Fun with incident response on Twitter
I created an account on Twitter yesterday. It tweets intimidating breach scenarios.
Thinking critically through worst case scenarios will make you better at security, and better at articulating these risks to others.
Enter @badthingsdaily. This account has a queue of tabletop scenarios to think about, set up to tweet daily (and maybe a little more often). I’m hoping it kicks off conversations about incident response and prevention, whether in casual discussion or in a classroom.
This should be useful for experienced security teams too. If you work on one, throw a scenario into a Slack channel and see if people bite.
If thinking through a tabletop scenario is tough for you, here’s what came to my mind for the scenario above (a senior engineer’s mistake leaks the company’s source code):
Where else has this happened?
Identifying publicly known cases, or personal anecdotes, can be valuable in helping others understand a risk. It’s much easier to champion the effort or time involved with a mitigation if you can prove the associated risk.
What is the threat?
In this scenario, the senior engineer who made the mistake is the threat. What else could this engineer have damaged? What is the blast radius of a casual mistake by an engineer? What mitigates mistakes made by your engineers?
Forget the source code for a moment: could the same kind of mistake leak our data? Can that happen?
What is the risk?
In this case, you might panic about how reliant you are on the secrecy of your source code. How much do we rely on source code staying secret? Do we care about work in progress being known to the world? Have we violated licenses or patents that will now be visible? Do we have API tokens and secrets littered throughout our codebase? Could a competitor take advantage of our code?
How do you lower the impact of your source code leaking? Is it possible to make source code secrecy irrelevant?
How many f-bombs are in our comments? Will we offend anyone? Do we care?
What defenses aren’t in place? What defenses should exist?
Maybe it is totally implausible that you could find yourself in this scenario. Is it because code wouldn’t leak in the first place, or that it wouldn’t be valuable or embarrassing? Why would someone say that this is unlikely, and do you take those protections for granted?
How would you respond?
Suspend disbelief and assume your protections failed. The incident happened. Who would be in charge? Who would be coordinating tasks to determine our risk? Is this a legal risk? Is this a PR risk? Should someone from each of those teams be involved? Who?
Have you ever been a part of a large credential rotation? What the heck does that look like?
Would we get ahead of the bad press by blogging about it proactively? Would we wait to comment if we don’t feel it was noticed? How do we decide something like that, especially if it doesn’t fall under breach notification laws?
Does this incident require specific forensic skills? Probably not, but other scenarios might.
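Two of the questions above have a concrete first step: “do we have API tokens and secrets littered throughout our codebase?” and “what does a large credential rotation look like?” Both start with an inventory of what is actually in the tree. Here is an added example (not part of the original post, and not a tool the account or its author ships) that scans a constructed, in-memory stand-in for a repository for well-known token shapes and for high-entropy values assigned to secret-looking names, then groups the hits into per-credential-type rotation workstreams. The token prefixes and lengths are public vendor conventions; the entropy threshold, the sample file contents and all names are assumptions made for the example.

```python
"""Secret inventory for a source tree: the first step of a credential rotation.

Added example, not from the post. Walks a tree of files (here a constructed
in-memory dict standing in for a checked-out repo), flags strings that look
like credentials, and groups them into a rotation worklist.
"""
import math
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    kind: str
    secret: str


# Well-known token shapes; prefixes and lengths are public vendor conventions.
SPECIFIC_RULES = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
]

# Generic `name = "value"` / `"name": "value"` with a secret-ish name. The value
# is only reported when it is long and high-entropy, which drops placeholders.
GENERIC_RULE = re.compile(
    r"""(?i)(api[_-]?key|secret|token|password|passwd)["']?\s*[:=]\s*["']([^"']{16,})["']"""
)
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumption, tune per repo


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> List[Finding]:
    """Return every credential-looking hit in one file, with its line number."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hit = False
        for kind, rx in SPECIFIC_RULES:
            for m in rx.finditer(line):
                findings.append(Finding(path, lineno, kind, m.group(0)))
                hit = True
        if hit:
            continue  # do not double-report a line the specific rules caught
        m = GENERIC_RULE.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(path, lineno, "generic_" + m.group(1).lower(), m.group(2)))
    return findings


def scan_tree(files: Dict[str, str]) -> List[Finding]:
    """Scan a {path: contents} mapping in a stable (sorted) order."""
    out: List[Finding] = []
    for path in sorted(files):
        out.extend(scan_text(path, files[path]))
    return out


def rotation_inventory(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group hits by credential kind; each key is one rotation workstream."""
    inv: Dict[str, List[str]] = defaultdict(list)
    for f in findings:
        inv[f.kind].append(f"{f.path}:{f.line}")
    return dict(inv)


# Constructed repo contents, not a real codebase. The AWS key is the placeholder
# from AWS's own documentation; every other value here is made up.
SAMPLE_REPO = {
    "src/config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'API_KEY = "q7Zp3Lm9Xv2Rk8Tn4Wb6Yd1Hs5Jf0Gc"\n'
        'TOKEN = "aaaaaaaaaaaaaaaaaaaaaaaa"  # placeholder: long but zero entropy\n'
    ),
    "scripts/deploy.sh": (
        "#!/bin/sh\n"
        "export GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n"
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEowIBAAKCAQEAconstructed\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    hits = scan_tree(SAMPLE_REPO)
    for f in hits:
        print(f"{f.path}:{f.line}  {f.kind}  {f.secret[:8]}...")
    print(rotation_inventory(hits))
```

The placeholder `TOKEN` line is deliberately not reported: it matches the generic rule by name but has zero entropy, which is the filter that keeps a scan like this from drowning in `changeme` values. The inventory it produces is what a rotation actually needs on day one: which credential types are exposed, and where, so each type can be handed to the team that owns it.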
The badthingsdaily account is queued up to spit out all kinds of scary scenarios to make your friends panic for the next couple weeks or so. I’ll curate good suggestions for the queue if you DM or tweet them to me, and that will extend the queue. Have fun!
I write about security on Medium.