Insights from the FBI on cybersecurity

Cybersecurity is a regular theme around here, but there’s a key perspective we haven’t heard from directly: the FBI. Curious what law enforcement is thinking about in the cyber sphere these days? Thinking of reaching out to your local field office?

This summer, I had the chance to connect with Brett Leatherman, the FBI’s Deputy Assistant Director for Cyber Operations and the Director of the National Cyber Investigative Joint Task Force. He manages the agency’s strategy of imposing costs on some of the world’s most sophisticated cyber adversaries – including those who target SMBs (and subsequently, their MSPs).

From accessing FBI resources to a recent shift in strategy to advice on navigating cyberattacks, here’s what Leatherman wanted MSPs to know during a bonus episode of The Business of Tech.

What’s the FBI tracking these days?

My first question for Leatherman was for SMBs in particular. What trends is he tracking for small and medium-sized business spaces these days?

His first answer shouldn’t come as a surprise: ransomware.

But in the last year, a new pattern has emerged where bad actors target the underlying ecosystem that supports specific sectors (like healthcare or energy), triggering a cascading impact on other victims and downstream customers, ultimately shrinking the window an organization has to consider payment. In other words, they’re getting better at extortion.

His second answer is also expected: AI. During the lead-up to the election, the FBI saw its first campaign where a state actor (yes, Russia) leveraged AI to scale their disinformation campaigns/influence operations.

Third, Leatherman cited the targeting of supply chains within software as a growing concern. It’s not an emerging problem, but it’s worsening due to vulnerabilities that organizations disclosed/patched a while ago, meaning the actors didn’t need to deploy sophisticated tools to pull it off.

The FBI’s recent shift in strategy

In response, law enforcement has done a noticeably better job pushing back against cyber criminals. We’ve been hearing more and more about people facing court time, for example.

What’s been behind the shift? Leatherman attributed the success to the FBI's strategy, which is to “impose costs on malicious cyber actors while also providing substantial assistance to victims of cybercrime.”

One example of this was the response against LockBit in partnership with the UK’s National Crime Agency. Leatherman and his team both completed a technical operation that degraded LockBit’s infrastructure enough to access crypto keys and indicted a number of affiliates – serving as a major deterrent against future adversaries.

The importance of pre-incident engagement

Another explanation for the success is the private sector improving engagement with law enforcement. We often talk about this at a very high level – having an incident response plan ready, knowing who to call, etc. – but I wanted to hear Leatherman’s take on what that intake really looks like.

Before a breach ever occurs, your goal, according to Leatherman, should be to have a relationship with your local FBI field office.

But what’s the actual expectation for that interaction? What does it even look like?

Per Leatherman, it’s pretty simple: locate your nearest FBI field office at FBI.gov (there are 56 nationwide) and ask to speak to a cyber supervisor or a member of the cyber task force. Once connected, tell them more about your business model and customer base; this will help inform them about what threat actors might target your organization and establish a local contact.

Timing-wise, Leatherman suggests touching base annually or every six months.

Working with the FBI during and after an incident

When an incident finally arrives on your doorstep (remember, it’s not if, but when), Leatherman recommends two locations to submit your information: tips.fbi.gov or IC3.gov (the Internet Crime Complaint Center).

Of course, an incident response plan and prep work will make this process much easier. For example, Leatherman says it’s a good idea to know ahead of time what you’re willing to share with law enforcement, how to communicate with the FBI outside of your impacted system, and questions like: do we have cyber insurance? Are we going to reach out to the cyber insurer first? Do we have inside or external counsel that we want to run this by first? What has internal counsel previously recommended?

Take it from Leatherman:

“We also have 21 and counting cyber assistant legal attachés located in embassies around the world. So if you haven't seen the actor on your networks before and you don't know how to address it, chances are good one of those 56 field offices or those foreign partners that we engage with have seen it. So it's important for us to be able to share intelligence quickly with the teams who are helping you identify, contain, and ultimately eradicate the adversary,” he said.

If you’re worried about sharing information with the FBI that may be contentious, you’re not alone. Leatherman explained that while very few people have concerns about sharing everything about the bad actor, legal counsel often gets involved with data exfiltration related to trade secrets, log files, etc.

However, Leatherman wants you to know that the image of the FBI rooting around Linux servers is just a myth:

“We don't want to get information that ultimately doesn't promote attribution towards the adversary,” he said.

FBI policies and procedures to be aware of

In fact, the FBI has policies and procedures for information handling. I asked Leatherman to explain these a bit, and he cited a few pieces of publicly available information you can check out:

● The Federal Criminal Code identifies what the FBI looks for in pursuing actors

● The Computer Fraud and Abuse Act explains the charges the FBI seeks against actors and how they accomplish that mission

● The Victim’s Rights Act outlines how the FBI treats victims and how they gather evidence of criminal conduct for use in investigations

“The FBI is there to help. We are a law enforcement agency in your community. It doesn't cost you a dime to call us. You're already paying our salaries and your taxes. So reach out, engage us. We hope that everybody will establish that relationship with their local FBI field office,” he said.

Defensive v. offensive deterrence

Finally, I had a premise I wanted Leatherman to respond to. If cybersecurity is an area where neither my client nor I want to spend money, could leaning into the basics – multi-factor authentication, passkeys, backups, etc. – get us most of the way? Is thinking so naive?

Leatherman doesn’t see that strategy as naive; while offensive deterrence (tapping law enforcement to go after adversaries) is important, defensive deterrence can help discourage actors from going after your organization:

“Defensive deterrence is raising the general cyber hygiene of your organization so that the actors decide, this is not an entity I want to use or disclose one of my more technical tools on, so I'm going to move on to another victim who's got less cyber hygiene,” he said.


Feeling inspired to contact your local FBI office? Have you done so already? As always, my inbox is open for stories, questions, insights, or whatever else is on your mind.

Sean Makura

Helping Tech Businesses Stand Out | Love your website or don't pay! | Turning Site Visitors Into Adoring Fans | Helping You Target Your Ideal Client | Brand Strategist & Webflow Designer

1 week

Does their shift in strategy affect SMBs? Is it something they should follow as well?
