The latest cybercrime studies confirm that attacks are once again at an all-time high. But as ransomware continues to reign, and nation-state attacks and espionage-related incidents rise, authorities warn that the numbers reported may only be the tip of the iceberg.
A recent report by the U.S. Government Accountability Office, highlighting federal U.S. agencies’ challenges with reporting mechanisms, assures that cybercrime is likely underreported.
The reasons why large, medium and small companies choose not to report a cyberattack include fear of reputation damage, business disruption and the risks of sharing data with the government. These misconceptions are impacting private companies, as they fail to recognize the benefits of working with federal agencies and law enforcement to respond to cybercrime.
On July 20, I attended the Northeast Cybersecurity Summit. At the event, agents from the FBI and Homeland Security revealed how cyberintelligence collaboration works and how companies can leverage it.
Business disruption: What really happens when the FBI or Homeland Security shows up?
One of the main myths regarding the involvement of federal agencies and authorities is the disruption of business operations. Companies may think that calling federal agencies can complicate an already difficult situation.
“I think there are some misconceptions out there about either the FBI, Homeland Security or any law enforcement agency,” Jeff Hunter, special agent of the FBI, said. Hunter added that companies often think that when authorities show up, they will take away all the servers and shut down business operations. “That’s really not the reality,” Hunter said.
Computer forensics: The benefits of reporting and making the call
Hunter highlighted the FBI’s interest in establishing a two-way dialogue from the start.
“For example, with ransomware, the FBI has a case on every ransomware variant out there,” he said. “So with quick notification, we’re able to put you in direct contact with the actual agents that are working that variant to get to you the IoC [indicators of compromise] very quickly.”
Indicators of compromise in computer forensics is evidence or clues, often in the form of metadata breadcrumbs, that help organizations resolve cyber incidents, revealing key information about the attack and the attacker.
Hunter added that the FBI can also help, for example, by providing a list of IPs related to the incident, which a company may want to blacklist while doing triage: identify, prioritize and resolve.
“We understand that usually, when we get the call, it’s because ‘the house is on fire,’” Hunter said, stressing that the goal of the FBI isn’t to create further chaos but to help companies by offering them the bureau’s resources.
Mark Gibble, officer of the Homeland Security Investigations Task Force at the Department of Homeland Security, agreed with Hunter and added, “For you, it’s a big deal, it’s ‘your home,’ ‘your castle,’ but for us, it might be the third or fourth incident we’ve been to in the same day.”
“So, in addition to the IoC, sometimes we may have already found some of your exfiltrated data,” Gibble said. “Or, we may have some insight into where some of the compromises living on your system are located.”
Gibble also highlighted the importance of reporting minor incidents.
“Sometimes you might be having a small problem,” Gibble said. “And when we show up, we might say it’s about to get much bigger. Here’s the information; go for it. Fix ‘your house.’”
Legal reporting responsibilities and collaboration incentives
In the U.S., there are several federal and state security breach notification laws, which include the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act and the California Consumer Privacy Act. Emerging legislation, such as the Cyber Incident Reporting for Critical Infrastructure Act and the U.S. Securities and Exchange Commission rule, are putting pressure on companies to report cybercrime.
Still, there needs to be more clarity about the mandates and legal requirements that companies have to notify, cooperate and collaborate with the government when they experience a breach.
Homeland Security and the FBI can help companies answer critical questions, Gibble said. Questions such as:
- What have other corporations who suffered the same type of attack done in the last 48 hours?
- How will the attack evolve?
- Who is behind it, and what’s happening?
- Should our company pay the ransom?
Gibble added that Homeland Security or other agencies might also have information on the particular threat actor running the attack and provide a broader perspective. While companies have their own research, preparedness and incident response plans, Homeland Security, for example, has national and global data on cybercrime, Gibble added.
SEE: TechRepublic Premium’s Incident Response Policy
Who to contact when a cybersecurity attack strikes
Companies and security teams are also often confused about who to contact when a cybersecurity attack begins to unfold. With different agencies involved, state and national jurisdictions in play, and different task forces specializing in different types of attacks, who should they call first?
“Notifying any law enforcement agency is obviously advisable,” Hunter said. The special agent explained that companies can reach out to the FBI, the Secret Service, Homeland Security and other local authorities that coordinate with federal agencies. All federal and state authorities work together when it comes to U.S. cybercrime and will put a company in contact with the best and closest on-ground resource if requested.
Being more specific, Hunter advised companies to contact CyWatch. “That’s the FBI’s cybersecurity incident response, 24-hour hotline. CyWatch can be contacted by phone at (855) 292-3937 or by e-mail at CyWatch@ic.fbi.gov. They can route you to the FBI field office that covers that incident very quickly. You could be on the phone with either a cyber supervisor or the agents that are actually working on that variant very quickly.”
And if the FBI finds out that counsel represents a company, it will seek to include the counsel early in the conversation. “We like to bring everybody in and make it a very collaborative conversation,” Hunter said.
“A pre-existing relationship with your FBI office before an incident occurs is paramount,” Hunter said. Having this relationship builds trust and speeds up processes.
Why companies should establish pre-existing relationships with FBI and Homeland Security
Another question companies usually have is whether a determined agency works with specific cybercrimes. Does the contact change if the type of attack (e.g., nation-state attacks or crypto crimes) changes?
“Homeland Security focuses on a lot of Dark Web and ransomware,” Gibble said. “Whereas the Secret Service is doing a lot of crypto tracing. If I have a crypto-tracing question, I’m going to ask them,” Gibble said and added that the FBI, given its long-standing history and size, can redirect calls to local resources closer to the incident.
“At the end of the day, call someone, and we will get it to the right person; we are not going to drop the ball or blow you off,” Gibble said. Contact with authorities can be provided via phone calls or conferences, even in rural areas. Additionally, if a company wants an agent to be present, it can be arranged by linking state or local law enforcement offices.
Gibble agreed with Hunter that the best way to answer the question of whom to contact is to establish a pre-existing relationship and integrate the contact into the incident response plan. Companies that establish pre-existing relationships will also feel more comfortable when an incident occurs, as they already know the law enforcement agent. The pre-existing relationship can also help navigate the complexities of sharing data with government agencies.
Final takeaways for businesses
Experts on the panel concluded the event with advice for companies. The importance of taking ownership of security and reaching out to others in the same sector, law enforcement or academics was stressed by Gibble.
“That’s how law enforcement is learning. None of us are born with intuitive knowledge,” Gibble said. “Increase your brain trust.”
In addition, businesses should conduct a data and system inventory and have an incident response or forensic team that can come in and help during an attack. Incident response plans should be updated monthly rather than yearly, and employees must be educated to recognize malicious messages.
“Sounds simple, but the majority of incidents that I investigate are still tracked back to an employee clicking on a malicious link,” Hunter said.
Companies can benefit by building relationships with law enforcement agencies, whether it be the FBI, Homeland Security, the Secret Service or local departments. Through collaboration, they can leverage the expertise law enforcement has on areas like forensics, laws, global trends, specific technologies and attacks, remediation and response techniques, and broader global information. This collaboration can help the private sector better respond to attacks and resolve them more rapidly and efficiently, while strengthing national and international digital security.
Companies that want to contact Homeland Security can do so through the Cybersecurity and Infrastructure Security Agency, which leads the U.S. effort to reduce cybercrime. CISA can be contacted by email at email@example.com or by phone at 888-282-0870. Additionally, different incidents can be reported to CISA at its incident report site. The FBI can be contacted through the Internet Crime Complaint Center. The IC3 is the U.S. central hub for reporting cybercrime.