Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Crisis Communication for Incident Response

Scott J. Roberts
September 28, 2016
Technology
1
320

Crisis Communication for Incident Response

Presented at the SANS Leadership Summit on 9/28/16.

Scott J. Roberts

September 28, 2016
Tweet

More Decks by Scott J. Roberts

See All by Scott J. Roberts
Tortured Responders Dept - Scott & Rebekah's Edition
sroberts
0
94
Skynet the CTI Intern: Building Effective Machine Augmented Intelligence
sroberts
0
67
DRIVING INTELLIGENCE WITH MITRE ATT&CK: LEVERAGING LIMITED RESOURCES TO BUILD AN EVOLVING THREAT REPOSITORY
sroberts
0
31
Exploring Threat Intelligence: Insights and Tools from Vertex Synapse
sroberts
0
23
Homemade Ramen & Threat Intelligence
sroberts
2
490
Introduction to Open Source Security Tools
sroberts
3
4.8k
Building Effective Threat Intelligence Sharing
sroberts
1
110
Japanese Manufacturing, Killer Robots, & Effective Incident Handling
sroberts
0
110
Hipster DFIR on OSX - BSidesCincy
sroberts
3
3.2k

Other Decks in Technology

See All in Technology
マルチモーダル / AI Agent / LLMOps 3つの技術トレンドで理解するLLMの今後の展望
hirosatogamo
37
12k
【Pycon mini 東海 2024】Google Colaboratoryで試すVLM
kazuhitotakahashi
2
500
【Startup CTO of the Year 2024 / Audience Award】アセンド取締役CTO 丹羽健
niwatakeru
0
980
TypeScriptの次なる大進化なるか!? 条件型を返り値とする関数の型推論
uhyo
2
1.6k
Shopifyアプリ開発における Shopifyの機能活用
sonatard
4
250
Application Development WG Intro at AppDeveloperCon
salaboy
0
180
Exadata Database Service on Dedicated Infrastructure(ExaDB-D) UI スクリーン・キャプチャ集
oracle4engineer
PRO
2
3.2k
Terraform Stacks入門 #HashiTalks
msato
0
350
SREが投資するAIOps ~ペアーズにおけるLLM for Developerへの取り組み~
takumiogawa
1
150
Security-JAWS【第35回】勉強会クラウドにおけるマルウェアやコンテンツ改ざんへの対策
4su_para
0
180
Amplify Gen2 Deep Dive / バックエンドの型をいかにしてフロントエンドへ伝えるか #TSKaigi #TSKaigiKansai #AWSAmplifyJP
tacck
PRO
0
370
SSMRunbook作成の勘所_20241120
koichiotomo
2
130

Featured

See All Featured
Optimizing for Happiness
mojombo
376
70k
Site-Speed That Sticks
csswizardry
0
23
Building Your Own Lightsaber
phodgson
103
6.1k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
93
16k
Happy Clients
brianwarren
98
6.7k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
0
89
Keith and Marios Guide to Fast Websites
keithpitt
409
22k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
229
52k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
Designing on Purpose - Digital PM Summit 2013
jponch
115
7k
Writing Fast Ruby
sferik
627
61k

Transcript

  1. CRISIS COMMS For Incident Response

  2. INTRODUCTION

  3. Security Ops Manger: SIRT of GitHub Author of Intelligence Driven

    IR SANS Instructor in Training & CTI Summit Board SCOTT J ROBERTS

  4. @SROBERTS/#CCIR If you Twitter…

  5. DISCLAIMER: I’m not a public relations specialist

  6. BUT: I consulted quite a few… 4 for those of

    you counting…

  7. THIS STARTED AS A BLOG POST... http://sroberts.github.io/2014/09/22/crisis-comms-for-ir/

  8. None

  9. WHAT IS CRISIS COMMUNICATIONS?

  10. –Wikipedia: Crisis Communications [...] a sub-specialty of the public relations

    profession that is designed to protect and defend an individual, company, or organization facing a public challenge to its reputation.

  11. AKA: What you say when everything goes wrong.

  12. WHEN TO DO CRISIS COMMUNICATIONS?

  13. A BREACH

  14. A VULNERABILITY

  15. A DDOS

  16. NOT ANY OF THOSE

  17. FIVE KEYS OF INCIDENT RESPONSE COMMUNICATION

  18. BE CLEAR

  19. WHAT HAPPENED HOW IT HAPPENED WHEN IT HAPPENED WHERE IT

    HAPPENED

  20. IT’S DIFFICULT TO INVESTIGATE INCIDENTS

  21. IT’S DIFFICULT TO EXPLAIN INCIDENTS

  22. IMAGINE BEING NON-SECURITY ONLY SEMI-TECHNICAL FULLY NON-TECHNICAL

  23. THE RULE 5th grade reading level

  24. WITHOUT UNDERSTANDING VICTIMS WILL BE CONFUSED & CRITICS WILL BE

    SKEPTICAL

  25. CLARITY GOES BEYOND ONE MESSAGE - STAY CONSISTENT ACROSS MESSAGES

    & MEDIUMS

  26. ATTRIBUTION

  27. BAD WORDS Advanced, Persistent, Sophisticated, Unusual, Zeroday, etc

  28. – Brad Phillips of Phillips Media Relations You need to

    prepare for today's media culture, in which a tweet can become newsworthy and a news interview can become tweet-worthy.

  29. BE TIMELY

  30. TOO EARLY You have to make lots of follow-ups &

    seem out of control

  31. TOO LATE Your warning is less actionable & you seem

    oblivious

  32. IN THE END THE BEST OPTION IS OFTEN TO OVER

    COMMUNICATE & ASSUME THE WORST

  33. "IT WASN'T AS BAD AS WE INITIALLY THOUGHT…" VS "ACTUALLY

    IT'S WORSE THAN WE THOUGHT..."

  34. LEGAL/REG REQUIREMENTS Industry or Location SEC, PCI, HIPPA, PCI, ETC

  35. – Andy Gilman of Comm Core Consulting Group The secret

    of crisis management is not good vs. bad, it's preventing the bad from getting worse.

  36. BE ACTIONABLE

  37. WHAT IS THE ORGANIZATION DOING TO MITIGATE THE PROBLEM?

  38. WHAT IS THE ORGANIZATION DOING TO REMEDIATE THE PROBLEM?

  39. HOW CAN PEOPLE IDENTIFY IF THEY ARE AFFECTED?

  40. WHAT IS THE ORGANIZATION DOING TO PROTECT USERS?

  41. HOW CAN PEOPLE PROTECT THEMSELVES IF THEY ARE AFFECTED?

  42. – John D. Rockefeller Next to doing the right thing,

    the most important thing is to let people know you are doing the right thing.

  43. BE RESPONSIBLE

  44. THIS ONE IS SCARY

  45. ADMITTING WHAT WENT WRONG AND SAYING YOU’RE SORRY

  46. COLLABORATION Security Team Public Relations Team Legal Team Customer Support

  47. NAME DROPPING Vendors specifically…

  48. –Mark Twain Always acknowledge a fault frankly. This will throw

    those in authority off their guard and give you opportunity to commit more.

  49. BE HUMAN

  50. CREATING A SENSE OF HUMANITY IS WILDLY DIFFICULT & CRITICALLY

    IMPORTANT

  51. SOUNDING HUMAN All communications go through one person Say it,

    write it, read it, then read it out loud Get some outside feedback

  52. AUDIENCE

  53. EXTERNAL Press, Social Media, Public Statements

  54. EXECUTIVE Focus on Clarity, Avoid FUD

  55. INTERNAL If employees don't have a message they'll invent one

  56. INTEL SHARING You aren't on those secret squirrel mailing lists

    just to feel cool... right?

  57. – Unknown If you don't tell your story, someone else

    will.

  58. MEDIUMS

  59. WEBSITE Likely the best…

  60. EMAIL When you know those affected…

  61. SOCIAL MEDIA Because it isn’t 1970…

  62. PRESS RELEASES Because sometimes it is the 1970s…

  63. INTERNAL SHARING However your organization does that…

  64. CASE STUDIES

  65. None
  66. None
  67. None
  68. None
  69. None
  70. None
  71. None
  72. None
  73. None

  74. Time Action ??? Intrusion Begins 11/27-12/15 Fraud Takes Place 12/15/13

    Breach Confirmed Internally, 40 million cards 12/18/13 First Krebs Article 12/19/13 Target Acknowledges Breach 12/20/13 Target says “very few cards”

  75. Time Action 12/21/13 Banks start reissuing cards proactively 12/27/13 3rd

    Party IR identifies stolen card/pins 1/20/2014 70 million additional accounts announced 1/22/14 475 employees laid off w/700 open recs 5/2/14 CEO Gregg Steinhafel Ousted

  76. CLEAR: 4/10 6+ links vs 1 Krebs article

  77. TIMELY: 4/10 Early & often backfired…

  78. ACTIONABLE: 3/10 No idea…

  79. RESPONSIBLE: 7/10 Depends where you look…

  80. –Gregg Steinhafel (Now Former) CEO of Target Our top priority

    is taking care of you and helping you feel confident about shopping at Target, and it is our responsibility to protect your information when you shop with us. We didn’t live up to that responsibility, and I am truly sorry.

  81. HUMAN: 5/10 CEO was great but a lot of PR…

  82. Characteristic Score Clear 3 Timely 4 Actionable 3 Responsible 7

    Human 5 TOTAL 22/50 (44%)
  83. None
  84. None
  85. None
  86. None
  87. None
  88. None
  89. None
  90. None

  91. Time Action Late 2014 Initial Compromise 07/16 "Peace" tried selling

    account information 07/25 Sale of Yahoo to Verizon announced ~August Internal investigation finds 2014 attack 09/22 Compromise Information Released 09/27 Senators request formal timeline & info

  92. CLEAR: 9/10 Low FUD & Single Official Source

  93. TIMELY: 5/10* Senators are curious…
 
 *(+/-4)

  94. ACTIONABLE: 9/10 What you do, what they do, etc…

  95. RESPONSIBLE: 5/10 Focus on tools available

  96. HUMAN: 6/10 Feels like a lawyer wrote it…

  97. Characteristic Score Clear 9 Timely 5 Actionable 9 Responsible 5

    Human 6 TOTAL 34/50 (68%)
  98. None
  99. None
  100. None
  101. None
  102. None

  103. Time Action Early 02/15 Incident Begins Early 02/15 Incident On

    Going (Four Days) 03/27 Web & Email Notifications Posted

  104. –Slack Statement Information contained in this user database was accessible

    to the hackers during this incident.

  105. –Slack Statement No financial or payment information was accessed or

    compromised in this attack.

  106. CLEAR: 9/10 No vector but otherwise everything

  107. TIMELY: 10/10 Controlled based on investigation

  108. ACTIONABLE: 10/10 Features & everything

  109. FEATURE Two Factor Authentication

  110. FEATURE Password Kill Switch

  111. RESPONSIBLE: 9/10 Limited on mistakes but focused on actions

  112. HUMAN: 8/10 Good words, limited identity

  113. Characteristic Score Clear 9 Timely 10 Actionable 10 Responsible 9

    Human 8 TOTAL 46/50 (94%)

  114. IN CLOSING

  115. –Warren Buffet It takes 20 years to build a reputation

    and five minutes to ruin it. If you think about that, you'll do things differently.

  116. MAKE A PLAN - Know Your Stakeholders - Know Your

    Decision Makers - Know Your Methods - Know Your Voice

  117. Be Clear Be Timely Be Actionable Be Responsible Be Human

  118. THANKS TO • Kate Guarente & Katelyn Bryant of GitHub

    • Rachel Vandernick of Elizabethtown College • Kristin Reichardt-Rummell of Swish Media • Mark Imbriaco of OperableInc

  119. THANK YOU Original Post: http://git.io/vkMyC @sroberts & [email protected] Lets have

    a conversation…