[Chris Crowley is a cybersecurity instructor and industry analyst. This is Part 1 of his series of easy-to-use “best practice” documents – a veritable Swiss Army Knife of security operations assets on topics ranging from email writing to shift handoffs to training –  created to help SOC professionals save time on common housekeeping tasks. ]

You send messages frequently. Text, chat and email: all day, every day. Something so commonplace risks complacency and developing bad habits. Plus, many people won’t give a second thought to cranking out a quick message, but when it comes to writing something you know you have to write – and which will have a wide audience – your tendency may be to freeze up (and break out into a cold sweat).

That’s not ideal, especially when you’re a security operations professional, and your time is already stretched thin. Let’s explore a few best practices with respect to security operations communications that will make the process more seamless and effective, and feel less burdensome.

This communications verification template will mostly deal with email. But these suggestions also apply to chat and other short-form communications.

In cybersecurity, you often have to convey information about sensitive subjects in a timely and authoritative manner. The audience of your messages includes IT professionals who might understand the technical jargon, but often includes non-technical people who need to make a decision based on the shared information. Anticipate people with multiple backgrounds and perspectives will read your writing.

Read: How the Siempilfy Security Operations SOAR Platform can help coordinate a companywide crisis response

Clear and concise language is necessary to make sure recipients are informed about important information. Let’s look at the important components of good messaging. This post assumes you are composing a formal communication. A distilled version of these practices are beneficial in less formal writing, too.

Content

A written message is intended to convey something. In the case of the SOC, it’s usually about a potentially bad situation. The SOC might be requesting information or action from other departments, warning about threats in the world at large, or informing specific people about a known problem that needs to be addressed. Be clear and upfront what type of message you’re delivering.

In constructing the communication, write an outline first. If this is a less formal message, start by writing the bullet points of what you intend to write in the email body. Then verify the most important item is addressed first. You can change the order after you’ve started composing the message. But, the outline helps to prioritize and structure the information you’re attempting to convey before you start that more detailed effort. 

My 10 best tips for improving your writing skills, amassed over a couple decades of working with words:

[thread] pic.twitter.com/AVqlfVvURT

— Emily Triplett Lentz (@emilytlentz) January 13, 2021

Be brief and be brilliant. Express what you know. If there is uncertainty, that’s OK. Characterize how certain you are about information. If there’s uncertainty, state what you are doing to address the uncertainty if it can be addressed.

Let’s briefly consider an example in the template below. There was a phishing email sent into your environment, and a lot of employees received it. The following is a good example of characterizing the situation. (For the purpose of this example, assume this message is being sent to IT operations managers and business unit leads to inform them of the developing situation. This is not something sent to the whole company. Also notice the URL is expressed, but broken in a way an email client won’t reconstruct it.)

Example Email Template

Subject: [SOC: AWARENESS] Widespread successful phishing email

For your awareness, there has been a widely distributed phishing email with the subject line, “Great News about Extending Work From Home at MyCompany!” 

No action is needed at this time from you. You are being informed in the event that staff you manage forward this message. Please indicate they should immediately desist from any forwarding of this message, and should not enroll at the https[:][//] work-from-home- mycompany[.]com online form. This is a fraudulent, imposter website intended to steal account passwords. 

Please do not send any further broadcast of this information unless you receive a copy of the message. We are working quickly to remove the malicious messages from within all mailboxes.

The security team is taking action to identify all staff who signed up at this website. The security team is suspending accounts where passwords are suspected as stolen. We have approximately 5,000 more accounts to review (roughly half of the account total) and have so far suspended 350 accounts as a protection measure. This should take approximately three (3) more hours with planned completion by 21:00 GMT (5:00pm US Eastern time).

If staff are suddenly unable to access email or the company issued laptop, the person’s account may be suspended. The staff member should contact the corporate help desk for assistance. No direct notification will be provided to the affected individual.

We do not anticipate any follow-on notification for this situation to be sent. Again, please tell affected staff to contact the help desk to restore access to suspended accounts.

As is standard for security operations messaging, please reply-all if you respond to this message, and only reply if there is operational necessity for doing so. Detailed questions can be asked by calling the security team hotline: x.55555 or in the #security-open slack chat channel.

Security Team
Security Update: 2021-09-14 — 17:48 GMT

As a general practice, don’t send emails about phishing emails to the general user population. But this case is providing situational awareness to managers who would be accustomed to receiving security updates. It explains the situation, what to do and why there may be operational interruption of user accounts. We’ve used the convention of including a label inside square brackets. Using a label helps recipients to write filter rules and find things quickly when searching.

Action Items 

Place action requests at the very beginning. Why? Do you read every word of every email message? Sometimes a request for action is buried in paragraph three, and the recipient didn’t get that far. That’s a different problem of attention and being too busy. But realize that problem exists. In the body of the email, use the convention of, “TODO(Name of Person Assigned):Action to be performed.” No ambiguity there. This is important if you’re conducting operations like response and directing people to perform action. 

Attachments

Not including the attachment seems like an honest mistake. We’ve all probably made it at least once. But, making it suggests that you’re going too fast or not attending to the details. To avoid this transgression, stop at the end of the sentence when you reference an attachment, and add it right then. If you know you are going to add an attachment eventually, add it immediately. Ingrain a double check for the attachment before hitting send as a habit. 

The Blueprint of Modern Security Operations [Free E-Book Download]

Often, a formal notification includes a PDF document as an attachment. You might attach a document for someone to review or for comment. You might need to include supporting documentation to make your point, but it’s too long for the body of the message. There are a number of types of attachments you might end up sending: Consider if the recipient can open it. Minimize and economize, and if you’re writing a formal notification email, consolidate multiple attachments into a single one. You may also use links instead of attachments in messages. The same principle applies to links.

To: (and CC: and BCC:)

In email messaging, we have three options for addressing recipients. This may seem elementary, but believe me, it’s worth rehashing, especially for infosec incidents.

• To: are the people who need to do something or are being told something.
• CC: (carbon copy) is generally for those who need to be aware but aren’t being directly addressed. If you have a hierarchical organization, it is considered good form to “CC up” the organizational hierarchy for situational awareness in adverse security situations. 
• BCC: (blind carbon copy) is informing someone else but keeping the rest of the recipients of the message unaware the BCC addresses are receiving this message. BCC also means the person is excluded from the rest of the thread. 

Let’s start with BCC. The best way to use it is when you move someone to BCC to indicate the person is receiving the notification that they’re being removed from the email thread. State why the person is being removed. It’s courteous, professional and indicates the person isn’t needed for the conversation and that the person doesn’t need to informed about the details of the rest of the conversation.

Choosing between To: and CC: is more about courtesy and convention than informing people. In security operations, the standard practice is to “always reply all.”

The biggest takeaway when it comes to security operations communications is that exactly the right people are included in the messaging. That is, everyone who needs to be informed has been informed, and those who don’t “need to know” are excluded. This is consistent with the “always reply all.”

Style, Threads, and Appropriate Language

A well-written sentence is beautiful. A subject and verb are required to form a sentence in the English language. A predicate may also be included. Write in full sentences, unless you intentionally include a list of items. 

A paragraph is a collection of sentences on the same subject. If you’re sending a complicated email, break it into several paragraphs to make it more readable and digestible, and consider including a summary at the beginning of the message in the form of a list of section titles. 

Here are some great tips for writing coherent, impactful prose:

My 10 best tips for improving your writing skills, amassed over a couple decades of working with words:

[thread] pic.twitter.com/AVqlfVvURT

— lcamtuf (@lcamtuf) October 17, 2021

Checklist – C.A.A.T.S

Hey, if you’re having trouble remembering this, just remember cats… Well, CAATS, but you get the idea.

Content should be complete and appropriate. Know something? Articulate it as known and certain. Are there unknowns? That’s OK, there usually are. Explain what is being done to make the unknown known. Estimate the time it will take to finish your investigation to resolve the problem of the unknown. Provide a count of what territory has been covered and what remains. Do this as a count and percentage if applicable. For example, “We have assessed 720 out of 10,000 (about 1% of) workstations for the specific indicators of the attack. We continue to improve the speed of assessment, but we expect it will take another six hours until we’ve assessed all workstations.”

Action requested in your message? Repeat the request at the beginning and end. Don’t bury it in the middle.

Attach the attachment! (When you have a lot on your mind, it’s easier to forget than you think.)

To: Are all of the people who should be addressed by the email on the To: line (or included in the thread for chat)? For email, are the people who should be informed but don’t need to take action on the CC: line? If you need to use BCC: (I suggest avoiding it), have you blind copied the correct person, and indicated why they’re being removed in the body of the message?

Style counts! Write in grammatically correct sentences. Use paragraphs to organize topics. Use sections for long, complicated topics. Proofread the entire message, sentence by sentence, prior to sending it. If you’re prone to errors, read one sentence at a time, starting from the last sentence and working to the first sentence. This takes you out of the mindset of knowing what you meant to write, and puts you in the mindset of reading what you actually wrote.

So do you feel you’re ready to communicate like a published author? OK, you don’t have to be Hemingway, but if you follow the advice above, the process of writing will be much easier. For your convenience, the Siemplify team has distilled some of the key messages from this post in the below infographic. Feel free to print it out and keep it close by the next time you’re about to stage an important SecOps communication.

For even more help moving beyond the daily cyber grind and concentrating on what matters most – building resiliency and investigating and remediating real threats, fast – visit siemplify.co to download our free community edition and start SOAR’ing today.

The post How to Write Crisp and Clear Security Operations Communications Before You Hit Send [Template + Infographic] appeared first on Siemplify.

*** This is a Security Bloggers Network syndicated blog from Siemplify authored by Chris Crowley. Read the original post at: https://www.siemplify.co/blog/how-to-write-crisp-and-clear-security-operations-communications-before-you-hit-send-template-infographic/