Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Crisis Communications for Incident Response (FIRST15)

Scott J. Roberts
June 16, 2015
Technology
1
270

Crisis Communications for Incident Response (FIRST15)

My talk on how to apply Crisis Communication techniques for post breach incident responses. Presented at the First 2015 conference in Berlin, Germany.

Scott J. Roberts

June 16, 2015
Tweet

More Decks by Scott J. Roberts

See All by Scott J. Roberts
Homemade Ramen & Threat Intelligence
sroberts
2
390
Introduction to Open Source Security Tools
sroberts
3
4.6k
Building Effective Threat Intelligence Sharing
sroberts
1
88
Japanese Manufacturing, Killer Robots, & Effective Incident Handling
sroberts
0
73
Crisis Communication for Incident Response
sroberts
1
250
Hipster DFIR on OSX - BSidesCincy
sroberts
3
3k
Community Intelligence & Open Source Tools
sroberts
5
1k
Responding @ Scale: osquery for Mass Incident Response and Detection
sroberts
1
12k
Hipster DFIR on OSX
sroberts
2
900

Other Decks in Technology

See All in Technology
javapを使ってクラスファイルを読んでみよう!
yujisoftware
1
190
Web Intelligence and Visual Media Analytics
weblyzard
PRO
1
3.3k
k6による負荷試験 入門から実践まで
fujiwara3
3
1.2k
安心して現場で学習できる環境として Flutter Web の管理サイトがおすすめな話
htsuruo
5
150
データマイニングと機械学習-SVM
trycycle
0
150
Exadata Database Service on Dedicated Infrastructure X9M / Exadata Database Service on [email protected] X9M / Exadata Database Machine 比較
oracle4engineer
PRO
0
2.5k
どうしてもcgoから逃げられなくなったあなたに知ってほしいcgoの使い方入門
sakiengineer
1
1.1k
Amazon CodeCatalyst と Amazon CodeWhisperer で開発を加速しよう!
twingob
1
100
エンジニアのキャリアパスはどう描く? まつもとりーさんと考える後悔しないキャリア選択
matsumoto_r
PRO
2
340
ローカルAITuber勢の現在地と未来
sr2mg4
0
130
機械学習モデル性能向上への学習データからのアプローチ
okada_fuutass
0
170
Predictive back transition Animation on Android 14
line_developers
PRO
1
550

Featured

See All Featured
Git: the NoSQL Database
bkeepers
PRO
420
60k
Ruby is Unlike a Banana
tanoku
93
9.7k
How to Ace a Technical Interview
jacobian
271
22k
Optimising Largest Contentful Paint
csswizardry
2
790
What the flash - Photography Introduction
edds
64
10k
Side Projects
sachag
450
39k
Done Done
chrislema
178
15k
Robots, Beer and Maslow
schacon
154
7.5k
Designing on Purpose - Digital PM Summit 2013
jponch
108
6k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
239
19k
Creatively Recalculating Your Daily Design Routine
revolveconf
207
11k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
500
130k

Transcript

  1. CRISIS COMMS
    FOR INCIDENT RESPONSE

    View Slide

  2. INTRODUCTION

    View Slide

  3. SCOTT J ROBERTS
    DFIR ENGINEER
    @SROBERTS

    View Slide

  4. I WORK FOR GITHUB...

    View Slide

  5. DISCLAIMER:
    I AM NOT A PUBLIC RELATIONS SPECIALIST

    View Slide

  6. BUT I CONSULTED A FEW
    more than a few actually...

    View Slide

  7. THIS STARTED AS A BLOG POST...1
    1 http://sroberts.github.io/2014/09/22/crisis-comms-for-ir/

    View Slide

  8. WHAT IS
    CRISIS COMMS?

    View Slide

  9. [...] a sub-specialty of the public relations profession that is designed
    to protect and defend an individual, company, or organization facing a
    public challenge to its reputation.
    Wikipedia: Crisis Communications

    View Slide

  10. AKA: WHAT YOU SAY WHEN EVERYTHING GOES WRONG.

    View Slide

  11. 5 KEYS
    OF IR COMMUNICATION

    View Slide

  12. BE CLEAR

    View Slide

  13. IT'S DIFFICULT TO
    INVESTIGATE INTRUSIONS

    View Slide

  14. IT'S DIFFICULT TO EXPLAIN
    INTRUSIONS

    View Slide

  15. IMAGINE BEING NON-DFIR?
    OR ONLY SEMI-TECHNICAL?
    OR FULLY NON-TECHNICAL?

    View Slide

  16. The Rule:
    EVERYTHING SHOULD BE ON A
    5TH GRADE READING LEVEL

    View Slide

  17. WITHOUT UNDERSTANDING
    VICTIMS WILL REMAIN
    CONFUSED & CRITICS WILL
    REMAIN SKEPTICAL

    View Slide

  18. CLARITY GOES BEYOND ONE MESSAGE
    STAY CONSISTENT ACROSS
    MESSAGES & MEDIUMS

    View Slide

  19. ATTRIBUTION

    View Slide

  20. "You need to be prepared for today's media culture, in which a tweet
    can become newsworthy and a news interview can become tweet-
    worthy."
    Brad Phillips of Phillips Media Relations

    View Slide

  21. BE TIMELY

    View Slide

  22. TOO EARLY:
    YOU HAVE TO MAKE LOTS OF
    FOLLOW-UPS & SEEM OUT OF
    CONTROL

    View Slide

  23. TOO LATE:
    YOUR WARNING IS LESS
    ACTIONABLE & YOU SEEM
    OBLIVIOUS

    View Slide

  24. IN THE END THE BEST OPTION IS OFTEN TO
    OVER COMMUNICATE & ASSUME THE WORST

    View Slide

  25. "IT WASN'T AS BAD AS WE INITIALLY THOUGHT..."
    VS.
    "ACTUALLY IT'S WORSE THAN WE THOUGHT..."

    View Slide

  26. "The secret of crisis management is not good vs. bad, it's preventing the
    bad from getting worse."
    Andy Gilman of Comm Core Consulting Group

    View Slide

  27. BE ACTIONABLE

    View Slide

  28. WHAT IS THE ORGANIZATION
    DOING TO MITIGATE THE
    PROBLEM?

    View Slide

  29. WHAT IS THE ORGANIZATION
    DOING TO REMEDIATE THE
    PROBLEM?

    View Slide

  30. HOW CAN PEOPLE IDENTIFY IF
    THEY ARE AFFECTED?

    View Slide

  31. WHAT IS THE ORGANIZATION
    DOING TO PROTECT USERS?

    View Slide

  32. HOW CAN PEOPLE PROTECT
    THEMSELVES IF THEY ARE
    AFFECTED?

    View Slide

  33. "Next to doing the right thing, the most important thing is to let people
    know you are doing the right thing."
    John D. Rockefeller

    View Slide

  34. BE RESPONSIBLE

    View Slide

  35. This one is scary...

    View Slide

  36. ADMITTING
    WHAT WENT WRONG
    AND
    SAYING YOU ARE SORRY

    View Slide

  37. RESPONSIBILITY TAKES COLLABORATION
    SECURITY TEAM
    PUBLIC RELATIONS TEAM
    LEGAL TEAM
    CUSTOMER SUPPORT

    View Slide

  38. VENDOR NAME DROPPING

    View Slide

  39. "Always acknowledge a fault frankly. This will throw those in authority
    off their guard and give you opportunity to commit more."
    Mark Twain

    View Slide

  40. BE HUMAN

    View Slide

  41. YOU CAN'T OVERVALUE A SENSE OF HUMANITY IN A CRISIS
    IT'S WILDLY DIFFICULT & CRITICALLY IMPORTANT

    View Slide

  42. HOW TO SOUND HUMAN
    ▸ Start all communications go through a single
    person
    ▸ Avoid Legal-ese & Jargon
    ▸ Say it, write it, read it to yourself, then read it
    out loud
    ▸ Get outside feedback, but don't sound like a
    committee

    View Slide

  43. AUDIENCE

    View Slide

  44. EXTERNAL
    PRESS, SOCIAL MEDIA, PUBLIC STATEMENTS

    View Slide

  45. EXECUTIVE
    FOCUS ON CLARITY, AVOID FUD

    View Slide

  46. INTERNAL
    IF EMPLOYEES DON'T HAVE A MESSAGE
    THEY'LL INVENT ONE

    View Slide

  47. "If you don't tell your story, someone else will."
    Unknown

    View Slide

  48. CASE STUDIES

    View Slide

  49. TARGET
    VICTIM: CONSUMER RETAIL
    ATTACKER: CRIMINAL GROUP

    View Slide

  50. TIMELINE:
    ▸ ??: Intrusion Begins
    ▸ Nov. 27 - Dec. 15, 2013: Fraud Takes Place
    ▸ Dec. 15, 2013: Breach Confirmed Internally, 40 million cards affected
    ▸ Dec. 18, 2013: Brian Krebs First Article

    View Slide

  51. TIMELINE (CONT.):
    ▸ Dec. 19, 2013: Target Acknowledges Breach: Minimal Impact
    ▸ Dec. 20, 2013: Target announces "very few"2 reports of card fraud
    ▸ Dec. 21, 2013: Banks begin reissuing cards proactively
    2 http://www.wsj.com/news/articles/SB10001424052702304773104579270591741798968

    View Slide

  52. TIMELINE (CONT.)(YET AGAIN):3
    ▸ Dec. 27, 2013: 3rd Party IR identifies stolen card/pin information
    ▸ Jan. 10, 2014: Access to an additional 70 Million accounts announced
    ▸ Jan. 22, 2014: 475 employees from HQ laid off w/700 open recs
    3 http://blogs.wsj.com/corporate-intelligence/2013/12/27/targets-data-breach-timeline/ & http://www.ibtimes.com/timeline-targets-data-
    breach-aftermath-how-cybertheft-snowballed-giant-retailer-1580056

    View Slide

  53. View Slide

  54. View Slide

  55. View Slide

  56. View Slide

  57. View Slide

  58. View Slide

  59. AND A BUNCH
    MORE....

    View Slide

  60. View Slide

  61. CLEAR:
    4/10
    6+ LINKS VS. 1 KREBS ARTICLE...

    View Slide

  62. TIMELY:
    4/10
    EARLY & OFTEN BACKFIRED...

    View Slide

  63. ACTIONABLE:
    3/10
    NO IDEA...

    View Slide

  64. RESPONSIBLE:
    7/10
    DEPENDS WHERE YOU LOOK...

    View Slide

  65. KEY STATEMENT
    "Our top priority is taking care of you and helping you feel confident
    about shopping at Target, and it is our responsibility to protect your
    information when you shop with us. We didn’t live up to that
    responsibility, and I am truly sorry."
    Gregg Steinhafel
    CEO of Target

    View Slide

  66. HUMAN:
    5/10
    CEO WAS GREAT BUT A LOT OF PR...

    View Slide

  67. FINAL SCORE:
    48%
    A GOOD LEARNING EXPERIENCE...

    View Slide

  68. PENN STATE
    ENGINEERING
    VICTIM: EDUCATION/GOVERNMENT
    ATTACKER: NATION STATE

    View Slide

  69. TIMELINE
    ▸ Unknown: Intrusions 1 & 2 Begin
    ▸ Nov. 21, 2014: FBI Notification
    ▸ May 15, 2015: Engineering Network Offline & Statements Released
    (Students, Press, & Partners)
    ▸ May 18, 2015: PSU Announces Network Back Online

    View Slide

  70. View Slide

  71. View Slide

  72. View Slide

  73. View Slide

  74. View Slide

  75. View Slide

  76. KEY STATEMENTS
    In order to protect the college’s network infrastructure as well as
    critical research data from a malicious attack, it was important that the
    attackers remained unaware of our efforts to investigate and prepare
    for a full-scale remediation.

    View Slide

  77. CLEAR:
    7/10
    YOU JUST NEED TO READ 3 SITES AND...

    View Slide

  78. TIMELY:
    7/10
    TOOK THEIR TIME hopefully FOR A REASON

    View Slide

  79. ACTIONABLE:
    8/10
    NOT MUCH... UNLESS YOU ARE ARL

    View Slide

  80. RESPONSIBLE:
    8/10
    ONCE YOU FIND IT...

    View Slide

  81. HUMAN:
    8/10
    ONCE YOU FIND IT... AGAIN...

    View Slide

  82. FINAL SCORE:
    76%
    A SOLID C WITH A B- AFTER THE CURVE

    View Slide

  83. SLACK
    VICTIM: SAAS CHAT PROVIDER
    ATTACKER: CRIMINAL

    View Slide

  84. TIMELINE
    ▸ Early February: Incident Began
    ▸ Early February: Incident Ongoing Four Days
    ▸ March 27 Web Notification Released
    ▸ March 27 Email Notifications Released

    View Slide

  85. View Slide

  86. View Slide

  87. View Slide

  88. View Slide

  89. KEY STATEMENTS
    Information contained in this user database was accessible to the
    hackers during this incident.
    &
    No financial or payment information was accessed or compromised in
    this attack.

    View Slide

  90. CLEAR:
    9/10
    NO VECTOR, BUT OTHERWISE EVERYTHING

    View Slide

  91. TIMELY:
    10/10
    CONTROLLED BASED ON INVESTIGATION

    View Slide

  92. ACTIONABLE:
    10/10
    FEATURES & EVERYTHING

    View Slide

  93. FEATURE: TWO FACTOR AUTHENTICATION

    View Slide

  94. FEATURE: PASSWORD KILL SWITCH

    View Slide

  95. RESPONSIBLE:
    9/10
    LIMITED ON MISTAKES, FOCUS ON ACTIONS

    View Slide

  96. HUMAN:
    8/10
    GOOD WORDS, LIMITED IDENTITY

    View Slide

  97. FINAL SCORE:
    94%
    Curve Buster!!!

    View Slide

  98. OTHER ORGS DOING THIS
    WELL
    PF CHANG'S
    LASTPASS
    GITHUB (IMHO)

    View Slide

  99. IN CLOSING

    View Slide

  100. "It takes 20 years to build a reputation and five minutes to ruin it. If you
    think about that, you'll do things differently."
    Warren Buffet

    View Slide

  101. MAKE A PLAN
    KNOW YOUR STAKEHOLDERS
    KNOW YOUR DECISION MAKERS
    KNOW YOUR METHODS
    KNOW YOUR Voice

    View Slide

  102. BE CLEAR
    BE TIMELY
    BE ACTIONABLE
    BE RESPONSIBLE
    BE HUMAN

    View Slide

  103. THANKS TO:
    ▸ Kate Guarente of GitHub
    ▸ Rachel Vandernick of WebPageFX
    ▸ Kristin Reichardt-Rummell of Swish Media
    ▸ Mark Imbriaco of OperableInc

    View Slide

  104. @SROBERTS OF GITHUB
    ORIGINAL POST: HTTP://GIT.IO/VKMYC

    View Slide

  105. THANK YOU!!!

    View Slide

  106. View Slide

  107. QUESTIONS???

    View Slide