Incident Response: Choose Right Words
Make Sure Message Meets Customer's Needs - Not the Attacker's
Denial of service attacks against large organizations shouldn't come as a surprise anymore, says attorney Ronald Raether, who says attack targets should be better prepared to communicate the incidents to the public.
Recent DDoS attacks against U.S. financial institutions by the hacktivist group Izz ad-Din al-Qassam highlight the need for all organizations to better prepare for these incidents and to develop appropriate communications plans when dealing with the media and their customers, says Raether, an attorney specializing in technology-related issues, including breach response.
"I think that these companies should have been prepared for this type of event," Raether says in an interview with Information Security Media Group's Tom Field [transcript below]. "In fact, since at least as early as April of this year, the number of denial-of-service attacks on financial institutions has been increasing by 300 percent."
These attacks bring with them significant media interest, Raether says, so organizations should use their relationships with the media as a vehicle to get their messages out to the public and to keep the story focused on the attackers rather than on the institution.
"From a company's perspective, it's much better that the story is about the hacktivists as opposed to about the financial institutions and the strengths or weaknesses of [their] security," Raether explains.
"Make sure that the story is communicated in a way that's beneficial to the financial institution," he says.
But organizations need to be sure not to provide the wrong message or to guarantee customers that their information is secure, Raether warns. "Denial-of-service attacks often are used as a smokescreen to hide something more nefarious," he says.
"When you have this type of security incident, I think the company needs to be prepared to deal with the hacktivists and media interest, but also to realize that there may be something bigger on the horizon - a breach - and be prepared to deal with that," he says.
In the interview, Raether also discusses:
- Institutions' responses to recent attacks;
- Anticipating hacktivist threats;
- How to engage the media.
Raether is a partner at Faruki Ireland & Cox in Dayton, Ohio. His experience with technology-related issues spans an array of legal areas, including patent; antitrust; licensing and contracts; employment; trademark; domain name disputes; and federal and state privacy statutes. He has been involved in cases addressing compliance with statutes that regulate the use and disclosure of personal information and laws that concern the adequacy of securing against unauthorized access to personal information. Raether has successfully defended companies in more than 25 class actions.
Assessing Institutions' Response
TOM FIELD: You, like all of us, have been sitting back and seeing this string of DDoS attacks against financial institutions. From what you see, how do you assess at least the institution's public evidence of incident response?
RONALD RAETHER: Responding to a security incident is much trickier than dealing with a data breach. In a data breach, the law defines what the company has to communicate to the public. With a security incident, the companies are really balancing the need to provide guidance and support to their customers and clients versus providing the bad guys information that can do more harm than what the initial attack could pose on the company, and a denial-of-service attack is a great example of that.
What happens is that given the flood of packets and information, they try to shut down the company's website. That alone does not create harm other than the inconvenience to the user of that website. They can't get on and see the balance in their checking account. It's frustrating, but it doesn't cause financial harm to the consumer. But oftentimes those denial-of-service attacks are used by the hacker to hide or cloud a more nefarious attack that they want to impose. Using that castle analogy that we've heard about and used in the past, I'm storming the front gate so I can draw your attention away from the back door. The companies are really in a bind: if they provide too much information about the incident, then they only help the hackers by educating them as to how well their attack is going on, and whether it's time for them to try that back-door approach, while on the other side, the consumer is frustrated because they can't get into their checking account.
Bank Response: Pros and Cons
FIELD: There hasn't been a ton of information that we've seen publicly, but from what you've heard and what you've read, what do you believe the banks have done well, and where have they maybe fallen short?
RAETHER: I think overall the banks have done a fairly good job. Mainly that's because this is a security incident; it's not a data breach. It's a little tricky to navigate how much you tell and in what way you do so. In looking at this from the outside, there has been a lot of media interest in this story, and I presume that the financial institutions have been using their public relations departments to provide the reporters that are publishing these stories with information on the back side. A lot of the themes that I would include in my communication are if the company is being victimized by this hacktivist, that this is related to something bigger and broader beyond my client, the financial institution. That story is being told I think fairly well in the traditional media, in print, in blogs online.
The center of the story has really been about the hacktivist and less about the deficiencies of the company. I think if I had one complaint, [it would be], for example, Wells Fargo on its Twitter page and Twitter responses, which just said that the systems were down and apologized for that. I think U.S. Bank did a slightly better job, and to some extent it may be because they were a later victim of these hacktivists, but they did provide what I think to be the essentials in terms of what was happening and why the system was down, but I think, more importantly, providing a work-around for its customers. "I know you're frustrated that you can't get online, but here's a 1-800 number where you can call and do your banking."
One thing that has been lacking in the media and I think in the responses is that there's no threat to individual personal financial information by a denial-of-service attack. I think that theme could have been played out more, generally saying, 'There's really no, at least right now, direct threat to you, and I'm sorry that you're inconvenienced, and here's another way to be able to get to your information.'
Anticipating Hacktivist Attacks
FIELD: We don't have a ton of experience here with hacktivist attacks, but from what you've seen, what you've experienced with your clients, what are some of the proper ways that organizations can anticipate and then respond to hacktivist incidents such as what we've seen?
RAETHER: I think that these companies should have been prepared for this type of event. I don't believe it was a surprise. In fact, since at least as early as April of this year, the number of denial-of-service attacks on financial institutions has been increasing by 300 percent. In other words, they reported that even prior to this recent hacktivist event they've been seeing denial-of-service attacks. So I think they should have been prepared for it. I do believe that when these types of security incidents occur and there's a media interest in the type of events - which there should be with hacktivists that create a media story that most people are interested in - the companies learn to use the relationships that they have with the media in order to use that vehicle as a way to get out their messages, as opposed to creating a message on their own, either on Facebook, Twitter or their web pages, that centers the story around the financial institutions. In other words, from a company's perspective, it's much better that the story is about the hacktivists as opposed to about the financial institutions and the strengths or weaknesses of its security.
How to Prepare
FIELD: We're talking about financial institutions today, but really it could be any kind of prominent organization that's victimized by a DDoS attack. For organizations that are concerned about such incidents, how should they be preparing to respond now?
RAETHER: As I mentioned before, they need to be certain that they have, either internally or externally, individuals that have media contacts, relationships that they can develop and use to make sure that the story is communicated in a way that's beneficial to the financial institution. I think also they need to be prepared for a bigger event. As I mentioned earlier, denial-of-service attacks often are used as a smokescreen to hide something more nefarious, the back door. Packing the gate is a denial-of-service attack, the front gate, so they can hide the activity of trying to get in the back door. When you have this type of security incident, I think the company needs to be prepared to deal with the hacktivists and media interest, but also to realize that there may be something bigger on the horizon, a breach, and be prepared to deal with that.
Getting the Word Out
FIELD: Organizations that have been attacked or may be attacked, what do the constituents most need to hear from them?
RAETHER: I think first and foremost they want to hear that their information is safe, and that's not unusual even in a breach incident. You want to let your customers and clients know that the trust of their data and you is not being compromised. As I mentioned earlier, in a denial-of-service attack, the actual data itself - if that's the only vector by which the bad guys are attacking you - then that personal information is not at risk, and so I think that needs to be communicated. There's always that need to be vigilant, and you don't want to over-promise because it may be hiding that back-door attack that may result in a larger breach, so you don't want to say or do anything that two or three months from now is used against you when there's a broader incident, but you want to let people know that you can be trusted in managing their data.
The other thing is we want to be able to have the convenience that the Internet provides to us, we being the consumer. I think you need to convey to the consumer timing in terms of when the web-enabled service is going to be available again, but also, as U.S. Bank did, provide an alternative means by which the consumer can get to their information, a 1-800 number, whatever that may be.
Biggest Incident Response Lesson
FIELD: Final question for you. If you were to boil it down, what would you say is the single biggest incident response lesson that we've learned so far from these incidents?
RAETHER: Again, I'm looking at this from the outside and what it seems to me is that the general media, press, blogs and stories on the Internet, I think those traditional outlets, whether intentionally or unintentionally, have been used in an effective way to convey most of what these financial institutions want to get out. The lesson is if you have those contacts, if there's an interest in this story via the media, use that outlet to communicate what the company wants to get out there on these particular issues.
You want to also make sure that you're dealing with these consumer concerns that we just talked about. Is my information safe? How do I get to the services that I'm being denied access to because of this bad guy's behavior? Recruit all of these different individuals into your communication plan. We're talking about recruiting the media and now we're talking about recruiting your customers into the process, both of effectively communicating your message, but also, more importantly, improving the overall security of your systems. "Customer, we've had this denial-of-service attack. If something else bad happens, please let us know immediately so that we can prevent any further manipulation of our systems."