New Course – LDR553

Just over a year ago I was launched the BETA of the MGT553 2-day Cyber Incident Management Course with the SANS Institute. The MGT553 course was originally developed in response to a Law Enforcement request to help them train their staff to better support major incidents that are regularly hitting large and small organisations.

I think what we built was unique in the market, and content wise, full of real-world cases and examples – well I have been doing this for a while (my LinkedIn profile). The course sold well especially OnDemand and as it was written during COVID with that modality in mind.

The problem we had was the two-day limit – so sorry if you were in one of my classes that ran past 5pm. However, just over six months after MGT553 went into full production I was asked to expand it to five days! So if you wondered why I’ve been quiet on here, I’ve been writing 3 days of courseware and 18 new labs(!)

The new course, now branded under the Leadership abbreviation LDR (LDR553) being five days allows us to expand out some important topics (staff development and training) and to deep dive into lots of different incident types.

Below, I’ll outline some of the new elements and to explain some of the design choices made.

Changes over MGT553

As you can imagine the main change is having the extra three days which has allowed me to bring some great new elements to the course. I’ll touch on a few of the big additions in this post and over the coming months I’ll pick out some others to highlight.

Team Development and IM Training – this was at the end of an already busy session two, but we have moved it to session three and have expanded it to talk about how to build good exercises and how to have fun with them. We cover how plan your exercises and how to run some great Table Top eXercises (TTXs) with almost no props and only about 30 mins planning.

So what new stuff did we add? Well….. here’s some of the bigger chunks:

Cyber Threat Intelligence (CTI), is common place in many SOC/IR teams, but outside of these security teams awareness is generally low. As a result, CTTI is often that untaped resource in terms of incident support. So we look at what CTI can provide before and during incidents. So when you call for help they have templates of what they can do and how.

I’ve found that by considering what you might need before an incident you can get the CTI staff draft some glossy one-pager guides on Tactics, Techniques and Procedures (TTPs) used by the threat actors CTI are tracking as most likely to hit your organisation. This means you are super prepared with a quality product you can share with Execs and IM teams to inform them about their current adversary.

Timing wise we positioned this module before Supply Chain Attacks as many’s-a-time my team has been tasked to undertake some Open Source Intelligence (OSINT) analysis of our partners to see if we can learn more about their just-notified attack and/or the attacker.

But some of you are probably thinking:

Steve, in an supply chain attack there is no IR/IM work to do, what you covering?

Well, I’m glad you asked!

Communication is an underlying theme on this course and a Supply Chain Attack is probably the pinnacle: Here, our goal is to assess the supplier notifications, comprehend the associated impact, and solicit further details as required. To support this we look at planning communications with suppliers (assuming that an opportunity for direct dialogue arises) and possibly leveraging our relationship (contractual and personal) to get the most information possible and the assurances we need for our execs (whom will then need briefing).

The accompanying Supply Chain Attack labs are fun, real-world-level frustrating and built upon actual cases. As we battle some of the tactics deployed by vendors to avoid direct answers we hope to equip students with the ability to identify such techniques but also allows us to try to defeat them, or at least learn these dark ways incase they need to stall in the future.

Having dealt with numerous instances of Business Email Compromise (BEC), I included a comprehensive module on these financially devastating attacks. By delving into the origins of such attacks and analysing the six distinct types of BEC, attendees have a deeper understanding of the attack’s origins and can potentially support Legal as they work to allocate responsibility for ensuing financial losses. Our lab exercises have a captivating head-scratcher scenario inspired by real-life cases that make them my personal favourite.

Ransomware is a big subject and something that is probably one of the top risks for most businesses and because it leverages many of the issues we cover throughout the course we put this at the end. In this longer module we consider the stages of a ransomware attack, the relationship between Ransomware as a Service (RaaS) operators, Initial Access Brokers and Credential Theft attackers as well as the parts they play.

As we are not a technical course (try Ryan Chapman’s Ransomware for Incident Responders course (FOR528) for that), we will look at the decisions/options that Execs will want to have, the types and volume of information they will need to make those decisions and how you get better at responding.

We’ll dig into the sorts of things you want to be fast at for the the Golden Hour from initial impact and the challenges and goals for the first 24 hours. We will then review several public ransomware cases to see where things when wrong for the victims and if their response was the best course of action.

The Capstone lab is a time-sensitive high stress one that we believe will work both live in person, LiveOnline and OnDemand the main thing that will change is the number of people on you team and thus the level of work you will need to complete to be the best.

Sharing Experience

One of the different approaches we will be trying on this course is the use of open Polls to let people see how others think. As we go through the course and labs we will pose questions as we would in class about different aspects of incidents, labs and hot topics. To link Live, LiveOnline and OnDemand students we will use open polls where we pose a question, students go to a site and answer the question (the Poll) and after voting they get to see how others have voted. This will hopefully allow people to see if their thinking aligns with that of others.

Availability and Formats

We are launching the LDR553 in a BETA at the October London conference and in early 2024 it should be available on general release and OnDemand.

We haven’t worked out the dates of the 2024 teaches, but given SANS finds the Hybrid (Live in person and LiveOnline) formats popular, I believe all teaches will be in this format. Location wise, I’m hoping to teach in the US and EU/APAC on alternative months to enable people to get to a Live in person event within a reasonable travelling distance.

Wrap up

So there you go, that’s a high level summary of some of the key changes we introduced when we developed LDR553. I think it’s a solid base, I’ve been able to include the common attacks that impact all organisations, so students will be prepared to develop and improve their organisations to better detect, respond and recover for major attacks and incidents.

A reminder that the October course is a BETA (it’s a reduced price as this is the first classroom run of the course), some things might not run to plan like class timings, but they should be close. Offered in Live in Person and LiveOnline at the October Event in London it will be a hoot. The post BETA class will not start until about February 2024 and the OnDemand version will probably not be until about February/March 2024.

I’d love to see you at the BETA, but hurry, it’s only been announced two days and already it’s selling well. There is about £1500 discount (1800 Euros) over the regular price.

Steve AG

Examples of Public statements

This is where we’ll drop some public breach statements as we find them to serve as a reference to others looking to draft something similar:


Taken from (checked 1st Dec 2022):

September 15, 6:25pm PT

We are currently responding to a cybersecurity incident. We are in touch with law enforcement and will post additional updates here as they become available.

September 16, 10:30am PT

While our investigation and response efforts are ongoing, here is a further update on yesterday’s incident:

  • We have no evidence that the incident involved access to sensitive user data (like trip history).
  • All of our services including Uber, Uber Eats, Uber Freight, and the Uber Driver app are operational.
  • As we shared yesterday, we have notified law enforcement.
  • Internal software tools that we took down as a precaution yesterday are coming back online this morning.

September 19, 10:45am PT

While our investigation is still ongoing, we are providing an update on our response to last week’s security incident.

What happened?

An Uber EXT contractor had their account compromised by an attacker. It is likely that the attacker purchased the contractor’s Uber corporate password on the dark web, after the contractor’s personal device had been infected with malware, exposing those credentials. The attacker then repeatedly tried to log in to the contractor’s Uber account. Each time, the contractor received a two-factor login approval request, which initially blocked access. Eventually, however, the contractor accepted one, and the attacker successfully logged in.

From there, the attacker accessed several other employee accounts which ultimately gave the attacker elevated permissions to a number of tools, including G-Suite and Slack. The attacker then posted a message to a company-wide Slack channel, which many of you saw, and reconfigured Uber’s OpenDNS to display a graphic image to employees on some internal sites.

How did we respond?

Our existing security monitoring processes allowed our teams to quickly identify the issue and move to respond. Our top priorities were to make sure the attacker no longer had access to our systems; to ensure user data was secure and that Uber services were not affected; and then to investigate the scope and impact of the incident.

Here are some of the key actions we took, and continue to take: 

  • We identified any employee accounts that were compromised or potentially compromised and either blocked their access to Uber systems or required a password reset.
  • We disabled many affected or potentially affected internal tools.
  • We rotated keys (effectively resetting access) to many of our internal services.
  • We locked down our codebase, preventing any new code changes.
  • When restoring access to internal tools, we required employees to re-authenticate. We are also further strengthening our multi-factor authentication (MFA) policies.
  • We added additional monitoring of our internal environment to keep an even closer eye on any further suspicious activity.

What was the impact?

The attacker accessed several internal systems, and our investigation has focused on determining whether there was any material impact. While the investigation is still ongoing, we do have some details of our current findings that we can share.

First and foremost, we’ve not seen that the attacker accessed the production (i.e. public-facing) systems that power our apps; any user accounts; or the databases we use to store sensitive user information, like credit card numbers, user bank account info, or trip history. We also encrypt credit card information and personal health data, offering a further layer of protection.

We reviewed our codebase and have not found that the attacker made any changes. We also have not found that the attacker accessed any customer or user data stored by our cloud providers (e.g. AWS S3). It does appear that the attacker downloaded some internal Slack messages, as well as accessed or downloaded information from an internal tool our finance team uses to manage some invoices. We are currently analyzing those downloads.

The attacker was able to access our dashboard at HackerOne, where security researchers report bugs and vulnerabilities. However, any bug reports the attacker was able to access have been remediated.

Throughout, we were able to keep all of our public-facing Uber, Uber Eats, and Uber Freight services operational and running smoothly. Because we took down some internal tools, customer support operations were minimally impacted and are now back to normal.

Who is responsible?

We believe that this attacker (or attackers) are affiliated with a hacking group called Lapsus$, which has been increasingly active over the last year or so. This group typically uses similar techniques to target technology companies, and in 2022 alone has breached Microsoft, Cisco, Samsung, Nvidia and Okta, among others. There are also reports over the weekend that this same actor breached video game maker Rockstar Games. We are in close coordination with the FBI and US Department of Justice on this matter and will continue to support their efforts.

Where do we go from here?

We’re working with several leading digital forensics firms as part of the investigation. We will also take this opportunity to continue to strengthen our policies, practices, and technology to further protect Uber against future attacks.

Electronic Arts

Taken from (Checked 1 Dec 2022):

June 11, 2021

We are investigating a recent incident of intrusion into our network where a limited amount of game source code and related tools were stolen. No player data was accessed, and we have no reason to believe there is any risk to player privacy. Following the incident, we’ve already made security improvements and do not expect an impact on our games or our business. We are actively working with law enforcement officials and other experts as part of this ongoing criminal investigation.

July 14, 2021

In June, we reported a recent incident of intrusion into our network (see earlier statement below). This week, we’ve been made aware of an extortion threat from the alleged hackers, and a portion of some files were released to the public. We have analyzed the files released by the alleged hackers, and at this time, we continue to believe that it does not contain data that poses any concern to player privacy, and we have no reason to believe that there is any material risk to our games, our business or our players. We continue to work with federal law enforcement officials as part of this ongoing criminal investigation.

Do you pay or not?

With Ransomware/Extortion continuing to be in the press almost daily, there is the ongoing conundrum of should you pay an extortionist or not?

While it is easy to talk about the moral aspect and the trust issues that stem from having faith in someone that actively threatens the viability of the organisation, it is different when it’s 2am, it’s your data and someone is asking your advice.

That said, one of the most important thing is to retain perspective on the issue and to look at what you are getting (or not) and how that leaves you positioned.

Person looking shocked at a generic laptop

What are you actually buying?

Before we look at what you are buying we should consider the current Ransomware proposition, what the attacker has and what they want from you. We should consider the leverage they have and how that influences your decision process.

So, lets assume that a variation of following standard attack could happen to you:

  • Attackers break into your network via one of three common means:
  • The attackers then sell the access (aka acting as an Initial Access Broker). A ransomware operator buys the access and plans out their attack.
  • A ransomware operator undertakes recon of the network looking for open Windows File Shares (SMB) e.g. \\Company_Files or \\Finance_records something that they can apply leverage with.
  • Ransomware operator exfiltrates data they believe will have value and prove they were in the network.
  • Ransomware operator will look for ways to escalate their privileges to enable them to get access to the Domain Controllers (DC); there they will configure the DC to instruct the domain systems to run the encrypting program.
  • They leave the ransom message method and await the victim’s connection.

Now the ransomware group will probably undertake a triple extortion:

  1. Pay them to get the data decrypted (and returned to you in the case of them deleting/wiping the data) – Extortion.
  2. Pay them to prevent them publishing your data online – Second extortion.
  3. Ransom operators contact suppliers and customers for payment to stop the data being released onto the internet – Third extortion.

For sale or for rent?

There are a few things to note when considering the ‘offer’ from the Ransomware ‘Customer Support’ (as they sometimes call themselves).

  • Ransomware encrypting software is optimised to encrypt and reports from victims is that decryption programs are very slow [many report they actually decrypted only small percentages of their impacted systems].
  • The attackers cannot be trusted to not return later for more payments to prevent the leak of the data they stole – despite you paying the initial first ransom.
  • If you pay the ransom and they return your data (or decrypt it) they can still publish it after promising (and taking payment) to destroy it.
  • Even if not published in places you can find, you can never be totally sure that it was not sold on the hacker underground.
  • Regulator reporting action is still required regardless of payments and claims. While some might consider this obvious, the UK Information Regulator and the UK National Cyber Security Centre (NCSC) wrote publicly to clarify the matter here.


There are many aspects to consider when advising the organisational executive on a strategy regarding payment or an extortion or ransom, but these three we believe are the most important:

  • You are renting silence not buying it – that data will come out sometime, so don’t make a payment to ‘secure’ it.
  • Unless the viability of your business depends on getting the exact impacted servers/services restored using the attackers decryption, then you are probably better off rebuilding from new and struggling through – at least that way you know they were clean again when you rebuilt them.
  • If you pay once, you may be labelled as a ‘payer’ and that may result in an increase in future attacks.

Is it Incident Response or Incident Management?

What is the difference and why should we care?

Incident Response (IR) is widely documented as the technical activities and actions taken in response to some negative Cyber activity.

Incident Management on the other hand is the less hands-on, but no less important, work above the IR team in coordinating the wider activities.

What is an Incident

The UK National Cyber Security Centre (NCSC) defines a cyber security incident as:

  • A breach of a system’s security policy in order to affect its integrity or availability
  • The unauthorised access or attempted access to a system

Cyber incidents can take many forms, such as denial of service, malware, ransomware or phishing attacks.

What is Incident Response

The technical activities which take place during and immediately after an incident are the cyber incident response. These include:

  • Initial Triage of the system
  • System log analysis
  • Acquiring and analysing system hard drives looking for Indicators of Compromise (IoCs).
  • Acquiring and analysing system memory (RAM).
  • Network capture and analysis or examination of network flows.
  • Analysis of authentication logs/systems and controls (Domain Controllers, Cloud Consoles and other authentication mechanisms.
  • Reviewing the data in consultation with Cyber Threat Intelligence (CTI) from Open Sources (OSINT)

What is Incident Management

Incident Management is the coordination of the other responses by the business; sometimes generalised as the non-technical responses. As an example the following are just some of the main IM tasks and are something that most managers are equipped to handle:

  • Working with Legal regarding notifying:
    • Data regulators (for PII, PHI, PCI, Gov data controllers etc).
    • Law Enforcement.
    • IR Support teams to augment the main IR team (or to act as IR Team if none exist).
    • IR Companies with bitcoins for sale for urgent Ransomware payments.
  • Planning Enterprise hardening of Corp networks.
    • Coordinating about mass password resets.
    • Coordinating the hardening and patching existing tech.
    • Monitoring capacity of Admin staff as they surge to support Incident.
  • Working with Corp Comms for public messages for:
    • Press enquiries.
    • Partner enquiries.
    • Customer enquiries.
    • Investor Enquiries.
  • Working with Customer Support:
    • getting scripts and messaging ready for staff.
    • ensuring they have enough capacity via calls/chat/email etc.

Laptop hourly chimes

You might wonder why an IM site is talking about laptop chimes, well during an incident time is exceptionally precious and so you must not the passing of hours so you don’t miss deadlines etc. Additionally, we want to record what we did each part of the day, so taking note every hour is a great way to summarise the day quickly and easily.

In this post I will show you how to add hourly chimes to your Windows 10 system, mobiles or your Mac OSX laptop.


Starting with the Mac OSX 12 and later you need to open your System Preferences and go to the Dock & Menu Bar applet. In there scroll on the left to the Menu Bar Only section. Click there and the Clock options should appear like the image below. Finally, check the Announce the time box and select the hourly cadence.

View of the System Preferences, Dock & Menu Bar options to set the hourly cadence for time announcements.

For Fun I also customise the voice choosing Zarvox and slowing the speed down max; that gets me a voice similar to the Cylon’s from Battlestar Galactica.

Settings for BGS Cylon type voice.

For OSX up to 12 you still go to System Preferences but you select Date & Time then the Clock tab where you will see the same options.

View of the System Preferences, Date & Time options to set the hourly cadence for time announcements fro Pre Mac OSX 12 systems.


For mobiles, you can simple add a recurring countdown timer. When the timer alerts, you can hit the repeat button and it restarts another hour countdown.

The screenshot is from an iPhone, but Android has the same functionality.

Windows Settings

For Microsoft Windows it’s different as there is no built in functionality we can leverage.

That said, in the Microsoft Software Store you can get a free Hourly Reminder app that will do the same thing; simply download and configure.

Why I made this site

I’m super pleased to announce that I finally finished a brand new 2-day MGT553 Cyber Incident Management course with SANS. In this course we’ll look at all aspects of the Management side of an Incident. If you’ve ever worked in IR you will know the massive benefit of having people above you getting you the access, logs, support and engagement you need to focus on the technical aspects of the case. The MGT553 is designed to help Managers, Execs, Legal Counsel and Law Enforcement staff to understand their role so they can be more pre-emptive with their planning and delivery of assistance.

So this site is just for me and a few colleagues to be able to park URLs, posts and other handy guides so the course students can grab them before they attend or at anytime in the future.

I’ll try to post regularly, topics will either be blog posts on new and interesting items that pop into the cyber tech news and longer posts will be on guides and tips for all to be better at IM.

Finally, if you’re interested the Beta will run in May 2022 (link to register) and after that we have a series of private and public runs of the course.

I look forward to seeing you here and maybe on a course in the near future.

  • Steve AG

Sending Passphrases and Files

Sending Passphrases

Sometimes you need to share passphrases and files – it’s hard at the best of times and in an incident it can be really difficult.

These two are really easy to use and together you can send a passphrase and then a file encrypted with that received passphrase.

The beauty of the site is you can share a password with someone and if they can see the passphrase you know they got it. If they get an error you know it was compromised en-route.

File Transfer

Once they remote person has a secure passphrase you can then use it to encrypt the file to send and you can use something like to share it over HTTPS.

See both are easy to use and default to secure mode. Remember however, that one person’s secure file sharing is another persons exfiltration tool, so you might want to ensure you track and alert on the use of these tools.