CCT 116: Incident Resilience - Navigating the CISSP Incident Management Maze (D7)

Feb 19, 2024
 

Prepare to elevate your cybersecurity savvy to new heights! Join Sean Gerber as we dissect the nuts and bolts of the incident response process, an indispensable asset for acing the CISSP exam and bolstering your organization's digital defense. This episode is a treasure trove of strategies, focusing on crafting top-notch incident response plans and fostering a security culture that can withstand the toughest cyber challenges. Whether you're a part of a burgeoning small business or a sprawling enterprise, you'll uncover tailored advice on utilizing firewall and DNS protection, embracing multi-factor authentication, and more. Don't forget to catch the unveiling of "Reduce Cyber Risk," the podcast set to empower SMBs with state-of-the-art cybersecurity tactics.

Imagine if your cross-departmental team could seamlessly orchestrate their cyber defense responses. We've got you covered with a deep dive into the art of conducting tabletop exercises, bringing together the brightest from management, IT, HR, and public relations to fortify incident response strategies. Sean illuminates real-world scenarios, from ransomware to insider threats, and emphasizes the importance of tools like SIEM systems and firewall log monitoring. By adopting the perspective of an ethical hacker, you'll gain a competitive edge, learning to set up formidable defenses that keep potential threats at bay.

Wrapping up the cyber odyssey, we navigate through best practices for managing infected machines and minimizing cyber threats. You'll learn about the tightrope walk of containing malware while keeping the business gears turning, especially when critical servers come into play. Sean walks you through a litany of recovery methods, from leveraging third-party services to tackling zero-day exploits. As we broach the subject of regulatory repercussions following data breaches, the conversation turns to the art of remediation, the importance of patch management, and embedding a proactive security mindset throughout your corporate culture. With this episode, your data—and your trust—will never be more secure.

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and sign up to join the team for free.

TRANSCRIPT

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Good morning, it's Sean Gerber with CISSP Cyber Training, and I hope you all are having a beautiful day today. Today is an amazing day where we're going to be talking about the incident response process and some key factors that you need to be aware of as it relates to that. One, for taking the CISSP and two, as a cybersecurity professional who is going to be helping save the planet from the evil hacker horde, and that's your ultimate goal, right? So, as you're going to pass the CISSP, you want to be out there to help people and help companies be successful, and then, financially, you want to gain from that. Right, it's all about. Well, we're going to be talking about incident response and kind of how the plans should be, some key things you need to be aware of as it relates to the CISSP exam. But before we do, what I'm trying to do is bring in more content, a few articles that have been out there in the news that can help you as a CISSP and as a security professional within your organization. Also know I'm going to be making some changes, obviously. CISSP Cyber Training is going to stay the same, but I'm going to be launching a new podcast called Reduce Cyber Risk.
I actually had used both the Reduce Cyber Risk podcast and the CISSP podcast kind of as one and the same, but I'm going to relaunch the Reduce Cyber Risk podcast to be specifically focused on SMB protection, basically small, medium-sized businesses and governmental organizations that are small, that need protection from the evil hacker horde, and the ultimate goal is just to kind of help expand that exposure so that people are prepared for the event that there's going to be a cyber incident. Because, guess what, as you all are listening to this, you know it's not a matter of if, it's a matter of when. Okay, so this is an article that came out in Computerworld. Now, this was sponsored by Cisco, so obviously it has a Cisco slant to it. But there are some key things as a security professional you need to be aware of that would really help reduce your organization's cybersecurity footprint, right, and there are some of the issues they may have. Now, the comment they bring up is that about 43% of cyber attacks are aimed at SMBs. So if you're not familiar with what an SMB is, it's a small, medium-sized business. So you could have something from a small machine shop of five people up to as many as a medium-sized business like over a billion in gross sales. So that means that, with large organizations, you're talking a wide swath of individuals and companies that could be affected by these various attacks, and the reason these SMBs are, in many cases, attacked more often than some of the larger companies: one, the larger companies can thwart it, but two, the SMBs usually don't have the same kind of budget that a medium or a large company may have.
So one of the things that is recommended is increasing your technology investment, and this IDC is a company that is similar to Gartner, and they go out and they give recommendations on what you should do, and obviously the recommendation is that you need to have security as part of your company's mindset, their culture, and you need to invest more in the security stack that might be available out there for you. Now, as you're considering protecting your organization, one of the things we always talk about here is making sure you have patches. You have all of the support requests up to date. Everything is in place to help protect your company from the various vulnerabilities that are out there. Now Cisco recommends these four main things that you should do to help deal with emerging threats, and we're just going to briefly go over them. And we've talked about this in this overall cybersecurity, the CISSP. But one of the things is firewall and DNS protection. You need to have some level of high-quality firewalls and DNS protection for your organization. Now they obviously include their Meraki firewalls and Umbrella as their products, but you need to have something out there that's of good quality that you could use within your organization, and these firewalls could be virtual, they could be hardware-based, depending upon your organization and how it is architected. It will depend a lot on what type of firewalls you want to use, but again, I know these are basic concepts, but it's important to understand that a lot of these things, if you do the basics, you will dramatically reduce the risk to your organization. Obviously, multi-factor authentication: Cisco has Duo that they use. You can use Ping or any other types of multi-factor authentication that are out there. In many cases, these are very plug and play.
They're designed very quickly to be integrated within a small or medium-sized business, so there's lots of opportunity there that you can do this, and it's not super expensive to integrate these types of multi-factor solutions. Another option is single sign-on. Now, this is what allows you, obviously your employees, to use the one set of credentials to log into multiple applications, and then that way, they don't have to remember various passwords. So that's an important part in this overall plan as well. If you have some level of single sign-on, and potentially it's even incorporated within your multi-factor stack, that will help reduce the risk of employees having passwords that they will reuse over and over again, which will then dramatically reduce your risk as well. So Duo, in the case of Cisco, will do all that for you, and I've used Duo in the past. Great product, works awesome, and it may give you what you actually need. Endpoint protection: obviously, when you're dealing with this, do you have like a CrowdStrike or do you have a McAfee? Do you have some sort of endpoint protection on? And then, do you have any VPNs that are allowing access within your environment, any virtual private networks that you have? You want to make sure that you have all of those documented and all of those well protected. I mean, and these are basic things, right? So if you're studying your CISSP, you're going, well, yeah, this is what most people should be doing, and you're right, they should be doing it, but I see it time and time again that they're not doing it. So therefore, you, as a person who's studying for your CISSP, need to come to them and provide these kinds of tools to help them pass. Not really pass, well, pass not the test, but pass the hack that's heading their way. So it's up to you to help provide that information for them. Okay, let's roll into what we're going to be talking about today.
Okay, so, as this relates to 7.6.1 of the CISSP, okay, so, as we get started, we're gonna be getting into domain 7.6.1-ish, and that's gonna cover, I think, .1 through .7. But we're gonna be covering the incident response process from the ISC squared book on the certified information security professional, and this is chapter 17 of what you would do. So, if you're matching this up to what the book would have, you're going to be able to see that in chapter 17. These are some of the key concepts you're gonna have to know for incident response. So we're gonna kind of go through each of these and how you would deal with it, one for the test and then two, how you can transpose that information that you learn into your daily activities. So, first thing, we're gonna be talking about preparing. So you're gonna prepare, and this is the pre-incident phase. You want to make sure that, before you even go to an organization and you're sitting there going, okay, I'm ready for my incident, you wanna have an incident response plan at least drafted in your mind and then put that on paper, and then from there you can help develop how you wanna deal with the overall incident if it were to happen. Now, one of the things that can be very valuable in this, and I'm a big proponent of using the technology to help you be successful, is utilizing AI to help you, especially if you're in a new company or you're just getting started. Utilize AI to help you create these various scenarios or these various situations that you have, to help you create the best product that you could potentially get, and this comes down to incident response plan creation. I would recommend that you go out and have either Microsoft Copilot, ChatGPT, or maybe Bard create for you an incident response plan.
Now, this response plan will gather the information on the internet, put something together and it will put it in a paper format for you to be able to utilize it. Now it's very generic. It's not gonna be enough for you to go, okay, here you go, here's my incident response plan. It's going to force you to dig into it and add to it, but it's a great way to give you an outline to help you create a product that you can then put within your organization, and it'll help you create this. Really, you need to have a very comprehensive and detailed incident response plan that includes roles, responsibilities, communication channels and the overall escalation procedures, and this is one that we've talked about in CISSP Cyber Training: what is your plan and how are you going to execute on your plan? And then you need to test your plan, and that's one of the key factors, is around training and drills. You do need to conduct regular tabletop exercises with your various teams to test this out. Now, the teams will include your management, but it'll also include your infrastructure folks, people that are doing your IT work, your HR people and your PR, you know, your public relations folks or maybe your public affairs type folks, and if you're in a small and medium-sized company, you're probably going, well, that's probably like four people, and that might be all you need, but I would also recommend that you have the owner of that organization with you as well. It's important that the owner understands what is going into a cyber incident and how would that person run from that, or run that incident, as well. So it's important that you do this, and then, as you do these regular tabletops, you want to come up with different scenarios around these. Now, these could be a ransomware type scenario. These could be an insider threat type scenario. When you're talking insider threat, you're going, well, how would that? Let's talk about a small and medium-sized business.
What does that mean? That means maybe you have an engineer, and this engineer is thinking of leaving the company, and this engineer wants to take the information that he's created working for this small company and take it to another company. How would you deal with that? How would you deal with, all of a sudden, your entire hard drive is gone because somebody copied it? Those are things that you're going to want to go through in training so that you understand how to respond to them, both from an internal process, but potentially even from a law enforcement situation. So those are the kinds of training and drills you want to go through, and that's how you want to have that prepared in a pre-incident situation, so that you're available and ready to act on it once the situation would occur. You also want to consider what are some tool acquisitions and configuration pieces that you want to put in place prior to this all occurring. Now, this could be a situation where you have forensic types of tools in place. Maybe you have a SIEM, which is your security incident event management type of tool, that you have in place. It could be as simple as you have maybe a communication process that's available, already purchased, ready to go in the event there's an issue. You may decide, you know what, I'm not going to purchase any of these things, but I know what tools I'm going to use in the event something bad were to happen. Now I wouldn't recommend that last one. I actually would recommend purchasing the products as well, just because it's really hard to test it if you don't actually have it, but you're going to have to dedicate resources to go and do this. But if you integrate these tools: one, you purchase them; two, you test them; and then you test them on a frequent basis.
When that situation does occur, you will have the ability to respond to it very, very quickly, much quicker than if you didn't, obviously, practice for it. Okay, so now we're gonna talk about the detection, more or less the identification phase. So this comes into: you want to ensure that during this piece of this, you have in place all of the necessary tools to be able to detect there's a bad thing happening, just like we talked about with the article about Cisco. You wanna ensure you have firewalls in place. You wanna ensure not just that they're enabled, but that there are logs being generated from these firewalls that are being sent to various systems, and these could be critical systems. You could have a situation where you have the firewall up. It's your, maybe your internet front-facing firewall. It's up, it's limiting traffic coming into your company, but, let's say, the bad guys or girls get into your environment. Well, if you don't have the logging enabled and it's not going into a SIEM or somebody's not monitoring it, then you may not even understand that you had an issue, when all of a sudden everything blows up and you're like, well, I didn't realize we had an issue. Well, yeah, because if nobody's watching the firewalls and nobody's monitoring these systems, you may not ever know. Now, one thing you may think about as a security professional is it may not be where you buy the tools internally. Maybe you outsource this capability to a third party. I know CrowdStrike is a great example of this. CrowdStrike actually has a managed service provider product that, in turn, you can sign up for, and they will manage and monitor all of your infrastructure and ensure that nothing bad will happen. This is a really good product for small, medium-sized businesses, because they just don't have the money or the resources to be able to buy all this information or buy all this infrastructure.
You also wanna create alerts for any sort of suspicious activity that may have been attempted. Now, what you wanna consider, and this is, I recommend this, is why I'm not a big proponent of certifications, but I am a proponent of taking some of the courseware that goes with the certification. So, as an example, if you have individuals that are in your organization that may have studied for the Certified Ethical Hacker program: the certification, getting the cert, is fine, but understanding the training behind the Certified Ethical Hacker is really important, because you understand a bit more of how does an attacker look at an organization, and therefore you can put in place some alerts that would trigger in the event that there is a potential issue. And so that's a really important factor, is that you have to understand the mind of the adversary. If you don't understand the mind of the adversary, the odds are highly likely that you will not truly be able to. They will get around you. They will work around your path. One of the things: I've talked to a couple of friends of mine that are here locally that work for a strong cyber organization, and they work on the red team piece of this. They're going against some companies that I've worked with in the past, and one of the comments that I've made to them is, most times, cybersecurity professionals will look at the, they call it the low-hanging fruit, which I actually hate that term. It is stuff that's easy, right. So if you have tools that are telling you that, if you fix this problem, it's a high or critical issue, then security professionals go, oh great, let's fix it. High, critical, fixed it, boom, done. That's great. But what about the medium ones? And if you're an attacker, will an attacker leverage a medium vulnerability? And I will say, yes, they will do that all day long, because they know that they can do that under the wire and you won't even look for them.
So I say all of this to basically say that understanding the mind of an attacker is a really good thing for putting alerts in your organization to understand if somebody's trying to gain access to your company, and this could be multiple failed login attempts, it could be service accounts that may be used in off times or off hours. All of those things can be set up to alert for suspicious activities. The other thing is network traffic analysis. You really wanna look for any sort of network traffic that might be occurring that is out of the ordinary. Do you have unexpected spikes in your network traffic? Are your IDS, your intrusion detection and prevention systems, flagging on potential threats that may look like a false positive, but are they truly a false positive? Are they something that is actually legit? And so therefore, it's important that you understand the patterns and the behaviors of these systems so that you can ensure that they're properly being mitigated and monitored. And also, if you do hire out a third party to do some of this for you, it's imperative that you know your network so that you can explain to this third party what may be a false positive and what may not be a false positive. So that's just kind of something to consider. Last thing is behavior analysis, or analytics. You need to understand the behaviors of your people. Do they have access to sensitive files? Are there compromised accounts that maybe they're leveraging that you didn't? Maybe there's an account with a contractor that has been dormant for a while and now that's being leveraged? Those behavioral analytics are a key factor in also discovering if you have a problem. So, again, that's the detection phase. Okay, so let's roll into the response phase. Now, in the response phase, this is how do you respond in the event something were to happen? So let's say you have malware that hits your organization and it hits multiple workstations.
How are you gonna deal with that? Are you gonna isolate it? Are you gonna segregate it off? Are you going to do like, I know someone in another company, when they got hacked, they just started ripping devices out of the wall. Are you gonna do that? Probably wouldn't be a good idea, but maybe that's your only choice, maybe that's all you can do. So it's important that, how would you isolate these infected machines on the network to prevent further spreading of the malicious software? You're gonna have to figure out how do you contain it. Then, when you're dealing with how you would respond, in the fact of how would you eradicate it? So if you have a web server that's hosting it and it gets attacked and the malicious software is all over it, how would you eradicate it off of a web server? And maybe, if that web server is your only front-facing server, that one is your company, everybody sees it. Okay, so that would be bad, but that's not the end of the world. But maybe, just maybe, that's the only web server that you have that communicates with the outside world at all; it's it. So if there are any sort of EDI connections, which is your electronic data interchange, any sort of funds that are transferred between your organization and another, and it's through that one web server, well, what happens? You take it down. What are you gonna do? Now you can't communicate outbound, you can't transfer funds. It just depends on your organization. That could be a critical piece of system that was within your company that you would have to know about. So you also wanna look at how do you reduce the malicious files, how would you patch for vulnerabilities and then how would you harden up the security settings for that specific server? Is that server a physical server sitting in a rack somewhere in Rackspace or maybe in your own data center? Or is it a virtual server that's sitting in AWS that you can turn around and then maybe blow away and start all over again?
I don't know, but that's something you have to consider and know. How would you eradicate this problem from your organization? Now, the eradication could be multiple steps too. It could be something where you originally just get yourself up and operational, but then you have to go through a very arduous process of removing the software from these various systems. Then the last part of this, from eradication, is how would you recover in this situation? So, say, for example, you get a denial of service attack and it hits your online web server. How would you bring this back? One, but two, how would you be able to monitor that you're not getting a DDoS attack again in the future? Now, that may require, you can do it at the server itself, but it's a really bad place to do it. You may have to work with other organizations like Cloudflare, or you may have to buy another product that does denial of service mitigations for you. So those are things you're gonna have to be aware of as it relates to trying to recover from this type of an event. Now step four is the mitigation piece of this. You're gonna have to work, like we talked about, when you're mitigating this problem, in a couple of different areas. One, you deal with workarounds, and then two, you deal with isolation. We kind of talked about this with the denial of service attack. How would you work around that denial of service attack? How would you deal with getting your products back or your systems back online? And again, it could be from Cloudflare and they're shunting all the traffic. It could be the fact that you start to stand up a whole new internet presence and you work out of there. You're gonna have to figure out what would be your temporary workaround to be able to deal with this situation. If there's a critical vulnerability, how would you patch this, and how could you do a temporary patch until a permanent patch is fixed?
So let's just say it's a zero-day for a specific application, and you know there are zero-days out there. You know that the application does not have a patch. How would you mitigate the problem? How would you manage the problem? Is it a front-facing website or is it internal to your organization? You may have to understand, you know what, if this server gets compromised because there's a zero-day on it and it's front-facing, you may wanna take it down. You may not wanna leave it up. You may wanna move it into your network and allow a reverse proxy to basically bring data into that specific server and that specific server only. So there are different scenarios you're gonna have to work through to ensure that you don't have the network compromised. You wanna isolate that server from other parts, again to prevent lateral movement. So what does that mean? That means that if you have that server, let's say it's on the front, it's a web server and it's available to the internet, but it's got a critical vulnerability that you can't patch immediately, what could you do? These are just some options. You could bring it into your network. You could have a reverse proxy set up so that if anybody wants to gain access to this server, they have to go to a specific address. That would then in turn drop them into your network to gain access to this server. But by doing that you would also then limit that server so nothing else can communicate to that server except the internet, and that would limit the amount of exposure if someone were trying to get into your network or they could do lateral movement within your company. Now, that may be fine for a very short period of time, but in many cases, if it's sitting as a web server on the front, on the internet, you want it to communicate with other things. So sitting it internal to your network and not being able to communicate may defeat the purpose a bit.
So you're going to have to just decide how you would manage that, and so that's where you'll work with your architects to figure out what is the best course of action around it. Now, when you're dealing with reporting, what could you do as it relates to dealing with the report? What are some different aspects that you can come into when it comes to reporting? Well, data breach reporting, as you can see, is getting to become a huge factor, especially when it comes to regulations. I am dealing with this all the time. I see this from both China, I see it from the United States and in Europe as well. There are new regulations that are coming out that are forcing security professionals to be experts in so many things. NIS2 out of Europe is a huge factor in new emerging technologies, and it's putting a lot of restrictions on companies that are putting in this technology in Europe. You need to be aware of that. Well, if there's an incident that occurs, who are you going to call? Not Ghostbusters. You could call Ghostbusters, but they may not help you a lot. But when it comes to an incident, are you going to call the CEO? You want to have a plan, and this part comes down to a part of the beginning where you have an incident response process to call in the event that there is an incident. I call the CEO, I call the CIO, I call IT, I call a regulator. Do I deal with a regulator that is in my space? In the United States, you have the Environmental Protection Agency. Is there a regulator you've got to talk to with them? Do you have to deal with the Department of Homeland Security? In China, it's the MIIT. Who do you talk to there? You're going to have to have all of these various types of responses planned and ready to go.
You also need to make sure, though, that if you do have it, we've mentioned this at CISSP Cyber Training multiple times, just because you have a breach does not mean you need to notify somebody immediately. Now, if they have notification requirements, yes, you need to meet whatever the compliance requirements are around breach notification, but we talked about this before. When it comes to breach notification, you need to have some lawyer friends, everybody get in a room and decide: what is a breach notification? When will we do a breach notification? The reason is because of that term. Don't leave that up to just your interpretation or the lawyer's interpretation of what it is, and have that well-defined and understood by all parties. It's an important factor, one of the most important factors I can tell you, as it relates to incident management. Have that defined. You know what it's like; Mike Tyson said, and I love this quote, he goes, you have a plan when you go in the ring until you get hit in the face, and then your plan goes out the window and you have a new plan. Well, that's the same thing with this incident response process. You have a plan until the malware hits you in the face, and then you come up with a new plan, but at least you've discussed the plan, so you know what you may or may not do. Actions taken: for a successful phishing attack and the compromises that potentially could happen with employee credentials, you need to understand how the incident was handled and then how you deal with password resets, user education and so forth. So, again, those are all the things that can happen through a reporting process relating to incident response. You also need to have some sort of lessons learned process that you would go through related to this, which we'll get into next; that's in section seven.
But when you're dealing with reporting, having a lessons learned plan, dealing with the regulators and with your senior leadership is an important factor as well. Step six, this is where you're dealing with recovery. How do you recover from the situation? And this comes into: do you have images that are already built that you can recover from, or do you need to validate why it crashed, why you had this situation? Was it because of malicious software? Was it because of, maybe, a new hardware update? Was it due to somebody just hitting star dot star delete? What was it? You need to understand those and recover from that. But do you have a plan to recover these systems? Is the recovery something that is relatively simple to do? So if you have backup systems, can you just restore from these backups with a push of a button? Is it to the point where it's all images and we can restore, not a problem? That is where you want to be. That is the ultimate litmus test: that you don't have to worry about business resiliency and that you can stay operational no matter what the situation, no matter what the time, whatever you may run into. You also need to have a monitoring plan put in place, and this would deal around: do you have any sort of, if someone defaces your website, how would you know that someone defaced it? Is that just the fact that someone tells you, or do you have some sort of alerting and monitoring to let you know that that potentially could happen? You always need to make sure that you have your monitoring on the site and you're having people tell you that if something seems out of the ordinary or different, they alert you and let you know as soon as they possibly can. It's important that they communicate all the time and that you, as a security professional, are constantly reaching out to them, trying to get that communication going with them. Last thing is remediation and lessons learned.
You want to make sure that you have some sort of remediation put in place to deal with any of these issues that may come up. This comes down to a plan. This is your incident response plan. It may not be part of your response plan; it may not be the fact that, okay, I'm going to respond because it's an incident. Well, what if you just discover that you have systems that are outdated, that need to be patched? How are you going to respond to that? What is your patch management plan? And then also, do you have any sort of user training that's teaching people how to deal with these risks as well? This comes down to phishing incidents. How would you handle that? Do you have a process in place to teach your employees around phishing incidents, and not just, okay, they discover there's an incident, how do they report the incident? I try to come back to the fact that every employee is a sensor. Every employee is one that will tell you if something does not seem right within your organization. The problem with that, though, is sometimes people will report stuff that isn't necessary because they don't know, and it causes a lot of churn. But I would rather have the churn of someone reporting something that is not right, that actually was a false positive, than someone that just decides not to report something that was legitimately a phish, and now I have a much bigger problem that I could have had resolved much earlier.

And then the last thing, when it deals with the incident response, is your lessons learned. You want to have a plan as it relates to how you would deal with lessons learned, from your post mortem to policy updates to training enhancements. So what does a post mortem mean? You go through this process when your incident is done.
You walk through what happened, what went well, what went badly, where could we add benefit, where could we take something away, and then you make policy updates to this situation, so that when the situation occurs again, you don't make the same mistakes twice. Now, it may be a policy update, it may be the fact that you have a better communication plan with your people, but whatever that is, you make these updates, you make these changes to your organization quickly and effectively so that the next time the situation occurs, you now can learn from it and move on. And then you make some training enhancements. I would highly recommend that you have some level of training for all of the people involved in the exercise, where you're dealing with this incident, as well as follow-on employees, to tell them, hey, this incident occurred, these are the findings we got out of it, and here is some specific training specifically for you.

Now, I will tell you that sharing findings with all your employees may not be the best option. I was just going to kind of couch a little bit of what I said. Sharing the findings with the senior leadership, that's important. Sharing it with all the employees, probably not the best idea. One, you don't want them to know some of the things that happened. But I would share with your employees that you did do a tabletop exercise, it was successful, and that you had some great learnings that would affect them directly, just because they need to know that you're doing these things. One, from my TNO, "I trust no one," but also to the fact that, you know, they need to know that you're doing these things to help protect the data, and it's their responsibility as an employee to highlight any problems they run into. They, too, should bring that up to leadership and ensure that it's protected. Okay, that's all I have for today on the incident response.
This again was 7.6.1; you can get this in chapter 17 of the ISC² book, and you can go ahead and listen to this while you're reading along, and it will give you some guidance and direction. All right, I hope you guys have a wonderful, wonderful day, and we will catch you all on the flip side. See ya.
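The monitoring question raised in the episode (how would you know if someone defaced your website, other than someone telling you?) is concrete enough to show in code. The script below is an added example, not something from the episode, the CISSP Cyber Training material, or the ISC² book: it compares a page against a known-good baseline, masks regions that legitimately change between fetches (dates, session tokens) so they do not raise false alarms, and, when the content really differs, reports exactly which lines changed so the responder can decide whether it is a defacement or an authorized update. The HTML pages, the hostname "Example Corp" and the "defaced" heading are all constructed sample data; in a real deployment `current_html` would come from a scheduled fetch of the live site and the baseline from a release artifact.

```python
"""Detect unauthorized changes to a web page by comparing it against a known-good baseline.

Added illustrative example (not from the episode). Baseline and sample pages are constructed.
"""
import difflib
import hashlib
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Regions that legitimately change between fetches are masked before hashing, so a
# rotating "last updated" stamp or a per-session token does not trigger a false alarm.
DEFAULT_DYNAMIC_PATTERNS = (
    r"\d{4}-\d{2}-\d{2}(?:[ T]\d{2}:\d{2}(?::\d{2})?)?",  # ISO-style dates/times
    r"csrf_token=[A-Za-z0-9_-]+",                           # per-session tokens (assumed format)
)


@dataclass
class PageCheck:
    """Result of one comparison: whether the page changed and which lines differ."""
    changed: bool
    baseline_digest: str
    current_digest: str
    changed_lines: List[str] = field(default_factory=list)


def normalize(html: str, patterns: Iterable[str] = DEFAULT_DYNAMIC_PATTERNS) -> str:
    """Mask dynamic regions and strip insignificant whitespace so only real edits remain."""
    text = html
    for pat in patterns:
        text = re.sub(pat, "<DYNAMIC>", text)
    return "\n".join(line.strip() for line in text.splitlines() if line.strip())


def digest(html: str, patterns: Iterable[str] = DEFAULT_DYNAMIC_PATTERNS) -> str:
    """SHA-256 of the normalized page; this is what you would store as the baseline."""
    return hashlib.sha256(normalize(html, patterns).encode("utf-8")).hexdigest()


def check_page(baseline_html: str, current_html: str,
               patterns: Iterable[str] = DEFAULT_DYNAMIC_PATTERNS) -> PageCheck:
    """Compare the current page to the baseline and list the lines that differ."""
    base = normalize(baseline_html, patterns)
    cur = normalize(current_html, patterns)
    base_digest = hashlib.sha256(base.encode("utf-8")).hexdigest()
    cur_digest = hashlib.sha256(cur.encode("utf-8")).hexdigest()
    changed_lines: List[str] = []
    if base_digest != cur_digest:
        # n=0 keeps only the differing lines; skip the ---/+++ file headers.
        for line in difflib.unified_diff(base.splitlines(), cur.splitlines(), lineterm="", n=0):
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---")):
                changed_lines.append(line)
    return PageCheck(base_digest != cur_digest, base_digest, cur_digest, changed_lines)


# Constructed sample pages: a known-good baseline, the same page after a legitimate
# timestamp rotation, and a defaced copy with the headline replaced.
BASELINE = """<html>
<head><title>Example Corp</title></head>
<body>
  <h1>Welcome to Example Corp</h1>
  <p>Trusted services since 1999.</p>
  <footer>Last updated 2024-02-19 09:00</footer>
</body>
</html>"""

ROTATED = BASELINE.replace("2024-02-19 09:00", "2024-02-20 14:30")
DEFACED = BASELINE.replace("<h1>Welcome to Example Corp</h1>",
                           "<h1>This site has been defaced</h1>")


def run_checks() -> dict:
    """Run both comparisons; a monitoring job would alert only when `changed` is True."""
    return {"rotated": check_page(BASELINE, ROTATED), "defaced": check_page(BASELINE, DEFACED)}


if __name__ == "__main__":
    for name, result in run_checks().items():
        status = "ALERT" if result.changed else "ok"
        print(f"{name}: {status} ({result.current_digest[:12]})")
        for line in result.changed_lines:
            print("   ", line)
```

Running it reports `rotated: ok` and `defaced: ALERT` with the removed and added `<h1>` lines. The design choice worth noting is the masking step: a naive hash of the raw page alarms on every timestamp rotation, which is exactly the kind of churn that trains people to ignore the alert. Tune the patterns to your site's genuinely dynamic regions, keep the baseline digest somewhere the web server cannot modify, and treat any change outside a known deployment window as an incident to investigate.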
