Crisis Communications for Incident Response (FIRST15)

My talk on how to apply Crisis Communication techniques for post-breach incident responses. Presented at the FIRST 2015 conference in Berlin, Germany.

Scott J. Roberts

June 16, 2015

Transcript

  1. CRISIS COMMS
    FOR INCIDENT RESPONSE

  2. INTRODUCTION

  3. SCOTT J ROBERTS
    DFIR ENGINEER
    @SROBERTS

  4. I WORK FOR GITHUB...

  5. DISCLAIMER:
    I AM NOT A PUBLIC RELATIONS SPECIALIST

  6. BUT I CONSULTED A FEW
    more than a few actually...

  7. THIS STARTED AS A BLOG POST... [1]
    [1] http://sroberts.github.io/2014/09/22/crisis-comms-for-ir/

  8. WHAT IS
    CRISIS COMMS?

  9. [...] a sub-specialty of the public relations profession that is designed
    to protect and defend an individual, company, or organization facing a
    public challenge to its reputation.
    Wikipedia: Crisis Communications

  10. AKA: WHAT YOU SAY WHEN EVERYTHING GOES WRONG.

  11. 5 KEYS
    OF IR COMMUNICATION

  12. BE CLEAR

  13. IT'S DIFFICULT TO
    INVESTIGATE INTRUSIONS

  14. IT'S DIFFICULT TO EXPLAIN
    INTRUSIONS

  15. IMAGINE BEING NON-DFIR?
    OR ONLY SEMI-TECHNICAL?
    OR FULLY NON-TECHNICAL?

  16. The Rule:
    EVERYTHING SHOULD BE ON A
    5TH GRADE READING LEVEL

  17. WITHOUT UNDERSTANDING
    VICTIMS WILL REMAIN
    CONFUSED & CRITICS WILL
    REMAIN SKEPTICAL

  18. CLARITY GOES BEYOND ONE MESSAGE
    STAY CONSISTENT ACROSS
    MESSAGES & MEDIUMS

  19. ATTRIBUTION

  20. "You need to be prepared for today's media culture, in which a tweet
    can become newsworthy and a news interview can become tweet-worthy."
    Brad Phillips of Phillips Media Relations

  21. BE TIMELY

  22. TOO EARLY:
    YOU HAVE TO MAKE LOTS OF
    FOLLOW-UPS & SEEM OUT OF
    CONTROL

  23. TOO LATE:
    YOUR WARNING IS LESS
    ACTIONABLE & YOU SEEM
    OBLIVIOUS

  24. IN THE END THE BEST OPTION IS OFTEN TO
    OVER COMMUNICATE & ASSUME THE WORST

  25. "IT WASN'T AS BAD AS WE INITIALLY THOUGHT..."
    VS.
    "ACTUALLY IT'S WORSE THAN WE THOUGHT..."

  26. "The secret of crisis management is not good vs. bad, it's preventing the
    bad from getting worse."
    Andy Gilman of Comm Core Consulting Group

  27. BE ACTIONABLE

  28. WHAT IS THE ORGANIZATION
    DOING TO MITIGATE THE
    PROBLEM?

  29. WHAT IS THE ORGANIZATION
    DOING TO REMEDIATE THE
    PROBLEM?

  30. HOW CAN PEOPLE IDENTIFY IF
    THEY ARE AFFECTED?

  31. WHAT IS THE ORGANIZATION
    DOING TO PROTECT USERS?

  32. HOW CAN PEOPLE PROTECT
    THEMSELVES IF THEY ARE
    AFFECTED?

  33. "Next to doing the right thing, the most important thing is to let people
    know you are doing the right thing."
    John D. Rockefeller

  34. BE RESPONSIBLE

  35. This one is scary...

  36. ADMITTING
    WHAT WENT WRONG
    AND
    SAYING YOU ARE SORRY

  37. RESPONSIBILITY TAKES COLLABORATION
    SECURITY TEAM
    PUBLIC RELATIONS TEAM
    LEGAL TEAM
    CUSTOMER SUPPORT

  38. VENDOR NAME DROPPING

  39. "Always acknowledge a fault frankly. This will throw those in authority
    off their guard and give you opportunity to commit more."
    Mark Twain

  40. BE HUMAN

  41. YOU CAN'T OVERVALUE A SENSE OF HUMANITY IN A CRISIS
    IT'S WILDLY DIFFICULT & CRITICALLY IMPORTANT

  42. HOW TO SOUND HUMAN
    ▸ Have all communications go through a single
    person
    ▸ Avoid Legal-ese & Jargon
    ▸ Say it, write it, read it to yourself, then read it
    out loud
    ▸ Get outside feedback, but don't sound like a
    committee

  43. AUDIENCE

  44. EXTERNAL
    PRESS, SOCIAL MEDIA, PUBLIC STATEMENTS

  45. EXECUTIVE
    FOCUS ON CLARITY, AVOID FUD

  46. INTERNAL
    IF EMPLOYEES DON'T HAVE A MESSAGE
    THEY'LL INVENT ONE

  47. "If you don't tell your story, someone else will."
    Unknown

  48. CASE STUDIES

  49. TARGET
    VICTIM: CONSUMER RETAIL
    ATTACKER: CRIMINAL GROUP

  50. TIMELINE:
    ▸ ??: Intrusion Begins
    ▸ Nov. 27 - Dec. 15, 2013: Fraud Takes Place
    ▸ Dec. 15, 2013: Breach Confirmed Internally, 40 million cards affected
    ▸ Dec. 18, 2013: Brian Krebs First Article

  51. TIMELINE (CONT.):
    ▸ Dec. 19, 2013: Target Acknowledges Breach: Minimal Impact
    ▸ Dec. 20, 2013: Target announces "very few" [2] reports of card fraud
    ▸ Dec. 21, 2013: Banks begin reissuing cards proactively
    [2] http://www.wsj.com/news/articles/SB10001424052702304773104579270591741798968

  52. TIMELINE (CONT.) (YET AGAIN): [3]
    ▸ Dec. 27, 2013: 3rd Party IR identifies stolen card/PIN information
    ▸ Jan. 10, 2014: Access to an additional 70 Million accounts announced
    ▸ Jan. 22, 2014: 475 employees from HQ laid off w/700 open reqs
    [3] http://blogs.wsj.com/corporate-intelligence/2013/12/27/targets-data-breach-timeline/ &
    http://www.ibtimes.com/timeline-targets-data-breach-aftermath-how-cybertheft-snowballed-giant-retailer-1580056

  59. AND A BUNCH
    MORE....

  61. CLEAR:
    4/10
    6+ LINKS VS. 1 KREBS ARTICLE...

  62. TIMELY:
    4/10
    EARLY & OFTEN BACKFIRED...

  63. ACTIONABLE:
    3/10
    NO IDEA...

  64. RESPONSIBLE:
    7/10
    DEPENDS WHERE YOU LOOK...

  65. KEY STATEMENT
    "Our top priority is taking care of you and helping you feel confident
    about shopping at Target, and it is our responsibility to protect your
    information when you shop with us. We didn’t live up to that
    responsibility, and I am truly sorry."
    Gregg Steinhafel
    CEO of Target

  66. HUMAN:
    5/10
    CEO WAS GREAT BUT A LOT OF PR...

  67. FINAL SCORE:
    48%
    A GOOD LEARNING EXPERIENCE...

  68. PENN STATE
    ENGINEERING
    VICTIM: EDUCATION/GOVERNMENT
    ATTACKER: NATION STATE

  69. TIMELINE
    ▸ Unknown: Intrusions 1 & 2 Begin
    ▸ Nov. 21, 2014: FBI Notification
    ▸ May 15, 2015: Engineering Network Offline & Statements Released
    (Students, Press, & Partners)
    ▸ May 18, 2015: PSU Announces Network Back Online

  76. KEY STATEMENTS
    In order to protect the college’s network infrastructure as well as
    critical research data from a malicious attack, it was important that the
    attackers remained unaware of our efforts to investigate and prepare
    for a full-scale remediation.

  77. CLEAR:
    7/10
    YOU JUST NEED TO READ 3 SITES AND...

  78. TIMELY:
    7/10
    TOOK THEIR TIME hopefully FOR A REASON

  79. ACTIONABLE:
    8/10
    NOT MUCH... UNLESS YOU ARE ARL

  80. RESPONSIBLE:
    8/10
    ONCE YOU FIND IT...

  81. HUMAN:
    8/10
    ONCE YOU FIND IT... AGAIN...

  82. FINAL SCORE:
    76%
    A SOLID C WITH A B- AFTER THE CURVE

  83. SLACK
    VICTIM: SAAS CHAT PROVIDER
    ATTACKER: CRIMINAL

  84. TIMELINE
    ▸ Early February: Incident Began
    ▸ Early February: Incident Ongoing Four Days
    ▸ March 27: Web Notification Released
    ▸ March 27: Email Notifications Released

  89. KEY STATEMENTS
    Information contained in this user database was accessible to the
    hackers during this incident.
    &
    No financial or payment information was accessed or compromised in
    this attack.

  90. CLEAR:
    9/10
    NO VECTOR, BUT OTHERWISE EVERYTHING

  91. TIMELY:
    10/10
    CONTROLLED BASED ON INVESTIGATION

  92. ACTIONABLE:
    10/10
    FEATURES & EVERYTHING

  93. FEATURE: TWO FACTOR AUTHENTICATION

  94. FEATURE: PASSWORD KILL SWITCH

  95. RESPONSIBLE:
    9/10
    LIMITED ON MISTAKES, FOCUS ON ACTIONS

  96. HUMAN:
    8/10
    GOOD WORDS, LIMITED IDENTITY

  97. FINAL SCORE:
    94%
    Curve Buster!!!

  98. OTHER ORGS DOING THIS
    WELL
    PF CHANG'S
    LASTPASS
    GITHUB (IMHO)

  99. IN CLOSING

  100. "It takes 20 years to build a reputation and five minutes to ruin it. If you
    think about that, you'll do things differently."
    Warren Buffett

  101. MAKE A PLAN
    KNOW YOUR STAKEHOLDERS
    KNOW YOUR DECISION MAKERS
    KNOW YOUR METHODS
    KNOW YOUR VOICE

  102. BE CLEAR
    BE TIMELY
    BE ACTIONABLE
    BE RESPONSIBLE
    BE HUMAN

  103. THANKS TO:
    ▸ Kate Guarente of GitHub
    ▸ Rachel Vandernick of WebPageFX
    ▸ Kristin Reichardt-Rummell of Swish Media
    ▸ Mark Imbriaco of OperableInc

  104. @SROBERTS OF GITHUB
    ORIGINAL POST: HTTP://GIT.IO/VKMYC

  105. THANK YOU!!!

  107. QUESTIONS???
