Handling Breaches at the Bureau: A Conversation with Supervisory Special Agent Elvis Chan
We recently had the privilege of sitting down with FBI Supervisory Special Agent Elvis Chan who manages a squad responsible for investigating national cybersecurity incidents.
The FBI Cyber Division has been around since 2004; however, it was in 2017 that the FBI was designated as the lead federal agency during significant data breaches. “We’ll be the boots on the ground,” says SSA Chan. It’s on the FBI to conduct investigations while it’s up to the companies themselves to hire their own incident response team for remediation. “We don’t help clean up the companies’ networks… Our job is to find the bad guys, and find what was stolen.”
Malicious adversaries will continue to sow chaos and wage attacks against critical systems and sensitive data. With the growing frequency of business email compromise, ransomware, advanced persistent threats and nation-state attacks, the more we know about the cyber threats we’re facing, the better.
Prepare for the worst
“There should always be lawyers with nerds, talking in a room. Everyone get together and figure out, in the event of a breach, what’s the most important information for us to have.”
According to SSA Chan, a large majority of the breaches he’s seen are due to human error, whether that’s someone clicking a bad link or a misconfigured system. Regardless of how the breach happens though, you need to be prepared with a proper incident response plan. In preparing this plan, we look back at what cybersecurity expert Dick Clarke explained during his webinar; everyone must be involved during this planning process: InfoSec and DevOps of course, but compliance, senior leadership, general counsel, and lawyers as well. “All stakeholders need to provide their input.”
Now, it’s one thing to know the plan, it’s another to follow the plan. In the event of a breach, a plan is worthless if it is not practiced. SSA Chan explains the necessity of tabletop exercises, of putting that plan into action and making the stakes as real as possible in preparation for the real thing.
Getting to Know Your DNS Data
“At the core of every business, is data of some kind. Whether it be customer data or intellectual property… [collecting and] having server logs of where the crown jewels are kept – that’s the most important thing that I’m looking for.”
As far as DNS data, “DNS logs, in particular, are extremely useful in showing intent and lateral movement,” explains SSA Chan. “Those are interesting because a lot of the time DNS queries will illuminate other compromised boxes, either in the company’s network or external to the company’s network. You can find out where they are, corporately speaking.”
SSA Chan also mentions threat actors leveraging DNS for their own purposes through exfiltration. If there are larger packets getting jammed through DNS, that could be an indicator that there’s a bad actor trying to exfiltrate data.
“I don’t need everything. I need the logs that help me see the breach.”
At this point, SSA Chan notes that many companies do not save their logs for long enough. “Either they don’t turn logging on for their DNS or their firewalls or they only save it for 1 to 2 months”, even though most breaches aren’t discovered for 90-120 days.
At a minimum, you should be saving 1-2 months of logs; however, if possible and if budget allows, saving 3-6 months worth of logs can greatly help to connect the dots in finding the culprit.
Making the Cloud Work for You
It can be very costly to store all this data though, and the bigger your company, the more expensive it becomes. Cloud storage has become a great option in alleviating some of these costs. SSA Chan still believes in a couple of external backups on site for good measure. Now, while cloud does reduce the cost of storing all that data, companies still need to know what they’re working with so they can optimize the cloud for their unique framework. “The cloud is a boon. You have to know how to use the cloud and configure it.”
Key Takeaways
“There’s no shame in getting breached.” It’s just like being the victim of any other crime. Ultimately it’s about how well you bounce back, and how well you return to business as usual. This is what having a plan is all about: resiliency. Though this is not to say that you don’t need measures in place to optimize prevention and detection.
Cybersecurity is an investment. The adage “An ounce of prevention is worth a pound of cure” comes to mind. The cost of hiring an incident response firm to clean up a breach is exorbitant. Limiting access to data, putting measures in place to keep you secure and attending to everyday details can greatly reduce potential the damage, and costs, of a breach.