TRANSCRIPT
Handling Major Events Part 2 of 2
Table of Contents
Notices
What Has Worked Well?
Examples
Disseminate Information
Coordination Lead
Be Ready for Media Inquiries
Examples of Media Questions
Crisis Communication Plan
Notices
Managing CSIRTs © 2020 Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution.
What Has Worked Well?
Some recommendations
• Be proactive, create a plan.
• Assign an incident team lead.
• Create a special team with prioritized assignments.
• Prioritize what needs to happen and in what order.
• Create instructions and approved “talking points”.
• Increase coverage of hotline or help desk phone(s).
• Provide resources for callers and reporting sites.
• Provide initial resources for media.
• Keep your staff updated.
• Perform a postmortem meeting after the event.
**010 What has worked well? Create a standard major event incident plan and procedures that can be followed when such activity occurs. Identify a prioritization plan of what should be done first. Identify standard information guidelines and recovery strategies that can be released for certain types of activity while analysis of the ongoing incident is occurring. Create templates that can be used for advisories, frequently asked questions, and technical documents. Identify processes for obtaining and assigning backup staff. Train the backup staff ahead of time. Create a manual of instructions to be followed during periods when handling high-priority incidents. Make advance arrangements for secure communication mechanisms with third parties such as law enforcement, other CSIRTs, vendors and constituents.
Create a special team with prioritized assignments. Identify and assign a lead for the priority incident. Stagger staff hours for increased coverage. Focus technical staff on analysis and information gathering rather than answering individual calls. Create instructions for the CSIRT staff. Describe the current status and any reporting procedures. Identify analysis and response questions that need to be answered. Create special tools or procedures for the staff specific to the ongoing activity. Increase coverage of the hotline or helpdesk phone.
Provide initial resources for callers and reporters. Create a recorded message that can be updated. Place current knowledge or status on the web page and update this as more information becomes available. Create an FAQ for incoming questions. Send it to callers and reporting sites and put it on the website. Provide initial resources for the media. Create talking points for staff when speaking with the media. Hold a press conference or issue a press release. What types of logistics are necessary to do this?

Keep your staff and management updated. It is critical to keep all of your staff members updated regarding the status of the ongoing event.
Examples
• Hotline talking points (instructions)
• Mass mailing letter
**011 Here are some examples of things that have worked well in the past. Provide written talking points or a script to anyone likely to answer calls. Emphasize the need to record the caller's contact information. Is this someone special that's on a particular list? If so, find the right person to talk to them. Give the script or talking points to the analysts working the incident so they can provide updates as new information becomes available.

A mass mailing letter is a good idea to have prepared. Draft a letter to send out to any appropriate email list the CSIRT has. There may not be time to draft one from scratch when the incident escalates and one needs to go out quickly. You can update the one you've prepared and send it as appropriate. If you update the one that you sent previously, clearly note what has changed and when.
Disseminate Information
Plan for multiple distribution mechanisms.
**012 During a major event you will want to get information out as fast as possible. You need to plan ahead regarding who will need to know and how you will disseminate the information. Have mailing lists and PGP keys already set up. Have templates for initial advisories and web notifications ready. Think about setting up a special media hotline and perhaps a recorded message for your CSIRT to provide people with updates or changes during the event. Publishing statistics regarding the number of reports and trends on your web page is a good idea, along with initial incident information and mitigation strategies. Methods for distributing information besides recorded messages and web pages include mailing lists, press releases or conferences, special presentations such as video broadcasts, and social media.
Coordination Lead
If leading the coordination of a major event response, ensure that
• everyone is on the same page and has current information
• leadership is aware of
  • what’s happening
  • the seriousness of the threat
  • the current status
• all needed information and evidence is collected and analyzed
• others who might be affected are notified
When playing a coordination role, ensure
• an accurate timeline is constructed and recorded
• actions taken and recommendations given are documented
• everyone knows their role and actions to take
**013 If you are the coordination lead of a major event, here are some suggestions. Make sure everyone is informed about the current situation. Update them as new information becomes available, but reach a balance between providing updates and giving them uninterrupted time to work. Make leadership aware of the situation, its seriousness and the current status. Make sure that information regarding the incident is collected and analyzed. Notify and update those who need to know.

Proper coordination requires an accurate timeline, documentation of the actions taken and recommendations given, and confirmation that everyone knows his or her role and the necessary actions to take.
Be Ready for Media Inquiries
• Anticipate media interest and plan accordingly.
• Prepare standard responses or FAQs to address queries.
**014 Just when you're hitting your stride handling the incident, the media gets wind of it and starts asking questions. From the beginning you should anticipate that they'll do that and plan accordingly. Having standard responses and frequently asked questions available will ease the pain a little bit.
Examples of Media Questions
• How serious is the threat?
• How much damage can be done?
• Is it global in scope?
• How can you prevent it?
• Where do I go for help?
• What systems are vulnerable or affected?
• How many reports have been received?
• How much damage has been reported?
• How can you fix it?
• How does it compare to other attacks?
• What software versions or OS versions are vulnerable or affected?
• How to report activity or vulnerable systems?
• What’s the estimated cost of the activity?
• How does it work?
• How fast is it spreading or how widespread is the activity?
• Can the attacker be traced?
• Where was it first reported from?
• Who is affected?
• What resources are available?
**015 In the past, CERT/CC has held press conferences at the SEI. The CERT Development Team staff attended some of them to observe what happened. The press reporters' questions were recorded and later distilled into the generic questions shown here. If you ever do a media presentation, think about what questions the media might ask and try to prepare answers ahead of time. These questions will give you an idea of what types of answers to prepare.

Note that these questions are a useful resource, not just for media inquiries but for typical questions that many people, including managers, sponsors, constituents and users, may ask about an incident or major event.
Crisis Communication Plan
• Breaches of customer data, PII, and PHI follow a 24/7/365 news cycle; the news doesn’t wait for you to be prepared.
• Perform a desktop review of your crisis communication plan… who speaks when and under what circumstances?
• Establish arrangements with third-party security experts and PR firms in advance.
• Should you find yourself post breach, ensure you accentuate the positives of resolving the crisis… what was done, in what timeframe, and how did it benefit employees and customers?
**016 A crisis communication plan might be part of a larger communication plan, or it may be a separate stand-alone document. The plan should provide special guidance for what to do when a crisis or major event is declared, as it will typically require more coordinated effort among a greater number of roles. The 24-by-7 news cycle won't wait for you to develop a plan if you have a data breach involving any sort of personal data. The more you can prepare in advance, the better.

Review your plan. Who are your spokespersons and when do they take the stage, so to speak? When they do, make sure they know what to say. Make the plan part of an exercise to give everyone some practice.