
Tortured Responders Dept - Scott & Rebekah's Edition

Our (Rebekah & Scott's) talk for the SANS DFIR Summit 2024.

Scott J. Roberts

August 23, 2024


Transcript

  1. It's me, hi
     • Scott J Roberts
     • Instructor of Cyber Security @ Utah State University
     • CAI Masters Student (Also at USU)
     • Rebekah Brown
     • Senior Researcher @ University of Toronto's Citizen Lab
     • SANS FOR578 Co-Author and Instructor
  2. Based on Incidents At
     • PF Chang's: 33 restaurants had their credit card processing compromised in 2014
     • Target: Major credit card data breach in 2013, exposing information of approximately 40 million customers
     • Yahoo!: In 2016, Yahoo disclosed a massive data breach affecting 3 billion user accounts, one of the largest in history
     • Slack: In March 2015, Slack reported a data breach affecting about 500,000 users, exposing usernames, email addresses, and hashed passwords
  3. Since 2016
     • Public Awareness Has Changed
     • Public Sophistication Has Changed
     • Government Requirements Have Changed
     • Cyber Threat Intelligence Has Become a Key Output
  4. The Basics: What is Crisis Communications
     "In short, it is the communication process used to respond to a threat to an organization's reputation. The crisis plan is used when there has been a major event." ~ PRLab
  5. Why Worry about Your Org Reputation
     • Financial Impact: Incidents can lead to significant financial losses
     • Trust and Credibility: Incidents erode customer trust and damage brand credibility
     • Competitive Advantage: Can differentiate an organization from competitors
     • Regulatory Compliance: Most industries face strict data protection regulations
  6. When Your Reputation Might be in Jeopardy
     • Data Breach
     • Major Publicly Facing Vulnerability (Esp as a Vendor)
     • Impactful Disruption
     • Not These Things
  7. Clarity
     "A simple complication, miscommunication leads to fallout..." - The Story of Us
     • What Happened
     • How It Happened
     • When It Happened
     • The Impact
  8. Clarity: plain language
     • Include only relevant information
     • Use words your customers use
     • Use the Active Voice
     • Be consistent
     • Aim for a fifth-grade reading
  9. Clarity: Bad Words
     • "Advanced"
     • "Persistent"
     • "Sophisticated"
     • "Unusual"
     • "Zero Day"
     • "We take your [security/privacy/trust] very seriously"
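The plain-language rules on slide 8 and the bad-words list on slide 9 can be checked mechanically before a draft statement is sent for review. The Python script below is an added example and is not from the deck or its authors: it flags the slide-9 phrases in a draft and estimates reading difficulty with the Flesch-Kincaid grade formula. The vowel-group syllable heuristic, the "zero-day" spelling variant, the 5.0 grade threshold and the two sample drafts are my own constructions, not anything the speakers published.

```python
import re

# Phrases slide 9 of the deck lists as words to avoid in a crisis statement.
# "zero-day" is added here as a spelling variant (assumption, not on the slide).
BAD_PHRASES = ["advanced", "persistent", "sophisticated", "unusual", "zero day", "zero-day"]

# The "we take your [security/privacy/trust] very seriously" template, any filler.
SERIOUSLY_RE = re.compile(r"we take your (?:security|privacy|trust) very seriously", re.I)

# Slide 8 asks for a fifth-grade reading level; treating that as grade <= 5.0 is an assumption.
TARGET_GRADE = 5.0


def find_bad_phrases(text):
    """Return the slide-9 phrases present in `text`, lower-cased, in list order."""
    lowered = text.lower()
    found = [p for p in BAD_PHRASES if re.search(r"\b" + re.escape(p) + r"\b", lowered)]
    match = SERIOUSLY_RE.search(text)
    if match:
        found.append(match.group(0).lower())
    return found


def count_syllables(word):
    """Crude syllable estimate: count vowel groups after dropping a silent trailing 'e'."""
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    if len(w) > 2 and w.endswith("e") and not w.endswith("le"):
        w = w[:-1]
    return max(1, len(re.findall(r"[aeiouy]+", w)))


def grade_level(text):
    """Flesch-Kincaid grade: 0.39*(words/sentences) + 11.8*(syllables/words) - 15.59."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z']+", text)
    if not sentences or not words:
        return 0.0
    syllables = sum(count_syllables(w) for w in words)
    return round(0.39 * len(words) / len(sentences) + 11.8 * syllables / len(words) - 15.59, 2)


def lint_statement(text):
    """Combine both checks into one verdict for a draft statement."""
    bad = find_bad_phrases(text)
    grade = grade_level(text)
    return {
        "bad_phrases": bad,
        "grade_level": grade,
        "readable": grade <= TARGET_GRADE,
        "ok": not bad and grade <= TARGET_GRADE,
    }


# Constructed sample drafts; they are not taken from any real notification.
SIMPLE_DRAFT = "We found a problem. We fixed it. Your data is safe."
JARGON_DRAFT = ("An advanced persistent threat actor leveraged a sophisticated zero day "
                "vulnerability to exfiltrate data from our infrastructure. "
                "We take your security very seriously.")

if __name__ == "__main__":
    for draft in (SIMPLE_DRAFT, JARGON_DRAFT):
        print(lint_statement(draft))
```

The syllable heuristic over-counts words such as "advanced" and "leveraged", so the grade it reports is only useful for comparing drafts against each other and against the threshold, not as an exact measurement; a real word list would be needed for anything finer.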
  10. Timeliness
      • Too Early: Too Many Follow Ups & Seem Out of Control
      • Too Late: Your warning is less actionable & you seem oblivious
      • Best Option: Over Communicate & Assume the Worst
      • Legal & Regulatory Requirements
  11. Actionability
      • What is the organization doing to mitigate the problem?
      • What is the organization doing to remediate the problem?
      • What is the organization doing to protect users?
      • How do people know if they're affected?
      • What can people do to mitigate the problem?
      • What can people do to remediate the problem?
  12. Responsibility
      • Admitting what went wrong and saying you're sorry
      • This is a collaboration with other teams (security, PR, Legal, HR, Customer Support)
      • May have legal requirements... or risk...
  13. Humanity
      • Sound Human (And not like an LLM)
      • Know your audience
      • Consider External Customers
  14. Name Checking & "Bad Blood"
      • Talk about others knowing you might be the next (us included)
      • No "Deep Cuts". If you disagree come talk to us!
  15. Case Study: Target in 2016
      • Attack Method: Hackers accessed Target's network through credentials stolen from a third-party HVAC vendor, then installed malware on point-of-sale systems to capture card data
      • Timing and Scope: Occurred during the 2013 holiday shopping season, affecting approximately 40 million credit and debit card accounts and exposing personal data of up to 70 million customers
      • Impact: The breach resulted in significant financial losses for Target (estimated at $202 million), & led to the resignation of CEO Gregg Steinhafel
  16. Response: Target in 2016
      • Delayed and Inconsistent Response: Target took several days to publicly acknowledge the breach and provided inconsistent information
      • Underestimating Impact: The company initially downplayed the breach's severity, later revealing it affected more customers than first stated
      • Lack of Empathy and Support: Early communications focused on technical details rather than addressing customer concerns
      • Poor Leadership Visibility: Then-CEO Gregg Steinhafel's absence from early communications missed an opportunity to demonstrate strong leadership during the crisis
  17. Scoring: Target in 2016
      Response Characteristic   Score
      Clarity                   3
      Timeliness                4
      Actionability             3
      Responsibility            7
      Humanity                  5
      Total                     22/50 (44%)
  18. Response: Target in 2016
      • Became the first major card issuer to use chip & pin credit cards
      • Established a Cyber Fusion Center for real-time threat monitoring, becoming an industry leader in detection, response, intel, & hunting
      • Shout out to David Bianco!
      • Joined the Retail & Hospitality Intelligence Sharing & Analysis Center (RH-ISAC) to collaborate on cybersecurity issues
  19. OG CC4IR Incidents
      • Target: Clarity: 4, Timeliness: 4, Actionable: 3, Responsible: 7, Human: 5. Total: 22/50 (44%)
      • Yahoo!: Clarity: 9, Timeliness: 5 (+/-4), Actionable: 9, Responsible: 5, Human: 6. Total: 34/50 (68%)
      • Slack: Clarity: 9, Timeliness: 10, Actionable: 10, Responsible: 9, Human: 8. Total: 46/50 (96%)
  20. Case Study: CrowdStrike in 2024
      • Cause: A faulty configuration update to CrowdStrike's Falcon Sensor software that triggered an out-of-bounds memory read in the Windows sensor client.
      • Scope: System crashes affecting roughly 8.5 million Windows systems globally, making it the largest outage in the history of information technology.
      • Impact: Disruption of daily life, businesses, and governments around the world, highlighting the critical reliance on cybersecurity solutions and the potential consequences of software errors.
      • Not a security incident but still a crisis needing communication
  21. Scoring: CrowdStrike in 2024
      Response Characteristic   Score
      Clarity                   8
      Timeliness                10
      Actionability             8.5
      Responsibility            10
      Humanity                  9
      Total                     45.5/50 (91%)
  22. Case Study: Microsoft in Nov 2023
      • Cause: Successful password spraying attack exploiting a legacy test account
      • Scope: Unauthorized access to corporate email system, exposing limited email metadata but no sensitive content
      • Impact: Potential for targeted phishing, reputational damage, mitigated by Microsoft's prompt response and remediation
  23. Case Study: Microsoft in Nov 2023
      Response Characteristic   Score
      Clarity                   9
      Timeliness                10
      Actionability             9
      Responsibility            10
      Humanity                  9
      Total                     47/50 (94%)
  24. In Conclusion
      • At the point where you need a crisis communication plan it's way too late!!!
      • Involve all your stakeholders both in practice and execution!
      • Wargame what scenarios you might be in and prepare for them, then score them!
      • Collaborate and practice collaborating!
      • Avoid making the same mistakes twice... after all...
  25. "I have this thing where I get older but just never wiser" - "Anti-Hero" from Midnights