When cyberattacks strike, this is how your department assists the FBI investigation
In recent years, the FBI has created a vast array of technological and investigative capabilities and partnerships to respond to cyberattacks on American interests
This feature is part of our new PoliceOne Digital Edition, a quarterly supplement to PoliceOne.com that brings a sharpened focus to some of the most challenging topics facing police chiefs and police officers everywhere. To read all of the articles included in the Winter 2016 issue, click here.
By Doug Wyllie
American organizations from the private and public sector are increasingly vulnerable to cyberattacks. From foreign government actors committing cyberwarfare to vast criminal enterprises engaging in corporate espionage, to individual hacktivists seeking merely to unleash mayhem, the threats to our internet infrastructure has been proven time and again.
Massive breaches of credit card and financial records theft have occurred at a variety of merchants including Target Corporation, Goodwill Industries and Home Depot. Government agencies that have been attacked include NASA, the Department of Defense and the Office of Personnel Management.
Teenage kids have successfully shut down wide swaths of the internet with DDoS (distributed denial of service) attacks launched merely for fun or to just prove they could do it. Most recently, Dyn, an internet services company that links web addresses to specific numeric codes, called IP addresses, was the victim of a huge DDoS attack.
Calling on the investigative assets of the FBI
Generally speaking, no matter the nature of the cyberattack, the investigation into the offense is led by the FBI. Most local police departments will recommend to victims that they contact the local FBI or USSS, if they have been victim to an intrusion, breach or other computer related fraudulent activity.
When a cyberattack is reported directly to the FBI by the victim company or government entity, the FBI follows a fairly straightforward process in making a determination as to whether an investigation is warranted. Once a private sector entity determines they would like FBI assistance, a Cyber Supervisory Special Agent or Cyber Special Agent will speak with a company’s internal computer incident response team, the Director of Incident Response or an equivalent position.
Malcolm Palmore, who serves as the Assistant Special Agent in Charge of the San Francisco Division’s Cyber Branch, told PoliceOne that the FBI is uniquely interested in the potential impact of the breach, complexity of the intrusion (use of technical exploits) and the potential ability to determine attribution (for eventual prosecution).
“After an initial phone triage and with the consent of the company affected, the FBI will dispatch one or two personnel — depending on the scale of the breach more may be required — to the victim’s location for the purpose of direct discussions about the breach and the potential collection of evidence,” Palmore said. “Those investigators may request logs, diagrams of the network architecture and a bit-level copy of the damaged or effected hardware or systems.”
Palmore said that following the initial on-scene response, there may be a requirement to return for additional consensually retrieved information, initiate legal process to obtain access to user data and continue conversations with internal or external (third-party) responders or vendors used in the response to conduct remediation activities.
Following the steps outlined above, the FBI begins a methodical review of data and information retrieved from the victim company. This review will highlight the need to engage potential third-party entities which may have information necessary to promote the direction of the investigation.
Palmore said that a review of the initial data will likely result in one or more of the following:
- The creation of detailed reports done by computer scientists or forensics examiners, which provide a road map of the intrusion and highlights the actions of the threat actor
- The identification of other equipment or logs that may be of evidentiary value to the investigative team
- The need to conduct additional interviews or interactions with employees
“This information is nearly always obtained via use of legal process, unless the effected entity provides the information of its own volition — which does not typically happen in today’s environment,” Palmore said.
Because of the nature of cyberattacks where threat actors may or may not reside outside of the borders of the United States, many aspects of the initiation of legal process require the use of a Mutual Legal Assistance Treaty or MLAT. MLATs are a formal way of sending U.S. Legal Process to a foreign government, it is then ingested into their legal system and presented to a foreign judge or magistrate for signature giving the appropriate authority to the host (recipient) country’s internal investigative resources to act on the information in collaboration with the FBI.
Local departments supporting the FBI
“Due to the limited resources available by all departments, most local authorities (city and local) are not equipped to respond to breach investigations,” Palmore said.
That having been said, Palmore indicated that local agencies are doing their part to support the FBI’s investigations into cyberattacks.
“Many police departments have invested in standing up local digital forensics labs and a formal investigative forensics component, but this relates to the examination of hardware, phones and other electronic apparatus,” Palmore said. “Additionally, the FBI has 16 regionally based digital forensics labs called Regional Computer Forensics Labs or RCFL.”
If a local police department has a capacity to investigation cyber intrusions, they are likely members of a FBI sponsored Cyber Task Force (CTF) or a USSS sponsored Electronic Crimes Task Force (ECTF). The path to getting investigators educated on the threat and the technical aspects of investigating can be expensive. The relationships with the federal departments are leveraged for access to training and the equipment needed to conduct investigations.
The greatest threats from cyberattacks
“The greatest threat to private enterprises are the prolific criminal intrusion threat actors engaged in malicious behavior on a large scale targeting U.S. based businesses and consumers,” Palmore said. “Threat actors continue to leverage available resources obtained in the dark web and those exploits are used to target businesses or consumers not properly protected against potential breaches or exploits.”
In addition to the malicious behavior of criminal threat actors, Palmore said that private sector entities must also be on guard to what the United States Intelligence Community describes as the Advanced Persistent Threat (APT) posed by Nation State threat actors.
“Both sets of threat actors are extremely technically proficient,” Palmore said.
Palmore said that the typical consumer has to guard against the same potential threats, but don’t have business scalable resources to protect themselves. Consumers must use InfoSec fundamentals such as the use of anti-virus or malware solutions (with active subscriptions), anti-spyware — they must invest in a system of backups and practice excellent password management.
Information sharing and partnerships
Palmore said that FBI and its other federal partners are big proponents of information sharing among business entities.
“Participation in either a government-sponsored, DHS’ Automated Information Sharing, or those sponsored by the private sector, such as the Facebook-sponsored platform Threat Exchange or the Cyber Threat Alliance sponsored by Palo Alto Networks, will absolutely help to increase any potential victims understanding of the cyber threat landscape,” Palmore said.
Indeed, in recent years, the FBI has created a vast array of technological and investigative capabilities and partnerships. Just this summer, in the Presidential Policy Directive-41 on U.S. Cyber Incident Coordination Policy, the structure of those partnerships is outlined. In the response to a cyberattack, the FBI will work with organizations including the Department of Justice, the National Cyber Investigative Joint Task Force (NCIJTF), DHS, the National Cybersecurity and Communications Integration Center and others.
For further information about how the FBI conducts its cyber investigation, check out the FBI’s website.
About the author
Doug Wyllie is Editor at Large for PoliceOne, responsible for providing police training content and expert analysis on a wide range of topics and trends that affect the law enforcement community.