Security Experts:

Incident Response - What to Have Ready Before Calling In The FBI

When the worst happens, and a breach has caused serious damage to your organization, you may be placed into a position where you need to contact law enforcement, perhaps even the FBI. If that happens to be the case, a recent document published by Public Intelligence outlines the things that will help you when the feds have to be called in.

Breach Response PlanThe document released on Tuesday is rather brief, yet it has a listing of what the FBI can do to help your organization during incident response, and perhaps more importantly, what the FBI needs from the organization in order to provide the best assistance possible.

Tagged as Unclassified, but Law Enforcement Sensitive, the "Pre-Deployment Checklist for Cyber Investigations" starts simple, by listing the things the FBI can do, from any one of the 56 offices in the U.S. that deal with cyber investigations.

This includes investigative interviews of the subject, victim, or any witnesses; evidence collection including forensic images of any systems; electronic surveillance (with proper legal authority); investigative analysis including e-mail header analysis, network traffic analysis, and intrusion analysis, and malware analysis.

Moreover, the FBI can deploy the Cyber Action Team (CAT) and leverage a global team of legal attachés.

“The mission of the CAT is to deploy globally at the direction of Cyber Executive Management, in order to bring in-depth cyber expertise, specialized investigative skills, and direct connectivity to those cyber initiatives, investigations, and emergencies deemed critical and significant,” the document explains.

“...Legal Attachés or LEGATS,” the document adds, exist throughout the world to support the FBI’s mission.

“These LEGATS foster strategic partnerships to local law enforcement, intelligence, and security services agencies to facilitate information exchange...”

So in order to make the process as painless as possible, what information to organizations need to make available? The list is about what one would expect if you’re in the security industry.

First the FBI says that if all possible, have as much information about the organization’s inventory as possible, including workstations, servers, routers, switches, etc. After that, an inventory of software and applications should be available as well. In short, a full asset list for the company. Something most organizations already have to one degree or another.

Network topology maps are also listed, with a note that they should provide a current, functional understanding of the organization’s network. Be ready to present a list of forward facing and internal IP addresses, as well as web, proxy, IDS, VPN, DNS, database, remote access, and firewall logs. The list also mentions the need for any locally created system images (assuming the situation centers on a compromised server or host).

If they are kept, physical access logs are also useful, as well as domain infrastructure, group policy hierarchy, and access control details. Have the organization’s legal department (or representative) prepare the necessary documents in order to assure that the information given to the FBI can be done so legally.

No one wants to think about the fact that a security incident could lead to the involvement of federal authorities. However, thanks to this little document, the process can be slightly less stressful for everyone involved and help you prepare for the worst.

The full document can be found here in PDF format.

Related Reading: Business Continuity Planning in a Cloud Enabled World

view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.