- As the Cybersecurity and Infrastructure Security Agency (CISA) becomes a more dominant player in private sector cyber response, organizations are still confused as to what federal agency cyber victims should contact first following an incident.
- CISA is responsible for asset response, or net defense and cyber resiliency, while the FBI and Secret Service are responsible for threat response investigations, said Bryan Vorndran, assistant director within the FBI's cyber division, speaking during the Incident Response Forum Ransomware on Thursday.
- "If your house is robbed, you would likely call law enforcement. After you get your wits about you, you would likely call an alarm company to say what can I do to prevent this from happening again," said Vorndran.
The FBI's primary job is to impose risk and consequences on threat actors, but the agency can only place maximum pressure by leveraging its government position to engage with the private sector.
The dominant players in cyberthreats are China, Russia, Iran, and North Korea, said Vorndran. "We want to, at some point, take players off the field, or make their work so challenging that it's not worth their time to continue to conduct this type of crime."
Russia reportedly arrested members of the REvil ransomware gang following requests from the Biden administration, according to reports Friday. It's the latest legal action taken against the ransomware gang, following several crackdowns from the Department of Justice last year.
With help from the National Security Agency (NSA) and Central Intelligence Agency (CIA), the FBI can disrupt threat actor operations and hand its investigative results — tactics, techniques and procedures (TTPs); indicators of compromise; threat actors — to CISA for the agency to push out to the private sector.
The Secret Service and the FBI are fairly constant collaborators on cyber-related investigations, an essential piece of post-incident response. "Attribution matters," said Vorndran. This is especially true as cyber insurers are enforcing coverage exclusions for cyberattacks attributed to state actors.
Vorndran recommends organizations establish a relationship with local and state governments, including the FBI and CISA and their contacts in an incident response plan. When developing an IR plan, he suggests companies consult with outside counsel and insurance providers during the pre-work stages. It will smooth out engagement with the government, he said.
A federal incident reporting law, which was removed from the National Defense Authorization Act (NDAA) at the last minute, could offset any delays in reporting or disruption in recovering funds.
Because Colonial Pipeline engaged the federal government so quickly following its ransomware attack, the FBI was able to recover $2.3 million of the company's payment. "That operation is not possible without Colonial's immediate engagement with the U.S. government," Vorndran said.
Incident reporting legislation could have two different goals: collecting cyber-related data or incident response that will benefit a victim organization. For Vorndran, 72 hours would be sufficient for data collection, but if more companies expect law enforcement to recover ransom funds, Vorndran expects the timeframe to be closer to 24 hours.
CISA would be the agency to collect data and house it for agencies like the FBI to use in their investigations.
"The interagency in the U.S. government and the collective interaction with the private sector, both victims and infrastructure providers alike, is maturing by the week, and we are getting better and better and better," said Vorndran.