“Should we call the cops?” It’s one of the first questions inside the war room of most organizations facing a data breach. And by “cops,” most of us are thinking “FBI.” But will the FBI actually care about your case? Can they help before you even understand what happened? Who would you even call if you wanted to?
FBI Special Agent Dean Neubauer, part of the Omaha, Nebraska, Field Office’s cyber squad, joined Pratum on a panel hosted by Iowa’s Secretary of State. Agent Neubauer’s team includes analysts, computer scientists and CART personnel (the Computer Analysis Response Team that handles digital forensics). His insights reveal what you need to know about working with the FBI on a breach—including steps you can take right now before a breach hits you.
What the FBI Is Watching: Business E-mail Compromise
“Outside of very large ransoms, we see the most damage from business e-mail compromise (BEC), on the order of about $2 billion in business loss per year,” Agent Neubauer says. “A week and a half ago, we dealt with an Iowa company that was a victim of a compromise that cost them $2.3 million.”
BEC scams typically involve a message that seems to come from a co-worker or trusted vendor but includes a bogus link. For example, Pratum recently worked a case in which an accounts payable employee unwittingly sent a $400,000 payment to a malicious actor’s bank account. The hacker inserted themselves into an e-mail thread about a real invoice, then fooled the employee into using a new account number.
In the case Agent Neubauer recently worked, a hacker took control of the company CFO’s e-mail address and tricked employees into transferring funds. The typical cause of these breaches is someone using the same password in multiple places, which makes it far easier for hackers to steal credentials.
The FBI’s Cybersecurity Tips
Clearly, your best strategy is to never need the FBI’s assistance. To secure your system, Agent Neubauer emphasizes several cybersecurity basics.
- Properly log events and store the records – A system monitoring solution such as SIEM or XDR maintains logs that provide the FBI’s starting point for an investigation. But agents find many organizations using basic systems that retain logs for no more than 48 hours. That’s rarely much help, considering that hackers typically lurk in the system for weeks or months before you detect them. Two days’ of logs gives investigators almost nothing to go on. Pratum’s policy for its SIEM/XDR clients is to retain logs for a full year.
- Implement Multifactor Authentication – MFA makes you more secure, period. “Ninety-five percent of the business e-mail compromise victims I have contact with don’t have MFA enabled at the time,” Agent Neubauer says. In one recent case, he says, the victim exempted part of its system from using MFA. Guess where the threat actors got in?
- Patch your systems – This is another classic best practice, but countless organizations let it slide, leaving known vulnerabilities wide open to exploitation. Agent Neubauer puts special emphasis on updating VPN devices, which are a favorite target for hackers. In one recent week, Agent Neubauer’s office saw five different Iowa companies exploited via the same SonicWall VPN. The hackers found the vulnerabilities via scanning tools, then sent in human hackers to start pivoting and escalating through the network.
- Test your backups – It’s not enough simply to have data backups. You also need proof that you can rapidly and reliably restore data from the backups. That means testing them.
- Beware of professional social media scams – The FBI has seen a spike in hackers phishing employees through LinkedIn or other professional social media platforms rather than through their company e-mail account. Scammers send the victim a link to an attractive job listing or a document that appears valuable. The link often leads to what looks like an Office 365 login page. In reality, it’s a credential harvester that hackers use to steal login information. But again, if you have MFA in place, they won’t be able to get in, even with your credentials.
When to Contact the FBI
Notify the FBI as soon as you suspect an attack. For example, your team may spot a phishing e-mail before anyone in your office falls for it. Telling the FBI about it lets them add the spoofed domain to the files accessed by offices nationwide.
Some organizations hesitate to call the FBI because they fear word will get out about their breach. But Agent Neubauer says the FBI won’t leak the information. “We won’t go to the media, with the exception of issuing a press release following an arrest,” he says. If you hear that a victim company is working with the FBI, that’s because the victim company or one of its vendors alerted the media.
Even if you’re not currently dealing with a breach, the FBI likes to hear from you. “It gives us a chance to network and establish relationships,” Agent Neubauer says. “That way in the future, you’re not having to cold call and work through to the cyber squad. When minutes matter, that’s critical.”
How to File a Report
The process starts when you file a report with the Internet Crime Complaint Center (IC3) at this site . Reporting your breach can activate the FBI’s recovery of assets team, which could dramatically reduce your financial loss. A detailed IC3 complaint about a fraudulent bank transfer, for example, includes details like the sending bank, receiving bank, account numbers, amounts involved, etc. Thanks to extensive relationships with financial institutions, the FBI can instigate a financial fraud kill chain that freezes accounts and may get your money back.
How the FBI Responds
Agent Neubauer says a special agent may show up to gather information, including logs, and put it into their systems. Your situation may require a full incident response from a team of agents and other professionals (the Cyber Action Team) that can be on-site anywhere in 24 hours. “We’d be looking for how the actors got in, what they took, what they’re using to communicate,” Agent Neubauer says. “It’s all the same stuff traditional IR would do, but it’s focused on a criminal prosecution and not how to fix your stuff.”
If you need help preparing your incident response plan, including how you’ll work with law enforcement, contact Pratum today.