How to Partner with Law Enforcement Following a Cyberattack

A cyberattack is a crime, and it is law enforcement’s job to investigate. Which agency should an organization call once it discovers a breach? What is law enforcement going to do? Answering these questions in advance of a breach can help enterprise leadership prepare for the role law enforcement will fill and build a more collaborative relationship.

A leader with the Federal Bureau of Investigation (FBI) and two cybersecurity experts with experience in the government and private sectors give InformationWeek insight into establishing a relationship with law enforcement and what to expect during a cybersecurity incident investigation.

Building a Relationship with Law Enforcement

If your incident response plan has a single line item that says, “Call law enforcement,” that can leave you scrambling in the event of a cybersecurity incident. Forming relationships with specific law enforcement contacts before a cyberattack or a breach will prepare organizations, and there are plenty of avenues to building that connection.

Simply picking up the phone and calling the local FBI field office can give cybersecurity leadership an easy place to start. “We have private sector coordinators in each of the 56 field offices. Those are special agents and other staff whose primary role is to build relationships with our private sector partners,” Donald Alway, assistant director in charge, FBI Los Angeles, tells InformationWeek.

Related:Damage Control: Addressing Reputational Harm After a Data Breach

The FBI also has different programs that engage private partner sectors. For example, the FBI in Los Angeles has the CyberHood Watch program. This program brings together thousands of people for cybersecurity information sharing.

“Imagine your neighborhood watch where all your neighbors, who are all from different backgrounds, [with] different jobs. They have different perspectives, but they all share a common goal to protect the community,” says Alway.

The FBI also runs Citizens Academy programs for private sector leaders, including a CISO Academy. These programs give leaders an inside look at how the FBI works and what to expect from the Bureau when it responds to a cybersecurity incident.

“Going through the Citizens Academy, that really opens a lot of the executives’ eyes as to who the FBI is and what they do,” says Stephen Boyce, director of the Magnet Digital Investigation Suite at digital investigation solutions company Magnet Forensics.

A number of organizations also facilitate collaboration between private sector leaders and law enforcement. For example, InfraGard connects US critical infrastructure stakeholders with the FBI, offering education, threat sharing and networking opportunities.

Related:The Mind of the Inside Attacker

Company leaders can also engage with industry-specific Information Sharing and Analysis Centers (ISACs). “For example, a financial sector company might be the member of the FS-ISAC,  and the FS-ISCA will have relationships and events … with law enforcement,” says Ed Cabrera, chief cybersecurity officer of cybersecurity software company Trend Micro and former secret service strategic advisor to the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC).

Involving Law Enforcement in Your Incident Response Plan

Cybersecurity leadership can directly involve law enforcement contacts in incident response planning. “Law enforcement has expressed an interest in -- certainly in recent years -- being a part of those proactive incident response plans, tabletop exercises,” says Boyce, who previously worked with the US State Department and FBI.

Tabletop exercises bring leadership -- the CISO, general counsel and other executive leaders and stakeholders -- together to run through various scenarios. How will an organization respond to ransomware? A business email compromise? What will each internal stakeholder do in a specific scenario, and what will external parties, like law enforcement, do?

Related:2023 Cyber Risk and Resiliency Report: How CIOs Are Dueling Disaster in 2023

“Invite those agents from those field office or division offices to participate,” Cabrera recommends. “Once they start participating in your incident response plan and as you test it and do a tabletop, they will tell you exactly what they’re going to do and when they’re going to do it.”

Running through tabletop exercises, before the stress and pressure of a real incident, helps stakeholders to get to know one another, their roles and build trust. “Everything hinges on trust,” says Cabrera.

Determining Which Agencies to Contact

Several different law enforcement agencies handle cybercrime in the US, which can be confusing for leadership, especially in the wake of a cyberattack or breach. Major agencies that handle cybercrime include:

A number of organizations exist to help coordinate private sector and law enforcement collaboration. The National Cyber-Forensics and Training Alliance (NCFTA) is a nonprofit that provides a neutral forum for private sector and law enforcement to work together. The NCCIC is another way the federal government provides incident response support.

The FBI also has a 24/7 operation for tracking cybersecurity incidents: CyWatch. CyWatch helps to manage the FBI’s response to cybercrime and coordinate with domestic law enforcement.

“They [CyWatch] will actually point the victim organization in the right direction,” says Boyce.

The National Cyber Investigative Joint Task Force (NCIJTF) is a multi-agency cybersecurity center, and it also plays a role in coordination and information sharing during a cyber threat investigation.

While there are many ways to get in touch with law enforcement, it is important to make a call or submit a report to bring law enforcement to the table.

“Every victim of a cyber intrusion should report their incident to CISA or the FBI every time -- it’s the only way that we can offer assistance, help protect other potential victims and enable action to disrupt the malicious actors,” the Cybersecurity and Infrastructure Security Agency (CISA) shares in an emailed statement.

For companies with an international presence, it is important to consider if agencies in other countries need to be informed. Each country will have its own law enforcement bodies and protocols. For example, the cybercrime unit of the National Crime Agency (NCA) handles cybercrime investigation in coordination with other law enforcement agencies.

Working with Law Enforcement After a Breach

In the event of a cyberattack, it is important that a designated point of contact work with law enforcement. It could be the CISO, general counsel or any stakeholder who understands the organization’s incident response plan.

Law enforcement can conjure concerns among company leadership. Are they going to face reprimands? How much information will the responding agency take?

Boyce emphasizes that law enforcement is not going to behave like a regulatory body. “They’re not going to say ‘Hey, you didn’t follow NIST standards; you didn’t follow the ISO standards.’ Law enforcement isn’t in the business of doing that, and they aren’t in the business of doing your notification requirements, whether that’s to the general public or to your customers,” he explains.

Nor is law enforcement going to come to an organization and demand unfettered access to tear through its systems.

“That misconception that we’re going to put an FBI stamp on it and haul everything away is something we want to overcome,” says Alway. “We may share some of the indicators of compromise [IOCs]. We often will give that back to the IT folks, who will go then look within their own systems for some of these indicators, and they often will identify the threat themselves with our help and guidance.”

But there is an expectation that an organization will cooperate with law enforcement agents and their requests. “What law enforcement never wants to have is an uncooperative victim,” says Cabrera. “If they need to, [they] will subpoena and/or provide search warrants for certain data.”

Law enforcement will come with the intention of acting as partner to the victim organization, alongside other stakeholders like remediation firms and insurance companies. “We would really expect to be seen as true partners in every sense of the word,” says Alway. A law enforcement team could include investigative agents with cybersecurity backgrounds, as well as technical experts, such as computer scientists and data analysts.

That partnership will be based on information sharing. Organizations will tell law enforcement about the nature of the incident, provide logs, and any other evidence of the intrusion and answer questions. Law enforcement will share their knowledge of IOCs and any information they have that can help enterprises during the remediation process.

“There’s no such thing as over communication in cyber incidents,” says Alway.

It is important to keep in mind that law enforcement’s job takes time. “A lot of times the investigation piece could drag on for multiple years, whereas the company [or] organization is on a shorter timeline,” says Cabrera. “Their focus is on obviously … speeding up detection, response, recovery, and remediation.”

While the FBI conducts its investigation and helps organizations to contain an incident, leaders can also get outside help as they work to regain operations. “That’s really where CISA comes in: helping the organization get back to a state of operations, of resiliency,” says Boyce.