Greg Schaffer Hi, I’m Greg Schaffer and welcome to the Virtual CISO Moment. Today we’re joined by Chris Kipland. He is the CEO of Velocity Incident Response, LLC. It is a New York State service-disabled veteran-owned business specializing in digital forensics and incident response. Chris is a US Army veteran combat engineer. He brings extensive experience in ransomware negotiations, cyber threat intelligence, forensic investigation, and incident command. Over the years, he’s led response efforts across public and private sectors, working in highly regulated environments and helping organizations navigate some of their most critical cyber crises. I don’t know which way to properly pronounce it, but Chris, thank you so much for joining us today.

Chris Kimpland Thanks for having me, Greg. I’m excited to be here.

Greg I’m excited to talk to you because I definitely want to talk a little bit more, when we get to that point, about ransomware negotiations. We record these on Fridays. And prior to this, I have my Friday morning church group Bible study. And one of the guys there was saying something, prayers for his son because their company just got hit by ransomware. And also as the security technical guru of the group, I was asked, well, what can we do? And I said, we’re doing it right now. Pray. So. But looking forward to diving into that. But before we get to that, I want to hear your background, your history. Before we started recording, I know you’re prior U.S. Army, and I did not wear this. This is a complete coincidence that I wore an Army shirt. Folks know that I’m actually prior Air Force, but I had visited Fort Knox about a year and a half ago on a client trip. But hence the shirt. But yeah, take us through how you got started in security and definitely talk about your military service and what led you to be the founder of Velocity Incident Response.

Chris Sure. Well, I think, you know, I started out in help desk for Lenovo warranty support that really got me the foundation. Um, and at the time I was working for a consulting company that, you know, I worked on the Lenovo account for a while. I got up to a senior technician there. Um, and then I moved to cyber defender and that’s when I started getting exposed to viruses and malware, things like that. And that kind of really lit my passion. Um, you know, as you mentioned, I was in the military, so obviously very mission oriented. I’m more of a guardian and protector. So I like to be in a position to help people. And I think that’s what really led me down the path of cyber. So I spent a few years doing kind of some of that incident response and SOC work and then went and became a CISO and a consultant and then, but my band hand specialty has always been in incident response and forensics.

Greg So you mentioned something that we always talk to people. Well, let me back up. We’re always asked, it’s like, how can I get into cyber? And a lot of times folks will say, well, one of the best things you can do is start in IT at the help desk, which I’m a proponent of that because I grew up, if you will, in this field in networking, but I spent time on the help desk as well. And there’s a lot that you can learn about the business by being on the help desk and also learn about learning about the business. Since you started that way, how did that role prep you for being, well, not only for being more effective in cybersecurity and information security, but also to open the door for it?

Chris So I think it’s really important, and I agree with you, that one of the best ways in, and it’s interesting, right, because I think there’s two camps right now. Right now, there’s a lot of people wanting to get into cyber. And when you say, well, the best way is to get in through help desk and things like that, it can sometimes be seen as gatekeeping. And I’m like, no, it’s actually that’s where you learn your real foundational problem solving and really understanding the systems and how networks work together and things like that.

Greg Yeah, and I’m sorry for interrupting, but I never really liked the term gatekeeping because it’s such a negative connotation. It’s like almost like everything that requires steps is considered gatekeeping, and it’s not the case. It’s

Chris Yeah, I would agree. I mean, no, go ahead, go ahead. That’s one of those little internet glitches we just had there. Exactly, yeah. No, I think it is important, right? Because I know that later in my career, I started doing guest lecturing at Syracuse University, where I would talk about red team operations and incident response and things like that. You lose some of that problem solving if you’re not going through help desk, if you’re not learning how to synthesize technical information and distribute it to non-technical folks. Those are all really key. And it also gets you, I think people see things like, oh, get a cyber job. And all of a sudden you have a six figure career and you’re going to make tons of money. Well, maybe if you’re lucky, but that’s not always the case, right? And some people get into cyber and they realize they don’t like the stress, the constant learning. Maybe they want to be more in the back end and be a network admin or be, you know, and if you do help desk, you kind of get exposed to a lot of that as opposed to starting out where I think cyber is more of a specialty than it is an entry-level position.

Greg Yeah, and that’s always been my position as well, too. I never mean this to sound negative, or some people would use that term gatekeeping, I guess, but that there isn’t really a true entry-level cybersecurity job. And that’s not to say that there aren’t. And the better way to phrase that is that you need to have some proper experience before starting to go for a cybersecurity job. It’s not, I think maybe if we do phrase it like, well, you can’t find an entry level job, that maybe does come across a little bit negative. But the reality is, is that there are just certain skill sets that you need to understand what it is that you’re trying to protect before you can protect it. And you can’t learn that from books. And it’s very difficult to learn that from labs. I’m never going to say never. But I know for me, well, first of all, I guess I’m an anomaly because I never wanted to be in the security stuff. I came into it kicking and screaming because of firewalls. And firewalls were in the networking side. And I’m an old networking engineer. And sometimes I have dreams of returning to just like, you know, packet analysis and creating subnets and all that fun stuff, because that was fun back in the day. But if you were to give somebody right now who wants to get into information security, cybersecurity, what would you say that the best piece of advice that you can give them right now in this current job market?

Chris It’s hard right now. I do think that there are so many people competing for cyber positions that, you know, unless you have some experience already, it’s going to be difficult to separate you from the thousands of applicants that are applying for these positions. So if you come at it from your end goal may be cyber, but to your point, you get into help desk or maybe like a level one network admin, something like that. And you can build a body of experience and put some real hands-on skills behind what you want to do. And then you can kind of sidestep your way into cyber. That’s, I think, a path of least resistance as opposed to just trying to go straight in with nothing but a degree or something like that. And, uh, certainly I think one other thing that can be, uh, considered as well too, we have a lot of folks that have transitioned from other careers into cyber, and I’m going to get to military, um, influence in just a moment, but, uh, the concept of transferable skills, we certainly learn things in our other job fields.

Greg I’ve had the pleasure of interviewing several who have been in law enforcement before, like police officers, like actually walking beat police officers that have transitioned into our field. But from your perspective, you were a combat engineer, and how did your military experience influence what you’re doing today? I always love to see, like, broadly and also specifically with regards to the jobs that you did.

Chris Yeah, it’s, it’s interesting, right? Cause I, I get asked a lot, um, when people find out I’m a veteran, they’re like, Oh, so you got into this through the military. Nope. I blew stuff up in the military.

Greg Yeah. And, and, and the same thing with me, it’s just like, no, I was a mechanic. I mean, you know, I, I, I, you know, and they think maybe I was a soldier. It’s like, no, the only gun I carried was a grease gun. I worked on C one thirty airplanes. I didn’t do anything with regards to cybersecurity or networking. So I hear you.

Chris Yeah. And, and it was, it’s fine because I, I kind of, for a long time, discounted, I’m like, well, I didn’t come out of the military and go into a parallel field. But when I started thinking about it, the skills I learned in the military, so obviously being a combat engineer we’re dealing with explosives a lot, so there’s a certain level of calm that you have to have in high stress situations, discipline, whether that be your self study. I mean, we’re in a field that requires constant studying and learning and adapting, problem solving skills, learning how to work with a team of people. Those were all things that I was able to take from my military experience and transfer them to being an incident commander or a vCISO and things like that. So, you know, the more I kind of thought about it, I’m like, oh yeah, you know, didn’t necessarily take the job title from the military and move it into the civilian world, but I certainly got a lot of skills from them. And, uh, I guess, but you don’t really blow anything up bikes. So I guess maybe you could say we detonate like, you know, potential ransomware in, in sandbox environments. So I guess that’s blowing stuff up, isn’t it?

Greg Yeah. I mean, it’s, it’s the cat and mouse game, right? Like we, where, when we’re doing operations as combat engineers, whether it’s counter IED work or it’s, you know, breach clearing. What you’re doing essentially is finding a way to eliminate a problem, whether that’s an IED in a road or it’s things that are going to slow vehicles down. You have to problem solve before you go and execute anything. And I think that’s where it all starts. And that’s what kind of has helped me in my career, so.

Greg So I want to pivot a little bit into incident response and then go a little bit more specifically into ransomware. But when it comes to incident response, and I know you work on incident response, you worked on breaches that are active at the time, and you’ve also worked as a virtual CISO before. Do you still do virtual CISO work or not the moment?

Chris No, I don’t mean that to you, Greg.

Greg Oh, no, no, no. That’s great because this feeds great into my next question because I often get when we’re doing proposals, sometimes organizations will come up and they say, well, does your proposal include incident response? And my response to that is no, because incident response is such a challenge. really specialized field and you’ve got to make sure you do it right. The analogy I try to show people is like your chief information security officer would not be the one doing forensic incident response. They would be directing people for it. And that’s what we do as well, too. Now, sometimes that means we don’t get the the client, but that’s okay because we want to stay in our lane. But specifically, what is it about incident response that makes it such a specialized field and why it’s so important that you have this really short time window in which you can really be effective before things really get to the point of creating too much damage?

Chris Yeah, I think the big thing is, is that you have to be, you have to wear multiple hats at the same time, especially in an active breach. At the same time that you’re coming up with containment plans, which are, you know, technical steps for the technical teams, you’re also having to quickly assess and triage what’s going on, quantify that into business risk, and relay that to business stakeholders. You’re talking to law enforcement, so you’re grabbing intelligence, so you’re doing a lot of things quickly, and I think it requires a pretty wide breadth of experience. My CISO experience and working internally in companies helps me to relate and understand what business owners need to evaluate. Working as a technical person, I can relate to them. So I think what people get into is like when you’re actually starting to run incidents yourself, you’re as much a business consultant as you are a technical resource. And like the way we approach every case, and I think a lot of companies that specialize in incident response or forensics do, is you have to also have some knowledge of regulatory compliance, breach notification, some legal acumen to kind of understand things like evidence preservation, chain of custody, how these things are going to play out in litigation, because, you know, if you’re just kind of going at it and just trying to solve the technical problem, if that ends up in court and you didn’t do things the right way, you know, that could really impact the company, so.

Greg So that’s why, everybody listening, why it’s a good idea to keep those roles separate. It’s separation of duties and right people, the right tools, the right job. Um, no, I totally agree with that, and I’d be too afraid of like doing something, it would be unintentional, but to your point, wanting to keep the business operational, that I could do something that would unintentionally mess up the investigation, potentially cause a lot bigger issues. And so like with ransomware, for example, um, that’s a very tricky point because a lot of times I’ve seen this with executives where they’re like, if you’re running a tabletop exercise, immediately they say, we will not negotiate with the ransomware folks. We won’t pay the ransom. They’re pretty adamant when it’s a tabletop exercise, but when it comes to the reality and you’re actually facing your business potentially losing revenue or even possibly an end of business event, they realize that maybe they do have to at least consider it. What’s one of the things that they have as far as a misconception with regards to negotiation with the threat actors when they’re in the throes of a ransomware incident?

Chris Well, I think one thing that’s key is as the business that’s impacted, especially the owners and whatnot, it’s a very emotionally charged situation for them. The misconception is that it’s an emotionally charged situation from the threat actor. The threat actor, this is just business for them. So I think sometimes they think it’s going to be a very hostile, you know, like you’re being held up on the street, and that’s just not what it is there. They have projections. They have, just like salespeople do, they have leniency to work in discounts and things like that. So they’re approaching it very businesslike. Whereas sometimes I think business owners misconstrue the situation that, you know, it’s more of an emotional thing. And I think that’s another reason to bring in somebody that does this regularly because you can take some of the emotion out of it because you have to be very practical. You have to communicate with certain tactics to have a successful negotiation. The other misconception, go ahead.

Greg No, no, go ahead. Go ahead. I’m sorry.

Chris No, I think the other misconception is, is that, you know, as long as we do the right thing, the criminal will do the right thing. Now I’ve done hundreds of negotiations and only two to three times that I can remember, did someone pay and the criminal did not give them the keys. Um, and unfortunately that just happened on a negotiation we just did. We went through the whole thing. We got a fifty six percent discount on the price. Paid that and then they doubled down with a higher amount because they thought that the company was more financially sound than we were using in our negotiation tactics. So it unfortunately did not work out for the business. But I tell people, you can’t ever totally say we’ll never pay the ransom because if you’re not doing some of the things that you need to be doing, like proper backups, segmentation, things like that, if you’re not doing that, you may be forced to where you have no other option. And to your point, it’s either, well, are you going to close the doors or are you going to weigh this business risk, which is really what it is when you’re deciding to pay or not.

Greg So when you’re weighing the risk, I mean, what are some of the things that you look at? I mean, do you, without, of course, getting into specific examples, but do you work with the clients to kind of step through and do like a financial analysis? It’s like, well, okay, if you don’t pay the ransom, it looks like you’re going to have this amount of loss here, kind of like you’re doing a quantitative risk assessment on whether or not you’re going to pay the ransom. Is that the process for it or is it more of a based on historical data and experience or kind of a combination of both?

Chris It’s kind of a combination of both. I mean, one of the things that is pretty standard is whether we’re negotiating to actually reduce the ransom payment because the intent is that we’re going to pay or if we’re just negotiating to buy time so we can get through containment and kind of kick them out before they escalate. One of the things we always do is we ask for proof of life. So they give us a file tree of data that they’ve exfiltrated. And that’s where we sit down with the client then and analyze and we’re like, let’s look at this data. What is the sensitivity of this data? Are there things in here like PII, EPHI, PCI data, stuff like that? So once we understand what the sensitivity is of the data, we then say, can any of this data be recreated if you never get it back again? And if they say yes or no, then that kind of elevates and moves the discussion towards, well, if we have no way to recreate this and the impact of losing it is going to be greater than the cost of what we’re being asked to pay, you start weighing the options there. You know, I will always advise clients, I’m like, you are dealing with criminals. So, you know, there’s no guarantee that they’re going to follow through. But in some cases, like in this last instance, they had no backups. They had nothing where they could revert back to anything. So they were kind of pushed up against the wall.

Greg You said a term there that really opened my eyes on how viewing this. And I’m surprised I never really thought about it before. But you use the term, you ask for proof of life. And to me, that is a term that’s used when you have someone who’s kidnapped and then they’re being held for ransom. And the epiphany that I had in my brain is that there really isn’t a lot of differences with regards to how you negotiate in those two circumstances there.

Chris Yeah, there’s a lot of parallels there. And, you know, I think when you understand what the true intention is, when they exfiltrate this data and they keep it, it is, what they’re looking for is a lot of time PII data or EPHI, and those are all tied to identities and humans. So it’s this kind of weird phrase that has kind of worked its way into ransom negotiations that, yeah, give us proof of life that you actually have that data and then we’ll continue the conversation.

Greg That’s fascinating. I never really made that parallel before. But, you know, I can only imagine. I have dealt with clients that have had ransomware like sometimes, but certainly not hundreds of times. And each time, though, the few, I could probably count on both hands that I’ve had to deal with, if that much. Fortunately, knock on wood. But it can be very stressful and particularly when you’re end of life event for a business, that just that alone is a very, very stressful thing to go through as the professional. I mean, we have a lot of stress in our field as it is, but you layer that on top of it and then, of course, layer on top of being a business owner. I’m sure you have to deal with a lot of stress. What’s one of the things that you do to help decompress from the stress that you’re dealing with in this wonderful field?

Chris Yeah, it is definitely something that’s really important. And I tell folks all the time. I’m like, if you want to do this long term, you have to find ways to deal with stress. Because even, you know, whether you’re on blue team or incident response, it’s stressful, no matter what. I like to do, I lift weights, and I do a lot of hiking, I love being outdoors. I spend so much of my time connected to technology that the separation and the complete opposite of being outdoors and disconnected is just something that recharges me and kind of quiets everything down so I can focus and come back refreshed.

Greg I can definitely relate, and particularly getting out into nature. Yesterday, first time this season, we had a day that was in the mid-sixties, and we’ve finally been able to dry out a little bit, was able to go mountain biking for the first time. Early in the morning, spent an hour, a little more than an hour in the woods by myself, riding around, slipping on roots. You know what I mean? But I was thinking to myself, oh, I just can’t wait till things just start getting green again. And yeah, there’s something about forest bathing that you just totally decompress.

Greg Well, what future plans you got coming up, Chris? I mean, are you going to be able to eradicate ransomware from the face of the earth? We have it on our roadmap. That’s Q four, right? That’s always what the answer is. It’s like Q four. We’ll have it wrapped up by then.

Chris No, we’re excited. We’re growing, working with some great partners and we’re really excited. As much as we’re an incident response and reactive, we have a lot of reactive services, we’re really trying to get that message out there to customers that I’m like, I can definitely do more for you minimizing the impact of a cyber attack if we prepare for one ahead of time as opposed to just reacting. At that point, I’m stopping bleeding. You know, I can only do so much. I want to get it to the point where you’re not bleeding in the first place. So, so yeah, we’re excited and we just got certified as a New York State veteran-owned business. So we’re starting to take on state contracts and things like that and grow that part of our business as well.

Greg Well, congratulations on that. I obviously haven’t dealt with the New York State aspect of it, although I lived in New York for a long time, but it’s been thirty plus years since I moved out. But as far as the federal getting qualified as a veteran-owned business, and the number of hoops that I had to jump through just seemed at first on the surface, like rather ridiculous. And then I kept reminding myself, it’s the government. It’s the government. It’s okay. That’s the way it’s supposed to be. It’s like, you know, and then the beauty of like doing something with the government is that once you get to a point where you’ve got everything set, it’s equally difficult to unspool it. And so it’s like, you know, it’s almost like you’ve reached government tenure or something.

Greg Well, Chris, thank you so much for joining us today. Fascinating stuff. You know, unfortunately, I know I joked about the eradication of ransomware, but unfortunately, I mean, that’s just something that is most likely always going to be with us. Whenever there’s some way that criminals can exploit the human condition, they will for profit. And sometimes just even just to mess with people. And it’s unfortunate, but it’s a reality we live in. And it’s great that there are people like you out there that are helping to help balance the ship, so to speak. So thank you so much for joining us today.

Chris Thank you, Greg. I appreciate it.

Greg Everybody, stay secure.