CHAPTER 7 Teamwork in the Midst of the Fire

Coming together is a beginning. Keeping together is progress. Working together is success.

–Henry Ford

Maria Thompson is the Public Sector CISO for Amazon Web Services (AWS). The significant cybersecurity incidents she recounts occurred in 2020, while she was the award-winning chief risk officer (CRO) for the State of North Carolina.

One significant cybersecurity incident impacted a county and a connected city, which were affected by two different strains of ransomware. Neither was ever able to identify without a doubt which entity affected the other. This was because once teams started investigating as part of the foundational forensics process, everyone quickly realized that there was a “relationship issue,” meaning a lack of relationship between the two organizations. One entity refused to accept any support or to allow the state's Joint Cyber Task Force (JCTF) to conduct forensics in the environment. Anyone who understands an incident response process or has worked in computer forensics understands the importance of identifying how an incident occurred. Having that understanding and the forensic details allows responders to map the path of the hacker and understand the tactics, techniques, and procedures (TTPs) used in the compromise.

The incident began when Maria's agency was notified of a ransomware attack within one city. The typical response for the JCTF is to establish a scoping call with the victim organization to understand their level of ...

Get Cyber Mayday and the Day After now with the O’Reilly learning platform.