[00:00:03:15–00:00:30:09]

Navroop Mitter:
Hello, this is Navroop Mitter, founder of ArmorText. I’m delighted to welcome you to this episode of The Lock & Key Lounge, where we bring you the smartest minds from legal, government, tech, and critical infrastructure to talk about groundbreaking ideas that you can apply now to strengthen your cybersecurity program and collectively keep us all safer. You can find all of our podcasts on our site, armortext.com, and listen to them on your favorite streaming channels. Be sure to give us feedback.

[00:00:40:04–00:01:01:01]

Matt Calligan:
This is the second part of a two-episode conversation we had with RL Leaders last time. We discussed why weaving storytelling into your security response exercises can make it more actionable for your executive team. And some interesting tips coming directly from Hollywood writers and producers they work with. This episode, we put their ideas to the test by walking them through a typical tabletop exercise, inject to see what exactly it means to create a compelling narrative, and why it can help you with your exercises.

I guess it’s time to put our money where our mouth is and have you guys weigh in on one of our exercises. So, go easy on us ‘cause this is where—this is actually coming from our 2023 one, which is one of our first publications.

So what I’m going to do here is, I’m just going to read off the beginning of the module and then kind of riff from there. You guys—good place to do that?

Erik:
Sounds great.

[00:29:45:09–00:31:03:23]

Matt:
All right. So there’s some missing stuff in here because this—the module itself is designed to be sort of choose-your-own-adventure. And you can add your own components. So, the scenario is, your company has been hit by a ransomware attack, and immediately, you know that you have lost some or all functionality of a critical, mission-critical operation or manufacturing facility of some sort.

But the full scope of the attack is still being evaluated. So, the impacts to the company communication platforms are not immediately known. There’s no way to be confident that the tools that appear to be functional are, in fact, compromised. Or aren’t, in fact, I should say. Your company’s IT employees are contacting company executives on an ad hoc basis, and while on personal devices, alerting them about the incident.

The threat actor has left files on impacted machines with instructions to establish contact within a 24-hour timeline, and they do not include a ransom demand. Where would you all—now that’s the exercise setup. 

Erik:

Yeah.

Matt:

Clearly, we go into different questions and stuff like that. That’s a pretty standard tabletop format. Where are some spaces with opportunities to improve—even just the setup—from your perspective?

[00:31:04:01–00:33:44:09]

Erik:

I think leaning into a lot of the unknowns and sort of pulling on the thread of—you don’t know how wide this is, you don’t know how reliable your comms are. And so, as the event starts to unfold, having the—and this is where you get to sort of that external facilitator, that sort of simulation master—as someone who’s run it—running the exercise can say, as people start to strategize, you take someone out of the game right away.

Okay. So, you’re on mute now for the next ten minutes. You don’t know—for the first minute, you don’t know that. And so, you’re answering the question of whoever just asked you. And it’s going to take some time for that person to realize they’re out of the game, and it’s going to take a couple minutes for the other people that are in the scenario to realize—okay, they were mid-sentence and just cut off.

Why was that? Was that just normal, like cell phone? How—is it related to the attack or not? Leaning in to the unknowns and really expanding on them in a way that can create just some additional confusion? Uncertainty, really, it’s—so, as people are communicating, trying to execute a mitigation plan, dialing it in and out of their connectivity, and messages get a little garbled.

You get every third word. And so, playing with that sort of variability would be something that you could lean into right at the beginning. A second-level thing would be maybe adding in kind of what you were talking about—that sort of physical aspect. And so, adding in something where there’s a environmental, weather-related factor—whether it’s snow, ice, hurricane, even just a forecast of a hurricane.

So there’s an additional clock on—in—the storm’s due to hit in five hours. 

Matt:

Yeah. 

Erik:

And so, then people are starting to think about—well, maybe I gotta go home and button up my house, and what am I—so—

Matt:
—My dog’s out. Okay.

Erik:
Right. You’re having to do this real-world calculation of—oh, I got to call somebody to make sure that—get the car in the garage or out of the—those sort of things where it divides someone’s focus, leveling up the complexity without, again, getting to the melodramatic aspect of it.

[00:33:44:14–00:37:27:01]

Brian:
Yeah. And I would add that the another way to look at it is that the exercise is in a box, and there’s sort of a pre-box and a post-box. So, before the exercise happens, what do you want the participants to know? Maybe, in the real world, a month ago, you put a new patch on your—all of your computers. Maybe you know going in that only 95% of the employees uploaded the patch.

So, you know you’ve got a vulnerability. Maybe we leak some information to the executives who are going to participate in this about some other ransomware attacks that are attacking in the industry. So, there’s some things that just kind of get their mindset focused on this before the exercise begins. Maybe we reveal some things about—during the course of it—about the villain.

So, we start to personalize his or her attacks on the company. We start to understand their motivation. We start to feel compelled to compete. And so, that would be another thing. And then, post, what are the things? Maybe you have a really important—the most important—sales pitch the company’s ever going to do next week.

Matt:

Yeah. 

Brian:

And this is disrupting that. Or maybe you’re servicing a customer. You’ve got a big—or a big conference you’re going to—it doesn’t matter. 

Matt:

Right. 

Brian:

Something that, inside the scope of that organization, is the next thing that they need to think about. And so, not only do we have to fix this thing for the now, but we have to fix it for our ability to do the future—starts to not only cost us in the present, but it’s starting to diminish our income flow in the future.

Matt:

Yeah. 

Brian:

And so, you start to build the stakes. So now I’m competing with an active adversary. I’m starting to—it’s personal for me now. And now, I’m starting to see that it’s costing me money. And so, all of a sudden, I’m emotionally engaged in a way that I might not be if you just threw the scenario on the table and said, “Okay, here’s your inciting event. What are you going to do?”

Matt:

Yeah. 

Brian:

And I think that Erik’s point—in the real world, there’s always somebody who didn’t get to the meeting, who can’t make communications, who’s climbing Mount Kilimanjaro and doing something different that allows them not to be available. In a typical tabletop, I’d say, “Oh, well, I’m climbing Mount Kilimanjaro, but Jane’s going to be in charge, and she’ll know what to do.”

Well, nobody has told anybody that Jane was going to be in charge, so they don’t know what to do. So, if you just cut me out and don’t allow me to make that little inject, then people have to figure out who’s in charge of whatever I’m in charge of when I’m unavailable. So, you start to add some complexity to the story. And then I think the other thing is, inside the present box, you always want something else that you can throw in there that’s going to disrupt it.

The minute that it looks like you’ve got it figured out, you want to throw some water on top of that.

Matt:
Right. Right.

Brian:
You want a pipe to break or a hurricane to hit.

Matt:
Flood or something, yeah.

[00:37:33:08–00:38:47:23]

Erik:
Or the—

Brian:

—It’s so—

Erik:

—CEO says, “Great, you fixed it. Now we need to get to that future box of, ‘All right, thanks for everyone for doing great work.’ How—now, we kind of got to work through the weekend in order to meet the deadline of Monday.” Right?

Matt:
Right.

Brian:
And there’s—your scenario has a lot of thinking about communications. But if you’re thinking about this as attack on your brand, your communications would be a lot different. Your focus on communications would be a lot different than if you thought that it was something that you could contain internally. 

Matt:

Right. 

Brian:

And that they were only trying to get some ransom from you—that this isn’t a step in a bigger process. But as you start to unpack the motivation of the bad guy or the bad people, then you start to see the threat for what it really is. And that’s what you’re going to want to do in any real-world scenario. You’re going to want to understand as quickly as possible what this really is and— 

Matt:

—Right.

Brian:

—what it seems like it is.

[00:38:48:01–00:39:39:09]

Matt:

When that was—when this—there was an inject that we had as part of this exercise— 

Erik:

—Yeah. 

Matt:
—that speaks to an executive is, you find out that he’s on a—on Signal or WhatsApp sharing sensitive information with reporter. And now the organization needs to figure out how to get them removed from that platform or stop them in the midst of all this. And with his team throwing this into that box, the—asking the team to figure out the—how do you find this guy?

How do you get him to stop sharing this? And how do you control your brand image when you know the plan is, and the tools that they’re using are kind of scattershot? What, from your perspective, how—what else would you add to that kind of an inject to just to spice that up as well?

[00:39:39:09–00:41:44:16]

Erik:
I think being able to—I think that’s a really good inject. I think it’s the way in which you deliver it. And this is where you could lean into some of the storytelling tools, visuals, where you get the actual physical—graphical representation of the text, right, the text that’s being passed around. Or you have a screen, and you start to see it, and then you don’t quite know who’s doing it and, but maybe there’s some breadcrumbs, and you can lead the participants into getting to the answer.

‘Cause I think it’s as people are collaborating towards this—a solution. That’s another part of the creative immersive process that we do—is really that the collaboration between—

Matt:

—Yeah.

Erik:

—folks that we bring from the creative world, folks that are the subject matter experts. ‘Cause if you’re working on a problem together, that’s another touchpoint for reinforcing learning.

And so, you—it’ll be when you’re swapping the war stories afterwards of, “Oh, we were doing this. It wasn’t necessary.” No one’s telling the war stories of, “I did this, and I did this, and I did this.” It’s, “We did this.” The—there was this time together, “we did this, and you did that, and I did…” And so, it’s the collaboration and being able to lean on this sort of visual. This is a place where you could look to enhance kind of the existing state of the art with, in addition to the narrative techniques and storytelling, but some graphical—a little clip of a newscast you have—

Matt:

—Yeah.

Erik:

—some prerecorded content, whether it’s—

Matt:
—Those cheat codes—

Erik:

—Exactly. Yeah. 

Matt:

—The emotional cheat codes. Yep.

Erik:
You get still photo, and then, to Brian’s point, anything with sound—it gets to—it just touches a different part of your brain where you’re—where if you—not even with the ominous violins playing Jaws in the background, but something where you just kind of have people exposed to certain noises and sounds that may induce a little bit of extra stress.

Matt:
Yeah.

Brian:

Yeah and just—

[00:41:44:18–00:42:14:07]

Erik:
—That just—that little—the—I’m sorry, Brian. There’s just the ding of Signal going off every 30 secs, so people are like, “Who’s text it?” That’s the giveaway. Right? So maybe that’s one of the little breadcrumbs—is you start to create that audio signature of someone that’s in the room, sort of under the table, doing something. But it’s—they’re going to get outed.

Matt:

Yeah.

Erik:

Because their tech is beeping on them. 

Matt:

That’s a good idea.

[00:42:14:09–00:43:49:00]

Brian:
Yeah. I was just going to add a kind of an aside that as companies mature, it becomes a lot more difficult to create and to be innovative inside them. Their rules start to mature, their policies and procedures. But in a crisis, you’re looking for people to act and often to act boldly.

And so, one of the things that you want to create in this, inside the exercise, is the freedom for people to move without maybe all of the coordination that it would take in a normal routine time because you want to make sure that you create that urgency, that they realize that we’re not in a normal routine time.

Matt:

Right.

Brian:

And so, one of the things that we found is that the creatives that we integrate into these scenarios when we do them, they’re not moved at all by your rules. 

Matt:

Right. 

Brian:

The only thing that ever limits them is their imagination. And seeing them work and seeing the freedom of them to create a new idea of, “What if we did this?” is a really powerful thing for an organization, even when it goes back to their rule set. They’ve at least been exposed to that kind of rapid innovation, rapid thinking, that can be really useful when the next crisis comes.

[00:43:49:04–00:45:33:00]

Matt:
What would be—what would be some… If somebody is listening right now, thinking of, “This is a really great idea, but what do I—how do I start with this?” What would be some first steps that you would give to somebody who likes this concept and wants to start bringing these ideas in—into their exercises? 

Erik:
I think the first step is to find that external partner to really facilitate, to find the alternative viewpoint—someone that’s sort of outside the org to collaborate with—‘cause I think just the nature of collaboration outside of that regular sort of skill set will lead to just different perspectives.

Brian often talks about everyone brings their experience, training experience, education—that shapes the lens by which you see the world. And bringing those—bringing multiple lenses together—creates new focal points. And bringing—just leaning into bringing—those alternative perspectives into the—this scenario, into the world there, will pay dividends right away.

I think taking advantage of some of those technology, some of those emerging tools, to create content… Obviously, working with someone to underpin a strong narrative is something that we really believe in. But then, the tools to execute it are starting to become something that is available to everyone.

Matt:
Yeah.

[00:45:33:02–00:48:05:22]

Brian:
Yeah. Our company was formed originally, sort of out of the ashes of 9/11, where they ask, “This is unfolding like a movie—what might happen next?” There’s a whole story behind that that I won’t go into. But the 9/11 report—one of the four failures that it identified was a failure of imagination.

And what we’ve learned, though, is that most of these failures are not really a failure of imagination of what might happen. It’s a failure to imagine what we’d have to do to preclude it. And I think that’s the real value of bringing somebody from outside. 

Matt:

Yeah.

Brian:

Because if organizations tend to think alike anyways—so here are the threats that we anticipate—well, if somebody else comes in and says, “Yeah, but it would be really easy to attack you this way. What would you do about that?” And they would probably say, “Well, we don’t think that will ever happen.” But when you have somebody else in the room who says, “Yeah, but what if it did?”—that forces you to think through kind of another level of threat. 

Matt:

Yeah. 

Brian:

And so, I think we would encourage people to help build that story from maybe some outside voices or some voices even inside your organization that you don’t normally listen to—maybe people who are closer to your customers, closer to the edge of your organization, who see some things that maybe aren’t bubbling their way up to the corporate management as you build these.

And then I try to really build out why the villain is doing what they’re doing. 

Matt:

Right. 

Brian:

Put a face, a personality, a motivation on them, even if you don’t share it with everybody initially. You want to have a story that’s deep enough to make sense when people start peeling back the onion.

And so, that’s how we’d go about it. And if people are thinking about how to do this, talk to us.

Matt:
Yeah, yeah. With that in mind, what are you all working on next?

[00:48:06:00–00:49:16:11]

Erik:
So we have some different—so we’re in the process of just launching a series of discovery sprints, which is our ideation process with a couple of different parts of the DoD, and really looking at futures and trying to imagine a world—sort of a near-future 2040, so 15 years out. What would that look like in terms of different evolutions within the commercial technology world? 

And then, working with that partner to sort of overlay their technology roadmaps around this scenario and to identify specifically where there might be gaps and what should the government be looking at investing in now to address future scenarios that are within the realm of possibility.

Brian:

Yeah, our recent businesses has often been just beyond certainty. 

Matt:

Right. 

Brian:

So—

Matt:

—Yeah.

Brian:
—get beyond a couple iterations of Moore’s Law. What do you think’s going to happen? And that’s where the creative energy that we bring is really helpful.

Matt:
Yeah. It’s vortex of the imagination.

[00:49:16:13–00:50:11:03]

Brian:
Yeah, absolutely. And that’s where our network thrives. And that’s the most fun for us as well.

Matt:

Yeah. 

Brian:

Because you can’t really be wrong. So that’s a good thing because the future hasn’t happened yet. 

Matt:

Yeah. 

Brian:

But on the other hand, what you want to do—what we try to do for our clients—is build enough confidence so they can move rapidly, because we live in a time where change is accelerating.

And so, we want to prepare the people that we’re working with to operate at the speed of that change, the speed of their threats, and that’s getting more and more difficult. And so, we try to help them not only think about where to go but also think about how to disrupt their own processes, to keep them from moving as fast as they need to.

[00:50:11:05–00:50:41:00]

Matt:
Yeah. Well, my final question is always our favorite here. So, and it’s—this is more just speaking of theoretical and future stuff—there is no wrong answer on this one. But let’s say you’ve just run the high-stakes national security simulation. Now you’ve—you’re successfully deploying that energy to the private sector. And the particular project you were on is over. The debriefing is done. What’s your celebratory drink of choice for you guys?

Erik:
Brian, you go first.

[00:50:41:02–00:52:53:03]

Brian:
Well, okay, so I’d move out of my prepper chamber, and I would go to any bar that Lamar is working at—

Erik:

—Oh. 

Brian:

—and get a Mar— 

Erik:

—That’s a good answer.

Brian:

—a Manhattan from Lamar. We have a favorite bartender. He’s a good friend of Erik’s and has become a good friend of mine. 

Matt:

Nice. 

Brian:
And he works in DC, and I don’t know if we can give a plug to where he works, Erik, but he makes the best Manhattan on earth, so—

Matt:

—Now I got to know this guy. Yeah.

Brian:

—we leave it in his hands.

Erik:
Ex—that’s a great answer. I was also going to say Manhattan with a little bit of rye. And so—

Matt:

—Yeah.

Erik:

—that’s my beverage of choice. If I’m really—if it was a real high-stakes scenario, then maybe I might break into a little bit of the Midwinter Night Dram—

Matt:

—There you go.

Erik:
—Rye. And so, that makes a pretty mean Manhattan.

Matt:
Basil Hayden has a—

Erik:
—Dark Rye. 

Matt:

—an—

Erik:

They have that—

Matt:
—the Dark Rye. 

Erik:

—Dark Rye.

Matt:

Yes!

Erik:
That is—so that’s what I do at home. That is my Manhattan of choice. When I am making drinks at home, I use that—

Matt:

—Yeah.

Erik:

—Basil Hayden Dark Rye.

Matt:
It almost has like a vermouthy finish to it already. It’s like this has to go in a Manhattan like I got to do it.

Erik:

Absolutely. 

Brian:
Agreed.

Matt:
When I—

Erik:
—Yeah, and it’s easy to come by.

Matt:
Yeah, yeah. It’s not like Buffalo Trace or something where it’s always sold out.

Erik:
Right. Right.

Matt:
Yeah. I got to figure out where Lamar is too. That sounds like a must have.

Erik:
I’ll shoot you a text. We’ll find a time to meet up there soon.

Matt:
Excellent. All right. Well, gents, I appreciate it. And, folks, for tuning in, I appreciate your time as well. Thanks for tuning in today’s podcast, and we will catch you next time. 

Erik:

Thanks for having us. 

Brian:

Yeah. Thank you so much. 

Matt:

Thanks, guys.

[00:52:53:05–00:53:14:19]

Matt:
We really hope you enjoyed this episode of The Lock & Key Lounge. 

If you’re a cybersecurity expert or you have a unique insight or point of view on the topic—and we know you do—we’d love to hear from you. Please email us at lounge@armortext.com or our website, armortext.com/podcast. I’m Matt Calligan, Director of Revenue Operations here at ArmorText, inviting you back here next time, where you’ll get live, unenciphered, unfiltered, stirred—never shaken—insights into the latest cybersecurity concepts.