You get a fact…and you get a fact…and you get a fact! It sounds like a meme until you realize that's how most people treat their conceptions of what happened after a major cyber incident investigation. If you asked ten people, even in the infosec community, what happened during the Colonial Pipeline hack, you'd get ten answers that differ substantially on the fundamental facts of Who, What, Where, When, Why, and How.

In December of 2021, Harvard's Belfer Center released a report based on a workshop involving over 100 international experts. Our project investigated how the aviation industry draws lessons learned from aviation incidents and how such a process could be applied to cyber incident investigations. Based on this, we have created the Major Cyber Incident Investigations Playbook. This new document, pending publication at Harvard and being released here at Black Hat, is a playbook to make major cyber incident investigations more actionable by setting up an independent review board for major cyber incidents. This can be how we build a shared historical narrative.

We have condensed the deliberations over trade-offs included in the playbook into eight fundamental questions on how to conduct a major cyber investigation and, most importantly, how to communicate the indisputable facts of an incident, as opposed to the opinions on the incident. We include a Crisis Sheet and Facts Sheet to help anyone who is handed this playbook for the first time *after* an incident has already occurred. The analysis included in any review board's report should not only provide lessons learned and recommendations but should also lay to rest disputes over the fundamental facts, such as where the attack occurred, the names of the technologies or vulnerabilities exploited, the people harmed, and the approximate cost of the incident and cleanup.