Wed, Sep 9, 2015

What to Do When the FBI Informs You of a Breach: Part 2

This two-part series discusses what to do when your company is approached by the FBI regarding a breach. Part 1 looked at the start of a cyber incident and how the FBI gets involved, while Part 2 offers pointers on how to best work with the FBI during a cyber security breach investigation.

In Part 1, we covered who the FBI is, how they’re organized and potentially how they found out about your cyber security breach. Now we’re ready to discuss next steps on working effectively with the agency.

After you’ve been approached, you’ll want to know what to do throughout the cybercrime investigation. Let’s go through the most common questions a company asks during an investigation with the FBI.

How should I involve this agent in our internal investigation?

When the FBI informs you that your company has been breached, do not approach the situation with disbelief. Agents often meet with a high level of denial during these kinds of cyber investigations, and it’s a waste of precious time.

Instead, use this opportunity to immediately find out what the agent may already know.

Your first question to the agent should be:

What was the tactic, technique or procedure (TTP) used in this type of security attack?

This essentially means you are asking for the:

  • IP addresses
  • domains
  • malware
  • registry keys
  • timeframe of attacker activity
  • other attacker fingerprints

When you get these TTPs, you will want to include them as part of your investigation. This information allows you to focus your internal investigation and avoid trying to boil the ocean by forensically examining every conceivable machine. Moreover, if you have to bring in outside help, giving them the cyber TTPs upfront will allow their investigation to be far more streamlined, efficient and economical.

Once the agent provides these TTPs, ask yourself:

How do we look for these attacker fingerprints quickly and how will we preserve this information in a forensically sound manner?

You will want to be thinking in terms of “what is evidence and how can I properly preserve it” from the very beginning. The FBI can provide you with crucial information, but you may not want to provide them with potentially irrelevant, yet sensitive, corporate information. One way to avoid having the government image a lot of your corporate machines is to preserve the information in such a way that the government can rely on it at trial. This includes using and documenting all the basic tenets of forensic collection and chain of custody.

How can the FBI help?

The FBI can assist your organization’s cybercrime investigation in two critical ways: i) the information they already have and ii) the information they can collect.

  1. What they already know. The FBI may already have a treasure trove of information for your company to use in your investigation. Go into any discussion with the FBI trying to find out what information they have available that will help expedite and focus your internal process. This would include the attacker fingerprints mentioned earlier and also what the attacker is commonly seeking. Knowing what the attacker is typically after can allow you to get out in front of a persistent adversary.
  2. What they can collect. Depending on the type of investigation, the FBI can seize email accounts and malicious domains, or gather information about how the attacker was trying to use the stolen data. This frequently requires a working relationship with the FBI regarding your own findings. For example, if your investigation determines that the attacker was using the malicious domain “,” the FBI may be able to monitor that domain or investigate the owner/subscriber of that domain.

The FBI can also help you get third parties to comply with the investigation. If, for example, a third party website host is involved in relation to the attack, then the FBI can solicit the assistance of the hosting company. This could include the hosting company shutting down the website or requesting that stolen data be removed.

And, of course, the FBI can arrest the attacker. If your company is being extorted or blackmailed by an attacker, the FBI can get involved to neutralize the threat.

What will the FBI not do during the investigation?

There are three main things the FBI will not do for your company during a cybercrime investigation.

  1. Internal forensics. Just because the FBI is coming to you does not mean they can help you with the civil or regulatory requirements surrounding the breach. The FBI’s job is to investigate violations of criminal law and collect and analyze intelligence information. This will not entail doing forensics inside your company to determine the number of people that must be notified regarding the breach. It will not involve dissecting where your company’s architecture or response plan broke down. Instead, they are investigating other aspects of the attack outside of your company to track down the culprit.
  2. Tell you about your own architecture. It is your company’s responsibility to know how your network is controlled and secured. The FBI won’t tell you what architecture you should be using or policies that should be implemented, or conduct a comprehensive security assessment.
  3. Do computer forensics to assist with breach notification. When the FBI sees a server that’s under the control of an attacker, they may not review all of this data and provide a list of compromised data. Identifying and notifying your clients of the attack is your company’s responsibility, not the FBI’s.

What complications arise when working with law enforcement?

There are a few complications you may encounter during an investigation, including:

  1. It’s not your investigation any more. If you find out what is causing the breach, it doesn’t mean the investigation ends. You can stop your internal investigation, but the FBI’s investigation may continue.
  2. What they seize is their evidence. It may be your property, but it quickly becomes law enforcement’s property when they seize it. Make sure you have properly backed up or made copies of everything you turn over for evidence because once something is seized, it is literally out of your hands.
  3. Anything you say or write down could be used in court. Have your attorney present the moment the FBI informs you of a breach. Anything you say or write down, from day one to the close of investigation, may be used against you in a future civil suit or regulatory proceeding.

While it is never a good thing when the FBI informs you of a breach, preparing yourself with the above knowledge will make the investigation go as smoothly as possible.

Go behind the scenes with Kroll’s Cyber Leader, Former FBI Agent Tim Ryan, in his presentation here.

To learn more about how to prepare for a data breach, contact Kroll today.
