Working with the FBI

Transcription

1 Working with the FBI WMACCA Data Privacy & Security Conference September 17, 2014

2

3

4 Individuals Organized Crime Syndicates Hacktivist Groups Nation States Nation-States Individuals Industry Law Enforcement & Government Infrastructure

5 National Cybersecurity Framework DHS (Protection, Prevention, Mitigation, & Recovery) Coordinate the national protection, prevention, mitigation of, and recovery from cyber events Disseminate domestic cyber threat and vulnerability analysis Protect critical infrastructure Secure federal civilian systems Investigative cyber crimes under DHS jurisdiction FOREIGN DOMESTIC DOJ/FBI (Detection Investigation, Attribution, & Disruption) DOD/NSA (Defense, Prevention, & Overseas Intelligence) Investigate, attribute, disrupt, and prosecute cyber crimes Lead domestic national security operations Conduct domestic collection, analysis, and dissemination of cyber threat intelligence Support the national protection, prevention, mitigation of, and recovery from cyber incidents Coordinate cyber threat investigations

6 FBI Cyber Mission To proactively protect the United States against: Terrorist attack Foreign intelligence operations and espionage Cyber-based attacks & high technology crimes As the only United States agency with the authority to investigate both criminal and national security computer intrusions, the FBI is following a number of emerging cyber threats.

7 FBI Cyber Incident Response Teams Network Traffic Analysis Capabilities/Skill Sets Analysis of network traffic (netflow and pcap) Router configuration files and other network related log files Host-Based Forensics Malware Legal Collect forensic host images and live memory capture Analyze images for indicators of compromise Analyze samples of malicious code Process legal documentation (consent/trespasser) Intelligence Research evidence in FBI/USIC databases and disseminate to partners

8 FBI Objectives in Responding to Cyber Incident Investigate and prosecute Cyber crimes Work with victim to Continue operations System owner retains control of systems System owner (not Special Agent) produces logs, memory images, etc. No crime scene tape around your networks Protect data Not advance team for regulators or plaintiffs lawyers Maintain confidentiality of PII and other protected data Maintain confidentiality of incident Assist in mitigation and recovery Provide signatures, TTPs Provide classified information as needed

9 Victim Systems Owner Preparation Ensure availability of : -CISO, CSO, Legal, Senior System Administrator, Network Architect, Lead Developer Legal Banner/Computer Use Agreement Network Topography Maps Internal/External IP Address and Host List List of Network Devices (switches, routers) Incident Logs (security, host, IDS, web, database) Archived Network Traffic Forensic Images of Compromised Hosts Physical Access Logs (video, key cards)

10 Lessons Learned From Prior Incidents - Technical No accurate map of the network No accurate list of authorized devices on the network Insufficient logs Not logging the right activity Not maintaining logs for sufficient period of time Personnel not trained to retrieve or analyze logs Insufficient backups Inability to restore operations Proprietary software - Not secure/not patched

11 Lessons Learned From Prior Incidents - Legal No prior consideration of key legal issues Privacy issues data sharing Operations in foreign jurisdictions Local/state regulations re: breach notification Engaging experienced outside counsel Third party agreements Third party liabilities Insurance policies Corporate policy preventative measures

12 Working with Law Enforcement Are you engaged with your local FBI or Secret Service Field Office? Consent to search/monitor? How much can you share? Maintaining privilege Preservation of evidence

13 iguardian The FBI s Guardian platform was developed for real-time intake and management of criminal and national security cyber threat reporting iguardian: The platform for trusted industry partners For access, the following information to Unit Chief Timothy S. Marsh at [email protected] and Paul E. Konschak at [email protected] : 1) First / Last name 2) Specify if current InfraGard member 3) address 4) Telephone number 5) Company name 6) Company address 7) Title / position

14 eguardian eguardian: The platform for law enforcement officials Access Law enforcement officials without a Law Enforcement Enterprise Portal (LEEP) account: Apply for a LEEP account at Choose the No option for are you a sponsored applicant? After submitting LEEP application, send an to SSA Brian D. Abellera at [email protected], Kelvin Blue at [email protected], and Jasan Dahlgren at [email protected] with the following information: 1) First / Last name 2) address 3) Telephone number 4) Address» NOTE: If you already have a LEEP account, follow the instructions above and include your LEEP username in the

15 Conclusion Questions?