Cyber Crisis Communication – A Key factor in Incident Response
Sunil Varkey
CISO, CTO, Former Wipro Fellow, Writer, Speaker, Mentor, Cyber Evangelist
With incidents and crises becoming routine in the cyber world, communication with stakeholders during the various phases of a disaster has become a critical activity. Many enterprises have suffered damage far greater than that of the actual cyber incident because of unprofessional, non-transparent communications and statements about specific events.
'Trust' is a key component of resilience in the cyber world; timely, relevant, transparent communication to the various stakeholders is essential to maintain confidence and trust.
Multiple stakeholders, both internal and external, are interested parties (for good and for bad) in events that impact enterprise sustainability and affect its constituents. External stakeholders may include customers, partners, regulators, competitors, the supply chain, media, researchers, insurers, enviers and fraudsters. Internal stakeholders may include employees, management and the board; specific internal stakeholders are the CEO, CRO, GC, Company Secretary, CMO, COO, CFO and business/account leaders. Many regulators and contracts mandate communication and disclosure of any incident.
Each of these internal and external stakeholder groups requires specific, clear, need-to-know communication at the different stages of an incident or crisis. Without defined disclosure policies and designated participating stakeholders to execute them, it is not practical for a single stakeholder group to communicate relevant information to everyone, given the different communication formats, depth of disclosure and language each recipient group needs within the tight time frame of a crisis. Cybersecurity is a niche domain, and every crisis can differ in nature. Most internal stakeholders do not have a clear understanding of security controls and incident types beyond the hyped word 'breach' used in a single sense. And each external stakeholder group expects communication that is relevant, contextual and understandable enough for them to consume and act on.
During a crisis, rumours on the grapevine, defamation attempts through social media, media coverage without facts and new attack campaign groups are all possibilities; with those in mind, any official crisis communication should be worded to clarify the situation and avoid speculation.
Speculative, suppressed or unconfident communication, denial without rationale, and too much or too little disclosure each bring their own problems. It is normal to see multi-fold attack attempts, malicious blogs, customer pressure and speculation during a crisis, mostly based on non-validated information shared by internal stakeholders, speculators or advisories.
One of the challenges we faced in my earlier SOC role was that, during an incident, the technical handler under pressure to validate, contain and mitigate the incident was bound to face stakeholder teams periodically to apprise them of the situation. Pure-play technical resources under crisis pressure struggled to build trust with their stakeholders confidently. An alternate approach we used at that time was to involve a group of SOC resources with call-center experience, fluent in English and capable of handling pressure, to interact (bridge, calls) with external stakeholders using the details provided by the SOC technical handlers. It was a game-changer in reducing the additional pressure on incident handlers while they worked on the crisis.
This is a reality in many security crises: the CISO is mandated by internal business and functional leaders to face external stakeholders, since no other internal function takes up the role or knows what is required. With these mandates, the CISO loses valuable time that should go into crisis mitigation.
Media and others overhype 'breach' as a term: any cyber-related incident, of whatever nature, is labelled a breach. This hype causes major damage and a multifold impact to enterprises. Many take advantage of the situation, since it is not viable for an enterprise to come out and clarify matters to arrest speculation in the middle of a crisis, and it is hard to identify who really is your partner and friend at that time. There have been many situations where a partner, contractor, vendor or consultant working with you leaked sensitive, non-validated information to external parties or to their own communities for fame (or other interests), making the crisis worse.
Across the phases of a crisis, the enterprise needs a common, sustainable approach to crisis communication with its internal and external stakeholders, even though content details will vary for each stakeholder group. The crisis communication approach should be a defined and tested process within the enterprise incident handling program, periodically updated, tested and signed off by the legal and corporate functions.
A cyber crisis differs somewhat from BCP/DR: the nature and impact vary from one crisis to the next, the impact may not be fully visible, external or internal adversaries are involved, and the response and recovery process will not always be the one defined in the document.
Decision-makers and authorities during a crisis have to be pre-defined, and they should have the know-how required to take the decision.
Consider a critical cyber incident: to prevent lateral movement and a huge impact, you may have to isolate a few networks, suspend a service or isolate an office location. The CEO needs to be informed for his or her concurrence, so you call and wake the CEO late at night, brief the situation and ask for permission to disrupt operations to avoid further major impact or additional damage. In that short time the CEO will have no way (other than trust in the CISO) to validate, weigh the options and give approval; he or she may not even have valid questions with which to test their assumptions.
One suggested approach to crisis communication is:
- Create a program for crisis communication within the CISO's organization, as a continuous activity that accounts for changes in approach, stakeholders etc.
- Define internal and external stakeholders based on the level of information they should receive and the periodicity of updates during the incident
- Define the method of communication to each of these stakeholder groups
- Build a Crisis communication playbook
Crisis Communication playbook
The objective is to define what to communicate, when, to whom, how, why and by whom, at a time when time is critical, information is limited, pressure for updates from various stakeholders is mounting, and answers to all the questions (who, what, why, when, where, how) are not available.
Define 15-20 different cyber crisis scenarios based on the business and its security maturity; a few examples:
- Malware propagation
- Ransomware
- Sensitive information leaked to public space
- Privileged credentials available in Dark web
- DDOS
- Vulnerability disclosure of an internal system in the public domain
- Huge recon activity – coordinated across multiple internet gateways
- Presence of rootkit on multiple critical servers
- A huge volume of data extrusion attempts
- PII / PHI data leaked
- Breach disclosure in media and social networks
- Attacks (malware, phishing, DDOS, recon, exploits) originating from the internal network to outside networks and to federated connections
- Lateral movements
- Account takeovers
- Service disruptions
- Targeted massive phishing campaign
Define internal and external stakeholders (participative/informed)
- Participative: CIO, CRO, COO, CMO, DPO, CHRO, GC, Company Secretary, CEO, Business / functional leaders, external threat intelligence bodies, partners etc
- Informed: employees, partners, helpdesk, regulators, customers, CERT, law enforcement, Media, insurers, supply chain, impacted parties etc
Roles and Responsibilities
For each of the participative roles, responsibilities are to be defined.
- Specify their role in each of the defined incident scenarios
- Not all will have a role in every incident scenario, and some may have a role in all scenarios. For example, the DPO / Privacy Officer role is only required if the incident relates to GDPR, PII or PHI
Define around 5 questions (based on the assigned incident scenario) that each stakeholder could ask and will get answered by the central team during the crisis.
- Questions are to be agreed during the planning stage and further refined during testing and as the environment changes
- Otherwise time will be wasted during the crisis on vague, general-purpose questions from each stakeholder
During a cyber crisis, the CISO will be in charge of crisis management.
- Participative stakeholders will be assigned target recipient groups and should interact only with those groups (e.g. CMO to media, DPO to privacy regulators, CRO to the board etc.)
- Guidelines on what non-participative stakeholders (employees, contractors, partners) can and cannot share during and after the incident.
- The language and the minimum/maximum information to be shared at each phase of the crisis with the respective stakeholders (external and internal) are to be defined and documented.
- This is to be signed off by the respective leadership stakeholders, and adherence should be mandated.
- Information shared should be specific, so that the shared information or samples cannot be used to attack again in another form or mode.
- Classification and RMS / encryption enforcement based on the sensitivity of the information shared with specific groups.
Methods and modes of communication vary; examples include
- Bridge
- Internal portals
- Collaborative tools
- Calls
- Bulletin boards
- Service desk
- Out of band
Template response content for each of the defined crisis scenarios in each incident phase is to be available in the playbook.
A designated individual or function within the CISO's team should ensure that the required information is available to each participating stakeholder during the crisis, as defined in the playbook.
The playbook should be updated at least yearly, when roles or the situation change, or based on lessons learned. The playbook should be available and accessible to all participating stakeholders when required.
For this to be effective, a tabletop exercise should be run every 6 months and a full-blown test once a year.
Bad crisis communication can have a ripple effect: attracting new attackers, lost customer confidence, a reduced stock price, lowered employee/partner morale etc.
Let us work together for a Safer Cyber Space.
Comment (4 years ago): Thank you for writing this article. An elaboration of a sample crisis communication scenario would be helpful.
Comment (5 years ago): Thank you for writing this article, Sir.
Comment (5 years ago): Sunil Varkey, you are very talented.
Comment: Brilliant article!