Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Crisis Communication for Incident Response

Scott J. Roberts
July 08, 2015
Technology
2
7.7k

Crisis Communication for Incident Response

My presentation at SANS DFIR Summit 2015.

Scott J. Roberts

July 08, 2015
Tweet

More Decks by Scott J. Roberts

See All by Scott J. Roberts
Tortured Responders Dept - Scott & Rebekah's Edition
sroberts
0
94
Skynet the CTI Intern: Building Effective Machine Augmented Intelligence
sroberts
0
67
DRIVING INTELLIGENCE WITH MITRE ATT&CK: LEVERAGING LIMITED RESOURCES TO BUILD AN EVOLVING THREAT REPOSITORY
sroberts
0
31
Exploring Threat Intelligence: Insights and Tools from Vertex Synapse
sroberts
0
23
Homemade Ramen & Threat Intelligence
sroberts
2
490
Introduction to Open Source Security Tools
sroberts
3
4.8k
Building Effective Threat Intelligence Sharing
sroberts
1
110
Japanese Manufacturing, Killer Robots, & Effective Incident Handling
sroberts
0
110
Crisis Communication for Incident Response
sroberts
1
320

Other Decks in Technology

See All in Technology
AWS Lambda のトラブルシュートをしていて思うこと
kazzpapa3
2
170
【令和最新版】AWS Direct Connectと愉快なGWたちのおさらい
minorun365
PRO
5
750
Lambdaと地方とコミュニティ
miu_crescent
2
370
誰も全体を知らない ~ ロールの垣根を超えて引き上げる開発生産性 / Boosting Development Productivity Across Roles
kakehashi
1
220
インフラとバックエンドとフロントエンドをくまなく調べて遅いアプリを早くした件
tubone24
1
430
スクラム成熟度セルフチェックツールを作って得た学びとその活用法
coincheck_recruit
1
140
ノーコードデータ分析ツールで体験する時系列データ分析超入門
negi111111
0
410
Application Development WG Intro at AppDeveloperCon
salaboy
0
180
Terraform CI/CD パイプラインにおける AWS CodeCommit の代替手段
hiyanger
1
240
Shopifyアプリ開発における Shopifyの機能活用
sonatard
4
250
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
160
Lambda10周年!Lambdaは何をもたらしたか
smt7174
2
110

Featured

See All Featured
XXLCSS - How to scale CSS and keep your sanity
sugarenia
246
1.3M
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
No one is an island. Learnings from fostering a developers community.
thoeni
19
3k
Designing the Hi-DPI Web
ddemaree
280
34k
Visualization
eitanlees
145
15k
Faster Mobile Websites
deanohume
305
30k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
229
52k
Making the Leap to Tech Lead
cromwellryan
133
8.9k
Put a Button on it: Removing Barriers to Going Fast.
kastner
59
3.5k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
Scaling GitHub
holman
458
140k
The World Runs on Bad Software
bkeepers
PRO
65
11k

Transcript

  1. CRISIS COMMS FOR INCIDENT RESPONSE

  2. INTRODUCTION

  3. SCOTT J ROBERTS ADVANCED PERSISTENT INCIDENT RESPONDER @SROBERTS

  4. I WORK FOR GITHUB...

  5. IF YOU TWITTER @SROBERTS & #CCIR

  6. DISCLAIMER: I AM NOT A PUBLIC RELATIONS SPECIALIST

  7. BUT I CONSULTED A COUPLE four to be precise...

  8. THIS STARTED AS A BLOG POST...1 1 http://sroberts.github.io/2014/09/22/crisis-comms-for-ir/

  9. None

  10. WHAT IS CRISIS COMMS?

  11. [...] a sub-specialty of the public relations profession that is

    designed to protect and defend an individual, company, or organization facing a public challenge to its reputation. Wikipedia: Crisis Communications

  12. AKA: WHAT YOU SAY WHEN EVERYTHING GOES WRONG.

  13. WHEN TO DO CRISIS COMMS???

  14. A BREACH

  15. A VULNERABILITY

  16. A DDOS

  17. None

  18. NOT A (BREACH|VULN|DDOS)...

  19. 5 KEYS OF IR COMMUNICATION

  20. BE CLEAR

  21. IT'S DIFFICULT TO INVESTIGATE INTRUSIONS

  22. IT'S DIFFICULT TO EXPLAIN INTRUSIONS

  23. IMAGINE BEING NON-DFIR? OR ONLY SEMI-TECHNICAL? OR FULLY NON-TECHNICAL?

  24. The Rule: EVERYTHING SHOULD BE ON A 5TH GRADE READING

    LEVEL

  25. WITHOUT UNDERSTANDING VICTIMS WILL REMAIN CONFUSED & CRITICS WILL REMAIN

    SKEPTICAL

  26. CLARITY GOES BEYOND ONE MESSAGE STAY CONSISTENT ACROSS MESSAGES &

    MEDIUMS

  27. ATTRIBUTION

  28. BAD WORDS "ADVANCED" "PERSISTENT" "SOPHISTICATED" "UNUSUAL" "NATION STATE" "ZERODAY" ETC

  29. PERSONAL ASIDE: WHY CAN'T SOMEONE GET HACKED BY A basic,

    dumb, & lazy attacker??

  30. "You need to prepare for today's media culture, in which

    a tweet can become newsworthy and a news interview can become tweet-worthy." Brad Phillips of Phillips Media Relations

  31. BE TIMELY

  32. TOO EARLY: YOU HAVE TO MAKE LOTS OF FOLLOW-UPS &

    SEEM OUT OF CONTROL

  33. TOO LATE: YOUR WARNING IS LESS ACTIONABLE & YOU SEEM

    OBLIVIOUS

  34. IN THE END THE BEST OPTION IS OFTEN TO OVER

    COMMUNICATE & ASSUME THE WORST

  35. "IT WASN'T AS BAD AS WE INITIALLY THOUGHT..." VS. "ACTUALLY

    IT'S WORSE THAN WE THOUGHT..."

  36. LEGAL/REG REQUIREMENTS INDUSTRY OR LOCATION SEC, PCI, HIPPA, PCI, ETC

  37. "The secret of crisis management is not good vs. bad,

    it's preventing the bad from getting worse." Andy Gilman of Comm Core Consulting Group

  38. BE ACTIONABLE

  39. WHAT IS THE ORGANIZATION DOING TO MITIGATE THE PROBLEM?

  40. WHAT IS THE ORGANIZATION DOING TO REMEDIATE THE PROBLEM?

  41. HOW CAN PEOPLE IDENTIFY IF THEY ARE AFFECTED?

  42. WHAT IS THE ORGANIZATION DOING TO PROTECT USERS?

  43. HOW CAN PEOPLE PROTECT THEMSELVES IF THEY ARE AFFECTED?

  44. "Next to doing the right thing, the most important thing

    is to let people know you are doing the right thing." John D. Rockefeller

  45. BE RESPONSIBLE

  46. This one is scary...

  47. ADMITTING WHAT WENT WRONG AND SAYING YOU ARE SORRY

  48. RESPONSIBILITY TAKES COLLABORATION SECURITY TEAM PUBLIC RELATIONS TEAM LEGAL TEAM

    CUSTOMER SUPPORT

  49. VENDOR NAME DROPPING

  50. "Always acknowledge a fault frankly. This will throw those in

    authority off their guard and give you opportunity to commit more." Mark Twain

  51. BE HUMAN

  52. YOU CAN'T OVERVALUE A SENSE OF HUMANITY IN A CRISIS

    IT'S WILDLY DIFFICULT & CRITICALLY IMPORTANT

  53. HOW TO SOUND HUMAN ▸ Start all communications go through

    a single person ▸ Avoid Legal-ese & Jargon ▸ Say it, write it, read it to yourself, then read it out loud ▸ Get outside feedback, but don't sound like a committee

  54. AUDIENCE

  55. EXTERNAL PRESS, SOCIAL MEDIA, PUBLIC STATEMENTS

  56. EXECUTIVE FOCUS ON CLARITY, AVOID FUD

  57. INTERNAL IF EMPLOYEES DON'T HAVE A MESSAGE THEY'LL INVENT ONE

  58. INTEL SHARING YOU AREN'T ON THOSE SECRET SQUIRREL MAILING LISTS

    JUST TO FEEL COOL... right?

  59. "If you don't tell your story, someone else will." Unknown

  60. MEDIUMS

  61. WEB LIKELY THE BEST...

  62. EMAIL WHEN YOU KNOW THOSE AFFECTED...

  63. SOCIAL MEDIA BECAUSE THIS ISN'T 1970...

  64. PRESS RELEASE BECAUSE YOU THINK IT IS 1970...

  65. CASE STUDIES

  66. TARGET VICTIM: CONSUMER RETAIL ATTACKER: CRIMINAL GROUP

  67. TIMELINE: ▸ ??: Intrusion Begins ▸ Nov. 27 - Dec.

    15, 2013: Fraud Takes Place ▸ Dec. 15, 2013: Breach Confirmed Internally, 40 million cards affected ▸ Dec. 18, 2013: Brian Krebs First Article

  68. TIMELINE (CONT.): ▸ Dec. 19, 2013: Target Acknowledges Breach: Minimal

    Impact ▸ Dec. 20, 2013: Target announces "very few"2 reports of card fraud ▸ Dec. 21, 2013: Banks begin reissuing cards proactively 2 http://www.wsj.com/news/articles/SB10001424052702304773104579270591741798968

  69. TIMELINE (CONT.)(YET AGAIN):3 ▸ Dec. 27, 2013: 3rd Party IR

    identifies stolen card/pin information ▸ Jan. 10, 2014: Access to an additional 70 Million accounts announced ▸ Jan. 22, 2014: 475 employees from HQ laid off w/700 open recs 3 http://blogs.wsj.com/corporate-intelligence/2013/12/27/targets-data-breach-timeline/ & http://www.ibtimes.com/timeline-targets-data- breach-aftermath-how-cybertheft-snowballed-giant-retailer-1580056
  70. None
  71. None
  72. None
  73. None
  74. None
  75. None

  76. AND A BUNCH MORE....

  77. None

  78. CLEAR: 4/10 6+ LINKS VS. 1 KREBS ARTICLE...

  79. TIMELY: 4/10 EARLY & OFTEN BACKFIRED...

  80. ACTIONABLE: 3/10 NO IDEA...

  81. RESPONSIBLE: 7/10 DEPENDS WHERE YOU LOOK...

  82. KEY STATEMENT "Our top priority is taking care of you

    and helping you feel confident about shopping at Target, and it is our responsibility to protect your information when you shop with us. We didn’t live up to that responsibility, and I am truly sorry." Gregg Steinhafel CEO of Target

  83. HUMAN: 5/10 CEO WAS GREAT BUT A LOT OF PR...

  84. FINAL SCORE: 48% A GOOD LEARNING EXPERIENCE...

  85. PENN STATE ENGINEERING VICTIM: EDUCATION/GOVERNMENT ATTACKER: NATION STATE

  86. TIMELINE ▸ Unknown: Intrusions 1 & 2 Begin ▸ Nov.

    21, 2014: FBI Notification ▸ May 15, 2015: Engineering Network Offline & Statements Released (Students, Press, & Partners) ▸ May 18, 2015: PSU Announces Network Back Online
  87. None
  88. None
  89. None
  90. None
  91. None
  92. None

  93. KEY STATEMENTS In order to protect the college’s network infrastructure

    as well as critical research data from a malicious attack, it was important that the attackers remained unaware of our efforts to investigate and prepare for a full-scale remediation.

  94. CLEAR: 7/10 YOU JUST NEED TO READ 3 SITES AND...

  95. TIMELY: 7/10 TOOK THEIR TIME hopefully FOR A REASON

  96. ACTIONABLE: 8/10 NOT MUCH... UNLESS YOU ARE ARL

  97. RESPONSIBLE: 8/10 ONCE YOU FIND IT...

  98. HUMAN: 8/10 ONCE YOU FIND IT... AGAIN...

  99. FINAL SCORE: 76% A SOLID C WITH A B- AFTER

    THE CURVE

  100. SLACK VICTIM: SAAS CHAT PROVIDER ATTACKER: CRIMINAL

  101. TIMELINE ▸ Early February: Incident Began ▸ Early February: Incident

    Ongoing Four Days ▸ March 27 Web Notification Released ▸ March 27 Email Notifications Released
  102. None
  103. None
  104. None
  105. None

  106. KEY STATEMENTS Information contained in this user database was accessible

    to the hackers during this incident. & No financial or payment information was accessed or compromised in this attack.

  107. CLEAR: 9/10 NO VECTOR, BUT OTHERWISE EVERYTHING

  108. TIMELY: 10/10 CONTROLLED BASED ON INVESTIGATION

  109. ACTIONABLE: 10/10 FEATURES & EVERYTHING

  110. FEATURE: TWO FACTOR AUTHENTICATION

  111. FEATURE: PASSWORD KILL SWITCH

  112. RESPONSIBLE: 9/10 LIMITED ON MISTAKES, FOCUS ON ACTIONS

  113. HUMAN: 8/10 GOOD WORDS, LIMITED IDENTITY

  114. FINAL SCORE: 94% Curve Buster!!!

  115. OTHER ORGS DOING WELL PF CHANG'S LASTPASS DNSIMPLE BUFFER GitHub

    (IMHO) HTTP://F&$KYEAHPOSTMORTEMS.TUMBLR.COM/

  116. IN CLOSING

  117. "It takes 20 years to build a reputation and five

    minutes to ruin it. If you think about that, you'll do things differently." Warren Buffet

  118. MAKE A PLAN KNOW YOUR STAKEHOLDERS KNOW YOUR DECISION MAKERS

    KNOW YOUR METHODS KNOW YOUR Voice

  119. BE CLEAR BE TIMELY BE ACTIONABLE BE RESPONSIBLE BE HUMAN

  120. THANKS TO: ▸ Kate Guarente of GitHub ▸ Rachel Vandernick

    of WebPageFX ▸ Kristin Reichardt-Rummell of Swish Media ▸ Mark Imbriaco of OperableInc

  121. @SROBERTS OF GITHUB ORIGINAL POST: HTTP://GIT.IO/VKMYC

  122. THANK YOU!!!

  123. None

  124. QUESTIONS???

  125. None