Crisis Communication for Incident Response

Transcript

1. CRISIS COMMS For Incident Response

2. INTRODUCTION

3. Security Ops Manger: SIRT of GitHub Author of Intelligence Driven

   IR SANS Instructor in Training & CTI Summit Board SCOTT J ROBERTS

4. @SROBERTS/#CCIR If you Twitter…

5. DISCLAIMER: I’m not a public relations specialist

6. BUT: I consulted quite a few… 4 for those of

   you counting…

7. THIS STARTED AS A BLOG POST... http://sroberts.github.io/2014/09/22/crisis-comms-for-ir/

8. None

9. WHAT IS CRISIS COMMUNICATIONS?

10. –Wikipedia: Crisis Communications [...] a sub-specialty of the public relations

    profession that is designed to protect and defend an individual, company, or organization facing a public challenge to its reputation.

11. AKA: What you say when everything goes wrong.

12. WHEN TO DO CRISIS COMMUNICATIONS?

13. A BREACH

14. A VULNERABILITY

15. A DDOS

16. NOT ANY OF THOSE

17. FIVE KEYS OF INCIDENT RESPONSE COMMUNICATION

18. BE CLEAR

19. WHAT HAPPENED HOW IT HAPPENED WHEN IT HAPPENED WHERE IT

    HAPPENED

20. IT’S DIFFICULT TO INVESTIGATE INCIDENTS

21. IT’S DIFFICULT TO EXPLAIN INCIDENTS

22. IMAGINE BEING NON-SECURITY ONLY SEMI-TECHNICAL FULLY NON-TECHNICAL

23. THE RULE 5th grade reading level

24. WITHOUT UNDERSTANDING VICTIMS WILL BE CONFUSED & CRITICS WILL BE

    SKEPTICAL

25. CLARITY GOES BEYOND ONE MESSAGE - STAY CONSISTENT ACROSS MESSAGES

    & MEDIUMS

26. ATTRIBUTION

27. BAD WORDS Advanced, Persistent, Sophisticated, Unusual, Zeroday, etc

28. – Brad Phillips of Phillips Media Relations You need to

    prepare for today's media culture, in which a tweet can become newsworthy and a news interview can become tweet-worthy.

29. BE TIMELY

30. TOO EARLY You have to make lots of follow-ups &

    seem out of control

31. TOO LATE Your warning is less actionable & you seem

    oblivious

32. IN THE END THE BEST OPTION IS OFTEN TO OVER

    COMMUNICATE & ASSUME THE WORST

33. "IT WASN'T AS BAD AS WE INITIALLY THOUGHT…" VS "ACTUALLY

    IT'S WORSE THAN WE THOUGHT..."

34. LEGAL/REG REQUIREMENTS Industry or Location SEC, PCI, HIPPA, PCI, ETC

35. – Andy Gilman of Comm Core Consulting Group The secret

    of crisis management is not good vs. bad, it's preventing the bad from getting worse.

36. BE ACTIONABLE

37. WHAT IS THE ORGANIZATION DOING TO MITIGATE THE PROBLEM?

38. WHAT IS THE ORGANIZATION DOING TO REMEDIATE THE PROBLEM?

39. HOW CAN PEOPLE IDENTIFY IF THEY ARE AFFECTED?

40. WHAT IS THE ORGANIZATION DOING TO PROTECT USERS?

41. HOW CAN PEOPLE PROTECT THEMSELVES IF THEY ARE AFFECTED?

42. – John D. Rockefeller Next to doing the right thing,

    the most important thing is to let people know you are doing the right thing.

43. BE RESPONSIBLE

44. THIS ONE IS SCARY

45. ADMITTING WHAT WENT WRONG AND SAYING YOU’RE SORRY

46. COLLABORATION Security Team Public Relations Team Legal Team Customer Support

47. NAME DROPPING Vendors specifically…

48. –Mark Twain Always acknowledge a fault frankly. This will throw

    those in authority off their guard and give you opportunity to commit more.

49. BE HUMAN

50. CREATING A SENSE OF HUMANITY IS WILDLY DIFFICULT & CRITICALLY

    IMPORTANT

51. SOUNDING HUMAN All communications go through one person Say it,

    write it, read it, then read it out loud Get some outside feedback

52. AUDIENCE

53. EXTERNAL Press, Social Media, Public Statements

54. EXECUTIVE Focus on Clarity, Avoid FUD

55. INTERNAL If employees don't have a message they'll invent one

56. INTEL SHARING You aren't on those secret squirrel mailing lists

    just to feel cool... right?

57. – Unknown If you don't tell your story, someone else

    will.

58. MEDIUMS

59. WEBSITE Likely the best…

60. EMAIL When you know those affected…

61. SOCIAL MEDIA Because it isn’t 1970…

62. PRESS RELEASES Because sometimes it is the 1970s…

63. INTERNAL SHARING However your organization does that…

64. CASE STUDIES

65. None
66. None
67. None
68. None
69. None
70. None
71. None
72. None
73. None

74. Time Action ??? Intrusion Begins 11/27-12/15 Fraud Takes Place 12/15/13

    Breach Confirmed Internally, 40 million cards 12/18/13 First Krebs Article 12/19/13 Target Acknowledges Breach 12/20/13 Target says “very few cards”

75. Time Action 12/21/13 Banks start reissuing cards proactively 12/27/13 3rd

    Party IR identifies stolen card/pins 1/20/2014 70 million additional accounts announced 1/22/14 475 employees laid off w/700 open recs 5/2/14 CEO Gregg Steinhafel Ousted

76. CLEAR: 4/10 6+ links vs 1 Krebs article

77. TIMELY: 4/10 Early & often backfired…

78. ACTIONABLE: 3/10 No idea…

79. RESPONSIBLE: 7/10 Depends where you look…

80. –Gregg Steinhafel (Now Former) CEO of Target Our top priority

    is taking care of you and helping you feel confident about shopping at Target, and it is our responsibility to protect your information when you shop with us. We didn’t live up to that responsibility, and I am truly sorry.

81. HUMAN: 5/10 CEO was great but a lot of PR…

82. Characteristic Score Clear 3 Timely 4 Actionable 3 Responsible 7

    Human 5 TOTAL 22/50 (44%)
83. None
84. None
85. None
86. None
87. None
88. None
89. None
90. None

91. Time Action Late 2014 Initial Compromise 07/16 "Peace" tried selling

    account information 07/25 Sale of Yahoo to Verizon announced ~August Internal investigation finds 2014 attack 09/22 Compromise Information Released 09/27 Senators request formal timeline & info

92. CLEAR: 9/10 Low FUD & Single Official Source

93. TIMELY: 5/10* Senators are curious…
 
 *(+/-4)

94. ACTIONABLE: 9/10 What you do, what they do, etc…

95. RESPONSIBLE: 5/10 Focus on tools available

96. HUMAN: 6/10 Feels like a lawyer wrote it…

97. Characteristic Score Clear 9 Timely 5 Actionable 9 Responsible 5

    Human 6 TOTAL 34/50 (68%)
98. None
99. None
100. None
101. None
102. None

103. Time Action Early 02/15 Incident Begins Early 02/15 Incident On

     Going (Four Days) 03/27 Web & Email Notifications Posted

104. –Slack Statement Information contained in this user database was accessible

     to the hackers during this incident.

105. –Slack Statement No financial or payment information was accessed or

     compromised in this attack.

106. CLEAR: 9/10 No vector but otherwise everything

107. TIMELY: 10/10 Controlled based on investigation

108. ACTIONABLE: 10/10 Features & everything

109. FEATURE Two Factor Authentication

110. FEATURE Password Kill Switch

111. RESPONSIBLE: 9/10 Limited on mistakes but focused on actions

112. HUMAN: 8/10 Good words, limited identity

113. Characteristic Score Clear 9 Timely 10 Actionable 10 Responsible 9

     Human 8 TOTAL 46/50 (94%)

114. IN CLOSING

115. –Warren Buffet It takes 20 years to build a reputation

     and five minutes to ruin it. If you think about that, you'll do things differently.

116. MAKE A PLAN - Know Your Stakeholders - Know Your

     Decision Makers - Know Your Methods - Know Your Voice

117. Be Clear Be Timely Be Actionable Be Responsible Be Human

118. THANKS TO • Kate Guarente & Katelyn Bryant of GitHub

     • Rachel Vandernick of Elizabethtown College • Kristin Reichardt-Rummell of Swish Media • Mark Imbriaco of OperableInc

119. THANK YOU Original Post: http://git.io/vkMyC @sroberts & [email protected] Lets have

     a conversation…