5 hours 19 minutes
less than 5.4 out of man communications and strategic communications.
In this lesson, we will understand communication requirements during an incident and the potential need for alternative communications.
Will identify ways to reach effective users and customers during a cyber incident and will discuss how to develop a media relations checklist and how toe work with public relations staff during a cyber incident. So let's talk about alternative communications first.
Think about what you would do if in fact your network was compromised and you were trying to coordinate cyber incident response activities on the compromise network.
It's probably not a good idea to do that. You don't want to tip your hat to the Attackers and let them know you're strategies and that you're onto them and where you've seen them at, so think about what you might do to communicate. If that were the case, do you have the ability to send encrypted email with Piquet? I, for example,
that you can be reasonably sure
is not being compromised, but what other forms of communication do you have that could be off network could be a simple Aziz. You're going to switch to text messages or you are going to use a different SAS application that's not part of your network and uses different credentials, and
no one would really know it even exists.
Maybe something like Microsoft teams or slack or wicker or signal some app like that. They have to be careful with those from a cybersecurity perspective as well. Make sure they're approved for you to use those. But my point in this slide is really to get you to think about
what would you dio in that situation? And how would you make sure that your communications with your team
is secure and you're not giving all of your plays away to the adversary
Now, in strategic communications, there are some incidents that may dictate you don't notify users at all. And there's other incidents where it's perfectly OK to let people know what's going on.
If it's one of those incidents where you don't want to tell anybody, maybe it's an insider threat. Maybe it's a crime. Maybe there's something going on that it's just not appropriate to tell somebody or tell everybody.
Then you have to make sure that everyone knows that and you're all on the same page.
But for those incidents where you do need to get the word out that systems are going to be going down or access to things may be limited because you're actively doing some sort of a cyber incident response.
Here's a couple ways you might get the note the word out. Now again. Remember my previous discussion about what should you be putting out there? And can the adversaries read it? So use these depending on the situation and mileage may vary.
The home page of an intranet site might be appropriate if it's maybe a single application that's out, or you have no reason to believe the adversaries air nearly as advanced as I was talking about before.
Perhaps your service desk greeting. If you have an automated voice system that you can change to say all systems air up or we're currently experiencing an outage, maybe something like that you could send an email to your employee base. You could post messages and common areas. I've worked in a place where a lot of people don't even have an email account because there
construction workers and maintenance people that just don't need a computer or have access to one
so the only way they get their information is through cell phones or seeing something posted on the wall.
Ah, phone tree might be another way where you follow your organization's chain of command and you notify the managers who then notify their supervisors, who then notify their staff telling people in person, depending on how big the organization is, might be an option. Mass calls or texts mess texts to people.
There's a lot of applications out there that have gained popularity with
unfortunate events like active shooters and other emergencies, where companies have now purchased mass notifications where they can blast out
information to cell phones that are on record. Maybe you could use that for a cyber incident as well
and, of course, just single text messages, if that's necessary. And if that's maybe all that you have available to you
now, this slide should be a review for you. These are the questions that executives asked during a cyber incident, and I just wanted to remind you of these again and be prepared, and hopefully, now that we've gone through so much of this course together,
some of these might be a little bit easier for you to see in your mind's eye how you would even get this information and how you would give it to the executives.
So again, we'll now what do we dio might be a question you get. What should we disclose and what are we required to disclose? We've talked all about regulations and things that might trigger the declaration of an incident. So be thinking of those things. When they ask you this question, How much is this going to cost us? Is another one.
What did the Attackers take?
How did they get into our network? What will it take to get I t back to full operational capabilities?
What else don't we know about? So give us those unknown unknowns from an executive perspective that we don't even know to ask.
How could we have prevented this? And how do we make sure this never happens again?
How could we have been better prepared for this?
And who were the Attackers and what was their motivation?
So remember, from our first time we looked at this slide, you won't know all these answers up front. Remember, one thing I recommend it is having these
a slide dedicated to every one of these questions is back up material. So as you are able to answer them, you fill out the slide. And then, as you brief executives, you give them a little bit mawr as you have it. But you should be running yourself through these. If you're the one briefing the executives or your the
certain manager or the sock manager or the Sissoko or the C I o. Have these questions ready to go as much as you can
now have a plan to deal with the media, it's sometimes possible the media may know about a breach before you do, because they saw it publicly posted somewhere. Could be that somebody inside the organization has tipped off the media that there is a story to be had because of a breach
you never really know. Sometimes you contact the media because you need to get the information out there.
when you talk to the media, you can expect a number of questions, and it will really determine our depend on how savvy the media person is as to the complexity of the questions they might ask you. So some of the questions that they may ask you and you should be prepared to answer is
Well, when was this attack discovered?
Who was responsible for this? Did this happen because you have poor security practices? So these were some of the tough ones too. You might get. How did the attack occur? How widespread is this incident?
What is the impact to your customers,
what data was taken and who is responding to this incident?
So again, I have some of these in your mind how you would answer them. And you know what? The appropriate response. Maybe
now make sure to prep any media relations person with what's appropriate to talk about and what's not appropriate to talk about.
So if the media calls and they know about the story and they're asking for an interview, it's generally not going to be you. Are I talking to them because we're knee deep and responding to the incident were very much involved behind the scenes giving information and that sort of thing. However, generally in a company, there is a public relations person
where somebody that will be responsible for this or you may even contract that out to a PR firm,
but you do want to make sure to say, Okay, here's the things that we are comfortable in talking about and your legal and HR and executives were going to of course, have to vet all of that. But they're going to be getting much of this from you. And then you could also say, Here's some things I think we should stay away from because either
one, we're just not sure the answer to It's not appropriate to say right now,
three law enforcement is involved and they told us not to talk about it. So and four, we don't want to damage our reputation unnecessarily because, frankly, we just don't know what was taken or what what they got into yet.
So be ready to discuss what is okay to say in what's not okay to say
okay for this lesson, I got a quiz question for you here. Why should I? Our teams consider having an alternative way to communicate during a cyber incident. Response. A. It's fun to try different tools.
Be because any communication tool on the victim network may be compromised,
or C using multiple tools reduces complexity and makes IR teams more agile.
The correct answer is B because any communication tool on the victim network may be compromised again. You may not need to use this for the majority of the incidents, but it is something you should think about and have a plan for, just in case
in summary in this lesson, we talked about the communication requirements during an event on incident and the potential need for alternative communications. We talked about ways to reach affected users and customers during a cyber incident,
and we also talked about how to develop a media relations checklist and how to work with the public relations staff during a cyber incident.