Slide 1

The Tortured Responders Department (Scott & Rebekah's Version)

Slide 2

It's me, hi
• Scott J Roberts
  • Instructor of Cyber Security @ Utah State University
  • CAI Masters Student (Also at USU)
• Rebekah Brown
  • Senior Researcher @ University of Toronto's Citizen Lab
  • SANS FOR578 Co-Author and Instructor

Slide 3

We're the Problem
We also wrote a book together…

Slide 4

This Started in 2016 As...

Slide 5

Based on Incidents At
• PF Chang's: 33 restaurants had their credit card processing compromised in 2014
• Target: Major credit card data breach in 2013, exposing information of approximately 40 million customers
• Yahoo!: In 2016, Yahoo disclosed a massive data breach affecting 3 billion user accounts, one of the largest in history
• Slack: In March 2015, Slack reported a data breach affecting about 500,000 users, exposing usernames, email addresses, and hashed passwords

Slide 6

But We Wanted to Revisit It with a 2024 Perspective…

Slide 7

Since 2016
• Public Awareness Has Changed
• Public Sophistication Has Changed
• Government Requirements Have Changed
• Cyber Threat Intelligence Has Become a Key Output

Slide 8

SANS Incident Response Cycle
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons Learned

Slide 9

SANS Incident Response Cycle
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons Learned

Slide 10

The Basics: What Is Crisis Communications?
"In short, it is the communication process used to respond to a threat to an organization's reputation. The crisis plan is used when there has been a major event." ~ PRLab

Slide 12

Why Worry About Your Org's Reputation
• Financial Impact: Incidents can lead to significant financial losses
• Trust and Credibility: Incidents erode customer trust and damage brand credibility
• Competitive Advantage: Can differentiate an organization from competitors
• Regulatory Compliance: Most industries face strict data protection regulations

Slide 13

When Your Reputation Might Be in Jeopardy
• Data Breach
• Major Publicly Facing Vulnerability (Esp. as a Vendor)
• Impactful Disruption
• Not These Things

Slide 14

The Point: Without understanding, victims will be confused and critics will be skeptical.

Slide 15

Five Keys of Incident Response Communications
• Clarity
• Timeliness
• Actionability
• Responsibility
• Humanity

Slide 16

Clarity
"A simple complication, miscommunication leads to fallout..." - The Story of Us
• What Happened
• How It Happened
• When It Happened
• The Impact

Slide 17

Clarity: Plain Language
• Include only relevant information
• Use words your customers use
• Use the active voice
• Be consistent
• Aim for a fifth-grade reading level

Slide 18

Clarity: Bad Words
• "Advanced"
• "Persistent"
• "Sophisticated"
• "Unusual"
• "Zero Day"
• "We take your [security/privacy/trust] very seriously"

Slide 19

Timeliness
• Too Early: Too many follow-ups & you seem out of control
• Too Late: Your warning is less actionable & you seem oblivious
• Best Option: Over-communicate & assume the worst
• Legal & Regulatory Requirements

Slide 20

Actionability
• What is the organization doing to mitigate the problem?
• What is the organization doing to remediate the problem?
• What is the organization doing to protect users?
• How do people know if they're affected?
• What can people do to mitigate the problem?
• What can people do to remediate the problem?

Slide 21

Responsibility
• Admitting what went wrong and saying you're sorry
• This is a collaboration with other teams (Security, PR, Legal, HR, Customer Support)
• May have legal requirements... or risk...

Slide 22

Humanity
• Sound human (and not like an LLM)
• Know your audience
• Consider external customers

Slide 23

Name Checking & "Bad Blood"
• Talk about others knowing you might be the next (us included)
• No "Deep Cuts". If you disagree, come talk to us!

Slide 25

Case Study: Target in 2016
• Attack Method: Hackers accessed Target's network through credentials stolen from a third-party HVAC vendor, then installed malware on point-of-sale systems to capture card data
• Timing and Scope: Occurred during the 2013 holiday shopping season, affecting approximately 40 million credit and debit card accounts and exposing personal data of up to 70 million customers
• Impact: The breach resulted in significant financial losses for Target (estimated at $202 million) & led to the resignation of CEO Gregg Steinhafel

Slide 26

Response: Target in 2016
• Delayed and Inconsistent Response: Target took several days to publicly acknowledge the breach and provided inconsistent information
• Underestimating Impact: The company initially downplayed the breach's severity, later revealing it affected more customers than first stated
• Lack of Empathy and Support: Early communications focused on technical details rather than addressing customer concerns
• Poor Leadership Visibility: Then-CEO Gregg Steinhafel's absence from early communications missed an opportunity to demonstrate strong leadership during the crisis

Slide 27

Scoring: Target in 2016
Response Characteristic: Score
• Clarity: 3
• Timeliness: 4
• Actionability: 3
• Responsibility: 7
• Humanity: 5
• Total: 22/50 (44%)

Slide 28

Response: Target in 2016
• Became the first major card issuer to use chip & PIN credit cards
• Established a Cyber Fusion Center for real-time threat monitoring, becoming an industry leader in detection, response, intel, & hunting
  • Shout out to David Bianco!
• Joined the Retail & Hospitality Intelligence Sharing & Analysis Center (RH-ISAC) to collaborate on cybersecurity issues

Slide 29

OG CC4IR Incidents
• Target
  • Clarity: 4, Timeliness: 4, Actionable: 3, Responsible: 7, Human: 5
  • Total: 22/50 (44%)
• Yahoo!
  • Clarity: 9, Timeliness: 5 (+/-4), Actionable: 9, Responsible: 5, Human: 6
  • Total: 34/50 (68%)
• Slack
  • Clarity: 9, Timeliness: 10, Actionable: 10, Responsible: 9, Human: 8
  • Total: 46/50 (96%)

Slide 31

Case Study: CrowdStrike in 2024
• Cause: A faulty configuration update to CrowdStrike's Falcon Sensor software that triggered an out-of-bounds memory read in the Windows sensor client.
• Scope: System crashes affecting roughly 8.5 million Windows systems globally, making it the largest outage in the history of information technology.
• Impact: Disruption of daily life, businesses, and governments around the world, highlighting the critical reliance on cybersecurity solutions and the potential consequences of software errors.
• Not a security incident, but still a crisis needing communication

Slide 32

Response: CrowdStrike in 2024

Slide 33

Response: CrowdStrike in 2024

Slide 34

Response: CrowdStrike in 2024

Slide 35

Response: CrowdStrike in 2024
Accepted the Pwnie for Most Epic Fail of 2024

Slide 36

Good Idea, Bad Execution

Slide 37

Scoring: CrowdStrike in 2024
Response Characteristic: Score
• Clarity: 8
• Timeliness: 10
• Actionability: 8.5
• Responsibility: 10
• Humanity: 9
• Total: 45.5/50 (91%)

Slide 39

Case Study: Microsoft in Nov 2023
• Cause: Successful password spraying attack exploiting a legacy test account
• Scope: Unauthorized access to corporate email system, exposing limited email metadata but no sensitive content
• Impact: Potential for targeted phishing and reputational damage, mitigated by Microsoft's prompt response and remediation

Slide 40

Response: Microsoft in Nov 2023

Slide 41

Response: Microsoft in Nov 2023

Slide 42

Response: Microsoft in Nov 2023

Slide 43

Response: Microsoft in Nov 2023

Slide 44

Case Study: Microsoft in Nov 2023
Response Characteristic: Score
• Clarity: 9
• Timeliness: 10
• Actionability: 9
• Responsibility: 10
• Humanity: 9
• Total: 47/50 (94%)

Slide 45

In Conclusion
• At the point where you need a crisis communication plan, it's way too late!!!
• Involve all your stakeholders, both in practice and execution!
• Wargame what scenarios you might be in and prepare for them, then score them!
• Collaborate, and practice collaborating!
• Avoid making the same mistakes twice… after all…

Slide 46

"I have this thing where I get older but just never wiser" – "Anti-Hero" from Midnights

Slide 47

Thank you!
