Cyber Talks - Break Things Safely: A High-Value Cyber Exercise Program with Daniel Hammond
Hey everyone,
I'm Jason Edwards and welcome to another
CyberTalk developed by
baremetalcyber.com.
Today we're joined by Daniel Hammond,
a respected voice in the field of
cybersecurity and resilience planning.
Daniel brings a wealth of experience
helping organizations prepare for the
unexpected through realistic and impactful
cyber exercises.
His presentation,
Cyber Exercises Beyond the Basics,
challenges the notion that exercises are
just check the box drills.
Instead,
he's going to show us how they can
become strategic tools to strengthen
coordination, reveal blind spots,
and build confidence across teams.
Daniel's work focuses on taking these
simulations far beyond the let's practice
this thing and transforming them into a
core part of an organization's learning
culture.
He's passionate about tailoring every
engagement to maximize its value for the
audience,
making sure each exercise delivers
insight, not just activity.
We're featuring Daniel as part of our
Cyber Talk series,
where we invite experts and professionals
from across the industry to share insights
that make a difference.
If you'd like to take part or learn
more about upcoming sessions,
visit baremetalcyber.com for details.
And welcome, Daniel.
Hey, Jason.
Thanks for having me.
Let's break some stuff, yeah?
Yeah.
Good to see you this afternoon, too.
Likewise.
So if you like,
go ahead and take it away.
Daniel, tell us about yourself,
what you do,
and what you're going to talk to us
about today.
Yeah, fantastic.
And really appreciate, A,
what you're doing with your CyberTalk
series.
And I always love to learn more about
how I can bring value as a cyber
expert, right?
And so one of the skill sets that
I have, in fact,
let me go back a little bit.
I have a military background,
so I was an Army veteran,
and was in the 82nd Airborne
Division, signals intelligence.
Then I went into the Army Reserves,
switched over to human intelligence,
became an instructor, ended up deploying,
interrogating some of the most wanted in
our theater.
Then I ended up helping design an advanced
interrogation and analysis course.
I used to break people and now I
break computer systems or at least
simulate that.
When everything's running smoothly,
you don't learn much.
I think having something disrupt your BAU,
And it's better to have it come from
an internal request for a disruption
rather than having the bad guys disrupt
you.
And one of the examples I'd like to
use is, you know,
if you're in a skyscraper,
you don't want to figure out what the
fire exit procedures are while the
building's on fire, right?
You want to have practiced that until it
has become second nature.
And I think that's what we do in
the cyber exercise space,
or at least one of the aspects.
And I'd like to go into some other
deeper use cases with you and the viewers
today.
But that's it.
And really, I got in.
I transitioned from HUMINT and SIGINT into
cyber intelligence.
So I started doing cyber threat
intelligence for a major bank.
And I've helped build cyber exercise
programs at three Fortune 500
financial organizations,
including leading the effort to bring it into one.
So that's.
sort of,
and I've done exercises of like all shapes
and sizes.
I'm sure I'll weave some stories in as
we go, or feel free to interrogate me,
my friend.
Well,
and exercising is a really undervalued
thing, right?
You know what I mean?
It's always better to find the flaws in
your plan before you need the plan, right?
We talk about it with incident response,
but there's many, many, you know,
things that you can do out there to
exercise your team and you need to, right?
We're like thoroughbreds.
If you don't race, you know,
if you don't practice for the race,
you don't race, you know,
you're never going to have a good team.
So.
Absolutely.
One hundred percent,
especially if you're in a heavily
regulated industry.
Even if nothing's happened to you,
some of your peers,
things have happened to and the regulators
have seen those things and then they come
in and they ask you about the gaps
that your peer used to have before they
got their problem.
And if you don't have,
if you haven't thought it through at a
deep enough level,
you're also not gonna have a plan.
And so, you know,
we should learn from each other.
We should, I mean,
the bad guys are out there evolving every
day.
So even if we were a hundred percent
protected today,
tomorrow's a new day with new
capabilities, so.
Well,
it's interesting you mentioned regulators
too, right?
They have a very horizontal view of how
the industry works, right?
They go to one organization,
they see how it works.
They go to another organization,
they see how it works.
And it's very,
very easy after a while for them to
see that, hey,
you're not like the others because you're
not doing X, Y, or Z, right?
And that's really what,
that's the little rough spot on your edge,
right?
That they start peeling off and digging
into.
Whereas if you look like everybody else
because you're doing the best practices,
right?
It's why we call them industry best
practices.
then you have a much easier time with
regulators.
You completely agree.
And I definitely see that as like you
grow to the next level of maturity in
size and structure.
You know, the response maturity,
the resiliency things that are done at the
top tier are new to you.
And you got to close that gap as
fast as you can because otherwise all
you're going to be doing is chasing your
tails, you know.
trying to address things that the
regulators have caught, and it's better
to self-identify and solve them before
they get there.
Absolutely. So you brought
some slides today. I'm going to go ahead
and bring them up, and let's see.
OK, I'm ready when you are, Daniel.
Yeah, fantastic.
And just so you guys know,
I have a couple of companies.
One is called Business Interrogation,
which is really all of my consulting work
is about asking questions to help people
improve their resiliency,
to think through market disruptions and
that type of thing.
And really,
cyber exercises are like one of the core
pillars of what I do and how I
serve people.
I think next slide is, yeah,
we can skip that one.
Yeah,
this is just some of the things I've
done.
I guess I've covered probably most of that
stuff.
I did just a couple of other interesting
tidbits.
I've also worked in physical security.
I ran a top tier physical security company
in one of the most violent cities in
the world with over four hundred
employees.
And I helped build a nursing school in
central Honduras.
And I'm a contributing author on seven
books,
including the lead author on customer
driven leadership.
Outstanding, and thank you for your service.
Oh, thank you, man. You too.
Yeah, so let's kind of look at the basics
of cyber exercises. I think one of the
things that I find is the biggest
obvious thing is if I see people doing
exercises and they don't have a goal,
sometimes called a purpose,
then I kind of start to doubt their
maturity because really every exercise
should be trying to accomplish something
for someone.
Typically we call it the sponsor or the
stakeholder.
But if if if you don't know what
the requirements are,
if you're just exercising to exercise,
it would be like going to the gym
and randomly doing three things every day
when you walk in there.
you don't have a plan,
you're not going to get an outcome that
you want.
So really drilling into that goal is the
first thing that really directs what are
we trying to do here?
And a lot of times the sponsor and
the stakeholder are not exercise
professionals and you don't have to be,
right?
If you hire a professional,
They're going to be able to take your
what I really need and turn it into
an exercise goal for you.
And when they express that goal back to
you, it should make sense.
And you're like, yeah,
if you can do that,
that's what I need.
Right.
You know, if you're doing, let's say,
an exercise to satisfy a
regulatory requirement,
and you didn't read the requirement and
know how that box needs to be checked,
you're wasting your time, right?
You're not going to satisfy what the
regulator wants.
And so you really need to, you know,
I've had people come up to me and,
you know,
you want them to hire you to do
an exercise.
But my first question is,
is an exercise really what you need?
Will it check your box?
Otherwise,
maybe we're fishing in the wrong pool.
Typically,
most exercises are scenario driven.
I think there are a few use cases
where I would say it's not always the
case that they would be,
but usually that's the case.
We'll go into some use cases later on
where the scenario might be less
important.
Typically, you have a facilitator.
Sometimes in an operations-based exercise,
where you're actually doing the doing
rather than talking about the doing.
I use the Homeland Security Exercise and
Evaluation Program as the model.
It's not specific to cyber exercising,
but it is the government standard for how
an exercise program should be run.
There's two types of exercise,
discussion-based where we're just talking
about what we would do,
and then there's operations-based, where
at some level
somebody is doing something that they
would actually do in response.
And then you want to make sure you
have the right participants there.
Don't bring people into an exercise that
have nothing to do.
You have no engagement for them.
Don't leave out people.
Sometimes you have people that have to be
there around the table for the exercise to
be successful.
If they can't be there,
you probably need to reschedule it so that
they can be.
Or maybe look for them to send a
delegate from their area of expertise.
Trusted agents are the people that we
use. You know, I'm not an expert
in all things, so I work with,
you know, I talk to an executive and
I'll say, give me the person that knows
how all of this works and should work,
and then I kind of
pinky swear them to secrecy if it's
required to keep the scenario
secret, which again is not always
required. And then they help me
understand how things should flow so that
I can build the scenario and know kind
of which way the dominoes will fall.
And then, of course,
you might have people who are just there
to observe the exercise.
That could be potentially an audit-like
function.
But inviting audit into an exercise
changes the exercise because a lot of
times one of their strongest selling
points is this is a safe environment.
When audit's there,
it's a less safe environment.
And then finally,
you want to generate a report that says
this is what we learned together through
this exercise.
Perfect.
Yeah,
I'll just run through a few of these
and go ahead.
So the purpose of a seminar is sort
of educate participants about a cyber
concept.
And again,
this is in the world of cyber threat
exercises.
So if you want to jump to the
next one.
Yeah.
So let's say there's a new threat out
there and you
you can send out an email saying, hey,
everybody watch out for this new threat.
But if it's serious enough and you need
to orient your people,
especially those that are not very cyber
tech savvy,
a seminar is a good way to kind
of push that information out of this is
the new threat.
Like maybe one of the things is threat
actors are now using AI to craft better
phishing emails, right?
So you want to show them kind of,
what an AI-generated phishing email looks
like versus what the emails looked like
two years ago,
which are going to be very different,
a lot of grammatical errors and things of
that nature that AI is not going to
make.
So it just helps orient the people to,
hey, this is a new threat.
This is something you can do.
A lot of times you can do this
as kind of a lunch and learn and
just educate people while they eat their
lunch.
And kind of the human factor is always
critical when it comes to potential gaps
in cybersecurity.
So the smarter your people are.
And, you know,
whether that's a seminar maybe every two
months and and maybe an exercise,
you know,
a couple of times a year can really
help make your people more aware of how
the bad guys come after them.
Absolutely.
I think executive education is super
important.
Sometimes the technical people within the
company know that we have this big,
horrible gap.
But if nobody else knows that,
then being able to communicate that to
executives is super important.
And and, you know,
there you can talk tech to them all
day long,
but their eyes will glaze over and you
have to communicate what is the real
threat to the organization in the language
of the things I care about.
Right.
So is it going to hurt our reputation
if this happens?
Has it happened to three other people in
our industry and we're not
we're making the same mistakes they did.
You've got to translate it into this is
how many dollars and cents not taking care
of this could cost us.
Let's say you push out a new response
playbook or something like that.
A seminar is a good way to say,
hey,
this is how we used to do it.
This is why we changed it.
This is the new process and procedure.
You just get everybody on the same page
very quickly.
Any thoughts on that, Jason?
I think also a great thing about a
seminar, right,
is that you don't need a lot of
preparation for it.
Right.
It's something that you can execute
immediately.
Like you could do it today.
Right.
People can ask you to do it today.
Yeah.
Yeah.
I mean, really,
what you need to know is you need
to you need to understand the threat and
just take a little bit of time to
think how you can communicate that again
in the language that they need to hear
it in.
And then really it's not very interactive
in a seminar.
It's mostly sort of a presentation, right?
But you can certainly have time for
questions either as you go.
I like to kind of do a block
and ask if there are any questions.
And then for sure, by the
end, say, does anybody have any questions or
comments or things that are relevant to
this topic that could help us, you know,
improve our cybersecurity? And then
you will get some good feedback,
typically.
Absolutely. OK, you can go into
the next one.
Workshops.
I think workshops are the most
underutilized of the kind of cyber
exercise offerings.
The thing about a workshop is, you know,
you're trying to create or work through a
cyber product or concept.
So it's more,
even though it's still discussion based,
you're trying to generate an output.
that moves cybersecurity forward
in the organization. You want to go to
the next one? We'll look at some specific
examples. So let's say all of a
sudden you want to bring AI into
your company, right? Before you just, you
know, load up Copilot and let it run,
which is the strategy...
I don't think it's a strategy.
It's a way to let it loose on your network, right?
You've got to provision it.
You've got to make sure it only has
access to the things it should have access
to.
You need to make sure that, um,
I can't access the AI to get information
that I shouldn't have with my level of
access, right?
There's,
there's a lot of things that you've got
to think through.
Um,
you don't want the AI cross sharing your
information inside and outside of the
network, right?
So you've got to know how are we
going to, what kind of, uh,
walls are we going to build around the
AI and, you know,
how does that restriction benefit or
hinder us?
Right.
So there's a lot to think through in
that.
And so one thing that you can do
is bring all of the key stakeholders
together and go, OK,
who who's got concerns about us bringing
in Copilot?
What what's going to work?
What are you going to be worried about?
And have that discussion around the table
of how is this going to
change how we do our cyber, or
protecting the organization from a cyber
security perspective. I've done some of
those with cloud, you know, an organization
thinking about moving stuff into the cloud
in a new way, and I'm like, we
walk through here are all the tools
that protect our on-premises, you know,
information.
how is this gonna work in the cloud?
And in that particular case,
I brought in the lead Azure architect and
he helped us answer the questions.
So literally we had seven executives
around the table and I facilitated sort of
an interrogation of the Azure architect.
And nobody knew better than he did how
their tools work.
So it quickly closed that knowledge gap of
how do we continue to protect
the organization,
which of our tools are still going to
work?
Which of our tools are we going to
have to rely on this partner for?
And so those are the types of things
you can get out of a good workshop.
Pivoting to new technology is good.
How do we create a new response plan
for X scenario is a great time to
do a workshop.
Orienting people to the new plan before we
tabletop, which is the next exercise type.
How can we go in and do a
workshop and just talk through?
This is how the new plan works, right?
You know, before you used to do this,
now you do this just so that you
set those expectations and prepare for
success at the at the next more,
let's say, advanced level.
And one thread through all this, right,
is that you're validating your risk
assessments.
If your risk assessments are accurate,
then the exercises at the end should be
accurate as well, right?
I mean,
they should at least align to what you
considered the risks were.
If you find new risks, right,
that's a good thing because you can go
back and update the risk assessment
process, right?
It's continuous learning cycle between the
two.
A hundred percent.
And, you know,
I like a workshop to kind of kickstart
a process.
For example,
I was working on an industry level
response.
So we had a bunch of working groups
all trying to solve pieces of this.
It's sort of like building the
International Space Station in the cyber
universe for resiliency for the industry.
And the first exercise, they're like,
let's do a tabletop exercise.
And I'm like,
I don't even know what the other
people are working on,
why don't we do a workshop where everybody
brings in their pieces of the puzzle and
we start to assemble it on the virtual
tabletop in front of us and see,
a lot of times you'll find gaps.
You had like, oh,
I thought you were covering that, Jason.
And you thought I was covering it.
And now we've got this giant hole that
nobody's solved for.
Well,
let's fix that before we do the tabletop
because once we do a tabletop and put
it in front of senior people,
we don't want to trip over our hole
in the system, right?
We want to look like we're polished and
we have a plan that's going to work.
Some inadvertent silos, right?
Correct.
Yeah.
And also a lot of, you know,
you can do this with critical partners.
I think exercising with critical partners
is another great way to kind of build
relationships and better understand how do
you have my back in this space, right?
And how are the actions I'm going to
take be supportive and synergistic with
what you're going to do?
Because if a problem happens between us
and a third party and they run this
direction and we run this direction,
it's going to be bad for both of
us.
It's better to have some sort of cohesive,
let's talk about this so that we can
mitigate how badly this ends up for both
of us.
Absolutely.
Cool.
Go to the next one.
Next one's a tabletop.
Those are a lot of times what people
are familiar with.
And it's sort of this is a highly
scenario driven where you've sort of
predetermined the talking points of what
should happen from the beginning.
of where you kick this off to the
end of the exercise.
And the cool thing about an exercise is
you get to decide where does it start
and where does it end, right?
You can certainly have kind of have it
kick off before anything
you know, crazy is happening,
maybe it starts off with some probing in
the network or something like that, right?
And then it goes all the way.
And I mean,
you can also take it all the way
to through bare metal rebuild, right?
I mean, but typically,
depending on the teams you're exercising,
you're going to exercise the pieces that
are important to the teams and the
participants.
And again,
going back to that goal statement.
And so it's these are the places where
you validate or practice and familiarize
with your cyber response plans.
And again, it's not just limited to cyber.
Again,
you want to it's effectively sort of what
we do again with like, you know,
practicing live shooter events and things
like that.
How do we how do we how do
we react to a bad situation in the
most positive way?
You want to go to the next one?
Yeah.
So validates your cyber response plan
works.
It validates that users understand how to
implement the cyber response plans.
Builds proficiency, right?
Again,
going back to that building on fire,
you don't want to figure out how to
get out of the building when the
building's on fire.
You want to already know the three
contingencies for you to get out of the,
you know,
demonstrating that you're practicing and
improving your cyber response plans,
right?
So one of the things that you can
do is show growth for your executive
leadership, for your auditors,
for your regulatory people.
There's nothing better than having it.
Uh, when they say, oh, hey, have you,
what are you guys doing about X?
And you're like, oh,
we exercised X two months ago.
Here's our lessons learned out of that.
And this is what we're doing to close
those gaps.
I mean, that's, uh,
whereas what's the other thing, you know?
Oh yeah, we have a plan for it.
Does it work?
Have you thought through it?
Have you checked the plan?
Do you know that it works, right?
And you won't have the same answers or
confidence.
And confidence is important when you're
dealing with these regulators, right?
Well,
and it brings me to an experience once,
too.
We had an auditor.
And their comment was, well,
but you didn't cover every case.
You didn't cover every possibility, right?
It wasn't detailed enough.
And I gave them the explanation.
I was like, look,
I've done many military exercises,
like high-end military exercises,
millions and millions of dollars worth of
tanks.
And not a single one of those that
I ever really face, right, in real life.
But it's the fact that I went through
them and I was thinking about it and
that I was reacting and I was learning
through that stress is what made it better
in the end when it did happen or
different things happened, right?
And so even if you can't cover every
single use case in an exercise,
the action of doing the exercise is what
is another huge benefit out of it.
Yes,
and this would be my response to the
auditor who asked me that question or the
regulator.
Okay,
could you just give me the comprehensive
list of every possible way I could be
compromised,
and I'll start working on validating,
right?
And sign it, too,
so that if I'm compromised in a way
not on your list,
you can take the responsibility for that.
Every day is a new day with that.
Right.
Right.
Yeah.
Yeah.
And one hundred percent.
You you can't practice for everything.
Right.
And ultimately,
even the most mature exercise programs
that I know are not exercising.
Ninety five percent of an organization for
ninety five percent of the risks.
under the craziest of circumstances. It's
just not feasible. What you want to do
is you want to try, you want to
practice a little bit of this and a
little bit of this and a little bit
of this, and then what you're doing by
trying something new each time, and then
maybe revisiting when something went
really bad.
Right.
If you had an area that showed a
lot of weakness,
plug that hole and then and then
reexercise it and see how much more
smoothly it goes.
But then also continue to evolve your
program.
Right.
If it you know,
there are some exercises where you need to
be successful.
Right.
The most important thing is we've checked
the box the regulator has given us.
Right.
And you don't want to play around with
that.
You don't want to you don't want to
accidentally do the exercise and forget to
check the box.
Right.
Going back to that goal statement.
But by the same token,
if it's not one of those check the
box exercises, think through.
I'm always trying to think, OK,
I have to do an exercise in this
space.
What could I throw in here that would
be novel, that would be new,
that would help test resiliency in another
aspect or another way that we haven't been
doing, right?
You want to...
And then once you succeed and you've done
all the things at the cyber response
level, start bringing in other teams,
the regulatory response people,
the communications teams.
If they're not already a part of that
core response,
depending on how technical and tactical
you are,
start going to the strategic and the
operational as well.
Absolutely.
Absolutely.
Yeah, I think the next one is drills.
Really,
this gets us into the operational exercise
space.
And if you want to kind of, yeah,
jump over here.
I look at drills as you're actually
practicing some part of the response.
So maybe it's making sure you can get
the right executives on the bridge line
that you need to troubleshoot a,
say, regulatory issue in, you know,
fifteen minutes or whatever your,
you know,
standard response time should be.
That could be a drill, right?
Another drill could be you work with a
red team to compromise something on the
network and see how long does it take
the cyber response people to see it and
respond to it.
Obviously,
you want to be very careful when you
start putting live things on the network,
and there's some creative ways to do that.
I was in charge of evolving a cyber
range at one point in my cyber exercise
program background.
And so you know,
those are ways where you can, you know,
practice those things a little more
freely,
but also a drill could be a no
notice exercise where we're not telling
them they're being exercised.
We're watching how they respond to a
controlled compromise, right?
Like, we're in charge, we're running,
we're running the, the bad guy.
And so
we're not just unleashing malware across
our networks, which would be very bad.
Probably the last thing you do at your
place of employment.
Going back to what you said though,
it's always good to honestly not let the
SOC know that there's an exercise going on
until it's done.
You want them to treat it just like
any other thing.
If you tell them something's going on,
you have two problems with that.
One is that it's not as serious for
them.
There's not as much adrenaline in the room
because they know something.
The other problem is, what if you
do have an attack and they think it's
part of the red team exercise, right? So
it's better not to tell them at all,
in my opinion. Just let it happen, right?
You know what I mean? And then see
what happens at the end. It's not like
there's a payload waiting, you know, from
the red team attack, so, right.
Yeah.
And again,
you're probably going to start small in
this kind of thing.
But what it does is it just lets
them be aware and let them know, hey,
we exercise periodically.
You'll treat every single thing that you
see as if it's real until you're told
otherwise.
Even if you figure out beyond a shadow
of a doubt that it's an exercise,
you're going to do all the things you're
supposed to do as if it were real,
right?
Just set those expectations across the
team.
It, A,
keeps them kind of at a heightened level
of alert without overwhelming them,
hopefully.
It keeps them curious, right?
I see something on the network.
Well, it might be an exercise.
Well, it might not be.
Let me go through and keeping an open
mind for is this a simulation or is
this a real bad guy on our network?
And, you know,
commend people also as well, right?
SOC burnout is a real thing.
I mean, every time, you know,
SOC analysts see something,
it could be the thing that ruins the
company, right?
That's a lot of stress on a person,
you know, working eight, ten hour shifts,
right?
So when they do catch this kind of
stuff, you know,
make a big deal out of it, right?
I mean, that's an amazing thing.
Great.
Look what you did.
This is awesome.
You know, kudos, you know, spot bonus,
something, right?
One hundred percent.
Yeah, I love that.
Love that.
Yeah.
And, you know, again,
it could be practicing a media response,
right?
Having the communications team actually
write your response.
What would you tell the media?
What's your press statement for this?
So actually that's, again,
how you do an operational type exercises.
There's some doing.
Other ways I like to do this,
and if you go ahead to the,
I think next slide is sort of the
other use cases of things that I think
are fairly interesting.
Yeah, so these are some other use cases.
One is, you know,
the functional exercises, again,
are like tabletops,
more like tabletops and drills.
So you're actually practicing a response,
but there's also some doing in it.
And one of the things that I like
to do is you can see the next
thing on the list is a full scale
exercise, right?
That's like,
let's pretend across the entire
organization this bad thing is happening.
right, let's bring in all the leaders,
bring in everybody.
Well, before you're ready for that,
you need to carve that into pieces and
practice it in pieces to make sure that
you understand how everything is supposed
to fit together.
Because if you don't do that first,
you're going to miss something and your
full scale exercise is going, it's,
you know,
it's like designing that ten thousand
domino thing where you've got everything.
And then all of a sudden you hit
and like right in the middle,
the domino misses.
And then what are you going to do?
Half of it's fallen over.
You can't get to the middle to knock
over the next domino.
Yeah.
It's a big mess. So really, you kind
of, that stair step of increasing maturity
and complexity is really key to doing that.
Capture the flag exercises are good. These
are those cyber range exercises where you
actually practice defending a virtual
network against bad guys that could be
maybe peers in your industry, if you wanted
to host a capture the flag with some
of your peers in the industry and
kind of have some bragging rights and,
you know,
a ridiculously huge trophy that the CISO
gets to put in their office or,
you know, whatever it is, right?
They like this.
They have an extra flag.
Yeah, right.
And then one of the things that I
really like,
and it's the last thing I really have
on this is purple team exercises.
So if you've got kind of that red
team expertise,
especially internally to your
organization,
And let's say you've got five layers of
defense for a specific type of attack,
and they get through the second,
and they get stopped by the third.
And you're like, oh, we won.
We kept them out.
Our layers of defense worked.
But if you don't test layers four and
five,
Maybe they get through levels four and
five as easily as they got through one
and two, which means you have one defense.
And as soon as they,
you know how threat actors are,
if they have the resources and the will
to keep banging their heads against that
firewall of yours, eventually...
they're likely to find something.
Again,
that's why you don't want to be the
low hanging fruit in the industry.
But again,
you also want to make sure that if
you think you have five layers of defense,
you're not actually just relying on a
single layer.
What we can do in that case within
a purple team exercises,
the red team compromises something on the
network,
the blue team looks for it until they
find it.
It's like, okay, I've taken over a system.
The blue team looks. Maybe they get some hints
until they see, oh yeah, okay, I see
what you've done. And then they go, okay,
I moved laterally to another system. Okay,
yep, we see that. Okay, now I'm trying
to get through this cybersecurity defense.
Okay, and let's say once they get stuck
on that layer three, that, oh, we can't
get through this,
let the blue team let them through so
you can test that layer four and layer
five of your defenses, right?
Because if it's just a single layer that's
keeping the bad guys out,
that's probably insufficient.
And you already know two layers got
thwarted.
So maybe you're also looking for,
are there better solutions at layer one
and two that could help thwart more?
Then again,
maybe your hackers are just that good.
And sometimes that's the case, right?
They know your network better than anybody
because they work for you.
Yeah.
And there's a lot of scenarios going back
to like the full scale exercise thing,
right?
Your SOC may be really good,
but the rest of the organization may not
be.
And one of the things you mentioned,
right, was public communications.
How many times have you seen a company
get hacked?
And the only way the customers find out
is when they can't access the company.
Like CNA insurance, right?
Couldn't even get to their website, right?
And some other companies like that.
You know,
is your internal marketing team thinking
about, okay, well,
we'll contact the customers.
How?
If your email is shut down,
how are you going to do it?
Do you have a backup plan?
Do you have the customer list that you
can, you know, that you can use, right?
I mean, and, you know,
I work for a really good insurance
company, USAA, right?
They have a great security department over
there.
And one of the things they had was
they had a lot of the stuff written down.
It was literally in binders, right? You know,
I mean, for that day when, you know,
they expected anything to happen, up
to, well, we can't even access X, Y
and Z, right? And if you look at
SolarWinds, the attack on SolarWinds,
right, where they took out people's Active
Directory, like the whole Active Directory,
you could very well be in a situation
where you're not logging into anything.
You know,
you're not getting into that SharePoint
portal with all of your plans on it,
right?
You need to have a ready to go
solution.
So full scale exercises around the whole
company are a very valuable thing.
Yeah.
What coming out of a major exercise I
did once was like all of the physical
security for the organization was Voice
over Internet Protocol phones.
And so it's like, yeah,
the network's down and they're like,
but that means nobody can call us.
And you know, it's funny,
it's like you and I are both ex-military,
right?
So we always know there's like, you know,
three different fallbacks on
communications, right?
The blow up goes down,
you pick up the radio,
you do this one.
I mean, you know, so for example,
do you have other people's cell phones
numbers with you?
Or is it on that SharePoint portal on
the website, right?
Or is it in a written binder that
you can go access and go,
here's all the actual phone numbers,
right?
One of the basic things for a SOC
team to do, right,
is write down the actual phone numbers,
right?
I completely agree, Jason.
I think, again, you know,
what came out of that exercise was a
year later,
I got to walk through their physical
security response center.
And they're like, oh,
and here's our hardline phone systems.
And I'm like, you're welcome.
Well, and you know,
I will say one thing too, and just,
you know,
as we're looking at this,
it is okay to find things wrong, right?
One of the things you see in the
military when we do exercises,
no thin skins,
everybody's going to make mistakes, right?
Everybody's going to make mistakes.
There'll never be a perfect,
if you have a perfect exercise,
it's like getting a perfect audit.
You worry more about
the perfect audit than you do about the
one with the actual flaws.
If I ever had a perfect exercise,
I would be terrified that that was not
done correctly or that we missed stuff.
I would say leaders out there,
you want to find things wrong.
You want to be able to take that
and push it back into the process like,
hey, we found this, Daniel came in,
we did the exercise, we found this wrong.
We need to look at our risk assessment
process because we didn't ask these
questions during the risk assessment
process.
When we went out and did our annual
review of these controls around the
system,
we didn't ask them about how you're going
to contact the customer if the network is
down.
And so not only are you getting an
exercise out of just the SOC,
there's many,
many other advantages that you get out of
this, many,
many other collateral benefits that you
get because of this.
Yeah, completely agree.
And honestly,
from my perspective is if an exercise goes
perfectly.
And again,
I go back to the goal, right?
If you're checking a box for a regulator,
right,
you know,
take the layup if that's
what you need.
But don't let that be your only exercise.
Right.
Also,
do things that you know will challenge you
every time you do a new response plan
exercise.
I mean, that's just a no brainer.
I mean,
If you've never practiced it,
do you really wanna find the holes in
your plan when you're under the gun,
the bad guys got your network locked down?
That's just not the day to be learning
lessons.
You're gonna have plenty to learn already.
And that's a lesson you need to practice
too.
What happens when you hit the tipping
point and your company can't recover?
Do you actually practice that scenario
with executives, right?
One hundred percent.
I love, you know, again,
one of my favorites is if you go
into a company and they are not really
thinking through
things, you'll find an attitude of, oh,
we'd never pay a ransom.
And I'm like,
if your choice was to pay one dollar
or the organization folds tomorrow and
everybody's out of work and your customers
have no supplier, whatever you do for a living,
you wouldn't pay that dollar.
Yeah.
If you ever had a CISO tell you
they wouldn't pay a ransom ever,
I think it's time to find a new
CISO.
You have to be pragmatic enough to know
that sometimes the best
option is unpalatable, and if that is the
option we have to take for the good
of the organization... Again, I think that
leadership team that has that
attitude of we would never pay a ransom
and they go down in flames for that
is going to get sued by their shareholders,
right? I mean, they didn't do the thing
that was right for the organization.
Well, and look at when companies fail.
Look at Enron or something of that nature.
And again,
it's very rare that companies completely
fail because of cyber.
It's not a common thing, right?
They're hurt a lot of times, like really,
really bad.
But not really that many businesses
collapse completely.
There was a university, I think,
in the Midwest that went completely under
because they just couldn't pay the ransom.
They didn't have the insurance, right?
So they were just completely out of
business and they folded.
So if you don't think through that
scenario of what that's going to look
like, you know,
and how you're going to do it,
because there's other things you need to
consider aside from paying the ransom,
right?
You know,
you have double extortion attacks.
You have triple extortion attacks.
Who's going to negotiate on your behalf?
How are you going to contact the cyber
insurance company?
You know,
how are you going to deal with that
claim?
when it's over, right?
Look, Merck had to go to the U.S.
Appeals Court to eventually win their
claim against their cybersecurity
insurance company.
Are you doing all the things that you
said you would do in that insurance
agreement so that when the time comes,
you are covered for these kind of things,
right?
You're not drunk driving,
so your insurance is going to cover it,
right?
Yeah, one hundred percent right.
And I think one of the other things
is, you know, in smaller companies, let's,
you know, I think the bigs, you know,
once,
if you can't rebuild your business from
scratch, you're at a point of, you know,
you gotta be thinking through how do we
prevent failure, right?
You know,
if you could just close up shop and
open a new shop tomorrow and not,
you know,
that may be not the same situation,
but one of the things I find,
let's say you're a more of a mid-sized
company and you've got a,
let's say you hire somebody to do your
response, your cyber response.
Are you exercising with them?
Are you practicing that this, hey,
I've got this situation,
let me practice engaging that team.
And if you're one of those response
companies,
one of the things you should have is
you should be offering exercises for them,
especially if they're not using your
services regularly,
to get that annual practice together and
reinforce the value you're providing that
customer, right?
Because if they don't, I mean,
that's when they stop paying you, right?
When they're like,
why do we keep paying this company year
after year and they don't do anything for
us?
So kind of going back to my book
on customer-driven leadership, right?
Be proactive and say, hey,
we noticed you didn't use any of your
cyber response hours this year.
We're going to do an exercise with you
and let's practice together so that if
something should happen,
you know how to engage us and everything
goes smoothly.
Yeah, and the last thing I'll add, right,
is that every time you do these things,
whether it's a tabletop, a call,
just a call, right,
when you do it on a call,
or even if you go all the way
up and do a full-scale exercise,
the other thing that you get out of
this as a cybersecurity leader is more
interaction with the board and executive
leadership.
Right, and it's good interaction, right? So,
okay, you did a great big exercise. Well,
now it's time to brief the board on
the great big exercise. Not only are you
showing you're adding your value to the
discussion, right, you're also
educating the board and you're educating
other executives who may not... And look,
let's be fair about this, right? Unless your
business is cybersecurity, your executives
don't think about it on a daily basis.
Why? Well, because we want them to think
about scaffolding, right? We want them to
think about trucking. We want them to do
all the things that pay us, and security
to do our thing. We need them to
be better at that than us, right? They need
to be better truck drivers, they need to
be better. So they're not thinking about
cybersecurity. So anytime you can get that
opportunity to interface, right, to,
you know, to discuss cybersecurity with
them, it's a great opportunity and you
should take it, and these are perfect ways
to do it.
And it's reciprocal as well, Jason,
because I think just like you said,
the transportation company isn't thinking
about cybersecurity at the executive
level,
but also the cybersecurity people are
usually very ignorant about what the
business does, how it makes money.
And so it's gotta be both ways.
I have to understand your needs and how
we make money,
so that I can offer the right solutions.
Because again,
there's not unlimited things to spend
money on.
But if you tell a CISO that he
or she has an unlimited
budget, he or she could buy
fifty thousand solutions.
And honestly,
that could lead to a compromise just
because
some of those solutions are going to clash
and create vulnerabilities as well, right?
So, you know, you have to be strategic.
And again,
you have to be able to communicate why
this solution is important, right?
Absolutely.
Yeah.
Awesome.
So, Daniel,
it was awesome having you on today.
I really appreciate it.
I'm going to also in this video in
the description,
we'll have contact information for Daniel
and anything else you'd like to add,
Daniel, before I let you go.
Yeah, just in general,
I don't just break things for a living.
I love to solve impossible
problems.
So that's also what that business
interrogator does is just come in and
challenge the thinking.
You know, being a friendly disruptor,
pre-thinking what could go wrong and where
there might be some hidden opportunities
in your businesses.
Well,
I think if I was going to call
someone for it, I'd call you,
especially the guy who interrogated
Chemical Ali.
So I'll leave that one on there for
everybody to look at.
Yeah, thank you for that.
Yeah, no worries.
All right.
Awesome.
All right.
Well, thanks, Daniel.
You have a great day and I appreciate
it.
You too.
