Handling Breaches at the Bureau: A Conversation with Supervisory Special Agent Elvis Chan
FBI Supervisory Special Agent Elvis Chan who manages a squad discusses how they investigate national cybersecurity incidents
The article summarizes an interview with FBI Supervisory Special Agent Elvis Chan about the FBI Cyber Division’s role as the lead federal agency for significant data breaches and practical guidance for corporate incident response. It highlights common real-world problems—human error, business email compromise, ransomware, APTs, and nation-state attacks—while emphasizing the operational need for practiced incident response plans, cross-functional stakeholder involvement, and retention and analysis of DNS and other logs. Key outcomes include prioritizing DNS log collection and retention (ideally 3–6 months when possible), using cloud storage wisely with local backups, and investing in prevention, detection, and tabletop exercises to improve resiliency and reduce breach costs.
What role does the FBI play in investigating corporate data breaches and what should companies do operationally when a breach occurs?
According to SSA Chan, the FBI is the lead federal agency tasked with conducting investigations into significant data breaches and acts as the “boots on the ground” to find the attackers and determine what was stolen. Companies themselves remain responsible for remediation and should have an internal incident response team or retain an incident response firm to clean and restore systems. Operationally, organizations should have a practiced incident response plan developed with all stakeholders (InfoSec, DevOps, compliance, senior leadership, and legal), run tabletop exercises to rehearse the plan, preserve relevant logs and evidence, and coordinate with counsel and the FBI when appropriate.
Why are DNS logs important during incident response and how long should organizations retain them?
SSA Chan emphasizes that DNS logs are particularly useful for showing attacker intent and lateral movement, often revealing compromised hosts both inside and outside the corporate network and sometimes exposing exfiltration attempts via anomalous DNS queries or large DNS-encapsulated packets. Many organizations either do not enable DNS logging or retain logs for only one to two months, which is often insufficient because breaches frequently go undiscovered for 90–120 days. At a minimum, Chan recommends saving one to two months of logs, and if budget allows, retaining three to six months of logs to help investigators connect activity over time and identify culprits.
How should organizations balance log storage costs with the need for extended retention, and what are best practices mentioned?
The article notes that long-term log storage can be costly, particularly for larger organizations, and recommends leveraging cloud storage to reduce expenses while maintaining accessibility. SSA Chan still advises keeping a couple of external backups on site as an additional safeguard. Organizations should understand and configure cloud storage effectively for their specific environment, optimize what logs to store (focusing on those that reveal the breach), and budget for retaining more months of logs when possible. Overall, the balance involves prioritizing essential logs, using cloud economics, and maintaining local backups to ensure evidence is available for investigations.
We recently had the privilege of sitting down with FBI Supervisory Special Agent Elvis Chan who manages a squad responsible for investigating national cybersecurity incidents.
The FBI Cyber Division has been around since 2004; however, it was in 2017 that the FBI was designated as the lead federal agency during significant data breaches. “We’ll be the boots on the ground,” says SSA Chan. It’s on the FBI to conduct investigations while it’s up to the companies themselves to hire their own incident response team for remediation. “We don’t help clean up the companies’ networks… Our job is to find the bad guys, and find what was stolen.”
Malicious adversaries will continue to sow chaos and wage attacks against critical systems and sensitive data. With the growing frequency of business email compromise, ransomware, advanced persistent threats and nation-state attacks, the more we know about the cyber threats we’re facing, the better.
Prepare for the worst
“There should always be lawyers with nerds, talking in a room. Everyone get together and figure out, in the event of a breach, what’s the most important information for us to have.”
According to SSA Chan, a large majority of the breaches he’s seen are due to human error, whether that’s someone clicking a bad link or a misconfigured system. Regardless of how the breach happens though, you need to be prepared with a proper incident response plan. In preparing this plan, we look back at what cybersecurity expert Dick Clarke explained during his webinar; everyone must be involved during this planning process: InfoSec and DevOps of course, but compliance, senior leadership, general counsel, and lawyers as well. “All stakeholders need to provide their input.”
Now, it’s one thing to know the plan, it’s another to follow the plan. In the event of a breach, a plan is worthless if it is not practiced. SSA Chan explains the necessity of tabletop exercises, of putting that plan into action and making the stakes as real as possible in preparation for the real thing.
Getting to Know Your DNS Data
“At the core of every business, is data of some kind. Whether it be customer data or intellectual property… [collecting and] having server logs of where the crown jewels are kept – that’s the most important thing that I’m looking for.”
As far as DNS data, “DNS logs, in particular, are extremely useful in showing intent and lateral movement,” explains SSA Chan. “Those are interesting because a lot of the time DNS queries will illuminate other compromised boxes, either in the company’s network or external to the company’s network. You can find out where they are, corporately speaking.”
SSA Chan also mentions threat actors leveraging DNS for their own purposes through exfiltration. If there are larger packets getting jammed through DNS, that could be an indicator that there’s a bad actor trying to exfiltrate data.
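To make the two DNS signals SSA Chan describes concrete, here is an added example (not from the interview or the article) that scans constructed DNS query log lines for high-entropy hostnames and oversized responses, then groups the flagged clients by parent domain so that additional hosts talking to the same suspicious domain stand out. The log format, the thresholds, the update-svc.example names and the client IPs are all assumptions made for this example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample query log: timestamp, client IP, queried name, record type, response bytes.
# The update-svc.example names and both client IPs are made up for this example.
SAMPLE_LOG = """\
2024-03-01T09:12:01Z 10.0.1.15 www.example.com A 112
2024-03-01T09:12:03Z 10.0.1.15 cdn.example.net A 140
2024-03-01T09:13:10Z 10.0.1.15 a3f9c1e2b7d4406f9a1c.update-svc.example A 96
2024-03-01T09:13:11Z 10.0.1.15 b81e0d7c6a5f4f3e9d2b.update-svc.example TXT 1480
2024-03-01T09:20:44Z 10.0.2.40 9c4d2a7e1f0b4c6d8e5a.update-svc.example TXT 1502
2024-03-01T09:21:02Z 10.0.2.40 mail.example.com MX 180
"""

def shannon_entropy(s):
    """Bits per character; encoded or random labels score high, dictionary words low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def parse_log(text):
    """Turn the space-separated log lines into dicts."""
    records = []
    for line in text.splitlines():
        ts, client, qname, qtype, size = line.split()
        records.append({"ts": ts, "client": client, "qname": qname.lower(),
                        "qtype": qtype, "bytes": int(size)})
    return records

def flag_suspicious(records, min_label=20, min_entropy=3.0, max_bytes=1024):
    """Flag queries whose leftmost label looks encoded or whose response is oversized."""
    flagged = []
    for r in records:
        leftmost = r["qname"].split(".")[0]
        reasons = []
        if len(leftmost) >= min_label and shannon_entropy(leftmost) >= min_entropy:
            reasons.append("high-entropy label")
        if r["bytes"] > max_bytes:
            reasons.append("oversized response")
        if reasons:
            flagged.append((r["client"], r["qname"], reasons))
    return flagged

def hosts_by_parent_domain(flagged):
    """Group flagged clients by parent domain; several clients on one domain hint at further compromised hosts."""
    by_domain = defaultdict(set)
    for client, qname, _ in flagged:
        by_domain[qname.split(".", 1)[1]].add(client)
    return {d: sorted(c) for d, c in by_domain.items() if len(c) > 1}
```

Running `hosts_by_parent_domain(flag_suspicious(parse_log(SAMPLE_LOG)))` shows both internal clients querying the same suspicious parent domain, which is the kind of pivot that only works if the logs covering the dwell time were kept.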
“I don’t need everything. I need the logs that help me see the breach.”
At this point, SSA Chan notes that many companies do not save their logs for long enough. “Either they don’t turn logging on for their DNS or their firewalls or they only save it for 1 to 2 months”, even though most breaches aren’t discovered for 90-120 days.
At a minimum, you should be saving 1-2 months of logs; however, if possible and if budget allows, saving 3-6 months worth of logs can greatly help to connect the dots in finding the culprit.
Making the Cloud Work for You
It can be very costly to store all this data though, and the bigger your company, the more expensive it becomes. Cloud storage has become a great option in alleviating some of these costs. SSA Chan still believes in a couple of external backups on site for good measure. Now, while cloud does reduce the cost of storing all that data, companies still need to know what they’re working with so they can optimize the cloud for their unique framework. “The cloud is a boon. You have to know how to use the cloud and configure it.”
Key Takeaways
“There’s no shame in getting breached.” It’s just like being the victim of any other crime. Ultimately it’s about how well you bounce back, and how well you return to business as usual. This is what having a plan is all about: resiliency. Though this is not to say that you don’t need measures in place to optimize prevention and detection.
Cybersecurity is an investment. The adage “An ounce of prevention is worth a pound of cure” comes to mind. The cost of hiring an incident response firm to clean up a breach is exorbitant. Limiting access to data, putting measures in place to keep you secure and attending to everyday details can greatly reduce the potential damage, and costs, of a breach.