Specialty Podcast: Managing Cyber Crisis Communications

Intro (00:00):
You are listening to the Alliant Specialty Podcast, dedicated to insurance and risk management solutions and trends shaping the market today.

Brendan Hall (00:09):
Alright, welcome ladies and gentlemen to another Alliant Specialty podcast. I'm your hostess with the mostest, Brendan Hall from the Alliant Cyber team. I am joined today by Dan Wire from Mandiant, a Google company. Dan, welcome to the pod.

Dan Wire (00:24):
Yes, thank you for having me.

Brendan Hall (00:25):
So Dan leads the somewhat new crisis communications team at Mandiant, and he and I had the pleasure of meeting when we were in Denver a couple of months back, and I was just really intrigued by the fact that you started the practice, a homegrown enterprise rather than an acquisition. It's a part of the incident response process that people don't think about that much, right? They think, they're very focused on who's my breach coach. They're very focused on who am I going to use for incident response and who's going to negotiate a ransomware payment for me. So it's an often overlooked part. As an insurance broker we know and obviously clients know that it is covered by most cyber insurance policies, if not all policies, and it's a critical part of the process. One thing we've come to see in recent years especially is that there are a lot of players. It used to be, again, to an incident, it was the client had their problem, then it was outside council, then there was the incident responders. Now depending on who you engage, you can have five or six different parties on the phone, which can be very confusing for clients. They're asking, it's almost like people need to start wearing uniforms or having certain color codes to their Webex appearances, so that the clients can keep telling everybody apart. That’s just part of the complexity where incident response is gone. That just begins to scratch the surface. Obviously, the threat actors really upped their game, and they continue to do so with the use of generative AI and tons of other different methodologies here. But Dan, from your perspective, what changes in the threat landscape have impacted how victim companies communicate during an event?

Dan Wire (01:50):
Yes, that's a great place to start. And actually jumping off from your mention of the threat actors and how they're operating, at the end of the day, Mandiant looks at the world from a threat-oriented perspective, and that's where this practice was born from. If we think about how threat actors accomplish their mission, they're looking to exploit risk to an organization until it becomes tolerable, and then they get some reward from that process. If we think back 10 years, that was really focused on the technical side of the house. How can I infiltrate a company and disrupt some operations and create that intolerable risk scenario?

We've gotten better on the defensive side, on technical defenses. We have new tools, we are doing a better job making it harder and really making it more expensive for threat actors to execute that technical side of their operation. What we also have to consider is that there's business risk that they're looking to exploit. And that's what we've seen. From the lens of communication, that's been the big change for us because once a threat actor has gone in, let's look at a a ransom and extortion case. They've deployed ransomware that creates its own technical challenge, but they've also potentially exfiltrated data and they're looking to extort that data and accomplish their mission through what becomes fundamentally non-technical. How they go about that then expands into the public domain. And so from a communications perspective, and also very much from a legal perspective, we have a lot of organizations that aren't quite ready to address that type of risk to their organization because they haven't practiced it or they're not familiar with how a threat actor will use the public domain to execute their attack. Just to give some quick specifics, what does that mean? Certainly anything from a targeted email within an organization saying, I've exfiltrated your data. How do you manage that? To a dark web name and shame site to direct media engagement to actually going out and reaching out to stakeholders of that victim organization and saying, hey, I got your data from this organization and using the stakeholder to increase the risk in that scenario. So all of these become fundamentally non-technical, but they do require some business risk decisioning. You have to do that from the lens of both the cyber crisis response and also from a business risk decisioning. And that's where we come in and help organizations balance those two aspects of it.

Brendan Hall (04:09):
Got you. It begs the question, this is an interesting industry, cyber specific, how did you get into this space? Communications is certainly a business major, but I don't think crisis and certainly cyber crisis is not something that every kid grows up saying, I want to be a baseball player, but I want to be a cyber crisis comms person. So, how did you get into this?

Dan Wire (04:27):
Yes, my baseball dreams quickly evaporated after high school.

Brendan Hall (04:30):
Yes, after little league, me too.

Dan Wire (04:34):
I was lucky enough, and I actually joined the FireEye corporate communications team right as FireEye and Mandiant came together in an acquisition, which was really a merger of equals. That happened in 2014, and it was right as we were seeing the rise of ransomware and then shortly thereafter, extortion and then what evolved into multifactor extortion. So very naturally, because we had a pretty significant media relations team at that time, and we had relationships with reporters, those reporters were then turning to our clients saying, hey, we heard something happened at your organization. Our clients were in turn coming to our consultants and the FireEye media team and saying, hey, how do we manage these media inquiries? So it was really that initial stage where we saw threat actors using the media predominantly to create that business risk for their victim organizations. I've been looking at this problem and helping our clients since about that 2015 time period. In 2020, FireEye was attacked by the Russian government, what became known as the SolarWinds incident, in popular terms. It was a pretty significant industry event. I managed the communications for that event from a FireEye perspective and learned a lot of lessons having sat in the seat that our clients go through when they're going through a live incident. I think there was some key things, even at a company of incident responders, the entire organizational response from technical to business to communications to your third parties, all of your stakeholders, it's really hard. For those of us that do it on a regular basis, it's still a very challenging aspect. There is no cookie cutter approach, there is no best practice that will solve all your problems. You really need to be responsive and have a grounding in best practices but be flexible to each scenario and then how each event will unfold. A lot of lessons learned from that. Then eventually as we continued to see the threat actors using this public domain, it's not going away as part of their attack techniques. We formalized the group in 2022 because we recognized that there was an emerging threat or expanding threat from the threat actors in this communication side of things. And our clients were not prepared for that.

Brendan Hall (06:40):
Yes, I don't think anybody was. Certainly smaller or the SME side, but even enterprise I think folks were not ready for that.

Dan Wire (06:49):
I'll offer, I think a lot of organizations have an all-scenarios crisis response plan or they've gone through some subset of crises that they're figuring out how their organization would respond, and they might feel good about that all scenarios response. There's a couple things that trip up our clients during this process, and one of them is the pace of a forensics investigation is going to be weeks or months. You need to organize your communications and your business response to match that pace. That's not very common from a crisis scenario perspective. The other big thing is you have adversary with hands-on keyboard that's watching what their victim is doing and they're adjusting their strategy. They're looking if they're making statements, how can they undermine those statements again, trying to increase that risk, because they're trying to accomplish their mission, get paid, whatever that may be.

Brendan Hall (07:38):
Right, and so that's, to me, that's a pretty key difference. Because crisis management has been around for, I don't know how long, right?

Dan Wire (07:43):
For sure. Yes. As long as bad things have been happening, right?

Brendan Hall (07:46):
Yes, somebody's been there to try to help out. This cyber crisis management is definitely a different beast, requires a different approach and thoughtfulness. With that being said, what do you see as the most common mistakes amongst clients, whether they engage you and then they want to run over and disregard what you're saying or what are the biggest mistakes you see out there?

Dan Wire (08:05):
I think right off the bat, what we've historically seen and continue to see is an over rotation on the media and the role that the media played through these processes. Just because a reporter reaches out, does not dictate your communication strategy. And so, many organizations are knocked off their response, and all of a sudden they're trying to tailor some sort of communications to a media inquiry, which may not really be relevant to the event, and it certainly might not be relevant to their stakeholders. But reporters are smart and they're insightful and they know how cybersecurity attacks unfold, and they want that level of detail because that's ultimately what their audience wants. But their audience isn't necessarily our victim organization stakeholders. We need to stay focused on what are the risks to the stakeholders, and how do we mitigate those risks if possible with communications. And sometimes, there's essential information that we need to get out. Classic example is if your infrastructure's down internally, how are you communicating with your employees? What should they be doing? Because you don't want them turning to external channels, and you don't want confusion. For the most part, if you can get some measured communications out just to let people know what the status is, that'll help keep the temperature low. So people aren't freaking out, they're just waiting for more information, whatever that may be.

Brendan Hall (09:22):
Yes, it's a huge piece of it. We work with our clients all the time on incident response readiness. It tends to get buried, the comms part. People think, oh yes, well we have a comms department or if we get to that, we'll push it off. We're always pushing people today. If there's a panel for everything on your, make sure, I'll refer back to the advice that one of my mentors, Ed Stroz from Stroz Friedberg, he used to say all the time, you never want to pick your team on the day of the game. It’s not just the preach coach, it's not just your incident responder. You got to get somebody with the crisis communications, get your notification vendor set up ahead of time, because the last thing you want to be doing while your hair is on fire, is negotiating limitations of liability and other types of legal clauses while you have an active emergency happening. To all you folks out there who might be listening, get your ducks in a row ahead of time, and you'll thank yourself. When we talk to clients post incident all the time, and you say, what would you do differently having now been through this, and now you can do a full rear view mirror check, and they always refer back to more planning. This is from people who in some cases are very well prepared, right? They said, we would've planned more, we would've looked at this scenario, we would've done more tabletop exercises, or we would've fine-tuned our IR plan even more for whatever reason. It's critical that you have these providers lined up. So Dan, just last thing before we go here, what's the best way to get in touch with you and your team if folks need to get you in a pinch?

Dan Wire (10:41):
Anytime you need anything Mandiant related, you can always email into investigations@mandiant.com. That's a 24-by-seven line. It's monitored by our experts both on the communications, but also on the technical side. We can make sure to get to you as quickly as we can.

Brendan Hall (10:56):
I'm thrilled for you guys. I think what you're doing is really important work, which is why we really wanted to get you out here to highlight all the services you're providing. So thanks for your time and best of luck.

Dan Wire (11:05):
Thank you as well, and appreciate your partnership.