
Prasanna Malaiyandi:is, Like you had just mentioned, it's not the same as a flood or a
Prasanna Malaiyandi:hurricane or something like that.
Prasanna Malaiyandi:And so are we kind of pushing ourselves and kind of giving people the false
Prasanna Malaiyandi:impression that it is similar to those other disasters and things that they
Prasanna Malaiyandi:shouldn't worry about versus we should be treating it similar to like an application
Prasanna Malaiyandi:failure or user failure and treating it
Prasanna Malaiyandi:similar.
Prasanna Malaiyandi:It's like more towards that side of the spectrum than this side.
Melissa Palmer:and you know, that all falls under DR anyway, like hardware
Melissa Palmer:failure and all that kind of stuff.
Melissa Palmer:Um, and again, in a lot of those cases, it's easy to say, well, you know what?
Melissa Palmer:I don't really want a second site.
Melissa Palmer:It's just cheaper to deal with the hardware.
Melissa Palmer:It'll take we'll rush order.
Melissa Palmer:I was in a situation at a company, we'll just rush order at a new array from
Melissa Palmer:EMC that will solve our problems.
Melissa Palmer:Like that was the plan and that happened.
Melissa Palmer:Um, so crazy stuff like that.
Melissa Palmer:But the problem, why I like to make the analogy so much is the problem
Melissa Palmer:is when you tell someone that you have to get ready to recover from
Melissa Palmer:ransomware, they're just like, I don't know
Melissa Palmer:what to do.
Melissa Palmer:You have to put it in some context that kind of makes sense.
Melissa Palmer:I mean, disaster recovery is definitely like not sexy, even though
Melissa Palmer:I've done it most in my career.
Melissa Palmer:Um, but it's something that everybody has an inkling about at least, right?
Melissa Palmer:Everybody kind of knows that there is usually a DR test once
Melissa Palmer:or twice a year at a minimum.
Melissa Palmer:Um, so it's a way, it's a starting point, right?
Melissa Palmer:It's not your final destination, but it's a starting
Melissa Palmer:point.
Melissa Palmer:It's a place to start, context.
Melissa Palmer:Maybe you have some playbook, some processes that we can leverage to go build
Melissa Palmer:on top of that and say, okay, so how do we make sure that we can recover now under
Melissa Palmer:any
W. Curtis Preston:I like to, I like to say that it's a subset, right?
W. Curtis Preston:A DR is a subset of a ransomware recovery, but there's so much else, right?
W. Curtis Preston:And the big thing, the but, and I think you said it already, Prasanna, but the
W. Curtis Preston:big thing to me, the difference between a DR and a ransomware attack, um, is
W. Curtis Preston:that the, the disaster isn't, Right.
W. Curtis Preston:You're, you're still right when
Melissa Palmer:the disaster never
W. Curtis Preston:a flood is gone, you're like, okay, all
W. Curtis Preston:these servers got wiped out.
W. Curtis Preston:So those are the
Melissa Palmer:because the threat is still there.
Melissa Palmer:Just because you recovered from the ransomware attack doesn't mean
Melissa Palmer:they're not gonna hit you again, or someone else isn't gonna hit
W. Curtis Preston:Right.
W. Curtis Preston:Well, and, and how do you even know, um,
Prasanna Malaiyandi:gone.
W. Curtis Preston:You know, like when you, when when a hurricane wipes out a
W. Curtis Preston:data center, you're like, okay, those are the servers we need to restore.
W. Curtis Preston:But how do, when you walk into your data center and there's a
W. Curtis Preston:ransomware attack going on, how do you even know which servers have
W. Curtis Preston:been affected or not affected?
W. Curtis Preston:Right.
W. Curtis Preston:That's, that is a big part of it.
Prasanna Malaiyandi:Yeah, and I guess the other thing is even like you
Prasanna Malaiyandi:might see the active infection, like things are being encrypted, et cetera,
Prasanna Malaiyandi:but it might just be lying silently.
Prasanna Malaiyandi:Right.
Prasanna Malaiyandi:We've talked about dwell time in the past, right.
Prasanna Malaiyandi:Where it's
Melissa Palmer:chill.
Melissa Palmer:They just chill in there for a while.
Melissa Palmer:Like, who knows?
Melissa Palmer:Um, I, I can't remember off the top of my head, but I remember reading like a big
Melissa Palmer:name breach or something like that, or a big name attack, and they said they were
Melissa Palmer:in the network for like six months or
Prasanna Malaiyandi:I think SolarWinds was like
Melissa Palmer:was it?
Melissa Palmer:I don't remember.
Melissa Palmer:But I remember reading a couple of them where they've been in there a
Melissa Palmer:significant period of time and who knows what they're doing there, right?
Melissa Palmer:Like who knows unless you catch them.
Melissa Palmer:So it's about
Melissa Palmer:catching 'em past.
W. Curtis Preston:The mean time is something like 60 days
W. Curtis Preston:actually is what I, what I read.
W. Curtis Preston:Um, I
Melissa Palmer:be the worst ransomware person.
Melissa Palmer:I'd be like, let's go, let's go.
Melissa Palmer:It's like, no, you're not supposed to do that.
Melissa Palmer:You gotta take your time and traverse through the network and get AD.
Melissa Palmer:I'd be like, let's go encrypt VMware.
Melissa Palmer:Let's go.
Melissa Palmer:I'd be caught so fast.
Melissa Palmer:Or maybe I wouldn't, maybe I.
W. Curtis Preston:That's
Prasanna Malaiyandi:You're only caught if someone's monitoring and watching.
Prasanna Malaiyandi:Right Melissa?
Melissa Palmer:Right.
Melissa Palmer:And you need to be
Melissa Palmer:looking for the right things.
W. Curtis Preston:Yeah.
W. Curtis Preston:As soon as you encrypt a, a VM, uh, you're gonna set off an alarm or two.
W. Curtis Preston:Um, but I, I think you encrypt, I think you encrypt a lot of
W. Curtis Preston:files that no one's looking at.
W. Curtis Preston:Right.
W. Curtis Preston:But the moment you start
Melissa Palmer:Once you hit the the thing, the only thing is you'll hit.
Melissa Palmer:You'll hopefully you'll be caught as soon as you start encrypting the VMs.
Melissa Palmer:You do them all at once, so it doesn't matter.
W. Curtis Preston:Yeah.
W. Curtis Preston:Right.
W. Curtis Preston:Cuz it's,
Melissa Palmer:I got all
Melissa Palmer:of 'em.
Melissa Palmer:It doesn't matter that you caught me doing the first one, I did them all.
Melissa Palmer:Um, but yeah, so generally they're in their wreaking havoc, steal maybe
Melissa Palmer:exfiltrating data, doing some stuff before they go encryption habit.
Melissa Palmer:Or maybe like, I've heard cases recently where they don't even
Melissa Palmer:bother, like encrypting stuff.
Melissa Palmer:They're just stealing data at this point and be like, by the
Melissa Palmer:way, look what we have.
Prasanna Malaiyandi:Is that easier by the way, to steal data?
Prasanna Malaiyandi:Because it seems that you can sort of fly under the radar if you just steal
Prasanna Malaiyandi:data because people will probably, maybe they notice, maybe they don't,
Prasanna Malaiyandi:but it's not as obvious as, say,
Melissa Palmer:It is definitely not as obvious as encrypting stuff, I'm
Melissa Palmer:like this weird monitoring nerd too.
Melissa Palmer:I had like this monitoring fetish at Veeam.
Melissa Palmer:It was very strange.
Melissa Palmer:Um, so like, I would like really hone in on like what to look
Melissa Palmer:for to catch that too, right?
Melissa Palmer:But not everybody is crazy like me.
Melissa Palmer:Um,
Melissa Palmer:network
W. Curtis Preston:I think, yeah, I do.
W. Curtis Preston:To answer your question, Prasanna, I do think that exfiltration as an overall
W. Curtis Preston:process is easier in that if you can get any data out that there's a, there's a
W. Curtis Preston:much higher chance that they will respond.
W. Curtis Preston:That they will pay the ransom.
W. Curtis Preston:Right?
W. Curtis Preston:Because backups aren't gonna help.
Melissa Palmer:I'm looking at my black hat over there.
Melissa Palmer:I'm wondering if I should like, put it on for this discussion or something.
Melissa Palmer:Um, like you would probably like see like, all right, like if I'm a bad person,
Melissa Palmer:I'm not a bad person, I'm a good person.
Melissa Palmer:Um, like they start small, right?
Melissa Palmer:They grab a file here and there and they see if they
Prasanna Malaiyandi:if anyone notices.
Melissa Palmer:this, grab that, right?
Melissa Palmer:Like, you don't go and just be like, oh look, here's the final.
Melissa Palmer:25 million gigabytes of MP3s.
Melissa Palmer:I'm gonna take it all at once.
Melissa Palmer:No, they're like picky and choosy.
Melissa Palmer:They try to find the sensitive data.
Melissa Palmer:They take a little bit here and there.
Melissa Palmer:Maybe they only need to grab a couple spreadsheets.
Melissa Palmer:Right?
Melissa Palmer:It's not like, I think there's this misnomer that like they get
Melissa Palmer:in there and I'm just gonna start downloading massive chunks of
Melissa Palmer:data.
W. Curtis Preston:well, that's the whole point of
Melissa Palmer:so you could exfiltrate a VM, just like
Melissa Palmer:download the VMDK and be like,
W. Curtis Preston:yeah, exactly.
Melissa Palmer:ad.
Melissa Palmer:Have a nice life
W. Curtis Preston:that's that whole phase of the, um, the initial phase of an attack
W. Curtis Preston:is trying to expand out, seeing what you can find out, seeing if you can find
W. Curtis Preston:a spreadsheet called customer database
Melissa Palmer:You know?
Melissa Palmer:Right.
W. Curtis Preston:xls, right.
W. Curtis Preston:Um, or like.
Melissa Palmer:you might not bother encrypting everything, but if you
Melissa Palmer:can't find much, you say, all right, I'll steal some stuff and tell 'em I
Melissa Palmer:have some files, but I won't tell them what I'll hope that'll make them pay.
Melissa Palmer:And I'll just go, you know, encrypt some stuff while.
Melissa Palmer:Which is more illegal?
Melissa Palmer:Is one more legal than the other?
Prasanna Malaiyandi:I think they both are pretty bad,
Melissa Palmer:is one more illegal than the other?
W. Curtis Preston:Well, they're both extortion.
W. Curtis Preston:Um, the act, The act
Melissa Palmer:but if you're actually exfiltrating, you're stealing it.
W. Curtis Preston:yeah.
W. Curtis Preston:That's gonna depend on where this happens.
W. Curtis Preston:Uh, whether or not exfiltrating the data is a different crime.
W. Curtis Preston:And damaging the data.
W. Curtis Preston:Um, but, uh, but in the, the extortion happens on both sides, right?
W. Curtis Preston:And that's definitely illegal in
Melissa Palmer:that
W. Curtis Preston:pretty much every jurisdiction
Melissa Palmer:legal kids.
Prasanna Malaiyandi:Yeah, so we talked about, so we talked
Prasanna Malaiyandi:about incident response.
Prasanna Malaiyandi:You've now been hit by a ransomware attack.
Prasanna Malaiyandi:in, then let's just take VMware environments, right?
Prasanna Malaiyandi:So what do you see people doing like, or what are things that they
Prasanna Malaiyandi:should be doing that they're not?
Prasanna Malaiyandi:Like, how do they even approach
Melissa Palmer:Yeah, so he,
Prasanna Malaiyandi:VMware environment gets encrypted Now, what
Melissa Palmer:Um, to me it's trash.
Melissa Palmer:I would throw it away and start over, like, I'm not even joking.
Melissa Palmer:Throw it
W. Curtis Preston:No, not
Prasanna Malaiyandi:and, and, and, and how much?
Prasanna Malaiyandi:And and how much would you, when you say throw it away, are you talking about
Prasanna Malaiyandi:throwing away the virtual machines, throwing away the ESXi servers, the.
Melissa Palmer:the host, wipe the storage array, wipe it all and start over.
Melissa Palmer:Um, and, and here's the thing, right?
Melissa Palmer:So like, you know, I, I like it.
Melissa Palmer:I have this weird side of me that also does like weird blogging stuff, right?
Melissa Palmer:And like, I like SEO and stuff like that.
Melissa Palmer:And even my career at Veeam people are like, how do I back up my VMware host?
Melissa Palmer:you don't, they're like, what do you mean?
Melissa Palmer:I'm like, you don't, um, you automate the build process
Melissa Palmer:and the configuration, right?
Melissa Palmer:You don't actually back up your host and restore it.
Melissa Palmer:It's, you
Prasanna Malaiyandi:You just rebuild
Melissa Palmer:thing.
Melissa Palmer:It's a clean install and you configure it.
Melissa Palmer:Um, so that's what people need to be testing to is how I would
Melissa Palmer:actually recover is almost misnomer.
Melissa Palmer:Cuz personally I would trash it.
Melissa Palmer:Um, how do I re rapidly rebuild a VMware environment?
Melissa Palmer:And that's something.
Melissa Palmer:People don't do every day, right?
Melissa Palmer:Like that stuff runs like you might have not even reinstalled.
Melissa Palmer:You could have just been upgrading for the last like 10 years and like,
Melissa Palmer:whatever, probably not 10, probably four or five years, you'll get a new host.
Melissa Palmer:I don't know.
Melissa Palmer:It depends.
Melissa Palmer:Um, so that's something that people don't practice and don't do.
Melissa Palmer:Um, and you can actually do that all.
Melissa Palmer:for the most part, um, in a nested virtualization environment.
Melissa Palmer:Get all your processes down stuff.
Melissa Palmer:So it's a pretty low co I mean, you should test on your physical hardware
Melissa Palmer:at some point for any drivers and stuff, but it's actually a relatively low
Melissa Palmer:cost and effort thing to figure out.
Melissa Palmer:It's not rocket science.
Prasanna Malaiyandi:But when you do this testing, wouldn't you also want to
Prasanna Malaiyandi:involve, say like your networking team,
Melissa Palmer:Yes, you would wanna, any of this testing,
Melissa Palmer:you wanna involve anybody?
Melissa Palmer:Everybody, right?
Melissa Palmer:Everybody should be involved in this.
Melissa Palmer:everybody.
Melissa Palmer:And that's I think, one of the biggest problems we see that they're not,
W. Curtis Preston:So when you say,
Melissa Palmer:They're like, I don't have time to do this.
W. Curtis Preston:when you say rebuild the VMware environment,
W. Curtis Preston:um, obviously you're talking about VM, you know, wiping the hosts and,
W. Curtis Preston:and the storage and all of that.
W. Curtis Preston:When we get to the phase of actually bringing back VMs,
Melissa Palmer:Mm-hmm.
W. Curtis Preston:what way would you do that?
Melissa Palmer:Um, so most backup software these days have something
Melissa Palmer:built in where it'll actually scan for ransomware as you are restoring, right?
Melissa Palmer:And find the ransomware if it's there.
Melissa Palmer:Cause at that point, you know what you're infected with,
Melissa Palmer:so you know what to look for.
Melissa Palmer:Um, so I would be either scanning it or, you know, if you have really good.
Melissa Palmer:and then you can decide how you're gonna fix it, or you're just gonna go
Melissa Palmer:back to an earlier point or whatever.
Melissa Palmer:Um, you know, some people are really good with the IR stuff and say, we know the
Melissa Palmer:ransomware came in this date, this time we are absolutely a million percent certain
Melissa Palmer:because we have all these logs go back to the last known good restore point, right?
Melissa Palmer:Um, so it really depends.
Melissa Palmer:But the backup people gonna be a big part of that, right?
Melissa Palmer:Because it's gonna be
W. Curtis Preston:Y Yeah, I,
Melissa Palmer:do they have built in?
W. Curtis Preston:this is something I put a lot of thought into lately
W. Curtis Preston:of if the mean time of a, of a.
W. Curtis Preston:Infection is 60 days, and some of them are twice that, um, the, the
W. Curtis Preston:idea of of saying, oh, well we got, we got infected December 1st, so
W. Curtis Preston:we're gonna restore to December 1st.
W. Curtis Preston:That's a
Melissa Palmer:That doesn't, it doesn't always work.
Melissa Palmer:In some cases it might, in some cases it won't.
Melissa Palmer:And then you're going back to scanning,
W. Curtis Preston:So you've got, you've got to, I think in most
W. Curtis Preston:cases, if many, if not most cases, you're gonna do a restoring.
Melissa Palmer:Yeah.
Melissa Palmer:I've seen kind of almost like two stage recoveries too.
Melissa Palmer:Like get the bare minimum of stuff something up and run something
Melissa Palmer:online up and running, right.
Melissa Palmer:To restore services and then do the full recovery later.
Melissa Palmer:So you're not, you might be like, all right, so you know what?
Melissa Palmer:We can roll these servers back to December 29th.
Melissa Palmer:We can use the newest copy of the database.
Melissa Palmer:We can mash it together and make it work and serve our customers
Melissa Palmer:while we're actually restoring everything the right way.
Prasanna Malaiyandi:Rackspace,
Melissa Palmer:So it did that.
W. Curtis Preston:Prasanna.
W. Curtis Preston:Yeah.
Melissa Palmer:you okay?
Melissa Palmer:You were eating another sip of tea there.
W. Curtis Preston:It's what I thought of when you, when you, as soon as
W. Curtis Preston:she said that, I, yeah, I know.
W. Curtis Preston:Yeah.
W. Curtis Preston:Just make sure.
W. Curtis Preston:Unlike Rackspace, just make sure that you thought of this beforehand.
W. Curtis Preston:Right.
W. Curtis Preston:The only way that this is gonna work is if you identify what are the three
W. Curtis Preston:services that need to be up right away so that we can function as a company and
W. Curtis Preston:what are the other 20, 5,000 services
Melissa Palmer:That kind of, um, that ties almost more into like
Melissa Palmer:the business con, you know, BCDR
W. Curtis Preston:Yeah.
W. Curtis Preston:Yeah,
Melissa Palmer:continuity sort.
Melissa Palmer:Like what are our key applications and what level of, what do we have
Melissa Palmer:to do to get those online First comes back to our RPOs and RTOs, right?
W. Curtis Preston:yeah.
Melissa Palmer:it's, it's, the thing is, it's such a big discussion that unless
Melissa Palmer:you've had it cross-functionally with the business owners and the app owners,
Melissa Palmer:and the infrastructure owners and the security team, you're not in a good.
W. Curtis Preston:Yeah.
W. Curtis Preston:I, I think, I think it's, it's just, it's one thing to have a discussion,
W. Curtis Preston:again, going to DR versus RR, um, is that it's one thing to go, well, what
W. Curtis Preston:are the servers we're gonna do first?
W. Curtis Preston:And what are, what are the servers that we're gonna do three hours later?
W. Curtis Preston:It's a whole other thing to say, what are the servers we're gonna do the
W. Curtis Preston:first couple of days, and what are the servers we're gonna do next week?
W. Curtis Preston:Right.
W. Curtis Preston:I,
Melissa Palmer:And that, that's the problem, right?
Melissa Palmer:You don't know until it happens.
Melissa Palmer:Like if, if you, if it's your whole environment is done right.
Melissa Palmer:That is very different than, oh, we know, just, they just did this
Melissa Palmer:subset of servers or whatever.
Melissa Palmer:It's, and like we were, um, The company I worked for a company
Melissa Palmer:that I no longer worked there.
Melissa Palmer:It was a pr uh, I was a customer and they had a, a very, they were one of the first
Melissa Palmer:really, really big ransomware attacks in the news, and it was like a disaster.
Melissa Palmer:I was like, wow, I'm glad I'm not on the VMware team anymore
Melissa Palmer:there when this is going down.
Melissa Palmer:Right.
Melissa Palmer:Um, but it really depends and you don't know what's gonna happen.
Melissa Palmer:The only thing you can do is be as prepared as possible, right?
Melissa Palmer:Test different recovery methods.
Melissa Palmer:Um, and I love RPOs and RTOs in saying that we can meet them under a testing
Melissa Palmer:scenario, but in the real world, we don't know that that's gonna happen.
W. Curtis Preston:Yeah.
Prasanna Malaiyandi:One of the things on the podcast we talked about a couple
Prasanna Malaiyandi:days ago was, Like Tom was mentioning, oh yeah, you just shut down your
Prasanna Malaiyandi:network and you start figuring out, okay, what was affected but in what?
Prasanna Malaiyandi:And you prevent everything go from going in and out.
Prasanna Malaiyandi:And I was like, but how do you communicate?
Prasanna Malaiyandi:Right?
Prasanna Malaiyandi:And he's like, yeah, make sure you have ahead of time, sort of use cell phones.
Prasanna Malaiyandi:iMessage can work.
Prasanna Malaiyandi:You can set up a separate Slack instance completely outside of
Prasanna Malaiyandi:the corporate environment, right?
Prasanna Malaiyandi:Whatever it is to keep that ongoing communications.
Melissa Palmer:like, uh, how am I supposed to use Microsoft Teams to
Melissa Palmer:communicate with a security team?
Melissa Palmer:Well, that might be Office 365.
Melissa Palmer:That might be, okay, that's a bad example.
W. Curtis Preston:Yeah, as long as you have a, as long as you have a,
W. Curtis Preston:um, an internet connection, right?
W. Curtis Preston:Um, which is pretty easy to get
Melissa Palmer:but like who has people's phone numbers these days?
W. Curtis Preston:people with incident response plans, that's who
Melissa Palmer:yeah, that's
Prasanna Malaiyandi:But But aren't there issues though, where ransomware
Prasanna Malaiyandi:actors might still have access to your Slack instance and be monitoring
Prasanna Malaiyandi:what's going on from an incident
Melissa Palmer:I've seen that.
Melissa Palmer:I've seen that.
Melissa Palmer:I've seen, I have seen that happen where like, they still had access.
Melissa Palmer:It was teams.
Melissa Palmer:I think they still had access.
Melissa Palmer:They were watching the IR stuff happen as they were still in there hanging out.
Melissa Palmer:It's like, oh yeah, Y again,
W. Curtis Preston:ransomware stuff is bad.
W. Curtis Preston:Melissa, I'm just gonna take that stance.
Melissa Palmer:bad.
Melissa Palmer:It's bad, and you don't know what's gonna happen until it happens.
Melissa Palmer:Which is why, and it ties back to incident response, right?
Melissa Palmer:And having an incident response firm on retainer that does this every day.
Melissa Palmer:Right?
Melissa Palmer:Because I, I don't care how good, even if, like, okay, let's say
Melissa Palmer:you drop Melissa into X, Y, Z company and you put her in charge.
W. Curtis Preston:Do are you gonna rappel down a rope from a helicopter?
W. Curtis Preston:Because that
Melissa Palmer:Yes, I'm gonna rappel down a rope from a helicopter,
Melissa Palmer:drop me in, right, and say, Melissa, get ready for ransomware,
Melissa Palmer:and six months later you hit me.
Melissa Palmer:I would like to say that I'll be able to recover, but I don't know that.
Melissa Palmer:I don't know.
Melissa Palmer:That doesn't matter how good you are, you're not doing this every day, right?
Melissa Palmer:Like, so unless you're doing this every day, cuz every attack is different.
Melissa Palmer:It's gonna be like, what have these people seen in the other events?
Melissa Palmer:What, what ransomware gang have you been hit by?
Melissa Palmer:Right?
Melissa Palmer:So I can put everything into place that I think I will need
Melissa Palmer:to make sure that we recover.
Melissa Palmer:And yeah, honestly, we'd probably recover all our data.
Melissa Palmer:I don't know if we meet our RPOs and our RTOs.
Melissa Palmer:I, I, I'm pretty sure I could get all the data to the recoverable point,
Melissa Palmer:but what was Exfiltrated, how did they get in all that kind of stuff.
Melissa Palmer:you don't know, which is why you have to call the pros.
Melissa Palmer:You have to call the people that do this every day.
Prasanna Malaiyandi:Is there sort of a standard ransomware recovery test, but.
Prasanna Malaiyandi:That kind of outlines like, Hey, here are the thing.
Prasanna Malaiyandi:Because I can imagine, say you can't afford, the pros
Prasanna Malaiyandi:say you can't afford the pros.
Prasanna Malaiyandi:Right?
Prasanna Malaiyandi:Is there sort of a, here are the testing scenarios you should be thinking
Prasanna Malaiyandi:about, or here are the things that sort of get shot in the head when a
Prasanna Malaiyandi:ransomware recovery or ransomware hits.
Melissa Palmer:Um, Google tabletop exercises like ransomware recovery,
Melissa Palmer:disaster recovery, tabletop exercises.
Melissa Palmer:Right?
Melissa Palmer:That's a good place to start.
Melissa Palmer:I've thought about doing like a Dungeons and Dragons style type,
Melissa Palmer:like ransomware recovery thing.
Melissa Palmer:I
Prasanna Malaiyandi:With the actual people.
Prasanna Malaiyandi:Yeah, with like you get the networking security
Melissa Palmer:think that would be fun and useful.
Melissa Palmer:And you know what?
Melissa Palmer:When you make things fun, people actually pay a.
Prasanna Malaiyandi:Yep.
Melissa Palmer:right?
Melissa Palmer:So like, if I get you all in terms and be like, today we are going to talk
Melissa Palmer:about ransomware recovery and have a mock simulation of what would happen.
Melissa Palmer:Be like, okay, you're a Paladin, you're a warrior, uh, you're a ma.
Melissa Palmer:Uh, an adult black dragon just showed up and encrypted your VMs.
Melissa Palmer:What are you doing?
Melissa Palmer:Right?
Melissa Palmer:Like,
Melissa Palmer:you're gonna have so much fun, you're gonna remember it, and
Melissa Palmer:it's gonna work out a lot better.
Prasanna Malaiyandi:Yeah.
W. Curtis Preston:I like that.
W. Curtis Preston:Yeah.
W. Curtis Preston:Um, by the way, one of the things, you know, we talked a lot about prepping.
W. Curtis Preston:One of the things that I think also in terms of, we talked
W. Curtis Preston:about exfiltration monitoring.
W. Curtis Preston:I also, uh, like the idea, and we talked about it on a couple of
W. Curtis Preston:different episodes, this idea of, um, something on your DNS side
W. Curtis Preston:that would notice when you start talking to really weird domain names.
Melissa Palmer:Yeah, that's a big one.
Melissa Palmer:And there's all these lists.
Melissa Palmer:Um, a lot of these researchers will just like tweet like, by the way, domains
Melissa Palmer:looking a little hot, a little sus.
Melissa Palmer:You might wanna block that stuff.
Melissa Palmer:Um, so yeah, there's these lists of these like known bad domains
Melissa Palmer:and IPs and stuff like that too.
W. Curtis Preston:Right.
W. Curtis Preston:Yeah.
W. Curtis Preston:And, and the other, uh, but I, I do think that if.
W. Curtis Preston:If you implement exfiltration monitoring, if you have a specific exfiltration
W. Curtis Preston:monitoring, I think you could stop mo or, or notice it quickly and stop it.
W. Curtis Preston:Um, but what I'm hearing from others is that not everybody
W. Curtis Preston:can afford such a thing.
W. Curtis Preston:Right.
W. Curtis Preston:Um, that, that,
Melissa Palmer:lot of people can't afford it or they don't have the
Melissa Palmer:skill set to build it themselves, and you really wanna be building and
Melissa Palmer:maintaining your own security systems.
Melissa Palmer:Probably not.
W. Curtis Preston:No, but a lot of people do,
Melissa Palmer:Yeah, because they have no choice.
Melissa Palmer:It's better than nothing.
Melissa Palmer:Like I've done some weird stuff with some weird software because
Melissa Palmer:it was better than nothing.
Melissa Palmer:Um, it, it, it's really a difficult point to be in.
Melissa Palmer:And it's kind of like, you know, you all these people put out these, um, all
Melissa Palmer:these, uh, security companies will do all this research of like, here's the
Melissa Palmer:top ways they're getting in and blah, blah, blah, and all this kind of stuff.
Melissa Palmer:Um, there's a lot of marketing that goes into it, but
Melissa Palmer:there's a lot of truth, right?
Melissa Palmer:So like, I.
Melissa Palmer:. The big thing was the people for a long time, the people
Melissa Palmer:let it in, you know, multi.
Melissa Palmer:Where was it when, when this whole Cisco thing happened?
Melissa Palmer:That was like, um, MFA, right?
Melissa Palmer:They got in through their MFA cuz they kept spamming them.
Melissa Palmer:Eventually they said yes because like, stop calling me at 11 o'clock at night.
Melissa Palmer:Um, now they're saying, oh, it's more vulnerabilities than people, right?
Melissa Palmer:So honestly, I feel like the people might be easier to deal
Melissa Palmer:with in the vulnerabilities.
Melissa Palmer:I don't know.
Melissa Palmer:Um, because then it's gonna be like testing the patches.
Melissa Palmer:Can we patch everything?
Melissa Palmer:Can we remediate everything?
Melissa Palmer:It's, it's just like, what are the areas that you can find within your
Melissa Palmer:own organization to be quick wins because you wanna prove that you can
Melissa Palmer:win to your management so you get more money and can do more projects.
Melissa Palmer:So you need like a balance of quick wins to prove progress and high.
Melissa Palmer:right?
Melissa Palmer:What are the things that I can implement that will have the
Melissa Palmer:most impact to reduce the risk?
Melissa Palmer:And you're never gonna get the risk to zero.
Melissa Palmer:I, there's um, a lot of people say that, like assume breach, right?
Melissa Palmer:Like assume they're gonna get in so we can do all this security stuff.
Melissa Palmer:We can do all this backup.
Melissa Palmer:And backup is basically assuming they're gonna get in, right?
Melissa Palmer:Like, we're not backing this stuff up cuz we think our security is so great.
Melissa Palmer:Like we're assuming that it's the last line of defense, we're gonna need it.
Melissa Palmer:Um, so a lot of it is just trying to mitigate what you.
Melissa Palmer:in a way that makes sense for your organization, because we can't have
Melissa Palmer:everybody working 20 hour days doing this either, or they're gonna be too fried to
Melissa Palmer:make mistakes and people are a problem.
Melissa Palmer:Um, it, it's difficult.
Melissa Palmer:It really is hard for any organization.
Melissa Palmer:It's what can I do with what resources I have and CYA, right?
Melissa Palmer:If I'm, I'd probably be doing a lot of CYA when, you know, they tell you
Melissa Palmer:it's too expensive, you can't do that.
Melissa Palmer:Well, you better have that documented.
Melissa Palmer:So when you get ransomware, not like, Melissa, why didn't you
Melissa Palmer:put in that security system?
Melissa Palmer:You told me we didn't have the.
W. Curtis Preston:You don't know what's the current hot way that they're gonna,
W. Curtis Preston:they're, they're gonna attack you.
W. Curtis Preston:You can't stop all, uh, vulnerabilities.
W. Curtis Preston:You can't stop all stupid user things that stupid users are gonna do.
W. Curtis Preston:Um, and, um, And, and so you, I do think you, you have to assume breach, right?
W. Curtis Preston:And so you do have to do some things in your network that are going to
W. Curtis Preston:tell you when the bad guys are here.
W. Curtis Preston:Um, and that we stop it
W. Curtis Preston:as quickly as we can.
Melissa Palmer:Can we make a movie about this?
Melissa Palmer:Please?
Melissa Palmer:Like that would be really cool.
W. Curtis Preston:Nobody.
W. Curtis Preston:It'll only be
Melissa Palmer:I'm gonna watch it
Melissa Palmer:I'm gonna have ChatGPT write me a movie.
Melissa Palmer:I've had it write me ransomware Hallmark movies.
Melissa Palmer:I kid you not, I'm just saying
Melissa Palmer:have to entertain myself.
Melissa Palmer:How now?
Prasanna Malaiyandi:Wait,
W. Curtis Preston:my wife would watch it if we make it a
W. Curtis Preston:K-drama, make it a Korean drama.
W. Curtis Preston:Um,
Melissa Palmer:be good.
Melissa Palmer:Or like a Bollywood ransomware story.
W. Curtis Preston:yeah, I, there was a ransomware attack in a
W. Curtis Preston:K-drama that, uh, I dunno if you saw, there's one called Start-Up.
W. Curtis Preston:Um, and, uh, there, there's a, there's a, a really big
W. Curtis Preston:incubator in Korea in this movie.
W. Curtis Preston:Um, and this group of people, they, they do a startup there and.
W. Curtis Preston:Right at the crucial moment they get, they get a ransomware attack.
W. Curtis Preston:Um, and, and it was because some people did some dumb stuff.
W. Curtis Preston:They cut some corners, you know, and so they got
Prasanna Malaiyandi:They got.
W. Curtis Preston:and the tech wasn't bad.
W. Curtis Preston:Right.
W. Curtis Preston:Um, there, I, I've actually seen a lot of, there was, uh, The Good
W. Curtis Preston:Doctor, that's the one with the guy that has, he's on the spectrum anyway.
W. Curtis Preston:They got, they got,
Melissa Palmer:episode
W. Curtis Preston:they got, they got a ransomware
W. Curtis Preston:attack.
Melissa Palmer:Grey's Anatomy
W. Curtis Preston:Uh, Grey's Anatomy did one.
W. Curtis Preston:Uh, The Good Doctor did one and the tech wasn't bad.
W. Curtis Preston:Right.
W. Curtis Preston:Uh, I just, I just hate it when it's like, like when you watch, I dunno if you
W. Curtis Preston:ever watch, did you ever watch The Net?
Melissa Palmer:Yeah.
Melissa Palmer:Yeah.
Prasanna Malaiyandi:Yep.
W. Curtis Preston:That tech
Melissa Palmer:Look, all I know is I was, I don't know, maybe there's some
Melissa Palmer:Hallmark movies going on in my house and it was on in the other room when I was
Melissa Palmer:cooking dinner and my ears perked up.
Melissa Palmer:'Cause I heard something about an engineer and it was the dude who was the engineer.
Melissa Palmer:I was like, oh, I had hopes for this one.
Melissa Palmer:So Hallmark, if you are listening to this, I would love to be your female
Melissa Palmer:lead in a I think that would be so much.
Melissa Palmer:Come on, come on.
Melissa Palmer:Happy ending.
Melissa Palmer:They, we, we recover from
W. Curtis Preston:question is, how can you incorporate a small
W. Curtis Preston:town with a business that's, you know, on its last legs?
W. Curtis Preston:And
Melissa Palmer:Totally.
Prasanna Malaiyandi:That would
Prasanna Malaiyandi:work.
Prasanna Malaiyandi:Yeah.
W. Curtis Preston:instead of a ran, instead of a, uh, you know, a big
W. Curtis Preston:bookstore coming into town to shut down your little bookstore, it's
W. Curtis Preston:the ransomware attack shuts down the little, the little bookstore in
Prasanna Malaiyandi:Or it could be at a doctor's
W. Curtis Preston:And,
Melissa Palmer:Yeah.
Melissa Palmer:Or local hospital.
Melissa Palmer:We could do local hospital.
Melissa Palmer:That would be fine.
Melissa Palmer:Small town hospital only thing for miles.
W. Curtis Preston:It's, it's the big city girl that knows, um, that knows
W. Curtis Preston:about ransomware to rescue the little
Melissa Palmer:big city girl, leaves her job at a software company, goes back
Melissa Palmer:to her hometown to go out on her own.
Melissa Palmer:just
W. Curtis Preston:Um, can you tell I've seen a Hallmark movie or show a show
Melissa Palmer:I, it's my guilty pleasure.
Melissa Palmer:I'm just gonna say that, uh, around Christmas there was a thing going around.
Melissa Palmer:It was like Hallmark movie generator, and I looked at it
Melissa Palmer:and I went, this is my life.
Melissa Palmer:Oh my goodness.
Melissa Palmer:I'm a Hallmark movie.
Melissa Palmer:This is so cool.
W. Curtis Preston:They are kind of predictable as storylines, but, but yet
W. Curtis Preston:they've yet to have a ransomware attack.
Melissa Palmer:Come on.
W. Curtis Preston:I'm behind that.
W. Curtis Preston:Yeah.
W. Curtis Preston:Well on that note, um, speaking of disappointing, um, you
W. Curtis Preston:know, if you folks like this
W. Curtis Preston:episode, I think there's
W. Curtis Preston:some, I, uh, uh, I think, no, I think this was a good episode.
W. Curtis Preston:Um, and I like, I think, you know, we covered a lot.
W. Curtis Preston:We also had a little bit of fun.
W. Curtis Preston:I love that.
W. Curtis Preston:That's actually my favorite kind of episode where we, if it's just straight
W. Curtis Preston:talk the whole time, it's boring.
W. Curtis Preston:Um, and.
W. Curtis Preston:This was good.
W. Curtis Preston:Uh, good, good.
W. Curtis Preston:Smattering of both.
W. Curtis Preston:So, um, I think the one thing we're getting away from this is the best way
W. Curtis Preston:to respond to a ransomware attack is to respond to it before it happens.
Melissa Palmer:Yes.
W. Curtis Preston:Right.
W. Curtis Preston:Talk to people, talk to, you know, talk to an incident response team.
W. Curtis Preston:A cyber insurance company's a good way to get one of those.
W. Curtis Preston:Um, you know, uh, do all the, the, those, the ransomware recovery scenarios, right?
W. Curtis Preston:All the different scenarios from a, the, the backup and recovery standpoint, right?
W. Curtis Preston:Um, and, um, and do some kind of monitoring, logging, logging.
W. Curtis Preston:Saving your logs, getting the logs, logging log.
W. Curtis Preston:I can't, I can't say that.
W. Curtis Preston:I can't say it that
Prasanna Malaiyandi:lugging.
W. Curtis Preston:Yeah, log, logging.
W. Curtis Preston:Logging, I can't, I don't know.
W. Curtis Preston:My tongue doesn't do that anyway.
W. Curtis Preston:Um, and then also some kind of monitoring for what's going on in your environment.
W. Curtis Preston:That would set off alarms when a ransomware.
W. Curtis Preston:You know, initial phase is happening.
W. Curtis Preston:Uh, cuz that's the key to start to stopping it, is to stop it
Melissa Palmer:Yep.
Melissa Palmer:Get it.
Prasanna Malaiyandi:Yeah,
W. Curtis Preston:absolutely.
W. Curtis Preston:Well, thanks Melissa
Melissa Palmer:Thank you.
W. Curtis Preston:and uh, thanks Prasanna despite the fact that you were the
W. Curtis Preston:cause of all of our technical problems.
Prasanna Malaiyandi:I'm sorry.
Prasanna Malaiyandi:Hopefully not.
Melissa Palmer:Sounds like a Hallmark
Prasanna Malaiyandi:I
Melissa Palmer:Sounds like a Hallmark movie, just saying
W. Curtis Preston:We'll see this.
Prasanna Malaiyandi:Thanks Curtis, and enjoy your vacation, Curtis, and
Prasanna Malaiyandi:thanks Melissa for joining us again.
Melissa Palmer:my pleasure.
W. Curtis Preston:All right, and thanks to our listeners, uh, you know, you're
W. Curtis Preston:the reason we do this, and be sure to subscribe so that you can restore it all.