Slide 1

Know Your Audience: Using Personas for Better PSIRT Outcomes
Mark Stanislav - Information Security Architect, Cisco
[email protected]

Slide 2

I Normally Skip This Slide, But…

Currently:
• Information Security Architect, Cisco
• PhD Student in Cybersecurity, Dakota State University

(Selected) Prior Roles:
• Head of Application Security/PSIRT
• MSP/MSSP Consultant
• Security Researcher
• UNIX Administrator
• Web Developer
• IT Help Desk

Slide 3

Why Do You Care? Because Personas!

“A persona funnels data about a user segment into a fictional character, along with other useful information that is relevant to your business. It’s important to focus on behavioral drivers, mindset, and attitudes as this will help your personas to become full representations of real people.”
https://designli.co/blog/how-to-build-user-personas-to-guide-product-development/

“Mark, The College Student” will have different problems, goals, and expectations than “Mark, The Security Researcher”.

Slide 4

Building a Persona, NOT a Stereotype

Based on Research:
• Direct Interviews
• Review Case Studies
• Data Gathering & Analysis
• Ask Domain Experts
• Academic Publications
• Surveys/Questionnaires
• Industry Blogs/Podcasts
• Observe People Working

“Creating personas can help you step out of yourself. It can help you to recognise that different people have different needs and expectations, and it can also help you to identify with the user you’re designing for.”
https://www.interaction-design.org/literature/topics/personas

Slide 5

Example Persona
https://designli.co/blog/how-to-build-user-personas-to-guide-product-development/

Slide 6

But How Does This Apply to PSIRT?
• Helps to ensure a great “customer” experience, each time
• Provide tailored, thoughtful interactions with the reporter
• Avoid missteps that could lead to unnecessary conflict
• Focus your effort on the needs/desires of the reporter
• Reduce the frustration of your frontline PSIRT members

Slide 7

Defining Personas for a PSIRT

Non-customer Types:
• Bug Bounty Hunter (Bin the Bounty Hunter)
• Security Researcher (Mel the Security Researcher)

Customer Types:
• Security Engineer (Suneil the Security Engineer)
• IT Administrator (Gary the IT Administrator)
• End-user, Corporate (Lee the End-user)
• End-user, Student (Andy the End-user)

Slide 8

Duo Security Uses Personas Extensively
Custom made by the Design Research team

Slide 9

“But where do I find data for personas?”
https://www.hackerone.com/resources/reporting/the-2020-hacker-report

Slide 10

Bin the Bounty Hunter

Background:
- Early 20s; living in Tianjin, China
- Finishing computer science degree at Nankai University
- Works part-time as an information security analyst
- Has most nights & weekends free to follow his passions

Motivations:
- Earning extra income to travel after leaving university
- Develop an online reputation for having security expertise
- Impressing his infosec friends online and at university

(Image: https://www.istockphoto.com/photo/license-gm1028398136)

Slide 11

So Why is This Our Bounty Hunter?

An entry-level security analyst earns $60,000 in the U.S. and $20,000 in China.
https://www.salaryexpert.com/

HackerOne 2020 Report
https://www.hackerone.com/resources/reporting/the-2020-hacker-report

Slide 12

Inform PSIRT Decisions via Personas

Context | Likelihood Level | The Context
Speak at an Industry Event | Medium | Some bounty hunters may present findings of their work at industry conferences, giving me exposure to those results
Publish Emails With Vendors | High | Entire communication threads may be shared in public forums, paste boards, social media, etc. after the fact
Post Information to Twitter | High | Tweets may contain bug bounty stories and/or PoC exploits
Post Information to a Blog | High | Long-form write-ups may include detailed steps of a bounty finding and/or communications with the vendor about it
Be Combative in Interactions | Medium | Closing a bug without a reward or not accepting an issue can cause a rift between the vendor and the bug bounty hunter
Ask for a Bounty/Reward | High | Bounty hunters are usually looking for a reward – preferably in cash, but in other contexts vendor swag/reputation points
Contact Press/Media Outlets | Low | Bounty hunters may not have the media resources that a security firm’s researcher team can access for news stories
Impact Business Revenues | Low | Bounty hunters are not likely to be paying customers, so the impact to revenue would be through secondary causes

Slide 13

So We Should…

Try To…
• Verify that they have read our Security Response page in full
• Determine any blogs, Twitter accounts, etc. they may post to
• Clarify that we [do/do not] have a bounty program or do rewards
• Review any previous submissions to determine their history

Try Not To…
• Tell them we will "fix" issues if there's no real priority/risk to it
• State anything in responses to them you don't want published
• Overstate the value of the issue when just trying to be polite
• Take their "risk" evaluation to heart without initial triage done

Slide 14

Frame the Potential Consequences

A bounty hunter submitted a high-severity defect in our service but was upset when we declined to pay a bounty without explanation. Rather than explain our published policies, we rudely ignored them.

The bounty hunter published the defect’s details, a working PoC, the entirety of our email communications, and a scathing narrative on their blog, which drew thousands of re-tweets by security professionals.

Numerous CISOs at high-value customers are enraged: the PSIRT’s poor handling created a situation in which their service with us was being actively exploited.

Slide 15

Comparing Two Personas

Bounty Hunter (Bin) | IT Administrator (Gary)
Early 20s, single student | Mid-40s, married w/ kids
Wants to earn extra cash | Looking to keep their job
Actively looking for bugs | Accidentally finds bugs
Can provide a full exploit | Gives basic how-to info
Will write a blog if upset | Poor help? No contract.

Slide 16

Broader Comparison of Personas

Slide 17

A Real Anecdote on Personas
• Reporter: Key “Security Engineer” at a major technology company
• Issue: Security design concern with a heavily used code base
• PSIRT Response: Acknowledged the Reporter’s concern, but with “boilerplate” language, ignoring the reporter’s domain expertise
• Reporter Response: Told the PSIRT they would publish details on their corporate blog, including details about our poor, unhelpful interactions
• Solution: Involved a mutual industry friend to help “reset” relations and effectively start over with the Reporter. Ended up changing code that helped to address their concerns – which they gave us a PoC of, even!

Slide 18

A Real Anecdote on Personas, Cont.
• Speak at an Industry Event
• Publish Emails With Vendors
• Post Information to Twitter
• Post Information to a Blog
• Be Combative in Interactions
• Ask for a Bounty/Reward
• Contact Press/Media Outlets
• Impact Business Revenues

HIGH-RISK INTERACTIONS NEED HIGH-TOUCH RESPONSES
(Image: https://hero.fandom.com/wiki/Kevin_McCallister)

Slide 19

Learning About Your Reporter (Sample)
• Who? The Reporter contacted us from their corporate email account
• What? The issue is a potential bypass of a security product’s feature
• Where? The Reporter’s vendor has an on-site evaluation deployment
• When? The Reporter found the issue today after applying an update
• Why? The Reporter wants to see if they misconfigured the product
• How? The Reporter shared screenshots and a step-by-step recreation

Find Out More!
• Review LinkedIn to determine the Reporter’s role in the organization and potential technical depth
• Find out where in the sales cycle the Reporter’s employer is and a basic idea of potential revenue
• Look for Twitter/Blog/Forum accounts where the Reporter may talk about work/industry topics
• Help clarify if this is a misconfiguration first as part of initial triage and then go from there

Slide 20

Maximize Your Disclosure Policy/Process
https://www.go-rbcs.com/articles/vulnerability-disclosure-and-management
• Set clear expectations on bug bounties/rewards
• Codify a detailed list of all excluded bug classes
• Define a “front door” preferred for defect handling
• Implement a security.txt to aid the bounty hunter
• Denote your PSIRT response SLA/working hours
• Provide initial defect submission requirements
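The security.txt recommended above is specified in RFC 9116 (served at /.well-known/security.txt over HTTPS as text/plain). The validator below is an added example for this page, not code from the talk or from any Cisco/Duo tooling; it checks the rules a PSIRT most often gets wrong: Contact is required and must be a URI, exactly one Expires field must be present and be a future RFC 3339 timestamp (RFC 9116 recommends less than a year out), and Preferred-Languages may appear at most once. The two sample files, the example.com addresses and the fixed reference date are constructed for the example.

```python
"""Minimal security.txt validator (RFC 9116 field rules). Added example, not from the slides."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Fields defined by RFC 9116. Field names are case-insensitive; values are free text or URIs.
KNOWN_FIELDS = {"Acknowledgments", "Canonical", "Contact", "Encryption",
                "Expires", "Hiring", "Policy", "Preferred-Languages"}
AT_MOST_ONCE = {"Expires", "Preferred-Languages"}
CONTACT_SCHEMES = ("mailto:", "https:", "tel:")  # Contact values MUST be URIs

# Constructed reference date so results are reproducible when run as a test.
FIXED_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

# Constructed sample: passes every check below.
GOOD = """\
# Constructed sample, not a real vendor's file
Contact: mailto:psirt@example.com
Contact: https://example.com/security
Expires: 2026-01-01T00:00:00Z
Preferred-Languages: en, zh
Policy: https://example.com/security-policy
Canonical: https://example.com/.well-known/security.txt
"""

# Constructed sample: bare email instead of a URI, duplicate Expires and
# Preferred-Languages, and an unregistered "Bounty" field.
BAD = """\
Contact: psirt@example.com
Expires: 2020-01-01T00:00:00Z
Expires: 2021-01-01T00:00:00Z
Preferred-Languages: en
Preferred-Languages: zh
Bounty: yes
"""


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Return {field name: [values...]}, skipping comments and blank lines.
    Names are normalised to the RFC's capitalisation so lookups are case-insensitive."""
    canonical = {name.lower(): name for name in KNOWN_FIELDS}
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line (no field separator): {raw!r}")
        name, _, value = line.partition(":")
        name = canonical.get(name.strip().lower(), name.strip())
        fields.setdefault(name, []).append(value.strip())
    return fields


def validate_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]
    problems: list[str] = []

    # Contact: required, one or more, each value a URI (order expresses preference).
    if "Contact" not in fields:
        problems.append("missing required field: Contact")
    for value in fields.get("Contact", []):
        if not value.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be a URI (mailto:/https:/tel:), got {value!r}")

    # Expires and Preferred-Languages: at most one occurrence each.
    for name in sorted(AT_MOST_ONCE):
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} may appear at most once")

    # Expires: required, RFC 3339 timestamp with a timezone, in the future, ideally < 1 year.
    expires = fields.get("Expires", [])
    if not expires:
        problems.append("missing required field: Expires")
    elif len(expires) == 1:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None:
                problems.append("Expires must carry a timezone (RFC 3339)")
            elif when <= now:
                problems.append("Expires is in the past; the file is stale")
            elif when - now > timedelta(days=365):
                problems.append("Expires is more than a year out; RFC 9116 recommends less")
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]!r}")

    for name in fields:
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field: {name}")
    return problems


if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD)):
        print(label, validate_security_txt(doc, FIXED_NOW) or ["ok"])
```

A stale Expires is the most common failure in deployed files: bounty hunters treat an expired security.txt as a sign the PSIRT mailbox is unattended, so schedule a refresh well before the date you publish.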

Slide 21

Principles for a Modern PSIRT
• Assume Positive Intent: Just because someone may want to publish a blog post or receive a t-shirt does not mean that they aren’t thoughtful and kind people doing their best to help out.
• Avoid Complacency: “Oh, we always have someone send this bug to us” may mean you’re missing important, subtle context.
• Manage Implicit Bias: Even the most well-meaning PSIRT can get frustrated at language barriers and “write off” a reporter for nothing more than a communication conflict; exercise patience!

Slide 22

But Most of All: Lead With Empathy
empathy (noun): the ability to understand and share the feelings of another.

Slide 23

Thank You!
Mark Stanislav
[email protected]
https://www.uncompiled.com

Appreciation to Duo Security’s Design Research team for sharing knowledge & content!