For example, the response by Equifax to this year’s hack dubbed the worst data breach in US history demonstrates how a rushed or delayed communication response can increase the damages of a disruptive crisis, and the currently unfolding story about the 2016 Uber hack coverup demonstrates the importance of transparency.
To help our community prepare for a cyber crisis, AARNet recently hosted a DDoS (Distributed Denial of Service) based cyber crisis exercise with representatives from 20 of our member institutions. The exercise focused on communications and incident response to a persistent attack. Here, we share the key takeaways from the session:
8 tips to help you prepare your organisation for a cyber crisis
- When is an incident a crisis? Ensure that incident responders have a clear idea of when an incident should be escalated to a crisis, and how they do so.
- Communications Management. Managing and delegating tasks, and distributing up-to-date and accurate information, in a live incident with multiple teams and stakeholders can be very tricky. In some cases, established tools such as service desks are not accessible to senior personnel, so the ability to stand up a Crisis Wiki can be beneficial.
- Offline storage of contacts. Crisis coordinators and responders need the ability to contact other members if the phonebook, active directory or email is compromised or unavailable.
- Out of band communication. Have a plan for how your responders will communicate if you believe that your email system may be compromised.
- Communicate to staff, students and affiliates. Official communication channels should be used regularly with staff and students, including social media such as Twitter and Facebook. A lack of regular communication outside of a crisis will cause confusion when you attempt to communicate during one, and that confusion could be exploited against you.
- Have a spokesperson. Many roles in crisis management will mirror those in incident response; however, a significant emphasis will be placed on external communications.
- Know your external contacts. Effective crisis management requires measured external communications. Contacts and relationships should be maintained with external agencies such as:
  - Peer organisations
  - Suppliers and vendors
  - AARNet (or your ISP)
  - AusCERT and CERTAu
  - Federal law enforcement and intelligence (AFP, ASD, CSOC, etc.)
  - Insurance providers
  - Social media providers
- Know when to go to the media. The media will often pick up the story sooner or later, and the first story that is published will dictate public perception of the incident. In a dedicated campaign, an attacker may even contact the media themselves, utilising the media as another attack vector.
  - Your spokesperson should be trained in media engagement.
  - Developing template responses to certain event types can save precious time; the fine details can be rapidly adjusted to fit your situation.
AARNet would like to thank Eric Pinkerton, Virginia Calegare and Henry Ward from HIVINT for working with us to develop and run the Cyber Crisis Exercise, and prepare this advice.
Hivint offers a free high-level Incident Response run sheet in their securitycolony.com portal. If you like it and are interested to see what else is available then you can sign up for free here.
Image: Fun and games at the Cyber Crisis workshop AARNet held in Sydney recently.