The Federal Bureau of Investigation has been “working nonstop” investigating the SolarWinds attack, which impacted dozens of government agencies and private sector companies, said FBI director Christopher Wray at Fordham University’s International Conference on Cyber Security. The bureau is working on identifying new victims, analyzing evidence, and sharing findings from the attack.
The FBI has been beating the public-private sector cooperation drum for several years now, and Wray stuck to that theme during his talk. No one organization can deal with attacks alone, so it is important to develop relationships in and out of government, academia, and the private sector, Wray said. For example, the FBI took part in the international effort led by the European Union Agency for Law Enforcement Cooperation to take down the Emotet botnet earlier this week. That kind of disruption, which involves coordinating with multiple organizations, including Internet service providers, security companies, law enforcement, and the legal system, "demands cooperation," Wray said.
“There’s a saying that the best time to patch the roof is when the sun is shining. It’s the same concept here. We want people to start to build those relationships with their local FBI field office before they have a major intrusion,” Wray said, noting that it is difficult to figure out who to contact or what needs to be done in the middle of a crisis.
There was “no choice but to work together” after the terror attacks on Sept. 11, 2001, and the same holds true of cyber-threats, Wray said. The government is doing a better job of coordinating across its agencies, but more needs to be done to encourage coordination with the private sector. The FBI has created hubs, such as the National Cyber Investigative Joint Task Force, where organizations can work together and build relationships before there is a problem, and which allow the FBI to share information obtained from sensitive sources. And if the FBI receives information from one entity, it is in a position to use that information to stop the attack from succeeding elsewhere.
“We may not be able to share precisely how we knew you were in trouble,” but the FBI can still give the information needed to respond and remediate, Wray said, noting that the bureau was “both an intelligence and law enforcement agency.”
For the SolarWinds attack, the FBI is the “lead agency” and is coordinating the effort to identify additional victims of the attack as well as sharing intelligence that can be used “to inform operations, intelligence [collection] and network defense,” Wray said.
That level of coordination is evident in the relationship the FBI has with the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. The FBI is the agency dealing with threats, handling incident response and forensics to find out what happened. CISA is the agency for managing and protecting the assets, and so is in charge of remediation and recovery. The coordination between the two means organizations don't have to choose between response and remediation when they reach out for help. The partnership "removes the specter of the left-hand-right-hand problem," Wray said, referencing a situation where neither agency knows what the other is doing.
Cyber threat intelligence is "the ultimate team sport," Wray said.
Many organizations are reluctant to call the FBI or other law enforcement agencies in the case of an incident over concerns that their efforts to get back up and running as soon as possible may be delayed by the effort to identify the perpetrators. While the FBI wants "to make it harder and more painful for criminals to cause harm," the agency is willing to "forgo traditional law enforcement activities if we think we can make an impact some other way," Wray said. An example is how the FBI tipped off Facebook and Twitter to the presence of the Internet Research Agency, a Russian troll farm, on social media networks. It was much quicker to let the social media firms take enforcement action using their own terms of service rather than try to go through law enforcement channels.
"It doesn’t matter whose action leads us to that outcome; what matters is that we are working together," Wray said.
In remarks after Wray's talk, Matt Gorham, the assistant director of the FBI's cyber division, repeated Wray's call for organizations to reach out to the FBI for help. People should feel confident that when they call the FBI for help, the bureau knows that they were the victim. “And we know how to work with a victim,” he said.
“A lot of times this comes down to a level of comfort that we’re not out there to look at your content; what we’re really looking for are those artifacts of intrusion,” Gorham said. “It’s been my experience that there may be a hesitancy to call the FBI the first time; it’s a very quick call the second time.”