Skip to content

Instantly share code, notes, and snippets.


sroberts/ Secret

Created Nov 3, 2015
What would you like to do?
Deckset Presentation for Crisis Communications for Incident Response

[fit] Crisis Comms

[fit] for Incident Response

[fit] Introduction

left fill

[fit] Scott J Roberts

Advanced Persistent Incident Responder


[fit] I work for GitHub...

^ We're a tshirt and sticker company that also has some Git hosting.

If you Twitter




^ I figure if the DFIR Summit is cool enough to have a hashtag why can't I?


[fit]I am not a Public Relations Specialist

[fit] But I consulted a couple

[fit] four to be precise...

[fit] This started as a blog post...^1

^ In Sept of last year I was reading Krebs and told my boss I saw a super interesting incident. Can you guess which one?


^ PF Chang's!!! So I wrote a blog post about this little website they put together about the breach.

[fit]What Is

[fit]Crisis Comms?

[...] a sub-specialty of the public relations profession that is designed to protect and defend an individual, company, or organization facing a public challenge to its reputation.

Wikipedia: Crisis Communications

^I thought I knew, but needed a real definition, so I did what everyone does and I went to Wikipedia.


AKA: What you say when everything goes wrong.

[fit] When to do

[fit] Crisis Comms???

^ AKA What are the kind of situations where "everything goes wrong".

A Breach

^ A data loss or corruption event where attackers compromise your confidentially or integrity.

A Vulnerability

^ When you have a huge gap that could allow attackers in, especially if users themselves need to do something (like updates).


^ To let people know you're still alive.


^ If you don't know what a DDoS looks like it looks like this...

[fit] Not a (Breach|Vuln|DDoS)...

^ Sometimes you have to do crisis comms when these things don't happen. Rumors gonna rumor.

[fit]5 Keys

[fit]Of IR Communication

Be Clear

^ This means how you phrase your message to encourage comprehension.

It's difficult to investigate intrusions

^ There may be a group of investigators (or teams) working different aspects of an intrusion. That's a lot to keep track of.

It's difficult to explain intrusions

Imagine being non-DFIR?

Or only semi-technical?

Or fully non-technical?

^ Your parents, your grand parents, or college kids, or your Chief Financial Officer. The goal isn't what you think is simple, but what they would think is simple.

The Rule:

Everything should be on a 5th grade reading level

^ That means a Harry Potter level of writing. Limit word complexity, sentence length & complexity, abstract concepts, and avoid passive voice.

[fit]Without understanding

[fit]victims will remain

[fit]confused & critics will

[fit]remain skeptical

^ This is one of the key points of the whole talk. If you leave room for speculation people will be speculate.

[fit]Clarity goes beyond one message

[fit]Stay consistent across

[fit]messages & mediums

^ Even better, be able to point to one "source of truth". This means one site, one page. The fewer resources to evaluate the better.

![](/Users/sroberts/Pictures/Random Stills/equation.jpg)


^ This is PR specific. It turns out attribution matters to investigators, not much to anyone else. Plus you run the risk of agitating the attackers again.


[fit]Bad Words





"Nation State"



^ Just don't. If it's news worthy of course it's unusual.

Personal Aside:

#[fit] Why can't someone get hacked by a #[fit] basic, dumb, & lazy attacker??

"You need to prepare for today's media culture, in which a tweet can become newsworthy and a news interview can become tweet-worthy."

Brad Phillips of Phillips Media Relations

^ Clarity and consistency of message matter, because you don't know which bit people will latch on to.

Be Timely

^ This means when you share messages and how much detail you give. Easily the most nuanced step.

Too Early:

You have to make lots of follow-ups & seem out of control

^ If you don't have the full story you have to keep providing updates, revise statements.

Too Late:

Your warning is less actionable & you seem oblivious

^ You'll get Krebs'd, someone else will tell your story. Worse you seem out of control. The attackers may do even more damage.

[fit]In the end the best option is often to

[fit]over communicate & assume the worst

^ You're always walking a fine line and you'll never get it right.

[fit] "It wasn't as bad as we initially thought..."


[fit] "Actually it's worse than we thought..."

^ Which would you rather have to say?

[fit] Legal/Reg Requirements

[fit] Industry or Location


^ Your mileage may vary based on industry.

"The secret of crisis management is not good vs. bad, it's preventing the bad from getting worse."

Andy Gilman of Comm Core Consulting Group

^ Don't shoot yourself in the foot. You can't make the damage go away, you're trying to keep it from getting worse.

Be Actionable

^ Tell users what you're doing to protect them and how they can protect themselves.

What is the organization doing To mitigate the problem_?_

^ What is your temporary solution to keep it from getting worse?

What is the organization doing to remediate the problem_?_

^ What are you doing to keep this from ever happening again.

How can people identify if they are affected_?_

^ People need to know if, when, and where they were effected.

What is the organization doing to protect users_?_

^ This means things like free Credit Monitoring or other restitution.

How can people protect themselves if they are affected_?_

"Next to doing the right thing, the most important thing is to let people know you are doing the right thing."

John D. Rockefeller

^ This reestablishes or maintains trust with affected users.

Be Responsible

^ Being responsible is about admitting mistakes and the need for improvement. These next tie together.

This one is scary*...*

^ And counter intuitive. Cite the medical field.


[fit]what went wrong


[fit]saying you are sorry

^The Medical field is starting to encourage doctors to apologize.

[fit] Responsibility Takes Collaboration

Security Team

Public Relations Team

Legal Team

Customer Support

^ Customer support most of all. Maybe even your C-Suite.


[fit] Vendor

[fit] Name Dropping

^ By which I mean which vendor you brought in to help. People use this as an excuse to say they were responsible. This doesn't impress anyone outside the security community.

"Always acknowledge a fault frankly. This will throw those in authority off their guard and give you opportunity to commit more."

Mark Twain

^ People trust you when you can admit what you did wrong.

Be Human

^ Sounding like a robot doesn't comfort anyone.

[fit] You can't overvalue a sense of humanity in a crisis

[fit] it's wildly difficult & critically important

^ Reminds people you're just another person having a bad day, it leads to empathy


How to Sound Human

  • Start all communications go through a single person
  • Avoid Legal_-ese_ & Jargon
  • Say it, write it, read it to yourself, then read it out loud
  • Get outside feedback, but don't sound like a committee

[fit] Audience

^ Knowing who you're talking doesn't' change the content, but it does change the manager



Press, Social Media, Public Statements

^ You need to make broad, public statements for everyone outside your organization to take in. Assume everyone will see them (IE the press will get the email you sent to users and a line from your press statement will get cited on Twitter).


Focus on Clarity, Avoid FUD

^ It's easy to go chasing budget when something bad happens


If employees don't have a message they'll invent one

^ If only to seem in the know... When the hack happens everyone will ask questions. Hubbers have been asked about our DDoS for months. Loose lips sink ships.

Intel Sharing

[fit] You aren't on those secret squirrel

[fit] mailing lists just to feel cool... right?

^ I'm sure a bunch of people are talking about intel sharing, but it is relevant. Have strong rules of engagement (IE what and when to share) ahead of time to make this easier and more timely.

"If you don't tell your story, someone else will."


^ Even if the story is just sharing what the public message should be.

[fit] Mediums


Likely the best...

^ Give users & the press a single point of truth with a URL. In the end the teams that do this best all point to one single site.


When you know those affected...

Social Media

Because this isn't 1970...

Press Release

Because you think it is 1970...

^ There is a good reason sometimes, but it is very old school.

[fit] Case Studies



Victim: Consumer Retail

Attacker: Criminal Group


  • ??: Intrusion Begins
  • Nov. 27 - Dec. 15, 2013: Fraud Takes Place
  • Dec. 15, 2013: Breach Confirmed Internally, 40 million cards affected
  • Dec. 18, 2013: Brian Krebs First Article

^ "information accessed included credit and debit card numbers and card expiration dates, with no indication that PIN numbers were impacted"

Timeline (Cont.):

  • Dec. 19, 2013: Target Acknowledges Breach: Minimal Impact
  • Dec. 20, 2013: Target announces "very few"^2 reports of card fraud
  • Dec. 21, 2013: Banks begin reissuing cards proactively

Timeline (Cont.)(yet again):[^3]

  • Dec. 27, 2013: 3rd Party IR identifies stolen card/pin information
  • Jan. 10, 2014: Access to an additional 70 Million accounts announced
  • Jan. 22, 2014: 475 employees from HQ laid off w/700 open recs

[^3]: &

^ A Bullseye View: response & resources related to Target's data breach

^ A Bullseye View: an update on our data breach & financial performance

^ A Bullseye View: Target Confirms Unauthorized Access to Payment Card Data in U.S. Stores

^ A Bullseye View: Credit Monitoring FAQ

^ PDF letter from Target CEO

^ A Bullseye View: a message from CEO Gregg Steinhafel

And a bunch more....

^ I got to page six of " breach" before I couldn't take it anymore.

^ KrebsonSecurity: Sources: Target Investigating Data Breach



###6+ links vs. 1 Krebs article...

^ The more places the story is the more muddled it becomes



Early & often backfired...

^ Had to keep revising up



No idea...

^ IT was hard to figure out what to do, how to determine if you were involved. I know because i got asked by lots of people.



Depends where you look...

^ Statements were very "PR"-y while the letter was incredibly human and humble.

Key Statement

"Our top priority is taking care of you and helping you feel confident about shopping at Target, and it is our responsibility to protect your information when you shop with us. We didn’t live up to that responsibility, and I am truly sorry."

Gregg Steinhafel CEO of Target



CEO was great but a lot of PR...

^In general not very, but a few hard to find documents were very human.

Final Score:


A good learning experience...

^ I'm not trying to bash Target, they had a tough situation and did the best they could.


Penn State Engineering

Victim: Education/Government

Attacker: Nation State

^ It was funny, when you search Penn State Hack you actually find the CTF team I started as an undergraduate.


  • Unknown: Intrusions 1 & 2 Begin
  • Nov. 21, 2014: FBI Notification
  • May 15, 2015: Engineering Network Offline & Statements Released
    (Students, Press, & Partners)
  • May 18, 2015: PSU Announces Network Back Online

^Re/Code: Penn State Engineering School Cuts Off Internet After Hacking Attacks

^Wall Street Journal: Penn State's Engineering School Computers Hacked

^Penn State News Statement

^Penn State Presidents Statement

^Secure Penn State FAQ

^The Hill It is written for and about the U.S. Congress, with a special focus on business and lobbying, political campaigns and other events on Capitol Hill.

Key Statements

In order to protect the college’s network infrastructure as well as critical research data from a malicious attack, it was important that the attackers remained unaware of our efforts to investigate and prepare for a full-scale remediation.



You just need to read 3 sites and...



Took their time hopefully for a reason



Not much... unless you are ARL



Once you find it...



Once you find it... again...

Final Score:


A solid C with a B- after the curve

left 75%


Victim: SaaS Chat Provider

Attacker: Criminal


  • Early February: Incident Began
  • Early February: Incident Ongoing Four Days
  • March 27 Web Notification Released
  • March 27 Email Notifications Released

Key Statements

Information contained in this user database was accessible to the hackers during this incident.


No financial or payment information was accessed or compromised in this attack.



###No vector, but otherwise everything



Controlled based on investigation



Features & everything

[fit] Feature: Two Factor Authentication

[fit] Feature: Password Kill Switch



Limited on mistakes, focus on actions



Good words, limited identity

Final Score:


Curve Buster!!!

Other Orgs Doing Well

PF Chang's




GitHub (IMHO)



[fit] In Closing

"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently."

Warren Buffet

Make a Plan

Know Your Stakeholders

Know Your Decision Makers

Know Your Methods

Know Your Voice

[fit] Be Clear

[fit] Be Timely

[fit] Be Actionable

[fit] Be Responsible

[fit] Be Human

Thanks to:

  • Kate Guarente of GitHub
  • Rachel Vandernick of WebPageFX
  • Kristin Reichardt-Rummell of Swish Media
  • Mark Imbriaco of OperableInc

^ Imbriaco

  • Apologize
  • Demonstrate understanding of events
  • Explain remediation

@sroberts of GitHub

Original Post:

[fit] Thank you!!!

[fit] Questions???

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment