The mission of the FBI is to protect the American people and uphold the Constitution of the United States. That applies to cyberspace as well, according to Howard Marshall, deputy assistant director, Cyber Security Division, FBI.
“There are 56 field offices, with a cyber task force in all [of them],” Marshall told the audience at a recent MeriTalk Cyber Event. “What you don’t see is that we have 400 resident agencies, smaller satellite offices that report in. They’re important because they allow us to respond within a matter of hours anywhere in the U.S.”
Nor are the agency’s cyber law enforcement activities confined to American soil. Because cyber crime is a global threat, the cyber legal attaché program has personnel in about 72 countries, including China and Russia. “There are commonalities we have as civilized countries, even if our relations are adversarial,” Marshall said.
The cyber security division that Marshall leads takes advantage of those overseas attachés. “If you’re sitting in our facility in Chantilly, you’re not nearly as close to the adversary as if you’re in Prague, or Riga, or Seoul,” he said.
In addition, the FBI has detailees in the Department of Homeland Security and the intelligence community, who address cyber readiness, outreach and intelligence-gathering. “We have a fairly large footprint with NSA, slightly smaller with DHS, even smaller with the [CIA],” he said.
The motivations for cyber attacks range just as widely as in the physical world, Marshall said. “Hacktivism, crime, an insider threat, espionage, terrorism, warfare – what it is you’re trying to protect [indicates] which adversary you may be facing.”
The three biggest areas of concern for the FBI in cyberspace currently are the Internet of Things (IoT), ransomware, and business email compromise, he said.
The Mirai IoT botnet attack in 2016 involved about half a million IoT-enabled devices, Marshall said. The perpetrators, two college students, “went out and figured out who in China makes the most stuff on the Internet. They found all their products, and built their bot that way,” he said. “It was much bigger than anything we’d seen at the time.”
The students’ goal was to sell their services to the companies suffering from the botnet’s DDoS attacks, without, of course, telling those companies that they were the ones running the attacks on their websites.
The WannaCry ransomware attack in May 2017, which has been widely attributed to North Korea, targeted Windows operating systems. Marshall read excerpts from an FBI agent’s formal report on a hospital in a large urban area that was paralyzed by the attack. The hospital’s CT scanner went down, then all the machines in its radiology department.
The devices “were unpatched and vulnerable because they were considered closed systems” by the hospital, Marshall said. The attack was so severe the hospital had to put out a bypass call; for more than 24 hours, ambulances could not bring patients to its emergency room.
Just three days before his speech, Marshall said, the FBI’s Internet Crime Complaint Center (IC3) put out a notice regarding business email compromise (BEC).
Included in the notice are suggestions for preventive and mitigation approaches:
- Frequently monitor your Email Exchange server for changes in configuration and custom rules for specific accounts;
- Consider adding an email banner stating when an email comes from outside your organization, so that such messages are easily noticed;
- Conduct end-user education and training on the BEC threat and how to identify a spear-phishing email;
- Ensure company policies provide for verification of any changes to existing invoices, bank deposit information, and contact information;
- Contact requestors by phone before complying with email requests for payments or personnel records;
- Consider requiring that two parties sign off on payment transfers.
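As an added illustration of the first suggestion (not code from the IC3 notice or the article), the Python below audits a set of mailbox rules for the patterns a compromised account typically acquires in a BEC incident: forwarding to external addresses, silent deletion, and rules that hide payment-related mail. The rule records, the example.org domain and the lookalike domain are all constructed; a real export from the mail server would have to be mapped into the InboxRule shape first.

```python
from dataclasses import dataclass, field
# Assumed internal domain; any other domain counts as external.
INTERNAL_DOMAINS = {"example.org"}
# Subject keywords BEC rules commonly match to hide finance conversations.
PAYMENT_KEYWORDS = ("invoice", "wire", "payment", "bank")
@dataclass
class InboxRule:
    mailbox: str
    name: str
    enabled: bool = True
    forward_to: list = field(default_factory=list)       # forwarding addresses
    delete_message: bool = False
    move_to_folder: str = ""                              # e.g. "RSS Feeds"
    subject_contains: list = field(default_factory=list)
def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def audit_rule(rule: InboxRule) -> list:
    """Return the findings for one rule; an empty list means nothing suspicious."""
    findings = []
    if not rule.enabled:
        return findings
    ext = [a for a in rule.forward_to if is_external(a)]
    if ext:
        findings.append("forwards to external address(es): " + ", ".join(ext))
    keyed = any(k in s.lower() for s in rule.subject_contains for k in PAYMENT_KEYWORDS)
    if rule.delete_message:
        findings.append("deletes payment-related messages" if keyed else "silently deletes messages")
    if keyed and rule.move_to_folder:
        findings.append(f"hides payment-related mail in folder '{rule.move_to_folder}'")
    if rule.name.strip() in ("", ".", ","):
        findings.append("near-empty rule name, typical of attacker-created rules")
    return findings

def audit_rules(rules) -> dict:
    """Map mailbox -> [(rule name, findings)] for every rule with findings."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report.setdefault(rule.mailbox, []).append((rule.name, findings))
    return report
# Constructed sample export (not real data); the lookalike domain is made up.
SAMPLE_RULES = [
    InboxRule("cfo@example.org", "Team updates", forward_to=["assistant@example.org"]),
    InboxRule("cfo@example.org", ".", forward_to=["cfo.example@gmail-lookalike.test"],
              subject_contains=["invoice", "wire transfer"], move_to_folder="RSS Feeds"),
    InboxRule("ap@example.org", "Cleanup", delete_message=True, subject_contains=["Payment"]),
    InboxRule("hr@example.org", "Old rule", enabled=False, delete_message=True),
]
```

Running `audit_rules(SAMPLE_RULES)` flags the second CFO rule on three counts and the accounts-payable deletion rule on one, while the internal forward and the disabled rule produce nothing.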
With the frequency and severity of these three types of attacks on the rise, Paul Parker, Chief Technologist – Federal and National Government at SolarWinds, advises federal agencies to leverage tools that can help deliver a strategic advantage in cyber defenses. He stated that, “Knowledge is power, and today’s Federal IT Leaders need real-time access to data to make critical decisions.”
Parker continued, “The access to, and aggregation of this data, can be commonly overlooked, while decisions are being made that affect everything from budgets to people’s lives. Tools covering areas like Traffic Analysis, Network Discovery, and System and Application monitoring can give leaders a picture of the comprehensive IT environment. This information—overlaid with security relevant data from Performance Management and SIEM tools designed to provide both historical insights and predictive intelligence—is critical. With rapidly evolving cyber threats, the access to impactful information may matter more than ever before.”