@TwitterSupport A Lesson In Incident Response Comms

If you are a user of the social media platform Twitter (it’s where the cool kids moved to when their parents joined Facebook, and what the younger kids avoid in favour of Tik Tok), you’ll have noticed there was a bit of a breachy weachy that went on.

There are plenty of stories speculating on the how, what, why, who and where of the story. I’m not investigating this and will wait for actual details to become available.

Of course though, whenever an organisation is breached, two things happen. First there is an outpouring of outrage as to how the victim organisation could be so stupid as to allow an attack to happen, which in quick succession is followed up with, “If only they’d bought my tool / hired my services / listened to my Defcon talk they wouldn’t have been in this mess.”

@TheGrugq, @QuinnyPig and @TinkerSec all made good points in relation to this.

In fact, it’s worth checking out the tweet thread that @QuinnyPig laid out on the topic; he makes some very valid observations throughout.

Twitter Support

Breaches can happen to anyone, and how you respond to it in the heat of the moment really showcases the organisation and its culture. In this respect, I think Twitter did a phenomenal job of acknowledging the issue and posting regular updates. This was from both Jack and the official TwitterSupport account.

I recommend checking out what TwitterSupport had to say. It’s worth dissecting the thread as a good example not only of how to communicate with your users, but also because you can, to a degree, unpick the order in which their incident response team was working.

Let’s start at the beginning:

Straight out of the gates, Twitter Support is acknowledging there’s an incident and that they’re working on it. There’s no mincing words, none of this “it’s a third party”. Straight up owning it.

The next update shows they’re trying to stem the tide of the problem. Again, it’s direct: it’s telling users they’re not going to be able to undertake certain actions while they’re figuring stuff out. It’s very clear and accessible language.

OK, we’re back in business. Looks like Twitter is getting a handle on the situation and they’re trying to restore functionality – but no promises. But seeing as things are settling down, now’s the time to share with the world what they know.

Bear in mind, these tweets are around 4 hours after the initial tweet where they said there’s an incident. It’s impressive how quickly their incident response team is able to pull together all the information about possible ways they were breached and what the bad actors have been doing. Again, they’re clear that they don’t have all the answers, but answers aren’t necessarily what people are after; they want transparency, and that’s what they’re getting.

This is an important recap for those joining late into the conversation and reiterates the steps they’ve been taking.

Anyone that’s ever worked an incident will appreciate that these are not easy decisions to make. But they’ve acknowledged it was a disruptive step and that they will return accounts only when they are certain they can do so securely. Measure twice, cut once.

I’ve seen naysayers and armchair critics yell on social media about how Twitter should have already had limited access to internal systems… but suffice to say, we don’t know what access is being limited and whether that can be limited on an ongoing basis to maintain operations. However, kudos again to Twitter for taking it on the chin, not hiding behind any excuses and trying to be transparent.

Am I a total Twitter fanboi who thinks they’ve done no wrong? Of course not, but that’s not the point. We all make mistakes, every organisation makes mistakes, we all run risks. I don’t think yelling at them will help, especially when they seem to be doing a great job of handling the incident.

I’ll leave the final word to QuinnyPig – Security is a trade-off. Make things secure enough and nobody will be able to use the damned thing.