Talk A-2: The Confidentiality Conflict
Accessible: Yes
Imagine yourself as an experienced incident responder aiding an organisation that has fallen victim to a cyber-attack. As you navigate through the various incident response phases—such as (1) the root cause analysis (RCA) to determine the initial attack vector, (2) the recovery phase to restore operations and resume the victim’s business as usual, and (3) communication with the threat actor who reveals the “patient zero”—you uncover valuable information. After additional research, the confidentiality conflict arises: the information proves highly relevant and has the potential to significantly benefit the broader cybersecurity community. However, sharing this information may compromise the privacy and/or confidentiality of the victim. It may also affect the security of the company you work for. What should/would you do?
The goal of this presentation is to discuss how to share information found in incident response engagements, and the reasoning behind why to share, with whom, and when. Examples of scenarios include:
- Discovering a new vulnerability. In an incident response engagement, you discover the threat actor is exploiting a zero-day vulnerability in a widely used application. How would you disclose this information? Would you contact the vendor of this application? Would you announce it in your closed network? Would you write a blog about this finding? Would you take measures to ensure the protection of your other customers?
- Blackmail after widely sharing information. In an incident response engagement, a new ransomware group is discovered. Interesting indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) are found, and communication with the threat actor reveals more information. You decide to publish a blog on your findings to share with the rest of the cyber security world. Hours later, the threat actor contacts you to delete the blog, or they will publish information harming your client and your company. Would you take the blog down? Or would you keep the blog online?
- Obtaining access to threat actor infrastructure. In an incident response engagement, the root cause analysis reveals that the threat actor exfiltrated data. While the threat actor tried to erase their activity, you were able to retrieve the credentials used to upload the data. Curious as you are, you decide to see if you can access the exfiltration server. To your surprise, you have access and see that there is information of various other victims on this machine. What do you do? Delete the data of your client? Share this information with law enforcement? Notify other victims? Try to see if you can get further access to the infrastructure of the threat actor? Write a cool blog on how you infiltrated a ransomware gang?
- Advising the leader of a country. As an incident responder, you canceled all your social activities to join your IR team on a massive case affecting various governmental bodies across various continents. Suddenly, while coordinating the incident response, you are invited to a call with one of the countries' presidents. What do you tell your friends who ask why you missed their birthday party? Do you tell them this cool story that you just advised a president? Would that reveal anything sensitive or jeopardize the effectiveness of the incident's containment, potentially resulting in an even larger crisis?
- Wearing your IR team’s branded clothing. Alternatively, you help a large, listed multinational recover from a cyber-attack while only a limited number of people know about the situation at hand. Do you wear your IR team's branded clothing while working on-site at the client? What if someone notices that an IR team is working for their organisation, potentially resulting in internal awareness and the spreading of (mis)information about the incident? What would it do to the stock price of your client if this information reaches news outlets?
You can often share more than you think. But there is a right time and a right way to do it. By the end of this presentation, we will present the various practices Northwave Cyber Security CERT has put into place. We will show the decision tree built from all the experiences and mistakes we have made. This decision tree ensures the Confidentiality Conflict is carefully considered before information is shared with any recipient. The goal of our presentation is to inform and inspire the wider community on effective information sharing practices in their respective fields.