^ We're a tshirt and sticker company that also has some Git hosting.
^ I figure if the DFIR Summit is cool enough to have a hashtag why can't I?
[fit] This started as a blog post...1
^ In Sept of last year I was reading Krebs and told my boss I saw a super interesting incident. Can you guess which one?
^ PF Chang's!!! So I wrote a blog post about this little website they put together about the breach.
[...] a sub-specialty of the public relations profession that is designed to protect and defend an individual, company, or organization facing a public challenge to its reputation.
Wikipedia: Crisis Communications
^I thought I knew, but needed a real definition, so I did what everyone does and I went to Wikipedia.
^ AKA What are the kind of situations where "everything goes wrong".
^ A data loss or corruption event where attackers compromise your confidentiality or integrity.
^ When you have a huge gap that could allow attackers in, especially if users themselves need to do something (like updates).
^ To let people know you're still alive.
^ If you don't know what a DDoS looks like it looks like this...
^ Sometimes you have to do crisis comms when these things don't happen. Rumors gonna rumor.
^ This means how you phrase your message to encourage comprehension.
^ There may be a group of investigators (or teams) working different aspects of an intrusion. That's a lot to keep track of.
^ Your parents, your grandparents, or college kids, or your Chief Financial Officer. The goal isn't what you think is simple, but what they would think is simple.
^ That means a Harry Potter level of writing. Limit word complexity, sentence length & complexity, abstract concepts, and avoid passive voice.
^ This is one of the key points of the whole talk. If you leave room for speculation, people will speculate.
^ Even better, be able to point to one "source of truth". This means one site, one page. The fewer resources to evaluate the better.
![](/Users/sroberts/Pictures/Random Stills/equation.jpg)
^ This is PR specific. It turns out attribution matters to investigators, not much to anyone else. Plus you run the risk of agitating the attackers again.
^ Just don't. If it's news worthy of course it's unusual.
#[fit] Why can't someone get hacked by a
#[fit] basic, dumb, & lazy attacker??
"You need to prepare for today's media culture, in which a tweet can become newsworthy and a news interview can become tweet-worthy."
Brad Phillips of Phillips Media Relations
^ Clarity and consistency of message matter, because you don't know which bit people will latch on to.
^ This means when you share messages and how much detail you give. Easily the most nuanced step.
^ If you don't have the full story you have to keep providing updates, revise statements.
^ You'll get Krebs'd, someone else will tell your story. Worse you seem out of control. The attackers may do even more damage.
^ You're always walking a fine line and you'll never get it right.
^ Which would you rather have to say?
^ Your mileage may vary based on industry.
"The secret of crisis management is not good vs. bad, it's preventing the bad from getting worse."
Andy Gilman of Comm Core Consulting Group
^ Don't shoot yourself in the foot. You can't make the damage go away, you're trying to keep it from getting worse.
^ Tell users what you're doing to protect them and how they can protect themselves.
^ What is your temporary solution to keep it from getting worse?
^ What are you doing to keep this from ever happening again.
^ People need to know if, when, and where they were affected.
^ This means things like free Credit Monitoring or other restitution.
"Next to doing the right thing, the most important thing is to let people know you are doing the right thing."
John D. Rockefeller
^ This reestablishes or maintains trust with affected users.
^ Being responsible is about admitting mistakes and the need for improvement. These next tie together.
^ And counterintuitive. Cite the medical field.
^ The medical field is starting to encourage doctors to apologize.
^ Customer support most of all. Maybe even your C-Suite.
^ By which I mean which vendor you brought in to help. People use this as an excuse to say they were responsible. This doesn't impress anyone outside the security community.
"Always acknowledge a fault frankly. This will throw those in authority off their guard and give you opportunity to commit more."
Mark Twain
^ People trust you when you can admit what you did wrong.
^ Sounding like a robot doesn't comfort anyone.
^ Reminds people you're just another person having a bad day; it leads to empathy.
- Have all communications go through a single person
- Avoid Legal_-ese_ & Jargon
- Say it, write it, read it to yourself, then read it out loud
- Get outside feedback, but don't sound like a committee
^ Knowing who you're talking to doesn't change the content, but it does change the manner.
^ You need to make broad, public statements for everyone outside your organization to take in. Assume everyone will see them (i.e. the press will get the email you sent to users and a line from your press statement will get cited on Twitter).
^ It's easy to go chasing budget when something bad happens
^ If only to seem in the know... When the hack happens everyone will ask questions. Hubbers have been asked about our DDoS for months. Loose lips sink ships.
^ I'm sure a bunch of people are talking about intel sharing, but it is relevant. Have strong rules of engagement (i.e. what and when to share) ahead of time to make this easier and more timely.
"If you don't tell your story, someone else will."
Unknown
^ Even if the story is just sharing what the public message should be.
^ Give users & the press a single point of truth with a URL. In the end the teams that do this best all point to one single site.
^ There is a good reason sometimes, but it is very old school.
- ??: Intrusion Begins
- Nov. 27 - Dec. 15, 2013: Fraud Takes Place
- Dec. 15, 2013: Breach Confirmed Internally, 40 million cards affected
- Dec. 18, 2013: Brian Krebs First Article
^ "information accessed included credit and debit card numbers and card expiration dates, with no indication that PIN numbers were impacted"
- Dec. 19, 2013: Target Acknowledges Breach: Minimal Impact
- Dec. 20, 2013: Target announces "very few"2 reports of card fraud
- Dec. 21, 2013: Banks begin reissuing cards proactively
Timeline (Cont.)(yet again):3
- Dec. 27, 2013: 3rd Party IR identifies stolen card/pin information
- Jan. 10, 2014: Access to an additional 70 Million accounts announced
- Jan. 22, 2014: 475 employees from HQ laid off w/700 open reqs
^ A Bullseye View: response & resources related to Target's data breach
^ A Bullseye View: an update on our data breach & financial performance
^ A Bullseye View: Target Confirms Unauthorized Access to Payment Card Data in U.S. Stores
^ A Bullseye View: Credit Monitoring FAQ
^ PDF letter from Target CEO
^ A Bullseye View: a message from CEO Gregg Steinhafel
^ I got to page six of "site:target.com breach" before I couldn't take it anymore.
^ KrebsonSecurity: Sources: Target Investigating Data Breach
### 6+ links vs. 1 Krebs article...
^ The more places the story is the more muddled it becomes
^ Had to keep revising up
^ It was hard to figure out what to do, how to determine if you were involved. I know because I got asked by lots of people.
^ Statements were very "PR"-y while the letter was incredibly human and humble.
"Our top priority is taking care of you and helping you feel confident about shopping at Target, and it is our responsibility to protect your information when you shop with us. We didn’t live up to that responsibility, and I am truly sorry."
Gregg Steinhafel CEO of Target
^ In general not very, but a few hard to find documents were very human.
^ I'm not trying to bash Target, they had a tough situation and did the best they could.
^ It was funny, when you search Penn State Hack you actually find the CTF team I started as an undergraduate.
- Unknown: Intrusions 1 & 2 Begin
- Nov. 21, 2014: FBI Notification
- May 15, 2015: Engineering Network Offline & Statements Released (Students, Press, & Partners)
- May 18, 2015: PSU Announces Network Back Online
^ Re/Code: Penn State Engineering School Cuts Off Internet After Hacking Attacks
^ Wall Street Journal: Penn State's Engineering School Computers Hacked
^ Penn State News Statement
^ Penn State President's Statement
^ Secure Penn State FAQ
^ The Hill: written for and about the U.S. Congress, with a special focus on business and lobbying, political campaigns and other events on Capitol Hill.
In order to protect the college’s network infrastructure as well as critical research data from a malicious attack, it was important that the attackers remained unaware of our efforts to investigate and prepare for a full-scale remediation.
- Early February: Incident Began
- Early February: Incident Ongoing Four Days
- March 27: Web Notification Released
- March 27: Email Notifications Released
Information contained in this user database was accessible to the hackers during this incident.
&
No financial or payment information was accessed or compromised in this attack.
### No vector, but otherwise everything
"It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently."
Warren Buffett
- Kate Guarente of GitHub
- Rachel Vandernick of WebPageFX
- Kristin Reichardt-Rummell of Swish Media
- Mark Imbriaco of OperableInc
^ Imbriaco
- Apologize
- Demonstrate understanding of events
- Explain remediation