
Crisis Communication for Incident Response

Presented at the SANS Leadership Summit on 9/28/16.


Scott J. Roberts

September 28, 2016

Transcript

  1. CRISIS COMMS For Incident Response

  2. INTRODUCTION

  3. Security Ops Manager, SIRT at GitHub; Author of Intelligence Driven IR; SANS Instructor in Training & CTI Summit Board: SCOTT J ROBERTS
  4. @SROBERTS/#CCIR If you Twitter…

  5. DISCLAIMER: I’m not a public relations specialist

  6. BUT: I consulted quite a few… 4, for those of you counting…
  7. THIS STARTED AS A BLOG POST... http://sroberts.github.io/2014/09/22/crisis-comms-for-ir/

  9. WHAT IS CRISIS COMMUNICATIONS?

  10. – Wikipedia: Crisis Communications [...] a sub-specialty of the public relations profession that is designed to protect and defend an individual, company, or organization facing a public challenge to its reputation.
  11. AKA: What you say when everything goes wrong.

  12. WHEN TO DO CRISIS COMMUNICATIONS?

  13. A BREACH

  14. A VULNERABILITY

  15. A DDOS

  16. NOT ANY OF THOSE

  17. FIVE KEYS OF INCIDENT RESPONSE COMMUNICATION

  18. BE CLEAR

  19. WHAT HAPPENED, HOW IT HAPPENED, WHEN IT HAPPENED, WHERE IT HAPPENED
  20. IT’S DIFFICULT TO INVESTIGATE INCIDENTS

  21. IT’S DIFFICULT TO EXPLAIN INCIDENTS

  22. IMAGINE BEING: NON-SECURITY, ONLY SEMI-TECHNICAL, FULLY NON-TECHNICAL

  23. THE RULE: 5th grade reading level

  24. WITHOUT UNDERSTANDING, VICTIMS WILL BE CONFUSED & CRITICS WILL BE SKEPTICAL

  25. CLARITY GOES BEYOND ONE MESSAGE - STAY CONSISTENT ACROSS MESSAGES & MEDIUMS
  26. ATTRIBUTION

  27. BAD WORDS: Advanced, Persistent, Sophisticated, Unusual, Zeroday, etc.

  28. – Brad Phillips of Phillips Media Relations: You need to prepare for today's media culture, in which a tweet can become newsworthy and a news interview can become tweet-worthy.
  29. BE TIMELY

  30. TOO EARLY: You have to make lots of follow-ups & seem out of control

  31. TOO LATE: Your warning is less actionable & you seem oblivious

  32. IN THE END THE BEST OPTION IS OFTEN TO OVER-COMMUNICATE & ASSUME THE WORST

  33. "IT WASN'T AS BAD AS WE INITIALLY THOUGHT…" VS "ACTUALLY IT'S WORSE THAN WE THOUGHT..."

  34. LEGAL/REG REQUIREMENTS: Industry or Location (SEC, PCI, HIPAA, etc.)

  35. – Andy Gilman of Comm Core Consulting Group: The secret of crisis management is not good vs. bad, it's preventing the bad from getting worse.
  36. BE ACTIONABLE

  37. WHAT IS THE ORGANIZATION DOING TO MITIGATE THE PROBLEM?

  38. WHAT IS THE ORGANIZATION DOING TO REMEDIATE THE PROBLEM?

  39. HOW CAN PEOPLE IDENTIFY IF THEY ARE AFFECTED?

  40. WHAT IS THE ORGANIZATION DOING TO PROTECT USERS?

  41. HOW CAN PEOPLE PROTECT THEMSELVES IF THEY ARE AFFECTED?

  42. – John D. Rockefeller: Next to doing the right thing, the most important thing is to let people know you are doing the right thing.
  43. BE RESPONSIBLE

  44. THIS ONE IS SCARY

  45. ADMITTING WHAT WENT WRONG AND SAYING YOU’RE SORRY

  46. COLLABORATION: Security Team, Public Relations Team, Legal Team, Customer Support

  47. NAME DROPPING: Vendors specifically…

  48. – Mark Twain: Always acknowledge a fault frankly. This will throw those in authority off their guard and give you opportunity to commit more.
  49. BE HUMAN

  50. CREATING A SENSE OF HUMANITY IS WILDLY DIFFICULT & CRITICALLY IMPORTANT

  51. SOUNDING HUMAN: All communications go through one person. Say it, write it, read it, then read it out loud. Get some outside feedback.
  52. AUDIENCE

  53. EXTERNAL: Press, Social Media, Public Statements

  54. EXECUTIVE: Focus on Clarity, Avoid FUD

  55. INTERNAL: If employees don't have a message they'll invent one

  56. INTEL SHARING: You aren't on those secret squirrel mailing lists just to feel cool... right?

  57. – Unknown: If you don't tell your story, someone else will.
  58. MEDIUMS

  59. WEBSITE: Likely the best…

  60. EMAIL: When you know those affected…

  61. SOCIAL MEDIA: Because it isn’t 1970…

  62. PRESS RELEASES: Because sometimes it is the 1970s…

  63. INTERNAL SHARING: However your organization does that…

  64. CASE STUDIES

  74. Time / Action
    ???: Intrusion Begins
    11/27-12/15: Fraud Takes Place
    12/15/13: Breach Confirmed Internally, 40 million cards
    12/18/13: First Krebs Article
    12/19/13: Target Acknowledges Breach
    12/20/13: Target says “very few cards”

  75. Time / Action
    12/21/13: Banks start reissuing cards proactively
    12/27/13: 3rd Party IR identifies stolen card/pins
    1/20/2014: 70 million additional accounts announced
    1/22/14: 475 employees laid off w/700 open recs
    5/2/14: CEO Gregg Steinhafel Ousted
  76. CLEAR: 4/10 6+ links vs 1 Krebs article

  77. TIMELY: 4/10 Early & often backfired…

  78. ACTIONABLE: 3/10 No idea…

  79. RESPONSIBLE: 7/10 Depends where you look…

  80. – Gregg Steinhafel, (Now Former) CEO of Target: Our top priority is taking care of you and helping you feel confident about shopping at Target, and it is our responsibility to protect your information when you shop with us. We didn’t live up to that responsibility, and I am truly sorry.
  81. HUMAN: 5/10 CEO was great but a lot of PR…

  82. Characteristic / Score
    Clear: 3
    Timely: 4
    Actionable: 3
    Responsible: 7
    Human: 5
    TOTAL: 22/50 (44%)
  91. Time / Action
    Late 2014: Initial Compromise
    07/16: "Peace" tried selling account information
    07/25: Sale of Yahoo to Verizon announced
    ~August: Internal investigation finds 2014 attack
    09/22: Compromise Information Released
    09/27: Senators request formal timeline & info
  92. CLEAR: 9/10 Low FUD & Single Official Source

  93. TIMELY: 5/10* Senators are curious… *(+/-4)

  94. ACTIONABLE: 9/10 What you do, what they do, etc…

  95. RESPONSIBLE: 5/10 Focus on tools available

  96. HUMAN: 6/10 Feels like a lawyer wrote it…

  97. Characteristic / Score
    Clear: 9
    Timely: 5
    Actionable: 9
    Responsible: 5
    Human: 6
    TOTAL: 34/50 (68%)
  103. Time / Action
    Early 02/15: Incident Begins
    Early 02/15: Incident Ongoing (Four Days)
    03/27: Web & Email Notifications Posted

  104. – Slack Statement: Information contained in this user database was accessible to the hackers during this incident.

  105. – Slack Statement: No financial or payment information was accessed or compromised in this attack.
  106. CLEAR: 9/10 No vector but otherwise everything

  107. TIMELY: 10/10 Controlled based on investigation

  108. ACTIONABLE: 10/10 Features & everything

  109. FEATURE: Two Factor Authentication

  110. FEATURE: Password Kill Switch

  111. RESPONSIBLE: 9/10 Limited on mistakes but focused on actions

  112. HUMAN: 8/10 Good words, limited identity

  113. Characteristic / Score
    Clear: 9
    Timely: 10
    Actionable: 10
    Responsible: 9
    Human: 8
    TOTAL: 46/50 (94%)
  114. IN CLOSING

  115. – Warren Buffett: It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently.

  116. MAKE A PLAN - Know Your Stakeholders - Know Your Decision Makers - Know Your Methods - Know Your Voice

  117. Be Clear. Be Timely. Be Actionable. Be Responsible. Be Human.

  118. THANKS TO • Kate Guarente & Katelyn Bryant of GitHub • Rachel Vandernick of Elizabethtown College • Kristin Reichardt-Rummell of Swish Media • Mark Imbriaco of OperableInc

  119. THANK YOU. Original Post: http://git.io/vkMyC @sroberts & sroberts@github.com. Let's have a conversation…