Why the FBI treats cyber cases like kidnappings

The quicker a business can detect a malicious attack, the better chance it has of avoiding an incident that could shut it down for good, according to a member of the FBI’s cyber division.

FBI Assistant Section Chief Brett Leatherman told a Capitol Hill audience Friday that small and medium businesses need to move away from breach prevention and toward protecting their networks under the assumption that someone, somewhere will attempt to steal their data.

“You can never 100 percent protect your environment from penetration from a sophisticated adversary — it won’t happen,” Leatherman said at a cybersecurity event hosted by Travelers Insurance. “It’s not about sitting there waiting for logs to give you an alert. It’s about actually going into your environment and hunting for an adversary there with the belief that you are already compromised. Not a lot of organizations do that.”

Leatherman said that if businesses do find out they have been hacked, they should mirror the timeframe in which the FBI conducts kidnapping investigations. He explained that investigators often throw every available resource at a case within the first 48 to 72 hours, since evidence degrades after that timeframe. He implored business leaders to adopt a mindset in which compromises can be detected within the first two weeks in order to thwart a massive breach of personal information.

“If [attackers] can move laterally in that environment, it could be the difference between staying in business and going out of business,” Leatherman said. “It could be the difference between losing 1,000 records of [personal information] or 1 million records.”

He also echoed the bureau’s stance on ransomware: If a business finds itself infected, it is better to remediate the problem or call the FBI than it is to pay a ransom.

Leatherman ticked off a number of reasons why paying attackers is a bad idea: It paints an industrywide target for criminals to focus on, payment doesn’t guarantee businesses will receive full decryption keys, and a paid ransom could be categorized as funding illegal activity.

The use of ransomware has skyrocketed recently, with various security firms finding an exponential increase in the malware type over the first few months of 2016.

Leatherman also warned against various pieces of malware that have been infecting supply chains, including Havex and Black Energy. The latter has been tied to the attacks on Ukraine’s energy grid, which occurred late last year.