Crisis Communication for Incident Response

Presented at the SANS Leadership Summit on 9/28/16.

Scott J. Roberts

September 28, 2016

Transcript

  1. CRISIS COMMS
    For Incident Response

  2. INTRODUCTION

  3. Security Ops Manager: SIRT of GitHub
    Author of Intelligence Driven IR
    SANS Instructor in Training & CTI Summit Board
    SCOTT J ROBERTS

  4. @SROBERTS/#CCIR
    If you Twitter…

  5. DISCLAIMER:
    I’m not a public relations specialist

  6. BUT:
    I consulted quite a few…
    4 for those of you counting…

  7. THIS STARTED AS A
    BLOG POST...
    http://sroberts.github.io/2014/09/22/crisis-comms-for-ir/

  9. WHAT IS CRISIS
    COMMUNICATIONS?

  10. –Wikipedia: Crisis Communications
    [...] a sub-specialty of the public
    relations profession that is designed
    to protect and defend an individual,
    company, or organization facing a
    public challenge to its reputation.

  11. AKA:
    What you say when everything goes wrong.

  12. WHEN TO DO CRISIS
    COMMUNICATIONS?

  13. A BREACH

  14. A VULNERABILITY

  15. A DDOS

  16. NOT ANY OF
    THOSE

  17. FIVE KEYS OF
    INCIDENT RESPONSE
    COMMUNICATION

  18. BE CLEAR

  19. WHAT HAPPENED
    HOW IT HAPPENED
    WHEN IT HAPPENED
    WHERE IT HAPPENED

  20. IT’S DIFFICULT TO
    INVESTIGATE
    INCIDENTS

  21. IT’S DIFFICULT TO
    EXPLAIN INCIDENTS

  22. IMAGINE BEING
    NON-SECURITY
    ONLY SEMI-TECHNICAL
    FULLY NON-TECHNICAL

  23. THE RULE
    5th grade reading level

  24. WITHOUT UNDERSTANDING
    VICTIMS WILL BE CONFUSED
    &
    CRITICS WILL BE SKEPTICAL

  25. CLARITY GOES BEYOND
    ONE MESSAGE
    -
    STAY CONSISTENT ACROSS
    MESSAGES & MEDIUMS

  26. ATTRIBUTION

  27. BAD WORDS
    Advanced, Persistent, Sophisticated, Unusual,
    Zeroday, etc

  28. – Brad Phillips of Phillips Media Relations
    You need to prepare for today's
    media culture, in which a tweet
    can become newsworthy and a
    news interview can become
    tweet-worthy.

  29. BE TIMELY

  30. TOO EARLY
    You have to make lots of follow-ups
    &
    seem out of control

  31. TOO LATE
    Your warning is less actionable
    &
    you seem oblivious

  32. IN THE END THE BEST
    OPTION IS OFTEN TO
    OVER
    COMMUNICATE &
    ASSUME THE WORST

  33. "IT WASN'T AS BAD AS WE
    INITIALLY THOUGHT…"
    VS
    "ACTUALLY IT'S WORSE
    THAN WE THOUGHT..."

  34. LEGAL/REG
    REQUIREMENTS
    Industry or Location
    SEC, PCI, HIPAA, ETC

  35. – Andy Gilman of Comm Core Consulting Group
    The secret of crisis management is
    not good vs. bad, it's preventing
    the bad from getting worse.

  36. BE ACTIONABLE

  37. WHAT IS THE
    ORGANIZATION
    DOING TO MITIGATE
    THE PROBLEM?

  38. WHAT IS THE
    ORGANIZATION DOING
    TO REMEDIATE THE
    PROBLEM?

  39. HOW CAN PEOPLE
    IDENTIFY IF THEY ARE
    AFFECTED?

  40. WHAT IS THE
    ORGANIZATION
    DOING TO PROTECT
    USERS?

  41. HOW CAN PEOPLE
    PROTECT THEMSELVES
    IF THEY ARE
    AFFECTED?

  42. – John D. Rockefeller
    Next to doing the right thing, the
    most important thing is to let
    people know you are doing the
    right thing.

  43. BE RESPONSIBLE

  44. THIS ONE IS SCARY

  45. ADMITTING
    WHAT WENT WRONG
    AND
    SAYING YOU’RE
    SORRY

  46. COLLABORATION
    Security Team
    Public Relations Team
    Legal Team
    Customer Support

  47. NAME DROPPING
    Vendors specifically…

  48. –Mark Twain
    Always acknowledge a fault frankly.
    This will throw those in authority
    off their guard and give you
    opportunity to commit more.

  49. BE HUMAN

  50. CREATING A SENSE OF
    HUMANITY IS
    WILDLY DIFFICULT
    &
    CRITICALLY IMPORTANT

  51. SOUNDING
    HUMAN
    All communications go through one person
    Say it, write it, read it, then read it out loud
    Get some outside feedback

  52. AUDIENCE

  53. EXTERNAL
    Press, Social Media, Public Statements

  54. EXECUTIVE
    Focus on Clarity, Avoid FUD

  55. INTERNAL
    If employees don't have a message they'll
    invent one

  56. INTEL SHARING
    You aren't on those secret squirrel mailing
    lists just to feel cool... right?

  57. – Unknown
    If you don't tell your story,
    someone else will.

  58. MEDIUMS

  59. WEBSITE
    Likely the best…

  60. EMAIL
    When you know those affected…

  61. SOCIAL MEDIA
    Because it isn’t 1970…

  62. PRESS RELEASES
    Because sometimes it is the 1970s…

  63. INTERNAL
    SHARING
    However your organization does that…

  64. CASE STUDIES

  74. Time          Action
    ???           Intrusion Begins
    11/27-12/15   Fraud Takes Place
    12/15/13      Breach Confirmed Internally, 40 million cards
    12/18/13      First Krebs Article
    12/19/13      Target Acknowledges Breach
    12/20/13      Target says “very few cards”

  75. Time          Action
    12/21/13      Banks start reissuing cards proactively
    12/27/13      3rd Party IR identifies stolen cards/PINs
    1/20/2014     70 million additional accounts announced
    1/22/14       475 employees laid off w/700 open recs
    5/2/14        CEO Gregg Steinhafel Ousted

  76. CLEAR: 4/10
    6+ links vs 1 Krebs article

  77. TIMELY: 4/10
    Early & often backfired…

  78. ACTIONABLE: 3/10
    No idea…

  79. RESPONSIBLE: 7/10
    Depends where you look…

  80. –Gregg Steinhafel (Now Former) CEO of Target
    Our top priority is taking care of you and
    helping you feel confident about
    shopping at Target, and it is our
    responsibility to protect your information
    when you shop with us. We didn’t live up
    to that responsibility, and I am truly sorry.

  81. HUMAN: 5/10
    CEO was great but a lot of PR…

  82. Characteristic   Score
    Clear            3
    Timely           4
    Actionable       3
    Responsible      7
    Human            5
    TOTAL            22/50 (44%)

  91. Time          Action
    Late 2014     Initial Compromise
    07/16         "Peace" tried selling account information
    07/25         Sale of Yahoo to Verizon announced
    ~August       Internal investigation finds 2014 attack
    09/22         Compromise Information Released
    09/27         Senators request formal timeline & info

  92. CLEAR: 9/10
    Low FUD & Single Official Source

  93. TIMELY: 5/10*
    Senators are curious…
    *(+/-4)

  94. ACTIONABLE: 9/10
    What you do, what they do, etc…

  95. RESPONSIBLE: 5/10
    Focus on tools available

  96. HUMAN: 6/10
    Feels like a lawyer wrote it…

  97. Characteristic   Score
    Clear            9
    Timely           5
    Actionable       9
    Responsible      5
    Human            6
    TOTAL            34/50 (68%)

  103. Time         Action
    Early 02/15   Incident Begins
    Early 02/15   Incident Ongoing (Four Days)
    03/27         Web & Email Notifications Posted

  104. –Slack Statement
    Information contained in this user
    database was accessible to the
    hackers during this incident.

  105. –Slack Statement
    No financial or payment
    information was accessed or
    compromised in this attack.

  106. CLEAR: 9/10
    No vector but otherwise everything

  107. TIMELY: 10/10
    Controlled based on investigation

  108. ACTIONABLE: 10/10
    Features & everything

  109. FEATURE
    Two Factor Authentication

  110. FEATURE
    Password Kill Switch

  111. RESPONSIBLE: 9/10
    Limited on mistakes but focused on actions

  112. HUMAN: 8/10
    Good words, limited identity

  113. Characteristic   Score
    Clear            9
    Timely           10
    Actionable       10
    Responsible      9
    Human            8
    TOTAL            46/50 (94%)

  114. IN CLOSING

  115. –Warren Buffett
    It takes 20 years to build a
    reputation and five minutes to ruin
    it. If you think about that, you'll do
    things differently.

  116. MAKE A PLAN
    - Know Your Stakeholders
    - Know Your Decision Makers
    - Know Your Methods
    - Know Your Voice

  117. Be Clear
    Be Timely
    Be Actionable
    Be Responsible
    Be Human

  118. THANKS TO
    • Kate Guarente & Katelyn Bryant of GitHub
    • Rachel Vandernick of Elizabethtown College
    • Kristin Reichardt-Rummell of Swish Media
    • Mark Imbriaco of OperableInc

  119. THANK YOU
    Original Post: http://git.io/vkMyC
    @sroberts & [email protected]
    Let's have a conversation…