Think haunted houses are scary? Try stepping into a breach in progress. In this spine-chilling episode, we sit down with Shelley Ma, Incident Response Lead at Coalition, to guide us through the real-world horrors of cybersecurity. Shelley doesn’t just face the darkness for a living — she negotiates with it. Confronting cybercriminals head-on, keeping her cool when it counts, beating burnout and more, Shelley explores what it’s really like being on the front lines when the alarms start screaming.
IT Horror Stories
The scariest stories in IT.
About This Episode
Host
Jonathan Crowe
Director of Community, NinjaOne
Guest
Shelley Ma
Incident Response Lead at Coalition
About Shelley Ma
Shelley Ma is an incident response lead for Coalition Incident Response, where she assists businesses in managing the response and remediation of cyber breaches. Shelley specializes in ransomware cases and ransomware negotiations, with a high success rate in reducing ransom amounts. As an EnCE-certified examiner, the depth of her experience lies within complex breach investigations, computer forensics, and incident response. Since 2014, Shelley has analyzed, responded to, and investigated thousands of incident cases. She specializes in network intrusion investigations, litigation forensics, intellectual property theft, and related crimes.
Audio Transcript
[00:00:00] Shelley: There was no protocol, no SLA. We didn’t know anything about the attackers behind them. Essentially, we made things up as we went. Also, it was the first time for me to really witness the sheer chaos of a client whose whole livelihood and life’s work and passion was stolen from them. And there wasn’t anything that they could do about it.
Introduction
[00:00:24] Jonathan Crowe: Hello, and welcome. Please come in. Join me. I’m Jonathan Crowe, Director of Community at NinjaOne and this, this is IT Horror Stories. Brought to you by NinjaOne, the leader in automated endpoint management.
[00:00:39] Jonathan: Hello everyone, welcome back to another episode of IT Horror Stories. I’m your host, Jonathan Crowe, director of Community at NinjaOne, and I’m very excited to have a special guest with us today. We have Shelley Ma, Senior Incident Response Lead at Coalition. Shelley, thank you for joining us.
[00:00:55] Shelley: Happy to be here.
[00:00:56] Jonathan: So everyone, we have folks who are brave enough to come on the show and share their horror stories. We have a guest who spends nearly every day in an IT horror story, not of her own making, but coming in and being a hero in that story. Shelley, tell us a little bit about incident response and what your role is at Coalition.
[00:01:21] Shelley: Yeah absolutely. So I’ve been in the industry for 11 years. And as far as my day-to-day goes, I spend my days assisting companies of all sizes and functions who’ve experienced some type of cyber breach or cyber incident or digital compromise. I.e. they’ve been hacked. I had my start as a digital forensic analyst and then slowly made my way towards becoming an incident response lead. And day to day, I guess I work with the claims team at Coalition, responding to policyholders. We see a lot of business email compromises. We see a lot of fraudulent direction of funds, and of course a lot of ransomware, which is where I fortunately or unfortunately cut my teeth.
[00:02:08] Jonathan: Absolutely. And what a unique perspective that you’re bringing. We have those folks who, these incidents, when they happen to them, it’s a singular instance that really stands out. And you are coming from the perspective of, this is your day to day. You’re brought in to essentially be, I think it’s fair to say you’re kind of like the Ghostbusters, right?
[00:02:32] You and the team at Coalition, you’re brought in, but you’re so much more than that. I think we are…
[00:02:36] Shelley: Wow. That’s a much cooler title, Jonathan. I think I’ll adopt that.
[00:02:40] Jonathan: So someone is having a bad time. The horror is happening. You’re brought in to help in that situation. And it’s much more than that. We were talking yesterday. Your colleague kind of was describing your role as also being okay, sure, Ghostbuster slash therapist slash several other things. Because you’re really coming into working with people in a scenario where there’s high tension, there’s high emotions. Talk a little bit about that.
Busting ghosts
[00:03:07] Shelley: Absolutely. So I would say that folks who work in incident response are prone to burnout. We’re operating on the times and cadences of our clients, and we’re also operating at the time zones of our threat actors. It can be really high stress, it can be really emotional, and it does involve a lot of difficult conversations. But I would say a common theme of motivation for anybody that works in this industry is the perpetual learning and growth. Of course, also like the innovation and the technology, but primarily what keeps us going is that very rewarding payout of seeing positive outcomes as a direct result of your impact. And that is unmatched. And I’m sure anybody that works in similar industries can relate to that.
[00:03:58] Jonathan: Talk to us a little bit about how you got into this field, because again, I mean, we’re talking about these situations that most companies and most people are trying their hardest to avoid.
[00:04:10] Have you always wanted to kind of seek out ways that you can help, or what are some of the other origins of how you got into this path to begin with?
[00:04:19] Shelley: I would say that quite a lot of folks that are established in this industry, we sort of just fell into it. A lot of us come from different backgrounds, different technical backgrounds, and then somehow just weaved our way into this field. So as for myself, I used to be a science major. That’s what I went to university for. Believe it or not, I wanted to be a doctor. So I was in pre-med in South Africa, which is where I grew up, and went to university. It takes six years to earn a medical degree. I wasn’t patient enough, it was taking too long. So I decided to take a shortcut and go into the field of forensic science, like the traditional kind of forensics. I overcame my fear of dead bodies reasonably quickly. You had to. Also around that time I applied for a scholarship to go to the United States to further my forensic career. I was lucky enough to get that scholarship. Enrolled in George Washington University in DC. So that day, it was the first day of orientation. They had all of these new graduate students packed into a room. The idea was that we were going to be introduced to the various forensic streams and the various faculty members. And I just remember sitting there, I was sitting in the front row. And then you had all of these, you know, these folks go up talking about forensic science, forensic psychology, forensic toxicology, chemistry, etc, etc.
[00:05:44] And, I wasn’t being very motivated. I didn’t feel like it was capturing my attention up until the very last person who went up to speak and she was the head of the program of digital forensics. Now, at that point, I had never heard of digital forensics, but it completely captivated me. I always had an affinity for technology. I’ve always loved tech. At the same time, I was also very interested in science. I was very interested in forensics. And here is this industry, this career that married up all of these different components that I was super interested in. So right after her talk, I went up to her and basically like strongly requested if she could accept me into the program. She did take a chance on me because I didn’t come from any type of technical background, but she did take me on. And that’s essentially how I made my pivot into the industry.
From cadavers to incident response
[00:06:39] Jonathan: That’s amazing. And just the field of forensics obviously, in a lot of ways some very obvious big jumps from that area of forensics into digital forensics. Right. Do you feel like there is kind of a necessary ability for you to be able to step back and see things a little bit more objectively, not to be kind of caught up in that moment?
[00:07:04] Shelley: I would say yes for the most part. And the reason is because it’s very easy to be captured in the weeds of tech. We can get very engrossed in the nuances of the scenario that’s happening in front of us. But I think coming from a science background, what that’s taught me is to always have that curious mindset and to also zoom out and think big picture. Like what is happening, what is a story that can be told here? And at the end of the day, when we’re applying scientific principles, whether that’s dead body forensics or whether that’s digital forensics, the protocol and the workflow have a lot of similarities. There’s always that common denominator of finding out the truth. So yes, I think like having the scientific background and pivoting that into what I do today, it’s definitely had a lot of advantages. And also one of the things that science always teaches you, especially in those professions like medicine or any type of the “ologies,” so microbiology and physiology, is it teaches you to be a critical thinker. And of course that’s a skill set that is very relevant and very important in what I do today as well.
[00:08:21] Jonathan: It strikes me that this is also just one element of your role. That you also have the really messy components of dealing with people. How much of your work is also dealing with clients who are, you know, in addition to… you’re brought on board to see what’s the story here, what exactly happened, piecing together those pieces of the puzzle, following the clues.
[00:08:44] And then in the meantime, you also are working with people who have business disruption, who may be facing a lot of pressures themselves to resolve things quickly. Are you kinda involved a lot with the client facing aspect of things too?
[00:08:58] Shelley: That’s my every day. Yes. I pretty much deal with people in all facets of what I do. Of course there’s the client aspect. We work very closely with lawyers and counsel in general. And then, as far as, even just going back to the clients that I’m dealing with, you’re dealing with personalities of all types across the entire breadth of an organization.
[00:09:19] So that does start with C-Suite and executives, but it goes, it also involves the technical folks, the HR folks, maybe the person that clicked on that initial phishing email that is forced to be on the call, even if they don’t want to. Um, so yeah, so always dealing with people. And then of course there’s the internal team.
[00:09:37] It’s a lot of collaboration, a lot of… we have to work in a team dynamic because there’s so many different components that are happening at the same time simultaneously. We have, you know, the folks that are working on recovery and remediation. The people that are doing the forensics and trying to figure out what’s going on.
[00:09:54] Then you have the people that are actively monitoring the environment to make sure that nothing additional is happening. The threat actor is not coming back in. And then all of that has to be threaded together so it can be relayed to the client and they can see the progress. Oh, and let’s not forget, it’s also the hackers, right?
[00:10:10] They’re also people at the end of that. On the other side of the keyboard is also a person that you’re dealing with. So it’s mostly people and a few garnishes of technology.
[00:10:21] Jonathan: Well, I’m so glad you brought that last part up because that’s absolutely what I wanted to dive into next is: Here you are, you’re in the whodunit, you’re the detective putting things together. But it’s not often, I think that a lot of those forensic experts are then expected to go, maybe not necessarily literally face to face, but engage with the perpetrator of the crime. And that also is a key aspect of what you’re doing, right.
Engaging with the perpetrators of the crime
[00:10:49] Shelley: Absolutely. Yes. A huge part of what I do is engaging with threat actors and trying to negotiate ransoms.
[00:10:58] Jonathan: When we’re talking about IT horror stories, ransomware has come up a few different times as you would expect, right? It’s one of the larger, more certainly prolific and headline grabbing cyber crimes. And when people think of IT disasters, that’s often one of the first things they think about.
[00:11:16] The fear of what the downtime can cause, the pressure that people face in there. There’s also a very different, very kind of real layer to this, where you’re talking with criminals. I know you wanted to talk about kind of one of your first investigations and windows into this world.
[00:11:37] Shelley: Yeah, happy to. So right after I graduated from the digital forensics program, my first job was at a boutique digital forensics and incident response company. It was a relatively small company, probably only 14, 15 people. At that time we saw a lot of remote intrusions. There were a lot of tax fraud matters. I worked on a lot of website compromises, and there were a number of civil matters. But it wasn’t until April of 2016 where the cyber landscape made a huge shift. Because that was the start of the rise of ransomware. I didn’t realize at that time how much that would dictate the direction of my career, like how much it would impact literally everything I do from that point forward. When you’re new in your career, you feel like you have a lot to prove, right? Especially in consulting where, when you’re engaging directly with clients, especially in a niched industry, like incident response, people come to you in moments of crisis and they expect you to be the expert. Like, let’s say you have this weird growth and you wanna go to the doctor, and the doctor says, “Oh, you know this growth. I know exactly what it is, it’s no big deal. I’ve seen it a hundred times, and here’s exactly how you treat it.”
[00:12:56] So that, you know, that feels good vs. Ooh, yeah, I don’t know what that is. Let me, hold on. Let me Google this. Like totally different experience.
[00:13:03] So as a fresh consultant, you are already anxious. You’re fearful. There’s a lot of imposter syndrome going on. Also I didn’t come from that heavy technical background, so suffice to say those early days needed a lot of mental gymnastics on my part. The very first ransomware case came in for me mid-April of 2016. That was also the first one our company’s ever had. Which, if I think about it in retrospect, in comparison to what we see today, it was a relatively low grade attack. But at that time it was new territory and I was completely shook. I was like, what is this? Part of the response involves threat actor reach out, communicating with threat actors. No one told me prior to that, not in school, not in internship, that it would be part of my job to actually speak to cybercriminals in Eastern Europe. So there was like, there was no playbook on how to deal with ransomware.
[00:13:58] There was no protocol, no SLA, we didn’t know anything about the attackers behind them. Essentially, we made things up as we went. Also, it was the first time for me to really witness the sheer chaos of a client whose whole livelihood and life’s work and passion was stolen from them. And there wasn’t anything that they could do about it. The panic and the fear and the uncertainty was really shocking. And that was also one of the first times that I realized the real impact of cyber crime at a fundamental human level. So that first case, as I said, you know, we made things up as we went. Threat actor asked us to reach out to them over email.
[00:14:40] So we set up an anonymous email account. We had a meeting to discuss what our first message to the threat actor should be. And then we decided on “Hello.” After a few rounds of back and forth in very broken English. Remember, this is before the days of ChatGPT and Google Translate was like five out of 10 at best. We eventually agreed on the hefty ransom price of one Bitcoin. Which at that point, Jonathan, it was $300.
[00:15:11] Jonathan: Don’t remind me, Shelley.
[00:15:12] Shelley: I know I did not invest either. It’s a sore spot. We had no idea how to buy Bitcoins. We didn’t know anything about crypto. So we ended up going on this like dodgy exchange site, I would say akin to Craigslist but not Craigslist.
[00:15:27] And then we found a random guy who agreed to meet us on a street corner downtown. And then he asked for the exact amount in cash, and he said that once we paid him, he would transfer the Bitcoins to us. So we did exactly that. We put the bills in a brown paper bag, and then we met up with a guy downtown and he was carrying an iPad. We went into a bank. He laid out the bills, he counted them. The bank security was eyeing us the whole time, like, what are these people doing? He was happy with the payment. He swiped on his iPad and we got our Bitcoins. Eventually, we paid that ransom. We got the decryption tool. Now this decryption tool is, it’s a very janky tool. It’s built in someone’s garage.
[00:16:14] Jonathan: Right.
[00:16:14] Shelley: We’re not talking about like an enterprise grade decryption software. So it was like trying to use PowerPoint in 1998. I dunno if you still remember that, but it was very labor intensive to get the thing to work. At the end, we managed to decrypt the files. We managed to decrypt 70% of the files. It wasn’t perfect, but we still salvaged the vast majority of what the client needed to be back up and operational and start rebuilding some of those permanently broken items. We did give the threat actor that feedback. You know, we let him know that, hey, only 70% of the files decrypted. And they were very generous and they offered us 30% of the payment back. They were like, here’s a 30% discount, refund. However, TLDR we, we ended up getting nothing back because…
[00:17:02] Jonathan: wow.
[00:17:02] Shelley: They eventually said to us that they spent the money on vodka and Tommy Hilfiger. As if it could get more cliche than that.
[00:17:11] Jonathan: So, oh man, what an amazing actual cloak and dagger. The paper, the money in a brown paper bag. Incredible. Going back to the mindset of your, of the client in that case. This is something, as you mentioned, it really kind of hit you, the real world impact, how you saw them reacting.
[00:17:29] You had to be the expert, so you had to kind of play that role, even though this is something that no one has done before. You’re doing it for the first time, you’re kind of feeling it out. There’s also an element where, did you feel like you’re maybe putting yourself at risk? Not necessarily physically, but so much as, digitally, you could now be at a target. You’re interacting with these people who clearly have no hesitation to commit, you know, digital crimes.
[00:17:54] Shelley: We have to be very careful in the way that we engage with threat actors. We make sure that we have all the barriers in place to ensure our safety and our anonymity. When we communicate with threat actors, we do not reveal our identities. We engage with them on behalf of the client. In those days, interesting enough, the ransomware actors often did not know the identity of who they attacked.
[00:18:21] Jonathan: Hmm.
[00:18:21] Shelley: It was very opportunistic, like they only cared about the technology and its exposure. Then they would target them. But there wasn’t the level of reconnaissance that we see today, where it’s super targeted and they know exactly who you are.
[00:18:33] They know about your finances, they know about your employees. We didn’t see that then. So suffice to say like it didn’t feel as personal as it would today.
“It’s a human on the other end.”
[00:18:45] Jonathan: And then at the same time after you’ve had now this back and forth, this interaction, and you realize that you’re dealing with someone who spent their money on vodka and Tommy Hilfiger. Did it kind of take the, I don’t know, the mystique away a little bit?
[00:19:01] The monster and the shadows kind of loses its power ‘cause you get to see a little bit more of it.
[00:19:06] Shelley: A hundred percent. Whenever I am put in a position where I have to communicate with threat actors, I always remind myself that it’s a human on the other end. It’s a person, they think like a human. They are prone to the same psychological impacts as we are. When I used to think about hackers, right, I thought about them, you know, in that very stereotypical hoodie, in the dark basement kind of glaring over the screen… and do you know exactly what I’m talking about that like, um, the screen shining on their face? Yeah, I don’t see that anymore. It’s just a regular person who is trying to make a living. You know, in not a very nice way. But yes, it definitely humanizes them and it removes the mystique. And in many ways that’s very helpful. When we’re thinking of techniques and tactics on how to communicate and negotiate with them. A lot of my clients tend to ask the question of, like, we’re dealing with criminals, we’re dealing with terrorists, we’re dealing with, we’re dealing with perpetrators. How do we know that they will stick to their end of the bargain? And you know, I always have the same answer because it is true and it always tends to surprise people.
[00:20:18] And that’s that threat actors, they operate their businesses like it’s an actual legitimate business. They are very reputationally conscious and they do care about how they show up. So if they start to garner the reputation that, oh, we have somebody that paid us and we didn’t stick to their, our end of the bargain, ultimately that could come back to bite them and they might lose out on future payouts. So yes, it’s a very like human facet to this job.
[00:20:51] Jonathan: I mean, the evolution into “this is run like a business,” I mean, due to that spike, and incidents and attacks and all the funds and everything I mean, these have become major, major operations. And so I know that you’ve seen things from now almost 10 years. How have things changed?
Ransomware: Then vs. now
[00:21:09] Shelley: That’s a great question. I will say that I’m very glad that I was working in the industry when ransomware was still in its infancy, so I was able to observe its evolution and was able to develop my skillset along with it. Like, you didn’t know if you were on the right track because the track didn’t even exist. If I were an incident responder entering this world for the first time today, I imagine I’d have a lot more anxiety. Today’s landscape is so far beyond my wildest imagination from the brown paper bag days. The magnitude of damage that I see today is massive. It’s magnanimous, due to the interdependency and the enmeshment between our real lives and our digital assets.
[00:21:52] I’ve dealt with massive corporations losing millions of dollars on a daily basis due to a full ransomware lockdown. I’ve had clients in healthcare that weren’t able to treat their patients or deploy ambulatory services. The ones that tend to affect me the most are the smaller family owned businesses.
[00:22:11] Jonathan: Hmm.
[00:22:11] Shelley: The mom and pop shops that have had their businesses completely crippled. I’ve seen threat actors actively harass customers, clients. I’ve also seen threat actors threaten the public safety of the family members of my clients. I’ve also had attackers like ask me if they could submit their resume to me for a job. And it just goes on and on and on. Cyber threats, like they really should not be on the back burner, not in present day. I never cease to be surprised every year, every couple of months, by something new that threat actors are doing. Whether that’s tooling sophistication or stealthier intrusion methods, anti-forensics, you know, increased aggression or the integration of new technologies into their own protocols like artificial intelligence.
[00:23:00] So they will keep getting more and more sophisticated as our technology and our dependency on technology becomes more sophisticated. And we will always be playing catch up. We’re always 10 steps behind.
[00:23:12] Jonathan: You’ll see the waves of things whenever there finally is a big crackdown and they’re able to uncover, you know, a big organization or infrastructure and take it down. And then of course the torch gets carried along. Things pop back up a little while later.
[00:23:27] A big noticeable shift is as backup has become more prevalent, as people are able to, as I guess that threat of encryption has been able to be, at least in some cases, be addressed. You know, there’s this shift to exploitation into stealing data, posting it publicly, shaming people. In terms of, you know, the horror stories, I mean, you’re coming in and the main focus is to help the client and it must be so rewarding to be able to come in and help people in dire moments. At the same time, I’m sure there must be some cost to it as well.
The human impact
[00:24:04] Shelley: A lot of us that work in cybersecurity or incident response or any type of like tangential security industry, we become very paranoid individuals in general. There is general consensus that all of our data is already out there anyway. What you were saying, earlier about sort of the sophistication and the evolution in their techniques in response to the wide adoption of backups.
[00:24:30] That’s what I call the irony of better security. So, when something happens, like something in the industry is happening, like attackers keep getting in through this one vulnerability, then we tell everybody, okay, don’t use this tool anymore. Patch this vulnerability. What are threat actors gonna do? Of course they’re not gonna just stop, right?
[00:24:50] Sit back and say, oh, well, too bad. Let’s go and do something else. They’re gonna find another way in, and they’re gonna find another way in. And the next time they come in, it’s going to be more stealthy. It’s gonna be more sophisticated, they’re gonna use better tooling, and we have to then respond with more effort and stronger tools and whatever.
[00:25:09] And that cycle just keeps repeating itself over and over. And that’s why we’re in the loop. That’s why we’re always behind them, and constantly paying catch up.
Don’t just focus on building walls. Fortify your center.
[00:25:20] Jonathan: Security can’t be on the back burner. It needs to be a priority. What about in terms of your work as an incident response provider? When companies do unfortunately, get into situations where now they have to be in incident response mode, what are the things that when you go into a new, situation, a new deployment, that you’re saying, “Okay, I’m so glad this company had X, Y, or Z in place.” Or, and what are the things where you’re like, oh no, this is a bad situation. This could have been so much better.
[00:25:51] Shelley: That’s such a great question. I don’t wanna be a walking cliche, but there is truth in the statement that it’s not a matter of if, but a matter of when something happens. So often, a lot of focus by IT teams is to place a lot of attention on that perimeter, right? How do we prevent threat actors from getting in?
[00:26:12] How do we drill it into employees to never click on phishing emails? Employees will always click on phishing emails, period. That’s always gonna happen. So what I like to encourage is for organizations to think about safety nets that they can put in place to minimize or completely extinguish the threat after that phishing email has been clicked on. After the threat actor bypasses your barrier and your perimeter, then what? Did you ever watch Game of Thrones, Jonathan?
[00:26:39] Jonathan: Of course.
[00:26:40] Shelley: You know how they were, they put all that focus like season after season on that giant wall.
[00:26:45] Jonathan: Yes.
[00:26:46] Shelley: Like, you need to build a wall, let’s protect the wall, build that wall as high as possible, right? The white walkers still managed to like, penetrate that wall. And then the inside was all soft and mushy. So a lot of companies have networks that are exactly like that. They have these great perimeters, but the inside of the network is defenseless. So once something gets in, something like malware or ransomware or an encryption algorithm, it gets to absolutely everything.
[00:27:11] It cripples everything, all departments, all facets of that entire digital network. And then it becomes catastrophic. So, it’s important to think about how you can neutralize the threat. Consider things like endpoint security solutions. You know, there’s a lot of talks about EDR these days. They are basically antiviruses on steroids. They are protective, they are great. Consider them. Segregate the networks. Isolate your critical and sensitive data, so if something like ransomware gets in, you know, they only affect a small portion of your network and not necessarily absolutely everything. Only permit access for people who absolutely need access to certain file shares or certain applications. Not every user needs to be an administrator on their endpoints. Not everyone needs access to absolutely everything. Why that’s important is because when threat actors come in, one of the first things they do is they try and escalate their privileges. How do they do that? Let’s say they come in on a random service account or a printer account, like Canon. Service account. Canon, should not have access to HR folders or anything like that, if it’s configured properly. But let’s say they try and obtain the credentials of the next level up account, and it’s a random employee. But if that employee’s accesses are not are not configured to only allow what’s necessary, and let’s say they have access to a lot of different facets of that network, then the threat actor would also have access to all of those different facets of the network. The one thing that you don’t want is for a threat actor to gain access to the highest privileged accounts, which would be like a domain administrator account. And that’s essentially like having keys to the kingdom. So it’s very important to audit your networks, right? Don’t have like dormant accounts that are domain administrators sitting around and haven’t been used for 20 years.
[00:29:08] Like that’s not necessary. And those are the things that threat actors love to target and love to exploit and love to use to carry out the rest of their attacks. I always encourage people to just clean house, you know, every couple of months. Take a look at your network, what’s old, what can be, gotten rid of, what’s end of life, things that like that. It’s also very important to have an incident response plan. When you’re going through the exercise of creating an incident response plan, it like forces you to think about the components that are absolutely necessary to get your business back up and running in all sorts of different scenarios. And it also highlights what’s missing. Like I heavily encourage fire drills, which are core tabletop exercises, and those are like essentially role play exercises that stress tests your response in a safe and contained manner so that when a real incident happens, you know exactly what to do. The, from a response perspective, those clients that have an incident response plan, that have a robust protocol on exactly what to do when an incident happens, the efficiency in which we can get them back up and running and get business continuity back, it’s night and day in comparison to those that are truly experiencing it for the very first time. Also, the other thing that I always tend to advise is when you get an email request from even a known vendor or a known contact and they ask you to change the payment method, just pick up the phone and call the last known number before you go ahead and do it. Because we see fraud transfer of funds way too often.
[00:30:59] That doesn’t need to happen if you just, like, spoke to the actual person and confirmed with them like, Hey, you know, did you really request this change of funds or did you not? That can save a lot of headaches later on. And, also I like that you touched on the topic of backups, Jonathan, because yes it’s one thing to have backups. Most of my clients these days have backups.
[00:31:22] Jonathan: Right.
[00:31:23] Shelley: But we still run into a lot of issues with them. We don’t make sure that our backups are up to date. Sometimes people don’t know how to restore from backups at all. Like we know they exist, but we don’t know how to restore from them. So you just always know that, always ensure that they’re valid, ensure that your team knows how to get them, get access to them and know how to restore them in a timely manner. And also always make sure that they’re disconnected from your primary network because again, you know, everything is connected. Once something gets in, it’s going to impact everything and that includes the backups.
Closing
[00:31:55] Jonathan: I love that so many of your suggestions there were not just focused on tooling. On software. Of course that plays a critical role in things, but having the people, the processes, the policies in place, and actually reviewing those, actually putting them to use. I’m a huge fan of tabletops.
[00:32:14] I’m glad you brought that up. Being able to actually go through those exercises and then cover, “Oh, we actually have a gap here. We don’t know the answer to this question. What if this person was out? Do we really know how, is are all these things documented?” I think it’s a great use of time and, of course, time is the most valuable commodity we all have.
[00:32:33] And so I think it gets put aside a lot. But, having you folks like yourself really reinforcing that is a great thing for people to hear.
[00:32:40] Shelley: Thank you.
[00:32:43] Jonathan: Shelley, thank you so much for joining us, really talking about your, your role here, which is a very, very interesting and important one. Thank you so much for everything that you do. And thank you for coming on and being a part of IT Horror stories.
[00:32:58] Shelley: Absolutely my pleasure, Jonathan, and thank you very much for the opportunity. It was such, such a pleasure to speak to you.
Introduction
[00:00:24] Jonathan Crowe: Hello, and welcome. Please come in. Join me. I’m Jonathan Crowe, Director of Community at NinjaOne and this, this is IT Horror Stories. Brought to you by NinjaOne, the leader in automated endpoint management.
[00:00:39] Jonathan: Hello everyone, welcome back to another episode of IT Horror Stories. I’m your host, Jonathan Crowe, director of Community at NinjaOne, and I’m very excited to have a special guest with us today. We have Shelley Ma, Senior Incident Response Lead at Coalition. Shelley, thank you for joining us.
[00:00:55] Shelley: Happy to be here.
[00:00:56] Jonathan: So everyone, we have folks who are brave enough to come on the show and share their horror stories. We have a guest who spends nearly every day in an IT horror story, not of her own making, but coming in and being a hero in that story. Shelley, tell us a little bit about incident response and what your role is at Coalition.
[00:01:21] Shelley: Yeah absolutely. So I’ve been in the industry for 11 years. And as far as my day-to-day goes, I spend my days assisting companies of all sizes and functions who’ve experienced some type of cyber breach or cyber incident or digital compromise. I.e. they’ve been hacked. I had my start as a digital forensic analyst and then slowly made my way towards becoming an incident response lead. And day to day, I guess I work with the claims team at Coalition, responding to policyholders. We see a lot of business email compromises. We see a lot of fraudulent direction of funds, and of course a lot of ransomware, which is where I fortunately or unfortunately cut my teeth.
[00:02:08] Jonathan: Absolutely. And what a unique perspective that you’re bringing. We have those folks who, these incidents, when they happen to them, it’s a singular instance that really stands out. And you are coming from the perspective of, this is your day to day. You’re brought in to essentially be, I think it’s fair to say you’re kind of like the Ghostbusters, right?
[00:02:32] You and the team at Coalition, you’re brought in, but you’re so much more than that. I think we are…
[00:02:36] Shelley: Wow. That’s a much cooler title, Jonathan. I think I’ll adopt that.
[00:02:40] Jonathan: So someone is having a bad time. The horror is happening. You’re brought in to help in that situation. And it’s much more than that. We were talking yesterday. Your colleague kind of was describing your role as also being okay, sure, Ghostbuster slash therapist slash several other things. Because you’re really coming into working with people in a scenario where there’s high tension, there’s high emotions. Talk a little bit about that.
Busting ghosts
[00:03:07] Shelley: Absolutely. So I would say that folks who work in incident response are prone to burnout. We’re operating on the times and cadences of our clients, and we’re also operating at the time zones of our threat actors. It can be really high stress, it can be really emotional, and it does involve a lot of difficult conversations. But I would say a common theme of motivation for anybody that works in this industry is the perpetual learning and growth. Of course, also like the innovation and the technology, but primarily what keeps us going is that very rewarding payout of seeing positive outcomes as a direct result of your impact. And that is unmatched. And I’m sure anybody that works in similar industries can relate to that.
[00:03:58] Jonathan: Talk to us a little bit about how you got into this field, because again, I mean, we’re talking about these situations that most companies and most people are trying their hardest to avoid.
[00:04:10] Have you always wanted to kind of seek out ways that you can help, or what are some of the other origins of how you got into this path to begin with?
[00:04:19] Shelley: I would say that quite a lot of folks that are established in this industry, we sort of just fell into it. A lot of us come from different backgrounds, different technical backgrounds, and then somehow just weaved our way into this field. So as for myself, I used to be a science major. That’s what I went to university for. Believe it or not, I wanted to be a doctor. So I was in pre-med in South Africa, which is where I grew up, and went to university. It takes six years to earn a medical degree. I wasn’t patient enough, it was taking too long. So I decided to take a shortcut and go into the field of forensic science, like the traditional kind of forensics. I overcame my fear of dead bodies reasonably quickly. You had to. Also around that time I applied for a scholarship to go to the United States to further my forensic career. I was lucky enough to get that scholarship. Enrolled in George Washington University in DC. So that day, it was the first day of orientation. They had all of these new graduate students packed into a room. The idea was that we were going to be introduced to the various forensic streams and the various faculty members. And I just remember sitting there, I was sitting in the front row. And then you had all of these, you know, these folks go up talking about forensic science, forensic psychology, forensic toxicology, chemistry, etc, etc.
[00:05:44] And, I wasn’t being very motivated. I didn’t feel like it was capturing my attention up until the very last person who went up to speak and she was the head of the program of digital forensics. Now, at that point, I had never heard of digital forensics, but it completely captivated me. I always had an affinity for technology. I’ve always loved tech. At the same time, I was also very interested in science. I was very interested in forensics. And here is this industry, this career that married up all of these different components that I was super interested in. So right after her talk, I went up to her and basically like strongly requested if she could accept me into the program. She did take a chance on me because I didn’t come from any type of technical background, but she did take me on. And that’s essentially how I made my pivot into the industry.
From cadavers to incident response
[00:06:39] Jonathan: That’s amazing. And just the field of forensics obviously, in a lot of ways some very obvious big jumps from that area of forensics into digital forensics. Right. Do you feel like there is kind of a necessary ability for you to be able to step back and see things a little bit more objectively, not to be kind of caught up in that moment?
[00:07:04] Shelley: I would say yes for the most part. And the reason is because it’s very easy to be captured in the weeds of tech. We can get very engrossed in the nuances of the scenario that’s happening in front of us. But I think coming from a science background, what that’s taught me is to always have that curious mindset and to also zoom out and think big picture. Like what is happening, what is a story that can be told here? And at the end of the day, when we’re applying scientific principles, whether that’s dead body forensics or whether that’s digital forensics, the protocol and the workflow have a lot of similarities. There’s always that common denominator of finding out the truth. So yes, I think like having the scientific background and pivoting that into what I do today, it’s definitely had a lot of advantages. And also one of the things that science always teaches you, especially in those professions like medicine or any type of the “ologies,” so microbiology and physiology, is it teaches you to be a critical thinker. And of course that’s a skill set that is very relevant and very important in what I do today as well.
[00:08:21] Jonathan: It strikes me that this is also just one element of your role. That you also have the really messy components of dealing with people. How much of your work is also dealing with clients who are, you know, in addition to… you’re brought on board to see what’s the story here, what exactly happened, piecing together those pieces of the puzzle, following the clues.
[00:08:44] And then in the meantime, you also are working with people who have business disruption, who may be facing a lot of pressures themselves to resolve things quickly. Are you kinda involved a lot with the client facing aspect of things too?
[00:08:58] Shelley: That’s my every day. Yes. I pretty much deal with people in all facets of what I do. Of course there’s the client aspect. We work very closely with lawyers and counsel in general. And then, as far as, even just going back to the clients that I’m dealing with, you’re dealing with personalities of all types across the entire breadth of an organization.
[00:09:19] So that does start with C-Suite and executives, but it goes, it also involves the technical folks, the HR folks, maybe the person that clicked on that initial phishing email that is forced to be on the call, even if they don’t want to. Um, so yeah, so always dealing with people. And then of course there’s the internal team.
[00:09:37] It’s a lot of collaboration, a lot of… we have to work in a team dynamic because there’s so many different components that are happening at the same time simultaneously. We have, you know, the folks that are working on recovery and remediation. The people that are doing the forensics and trying to figure out what’s going on.
[00:09:54] Then you have the people that are actively monitoring the environment to make sure that nothing additional is happening. The threat actor is not coming back in. And then all of that has to be threaded together so it can be relayed to the client and they can see the progress. Oh, and let’s not forget, it’s also the hackers, right?
[00:10:10] They’re also people at the end of that. On the other side of the keyboard is also a person that you’re dealing with. So it’s mostly people and a few garnishes of technology.
[00:10:21] Jonathan: Well, I’m so glad you brought that last part up because that’s absolutely what I wanted to dive into next is: Here you are, you’re in the whodunit, you’re the detective putting things together. But it’s not often, I think that a lot of those forensic experts are then expected to go, maybe not necessarily literally face to face, but engage with the perpetrator of the crime. And that also is a key aspect of what you’re doing, right.
Engaging with the perpetrators of the crime
[00:10:49] Shelley: Absolutely. Yes. A huge part of what I do is engaging with threat actors and trying to negotiate ransoms.
[00:10:58] Jonathan: When we’re talking about IT horror stories, ransomware has come up a few different times as you would expect, right? It’s one of the larger, more certainly prolific and headline grabbing cyber crimes. And when people think of IT disasters, that’s often one of the first things they think about.
[00:11:16] The fear of what the downtime can cause, the pressure that people face in there. There’s also a very different, very kind of real layer to this, where you’re talking with criminals. I know you wanted to talk about kind of one of your first investigations and windows into this world.
[00:11:37] Shelley: Yeah, happy to. So right after I graduated from the digital forensics program, my first job was at a boutique digital forensics and incident response company. It was a relatively small company, probably only 14, 15 people. At that time we saw a lot of remote intrusions. There were a lot of tax fraud matters. I worked on a lot of website compromises, and there were a number of civil matters. But it wasn’t until April of 2016 where the cyber landscape made a huge shift. Because that was the start of the rise of ransomware. I didn’t realize at that time how much that would dictate the direction of my career, like how much it would impact literally everything I do from that point forward. When you’re new in your career, you feel like you have a lot to prove, right? Especially in consulting where, when you’re engaging directly with clients, especially in a niched industry, like incident response, people come to you in moments of crisis and they expect you to be the expert. Like, let’s say you have this weird growth and you wanna go to the doctor, and the doctor says, “Oh, you know this growth. I know exactly what it is, it’s no big deal. I’ve seen it a hundred times, and here’s exactly how you treat it.”
[00:12:56] So that, you know, that feels good vs. Ooh, yeah, I don’t know what that is. Let me, hold on. Let me Google this. Like totally different experience.
[00:13:03] So as a fresh consultant, you are already anxious. You’re fearful. There’s a lot of imposter syndrome going on. Also I didn’t come from that heavy technical background, so suffice to say those early days needed a lot of mental gymnastics on my part. The very first ransomware case came in for me mid-April of 2016. That was also the first one our company’s ever had. Which, if I think about it in retrospect, in comparison to what we see today, it was a relatively low grade attack. But at that time it was new territory and I was completely shook. I was like, what is this? Part of the response involves threat actor reach out, communicating with threat actors. No one told me prior to that, not in school, not in internship, that it would be part of my job to actually speak to cybercriminals in Eastern Europe. So there was like, there was no playbook on how to deal with ransomware.
[00:13:58] There was no protocol, no SLA, we didn’t know anything about the attackers behind them. Essentially, we made things up as we went. Also, it was the first time for me to really witness the sheer chaos of a client whose whole livelihood and life’s work and passion was stolen from them. And there wasn’t anything that they could do about it. The panic and the fear and the uncertainty was really shocking. And that was also one of the first times that I realized the real impact of cyber crime at a fundamental human level. So that first case, as I said, you know, we made things up as we went. Threat actor asked us to reach out to them over email.
[00:14:40] So we set up an anonymous email account. We had a meeting to discuss what our first message to the threat actor should be. And then we decided on “Hello.” After a few rounds of back and forth in very broken English. Remember, this is before the days of ChatGPT and Google Translate was like five out of 10 at best. We eventually agreed on the hefty ransom price of one Bitcoin. Which at that point, Jonathan, it was $300.
[00:15:11] Jonathan: Don’t remind me, Shelley.
[00:15:12] Shelley: I know I did not invest either. It’s a sore spot. We had no idea how to buy Bitcoins. We didn’t know anything about crypto. So we ended up going on this like dodgy exchange site, I would say akin to Craigslist but not Craigslist.
[00:15:27] And then we found a random guy who agreed to meet us on a street corner downtown. And then he asked for the exact amount in cash, and he said that once we paid him, he would transfer the Bitcoins to us. So we did exactly that. We put the bills in a brown paper bag, and then we met up with a guy downtown and he was carrying an iPad. We went into a bank. He laid out the bills, he counted them. The bank security was eyeing us the whole time, like, what are these people doing? He was happy with the payment. He swiped on his iPad and we got our Bitcoins. Eventually, we paid that ransom. We got the decryption tool. Now this decryption tool is, it’s a very janky tool. It’s built in someone’s garage.
[00:16:14] Jonathan: Right.
[00:16:14] Shelley: We’re not talking about like an enterprise grade decryption software. So it was like trying to use PowerPoint in 1998. I dunno if you still remember that, but it was very labor intensive to get the thing to work. At the end, we managed to decrypt the files. We managed to decrypt 70% of the files. It wasn’t perfect, but we still salvaged the vast majority of what the client needed to be back up and operational and start rebuilding some of those permanently broken items. We did give the threat actor that feedback. You know, we let him know that, hey, only 70% of the files decrypted. And they were very generous and they offered us 30% of the payment back. They were like, here’s a 30% discount, refund. However, TLDR we, we ended up getting nothing back because…
[00:17:02] Jonathan: wow.
[00:17:02] Shelley: They eventually said to us that they spent the money on vodka and Tommy Hilfiger. As if it could get more cliche than that.
[00:17:11] Jonathan: So, oh man, what an amazing actual cloak and dagger. The paper, the money in a brown paper bag. Incredible. Going back to the mindset of your, of the client in that case. This is something, as you mentioned, it really kind of hit you, the real world impact, how you saw them reacting.
[00:17:29] You had to be the expert, so you had to kind of play that role, even though this is something that no one has done before. You’re doing it for the first time, you’re kind of feeling it out. There’s also an element where, did you feel like you’re maybe putting yourself at risk? Not necessarily physically, but so much as, digitally, you could now be at a target. You’re interacting with these people who clearly have no hesitation to commit, you know, digital crimes.
[00:17:54] Shelley: We have to be very careful in the way that we engage with threat actors. We make sure that we have all the barriers in place to ensure our safety and our anonymity. When we communicate with threat actors, we do not reveal our identities. We engage with them on behalf of the client. In those days, interesting enough, the ransomware actors often did not know the identity of who they attacked.
[00:18:21] Jonathan: Hmm.
[00:18:21] Shelley: It was very opportunistic, like they only cared about the technology and its exposure. Then they would target them. But there wasn’t the level of reconnaissance that we see today, where it’s super targeted and they know exactly who you are.
[00:18:33] They know about your finances, they know about your employees. We didn’t see that then. So suffice to say like it didn’t feel as personal as it would today.
“It’s a human on the other end.”
[00:18:45] Jonathan: And then at the same time after you’ve had now this back and forth, this interaction, and you realize that you’re dealing with someone who spent their money on vodka and Tommy Hilfiger. Did it kind of take the, I don’t know, the mystique away a little bit?
[00:19:01] The monster and the shadows kind of loses its power ‘cause you get to see a little bit more of it.
[00:19:06] Shelley: A hundred percent. Whenever I am put in a position where I have to communicate with threat actors, I always remind myself that it’s a human on the other end. It’s a person, they think like a human. They are prone to the same psychological impacts as we are. When I used to think about hackers, right, I thought about them, you know, in that very stereotypical hoodie, in the dark basement kind of glaring over the screen… and do you know exactly what I’m talking about that like, um, the screen shining on their face? Yeah, I don’t see that anymore. It’s just a regular person who is trying to make a living. You know, in not a very nice way. But yes, it definitely humanizes them and it removes the mystique. And in many ways that’s very helpful. When we’re thinking of techniques and tactics on how to communicate and negotiate with them. A lot of my clients tend to ask the question of, like, we’re dealing with criminals, we’re dealing with terrorists, we’re dealing with, we’re dealing with perpetrators. How do we know that they will stick to their end of the bargain? And you know, I always have the same answer because it is true and it always tends to surprise people.
[00:20:18] And that’s that threat actors, they operate their businesses like it’s an actual legitimate business. They are very reputationally conscious and they do care about how they show up. So if they start to garner the reputation that, oh, we have somebody that paid us and we didn’t stick to their, our end of the bargain, ultimately that could come back to bite them and they might lose out on future payouts. So yes, it’s a very like human facet to this job.
[00:20:51] Jonathan: I mean, the evolution into “this is run like a business,” I mean, due to that spike, and incidents and attacks and all the funds and everything I mean, these have become major, major operations. And so I know that you’ve seen things from now almost 10 years. How have things changed?
Ransomware: Then vs. now
[00:21:09] Shelley: That’s a great question. I will say that I’m very glad that I was working in the industry when ransomware was still in its infancy, so I was able to observe its evolution and was able to develop my skillset along with it. Like, you didn’t know if you were on the right track because the track didn’t even exist. If I were an incident responder entering this world for the first time today, I imagine I’d have a lot more anxiety. Today’s landscape is so far beyond my wildest imagination from the brown paper bag days. The magnitude of damage that I see today is massive. It’s magnanimous, due to the interdependency and the enmeshment between our real lives and our digital assets.
[00:21:52] I’ve dealt with massive corporations losing millions of dollars on a daily basis due to a full ransomware lockdown. I’ve had clients in healthcare that weren’t able to treat their patients or deploy ambulatory services. The ones that tend to affect me the most are the smaller family owned businesses.
[00:22:11] Jonathan: Hmm.
[00:22:11] Shelley: The mom and pop shops that have had their businesses completely crippled. I’ve seen threat actors actively harass customers, clients. I’ve also seen threat actors threaten the public safety of the family members of my clients. I’ve also had attackers like ask me if they could submit their resume to me for a job. And it just goes on and on and on. Cyber threats, like they really should not be on the back burner, not in present day. I never cease to be surprised every year, every couple of months, by something new that threat actors are doing. Whether that’s tooling sophistication or stealthier intrusion methods, anti-forensics, you know, increased aggression or the integration of new technologies into their own protocols like artificial intelligence.
[00:23:00] So they will keep getting more and more sophisticated as our technology and our dependency on technology becomes more sophisticated. And we will always be playing catch up. We’re always 10 steps behind.
[00:23:12] Jonathan: You’ll see the waves of things whenever there finally is a big crackdown and they’re able to uncover, you know, a big organization or infrastructure and take it down. And then of course the torch gets carried along. Things pop back up a little while later.
[00:23:27] A big noticeable shift is as backup has become more prevalent, as people are able to, as I guess that threat of encryption has been able to be, at least in some cases, be addressed. You know, there’s this shift to exploitation into stealing data, posting it publicly, shaming people. In terms of, you know, the horror stories, I mean, you’re coming in and the main focus is to help the client and it must be so rewarding to be able to come in and help people in dire moments. At the same time, I’m sure there must be some cost to it as well.
The human impact
[00:24:04] Shelley: A lot of us that work in cybersecurity or incident response or any type of like tangential security industry, we become very paranoid individuals in general. There is general consensus that all of our data is already out there anyway. What you were saying, earlier about sort of the sophistication and the evolution in their techniques in response to the wide adoption of backups.
[00:24:30] That’s what I call the irony of better security. So, when something happens, like something in the industry is happening, like attackers keep getting in through this one vulnerability, then we tell everybody, okay, don’t use this tool anymore. Patch this vulnerability. What are threat actors gonna do? Of course they’re not gonna just stop, right?
[00:24:50] Sit back and say, oh, well, too bad. Let’s go and do something else. They’re gonna find another way in, and they’re gonna find another way in. And the next time they come in, it’s going to be more stealthy. It’s gonna be more sophisticated, they’re gonna use better tooling, and we have to then respond with more effort and stronger tools and whatever.
[00:25:09] And that cycle just keeps repeating itself over and over. And that’s why we’re in the loop. That’s why we’re always behind them, and constantly paying catch up.
Don’t just focus on building walls. Fortify your center.
[00:25:20] Jonathan: Security can’t be on the back burner. It needs to be a priority. What about in terms of your work as an incident response provider? When companies do unfortunately, get into situations where now they have to be in incident response mode, what are the things that when you go into a new, situation, a new deployment, that you’re saying, “Okay, I’m so glad this company had X, Y, or Z in place.” Or, and what are the things where you’re like, oh no, this is a bad situation. This could have been so much better.
[00:25:51] Shelley: That’s such a great question. I don’t wanna be a walking cliche, but there is truth in the statement that it’s not a matter of if, but a matter of when something happens. So often, a lot of focus by IT teams is to place a lot of attention on that perimeter, right? How do we prevent threat actors from getting in?
[00:26:12] How do we drill it into employees to never click on phishing emails? Employees will always click on phishing emails, period. That’s always gonna happen. So what I like to encourage is for organizations to think about safety nets that they can put in place to minimize or completely extinguish the threat after that phishing email has been clicked on. After the threat actor bypasses your barrier and your perimeter, then what? Did you ever watch Game of Thrones, Jonathan?
[00:26:39] Jonathan: Of course.
[00:26:40] Shelley: You know how they were, they put all that focus like season after season on that giant wall.
[00:26:45] Jonathan: Yes.
[00:26:46] Shelley: Like, you need to build a wall, let’s protect the wall, build that wall as high as possible, right? The white walkers still managed to like, penetrate that wall. And then the inside was all soft and mushy. So a lot of companies have networks that are exactly like that. They have these great perimeters, but the inside of the network is defenseless. So once something gets in, something like malware or ransomware or an encryption algorithm, it gets to absolutely everything.
[00:27:11] It cripples everything, all departments, all facets of that entire digital network. And then it becomes catastrophic. So, it’s important to think about how you can neutralize the threat. Consider things like endpoint security solutions. You know, there’s a lot of talks about EDR these days. They are basically antiviruses on steroids. They are protective, they are great. Consider them. Segregate the networks. Isolate your critical and sensitive data, so if something like ransomware gets in, you know, they only affect a small portion of your network and not necessarily absolutely everything. Only permit access for people who absolutely need access to certain file shares or certain applications. Not every user needs to be an administrator on their endpoints. Not everyone needs access to absolutely everything. Why that’s important is because when threat actors come in, one of the first things they do is they try and escalate their privileges. How do they do that? Let’s say they come in on a random service account or a printer account, like Canon. Service account. Canon, should not have access to HR folders or anything like that, if it’s configured properly. But let’s say they try and obtain the credentials of the next level up account, and it’s a random employee. But if that employee’s accesses are not are not configured to only allow what’s necessary, and let’s say they have access to a lot of different facets of that network, then the threat actor would also have access to all of those different facets of the network. The one thing that you don’t want is for a threat actor to gain access to the highest privileged accounts, which would be like a domain administrator account. And that’s essentially like having keys to the kingdom. So it’s very important to audit your networks, right? Don’t have like dormant accounts that are domain administrators sitting around and haven’t been used for 20 years.
[00:29:08] Like that’s not necessary. And those are the things that threat actors love to target and love to exploit and love to use to carry out the rest of their attacks. I always encourage people to just clean house, you know, every couple of months. Take a look at your network, what’s old, what can be, gotten rid of, what’s end of life, things that like that. It’s also very important to have an incident response plan. When you’re going through the exercise of creating an incident response plan, it like forces you to think about the components that are absolutely necessary to get your business back up and running in all sorts of different scenarios. And it also highlights what’s missing. Like I heavily encourage fire drills, which are core tabletop exercises, and those are like essentially role play exercises that stress tests your response in a safe and contained manner so that when a real incident happens, you know exactly what to do. The, from a response perspective, those clients that have an incident response plan, that have a robust protocol on exactly what to do when an incident happens, the efficiency in which we can get them back up and running and get business continuity back, it’s night and day in comparison to those that are truly experiencing it for the very first time. Also, the other thing that I always tend to advise is when you get an email request from even a known vendor or a known contact and they ask you to change the payment method, just pick up the phone and call the last known number before you go ahead and do it. Because we see fraud transfer of funds way too often.
[00:30:59] That doesn’t need to happen if you just, like, spoke to the actual person and confirmed with them like, Hey, you know, did you really request this change of funds or did you not? That can save a lot of headaches later on. And, also I like that you touched on the topic of backups, Jonathan, because yes it’s one thing to have backups. Most of my clients these days have backups.
[00:31:22] Jonathan: Right.
[00:31:23] Shelley: But we still run into a lot of issues with them. We don’t make sure that our backups are up to date. Sometimes people don’t know how to restore from backups at all. Like we know they exist, but we don’t know how to restore from them. So you just always know that, always ensure that they’re valid, ensure that your team knows how to get them, get access to them and know how to restore them in a timely manner. And also always make sure that they’re disconnected from your primary network because again, you know, everything is connected. Once something gets in, it’s going to impact everything and that includes the backups.
Closing
[00:31:55] Jonathan: I love that so many of your suggestions there were not just focused on tooling. On software. Of course that plays a critical role in things, but having the people, the processes, the policies in place, and actually reviewing those, actually putting them to use. I’m a huge fan of tabletops.
[00:32:14] I’m glad you brought that up. Being able to actually go through those exercises and then cover, “Oh, we actually have a gap here. We don’t know the answer to this question. What if this person was out? Do we really know how, is are all these things documented?” I think it’s a great use of time and, of course, time is the most valuable commodity we all have.
[00:32:33] And so I think it gets put aside a lot. But, having you folks like yourself really reinforcing that is a great thing for people to hear.
[00:32:40] Shelley: Thank you.
[00:32:43] Jonathan: Shelley, thank you so much for joining us, really talking about your, your role here, which is a very, very interesting and important one. Thank you so much for everything that you do. And thank you for coming on and being a part of IT Horror stories.
[00:32:58] Shelley: Absolutely my pleasure, Jonathan, and thank you very much for the opportunity. It was such, such a pleasure to speak to you.
