With the threat of ransomware and malicious cyber activities reaching “epidemic proportions,” Morrison & Foerster gathered those in the trenches of response to sophisticated cyberattacks for an inside look at law enforcement interactions during a breach.

Hosted by Morrison & Foerster Partner Miriam Wugmeister, the “What Really Happens When You Call the FBI” panel included Deputy Assistant Director of the Federal Bureau of Investigation’s Cyber Division Herbert Stapleton, FBI Senior Advisor to Director Scott McCulloch, and cybersecurity firm Mandiant Vice President David Wong.

In the wake of an incident, Wugmeister said, she hears concerns from victims about whether the FBI will share their information with regulators, what information the agency might collect and what will be done with it, and whether they might be identified publicly.

Panelists sought to assuage those concerns, saying the FBI works to understand the reasons behind a cyberattack, targets the attack from multiple angles, cooperates with other agencies and foreign partners, and has the tools to potentially recover data or fraudulent proceeds lost in an incident.

Stapleton pointed to the recent Colonial Pipeline cyberattack, in which investigators recovered $2.3 million of the $4.3 million in bitcoin the company paid to hackers.

“We have had some success in the past with identifying where a victim’s exfiltrated or stolen data might be located and bringing that data back into the fold before it’s broadcast or posted on dark web-type forums where it can be accessed by anybody in the world,” he said. “That’s not to say that we can do that in every single case, but we can do that in zero percent of the cases that we don’t know about. From my perspective, that’s really the importance of reporting and exploring what’s in the realm of possibility when it comes to working with law enforcement.”

The agency can also help to understand threat actors, their tactics, techniques and the reasons behind their actions — like whether they intend to monetize stolen data, Wong said. And it has insights and connections that help further an investigation.

“The FBI has capabilities that you and I don’t have as lawyers, as individuals, where they can work with attorney generals and other prosecutors to be able to get information that we might not be able to get, both domestically and internationally,” he said.

The agency communicates with victims and considers those conversations throughout an investigation and before releasing information publicly, Stapleton and McCulloch said. While information can be sought through subpoenas or search warrants, it is most often obtained through victim engagement and interviews, which Stapleton said is essentially a voluntary process. An investigator will tell the victim what information would ideally be needed to combat or investigate a threat, but will also be open to conversations about what best serves the agency and the victim, he said.

“The goal at every point is to make sure we are helping the company remediate and not making anything worse by the steps we take against the threat and getting the company’s input on those as we go,” McCulloch said. “The whole point of the exercise is to have an effect on the threat, but also to make the victim whole through every attempt that we can — to give them whatever benefits we are able to provide through the judicial system as we move forward with prosecution or disruption or action with a foreign partner.”

Stapleton noted the FBI’s role is to investigate violations of federal law and national security threats, and that it would not intentionally provide information to regulators.

“There can obviously be a legal process, just like there is with the victim, where regulators have the authority to get certain information, but we’re not giving information to the regulator so they can access it and then come back, ultimately, on the victim,” he said.

While most conversations center around necessary action following a breach, Wong advised companies to develop a relationship with their local FBI field office early.

“I think if you can develop a relationship in advance with a local office you can trust, you are probably going to be more willing to share information with them and they will know who to contact,” he said.

Looking at his fellow panelists, Stapleton said, “This is the kind of team that a victim is going to need in the aftermath of a cyber incident.”

“What the FBI really wants is to be a part of that team, an appropriate part of that team, so we can bring our capabilities to the fight,” he said.
