Tom here from Lawrence Systems, and I'm joined by John Hammond from Huntress. How you doing, John?

I'm all right, Tom. How are you?

We are starting a new series here, working with the team at Huntress, me and John. He's also a fellow creator; look him up, he does a lot of great videos diving into a lot of security stuff, and some deep dives, which I think my audience, your audience, and the Huntress audience all really want. We're gonna get technical here, but before we get technical, the first season, this episode, is gonna be about documentation. And this came up the other day. I actually tweeted, and I don't like calling it vague-tweeting, but obviously I can't talk in detail about client personal information. But basically a client was hit. Not one of ours, I hope; we got called in because they were hit, and I had posted my favorite Mike Tyson cyber security quote: "Everybody has a plan till they get hit in the face." I love that statement because it's true, because dealing with it head-on is very hard, and it was exasperated by this particular larger enterprise that had a lack of documentation.

So we're gonna talk today about documentation. It's important. It is the most boring part of it; everyone doesn't want to do it. But it is also absolutely critical when you as a third party come in there and start asking questions like, "What are we gonna do to work on this, and where are the servers? How are they connected?" And someone grabs a magic marker and just starts drawing. I'm like, oh boy. I understand the documents are encrypted now, but I was hoping someone had something. Nope. We didn't even have it. It's not even encrypted; we just didn't. We just kept building over the last X years of our existence, and we just have had people that all know, and part of the training was for the new people to start digging in. It's just not ideal, right?

Yeah.
I mean, if it's just stored up here, if it's all in your head, one day it might not be there anymore, or that person might be gone. So it's really, really important to have all this stuff kind of written down, documented, archived somewhere, somehow, so people can get into it. I know when we always open the problems like, "Hey, we have to have documentation, we have to have procedures and policies and stuff," it's really hard to solve that problem, because there's a lot to think about, and we wonder, okay, what do we need to document, or how? Because sure, we've got to keep track of assets or inventory, network data flow, stuff like that. What happens when X occurs? Whatever the case may be. Yeah, that's a lot of stuff to kind of figure out. So I will offer a shout-out and some love to the Blue Team Field Manual. Personally, I think this thing is fantastic. There's a lot of great stuff, both tech and non-tech, in here, but if you check out just one of the first pages, they'll talk about some key documents that you absolutely should have: organization chart, network diagrams, data flow diagrams, critical assets, incident bridge, incident response plan, business continuity, disaster recovery. Just stuff, ideas, kind of written down, so you'll know how to respond when stuff hits the fan.

Yeah, and this is one of those, you know, immediate things. When I started helping them with the chart, I said, "Hey, we've got to find out who your HR person is." Like, your tech guy, what do you care about HR? I said, probably someone's going to notice the business has ceased to function in its normal business. Probably HR and legal will want to discuss what the employees internally need to handle and how it externally will affect your clients. So, you know, there's a lot of things in there that don't sound technical, but it's just making sure that everyone knows where everyone is. That's why org chart gets mentioned in a Blue Team Field Manual. You've got to know who's responsible for what.
Now, since we started with cyber security, let's talk about cyber security controls. Probably one of the first things you really should work on getting documented. And we have a few things pulled up here, so let me jump over to one of my other desktops. And before we jump all the way into the NIST incident response (we're going to leave links in the show notes to all this too), which is a good one too. This is actually a pretty short one, and I think what we said, there's 70... Yeah, 79 pages of how to handle some of the incidents.

Kind of 79 as in, as in short?

Yeah, as in short. Look, authority and publications and boilerplate stuff that you don't really need to read; you can skip down. Acknowledgements of who included all this, that's great. Introductory, and now we can actually start: executive summary, and go in here. But following some of these guides, I know it's not the best reading, and maybe it'll put you to sleep, but at least if you go through these, they're really important to start understanding what structures are important from there. Now the next side of this is going to be: what do you document after you know some of this?
And the CIS Controls Navigator. This is really cool, from the Center for Internet Security, and I love these guys. I love the Center for Information Security... or Internet Security. They've got great hardening guides, processes to really get in the weeds on the keyboard, the tech stuff, and even this, even the high-level procedure and policy documentation. All this has to be in place.

Yeah, and I know a lot of it, people, part of their task, they come in, they take over, and their new position is... and they realize the previous position was gone because, well, they didn't document, they had a security incident, whatever reason. But they also find out that they are under compliance of one of these, like PCI DSS, or they have to follow one of these other baselines here, and they want to know what to do. Well, it is a daunting task if they're starting at zero for documentation. So if you're PCI DSS, or you want to follow the MITRE ATT&CK framework, or other ones than this one, you can just check these boxes and start. We can go "check all" if you want to go crazy, or just apply certain filters for it, or "uncheck all," but you figure out what things actually apply to you. And what this does when you're done (we'll do the full one here): we hit export, and it's going to think, because we have a lot of stuff in there, and here is an Excel file that you can start putting all the controls in, and it tells you what you need in here. And I opened it up in LibreOffice because I'm using Linux, but I think it comes up a little prettier in Excel. But you can go through here: users. What do you need to do? Default passwords: before deploying any new asset, change all default passwords. What these are is to start creating checkboxes for you to do, so you can start labeling these, create a legend, create some color coding of what has been done and what has not been done.
It's all written out here with titles and descriptions that are all in plain English, and it's a good way to start getting there. You can also divvy this up, so based on the asset type, device, physical layers or applications, and decide who needs to be assigned to what. You know, maybe you're in charge of the network, but maybe there's some work in here for some of the HR people to make sure things are done as well, because everyone kind of has a role to play when it comes to deploying security at a company. The end users are not immune from this; matter of fact, they're kind of like the front line operators, aren't they?

Yeah, they're the ones that usually are the most likely to have clicked on something to let things in, so making them a participant in this security assessment and having these types of things just laid out for you is great, because this can be that base document for you to start doing it. And you see how quick it was to create a document like that. I love the fact that it's in Excel, and that's not to say, okay, great, using Microsoft Excel is kind of a solution, but that's really, really portable. There's less of a barrier of entry on that, because maybe not everyone has Microsoft Office 365 Excel, but you could transform that into a comma-separated value file. It can be plain text if for whatever reason you need it to be, or you can load that up in, like, Google Sheets, and it can become a collaborative document, and you can add more to it, and that's accessible really from anywhere that's on the internet. And I mean, you'll have to make sure that's kind of, hey, kept to your own archives and your own library, but there's a lot of ease of use and ease of access in that.

That's one of the things I've preached a lot. People message me all the time.
"Hey, tell me you cover this unique piece of software on the channel." I'm like, one of the problems you run into is that accessibility and cross-compatibility, with either a third party or internally, making it easy for everyone to access. I mean, setting up, I can't remember the name of it, someone had something that runs in Docker, that's got some complexities to set up, that's supposed to help automatically map your network and then create all this thing, and then every user has to create a login. And I know, as someone managing things, how many more things that need logins and passwords to manage do I need? Get an Excel document, whether using G Suite, which is my preference, or, and we have a lot of clients using Office 365, you can still do collaborative document sharing there. You get the document located within your Office 365 environment, you get the document shared, now people can work on it. And just generally speaking, most end users can use Excel, or at least hopefully can, if they're working in an office-level position. So, you know, making the data accessible, I think, is first where you start. Maybe later you find something very niche, like if you are specifically managing a data center, okay, you have a different need than an IT person in a business. Those are, I'll admit, maybe you do need specialized software because your day-to-day operations is running Azure. But if you're not running Azure, you're not working at a large data center, you are more run-of-the-mill, going to run standard IT, finding the most accessible levels of documents is going to be more helpful to the progress of your work. Also, you don't want to be the only one doing it.
Trust me, that's an instant failure, because you will not have time. The more you can break out and delegate is going to be better.

Good team.

Yeah, have a team. Now I will talk about one more thing here before I pivot over to a little bit of another tool that I really like for documentation, which is going to be... well, I closed... did I close my Excel document? No, I have this in Google Sheets, but this started as an Excel document. So my company does a lot of infrastructure builds, and Excel is also the common language we get to speak between the companies that hire us to build infrastructure at the remote locations. And this particular project has some weird naming, because this is a company, I believe they are based out of Vegas. We're here in Detroit, but these are how they sent us the documents on how to build their Detroit office. They have offices all over the place. And one of the advantages of doing this and throwing this Excel document in Google Sheets again: this is a rack. There's so many U's that a rack has, where does the horizontal stuff go, and this is that physical-layer documentation: what is in each section of the rack, what goes in there. Now, we were only building infrastructure. They actually have a whole separate rack that went for their servers, which were kind of pretty; I don't have a copy of them. We just happened to see them, because they sent their team in to rack the servers. But the same thing: they would put what's in, like they had a 4U storage server, they had some things like the Tripp Lite console server that was in here, a 1U horizontal rack manager. Once again, why was all this in Excel? Because people building infrastructure... we're at the point where there's no internet in this building. As a matter of fact, the lights were kind of dangled by electricians, because electrical wasn't finished, because we're there at the construction phase. This is a physical new build-out.
So having this on a phone or a tablet with internet access, because like I said the building doesn't have it, and putting in how this stuff goes. It's that barrier of communication being eliminated, for being able to do this. And this is their FEC WAR MDF rack and FEC WAR IDF, so there were two different locations, primary and then the intermediary IDF system here, and a lot of these were open. Well, this is actually how it ended up. They sent us something different; we actually had to move things around because it wouldn't fit, but it was easily edited on the phone. Back to that low barrier of entry.

So this is awesome. Yeah, it's just simple. Exactly like this, it keeps it simple, it keeps it easy. It doesn't have to be over-engineered or complex. You don't need incredible elegance. You've just got to write it down. You just got to have it. You have to go through these CIS Controls, you have to go through this NIST framework guide. The onus is kind of on you, just to make sure that we have some idea, and it's concrete and established, as to what we have and where it is and how it lives. This is awesome. This is a great, simple solution.

And one thing that's really important, and this is my previous days: I worked as corporate IT for a transportation provider that worked in the automotive sector, and so we had to do, if you're not familiar with it, ISO documentation. And one thing was, you would fail your ISO if you didn't put the date on everything, because everything has a date. And that's actually really important, because this is how documentation gets out of date. Because if you remember you added a new server or something, but you look at the date you added the server and the date on the documentation, you know it's wrong.
If you ever have to print these, it's easy enough to see the revisions inside of here, because it keeps the revision history. I can just go to version history, blah blah blah. But when you print any of these (which, by the way, do it, because back to my very first statement about things being encrypted: if they would have had all those documents, they would have been encrypted, and they wouldn't have had all those documents), so at least somewhere in the server rooms, print these out. But make sure you put a date on them, or write a date on when they're printed, so you know that's the time of life with this.

Now, over here, I've done a whole video on diagrams.net, formerly called draw.io. They did some name changing, but the software is the same. This is free, open source, embeddable in Confluence for those of you that are doing things in Confluence, embeddable in a lot of different formats. But what this allows you to do is, without having to pay any license fees... also, it makes it easily shareable because it's free, via the web version, via the download version. You can easily share diagrams and documents with people. I mentioned it, I mean, I know I was a long-time Visio user, so I realize Visio is primarily kind of the gold standard out there, but still, not everybody has it. The nice thing about this: it's easy for everyone to have it and start speaking the same language very quickly. Matter of fact, without loading anything, they can open it up in a web browser and upload your diagram and start editing it and send it back to you. They don't need to install anything. Matter of fact, we'll go a step further, and I have this in my demo: you can export these to, like, a PNG file.
So it's just like a graphic, but then it shadow-embeds in there the XML to recreate it. So you can actually open, import the PNG, and if it was created with draw.io, it pulls it back out and reassesses it.

And it looks like it's great for just like network diagrams, data flow diagrams, anything that you just need to draw out like this. This looks like an easy and awesome solution.

Yeah, really easy to use. It's free, so low barrier of entry; you don't have to go seek approval to get this integrated into your network. It doesn't have any ongoing license fees. It's all open source. And, you know, things like this: this is the lab. Is this my lab one? Yeah... well, no, this is actually one of my other ones. But first, breaking down: what are these servers? What's on these servers, and things like that. So I know and have documentation, and then I print this, and it's actually, you know, taped inside my server rack. That way, if the lights are out because some catastrophic explosion happens, at least we know what servers are which, what's on them, why they're critical. So that's what the servers are listed here, and some of the basics. This one here is just one of their templates, but it shows, like, a VMware with a disaster recovery site deployment, how you'd do it. And in terms of being able to create templates: it's hard starting at a blank sheet. It's just one of those, you stare at it. And we'll hit "create new diagram," and I'll only drag this over to the right screen. File, New. Back to, we said, well, cloud, flow charts here.

They already have a ton of examples, right? They already have a good handful of templates you could use to work with.

Yep, lots of different types of charts that you can use here. Network charts, other charts, different types of groupings for things, and it's really nice once you start with some of these. Makes life so much easier.
Even if it's just a basic... we mentioned org chart, right here, create. Now, kind of a fun thing when you're creating these: it does allow you to embed links, email links, and everything else, just like Visio does. I know that's a popular feature, being able to have all that. And I've seen someone do some really slick ones. Some of our clients have taken the time to do this: when they're documenting the servers, they hyperlink, like, the iDRAC controllers in there, so each one you click on for that server launches you to the iDRAC page. For when you're documenting servers, that's just handy when you want to, like, "I need to get into the server. I first need to identify the server. Oh no, how do I get to the iDRAC? I have another IP list." Or just put hyperlinks to all your servers inside your draw.io file. Like, don't overthink it. And then, once you embed this, there's an option to embed this as HTML, and obviously make it that much easier. And back to what I said earlier, Confluence and things like that, you can put it in there, so it's shared with your team really easily. Or just PNG files, etc., and away you go. So this is a fun tool.

Well, hey, that's a great bundle, I think. Between network diagrams, we could use diagrams.net; sure, you could do some Visio, sure, you could do some, like, Lucidchart, whatever you're interested in. Excel for, hey, maybe some asset tracking, maybe some how the server rack looks. And working through those, like, Center for Internet Security guides, working through those to build out checklists, build out disaster recovery plans, whatever you might need. There's a good amount to go through.

Yeah, I think you have to get people started. I mean, if we just set our own talk to documentation, like I said, it's not the most exciting aspect of IT, but it is such a fundamental part, and it just makes your job easier when a disaster does occur, because you have a process, a procedure.
What to do. This was a well-received thing that we did on that big Huntress hack_it event. It's been a month, or just a couple weeks now? I guess it was October, so it's been a month now.

Been a month now.

You know, the choose-your-own-adventure was fun, but you don't really want to do that in real life when you're going through, "There's been an incident, now what?" Choose your own adventure: what steps are next? The best time to think about them is before they happen. So this was our first episode of some of these IT tips. I don't know if we have an exact name for these, but we're working on more series of these, and we do love feedback, so leave comments and everything of what more you'd like to hear from us. We will leave links in the show notes to all the things we mentioned: of course a link to the Blue Team handbook, the NIST guidelines, the CIS Controls, and draw.io, well, draw.io or diagrams.net. I think they still have a redirect for draw.io. I still want to call it that, because when I reviewed it, that's what it was still called.

I think so. Naming conventions, silly names, domains and all that fun stuff. Well, hey, this was a blast, Tom. Thanks so much, and I'm excited for us to keep chatting again.

Yep, and we have more topics. But if you have a specific topic you want covered next, because we can have a long list to go through... don't worry, if you don't say nothing, we'll still come up with more. And you can check out both of us; we each have our own individual channels as well.
So we're easy people to find. And I think... and thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general. Even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel out in other ways, head over to our affiliate page. We have a lot of great tech offers for you. And once again, thanks for watching, and see you next time.