Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Crisis Communications for Incident Response (FIRST15)

Ded29c7918dce50c65131df03c769004?s=47 Scott J. Roberts
June 16, 2015
Technology
1
240

Crisis Communications for Incident Response (FIRST15)

My talk on how to apply Crisis Communication techniques for post breach incident responses. Presented at the First 2015 conference in Berlin, Germany.

Ded29c7918dce50c65131df03c769004?s=128

Scott J. Roberts

June 16, 2015
Tweet

More Decks by Scott J. Roberts

See All by Scott J. Roberts
Homemade Ramen & Threat Intelligence
Ded29c7918dce50c65131df03c769004?s=48 sroberts
2
310
Introduction to Open Source Security Tools
Ded29c7918dce50c65131df03c769004?s=48 sroberts
3
4.4k
Building Effective Threat Intelligence Sharing
Ded29c7918dce50c65131df03c769004?s=48 sroberts
1
76
Japanese Manufacturing, Killer Robots, & Effective Incident Handling
Ded29c7918dce50c65131df03c769004?s=48 sroberts
0
64
Crisis Communication for Incident Response
Ded29c7918dce50c65131df03c769004?s=48 sroberts
1
220
Hipster DFIR on OSX - BSidesCincy
Ded29c7918dce50c65131df03c769004?s=48 sroberts
3
2.8k
Community Intelligence & Open Source Tools
Ded29c7918dce50c65131df03c769004?s=48 sroberts
5
940
Responding @ Scale: osquery for Mass Incident Response and Detection
Ded29c7918dce50c65131df03c769004?s=48 sroberts
1
11k
Hipster DFIR on OSX
Ded29c7918dce50c65131df03c769004?s=48 sroberts
2
840

Other Decks in Technology

See All in Technology
tfcon-2022-cpp
Dcc589548f0372645aaeb95bda8e22c2?s=48 cpp
5
5.1k
Unity Package Managerで自作パッケージを配布する方法
3dfed36dc1543f0007b5fd46fcb41a47?s=48 yunoda
0
190
ITエンジニアを取り巻く環境とキャリアパス / A career path for Japanese IT engineers
D2322aa2c45d0190205b3ed8bfdd6717?s=48 takatama
0
590
1,000万人以上が利用する「家族アルバム みてね」のSRE組織は4年間でどのように作られてきたのか/SRE NEXT 2022
46839cf590a549efe13547c17a6b2fde?s=48 isaoshimizu
6
3.1k
キャッチアップ Android 13 / Catch up Android 13
D2bcabeeb1ddff142fb8988b412cb4d3?s=48 yanzm
2
1.2k
モダンデータスタックとかの話(データエンジニアのお仕事とは)
95be3c1812a3ae53c2d81cc7ea2eeb3d?s=48 foursue
0
420
⚡Lightdashを試してみた
2c6a9bc003b77685330cc9359b6fbbc4?s=48 k_data_analyst
0
210
長年運用されてきたモノリシックアプリケーションをコンテナ化しようとするとどんな問題に遭遇するか? / SRE NEXT 2022
3e77f9dbec6a87756d1dbdddab283aee?s=48 nulabinc
PRO
15
7.7k
IDOLY PRIDEにおけるAssetBundleビルドパイプラインについて
8192a3d22a844b926f2e1bd7aef5fb25?s=48 qualiarts
0
160
Scrum Fest Niigata 2022 開発エンジニアに聞いてみよう!
478bd912a17b65fa0ab8c1d81912b9b1?s=48 moritamasami
1
280
AWS ChatbotでEC2インスタンスを 起動できるようにした
Eb5a213a0a76afa872249a05444c78c1?s=48 iwamot
0
160
Adopting Kafka for the #1 job site in the world
D984cd543d2abef28596cc5cfe82240c?s=48 ymyzk
1
520

Featured

See All Featured
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
651dcfe41723207fbb0aa044a4f7c07f?s=48 dotmariusz
100
5.9k
Fireside Chat
864a009ac73600c7c02e1f26629dd989?s=48 paigeccino
11
1.3k
Fantastic passwords and where to find them - at NoRuKo
8ec1383b240b5ba15ffb9743fceb3c0e?s=48 philnash
25
1.5k
Bootstrapping a Software Product
A9179349dd2bdc67f377719f56d85656?s=48 garrettdimon
295
110k
Build The Right Thing And Hit Your Dates
016edace78ffe826f2348d1e0c504afd?s=48 maggiecrowley
19
1.1k
Building a Scalable Design System with Sketch
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
447
30k
ReactJS: Keep Simple. Everything can be a component!
Af6a12710770ad9a7cfd08c97efd40d3?s=48 pedronauck
655
120k
Bash Introduction
812e1705ff0f8bc1bcf18587bde687d5?s=48 62gerente
596
210k
Reflections from 52 weeks, 52 projects
E43f8dfd01057f8304f5f8fb9a294d7d?s=48 jeffersonlam
337
17k
A designer walks into a library…
15f2b8221f247985a27a627d2ece72f0?s=48 pauljervisheath
196
16k
Robots, Beer and Maslow
9375a9529679f1b42b567a640d775e7d?s=48 schacon
152
7.1k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
5b9fe87ec1faa67a4599782930f45ec9?s=48 sstephenson
151
12k

Transcript

  1. CRISIS COMMS FOR INCIDENT RESPONSE

  2. INTRODUCTION

  3. SCOTT J ROBERTS DFIR ENGINEER @SROBERTS

  4. I WORK FOR GITHUB...

  5. DISCLAIMER: I AM NOT A PUBLIC RELATIONS SPECIALIST

  6. BUT I CONSULTED A FEW more than a few actually...

  7. THIS STARTED AS A BLOG POST...1 1 http://sroberts.github.io/2014/09/22/crisis-comms-for-ir/

  8. WHAT IS CRISIS COMMS?

  9. [...] a sub-specialty of the public relations profession that is

    designed to protect and defend an individual, company, or organization facing a public challenge to its reputation. Wikipedia: Crisis Communications

  10. AKA: WHAT YOU SAY WHEN EVERYTHING GOES WRONG.

  11. 5 KEYS OF IR COMMUNICATION

  12. BE CLEAR

  13. IT'S DIFFICULT TO INVESTIGATE INTRUSIONS

  14. IT'S DIFFICULT TO EXPLAIN INTRUSIONS

  15. IMAGINE BEING NON-DFIR? OR ONLY SEMI-TECHNICAL? OR FULLY NON-TECHNICAL?

  16. The Rule: EVERYTHING SHOULD BE ON A 5TH GRADE READING

    LEVEL

  17. WITHOUT UNDERSTANDING VICTIMS WILL REMAIN CONFUSED & CRITICS WILL REMAIN

    SKEPTICAL

  18. CLARITY GOES BEYOND ONE MESSAGE STAY CONSISTENT ACROSS MESSAGES &

    MEDIUMS

  19. ATTRIBUTION

  20. "You need to be prepared for today's media culture, in

    which a tweet can become newsworthy and a news interview can become tweet- worthy." Brad Phillips of Phillips Media Relations

  21. BE TIMELY

  22. TOO EARLY: YOU HAVE TO MAKE LOTS OF FOLLOW-UPS &

    SEEM OUT OF CONTROL

  23. TOO LATE: YOUR WARNING IS LESS ACTIONABLE & YOU SEEM

    OBLIVIOUS

  24. IN THE END THE BEST OPTION IS OFTEN TO OVER

    COMMUNICATE & ASSUME THE WORST

  25. "IT WASN'T AS BAD AS WE INITIALLY THOUGHT..." VS. "ACTUALLY

    IT'S WORSE THAN WE THOUGHT..."

  26. "The secret of crisis management is not good vs. bad,

    it's preventing the bad from getting worse." Andy Gilman of Comm Core Consulting Group

  27. BE ACTIONABLE

  28. WHAT IS THE ORGANIZATION DOING TO MITIGATE THE PROBLEM?

  29. WHAT IS THE ORGANIZATION DOING TO REMEDIATE THE PROBLEM?

  30. HOW CAN PEOPLE IDENTIFY IF THEY ARE AFFECTED?

  31. WHAT IS THE ORGANIZATION DOING TO PROTECT USERS?

  32. HOW CAN PEOPLE PROTECT THEMSELVES IF THEY ARE AFFECTED?

  33. "Next to doing the right thing, the most important thing

    is to let people know you are doing the right thing." John D. Rockefeller

  34. BE RESPONSIBLE

  35. This one is scary...

  36. ADMITTING WHAT WENT WRONG AND SAYING YOU ARE SORRY

  37. RESPONSIBILITY TAKES COLLABORATION SECURITY TEAM PUBLIC RELATIONS TEAM LEGAL TEAM

    CUSTOMER SUPPORT

  38. VENDOR NAME DROPPING

  39. "Always acknowledge a fault frankly. This will throw those in

    authority off their guard and give you opportunity to commit more." Mark Twain

  40. BE HUMAN

  41. YOU CAN'T OVERVALUE A SENSE OF HUMANITY IN A CRISIS

    IT'S WILDLY DIFFICULT & CRITICALLY IMPORTANT

  42. HOW TO SOUND HUMAN ▸ Start all communications go through

    a single person ▸ Avoid Legal-ese & Jargon ▸ Say it, write it, read it to yourself, then read it out loud ▸ Get outside feedback, but don't sound like a committee

  43. AUDIENCE

  44. EXTERNAL PRESS, SOCIAL MEDIA, PUBLIC STATEMENTS

  45. EXECUTIVE FOCUS ON CLARITY, AVOID FUD

  46. INTERNAL IF EMPLOYEES DON'T HAVE A MESSAGE THEY'LL INVENT ONE

  47. "If you don't tell your story, someone else will." Unknown

  48. CASE STUDIES

  49. TARGET VICTIM: CONSUMER RETAIL ATTACKER: CRIMINAL GROUP

  50. TIMELINE: ▸ ??: Intrusion Begins ▸ Nov. 27 - Dec.

    15, 2013: Fraud Takes Place ▸ Dec. 15, 2013: Breach Confirmed Internally, 40 million cards affected ▸ Dec. 18, 2013: Brian Krebs First Article

  51. TIMELINE (CONT.): ▸ Dec. 19, 2013: Target Acknowledges Breach: Minimal

    Impact ▸ Dec. 20, 2013: Target announces "very few"2 reports of card fraud ▸ Dec. 21, 2013: Banks begin reissuing cards proactively 2 http://www.wsj.com/news/articles/SB10001424052702304773104579270591741798968

  52. TIMELINE (CONT.)(YET AGAIN):3 ▸ Dec. 27, 2013: 3rd Party IR

    identifies stolen card/pin information ▸ Jan. 10, 2014: Access to an additional 70 Million accounts announced ▸ Jan. 22, 2014: 475 employees from HQ laid off w/700 open recs 3 http://blogs.wsj.com/corporate-intelligence/2013/12/27/targets-data-breach-timeline/ & http://www.ibtimes.com/timeline-targets-data- breach-aftermath-how-cybertheft-snowballed-giant-retailer-1580056
  53. None
  54. None
  55. None
  56. None
  57. None
  58. None

  59. AND A BUNCH MORE....

  60. None

  61. CLEAR: 4/10 6+ LINKS VS. 1 KREBS ARTICLE...

  62. TIMELY: 4/10 EARLY & OFTEN BACKFIRED...

  63. ACTIONABLE: 3/10 NO IDEA...

  64. RESPONSIBLE: 7/10 DEPENDS WHERE YOU LOOK...

  65. KEY STATEMENT "Our top priority is taking care of you

    and helping you feel confident about shopping at Target, and it is our responsibility to protect your information when you shop with us. We didn’t live up to that responsibility, and I am truly sorry." Gregg Steinhafel CEO of Target

  66. HUMAN: 5/10 CEO WAS GREAT BUT A LOT OF PR...

  67. FINAL SCORE: 48% A GOOD LEARNING EXPERIENCE...

  68. PENN STATE ENGINEERING VICTIM: EDUCATION/GOVERNMENT ATTACKER: NATION STATE

  69. TIMELINE ▸ Unknown: Intrusions 1 & 2 Begin ▸ Nov.

    21, 2014: FBI Notification ▸ May 15, 2015: Engineering Network Offline & Statements Released (Students, Press, & Partners) ▸ May 18, 2015: PSU Announces Network Back Online
  70. None
  71. None
  72. None
  73. None
  74. None
  75. None

  76. KEY STATEMENTS In order to protect the college’s network infrastructure

    as well as critical research data from a malicious attack, it was important that the attackers remained unaware of our efforts to investigate and prepare for a full-scale remediation.

  77. CLEAR: 7/10 YOU JUST NEED TO READ 3 SITES AND...

  78. TIMELY: 7/10 TOOK THEIR TIME hopefully FOR A REASON

  79. ACTIONABLE: 8/10 NOT MUCH... UNLESS YOU ARE ARL

  80. RESPONSIBLE: 8/10 ONCE YOU FIND IT...

  81. HUMAN: 8/10 ONCE YOU FIND IT... AGAIN...

  82. FINAL SCORE: 76% A SOLID C WITH A B- AFTER

    THE CURVE

  83. SLACK VICTIM: SAAS CHAT PROVIDER ATTACKER: CRIMINAL

  84. TIMELINE ▸ Early February: Incident Began ▸ Early February: Incident

    Ongoing Four Days ▸ March 27 Web Notification Released ▸ March 27 Email Notifications Released
  85. None
  86. None
  87. None
  88. None

  89. KEY STATEMENTS Information contained in this user database was accessible

    to the hackers during this incident. & No financial or payment information was accessed or compromised in this attack.

  90. CLEAR: 9/10 NO VECTOR, BUT OTHERWISE EVERYTHING

  91. TIMELY: 10/10 CONTROLLED BASED ON INVESTIGATION

  92. ACTIONABLE: 10/10 FEATURES & EVERYTHING

  93. FEATURE: TWO FACTOR AUTHENTICATION

  94. FEATURE: PASSWORD KILL SWITCH

  95. RESPONSIBLE: 9/10 LIMITED ON MISTAKES, FOCUS ON ACTIONS

  96. HUMAN: 8/10 GOOD WORDS, LIMITED IDENTITY

  97. FINAL SCORE: 94% Curve Buster!!!

  98. OTHER ORGS DOING THIS WELL PF CHANG'S LASTPASS GITHUB (IMHO)

  99. IN CLOSING

  100. "It takes 20 years to build a reputation and five

    minutes to ruin it. If you think about that, you'll do things differently." Warren Buffet

  101. MAKE A PLAN KNOW YOUR STAKEHOLDERS KNOW YOUR DECISION MAKERS

    KNOW YOUR METHODS KNOW YOUR Voice

  102. BE CLEAR BE TIMELY BE ACTIONABLE BE RESPONSIBLE BE HUMAN

  103. THANKS TO: ▸ Kate Guarente of GitHub ▸ Rachel Vandernick

    of WebPageFX ▸ Kristin Reichardt-Rummell of Swish Media ▸ Mark Imbriaco of OperableInc

  104. @SROBERTS OF GITHUB ORIGINAL POST: HTTP://GIT.IO/VKMYC

  105. THANK YOU!!!

  106. None

  107. QUESTIONS???