What to do when the FBI informs you of a data breach: Part 1
August 27, 2015
Tim Ryan leads Kroll’s Cyber Security and Investigations Practice. Prior to Kroll he was a special agent and computer forensic examiner with the Federal Bureau of Investigation (FBI), where he supervised the largest FBI cyber squad in the United States. He also supervised one of the FBI’s largest criminal computer forensic laboratories. Before joining the FBI, Tim was an accomplished attorney in private practice in Arizona.
This two-part series covers what to do when your company is approached by the FBI regarding a breach. Part 1 looks at the start of a cyber incident and how the FBI gets involved, while Part 2 covers how to best work with the FBI during a cyber security breach investigation.
A company learns about a cyber security breach of their enterprise in one of the same three ways you would discover that your house is on fire: you smell the smoke, the smoke detector goes off, or the fire department is at your house when you get home.
Scenario 1: You smell the smoke.
You don’t need to be an expert to know the smell of smoke. In the case of a breach, “smelling the smoke” is similar to users realizing something is going wrong with their computers or data. Companies will usually hear about this when internal users or help desk employees detect some sort of an anomaly as they’re working. It could be account lockouts, machines that start running very slowly or users unable to access files.
Scenario 2: You hear the smoke detector going off.
Your house has smoke detectors. Your company has security tooling: intrusion detection systems, anti-virus, firewalls and other tools designed to raise an alert when they see something that looks like an attack. These alerts are frequently how an enterprise security team realizes something is wrong.
Scenario 3: As you arrive home you see ominous flashing lights and red trucks.
Or, in this case, you find the FBI on your doorstep to inform you of the security incident.
While you may experience one or all of these types of alerts, a data breach notification by any law enforcement agency is particularly complex. This is because you have at least two sets of investigators: the company and law enforcement. Each group has its own objectives and methods. Understanding the differences and how the teams can work together collaboratively will ensure the best possible outcome.
If you’ve been informed of a breach by the FBI, the best thing you can do is understand what information the FBI has that can assist you, what information you have that the FBI needs and how to share this information in the most effective manner. This knowledge will help the investigation go much more smoothly.
In order to facilitate working with the FBI in a cyber investigation, it helps to understand how the FBI is organized and how it operates during cyber investigations. Let’s start by going through the most common questions a company will have when approached by the FBI.
How did this FBI agent find out I was hacked?
The FBI investigates both criminal matters (for example, bank robberies) and national security matters (like spies and terrorists). This is different from just about every other law enforcement agency and is particularly important for cyber investigations, which can be either criminal or national security cases. Which kind of case it is shapes both how the FBI learned about your breach and what it can tell you. In a cybercrime investigation, the FBI may have greater latitude in sharing information with your company. In a national security investigation, the FBI is limited, as a matter of law, in what it is allowed to share.
For example, in a cybercrime investigation, if an attacker steals data and sends it to a Gmail account, the FBI can issue a subpoena for the account’s subscriber records: who owns it, which IP addresses have logged in to it and when it was created. To obtain the contents of the account, they can apply for a search warrant.
By investigating this account, they may find out that hundreds of additional accounts were breached — including yours. Therefore the FBI is going to have a significant amount of information they can share with you, including IP addresses, the type of data stolen and probably dates of attacker activity. All of this information can be fed into your internal investigation to quickly identify suspect machines, suspect user accounts and logs to preserve.
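As an added illustration of the last sentence (this is example code, not part of the original article or anything Kroll publishes), the script below takes the kind of package a case agent might hand over, a set of attacker IP addresses and a date window of known activity, and runs it over a company's own logs to pull out suspect hosts, suspect accounts and the log files that must be preserved. The two log formats, the file names and the log lines themselves are constructed for the example. One caveat a practitioner should build in: the dates the FBI shares are only the activity the FBI knows about, so a hit on a shared IP outside that window is still preserved and reported separately, because it usually means the window needs widening. The script also computes the earliest and latest matching activity it found, which is exactly the sort of detail the case agent will want back from you.

```python
"""Triage internal logs against indicators shared by law enforcement.

Added example. It assumes (1) the indicators are a set of attacker IPs
plus a start/end of known activity, and (2) two simple space-separated
log formats, defined below. Both assumptions are for this example only.
"""
from datetime import datetime

# Indicators as they might arrive from the case agent (constructed values).
SHARED_IPS = {"203.0.113.45", "198.51.100.7"}
SHARED_WINDOW = (datetime(2015, 6, 1), datetime(2015, 6, 30, 23, 59, 59))

# Constructed sample logs, keyed by file name.
# proxy format: "<ts> <src_host> <user> <dst_ip> <bytes_out>"
# vpn format:   "<ts> <src_ip> <user> <result>"
SAMPLE_LOGS = {
    "proxy-2015-06.log": [
        "2015-06-12T09:14:03 ws-fin-07 jdoe 203.0.113.45 48213200",
        "2015-06-12T09:15:10 ws-fin-07 jdoe 93.184.216.34 1200",
        "2015-06-20T22:41:55 srv-files-02 svc_backup 203.0.113.45 912000000",
        "2015-06-21T08:00:00 ws-hr-03 asmith 93.184.216.34 4000",
    ],
    "vpn-2015-06.log": [
        "2015-06-11T03:02:17 198.51.100.7 jdoe SUCCESS",
        "2015-06-11T03:05:40 198.51.100.7 jdoe SUCCESS",
        "2015-06-15T18:30:00 192.0.2.10 asmith SUCCESS",
    ],
    # Earlier than the shared window: still worth finding.
    "proxy-2015-05.log": [
        "2015-05-03T10:00:00 ws-fin-07 jdoe 203.0.113.45 5000",
    ],
}


def parse_line(filename, line):
    """Parse one log line into a dict, or return None if it does not fit.

    The two formats are assumptions for this example, not a product's format.
    """
    parts = line.split()
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except (ValueError, IndexError):
        return None
    if filename.startswith("proxy") and len(parts) == 5:
        return {"ts": ts, "host": parts[1], "user": parts[2],
                "ip": parts[3], "bytes": int(parts[4])}
    if filename.startswith("vpn") and len(parts) == 4:
        # VPN logs carry the remote IP, not an internal host name.
        return {"ts": ts, "host": None, "user": parts[2],
                "ip": parts[1], "result": parts[3]}
    return None


def triage(logs, shared_ips, window):
    """Match shared IPs against logs and summarize what the IR team needs.

    Returns sorted suspect hosts and accounts, the files to preserve,
    any matches that fall outside the shared window, and the full
    range of matching activity observed (to report back to the case agent).
    """
    start, end = window
    hosts, accounts, preserve, outside, times = set(), set(), set(), [], []
    for fname, lines in logs.items():
        for raw in lines:
            rec = parse_line(fname, raw)
            if rec is None or rec["ip"] not in shared_ips:
                continue
            preserve.add(fname)          # any hit makes the file evidence
            accounts.add(rec["user"])
            if rec["host"]:
                hosts.add(rec["host"])
            times.append(rec["ts"])
            if not (start <= rec["ts"] <= end):
                outside.append((fname, raw))
    return {
        "suspect_hosts": sorted(hosts),
        "suspect_accounts": sorted(accounts),
        "preserve": sorted(preserve),
        "outside_window": outside,
        "activity_range": (min(times), max(times)) if times else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOGS, SHARED_IPS, SHARED_WINDOW).items():
        print(f"{key}: {value}")
```

In practice the log sources would be read from the preserved copies rather than embedded, and the IP match would be extended to any other indicators the case agent provides (domains, file hashes, account names), but the shape of the work is the same: match, preserve, and report the observed activity range back.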
How is the FBI organized?
The FBI’s organizational structure should affect your expectations when you deal with different FBI agents and offices. FBI Headquarters (FBI HQ) in Washington, D.C. is the hub of many investigations. This doesn’t mean that FBI HQ actually runs the cases, but rather it is frequently in a coordination role. For example, FBI HQ liaises with the Central Intelligence Agency (CIA), National Security Agency (NSA) and other members of the U.S. intelligence community to create a more complete picture of threats.
Investigations are most often run out of FBI field offices. There are currently 56 field offices covering every major metropolitan area in the United States. Every field office has a cyber squad. This is where cyber investigations are frequently initiated and carried out.
The FBI also has resident agencies: smaller offices spread throughout a field office’s territory that answer to that field office. They may or may not have cyber expertise.
Who gave this agent the order to go and knock on my door?
The power of the FBI is in “setting leads.” Despite what Hollywood may portray, the FBI’s true strength is that an agent in one office can pick up the phone and call an agent from another office (hundreds or thousands of miles away) to get something done. This is accomplished through a system of lead-setting where the primary investigator (the agent who knows everything about the investigation) can set a lead to another office to complete a specific task, such as interviewing a witness, executing a search warrant or informing a company that it has been breached. For example, a cyber special agent in San Diego investigating a group of Eastern European hackers can set a lead to a cyber special agent in New Jersey to inform a company in New Jersey that it has been breached. The agent in San Diego is called the “case agent” and the agent in New Jersey would be called the “lead agent.”
Why does that matter to you?
That means the lead agent who shows up at your doorstep may only be carrying out a lead issued from another state, and may not know the specifics of how the attack was carried out. The case agent has those details. So when the FBI seems to be withholding information, it may simply be that the agent in front of you doesn’t have it. Knowing this will help you navigate the FBI to get the information you need.
That said, it’s important for you to find out who is on your doorstep. Ask the agent if the lead about the breach is being run out of the agent’s field office or another one. Ask for the contact information and field office of the case agent.
Understanding which agent is running the case will help get you the most actionable information for your own investigation and mitigation strategies.
How long does a typical investigation take?
An FBI cybercrime investigation will, on average, take longer than an investigation of the street crimes you frequently read about in local newspapers. It could take months or sometimes even years. Remember, even if your company wants the investigation to end, or if you feel like your company has uncovered what caused the breach, the law enforcement investigation may still continue.
Find out how to best work with the FBI during a cyber investigation in Part 2 of this series.