Working with Law Enforcement During a Breach

We have a team of Digital Forensics and Incident Response (DFIR) experts here at Lodestone Security working daily with organizations that have fallen victim to a cyber attack. During our investigation, clients ask a lot of common questions. In this post, I am sharing some of the common questions about working with authorities, and our general recommendations.

Should we work with any law enforcement agencies?

We encourage our clients to work with local agents and share any information that you feel comfortable sharing. The typical agency that responds to cyber crime, including extortion events like ransomware, is the Federal Bureau of Investigation (FBI).  Circumstances of the attack or regulations governing your organization might dictate otherwise. Ideally, you would reach out prior to a data breach and make contact with a local agent as a part of building your Incident Response Plan (IRP) and include that contact information in the IRP document.

Do you share our information with law enforcement?

Without explicit permission from you, we do not share your information with anyone. We engage under complete confidentiality which frequently includes attorney client privilege. The team at Lodestone does contribute de-identified statistics and observed Tactics, Techniques, and Practices (TTP) to various cybersecurity industry information exchanges and sharing groups to help combat cybercrime.  Law enforcement agencies are part of these groups as well. We take every precaution to ensure any information we share is not identifiable or attributable to persons or organizations.

Can I use the FBI instead of a commercial DFIR team?

While the FBI is an investigative agency, they do not have the resources to help everyone perform exhaustive forensic investigations and determine root cause. They also don’t have resources to help remediate the damage done, repair the security flaws that allowed the attack, or restore your organization to normal operations. FBI agents will likely refer you to a private sector DFIR firm like Lodestone to conduct the investigation and ask you to share back information that you learn.

Does it make a difference? Do they catch the criminals?

Yes! While not every criminal will be discovered and arrested, they gather as much information as they can, as it can and does lead to identifying and apprehending the criminals. More importantly, the FBI’s database of TTPs and other threat intelligence has become top-notch over the last few years.  That vast improvement is significantly fueled by contributions from the private sector.  Several of us here at Lodestone can proudly say that we have helped to identify criminals that the FBI has successfully arrested.

What information do they want?

Taken from a recent ransomware alert, here are some pieces that the FBI generally asks for. Keep in mind, you don’t have to share everything. Even just one item could be a piece they are missing from other cases.

  • Recovered executable file
  • Complete phishing email file with headers
  • Live memory (RAM) capture
  • Images of infected systems
  • Malware samples
  • Network and Host Based Log files
  • Email addresses of the attackers
  • A copy of the ransom note
  • Ransom amount and if the ransom was paid
  • Bitcoin wallets used by the attackers
  • Bitcoin wallets used to pay the ransom (if applicable)
  • Tor sites used to contact the attackers
  • Names of any other malware identified on your system
  • Copies of any communications with attackers
  • Document use of domains for C2
  • Identification of website or forum where data was leaked

 

In general, we encourage you to work with privacy counsel to ensure you are making the best decisions when sharing any information with anyone. If you don’t have any established relationships with privacy counsel, we have some great partners that we love to recommend.

Feel free to reach out to us with any questions you have about incident response, data breach readiness, or ransomware.

Author

  • James Habben

    James Habben is the Director of Business Development at Lodestone Security. Over his 15 years of cybersecurity experience, James has been involved in some of the largest data breaches in history, providing guidance and leadership through complex challenges. In addition, he helps companies to proactively improve their cybersecurity posture through policy, process, and cross-function data breach simulations. James has spoken at many conferences on new trends and techniques, and enjoys contributing to the cybersecurity community.