Get that ‘We’ve been hacked!’ press release ready NOW
June 16, 2022
The ransomware hits. The corporate sky is falling. All hell breaks loose.
One day later, the board of directors holds an emergency meeting. Let’s be clear: we can’t really tell customers about this before we do the public disclosure, they say. If we do, we could be wrongfully passing along what might well be material, inside information about our company. And then too, we have contracts with big customers that dictate what and when we tell them. Oh, and by the way, one of our clients is the Department of Defense, and that one has much stricter requirements — no, I can’t remember what those reqs are; I’ll check tomorrow.
Sound familiar? It should. These are the kind of discussions your company is going to hold, sooner or later, be it in tabletop incident response walkthroughs or in real life (if your company hasn’t been through it already, that is). At a ransomware walkthrough put on last week at RSA 2022, presenters staged three board of directors’ meetings: one representing what goes down a day after ransomware hits, one two days after and the third a week later.
Bringing the “what do we do now?” fingernail-chomping and those “woops, I guess we should have done that differently” moments to life were Glenn Gerstell, senior advisor for the Center for Strategic & International Studies and moderator of the panel; Preston Golson, director of critical-issues advising firm the Brunswick Group; Robert Huber, chief security officer at Tenable Inc.; and Suzanne Spaulding, senior adviser for homeland security and director of the Defending Democratic Institutions project at the Center for Strategic and International Studies (CSIS), as well as a member of the Cyberspace Solarium Commission.
How prepared was that poor, stricken, fictional company — let’s call it CYA Widgets — for the ransomware strike? Had they done tabletop exercises? Were they proactive enough to have prepared a press release for this type of scenario (as all organizations should, of course, given the high likelihood that we’re all going to get hit sooner or later)?
As the Cybersecurity & Infrastructure Security Agency (CISA) put it in its Shields Up response to Russia’s invasion of Ukraine and related cyberattacks, “Every organization — large and small — must be prepared to respond to disruptive cyber incidents.”
Let’s join the meeting of CYA Widgets’ board of directors to find out how prepared they were for their ransomware hit, how they responded and what factors they had to take into account in their responses.
Maybe we can pick up some tips for what to do when our own skies fall?
Ransomware hit, 1 day later: The timer starts
One thing that moderator Gerstell wanted to make crystal clear: “We can't really tell customers about the full nature of this before we do the public disclosure, because then we're going to be wrongfully passing along what might well be material inside information about our company.”
Customers have to wait to get a heads-up: First comes the notification to the Securities and Exchange Commission (SEC). Your company’s board should already be familiar with the risk factors portion of its annual SEC reports: Form 10-K describes vulnerability to malicious cyber activity and how it might affect your company. Your company should already have set out policies and procedures as part of its description of board oversight.
At this early stage, your company might not have total certainty about just what the consequences of this ransomware attack might be, but Gerstell errs on the side of considering an issue like this to be material. As it is, your directors, officers and other corporate insiders can’t trade a public company’s securities while in possession of material nonpublic information, and that could well include a cybersecurity incident like the one you’re dealing with now. It might not even be prudent to trade right after the issue is made public, Gerstell said. Appearances matter, so “We need to be real careful.”
Bottom line: File an SEC disclosure as soon as possible, even if you don't have all the facts and are still investigating.
“I think we should notify the FBI,” Gerstell suggested. “Tell them we're going to do a public disclosure. We don't want to be in a position where we're sitting on the news, with some shareholder complaining to us.”
Takeaway: Victimized companies have to strike a delicate balance between
- Adhering to contracts with customers that stipulate they be informed, in a timely way, of issues that might interfere with your company’s ability to perform the contract, and filing with the SEC, and
- Disclosure that risks passing along material inside information.
Complication: Contracts differ. CYA Widgets, for example, has a contract with the Department of Defense that has much stricter requirements than the company’s other customers. He’ll have to double-check just what those requirements are, Gerstell mused, now that he thinks about it. “Again, we need to be careful in what we disclose to customers, before we've made this broader public disclosure,” he noted.
“I happen to be the lucky stucky who reviews most of the security addendums for likely contracts, and it will certainly require us to notify them, once we confirm there's been a breach, within 48 hours,” said Huber. “We do have to inform large enterprise contracts. …
“And that timer just started.”
Rev your PR engines!
Golson, playing the head of communications for the unfortunate CYA Widgets, agreed that one of the first things a targeted company has to do is to develop key messaging to stakeholders. It’s not just about responsible disclosure, but also about limiting misconceptions about the company’s operations, he said. “Saying that we’re working with law enforcement shows that we’re being a responsible party — and also implicitly reminds people that we are the victims of crime,” Golson said.
Come up with a core set of key messages, he advised — kind of like the Rosetta Stone of messaging, to serve as a base for all stakeholder communications, whether that be to customers, employees, regulators or as reaction to the media.
What’s in your messaging toolkit?
Keep the messages as transparent as possible, Golson recommended.
Don’t get too far in front of an investigation: You want to provide a general explanation of who/what/when/where happened, but don’t apply timelines that get ahead of the details.
“We don't want to say things we have to take back later,” he cautioned, or “that will bring down the trust.”
Lay out timelines of what to say when, to make sure that information disclosures are sequenced appropriately as opposed to prematurely, which can entail legal jeopardy.
Other best messaging practices:
- If the issue leaks, you want to buy time. How will you go to the media if it happens before you’ve laid out the right things to say?
- Prepare a full Q&A document that addresses the most likely questions your company will receive, with defensible, accurate answers that have been approved by Legal.
- Take into account the fact that employees will find out about the issue through the rumor mill. Recognize and address their anxiety.
- Assume that anything given to employees will become public.
- Customers are critically important. You’ll probably want to begin informing your company’s biggest customers first, as well as your customers’ chief information security officers (CISOs), whose phones will be ringing off the hook.
- Prepare talking points for investors, acknowledging that it’s common for security issue news to foment misconceptions about the incident leading to shortages or other disruptions in operations. Be ready to provide them with accurate information.
- Got a tiny communications staff? Plump it up. Consider bringing in an outside communications adviser team.
“Well, you know, all of this sounded very reasonable when we were developing the playbook,” Spaulding commented. “And even when we did the exercise. Now, it seems overwhelming. We've got a week's worth of work to do.”
Yes, at least.
But wait, before we adjourn: Did CYA Widgets end up being extorted by the attackers?
CYA now has three days to respond.
2 days later: It’s backup time
A lot has happened.
CYA hired an extortion services firm. It wasn’t part of the original plan, but one of the company’s cybersecurity vendors recommended the firm, and Huber checked it out with some other CSOs, so it’s all good.
“You know, over the past few years, some really good specialized firms have arisen that focus just on this problem,” Gerstell said. These firms have experience in negotiating with ransomware gangs and know how to communicate with them on the dark web — something that CYA, and likely most companies, don't know how to do.
“We don't even have to get involved,” Gerstell informed the board. Plus, in any negotiation, it’s good to have an agent in the middle who can buy you more time, he said. “It sort of gets us one step removed directly from dealing with these criminal people. … [and] my sense is we have a little bit of breathing room.”
The CSO’s take: The security operations center (SOC) is making good progress, but the attack still isn’t completely contained from a lateral-movement perspective. More critically, CYA’s plant operations are functioning, but the logistics system is offline.
“What does that mean for us as an organization?” Huber asked. “No shipments go out the door. We do have offline tape backups, but we need to engage with the logistics vendor to rebuild the system. It's a legacy, unsupported system, so we can't do that ourselves. … we're recommending [that we move to] shut down plant operations, for safety reasons. Ensure that we have no issues within the plant itself, even though we don't believe it's a fact at this point.”
The elephant in the room: the challenge of restoring from backups. It won’t be easy. “We have a lot” to restore, Huber said, as so many companies do.
Do a mock interview
It’s time to update the key messages and Q&A, Golson said, to reflect the latest state of play. The comms team will sit down with the CSO for 15-20 minutes to run through a mock interview, with outside advisors, to make sure that he’s ready and prepared to answer any questions he might receive from CISOs.
As far as the media goes, the incident is no longer a secret. “Thankfully, for customers, we've turned our key messages into talking points and … messages for the customer, and … backing that up with talking points for customers that our relationship managers can use when they talk to them about what's going on,” Golson updated the board.
“What we told them is that as soon as the incident was discovered, we moved quickly to take steps to mitigate,” Golson continued. “We've enlisted a top outside forensics firm to help us investigate the matter. We've told them that the security of our systems is of paramount importance. … We build that trust. And we also committed to let them know if they've been affected down the road. We'll contact them until it's kind of like no one's happy about that, per se, but there they are. They appreciate that we're talking.”
Meanwhile, the hackers have started to leak the information to drive up the pressure, the filing with the SEC has been done, it’s time to unleash the press release, and the media has questions. How do you respond?
However works best for you, Golson said.
“We don't feel obligated to answer every question that they give us,” he suggested. “We shouldn't … feel obligated to explain all the gory details about … what occurred. It's not advisable to tell the world about security vulnerabilities. And those reporters don't expect us to do that anyways, because … committees don't do that. We shouldn't also discuss how the ransomware negotiations go, shouldn't say anything about a pay/no pay decision. … We'll address those questions that we want to answer.”
1 week later: Did you stiff the SEC?!
Get ready for some heavy lifting. “We need to find out where we are. And we're going to have to make some big decisions, particularly about whether to pay this ransom,” Spaulding said in opening the third board meeting.
Suzanne Spaulding, senior adviser for homeland security and director of the Defending Democratic Institutions project at the Center for Strategic and International Studies (CSIS), warns the board that the third meeting post-attack will be intense.
Recovery is going well: About 80 percent of workstations are back up. There’s been no more identified lateral movement. The shipping system will be back up in 72 hours, but Huber recommends keeping the plant shuttered, in an abundance of caution.
Meanwhile, CYA’s friends at the SEC weren’t too thrilled with the company’s “somewhat skinny” filing about the incident, Gerstell noted. “As you recall, what we put out the other day was just a simple statement saying that we're evaluating the extent of the incident,” he recounted. “And that was right, because we didn't have more details at the time, we didn't want to speculate, and we indicated some of the basics, [and] that was the right call. The alternative was saying nothing.”
Not surprisingly, the SEC staff at this point wants more information, Gerstell told the board. It’s time to think about filing supplemental material as news develops. “This illustrates that we just have to be prepared for a day-by-day evaluation; we have to be on top of developments here.”
You also have to figure out how to pay the ransom. And monitor the news to correct any inaccuracies.
And oh, by the way, the White House will be calling. It’s decided to make an urgent shipment of medical supplies related to the pandemic to countries in need, all across the world, and your company happens to be a primary supplier. Time to ramp up manufacturing — you’ve got a few days, tops.
Say, Bob, has manufacturing even been restarted?!
Think this article was long? That may well be, but this only skims the surface of CYA’s complicated, multi-part, pretend ransomware response and what your own business could potentially face.
TL;DR: Do you have a press release prepared?
The time to act was yesterday.
Call PR, call Legal and start typing, bucko!
Lisa Vaas, Senior Content Marketing Manager, Contrast Security
Lisa Vaas is a content machine, having spent years churning out reporting and analysis on information security and other flavors of technology. She’s now keeping the content engines revved to help keep secure code flowing at Contrast Security.