Welcome! Today I'm going to tell you a story about things that I learned about incident response by being a firefighter. Let's get to it.

Here's the agenda, what we're going to cover. I'm going to start with a little introduction about myself, tell you a little bit about my background in IR, and I'm going to tell you a little bit about myself as a firefighter. Then we'll delve into what IR is, for those of you who don't know what IR is, and then we'll talk a little bit about firefighting, because even though you might know what IR is, you might not be familiar with firefighting beyond obviously putting out the fire. Then we'll do some comparisons between IR and firefighting, definitely some similarities and some differences of course. Then I'll describe some challenges and opportunities, the things that I learned from being a firefighter that I then brought back to IR. I'll summarize and then end with some final thoughts. Let's get going.

Alrighty, so for those of you who are not familiar with me, my name is Katherine Allman. I go by investigator Chih on the internet in the Twitterverse, and I've been with the University of Buffalo for over 20 years. I'm on staff with B-Sides Rochester and a cyber camp that we hold. I volunteer with some stuff. I've spoken at a bunch of conferences. I have some certifications and a couple of degrees. Even those of you who know me from the IT realm may not be familiar with this information about me as a firefighter. I've been in the fire service since about 1997, and since then I've become a state fire instructor with New York State. I've done some credits, college credits, on firefighting. I was a certified fire investigator at both levels in New York State, and I was also a member of the J Fire team. So the fire thing is something I've been doing a long time.

Just in case you're still not convinced, this is me at the scene of a fire, and this is part of the story that I'm going to tell you. I'm holding what's called a thermal camera.
When you look into a thermal camera and you point it at something, what it's going to show you is a difference in temperature. So things that are darker are usually cooler in temperature, and things that are warmer are going to show up as lighter in color. We'll see why that matters later. And just in case you weren't sure, I'm the one with the camera and the person to my right is our captain.

So now let's delve into what incident response is. I like this definition of incident response because it focuses on the technical components that you're going to need to analyze and contain an incident. We'll see in a bit why that's a little different from incident handling. So you're going to be the boots on the floor person, the person who's actually focused on dealing with this incident directly. You're going to address network events. You might deal with them in a reactive or a proactive way depending on your organization, and an event can be anything that's going to affect the CIA triangle, your confidentiality, integrity, and availability of information. The goals of incident response are going to be to make sure you know when there is, in fact, an incident or some kind of thing going on. You're going to stop that attacker. You're going to minimize the damage that is caused. And ultimately, you want to prevent it from ever happening again, or something similar from happening.

These are your basic phases of incident response: preparation, identification, containment, eradication, recovery, and lessons learned. Let's break these down a little bit. Preparation. So during the preparation phase, we're going to document, document, document. You want to document both your network itself and perhaps the particular machines in question. One of the most important things you'll want to document is where your important data is, right? Where are the keys to the kingdom? That's critical.
You might do some tool building, perhaps to help you respond better to an incident, or perhaps to help you know when something is happening that shouldn't be. Then the next step is going to be awareness of the attacks. And ultimately, this could be something as simple as an automated ticket system that tells you that there's a problem, or it could be from a phone call. In your containment phase, you want to stop whatever is happening. So that might be patching a system, blocking some sort of C2 connection, maybe pulling the power out of the back of a machine. It depends. Then during the eradication phase, you're ultimately going to remediate. You're going to remove compromised hosts from your network, whatever it is you have to do to get the bad guys gone. During the recovery phase, you need to restore those business functions, because of course the whole point of incident response initially is to get up and running again. Then you want to learn from exactly what happened so that the same thing doesn't happen again.

Here we have incident handling. You'll notice it's a little different. It focuses on the other things that are important in an incident: the logistics, communication, the coordination, planning, all of these other functions. And ideally, you want these two things to be separate. Now, I understand in smaller organizations, you might be the only person doing this job and you might have to do both. But if you're the person who's boots on the ground and you're working on containing an incident or eradicating the attacker, you don't also want to have to be the person who's communicating out every five minutes what's going on. So if you have somebody else doing that, it's a whole lot easier to focus on what's at hand.

Now let's move to firefighting. What is firefighting? Well, it's the obvious. We're going to put the wet stuff on the red stuff, as they say. We're going to prevent the spread and extinguish significant unwanted fires.
So, you know, not your backyard barbecue unless it's out of control. And we'll do that for buildings and vehicles, woodlands, that sort of thing. Our goals, as you might expect, are to protect the health and safety of ourselves and of the public. We're also going to protect property and the environment. Just because we're in the process of putting a fire out doesn't necessarily mean we want to make things worse, right? So for example, if we have a situation that might involve hazardous materials, we need to make sure that we're doing our best to prevent that from making the situation worse. And we want to minimize, excuse me, the disruption of community activities. A great example of that would be a car fire or a car accident. You have a lot of people who are, say, trying to get to work in the morning or trying to get home. And if one of those things occurs, we need to set up traffic support to help you still get from place to place and minimize any disruption while we're taking care of the particular incident.

We too have a preparedness cycle. It looks kind of like this. We'll do some preparing, then an emergency will happen. We'll respond to it. We're going to recover from it. We'll mitigate where we can and we're back to preparation. Now in this preparedness cycle, in the fire service, we usually start more on the mitigation side. And let me show you how and why. So mitigation for the fire service has to do with preventing future emergencies or minimizing their effects. So if you've ever been to any kind of, say, fire department open house where they're doing fire safety demonstrations, they're handing out smoke detectors, right? That's a mitigation. We want to see if we can help people understand how to prevent fires and accidents in the first place. Sprinklers in a building are another great mitigation method. Preparedness. We need to be prepared to handle that emergency.
So we're going to make sure our gear is maintained, that we're drilling so we know how to use the equipment on the truck, that we have pre-plans of the building. Perhaps there's something unique about accessing certain parts of the building or getting people out if necessary. And then recovering. When we recover from an emergency, we're going to clean up. We're going to restore things to their functional purpose again. We're going to repair equipment that might have been damaged. This is pretty standard for us.

So here's the next part of the story. You saw me looking at the camera, right? This is the same fire. Two more pictures from this fire. The one on the left has me in it; you probably can't tell because my name's not on my coat, but that is me. And what I'm attempting to do in that picture is change out an air bottle. The way firefighters breathe inside a building that is on fire is we wear something called self-contained breathing apparatus. And that's made of a harness and a bottle and some other pieces that help redirect air flow. Needless to say, there are several components. My job on the left hand side is to change the air bottle. Your average air bottle is about 30 or 45 minutes, which can go very quickly if you're working hard at a scene. And when a firefighter runs out of air or starts to run out of air, they come out and they ask somebody to change that bottle. So that was my job at this fire. I was changing bottles for the people who needed them. If you look in the picture on the right hand side, you'll get at least a small idea of what that bottle and harness setup looks like, because you can kind of see the top of the bottle. What I want you to focus on in that right hand picture is the fact that the firefighter's shoulder has a lot of damage. If you look carefully, you'll see there's actually been flame and heat impingement to that shoulder area.
What I didn't realize when I was changing that bottle is that it was not just his coat that had been damaged, but in fact the harness that holds the bottle and the air hoses that connect to it. So I go to change that bottle, and unfortunately, when I put the new bottle back in and connect it all up, I get hit with a blast of air in the face. Fortunately for me, I was wearing my gear correctly, there was no damage, and ultimately I instructed the firefighter to take the pack and make sure that it went out of service. Now, why is this important? Nobody got hurt, it wasn't a really huge deal, nothing bad ultimately happened; we'll get back to that. So pay close attention to that picture, think about that story, and remember here, I was just doing my job.

All right, so one other piece of terminology in the fire system that's really important to understand is the incident command system, and it's this idea of an organized response to a problem. You're going to have a coordinated response with potentially multiple agencies; you need some way to organize that chaos, right, such that everybody knows what they're doing and what their job's supposed to be. If you've been in the military before, you're probably familiar with chain of command; obviously if you're in law enforcement that's something else you're familiar with. It's not a dissimilar idea; this is what forms our effective chain of command. So here's what the incident command system looks like, and we're not going to spend time looking at all of this, but you'll see the incident commander is at the top, typically going to be one of your chief officers, and at the bottom you're going to have operations, planning, logistics, finance, and in between you'll have some other folks who report directly to the incident commander. What's important to note here is that the incident commander doesn't have a ton of people reporting directly to them, and the reason is it makes this whole situation way more manageable.
So let's look at the pieces that are most often in smaller incidents. So you have your incident commander; they're going to define what the goals and the objectives are for that particular incident, again usually your chief, or it might be a senior officer if no chief is available. And then you'll have operations. Operations is often the person who is in charge of making sure that those goals and objectives get met by figuring out what the strategy and the tactics are going to be. We sometimes have external operations and internal operations. If it's a large building we might have operations on multiple floors. So we might have operations for the first floor. If we have a high-rise facility, sometimes we need multiple levels of operations. So that's not uncommon. The last three here, logistics, planning, and admin/finance, are more common in very, very large incidents, when you need to have lots of people and extra supplies and equipment brought in, or if there's going to be a long-range plan, something like a hurricane hits and we have to mobilize troops or demobilize them quickly. That's going to be on the part of planning. And then if we need some kind of licenses or have to deal with compliance issues, get some money together or whatever, that's where admin and finance is going to come into play.

All right, so let's do a comparison of the two and kind of see; I think you'll find it interesting to see how they do compare. So methodology-wise, I think you've seen, they're very, very similar, right? The only thing that was really missing from the firefighting circle was the lessons learned. And I'll tell you, even though it's not officially part of the methodology, if you are good at what you do as a firefighter, you absolutely pay attention to lessons learned. So I would say that these really, in terms of their functionality, are really very similar. But let's talk about some misconceptions. In incident response, there's this idea that every event is an incident.
Well, that's certainly not the case. You can have an event where something is, you know, changed, but it's not necessarily an incident on the part of the particular organization you're with. And not every incident is handled the same way, right? I mean, certainly a small incident involving maybe one social security number is going to be different than an incident involving 100 social security numbers or a thousand. Every incident is quickly solved. Well, we know that's not true. We can have an incident that's really fast, maybe gets resolved in 10 minutes, and we can have one that takes days, weeks, months. It can be a really long time depending on how big the incident is. If law enforcement is involved, it can be even longer than that, depending on what court cases and all the other details play into it. This is, I think, one of the most important ones. There's this idea that every person on an incident response team needs to be a rock star. Well, that's not true. I'm not a rock star. I'll tell you that right now. And as new people come into this field, we shouldn't expect them to be rock stars either. We can all learn from each other. Another thing that's a misconception in IR is this idea that we can accurately attribute whatever's happened to a particular entity. It's hard enough to, you know, figure out attribution at all, but to do it accurately is even harder.

Likewise, in firefighting, we have some misconceptions. How about this idea that firefighters are always paid? How many of you know that there are tons of firefighters around this country that aren't paid? I'm one of them. I've been a volunteer firefighter for many years. I've never, ever earned a dime from firefighting, and yet I still love it. It's a fantastic hobby and one that I wouldn't trade for anything. There's also, from television especially, this idea that firefighters are big tough dudes. Well, I know you can only see my floating head, but guess what? Not a big tough dude.
Never was, never will be. We also don't fight fires the same way every time. Again, yes, we put the wet stuff on the red stuff, as one of my fire instructors has said, but we don't do it the same way. Maybe we need to do a search and rescue first. Maybe the building is partially underground. There are all sorts of challenges with the situation that don't allow us to do the same exact thing every time. Certainly, there's this idea that fires get extinguished quickly, especially again on television shows, but it can take days. In large, really large situations, it can take longer than that. It just depends. Maybe all you need is a water can and it's a little bit of burning mulch. Sure, that's extinguished quickly, but not all of them. And definitely not a full-time job, because that's not my full-time job. My full-time job is incident response. But we'll see, they're pretty similar things in some ways.

First, we'll talk about the differences. So, in terms of incident response, it rarely involves life safety, except in the universe of health care. If you work in health care, you absolutely can be the difference between life and death in some of the incident response situations you might wind up in. Patient records are critical. Ideally, there are things in place to prevent that from being catastrophic. But in the rest of the world, despite what everyone would have you believe, life safety isn't usually the issue. That's important to remember. Certainly, IR teams typically get paid, and as I already mentioned, firefighters, not so much. We use computers and software for our day-to-day job. And while firefighters also sometimes use computers in certain capacities, they use mostly water, foam, chemicals, hoses, and show up in special vehicles, like fire trucks. Most of us doing IR drive whatever we want; it doesn't really matter. Obviously, if you're in an organization like law enforcement, well, you might have a different experience. And we wear special gear as firefighters.
I'm not going to show up at a fire in just a t-shirt and shorts. I'm certainly going to put on my gear, right? So, those are some differences.

Now, here's where they are similar. In both cases, we're going to focus on that immediate issue first and find that cause later. We need to put that fire out. We need to stop that attacker. We'll deal with attribution and the cause later. We're also going to use triage to determine the best course of action. If you're not familiar with triage, it's this idea that when you have more than one thing to consider, you're going to decide which of those things is most critical. So, what most people are familiar with in terms of triage is a situation where there's been a motor vehicle accident and you have multiple people who are injured. You might have somebody who just has a bump on the head. You might have somebody who maybe is beyond saving. And you might have somebody who's serious, but with the right interventions could easily be saved. And looking at all those details, you have to decide which one to treat first. Fire situations are exactly the same thing. You're going to want to take a look at the facts and make some decisions about what to do first. Ideally, you've pre-planned that, but we'll come back to that. They're cyclical in nature, both of them. We've seen that already, right? And they both require some pretty interesting thinking outside the box. In incident response, sometimes we use tools that we might use for other things to try to get information for the response. And in firefighting, we do the same kinds of things in the sense that, for example, I have a friend who's a firefighter in my hometown who had a patient in a multi-story building who was very large, and they didn't have equipment that would easily facilitate getting him out of the building where he was. So he went to the local hardware store, got some equipment, and built something to get this individual out of where he was stuck.
He thought outside the box; he didn't just use the equipment he had, he worked with other things that he was able to get a hold of. In both cases, we often bring in outside entities. Firefighters rely heavily on mutual aid, bringing in other fire departments as necessary, or perhaps specialty teams. We do the same thing in incident response. While I do incident response for the university, we might need another team to come in and help us if something were significantly serious enough. Maybe if it's a large enough incident, maybe if it's a certain kind of incident. And sometimes in both cases, there are inside teams. So again, I'm inside at the university, and there are companies that have inside firefighting teams because they're a manufacturing organization that's large enough.

So now let's talk about the things I've learned from being a firefighter that I think are relevant to IR specifically. I'll start with this first challenge, tunnel vision. This is the idea where we focus exclusively on one particular thing instead of seeing that big picture, right? And we make bad decisions when we do that. Think back to that image, the two images, of me changing out that air bottle for the firefighter and his burned coat. This is an example of tunnel vision. I'm focused on doing my job. That's all I'm doing. And frankly, I could have gotten really hurt here because of tunnel vision. I wasn't taking a step back in my head and looking at the bigger picture. I was just focused on the task at hand. Here's another example from firefighting. Look carefully at those cones. You pull up to the fire. You get off the fire truck, and this is what you see. What are those cones protecting? At first glance, you see a fire hose. No big deal. So maybe you're going to use that hose. You're going to help put the fire out. Maybe you're going to bring a piece of gear to the other person who, if you look carefully, is standing at the door.
If you look more carefully, you may or may not see there is actually a live power line that those cones are actually trying to protect you from. And if you go rushing into the scene because you're so focused on putting the fire out or getting the gear that somebody needs, you could get really hurt. We have the same kind of thing in IR. We need to consider whether or not a scene is safe. In many cases, sure it might be, but it depends. It depends on the situation. The picture that I'm showing you below is of a server room that has asbestos. If there's an issue in a server room with asbestos, you don't want to go running in there. Consider if somebody tells you that you have a malware situation and you get focused on that. But it turns out it's just a misconfiguration. Or maybe you do blind hardware acquisition. So you go running in and you grab drives. But that machine, you find out later, was powered on and was running encryption. And now you don't have the keys anymore because all you've done is grabbed hardware. You haven't thought about it. Maybe you were told that a situation involved ransomware. And you're worried now and you're focused on how you're going to handle the ransomware. But it turns out it's just a phishing email.

So hand in hand with tunnel vision is reactionary behavior. Not only are we focused on one thing, but we react to it without thinking ahead. We're allowing those outside forces to make that decision instead of relying on the data we have at hand and thinking about that bigger picture. In the fire service, it can lead to really deadly situations. So the photograph you see here is from a horrible fire that happened not all that long ago in Worcester, Massachusetts. It was a cold storage fire in an old meat packing plant that was built in 1906. People hadn't been in that building in a very, very long time. It had been vacant. No pre-plans had been made. It turns out it had a maze of meat lockers in it.
When this fire broke out, there was supposedly somebody trapped inside. So they sent in two firefighters. The two firefighters went in and attempted to find the individual they thought was trapped. They got hopelessly lost and radioed for help. So the chief sent in two more firefighters to help them. Unfortunately, those two firefighters also got hopelessly lost and could not get out of the building, nor could they find the two original firefighters that had been sent in. So the fire chief sends in two more firefighters. Guess what? They too get hopelessly lost. And ultimately the fire chief says no more. I'm not sending any more in. Now at first he was harshly criticized by his team for this because of course their own folks were inside that building. But the reality is any further reactionary behavior to try to save these individuals would just have led to more death. These folks died because pre-plans weren't made and they didn't know what was in there, and it would have been a reaction to just keep sending firefighters in.

We see the same thing within IR, although usually not as deadly, right? If we're doing forensics, we need clear, explicit goals. If the reactionary behavior is just "figure out the bad stuff," that's not helpful. You need to know more specifically what it is they want you looking for. Another example is just pulling a network connection. What if you need more information about the attacker because of what they're doing on other systems? Or what happens if you just turn off a machine? We've already talked about the situation where you have a key in memory and you turn the machine off and it's gone. Suspending all accounts is another example where it could be you have one account that's compromised and now you suspend them all and that causes more headaches.

Another challenge is freelancing. Now in our field in IT, a freelancer we often think of as somebody who's perhaps just not working directly for the company, right?
They're a contractor. But in the fire service this notion of freelancing is this idea that somebody is not following chain of command. They go off on their own and kind of do what they want in an attempt to get the job done, but they're not following what's been laid out for them. And that can lead to dangerous and reckless situations and bad feelings and all kinds of problems. In the fire department we see this typically where we have what's called the crossing of the streams, and for those of you who don't know, the picture in the bottom right is Ghostbusters, and they always talk about never crossing the streams. Well, in firefighting the idea is if I'm streaming water through the front of a building and then a team comes to the rear of the building, and that building is a small house, now I'm fighting the team that's putting the water in from the other direction, and that could be really dangerous. Another way we see this freelancing in the fire department that can be really dangerous is where doors are opened or windows are smashed without coordinating it with other people. We've seen situations where a window could get smashed and a firefighter could be standing right on the other side of it because they don't realize somebody's there. It can also ultimately feed the fire, because where there's more oxygen, that fire is going to go. So if it hasn't been planned out and it's not coordinated, it can actually make things significantly worse.

In incident response we see the same kinds of things. A team goes in to do a response and you get somebody who thinks they're just going to collect everything. Well, there could be legal ramifications for that. What happens if they don't collect what's absolutely required? Maybe they overlook something. Maybe there's a duplication of data collection, which wastes time, or maybe data gets altered or misrepresented because people are freelancing and not everybody's following the same set of rules or the same guidance.

Patience.
This is a fantastic opportunity. Ultimately you want to take that moment to determine what the best course of action is. As one of my fire instructors would say, slow is fast, right? You want to be deliberate about what you do, because ultimately it will take less time if you take a moment, think things through, and then proceed. So in terms of firefighting, you may remember the same house here. It's the same story. On the left is what we pulled up to. You'll notice you can see flame in the picture on the right hand side, the sort of orangey bit that's on the right part of that, underneath the eaves next to the downspout. And you'll see a little bit of a glow toward the front of that third window on the right. But we don't see flame blowing through the roof. Now what I was seeing in that thermal camera image was that all of the fire, all of the significant flame and heat for this particular fire, was up in that roof area. So what would have been ideal is for somebody to go in on the inside, break through from the second floor up into that attic area, and ultimately put the fire out. Unfortunately we had people who focused solely on where they saw flame, and as a result we see what we see on the right hand side, where flame blows through the roof and there's a lot more of it, and it took us a lot longer to get this fire out. Which isn't to say that what everybody did was wrong, but taking a beat and thinking this through might have saved a lot of time with this fire.

Okay, patience in terms of incident response. For those of you not familiar with Chegg, Chegg is a company that rents textbooks. Now what do you think the odds are, for an entity that rents textbooks to students in higher ed, of those students using, oh I don't know, the same credentials at the university that they use at Chegg, or vice versa? Yeah, pretty darn good.
So Chegg had a massive breach that involved millions of accounts, and because they provide services to multiple universities, as you might expect, many institutions wound up with this exact problem: tons of compromised accounts. But is it really the university's problem, in the sense that is it their breach? No. What it is is password reuse. Chegg had the breach. Yes, the universities and institutions have to do something about making sure those passwords get reset, right? That's important. But it's not the same as those passwords having been breached on the systems that are actually at the university. That is an incident. That's pretty serious. So before you panic when you hear about a huge breach, even if it could impact your institution, think for a moment. Take that beat about exactly what the implications are. What is the real risk here? And also consider that time is important. But as we saw with the picture of the asbestos room, life safety is more important. So taking that beat can also be life-saving in incident response, depending on what you're walking into.

All right, accountability. It's this idea, at least in the fire service, of knowing where all your people are. You want to know if they're in the trucks. You want to know who came with one truck. You want to know who's gone inside a building. You want to know who's getting rehabbed. But really, in incident response, we do the same kinds of things. We want to make sure that we prevent hazards and duplication of efforts. We don't want to step on each other's toes or have any sort of direct interference. So on the left are accountability tags that we use in firefighting. And for example, we'll use one of those tags. We'll place it on the truck so that everybody knows what truck you came in on. That way, the officer on that truck knows where their people are at all times. If they go inside the building, they'll use a second tag and put it with the accountability person at the door.
So that they know where they are inside the building. For incident response, we can do the same kinds of things. Perhaps swipe card access: if you're going inside a facility where you work, it'll show what room you're in. And maybe you need something more detailed like an incident access log, depending on the situation. So we can do accountability with IR, and it's important.

Okay, pre-planning. Pre-planning is absolutely critical. You want to know your environment. You want to know it through your own documentation and planning, third-party documentation, and anything else that you can think of before it becomes a problem. And in the fire service, we're going to do that with what are called pre-plans. And in incident response, we're going to do it with things like tabletop and premortem exercises. So that we have this idea of what we might run into before we run into it and prevent those gotchas. So this is the kind of thing we do in firefighting. On the left is a map of a building, basically. I know it's a little difficult to see, but the idea is that it maps out for us where the hydrants are, where the electrical shutoff is, and it might tell us if there are any hazardous materials in the area. The thing on the right might tell us a little more about the building construction. This is more of a general pre-plan that's going to tell us about other hazards, other information, but it's the same concept, right? It tells us what we need to know about the facility we're going into to keep us safe, and those that we're trying to rescue, and perhaps the general public, depending on the particular situation. We can do the same thing in incident response. We can do tabletop exercises. If you're not already familiar with Backdoors & Breaches, you should be.
The Black Hills folks, John Strand and his crew, have built this amazing card game which uses a 20-sided die and this set of cards, and it can help you build an entire event from the ground up, and then you can do the investigation using those cards. It's really interesting, and I highly recommend it if you haven't already tried it. It can walk you through scenarios, everything from something happening in a natural-disaster type emergency to the intern who's done the wrong kind of thing and made an accidental mess. Obviously documentation we've talked about, right? Document your servers, document your workstations, document where your data is and what your network is like, and the more information you have, the better off you'll be. And hopefully it goes without saying, to a certain degree, that this would also include your incident response plan and whatever team you have.

So to summarize, we want you to start thinking like a firefighter. I think that applying these firefighter ideas to incident response has really made me a better incident responder ultimately. You want to avoid tunnel vision. You want to do what's called a 360 of the problem, which in firefighting might literally mean a 360 around the building, which is what we try to do, or at least somebody does when we get there, whether it might be the operations person or the incident commander; but at a minimum, we always pull past the building that's on fire or potentially on fire so that we can see at least three sides of the building. That gives us that bigger scope. We want to make sure we're acting deliberately. We don't just react. We don't want to be misled by emotion. Follow whatever plan that you and your colleagues have come up with. Don't just freelance. It can be physically dangerous in certain circumstances, and it can just be plain frustrating in others. Have patience and take that beat. You never know what you might have missed if you didn't.
Those 30 or 60 seconds could save tons of time, and even in the fire service, taking those few seconds ultimately could save a life, even if you think going faster might have done it. Location. Make sure you know where your people are. Document, document, document your location, both of your equipment and your people, and where your data is. And pre-plans: they rock. Less chaos, way easier to respond if you already have a plan. And consider something like the incident command system so that you're organizing your response. The thing about the incident command system that's so cool is that ultimately it is fantastic for scaling to larger incidents. As I mentioned, you can have only one person in charge of just a few people. And if you scale that out, it works really well in larger situations. So bringing in outside entities is so much easier, because everybody's on the same page.

So some final thoughts. I know that many of you have never thought about incident response in this way. And that's okay. That's the idea. Think outside that box. Try some things you've never tried before. You may find that ultimately it makes your job maybe more challenging in the beginning, because it's going to pull you outside that comfort zone. And the reality is, great things never come from comfort zones. So do it. Push that envelope. Hopefully you will find these tactics helpful. I want to thank you for coming to hear me speak. And I want to thank Wall of Sheep so much for having me. And I hope you have an absolutely wonderful DEF CON and a wonderful rest of your day.
