This document offers guidance for employees or incident responders who believe they have discovered or are responding to a security incident.
Email to panic@twinelabs.com or a message to #panic should be used to notify the security team of run-of-the mill issues. Be a good witness. Behave as if you were reporting a crime and include lots of specific details about what you have discovered.
Issues meeting this severity are simply suspicions or odd behaviors. They are not verified and require further investigation. There is no clear indicator that systems have tangible risk and do not require emergency response. This includes suspicious emails, outages, strange activity on a laptop.
Email to panic@twinelabs.com or a message to #panic should be used to notify the security team of low or medium severity issues.
High severity issues relate to problems where an adversary or active exploitation hasn’t been proven yet, and may not have happened, but likely to happen. This may include vulnerabilities with direct risk of exploitation, threats with risk or adversarial persistence on our systems (eg: backdoors, malware), malicious access of business data (eg: passwords, vulnerability data, payments information), or threats that put any individual at risk of physical harm.
High severity issues should include an email to panic@twinelabs.com with “Urgent” in the subject line, or a message to #security with “@channel incident” in the message to alert incident responders.
Critical issues relate to actively exploited risks and involve a malicious actor. Identification of active exploitation is critical to this severity category.
Critical severity issues should involve a message to “@channel” in #security and #panic, as well as messages to the CEO (joseph@twinelabs.com) and CTO (nikhil@twinelabs.com). Continue escalation until you receive acknowledgement. Involvement of a crisis lead for public relations, a lawyer familiar with breach notification, and a “heads up” to our consultant response partners are highly recommended.
By definition, the detection of unauthorized access of client data is a critical-severity incident. If unauthorized access is detected, the response team should make the client's security representatives aware of the breach, in addition to following the procedure outlined above under "Critical Severity."
Issues where the malicious actor is an internal employee, contractor, vendor, or partner requires sensitive handling. Please contact the CEO and CTO directly and do not discuss with other employees. These are critical issues and must be pushed to follow up.
If there are IT communication risks, the New York team will announce an out of band solution within the office, and will communicate this to managers with directions over cell phones.
Incident responders (i.e. all engineers) must have Wickr messaging arranged.
For critical issues, the response team will follow an iterative response process designed to investigate, contain exploitation, remediate our vulnerability, and document a post-mortem with the lessons of an incident.
- CTO or CEO will determine if a lawyer be included and attorney client privilege between responders will begin.
- A central “War Room” will be designated.
- The following meeting will occur at regular intervals until the incident is resolved:
- Update Breach Timeline
- New Indicators of Compromise
- Investigative Q&A
- Emergency Mitigations
- Long Term Mitigations (including Root Cause Analysis)
- Everything Else
We will Update a Breach Timeline with all known temporal data related to the incident. All Indicators of Compromise will be updated and shared among breach responders. The group will add new knowns and unknowns to the Investigative Q&A. A list of tactical Emergency Mitigations will be updated. A list of long term, post breach Long Term Mitigations will be updated. Once items related to response are covered, technical responders may leave the meeting and meta-topics (Everything Else) related to the breach are discussed (communications, legal issues, blog posts, etc) with leadership.
| Name | Cell Number | wickr |
|---|---|---|
| Ian | 484-793-5515 | iansibner |
| Nikhil | 973-943-3223 | nikhiltwine |
To engineers: add links to runbooks that follow from vulnerability assessments / penetration tests here.