Good day, I'm X-Ray, I'm your host for today, and welcome to DEF CON 30, AltspaceVR, Virtual Reality Theater, where we're having DEF CON presentations. You're probably sick of hearing this from me, but new people are popping in and out all the time. Our next speaker is Gail. Gail has been volunteering with different online communities for the past two years by mentoring, moderating Discord servers and presenting in different community-based InfoSec conferences. She's been in the tech industry since the early part of this century. Gail has a graduate certificate in incident response from the SANS Institute and a master's in cybersecurity digital forensics from UNSW Canberra. Her day job is doing proactive and reactive work as an incident responder. And her talk is "How My High School Creative Writing Class Helped Me to Become a Better Incident Responder". So, Gail, please take it away.

Thank you. Oh, wait a minute. Gotta make sure you have access to the stage. That might help. Okay, let's see if I can get there. There you go, you have access now. There we go. Okay. There we go. So, I do have megaphone access now. Can everybody hear me properly? Sounds good. Okay, thank you.

So, good morning, everyone. I'm saying good morning. It's 4 a.m. here. Two minutes after 4 a.m. So, I am calling, I'm dialing into this virtual reality space from Naarm, or Melbourne, Australia. So, first of all, I'd like to start by doing an acknowledgement of country. I'm presenting from the lands of the Boon Wurrung people and I wish to acknowledge them as traditional owners. I would also like to pay my respects to their elders, past and present, and Aboriginal elders of other communities who may be here today. Thank you. Next slide, please. Next slide, yes.

Okay, so I've been introduced. Thank you very much for that. So, I just wanted to add that I'm part of the first cohort of Project Friedman.
So, Project Friedman is an initiative here in Australia by Women Speak Cyber and the AWSN, the Australian Women in Security Network, to help make sure that we have diversity of thought and representation in our security, our InfoSec community here in Australia. I got training in terms of how to present in conferences. So, I do have a Twitter account. I have open DMs, so please feel free to send me a DM if you have any questions afterwards about my presentation. Next slide, please.

Okay, so for this presentation, I'm going to be covering the areas here. So, first off, I'm going to talk about what's that creative nerd there, and then after that, I'm going to talk about incident response, and then I'm going to be giving some parting words. Okay. So, next slide, please.

Okay, so this is an old photo of mine and this dates back to my high school time. And I was just, this particular day, I remember this vividly because I was just, you know, I brought the family camera and this was before the time of, like, you know, digital cameras and all those things, where you had to make sure you had a negative, you know, and then we had to take it to the store to have it processed. So, I was, like, you know, being all silly and just being goofy, and I borrowed one of my classmates', you know, berets and pretended I'm, you know, the artsy person. And just for context, I actually went to a public school that is known for its strong science and math curriculum. It was called a science high school. So, the concept was that there'd be high schools that are really focused on STEM, or to make sure that the students have this good background in science, technology and mathematics, in the hopes that we will go to the university and major in the STEM areas. So, if you cannot tell from my accent, I'm originally from the Philippines and I migrated to Australia. Okay.
So, I was really lucky to get into that school because the entrance exam was really very competitive, and we were, like, wrong, and then we had to make sure that we also passed the interviews. But the great thing about being in that science high school was that there were also what we call, like, electives, so we could take non-science and technology classes. And one of the first things that I signed up for was the creative writing class. And honestly, I was, like, really glad that this was before social media. So, anything that I had in terms of photos and all those things was safe until my dad discovered Facebook and started scanning all my high school photos and started sharing them with everyone. So, this particular, well, in a way that was great, because I asked him earlier this week, "Hey dad, do you remember, do you have one of my photos from high school?" He said, "Sure, sure, which one?" And then he just sent me this one. So, that's the background, that's the context of why I called myself the creative nerd, because I was a nerd first before I became a geekette. And so, next slide. So, next slide please.

So, one of the first things that I learned from my high school creative writing class was to really do research and, you know, document whatever I come up with. And at the time, interviews, you know, contact people and interview them for your story, or you read up, like, before we had the internet back then. And the way to do research was actually to go to a physical library, talk to a librarian, and then, you know, if you need, like, a book or something, there was the card catalog. Quick show of hands here or, like, show me your emojis. Anybody here has seen and used a card catalog in the library? Okay, any emojis? Okay. Okay, great. Okay, that's good. So, for those who haven't used a card catalog, think of it like before we had the search engines, like, you know, Google, before Google, there was, like, Yahoo. You know, that was the way we did, like, research in the library.
There's a series of, like, cards and they're alphabetically arranged. It's, you know, you have topics, then you have, like, titles, and then it could be arranged by, you know, authors. Okay, so that's how we did the research.

Okay, so the first thing, the most important thing before you start, you know, like, writing anything, you have to think of an idea, like, what do you want to, you know, tell? What's the story that you want to tell? You have to start with an idea. But the challenge is that sometimes if you're just, like, you know, stuck in a rut, you know, you can't really think of an idea. That's why there are things like story prompts. So I remember, like, a week after, like, the first class, we were told, like, come up with an idea. So the teacher, you know, said, like, okay, so what are your story ideas? And a lot of us were stumped, and that's why she introduced, like, story prompts. So what are story prompts? It's sort of, like, just a sentence, you know, like, about something, and then you start, you know, building up, you know, from that particular story. So you start with the idea. Then after that, you know, you think of a setting. So you have to make sure that you do your research in terms of your setting. Where is it going to be? Is it going to be, like, local to our area? Or is it in another city, another, you know, location? Or if you're thinking of something like writing, like, science fiction, is it set on this planet or another planet, another galaxy? And then think of the period. When you say period, we're talking about the time. Okay, is it, like, is your story set in the present? Or is it in the future? Or are you talking about, or are you thinking about having it, having a historical, you know, context? So you've got to, like, do your research regarding that particular period. And then, of course, there's character building.
So for those of you who are, you know, into games, or let's just say Dungeons & Dragons, you're probably familiar with, you know, that particular, you know, you have your, think of it as, like, what's going to be, you know, the moral code of your character? You're thinking about, okay, are they, you know, more on the good side, you know, like the evil side, or neutral. But mostly when we start writing, we think of your hero, your protagonist, okay? So, and then you have to start thinking about their, you know, inner world, about their origin story. Where did they come from? So you have to start thinking about that. Okay, then lastly, of course, depending on the setting, you know, it's going to be about the genre. So if you're thinking about, like, something in the future set on other planets or other galaxies or something, that could be science fiction. But within science fiction, there's a lot of things that you can explore there. So all in all, all these things that you've thought about, you need to make sure that you've done your research and you've documented everything. You need to make sure that you, you know, write notes.

And at that time, I just want to show, like, share this, my first attempt at using a computer. At that time, okay, there was a lot of, it was summer and there were a lot of power outages. And I went to my mom's friend's house who had a computer, and at that time, I really didn't know how to use a computer. And I just wanted to make sure that I was able to type my story. And I was told, okay, this is how you do that. Okay, so that's your screen, black screen, you know, that was WordPerfect. And I had all these handwritten notes and I had this story that I'd written on paper. But as I was typing, I, you know, there were, like, other ideas that came in and I just kept, like, you know, typing everything. And then suddenly there was a power outage. And then after, like, about 15 minutes, the power came back.
And then I asked my, I call him uncle. Okay, although I'm not, you know, biologically related to him. I asked my uncle's kid, okay, so, okay, where's my work? I was, like, just typing and then suddenly the lights went out, and after that it came back on and I don't see my words there. And then he looked at me and asked, like, did you remember to save it? Like, what do you mean by saving? Again, there was no way for me to recover, you know, those, like, I think I spent about three hours typing up my story, and then, like, okay, and that was my first experience in making sure that I always have, you know, redundancy. I have, like, backups and all those, you know, things. So things that I learned from my creative writing class have really helped me when I shifted careers, like, you know, moving to tech. Okay, now, next slide please.

Okay, now, so another important thing that I learned from my creative writing class was about the plot structure. Think of a plot structure. If you're a visual person, think of it like a mountain. So sometimes it's called a story mountain, and sometimes you just see some examples like a plot diagram. So you can see towards the left, you have there, left side of the mountain there, you have the exposition. So think of it as the part of the plot when you start introducing your protagonist, okay, and you also set the setting and the location there. And then afterwards, you have what is called the rising action. This is the part of the story that, this is basically after you've set your tone, okay, and you've written something about your readers, I'm sorry, you've written something about your protagonist and your readers are now invested in your protagonist. And think of the rising action as an event that interrupts this pattern. And this basically begins the story arc. Think of it as also, it could be, like, there's a first conflict, you know, in your story, and then it ends with an event that changes everything for your protagonist.
Okay, then towards the top of the story mountain, okay, you have your climax. This follows the rising action. This is when everything comes together to create that single dramatic moment. So that is the climax of the story. Okay, and then after the climax of the story, you have to have the falling action. Sometimes some writers immediately move from the climax to the resolution, but it is better to have a falling action, because you have to make sure that the tension and the conflict have started to resolve and then your story starts winding down towards the resolution. And when we talk about the resolution, that is basically the conclusion of your story plot. It could be just one scene or it could be a series of scenes that will tie down your narrative arc, to make sure that you show that something happened to the protagonist, and then what happened to that protagonist and what changed in that protagonist's life. So that is the resolution. So this is basically your plot structure, and all stories should have this plot structure. Okay, now next slide please.

Okay, now, sorry, I just have to have a sip of water here. So in terms of the other important thing that I learned in my creative writing class, it is about knowing my reader and knowing myself. Okay, so first of all, I have to make sure that I understand who's my target audience. I need to know, am I writing for, let's just say, my friends, family members, or am I writing for my classmates, or am I writing for the community? Okay, because depending on your target audience, you either think of it in terms of the words that you use. So of course, in terms of community, like in the Philippines when I was growing up, it was quite conservative. And the first story that I wrote was about a same-sex relationship, and at that time that was considered quite controversial, and I was, like, hey, you're too young to be writing about that stuff, and I was talking about, like, it's about someone finding their identity and all those things.
But I had to sort of, like, be very careful about the terminologies and all those things. Yeah, so in a way, I was self-censoring. But, you know, years later, I just realized that I shouldn't, like, self-censor myself because I'm basically writing for myself. So and then how will you tell your story? So you basically, there's the plot structure, you've done your research, and then how am I going to be telling my story? Okay, so these are, like, the important things that I've learned from my creative writing class that I still remember, like, after, like, so many decades later.

So what happened to this creative nerd? So the creative nerd went to the university, and instead of majoring in science, technology, I majored in psychology because I wanted to understand myself better, and at that time it was, you know, difficult having, like, a career out of the university as, you know, a psychologist or as a psychology major. So my family wanted me to either go to med school or law school, and I initially thought, I want to go to med school, but I dropped by and thought, like, no, I don't want to do, like, you know, all the dissection and all those things. And then I decided I'm just going to go to law school. So after finishing my degree in psychology, I went to law school, and when I was there, I realized that, hey, I'm not, like, the very argumentative type, because I was turning into a very argumentative person. No matter what happens, we were being trained to win every single, you know, little argument. And I thought, like, that's not what I want to do. And so I got out of law school after two years. So I joked that, hey, does that make me an outlaw because I got out? Anyway, then I got connected to the internet, and when I got connected to the internet, I realized, oh, there's a world out there and I want to be part of it. And that started my shift, career shift to tech.
So early part of this century, I moved into tech, and I started my career doing networking stuff, Cisco stuff, and I loved that. But I really wanted to focus on cybersecurity, or at the time it was network security. It's largely because when I got connected to the internet, I used IRC and I had an online stalker, and so that's why I was, like, really concerned about security. So anyway, eventually, so from doing, like, networking, network security stuff, I moved into cybersecurity, and I really wanted to do forensic stuff because I'd been reading mystery, since I was a kid, mystery novels, all those things. So now I'm at this point in my life and my career, I'm doing something that I really love, and it's digital forensics, and focusing on digital forensics and incident response. So now next slide, please.

Let's talk about incident response. Now, quick question for the listeners. What is the first thing that goes into your mind when you think about incident response? Next slide, please. Do you think of yourself having, like, a similar expression to this person in this photo? Okay, yeah. So sometimes people consider, like, incident response as one of the more stressful kinds of work in the infosec area, as basically you're being called upon to respond to a particular incident. Okay, so next slide, please.

Now, before I start talking about incident response, I just want to clarify something about the terminology, okay? So when we talk about incidents, we need to always clarify what we mean when we're talking about incidents, okay? So first off, okay, there's the word event. When we say event in the context of incident response, an event is just basically something that is observable. An event is something that is observable. So it could be, you know, there was a user connected to a particular website, went to visit a particular website, you know, so that's an event, that is something that is observable.
Now, when we talk about an incident, incident basically means there was an event, an observable happening, okay? How did you observe that? You have, like, logs, okay? You have some evidence there. And the event itself, okay? That observable is something that breaks, you know, the security triad, the CIA, either confidentiality, integrity, availability. So that becomes an incident. So basically an incident is an event that's observable, but it, you know, affects the CIA, or it, you know, breaks certain, you know, security policies in your organization. So when you talk about incident response, it is a process to help protect the organization, and it has several stages.

So what's the difference between digital forensics and incident response? So digital forensics by itself is both an art and a science in terms of understanding what has happened within a system or inside, let's just say, an organization, or within your, you know, network infrastructure or your infrastructure. So there are different artifacts. When we say artifacts, these are, like, the evidence, sources of evidence. And then incident response uses a lot of the techniques and knowledge from digital forensics in order to help protect your organization. So incident response is, think of it as, like, a practical organization, sorry, incident response is the practical application of your digital forensics. So incident response is like you're responding to an incident right now, in the present moment. And then digital forensics, think of it, you're looking at what happened in the past. So you're using your different tools and techniques to understand what happened. You're collecting all these artifacts, evidence, you're making sure that you preserve them just in case you need to present this case in court. So that's the difference between digital forensics and incident response. Now, next slide please.

Now, when we talk about the incident process, there are several frameworks that are available out there.
So the first one is NIST, that's from the National Institute of Standards and Technology. And this particular incident response framework is actually in the Special Publication 800-61 Revision 2, or 800-61 R2. So NIST is a government agency and works on technology. And their framework for incident response, sometimes, like, you can see it as incident handling, there are four steps. Now there is SANS, okay. So SANS is known for providing security training. And initially, SANS used to call itself SysAdmin, Audit, Network and Security. So that's the meaning of SANS, okay. And compared to NIST, this is a private organization and they're very much focused on security. And for them, their incident response framework has six steps. So think of them, you have PICERL. This is the acronym for those steps for their, for the SANS incident response framework. Now, can you please go to the next slide please?

Okay. So for NIST, you have there the four steps in incident response. So you have preparation, and then you have detection and analysis. And then after the detection and analysis, you have containment, eradication and recovery. And then after that, you have the post-incident activity. Now let's look at the next slide please. Can you please go to the next slide?

So for SANS, compared to the NIST framework, SANS has six steps. There are six phases. So there's preparation, identification, containment, eradication, recovery and lessons learned. So next slide please.

So comparing these, you can see that both frameworks have the preparation phase, okay? And then you have the identification phase as the second phase. And then you have containment, eradication, recovery, which are three separate phases in SANS, exactly the third phase under NIST. And then the lessons learned phase from SANS is called the post-incident activity, okay? So at this point, I'm just going to go through the six steps of the SANS framework.
So when we talk about the preparation phase, this is where you should be making sure that you have your documentation in place there. Ideally, you have your security policies, okay? You do your reviews and, you know, you make sure that the security policies are well known in the organization. This is the time wherein you're also doing, you know, risk assessment. You're basically making sure that you know all your assets, when we talk about assets. So these are your endpoints. When we say endpoints in the context of incident response, it's your laptops, desktops, okay? And then you also have to make sure that you identify what are the sensitive assets. And then you also make sure that you define which are the critical security incidents that the team should focus on. Because you don't want to make, you know, you don't want to call, like, the incident responder when you're just dealing, let's just say, with what turns out to be, you know, like, a desktop issue, when it, you know, could be, like, oh, the printer didn't work or something. So that's not a security incident. Okay, you have to make sure that you have a definition of severity levels, priority. And during the preparation phase, okay, if your organization hasn't built, like, a CSIRT, computer security incident response team, this is the time that you should be doing that. Okay, during the preparation phase. And then you're also making sure that your team is prepared to respond to incidents at this point.

Now, the second phase is called identification. So this is when you have monitoring of your systems, and then you have to know what is normal operation, what is normal for your organization. And this is the place wherein you are detecting any deviation from the normal operations. And you have to understand, or, like, check, make sure that these are representing actual security incidents.
And during the identification phase, when, you know, an incident is discovered, you need to collect additional evidence, you need to establish the type, severity, and you need to document everything.

Okay, and then from that second phase, you now go to the third, like, you know, step. This is wherein you do the containment. You perform, you know, short-term containment. Like for example, you may need to isolate a certain part of your network or a network segment that is under attack. And then you move to long-term containment, wherein you may need to implement some temporary fixes to make sure that your systems can still continue to be used in production while at the same time you are rebuilding the clean systems.

Okay, and then from the containment phase, you move to the eradication phase. This is where, if you are affected by malware, you're removing malware from all your affected systems. And this is when you're trying to understand the root cause of the attack, and then you are making sure that you're trying to prevent similar attacks, you know, from happening in the future. And of course, that goes hand in hand with recovery, wherein you will be bringing back your production systems online. You have to be careful before you bring back your production systems online. And typically, for a lot of the incidents I've worked on previously, there's always a check of the systems. Like for example, if there was a ransomware attack, before a system is fully put back into production, we have to make sure that we have swept the entire system. Are there any indicators of compromise there? Is this a clean system? Can we put it back online? Or if it's, like, a backup, make sure that the backup is clean. And then part of the recovery phase is to test and verify, you monitor all the affected systems to make sure that they're back to their normal activity, think of it like business as usual.

And then lastly, you have the lessons learned phase. This is very important.
Some organizations don't do this, but it's very important that you have a timeframe. It's best that it's, like, two, three weeks, not, let's just say, six months or one year after the incident. It has to be as soon as possible. Okay, maybe it's, like, two weeks. You need to perform, let's just say, like, a review of the incident. You need to make sure that you have complete documentation of the incident. And then if you need to further investigate the incident, and then you need to understand what was done to contain that incident. And then whether there's any improvement in the process, if you have, like, issues in terms of processes, technology or people, this is the time wherein you're supposed to learn from this particular incident. But there should be no shaming, no victim blaming and all those things. Okay, so those are our phases in incident response.

Now in terms of the preparation phase, you can see towards the right of this particular slide, I have an arrow called proactive. So in incident response, we have what we call, like, the proactive and reactive side. So when we say proactive, this is the part wherein we are doing proactive projects, or think of it like activities to help prepare us. And then from the identification phase towards the lessons learned, these are part of the reactive, wherein you're actually reacting to an ongoing incident in your organization. So one of the activities that we do in terms of the proactive side of incident response is doing a tabletop exercise. Next slide, please.

So who among you here has participated in a tabletop exercise? Somebody could, like, you know, cool, someone, okay, the rest, okay, cool. Now for the others who haven't, like, participated in a tabletop exercise, I'm just gonna be, like, explaining what is involved there. Sometimes it's called TTX for short, tabletop exercise. So think of a tabletop exercise as a mock incident. So it's not a functional exercise.
When we say functional exercise, you present, you know, the group, okay, with the, you know, alerts, and they're supposed to be, you know, trying to simultaneously, you know, respond how you're supposed to be responding, like you're gonna be checking the dashboards in a functional exercise. When we talk about a tabletop exercise, it's a mock incident, okay. There is a security incident and you are just giving them scenarios. Think of it as just scenarios, and they're not gonna be checking any dashboards. They're not gonna be logging into, you know, the monitoring systems or the EDR, the endpoint detection and response, you know, tools. They're not gonna be looking at that. So this is purely, sorry, excuse me. Okay. This is purely a tabletop exercise. Think of it, it's, you know, purely, you know, scenario-based. You are not responding to a real incident. Everybody's just, you know, they're, you know, sitting down and everybody's just discussions. I'm sorry, everybody's just doing some discussions, okay. And the goal here, okay, there will probably be several goals, but mostly it's to test the IR plan and then test the readiness of the organization in terms of, like, if something similar to this scenario happened to your organization, what are you supposed to do? Who's supposed to be doing this? Who's supposed to be leading the incident? Who's supposed to be doing those other things that are in the IR plan? So before you actually have a tabletop exercise, make sure that you have at least even, like, a basic IR plan in place, and everybody who's involved in responding to the incident should be familiar with the IR plan.

Okay, now in terms of making sure that the discussion moves along, okay, you need to make sure that when you create tabletop exercises, you have injects. So injects are additional information that you provide to the participants in your tabletop exercise.
Ideally, the audience, or the people who are participating in the tabletop exercise, is composed of people who will be part of the incident, okay. So you'll have a mix of technical people, and then also the best tabletop exercises will also have some people who are in the management area, because you will need to make sure that you involve certain managers, or they're aware of what's happening. And then sometimes, if let's just say a particular incident would involve communicating with external agencies or external parties, you need to make sure that you have someone, let's just say, doing the comms for this, because it could be, let's just say, the incident is, like, ransomware, you're preparing for a potential ransomware attack. You need to make sure that you have somebody who's in the legal team who may need to contact the insurer for your cybersecurity insurance, and then the other would be that you need to have an external-facing statement from corporate communications, providing a message out there that you have the situation under control and you're investigating it. So it would be good to have all these people who would potentially be involved in a major security incident. Make sure that you have them there.

Okay, so how are we, or, like, in my case, when I started creating scenarios for tabletop exercises for my previous clients, this is where the creative nerd came out. So I was a nerd first before I became a geekette. So the creative nerd in me started thinking about the things that I learned in my creative writing class. So next slide please.

So whenever I created scenarios, I made sure that I'm familiar with my client's incident response plans, and the incident response plan would actually have all these different IR phases identified there. So when I created a scenario, or every time I need to create a scenario, of course, I need to make sure that first, okay, I set the scene. So think of it, it's like towards the left of that plot mountain.
So I'm basically providing, think of it, I'm basically providing the exposition. So usually I put something there, like there's a day. Okay, let's just say it's Wednesday morning, okay. A user may, you know, a user contacts the help desk saying that they saw something unusual on their screen and there was a strange message there. So think of it as, you know, preparing your scene there. So you're basically doing your exposition. And then afterwards, next inject, you know, for that tabletop exercise, other users started complaining that they can't do anything. So you're basically setting up the rising action, and then you start doing, if you're the incident responder, you start identifying who are the affected people. And then you ask them for, let's just say, any screenshots or a readout, like, if there's, like, any message that they see there. And then you have towards the top the climax, wherein you're doing the containment, eradication, maybe because, you know, there's, like, another inject. You started, like, you know, you saw the message and then you did some research, turns out it's a ransom note, and it's with a particular, let's just say, threat actor or a particular group, APT groups that are, like, using this kind of, let's just say, malware, and then you start doing your containment, eradication, and then you have your falling action, wherein you started doing your recovery as part of your incident response. What are you supposed to do? So it could be that you have other systems that were affected and you started, like, using, you know, your clean backups, putting them back there, and then you have the resolution, think of it, it's your lessons learned towards the end of that particular scenario in your tabletop exercise. So for those who may be tasked to do tabletop exercises, remember this plot structure, and then think of it, it sort of, kind of maps to the different phases there, and you can write appropriate injects for your particular scenario. Okay.
Now, next slide, please. Okay. Now, after your tabletop exercise has been, you know, conducted, make sure that you have an after-action report. Okay. This is important. This is basically documenting what was, you know, what happened during the tabletop exercise, like for particular, you know, parts of the scenario, that based on the injects, what was the decision? What did people, you know, decide? What did they do? If let's just say your goal was to improve the IR plan or the IR process, you have to make sure that someone during the tabletop exercise, someone was like taking down notes, and then these notes will form the basis of your after-action report. You need to identify. Let's just say, according to the incident response plan, whenever, let's just say, a major severity or, you know, let's just say major, you know, cybersecurity incident happens, there should be a message that goes out to the group chat over, let's just say, Slack. Okay. So if you're using Slack, so according to your IR plan, you're supposed to be using Slack. And then during the tabletop exercise, people started, you know, saying that, oh, we're just going to start sending messages via WhatsApp. So there's a deviation between the practice, actual practice, and the plan. So you'll have to like decide as an organization, like are we going to change our incident response plan to indicate that whenever there's an incident, we're supposed to be using WhatsApp? So the question is, is WhatsApp one of your approved, you know, applications when in fact you have Slack? So these things that you've learned during the tabletop exercise, you put it in the after-action report so that it will drive changes. Sometimes the incident response plan, you see, you were using, let's just say, an old, you know, ticketing system, and then you moved to a new ticketing system, and by the time that you did this tabletop exercise, everybody kept referring to the new ticketing system, so you need to, you know, update your IR plan.
Okay. Now, next slide, please. Another application of the creative writing class, you know, learnings I had was whenever I actually sit down and then I need to write a lessons learned report. So this is towards the reactive part of our IR process. So I make sure that I have documented what I've done. So this is like the how. And then sometimes there's the question like why, why was this particular, you know, let's just say, finding important, why is it important? Okay. And then I have to make sure that I actually put there some recommendation so that, you know, in the future, what can we do in order to reduce the risk of similar incidents. And then sometimes when I write a lessons learned report, it could be quite, you know, depressing because of what happened, and just, you know, between us in this particular space, okay, there were times wherein there were parts there that I knew that our team has already provided in a previous incident, but this particular client didn't learn from it. You know, they didn't like, you know, they didn't implement those changes, and then, you know, about a year or 18 months later, the same thing happened again. Okay. So sometimes it could be quite, you know, demoralizing, but I always try to, you know, remember, you know, like recognizing the positive. Okay. So I at least put something there. What was positive? Okay. I put something there. So it's not, you know, depressing. Okay.

And then next slide, please. Okay. So when I write the lessons learned report, I also have to remember what are my reader's goals? Okay. So who's my audience? So the report that I'm writing is something that's hopefully going to be used as a guide by my clients. And then one of the things that I always make sure is that I write a good executive report, because depending on who your reader is, okay, there are some wherein they don't delve into the technical aspect, like the indicators of compromise.
They just want to know what happened, and the executive, you know, summary must have those, you know, think of it, the highlights, the important things, and especially for those higher-ups like executive level or something, they don't have time to delve into the nitty-gritty details and they just want, you know, the executive summary. But I also make sure that the technical aspect is also documented. It's put in the lessons learned report so that for the other teams that exist, it could be like engineering, it could be like, let's just say, if the network is, you know, part, if there's like something like network-related in the particular incident. So people in the network engineering, they look at it, they understand something there. So it's very important to make sure that I have the reader's goals in mind when I'm writing. Okay.

And then next slide, please. Okay. So in conclusion, okay, I want everyone to remember the mountain, so every time you look at the mountain, so I hope you remember the plot structure, because the plot structure will help you in terms of framing the narrative when you're creating any tabletop exercise for any simulations, or if you are trying to write your lessons learned report, like how did the event unfold? Okay. Remember the mountain. And then second point, think of your reader, okay. Who's your audience? Okay. What are their goals? What do they want out of your, let's just say, your lessons learned report, and make sure that you present it in an orderly manner. And then this one is my call to action to everyone. So everybody's saying like, oh, we have to be, you know, make sure that we have like enough people going into STEM. Okay.
Please also support the arts and creative industries, because all the things that I'm doing in terms of the technical aspect, the background that I've had in high school in terms of creative writing and other artistic classes that I took as electives has helped me in terms of communicating to the stakeholders, to management, about, you know, issues or about incidents. So please let's make sure that we support the arts and creative industries. Okay. Then next slide, please.

So if you have any questions, okay. Don't know whether we have that option here in this space, or I am in the Discord. Okay. You could ask me questions there, or you can like send me a message or like send me a DM on Twitter. Okay. Or it could be not even related to this. It could even be like any questions about where's the best coffee in Australia. No secret about it. It's in Melbourne. Okay. Thank you very much for your time, for having me here. And please take care, everyone. Okay.

Oh, yes. Go ahead and speak up. Gail should be able to hear what you're saying and respond. Okay. Is there a question? I think if there's a raise-hand icon there.

I did have a question. So this is related to but not exactly on your topic. So how often would you suggest that a company does tabletop exercises?

Let me just repeat this question. Ideally, how often should the company do tabletop exercises? Did I get it correctly?

Yes. Yes.

Okay. So ideally it should be on an annual basis. So and then why do I say on an annual basis? Because ideally your IR plan should be reviewed on an annual basis. Okay. So the ideal scenario is that, or the situation is that, you make sure that everyone's familiar with their incident response plan. So those who are involved in doing incident response should have a chance to go through it, to read through it. And then make sure that they're familiar with that. And then you make sure that you announce that you're going to have a tabletop exercise.
Make sure that everybody sets aside time for that. It doesn't have to be long. It could just be three hours or four hours, depending on how long the scenario is. So you can block half a day. And then you make sure that there is someone there who's taking down notes, because that's needed for the after-action report. Okay. And then you run your scenario, and then based out of that, you know, scenario, then, you know, you go back if you need to, you know, review, change your IR plan, or if there are certain, you know, policies, you know, or processes or procedures that need to be updated. So ideally on an annual basis. And then you make sure that once you've updated your IR plan, you put there the date wherein you conducted your tabletop exercise. Okay. So think of it as you tested your IR plan with that tabletop exercise. So does that answer your question?

Yes. Thank you.

Okay. No worries. Okay. Anybody else? Okay. No question. So once again, thank you very much. Okay. How do I drop the mic?

Press the letter R on your keyboard.

Sorry. The letter what?

Romeo. R.

Ah, Romeo. Okay. Thank you. Okay. And that's me. Thank you very much.

Well, thank you, Gail, for an excellent presentation. We have about six minutes till the next speaker. So hang around, take a mile break, and we'll be right back. Okay.