Time
5 hours 19 minutes
Difficulty
Intermediate
CEU/CPE
5

Video Transcription

00:00
5.7 Working with law enforcement. The objectives for this lesson include understanding what to expect when working with law enforcement and discussing the risks and benefits of working with law enforcement during a cyber incident. Here's a few things that you should have considered and have as part of the I R plan we're discussing
00:20
first,
00:21
who do even call if there's a cyber incident? Is that your local police department? Is it the state Police? Is that the county sheriff? Is it the FBI or the Secret Service? If I were to ask you that question right now, would you have a good answer for me? Most of the time, my findings eyes no. Nobody really knows who they would call, and they haven't really given a lot of thought.
00:41
So this thought provoking, hopefully course, is to get you to think about these things before any of this happens.
00:49
Usually your local police department is not the right answer in.
00:54
This may be not the case, though, if you're in a large metropolitan area. But the majority of law enforcement agencies across the U. S.
01:02
Are very small. They don't have full time cyber units. They have no way to deal with any of the things that we've talked about in this course, and if you were to go to them and report a cyber incident, they would probably refer you to somebody else.
01:15
So don't expect a lot of help from your local police department again unless you're in a major metropolitan area.
01:23
There may be
01:25
regulatory and legal requirements, though, that you report something. Tow law enforcement if you maybe are a grant recipient. If you are in a highly regulated area or organization or business, you might have a requirement to report things. Tow law enforcement. So be aware of what those might be.
01:45
Usually, we see federal law enforcement handling businesses that air compromised, and by handling that could be a broad term. It might be that they say, Okay, thank you for letting us know. Here's a case number. There's not much else we can do for you because we don't have the resource is
02:01
or it might be something that they do actually help you out with.
02:06
But it is going to depend greatly on the type of attack who we think the Attackers are and the capabilities of your organization
02:15
consider looking for local chapters of in for guard. This is an organization that is sponsored by the FBI, and these are usually made up of local business leaders and
02:29
could be financial institutions, private businesses, nonprofits, law enforcement that all get together. And there's chapters all across the United States and its one. It helps you identify who law enforcement contacts are
02:43
because there will be somebody from the FBI assigned to the chapter, but to it also helps network because sometimes other businesses may be great. Resource is for you if you know them on assistance during incidents or sharing indicators of compromise or other intelligence that you might be able to share amongst yourselves. So it
03:01
requires a background check and other things to be part of the in for guard program.
03:06
So it's something you might want toe look into.
03:09
So what can you expect from law enforcement? And this comes from my personal experience and I'll and also the experience. Since coming out of law enforcement, the bottom line is law enforcement is overwhelmed and under resourced in cybercrime.
03:23
There are no cyber crime task forces out in the United States that air sitting waiting for somebody to call them.
03:31
Everyone has an overwhelming case load, and they have a backlog. So the chances of somebody jumping right on what you've got going on is slim to none. Unless it may be ties into another investigation. They're already working.
03:47
They might provide you with a case number, and that could be it. And that may be all that's required from an insurance company or some other regulatory agency.
03:57
Don't expect law enforcement to respond or get actively involved unless there are unique circumstances. And I've touched on those briefly.
04:05
If law enforcement does get involved, however, they won't take over. But they may provide guidance and suggestions. They have to be a little bit careful about what they dio, although they have quite a bit of immunity in these cases.
04:19
But they may provide you some guidelines or some assistance if they have a lot of skills in this area.
04:29
I've noticed most law enforcement agencies that have cyber crime task forces are particularly good at digital forensics and host based investigations.
04:42
It's not as common to find law enforcement agents that are really well versed in incident response network forensics and all the things we've been talking about in this course, not saying they don't exist. They certainly dio, but they're just not widespread.
04:58
You won't find him in every field office or every local law enforcement agency or even cyber crime task forces.
05:04
Will you find people that have this kind of background because they usually if they've grown up in law enforcement, they haven't done this kind of work hands on? They're not responsible for the security of the police network. They are law enforcement officers. So it's usually the people that sometimes leave law enforcement and go to work for
05:24
large organizations that do incident response full time.
05:28
That's where you'll get a lot of the people with experience. But rarely is it going to be within the law enforcement organization that you reach up again. I'm not saying there are. They don't exist. They're just not that common.
05:39
And, um, just remember their motivations are different than yours. So their motivation is going to be to uncover evidence of crimes and to prosecute those crimes or if it's a national security,
05:54
uh, incident, to uncover evidence of that and use it in counterintelligence investigations or other things that they may be working on.
06:01
Their motivation is not the profit and loss is of your company. It's not the reputation of your nonprofit. Those things are they may think of them, but certainly not their motivation. So just be aware of that.
06:15
Some benefits of working with law enforcement include they may be able to obtain additional records to help you out. So they've got multiple capabilities at their disposal, from subpoenas to court or search warrants to look for things like Who owns an I P address or what I P address may be associated with an email address.
06:34
Law enforcement will have the ability to
06:38
use subpoenas to trace down the Internet service provider that was assigned to particular I p address and then through that, ultimately get to the subscriber or business or individual that had that I p address at the date in time that the activity occurred.
06:55
Now they probably aren't going to to share this with you because privacy regulations and other things would prohibit that. But they could give you some clue as to what you might be looking at or also give you an idea of who you may want to follow. up on with your attorney to do a court order with or some sort of a subpoena to. So
07:15
they certainly have information at their disposal that you most likely don't
07:19
some of that they'll share with you some of that they can't.
07:23
Law enforcement involvement may buy you some time between reporting requirements. So
07:29
if the law enforcement gets involved and they say we are actively getting involved in this investigation, please don't tell anyone about our involvement or about the details of this investigation. That way, when you do report it, if you are asked about why you had a delay in reporting,
07:44
you can cite the law enforcement investigation and their request for you not to report it to anyone.
07:49
Get that in writing, of course, from law enforcement. Have them send you an email. Or maybe email won't be the best thing in this circumstance. But have them give it to you and writing. So you can say, Here's the date and time We contacted law enforcement and here was their advice and request of us not to report this.
08:07
Law enforcement may handle evidence now this is great. They're very well versed in chain of custody and all the evidence issues that I've already talked through. So if they agree to handle the evidence, then by all means, that might be a great way to make sure it will be preserved correctly, handled appropriately and usable in some sort of a legal proceeding later on down the road,
08:26
law enforcement may give certain some credibility. So if you go to your border of directors and say we're in the midst of an investigation and we're working with the FBI or the U. S. Secret Service or Department of Homeland Security, that in and of itself may give you some credence and credibility.
08:45
It also might defer some of the questions that you would
08:48
usually be asked because you're in the midst of this investigation
08:52
and it also can help share information from you to others. Because, of course, we want to be good citizens and make sure our other people on businesses and folks we interact with understand what the IOC's are that we saw so they can look for them on their network.
09:07
But also, law enforcement may be able to share with you some things that they've learned that you wouldn't have known about either,
09:13
from different victim organizations that they've worked with.
09:18
All right to wrap up with some quiz questions. One of the benefits of involving law enforcement in your cyber investigation. Maybe
09:28
A. They may be able to obtain additional records and evidence
09:33
be they may have more experience than in how search members
09:37
see their involvement may give the investigation credibility or d all of the above.
09:46
Okay, the answer here is D All the above. Those are all things I mentioned that may help you and maybe a benefit to having law enforcement involved in your investigation.
09:56
So to wrap up, we talked about what to expect when working with law enforcement in your investigation, and we also talked about the risks and benefits of working with law enforcement during a cyber incident.

Up Next

Incident Response Lifecycle

This intermediate-level course will provide the student with in-depth instruction on the lifecycle of cybersecurity incident response.

Instructed By

Instructor Profile Image
Josh Moulin
Instructor