
Handling Major Events Part 2 of 2

Table of Contents

Notices
What Has Worked Well?
Examples
Disseminate Information
Coordination Lead
Be Ready for Media Inquiries
Examples of Media Questions
Crisis Communication Plan

Notices

Managing CSIRTs © 2020 Carnegie Mellon University

[DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution.

What Has Worked Well?


Some recommendations

• Be proactive, create a plan.

• Assign an incident team lead.

• Create a special team with prioritized assignments.

• Prioritize what needs to happen and in what order.

• Create instructions and approved “talking points”.

• Increase coverage of hotline or help desk phone(s).

• Provide resources for callers and reporting sites.

• Provide initial resources for media.

• Keep your staff updated.

• Perform a postmortem meeting after the event.

**010 What has worked well?

Create a standard major event incident plan and procedures that can be followed when such activity occurs. Identify a prioritization plan of what should be done first. Identify standard information guidelines and recovery strategies that can be released for certain types of activity while analysis of the ongoing incident is occurring. Create templates that can be used for advisories, frequently asked questions, and technical documents. Identify processes for obtaining and assigning backup staff. Train the backup staff ahead of time. Create a manual of instructions to be followed during periods when handling high priority incidents. Make advance arrangements for secure communication mechanisms with third parties such as law enforcement, other CSIRTs, vendors and constituents.

Create a special team with prioritized assignments. Identify and assign a lead for the priority incident. Stagger staff hours for increased coverage. Focus technical staff on analysis and information gathering rather than answering individual calls. Create instructions for the CSIRT staff. Describe the current status and any reporting procedures. Identify analysis and response questions that need to be answered. Create special tools or procedures for the staff specific to the ongoing activity. Increase coverage of the hotline or helpdesk phone.

Provide initial resources for callers and reporters. Create a recorded message that can be updated. Place current knowledge or status on the web page and update this as more information becomes available. Create an FAQ for incoming questions. Send it to callers and reporting sites and put it on the website. Provide initial resources for the media. Create talking points for staff when speaking with the media. Hold a press conference or issue a press release. What types of logistics are necessary to do this?

Keep your staff and management updated. It is critical to keep all of your staff members updated regarding the status of the ongoing event.

Examples


Hotline talking points (instructions)

Mass mailing letter

**011 Here are some examples of things that have worked well in the past. Provide written talking points or a script to anyone likely to answer calls. Emphasize the need to record the caller's contact information. Is this someone special who is on a particular list? If so, find the right person to talk to them. Give the script or talking points to the analysts working the incident so they can provide updates as new information becomes available.

A mass mailing letter is a good idea to have prepared. Draft a letter to send out to any appropriate email list the CSIRT has. There may not be time to draft one from scratch when the incident escalates and one needs to go out quickly. You can update the one you've prepared and send it as appropriate. If you update the one that you sent previously, clearly note what has changed and when.

Disseminate Information


Plan for multiple distribution mechanisms.

**012 During a major event you will want to get information out as fast as possible. You need to plan ahead regarding who will need to know and how you will disseminate the information. Have mailing lists and PGP keys already set up. Have templates for initial advisories and web notifications ready. Think about setting up a special media hotline and perhaps a recorded message for your CSIRT to provide people with updates or changes during the event.

Publishing statistics regarding the number of reports and trends on your web page is a good idea, along with initial incident information and mitigation strategies. Methods for distributing information besides recorded messages and web pages include mailing lists, press releases or conferences, special presentations such as video broadcasts, and social media.
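Two of the practices above, having advisory templates ready before the event and, when re-issuing something already sent, stating clearly what changed and when (the same point the mass mailing paragraph under slide 11 makes), can be turned into a small tool. The following is an added example written for this page; it is not CERT/SEI code and not part of the course. The Advisory class, the template layout, the field names and the "Example CSIRT" sample advisory are all assumptions made for illustration.

```python
"""Advisory template with a recorded revision history.

Added example, not CERT/SEI or course code. Assumes a CSIRT keeps one
Advisory object per major event, re-issues it as analysis proceeds, and
wants every re-issue to state what changed and when.
"""
from dataclasses import dataclass, field, fields
from datetime import datetime, timezone
from string import Template

# Outgoing text layout. Placeholder names are assumptions for this example.
ADVISORY_TEMPLATE = Template("""\
$team Advisory $advisory_id, revision $revision
Title:    $title
Issued:   $issued
Status:   $status
Affected: $affected

Summary
$summary

Mitigation
$mitigation

Revision history
$history
""")

# Fields whose changes recipients need to be told about.
TRACKED = ("title", "status", "affected", "summary", "mitigation")


@dataclass
class Advisory:
    advisory_id: str
    team: str
    title: str
    affected: str
    summary: str
    mitigation: str
    status: str = "under investigation"
    revision: int = 0
    issued: str = ""
    history: list = field(default_factory=list)

    def publish(self, when: datetime, note: str, **changes) -> list:
        """Apply field changes, bump the revision and append a history line.

        Only fields whose value actually differs are recorded as changed, so a
        re-issue that re-supplies an unchanged field does not claim a change.
        Returns the names of the fields that changed.
        """
        unknown = set(changes) - set(TRACKED)
        if unknown:
            raise ValueError(f"not a tracked field: {sorted(unknown)}")
        changed = [name for name, value in changes.items()
                   if getattr(self, name) != value]
        for name in changed:
            setattr(self, name, changes[name])
        self.revision += 1
        self.issued = when.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M UTC")
        detail = f" (changed: {', '.join(changed)})" if changed else ""
        self.history.append(f"rev {self.revision}, {self.issued}: {note}{detail}")
        return changed

    def render(self) -> str:
        """Fill the template; every copy sent carries the full revision history."""
        values = {f.name: getattr(self, f.name) for f in fields(self)}
        values["history"] = "\n".join(self.history)
        return ADVISORY_TEMPLATE.substitute(values)


def demo() -> Advisory:
    """Constructed sample: initial release, then a re-issue once a patch exists."""
    adv = Advisory(
        advisory_id="2020-001",  # constructed identifier, not a real advisory
        team="Example CSIRT",
        title="Mass exploitation of an Internet-facing service",
        affected="Externally reachable hosts running the service",
        summary="Reports of scanning and compromise are being received; "
                "analysis is ongoing.",
        mitigation="Restrict inbound access to the service at the perimeter.",
    )
    adv.publish(datetime(2020, 3, 2, 9, 0, tzinfo=timezone.utc), "Initial release")
    adv.publish(
        datetime(2020, 3, 2, 15, 30, tzinfo=timezone.utc),
        "Vendor patch available",
        status="patch available",
        mitigation="Apply the vendor patch; until then, restrict inbound access "
                   "at the perimeter.",
        # Re-supplied unchanged: must not appear in the 'changed' list.
        affected="Externally reachable hosts running the service",
    )
    return adv


if __name__ == "__main__":
    print(demo().render())
```

The revision history is regenerated from recorded state rather than typed by hand, so a re-issue cannot silently drop the note of what changed; the timestamp is normalised to UTC because recipients on other mailing lists and in other CSIRTs will compare it against their own logs.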

Coordination Lead


If leading the coordination of a major event response, ensure that

• everyone is on the same page and has current information
• leadership is aware of
  - what's happening
  - the seriousness of the threat
  - the current status
• all needed information and evidence is collected and analyzed
• others who might be affected are notified

When playing a coordination role, ensure

• an accurate timeline is constructed and recorded
• actions taken and recommendations given are documented
• everyone knows their role and actions to take

**013 If you are the coordination lead of a major event, here are some suggestions. Make sure everyone is informed about the current situation. Update them as new information becomes available, but reach a balance between providing updates and giving them uninterrupted time to work. Make leadership aware of the situation, its seriousness and the current status. Make sure that information regarding the incident is collected and analyzed. Notify and update those who need to know.

Proper coordination requires an accurate timeline, documentation of the actions taken and recommendations given, and confirmation that everyone knows his or her role and the necessary actions to take.

Be Ready for Media Inquiries


Anticipate media interest and plan accordingly.

Prepare standard responses or FAQs to address queries.

**014 Just when you're hitting your stride handling the incident, the media gets wind of it and starts asking questions. From the beginning you should anticipate that they'll do that and plan accordingly. Having standard responses and frequently asked questions available will ease the pain a little bit.

Examples of Media Questions


• How serious is the threat?
• How much damage can be done?
• Is it global in scope?
• How can you prevent it?
• Where do I go for help?
• What systems are vulnerable or affected?
• How many reports have been received?
• How much damage has been reported?
• How can you fix it?
• How does it compare to other attacks?
• What software versions or OS versions are vulnerable or affected?
• How do I report activity or vulnerable systems?
• What's the estimated cost of the activity?
• How does it work?
• How fast is it spreading, or how widespread is the activity?
• Can the attacker be traced?
• Where was it first reported from?
• Who is affected?
• What resources are available?

**015 In the past, CERT/CC has held press conferences at the SEI. The CERT Development Team staff attended some of them to observe what happened. The press reporters' questions were recorded and later distilled into the generic questions shown here. If you ever do a media presentation, think about what questions the media might ask and try to prepare answers ahead of time. These questions will give you an idea of what types of answers to prepare. Note that these questions are a useful resource, not just for media inquiries but for typical questions that many people, including managers, sponsors, constituents and users, may ask about an incident or major event.


Crisis Communication Plan


Breaches of customer data, PII, and PHI follow a 24/7/365 news cycle; the news doesn't wait for you to be prepared.

Perform a desktop review of your crisis communication plan… who speaks when and under what circumstances?

Establish arrangements with third-party security experts and PR firms in advance.

Should you find yourself post breach, ensure you accentuate the positives of resolving the crisis… what was done, in what timeframe, and how did it benefit employees and customers?

**016 A crisis communication plan might be part of a larger communication plan, or it may be a separate stand-alone document. The plan should provide special guidance for what to do when a crisis or major event is declared, as it will typically require more coordinated effort among a greater number of roles. The 24-by-7 news cycle won't wait for you to develop a plan if you have a data breach involving any sort of personal data. The more you can prepare in advance, the better.

Review your plan. Who are your spokespersons and when do they take the stage, so to speak? When they do, make sure they know what to say. Make the plan part of an exercise to give everyone some practice.
