Cyber Resilience: Tactics for Post-Attack Recovery

Join Christie Terrill and Tom Eston as they share practical advice on the proactive security measures you can take today and provide a space to ask our security experts your most pressing questions.

In an era where cyber threats do not discriminate by industry, understanding and implementing offensive security tactics is paramount for any organization's cyberattack recovery process.

Join industry experts Christie Terrill, CISO at Bishop Fox, and Tom Eston, VP of Consulting & Cosmos at Bishop Fox, as they lead a vital discussion on leveraging offensive security strategies not just to prevent a cyber incident, but critically, in the aftermath if a cyber attack occurs.

The session will cover:

  • Immediate Response Measures: How to utilize offensive security to identify and mitigate vulnerabilities swiftly during an attack.
  • Secure Recovery: Ensuring that the restoration of services and systems is accomplished securely, preventing any residual vulnerabilities from being exploited again.
  • Resilience Building: Strategies to strengthen your defenses post-incident, making your organization less susceptible to future attacks.

Our session will provide actionable insights on proactively safeguarding your organization against the next cyber threat and offer an opportunity to engage with our experts on your specific concerns.


Transcript:

Hello, 

Welcome everyone to our webcast, cyber resilience: offensive security for post attack recovery. 

We're excited to have all of you here today and to have Bishop Fox's CISO, Christie Terrill, and VP of consulting in Cosmos, Tom Eston, join us as we explore how we're gonna leverage offensive security strategies to not only prevent a cyber incident, Before we get started, I do just want to remind you that you can freely comment through the chat module as well as you can ask any questions in the dedicated q and a module. At this time, I'd love for both Christie and Tom to introduce themselves.

Great. I'll go first. Hi, everyone. I'm Christie Terrill. I've been with Bishop Fox for quite a while, about fifteen years.

I'm based here in New York City, and some of the roles that I've had here at Bishop Fox, in addition to CISO, have been overseeing some of our delivery services as well as head of customer success, and being client facing as I am as our CISO as well. So, I have a a lot to share about how I've seen, things evolve over time with what what clients our clients need to do, post attack. Looking forward to sharing it with you.

Alright. And, I am Tom Eston. I'm the VP of consulting in Cosmos at Bishop Fox.

I am not as OG as Christie, but I have been at Bishop Fox for, three and a half years now. And, I have, a background in offensive security, as well as, working for large financial institutions, working for product companies. I've I've got a lot of experience over about eighteen years in the industry, specifically in the offensive security space. So, I'm really excited to talk to you all about, things that I've seen, things that my team has seen in in in working with our clients of how do we help clients get, past a breach, what do we do from a post attack perspective, and really, you know, what things can can you take back to, your organization, after we discuss those things?

Perfect. Thanks, Christy and Tom. And I am Rachel Chisholm. I'm the director of content marketing here and will be your moderator for today's webcast. Before we kick off, I do wanna quickly review through our focus for today, as we specifically go into the role of offensive security during attack, post attack, how to build that customer trust using offensive security.

We also are gonna talk about packing and fixing vulnerabilities as well as continuous testing, and then we'll wrap with a dedicated q and a session. So let's get started. Our first question, that I want to ask you guys, most people think of offensive security as programs and tactics that are planned out in advance in line with, you know, a larger schedule of priority for the organization. But how have you seen offensive security play a role during a live attack?

Yeah. It's a it's a great question.

And I think what comes to mind first is just the, the amount of ransomware attacks that we have seen on organizations, I mean, globally, across the world, but just within our clients as well, is pretty staggering.

I mean, this is backed up by, you know, all the recent, research from the Verizon DBIR that just came out recently and other reports that we we just constantly keep hearing about in the media. And so the way that organizations have had to respond to ransomware, and the other thing I wanna cover too a little bit later is around third party, apps and third party, vendors that might be part of working with your organization, what the risk is there if they get breached and somehow, you know, that becomes your problem as well.

And these are things we are seeing in the news all the time.

But I I look and think about what our clients have been doing, and how we've been helping them, get through an attack or or post breach.

And with ransomware specifically, what's interesting is that we've really had to, work with these organizations, and figure out, you know, where in the attack surface, what did the breach start. And so there's been a lot of work that we have to do with the IR teams, with the IT teams within an organization to kinda understand okay. So, you know, you had a whole department, as an example, compromised through ransomware. What was the attack vector?

And it's really important for the offensive security team within an organization to be assisting, the IR teams, the IT teams of understanding where that attack had started, what was the attack vectors in play, was that a vulnerability from a missing patch, Was it an employee that was social engineered? Was it a third party vendor that, was involved through a connection, perhaps through an API or through other some other connection.

And we have to understand that. And so that's why it's really important for the offensive security team to be part of those conversations and that investigation because, typically, in a good defensive security program, those individuals are gonna have an understanding of the attack surface. They're typically going to be continuously or hopefully continuously testing the attack surface and the environment and understanding where those vulnerabilities are, how those attack vectors if there was a vulnerability that could be leveraged, during an attack, and then providing that information back to those IR teams and the IT teams, to assist in kind of that post remediation. So, I kinda go back to when I'm thinking of, third party breaches. I think of the target breach, many years ago, but still very relevant, right, where, Target had still one of the largest, I think, credit card breaches in US history, and that was all through a third party.

And you think of that from a risk perspective, the the offensive security team needs to understand where those third party applications are, how they are tested.

In fact, hopefully, they're doing some of their own testing with that, and, you know, that can really help a lot from a a post breach perspective.

So thinking about the post to talks then, what's the first thing that you think of in terms of, like, what role often SIP security can play? Right? So we've talked about, like, during the attack itself, but now that the attack has been able to, you know, be calmed down in a way where you can start thinking about post attack and what next steps need to happen for that recovery process, what's that first thing that you think about for office security?

Yeah. Really, the first thing is getting systems back up and running. That is that is usually the priority.

That's something that we have seen and continue to see with large breaches, you know, such as the UnitedHealthcare breach, you know, obviously, of critical importance, right, where pharmacies and all of the associated systems need to come back up in place. You know, criticality of getting systems up is is very important, and that's where offensive security can also help. So in terms of checking to make sure that new systems that are coming online, perhaps those systems were rebuilt, reconfigured, reimaged, or what have you, they need to be tested. They need to be assessed, and they need to make we need to make sure that those systems are secure and free of any malware, free of any other back doors, anything else that might be lingering in those systems. So, there's a large effort with defensive security that kinda help assist both your IR and your IT teams in getting those systems back up and running, making sure they're secure.

Patching is another area, right, where if a, exploit or an attack happens through a a patch, that didn't get out there quite in time or just from a vulnerable system, ensuring that, you know, the entire attack surface is looked at to ensure that the systems are patched, that they are secure, and that it's, okay to start doing business again.

Yeah. I'd really like to, that's great, Tom. I'd like to add to that, just my perspective. So in my role as CSO as Bishop Fox, also having been interim CSO for other organizations and also here being have customer trust, or actually sorry. Customer success in the past, I think of customer trust. And, you know, for us at Bishop Fox, it's you know, we're business to business, but there is the aspect of business to business or business to consumer.

And so, you know, even when it's not just a full on breach, if there's a mistake that's been made, you know, how are we as the company, you know, involved? How are we gonna get ahead of that and be sensitive to our customers' concerns and their interpretation of the events that led to that incident. So there are a lot of ways to restore customer trust, but a few of them that come to mind that, you know, relate to offensive security is, first of all, transparency.

Owning the mistake, sharing the plans to resolve it, and letting them know what we're gonna do to prevent this from happening again.

That is just, I think, in any kind of no matter whose fault it was, third party, your own development team, doesn't matter, really owning that.

Then external validation. And so, you know, if a customer has reason to believe that you weren't on top of your game for some reason, then it's kind of fair for them to question your ability to self correct. And that's where third party services and third party offensive security services can really play a key role. Because past the initial triage and incident response efforts, there's still a lot to do for any organization to self check, you know, make sure that we believe as an organization, we have things, whether it's back online or patched or secure.

But having that third party check your defensive defenses and the controls you have in your environment, I think, is really important. And customers may want, you know, reasonably so, much more recent assessment results from your pen testing, from your monitoring than you have at hand. You might say, oh, we do annual testing, but that was eleven months ago. If you've had an event, a breach, an incident, whatever it's qualified as, your customers are gonna want much more real, kind of attestation that you are in a secure state, and they're often not gonna take your own word for it.

And that's why bringing in a third party to help with that can be really important, and that's where offensive security services that people don't often think of as part of a post breach kind of immediate need can really, play a role. And there's also one more thing to add. You know, you may need to provide some, letters of assessment or reports to your clients based on each environment or service or app that's tested.

And this is also an opportunity to introduce more iterative or real time type testing activities because you even we can say this as someone who does point in time pen tests, they can be out of date if there's any further changes to your environment. So when you talk about getting ahead of how you're gonna prevent this from happening again, you need to take a closer look at what type of more real time, and iterative testing that you can introduce now to give that assurance that moving forward, you would catch something like this or prevent something like this in the future.

Yeah. Exactly. I we've got a question that came in, and it kinda circled back a little bit, Tom, to what you were saying.

And that is from Peter. And he said, once symptoms start to show up, what are the first things to do then? Right? So I think that actually kind of goes back more to even a live attack when those first symptoms come up. You know, he's asking unplug, reboot, What what should you be doing? So I love, Tom, and to see any insights from you guys. You know, what once the radars go off, what what is that first thing that you would recommend?

Yeah. Well, the first thing I recommend is, you know, having your IR team or an IR professional, be engaged immediately, that's the first step. Right?

I would not be going to my pen test or offensive security team to find out what to do.

Hopefully, an organization has a detailed incident response plan of steps to take, first, who should be contacted, what that call tree is, and start triaging the incidents.

It you know, I would not recommend first thing you should do is a pen test. Right? That is probably way further further down the list than, engaging your IR teams who will know what to do. Right? Whether that is, you know, holding systems in place. You know you know, it can vary, right, depending on the type of attack.

But, yeah, start with your IRR teams first and then work with your offensive security teams after.

Perfect. And, Christy, you mentioned in your answer a lot of customer trust. Right? And I know if from the research reports that, Tom, that you had mentioned, Verizon d b r DBIR versus, like, Ponemon's state of security, all of those reports that customer trust and reputation is one of the biggest concerns for people when, you know, when it comes to cybersecurity, especially post attack. Christie, I'd love for you to go more into that customer trust. And, you know, are there specific stakeholders that you need to be rebuilding that trust with, and where does offensive security help in that process?

Sure. Well, you know, one interesting angle to this is there's actually internal stakeholders that may need this assurance, as well. So, whether you're a big or small company, you know, you have teams like your sales team, your risk management or internal audit team, your broader executive team who have varying levels of technical awareness and understanding of nuance and how this could come to be. And so there's actually some, you know, internal management to be done on giving them assurance of those same elements I said around the kind of transparency of, like, what's happened and how we're gonna prevent this.

Now depending on the root cause of the incident, so, like, is it the internally developed application or is it a third party service, that influences which processes need a closer look. Right? Because was it, you know, a third party supply chain type of risk that we, you know, maybe didn't, appropriately, mitigate that we accepted, or is it something that we actually introduced directly by our own development team? So, you know, then you can not it's not about laying blame.

I mean, I'm very in all the work that I've done in this industry, I mean, I'm very objective. It's all about finding out, like, what happens so that we can fix it. It's not blaming a person or a team. You know, root cause analysis is really just what can we change about that so it doesn't happen again.

But, you know, giving that assurance to those other internal teams as well as your customers, again, whether it be other businesses or consumers as well.

It's just so important because many of us, Bishop Fox included, you know, our reputation is essentially our business. And if you are providing direct services to consumers or you're providing financial management services, like, any of those things are near and dear to people's, you know, hearts, wallets, minds, health, health care services, etcetera.

So what I would love for you to elaborate even more on, like, those critical next steps. Yeah. Would you yeah. Would you mind going into that a little further for us?

Sure.

Well, I can I think I can distill it down just into a couple of key steps just to recap what I've been, elaborating on?

So, first of all, I'm not gonna get into specifics of, like, SEC or other required disclosures as that is very much case by case on your industry and the type of events, the type of company. You know, there are there are rules and matrices to tell you what you have to do for that. So, you know, kind of box that to the side, but it's communication with the impact of customers. Again, it could be clients and other businesses or it could be consumers.

So think about that communication.

There is such a thing as doing it too soon. I mean, you always have to get a handle on what's going on, but you also don't want to be in the news before you've had a chance to, you know, understand yourself. What are we you know, what can we say about this? What can we say that we understand about this event? So, you know, communication with the impacted customers is really, number one, most important.

And then two, providing that third party validation of your remediation efforts. So that is it's not quite incident response.

It's the what have you done to near term fix that from not happening again? And then it begs the question on what are you going to be doing in the future to prevent this from popping up somewhere else so you're not playing whack a mole and saying, yep. We fixed that app. We're good.

And then it begs the question of what about all the other apps you have? Right? And so being very clear about what proactive monitoring or services have you now introduced to prevent this from happening again in the future. And you don't even have to get so specific as to, you know, certain technologies or products.

It's just really about, giving confidence in your programmatic efforts to catch things before they become wider problems. I mean, companies all the time are catching security alerts or security incidents that don't become breaches. Right? So that's really important.

I think we all can recognize that. Those especially people who are, you know, blue team in defense.

You know, it's kind of these get into the news when they become true, you know, reportable incidents and breaches, but there are things that happen all the time where you may still have to go through these steps of communication, third party validation, and, you know, some extra proactive efforts even if it's not some kind of category of a public security breach.

Perfect. So I think kind of going back, Tom, you know, beyond customer trust, Tom, you specifically mentioned packing and fixing vulnerabilities. Could you give us some examples of of how Bishop Fox or you and your experience have helped clients do that in that post incident?

Yeah.

It's, you know, the the two big ones that come to mind are MoveIt and the Palo Alto network, you know, OS vulnerabilities that we see pretty much once a month at this point.

But we have many clients that have been affected by both of those, major vulnerabilities or series of vulnerabilities. And one of the great things of, you know, of Bishop Fox and and our Cosmos, product is our ability to quickly, identify and find those assets that have those associated vulnerabilities.

And that's something that I think all organizations need to strive for is part of that continuous testing and monitoring piece because it is so difficult to just immediately respond on your own as an organization to whatever the latest, you know, major vulnerability is such as, like, MoveIt, which is a great example, which just took organizations by surprise that a lot of organizations didn't even know that they had this file transfer ability, right, you know, on on their network. And, one thing that, like, Cosmos does, and I'm sure there's other services too, is identifying, what those assets are that have those vulnerabilities and then quickly being able to respond and remediate.

So a good provider like Bishop Fox should be able to tell you where those vulnerabilities are, how to remediate them, and then assist you through that process. And all of that should be in real time. So there shouldn't be any type of, I'm waiting for a report, and it's gonna take two days to get this report so I can take action on that. These things should all be in real time, and they should be immediate because this is the nature of the the world that we live in these days.

Vulnerabilities and exploits happen within minutes, and, the threat landscape, depending on your industry and depending on your organization, can change very frequently, and you have to stay up to date on that. And that is why there has to be some type of continual monitoring.

I know there are some organizations that have large capabilities and probably large pocketbooks that can do this on their own, but that's really where you need a third party to come in and really assist you getting that continuous monitoring in place.

So with that continuous testing just being so crucial and the post breach, can you explain more about, like, what that is and why why that's important, that continuous always on testing versus maybe some point in time testing that a lot of pin test pin testers do?

Yeah. It it's a great question. You know, over the years, we have seen the shift in, penetration testing and and now what we call offensive security really moving from that point in time assessment to something more continuous. And, again, that is driven by the change in the threat landscape and the speed at which attackers are moving in this kind of modern world that we live in.

Right? We have everything kinda going against organizations. We have AI now. We have, you know, nation state attackers that have unlimited funds, unlimited money, as well as organized crime that is using things like ransomware that you hear about the news every day.

But that has really driven the shift from this point in time. As Christy has mentioned, you know, you get a report, that report is out of date usually within minutes. It is only a snapshot of an organization's security or a subsection of that organization security.

So we have to evolve offensive security into this continuous mindset to address today's real threats.

And, a lot of that these days requires more advanced testing. It requires more technology and requires expertise from a team that leverages technology and automation to make those efficiencies and to create that efficiencies and to create that real time and continuous aspect of testing. So one of the things that we do at Bishop Fox is with our Cosmos, attack surface management offering, it is a continuous look at your attack surface. It's continuously looking for new vulnerabilities, emerging threats that are coming out, and taking action immediately to work with your teams to address those vulnerabilities.

So think of it as more of like a continuous pen test in a lot of ways. And then, of course, you can dive deeper into applications.

Like, we offer a continuous application penetration test as well, which is doing, you know, an an initial assessment and then doing testing after that for changes and and and things within the application. But this is really the evolution of things, and organizations need to start doing this because just that one time or that one compliance test that you do every year for PCI or whatever regulatory requirements you have, it just isn't enough.

And actually can I piggyback on that real quick?

Yes. Please do.

So, you know, I'm actually in a unique position here because while I understand what kind of services we offer our customers, I also am a consumer of those same services. So one of the things I'd like to just share kind of as a anecdote, as a case study, if you will, is the ability to be told from a provider that you have an emerging like, they are aware of an emerging threat that may impact your environment. You go, oh, okay. Let's say it was move it or the Palo Alto OS example.

You know, you're already hearing about it amongst your peers. You're already hearing about it in the technical news, you know, you follow. And then your provider tells you, we we're aware of this. We're checking for it.

You know, we'll be in touch soon. And then with single digit hours, you then get an answer back.

Your environment is not susceptible susceptible to this, or you are and it's in these three places. This is what you have to remediate, and here's how to do it. Just that level of assurance and confidence that, you know, you don't have to scramble and do all that work yourself and maybe not have a handle on your attack surface or maybe have the technical resources in house to do that level of analysis, is fantastic.

There's been I think that's really, really great, and it just reminds me of how many cyber incidences and breaches we see in the news. I think I open up the news, and there's a new one every single day. Right? Some more extensive than others.

Some have been highly, highly targeted in the health care area. And, you know, I think what I would love to know and maybe in our audience too is, like, how do we learn from some some of those happenings? Right? How do we make sure that that doesn't become us?

And I'd love to get kind of y'all's insight, you know, from from what y'all seen and what y'all know in certain situations or in certain breaches as to, you know, how how can we prevent or if we end up in that same situation, how can we make sure we get out of it in a with a more positive outcome.

Yeah. I guess I'll I'll add to kind of what's already been said.

I think, you know, it's tough.

You're trying to stay ahead of everything that we continuously see in the news, but I kinda look at it as, you know, who are your partners, through all this? And, you know, Christy had mentioned kind of your internal partners and your external partners, and I think that's so important. So when I when I talk to organizations, you know, we first ask, you know, who who is gonna help you through a a breach if if it was gonna happen? And we all know that it's usually a matter of time. You know, everybody or every org is gonna get hacked in some way, shape, or form.

So who are your partners? And I know for some organizations like a financial institution as an example, you're probably gonna leverage, you know, your people like your risk department, your internal and then who are your external partners? Right? A breach.

And then who are your external partners? Right? Do you have a third party that you can go to?

You know, someone had mentioned, you know, what if you don't have an IR team in your organization in the chat?

We'll find a partner that does. Right? Find a professional, find an organization that has that capability, and then you can leverage that if the time comes. So I think it's this holistic good looking at who are your partners, who's going to help you, and then, you know, thinking about making sure you have the right processes within, to address any breach situation that might come up.

Yeah. And I'll I'll piggyback on that too just to answer the gentleman's question about IR, and maybe not having a team or a plan.

You know, we see very small companies who are are releasing one app and maybe don't have that kind of technical team on-site as you're as you're saying, and we also work with Fortune, you know, ten, twenty, fifty, one hundred companies who clearly do have their own team. To what Tom just said, you don't even have to you don't even have to pay an upfront retainer. You just have to identify now who will you call, how much will it cost when you call them. Just get that pricing upfront. Get a quote that's good for a year or two years or something like that. Just have some of those relationships built. It does not mean you have to have an entire in house team.

There should be some type of plan to at least just be, you know, who's on first, who's on second from an incident management standpoint internally.

That can go a long way just so there's not chaos. Just so there's if one person's out, one person's not available, there's maybe a one, two, three, four, five type of person even up to your executive level of, like, who's going to be the point person to try to think through this if it happens.

Perfect. And we've got a few more questions that have come in as well. So I'd love to address those.

We have one that says, how do you prioritize which systems or vulnerabilities to address first during an active attack, and what criteria guide, which criteria guides these decisions?

Yeah. I'll take I'll take part of that question.

So I think it's understanding your, your assets, where your assets are in the organization, and then the attack surface ultimately. Right? And and this is a hard problem. Right?

Asset management is just a major, issue for most organizations these days. And, of course, there's a lot of tools and a lot of solutions and vendors out there that can help you with asset management, but that really is the the initial piece of it. Right? You have to understand where your assets are, and then you have to understand the risk of those assets.

So there has to be a discussion of what are your most critical assets, whether those are applications, those are systems, you know, kinda getting back to the the old mantra of what what are your crown jewels of the organization, and then how are those jewels protected.

But it can be difficult. Right? If you're a major, you know, institution that has, you know, thirty, forty thousand employees, I mean, that attack surface can be massive. But that's where a third party can assist, like Bishop Fox, understanding your attack surface, prioritizing, and then assigning, you know, a risk type of assessment or doing a risk assessment on those, on those assets is really important because we know we can't cover everything.

But we as an organization, I think, can do a good job of at least understanding where those assets are with the right tools, with the rights, you know, procedures in place, then kinda going from there. But, yeah, it kind of all starts with understanding your assets.

I have a slightly different angle on that on that question. Just with my experience building out programs for organizations that often last twelve months or two years or or longer, and it could be for a right variety of reasons. Sometimes it is post breach. Sometimes it's just strategic, and we want to improve.

I see it as if if it truly is post live and post incident. Maybe the question is, you know, during incident, how you prioritize your efforts. It's identifying what is the incident and vulnerabilities at hand, and it's remediating that that you know about. Then it's looking kind of like a broader concentric circles.

Then do we have any other assets that have that same risk of vulnerability?

Do we have any other environments that have that same risk of vulnerability? And then you kinda keep doing that until you get to the level of processes and policies, like, kinda like how did we get here? How did we not catch this in the first place? What do we have to change, you know, much more programmatically, whether it's development life cycle steps, whether it's that third party vendor assessment steps.

Like, what was it that led us to not realize that this would be an issue? Because that's not what you're gonna do first thing. First thing, you're gonna remediate the one issue at hand and then kind of look for any related tangential issues. Another thing come companies worry about, I think rightfully so, whether you are getting the news like the Wall Street Journal or even kind of in the technical news websites about an issue is that that can make you right for other attacks.

Right? Other hackers can be like, oh, they just got popped.

They're, you know, cluster right now. Like, let me see what else I can find. So, like, you are put in a vulnerable position when it's made public that you've had an issue.

So that is kind of again, I think it has kinda concentric circles wider and wider of looking at and triaging what issues you may have until you get to kind of that at a true programmatic level, what do we have to change in our policies, people, process, staffing, everything, you know, to not have this happen again.

The next question actually goes hand in hand with, the IR question, not, you know, business some businesses don't have those in place, and I think that's probably the case for a lot of small to medium sized businesses. And this question really goes into how can an SMB, you know, rebuild that trust with their customers, as well as internal stakeholders when they don't necessarily have these extensive resources?

Well okay. So I'm gonna give one answer. I mean, I'm probably not gonna like it.

It's gonna cost you a lot of money because you are going to have to overcycle on providing assurance.

And especially if you're small already and, you know, you don't have that in house talent, you're gonna have to hire it from the outside. It's not even all things Bishop Fox can do. I'm not touting Bishop Fox here. I'm just saying you're gonna have to bring in a lot of help to, you know, do all these activities to provide assurance that this won't happen again.

It doesn't mean, though, the kind of the death of your your reputation or the death of your business is just I've never seen it be successful without without organizations being able to kind of release their pocketbooks pocketbooks to just bring in experts.

There there's really no way around it. You're not gonna be able to kind of if you already are a small or medium sized business, you're probably not gonna be able to handle this type of response and ongoing efforts yourself.

Yeah. I mean, I'd say unless you have some very talented people on your teams that can do all this by themselves, but, I mean, that is very difficult, you know, based on my experience too. You know, because a lot of it will have to do with your industry.

You know, Christy touched upon, you know, regulations depending on your industry that you have to abide by. Some are way more strict than others and may mandate certain rules or mandate certain, you know, types of programs that you have to implement or based on certain frameworks. So, it can be comp get complicated and very expensive very quickly.

But is there something else I'd like to add? As I thought about this as I started working with startups, you know, even fifteen, ten years ago, who would have these concerns, you know, startups who are high-tech startups providing a service and application to much larger organizations, and they're feeling like, how could I possibly meet these expectations of these large companies?

And, yes, well, that is a challenge.

You know, some of the breaches Tom mentioned, you know, Target, we didn't mention the obvious, you know, Equifax, some of those.

These companies are still around. So while breaches occur and they can be very expensive to remediate and appropriately triage, it does not mean the kind of the death of your business.

So I, you know, I just wanna say that because I was kind of saying, yeah, open your pocketbooks. I'm not not, like, making it look like a cash grab. I'm just saying, like, you will have to bring in the experts, but it does not mean the death of your business. I I I have not personally worked with organizations that actually had to shut their doors because of the ramifications or cost of a security, incident or breach.

Yeah. That's a great point.

You know, you see, the other thing I wanna mention real quick, and and we had touched upon communication.

One piece of advice is definitely don't recommend in communications, that you blame your users for the breach.

And I think there were a few recent examples over the last couple months of organizations that for whatever reason, I think these were, like, related to password.

You know, the reason the breach happened was because the our users were using easily guessable passwords or reusable passwords, and the attacker basically sprayed the passwords across and were able to break in that way. And users should change their passwords and be more secure. Right? That's not the best way to handle the situation.

Right? Ultimately, that is the organization's responsibility of how users choose passwords. Right? But, in those communications, you know, never come across as, like, blaming someone else other than, hey.

We're taking responsibility, and we're gonna do better next time is a much better approach.

Well, perfect. That was actually our last question.

So as we wrap up today, we would love to leave with you guys with a few helpful resources. So be sure to check out. We've got a report, that Bishop Fox did with this with Dance Institute, on the mind and method of modern adversaries.

We also have a blog, I actually dropped in the chat, but we also have a blog on validating incident response plans with red team tabletop exercises. And then we have a video from our capabilities development team director on how zero day disclosures alter attacker strategies. So we definitely recommend you guys check that out post webcast. And thank you guys again for joining our conversation today. We invite y'all to check out our penetration testing services as well as our cosmos platform and how Bishop Fox can help you prepare before and post cyber attacks on bishop fox dot com. So thanks again, and have a great rest of your day.


Christie Terrill

About the speaker, Christie Terrill

Chief Information Security Officer

Christie Terrill is the Chief Information Security Officer (CISO) of Bishop Fox, with more than 20 years of experience in security and technology services. She oversees the company’s security strategy and program, and has played an integral part in developing the company’s operational strategy while simultaneously ensuring the greatest value for clients. A 15-year Bishop Fox veteran, Christie most recently drove the rigorous, multi-year process of completing certifications for Bishop Fox’s ISO/IEC 27001 Type 2 and SOC 2 Type 2 Security Trust Services Criteria. Having joined Bishop Fox as a consultant, she quickly ascended to partner and established the company's enterprise security consulting practice, as well as serving in the sales organization.

More by Christie

Tom Eston

About the speaker, Tom Eston

VP of Consulting and Cosmos at Bishop Fox

Tom Eston is the VP of Consulting and Cosmos at Bishop Fox. Tom's work over his 15 years in cybersecurity has focused on application, network, and red team penetration testing as well as security and privacy advocacy. He has led multiple projects in the cybersecurity community, improved industry standard testing methodologies and is an experienced manager and leader. He is also the founder and co-host of the podcast The Shared Security Show; and a frequent speaker at user groups and international cybersecurity conferences including Black Hat, DEF CON, DerbyCon, SANS, InfoSec World, OWASP AppSec, and ShmooCon.
More by Tom

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.