Source: Federal Bureau of Investigation FBI Crime News
Across the globe, malicious cyber activity threatens public safety and national and economic security. Criminals target organizations such as schools, hospitals, power and utility companies, and other critical infrastructure entities that serve communities.
As the lead federal agency for investigating cyberattacks and intrusions, the FBI developed a specialty group—the Cyber Action Team, or CAT—that can deploy across the globe within hours to respond to major cyber threats and attacks against these critical services.
Composed of about 65 members, CAT is an investigative rapid response fly team that leverages special agents, computer scientists, intelligence analysts, and information technology specialists from across FBI field offices and Headquarters.
“We respond onsite to victims who may include national government entities, private companies, or even sometimes foreign partner networks that have been compromised by an adversary,” said Scott Ledford, head of the Cyber Action Team and the Advanced Digital Forensics Team. “Our job is to help conduct the investigation—we collect digital evidence and locate, identify, and reverse engineer malware. We also help the victim understand when they were compromised and how, writing a timeline and a narrative of that intrusion with the ultimate goal of identifying who is responsible, attributing that attack.”
CAT was established in 2005 in response to an increase in the number and complexity of computer intrusion investigations in FBI field offices. At the time, not all field offices had personnel with the cyber expertise necessary to properly respond to and investigate sophisticated computer intrusions.
“There was this transition that was taking place between what investigations the FBI was responsible for and the types of crimes that we were starting to see,” explained Ledford. “Cyber was such a growing threat at the time, and so it became necessary that some field offices would reach out and say, ‘Hey, do you know of any cyber experts who can help me work through an investigation?”
As the team formalized its processes and expanded, in 2016, the Presidential Policy Directive 41, “United States Cyber Incident Coordination” was signed, setting forth principles for the federal government’s response to cyber incidents involving government or private sector entities. The FBI was appointed the lead federal agency for cyber threat response activities.
“From an investigative standpoint, the FBI is unique. We’re one of the few agencies in the U.S. government that has both law enforcement and counterintelligence authorities,” said Ledford. “And those authorities, and the American people’s trust in us, help us to deliver a unique blend of national security and criminal investigative skills, expertise, and resources to implement that blended response and help facilitate an investigation, regardless of whether it leads us overseas or to a courtroom here in the U.S.”
The bulk of CAT’s cases usually involve the FBI identifying an organization with a particular intrusion that’s either so complex or large-scale that the local field office requests additional assistance.
In one case, CAT deployed to a health care company that a separate intrusion investigation had identified as compromised. CAT’s response helped lead to the identification of several compromised systems and accounts on their network. While working alongside the company, CAT disrupted the threat—and prevented further exploitation across their network.
CAT also receives requests from FBI legal attachés, the State Department, the National Security Council, and the White House to assist other countries when they face cyberattacks.
“It could be a country that doesn’t have the resources or the expertise that the U.S. government has, and they’ve reached out and asked for help,” said Ledford. “There can be a NATO or a non-NATO ally country that says, ‘We’ve been hit hard by this adversary, and we don’t have the localized personnel, we don’t have the resources, we don’t have the expertise to respond to this. Can you help us with it?”
In another case, CAT deployed overseas to provide incident response support to a NATO ally that had been targeted by a destructive cyberattack. CAT responded and worked together with U.S. partners to determine the initial intrusion vector, identify other networks that were impacted, collect and analyze digital evidence, and ultimately attribute the intrusion to a foreign government. The NATO ally severed diplomatic ties with the foreign government, closed the foreign government’s in-country embassy, and evicted them from the country.
“We have some talented people, and they work hard every single day,” said Ledford. “It’s an honor to sit alongside them.”
Key Tactic: Strong Communication Skills
In addition to excellent technical skills, CAT members are closely vetted for strong communication skills. Ledford explained that part of the CAT applicant selection process entails a multi-day live technical exercise that’s designed and curated by CAT:
“We design a network environment. We may mimic an industry, for example, an electric utility. And then we compromise that environment, and we litter it with artifacts, digital evidence, and malware. Then we task applicants to investigate this cyber incident and present their findings.
At the end of the five days, applicants present their findings, and we identify who has the technical capability and expertise to find digital evidence of a crime hidden within this mountain of data that we’ve thrown at them.
If the applicant passes that phase of that selection exercise, we invite them to participate in a panel presentation. Our CAT members will play the roles of the victims we’re trying to help and their own resource teams, for example, a company CEO, a U.S. attorney, a third-party legal counsel, or IT administrator.
You’re essentially giving us the narrative of the cyber intrusion. You’re telling us a story about what happened. While some of the panel questions will be very technical in nature, some will be more basic questions—the applicant will need to be able to explain to a CEO, for example, who might not have technical expertise, what the problem was and how to fix it. We’re looking to see whether you can take something that’s exceptionally technically complex and explain it in such a way that everyone in the room understands it.
We’re also looking for interpersonal ability. For example, in the case of a company CEO, at that moment during a cyberattack, they may be going through one of the most stressful times of their company’s existence—there may be data leaked that can make or break that company’s future and their profits, as well as their ability to employ people and their ability to deliver services to their customers. You need the communications skills to interact with them during a difficult time and gain trust.”