Part one of our three-part series on victim notifications introduced the concept of victim notifications and the basics of preparing for a notification. The second post of the series provided details on how companies can prepare for, validate, and respond to victim notifications. This post concludes the three-part series with a brief discussion around issues that organizations that provide victim notifications face and recommendations for how they can provide notifications in a practical and effective manner.
With increased awareness of intrusion activity, any number of organizations may be in a position to provide notice of compromise. These notifying organizations include but are not limited to: law enforcement, ISPs, security researchers, or business partners. Mandiant has provided victim notifications since 2009 and continuously works to refine the reporting and notification process.
Identifying a Point of Contact
One of the most difficult challenges to overcome in delivering a victim notification is identifying the correct office or individual to contact. Identifying the right point of contact goes a long way in ensuring the proper handling of sensitive information. Public information sources such as search engines, social networks and corporate websites are good sources, but often times do not easily reveal the best point of contact. Calling the organization's main office or security division is often the quickest and most efficient way to locate the correct point of contact. Further down in this post, we take a brief look at operational security concerns when delivering the notification.
The goal in providing a notification is to inform an organization of compromise. Well-crafted notifications contain details the victim organization can use to confirm the breach and develop a course of action.
Examples of details to include in a notification:
- Accurate dates and times (GMT) of attacker activity
- IP addresses and / or hostnames of compromised systems
- Stolen or compromised credentials used by the attackers
- Directory or keyword searches performed by the attackers
- Lists of files or other data accessed or stolen by the attackers
- Other attacker command and control activity
Avoid including vague details in the notification. Vague details and unsupported assertions may cause the recipient to lose interest or question its relevance. For example, informing an organization that one of their IP addresses communicated with a hostile domain requires supporting details. Otherwise, the victim may simply assume they have "a virus" and dismiss the notification. Provide specific details such as filenames of stolen data or the usernames and passwords stolen and used by attackers to conduct malicious activity. Hard-hitting details help the organization understand the magnitude of the compromise and create a sense of urgency to take action.
Remember, the organization needs information to validate the breach and estimate the severity of the compromise. Provide as much detail as possible to aid them in their efforts.
Message Delivery and Security
Delivering a notice of compromise is a highly sensitive and challenging process. These notifications may cause a great deal of uncertainty within the organization. Rightfully, the recipient's first reaction includes skepticism of the information, the messenger, and the motivation of the messenger. When delivering the message, draw attention to the details and strive to help the victim understand the problem and potential countermeasures.
In most cases, an initial phone call or other out-of-band communication is the safest way to deliver the initial notification. Email should be the last resort for preliminary communication. In my experience, contacts initially reached by phone are more likely to accept the notification.
After the organization validates the information, offer to participate in a follow-up meeting. During the follow-up meeting, be prepared and willing to answer questions about the source of the information and provide insight into the attacker's motives, tactics, techniques and procedures.
Organizations may request copies of the notification in electronic form, particularly in cases involving data loss. In such cases, it is crucial to ensure notifications remain protected from the prying eyes of the attacker. Requiring secure communication conveys the severity of the issue and the importance of operational security.
Awareness of advanced attacks has increased and more organizations are actively informing others of compromise. Keep in mind that an organization may receive notification from multiple sources. Invest the time and effort to create an informative notice, notify responsibly, and be open to working with the victim as they investigate and remediate their compromise.
Carlos and I hope this series has been helpful to you.
If you'd like to contact us regarding a complex or sensitive notification, email firstname.lastname@example.org.