Part 2 of 3: exclusive perspectives from Ryan McLaren and Shanna Daly following the 2024 AWSN IR Competition
Vaughan: So once the participants have meticulously cataloged their findings, the subsequent challenge lies in effectively communicating them to diverse stakeholders. Ryan, what observations did you make regarding participants' approaches to this crucial step? How well did they navigate this aspect?
Ryan: Indeed, I believe they handled it quite effectively. Conveying information about cyber incidents is inherently challenging. Striking a balance between providing necessary details and upholding operational security, without revealing too much to potential adversaries, is a delicate dance. Additionally, there's the intricate task of elucidating complex technical concepts to audiences who may not possess a technical background.
Navigating this terrain in the realm of cybersecurity is no small feat, yet this year's competition showcased commendable efforts by teams to craft compelling internal and external communications. It's noteworthy to acknowledge the diversity and depth of the communications, and it's possible that a few teams may have leveraged ChatGPT for assistance in drafting media statements. While there's nothing inherently wrong with that, it's encouraging to witness the variety and depth of communications, the manner in which teams compiled information, and how they articulated it.
The standout examples in communication this year centered on effectively summarizing the incident, outlining proactive steps or actions for individuals and the organization to safeguard against future harm. Communicating in the realm of cybersecurity poses challenges, especially considering the ever-evolving nature of incidents. Teams demonstrated adaptability by updating and crafting the most current briefs, acknowledging the dynamic environment they were operating in.
Certainly, this year emphasized the critical need for timely and clear communication, a lesson underscored by the insights gained from high-profile public incidents. So it was truly enriching to provide participants with this opportunity as part of the competition, and the quality of output from several teams was notably inspiring. I found it particularly gratifying. Indeed, as you mentioned, we've had no shortage of case studies this year, offering ample material for these analyses.
Vaughan: Another point you raised that often goes unnoticed is not just presenting the facts but also crafting relevant recommendations for stakeholders on what steps to take next. Shanna, drawing from your judging experience in the competition and contrasting it with real-world scenarios, any insights on stakeholder communications?
Shanna: Absolutely. Ryan did touch on the abundance of instances highlighting how not to communicate this year. Post-competition, when I inquired about exemplary crisis communications, especially seeking good standards in Australia, unfortunately, about 94% of the responses highlighted what not to do. It's apparent that there is a significant gap in effective communication standards, not just in Australia but likely globally. Witnessing these teams craft remarkable communications, coupled with positive judge feedback, is undeniably invaluable for incident response teams and aspiring professionals entering this field.
Vaughan: Hopefully, some of these individuals find themselves working in prominent organizations that encountered challenges in communication this year. Shanna, did you notice any indications in the responses regarding how participants considered legal and privacy issues?
Shanna: From my judging perspective, which was more focused on an earlier stage of the competition, this aspect wasn't prominently featured. It might be worth exploring with Ryan if he has additional insights on that front.
Ryan: Absolutely. So look, I think we all know the legal, regulatory environment is one that continues to change. That landscape is ever-evolving, particularly when examining the current governmental stance in Australia. The messaging regarding regulatory requirements and the forward steps we are taking has caught my attention. The trajectory in Australia seems to lean towards more regulation and heightened requirements for organizations dealing with incidents to promptly report, respond efficiently, and address them transparently in the public domain.
In this dynamic legal and regulatory space, we emphasized the need for participants in this year's competition to grasp and articulate the nuances. It was crucial to gauge their awareness of diverse legal and regulatory frameworks, including entities like the Privacy and Information Commissioner in Australia and others such as the ACSC and the Department of Home Affairs. The competition aimed at instigating consideration of privacy implications for individuals and how organizations handle reporting requirements to their third parties, suppliers, and customers.
It was heartening to witness participants deeply pondering these aspects, showcasing a broad and comprehensive approach while wearing different hats and considering varied perspectives. The context-dependency of legal and regulatory considerations was not lost, recognizing the diversity across organizations, industries, asset registers, and international regimes.
Vaughan: How about the disposition of the victim organization? Did any participants in the competition take that into account?
Ryan: Indeed, I was pleasantly surprised to observe several teams contemplating different regulatory frameworks, including sector-specific ones. In the intricate realm of cybersecurity, considering such frameworks is a practical necessity. It was truly uplifting to see teams conscientiously acknowledging and referencing frameworks like GDPR, illustrating an awareness that could be instrumental in shaping effective responses from a legal and regulatory standpoint.
Vaughan: Excellent insights. Given that the competition was entirely conducted virtually with participants spread across Australia and possibly beyond, how did they manage remote communication and collaboration? Did you observe effective teamwork in this virtual environment?
Ryan: Absolutely. To provide a bit of context, we had around 200 women participating in the competition, all based in Australia. During the registration process, participants answer questions about their skill set, leveraging a sort of sophisticated Excel-based algorithm, I presume. The questions encompass their communication prowess, legal and regulatory knowledge in cyber, and technical skills. Based on their self-assessed responses, we then assemble teams, aiming for a balanced mix of these diverse skills to create a level playing field.
It's worth noting that participants may find themselves in teams with individuals they've never met before, offering a great opportunity to connect with new people embarking on their cyber journey, eager to explore incident response and engage in the competition. The hope is that participants cultivate a valuable network, forge new friendships, and gain cyber allies to stay connected with in the future. The competition has a national scope, attracting participants from all corners of Australia, and being entirely virtual, we organize them into teams.
Each team is equipped with a Slack instance for seamless and secure communication amongst themselves and with us as the competition organizers. They also utilize our tool Gauntlet, disseminating information, requiring input, and assigning tasks. Additionally, they have access to tools like Cydarm for case management, aiding in central coordination, communication, and information storage.
Cydarm facilitates task assignments, role delineation, and ensures clarity on responsibilities within the team, contributing to maintaining a structured and organized approach—a crucial aspect of incident response. Shanna can probably elaborate on the importance of this organizational level when responding to incidents—ensuring meticulous record-keeping, not just for operational efficiency but also to comply with legal requirements. Utilizing these tools not only adds an element of fun but also proves invaluable for the effective functioning of the participant teams.
Without tools like Cydarm, team participation in the competition would be significantly more challenging. I can imagine notepads, confusing emails, and a general lack of centralized communication and management. In the realm of responding to cyber incidents, where chaos often reigns with various moving parts, having these virtual communication and coordination tools is undeniably essential.
Vaughan: Shanna, does this align with your experience regarding the challenges faced during real incidents?
Shanna: Absolutely. While I appreciate Excel and its spreadsheet capabilities, the chaos that ensues when multiple individuals make changes simultaneously, filter data, or alter rows can be disruptive for the entire team. Cydarm proves to be an invaluable tool. In recent conversations, especially focusing on communication within organizations, the significance of a centralized repository becomes evident.
It's not just about technical aspects but also about having a central hub for all information. As an incident coordinator, knowing what analysts are working on, understanding the technical details, and quickly identifying the right contacts among internal stakeholders or customers become crucial. Cydarm's role in consolidating this information in one place ensures that everyone gets the necessary information when needed.
Delays in external communication often stem from internal information hurdles. Legal involvement, while essential, can sometimes impede the flow of internal information. With tools like Cydarm's management sections offering different user roles, teams can access the required information without oversharing. These tools are invaluable for any incident response team.
In today's landscape, the expectation of physically working together in an office has long dissipated. I haven't collaborated with my team in person on an incident for nearly a decade; everything happens through various communication channels like Slack or Teams. The need for collaboration environments remains, and having a single platform for findings, information gathering, and intelligence collaboration accelerates the incident response process significantly.
Incident communications, akin to intelligence reporting, require timeliness and relevance for effectiveness. In a scenario where a 72-hour window is at play, layers of approvals can shorten that timeframe considerably. Organizing information in a centralized system prevents the frantic search through communication histories and ensures a smooth process, especially when regulatory obligations come into play.
Preparing for such scenarios should be part of an organization's playbook, considering legal and regulatory obligations. Understanding the required information at different points in the incident response timeline allows for a more streamlined process, avoiding last-minute chaos. The value of playbooks and foresight cannot be emphasized enough—preparation is key.
Vaughan: And speaking of preparation, Shanna, with your background in DFIR, what advice would you offer to those who've heard about the competition and are eager to participate next year or are considering a career in cyber and want to start honing these skills? What tool sets do you recommend they familiarize themselves with to contribute effectively?
Shanna: Retrospect Labs did a fantastic job by providing a virtual environment with essential tools. In my training courses and blogs, I consistently emphasize using open-source tools, ensuring accessibility to everyone, as not everyone can invest in pricey commercial options. Autopsy, part of the Sleuth Kit, stands out as an open-source forensics tool—ideal for exploring disk or memory images for information.
Tools by Eric Zimmerman are invaluable; they parse various Windows artifacts. Learning to collect Windows event logs and using a parser to view them in formats like CSV or Excel is crucial. Understanding that many artifacts obtained during an incident need specialized tools for parsing is fundamental. Autopsy, Eric Zimmerman's tools, and RegRipper, designed for dissecting Windows registry files, provide a strong foundation.
Starting with these three tools gives you a solid beginning to analyze computer activities during an incident. As you progress, you may explore additional tools tailored to specific needs, but these three serve as an excellent baseline for anyone looking to embark on this journey.
Continued in Part 3...