The FBI’s CAT has been stalking cyber rats for nearly 20 years

"We have this whole of government approach that we take in response to intrusions that are targeting the US government and our allies," Unit Chief Scott Ledford

The FBI’s Cyber Action Team has been in place for nearly 20 years. National concern about cybersecurity didn’t start last week or last year, after all. The CAT, as the FBI calls it, started in response to an increase in the number and complexity of computer intrusion investigations FBI field offices were working. For an update on the 65-member CAT, we turn to Unit Chief Scott Ledford.

Interview transcript: 


Scott Ledford CAT, as you said, was formed in 2005. It consists of about 65 operators positioned in more than 30 field offices and divisions around the U.S., as well as three legal attachés, including Germany, Prague and The Hague. The full-time team, of course, is stationed here in Northern Virginia. We’re about 15 minutes from Dulles International Airport by design. And it consists entirely of special agents, computer scientists and information technology specialists.

Tom Temin And basically, then your mission now is helping entities in the public, in the economy that are affected by cyber threats or cyber incidents.

Scott Ledford We do. So, with a highly specialized team, we do for cyber what, say, SWAT or HRT does for the FBI. So, we respond to government agencies, other government agencies that are targeted, the private sector, even foreign partners, as a global fly team. So, we’ll respond across the world to help our partners, those victims, investigate and determine how they were compromised, identify what data was taken, potentially even help them understand and mitigate the threat in some ways, and essentially write the narrative of the intrusion to help them understand what happened, what occurred and how they can respond to it.

Tom Temin And how do the cases come to you? Do people know to call the CAT? How do you get the work over the transom?

Scott Ledford So the FBI, as you may know, has 56 field offices across the U.S., and they are responsible for day-to-day investigations, not just cyber, but counterintelligence, criminal investigative division, as well as counterterrorism. And typically, the victim in that office or a victim in their [area of responsibility (AOR)] will be compromised and they’ll notify the FBI. But more often than not, it’s actually the FBI notifying the company or the partner that they’ve been compromised. And then that field office will open up an investigation. And through that initial investigation, they’ll make a determination that they need additional expertise, or it’s just a large-scale intrusion that exhausts the local resources of that field office. So, they’ll ask CAT, our fly team, to respond on site to perform the IR, the investigative response.

Tom Temin And you said the FBI will sometimes let the entity know that it’s been compromised. And how do you know?

Scott Ledford Sometimes, just through our investigations and intelligence collections, we’ll identify information. And then in an ongoing investigation, it helps us identify that there’s another victim that’s been targeted by the same threat actor, either through, like I said, intelligence or through IP addresses that we identify. We notice that this actor is targeting other companies, and we’ll identify that company and notify them of the intrusion and then work together with them to determine the appropriate level of response. Whether it’s them working on their own to determine what occurred and to remediate, or they’re asking for FBI assistance or maybe even third-party assistance from a private sector cybersecurity company.

Tom Temin So, for example, if you know of a group in Romania or something that has been attacking health care entities, that gives you some prior understanding of where the next attack might happen.

Scott Ledford Sometimes it can, yes.

Tom Temin And what are you seeing in terms of trends? I mentioned health care, because that seems to be a really big target these days. Not exclusively, but maybe it’s the most vulnerable, and that’s where people go to get the ransomware. But what else do you see going on generally?

Scott Ledford I think we’ve seen a shift over the last couple of years where the complexity of the intrusion has increased. We’re seeing more vulnerabilities being exploited and quicker access to the systems, as well as actors living off the land, as we describe it, where they’re essentially compromising the network in some sort of way, and then compromising credentials of legitimate users on that network, and then using those credentials to move around the network and extract data. That is often more difficult for entities to detect, because from their perspective, oftentimes it looks like it’s just a user on their network, legitimate employees using that network, not necessarily an adversary who’s compromised and accessed their network.

Tom Temin And is phishing still the most common way of getting those credentials and so on?

Scott Ledford I believe phishing is still one of the most common ways that we’re seeing that. And then, as well, occasionally just exploits that are out there, often unpatched systems. We’re still seeing companies that are compromised by vulnerabilities that have been known for quite some time. I guess a good thing is that we’re starting to see a decrease in the amount of dwell time, meaning how long an actor is on a network before they are detected, either by the company or through a notification by us. But I think there’s a question as to whether or not that dwell time has decreased because of the elevation in the expertise and the capabilities to detect those intrusions, or just simply ransomware, which by nature the actors want you to know that they’re on the system once they’ve compromised it and begun encryption, because that’s where they want to exploit your data and your company and extort you financially.

Tom Temin We’re speaking with Scott Ledford. He is the unit chief for the FBI’s Cyber Action Team, the CAT. And there must be some interagency cooperation going on here. CISA is kind of the keeper of vulnerabilities and the big software trends. Do you communicate with them and some others, so that everybody knows what everybody else is up to?

Scott Ledford We do regularly. We have this whole of government approach that we take in response to intrusions that are targeting the US government and our allies. So, it’s not uncommon for us to deploy on site together with CISA, whether it’s another government agency, critical infrastructure or a private sector partner. We share intelligence, we share information with them. We notify them of our actions and our deployments, they notify us of theirs. And it’s a partnership. Specifically, it was outlined in Presidential Policy Directive 41 (PPD-41), which designates the FBI as lead for threat response and CISA as the lead for asset response. So, we do that together as a team; cyber is a team sport. We’re more effective for the American people if we do that together.

Tom Temin And when you do have a response, do people go literally on site to that company or that entity that’s been hacked? And then what happens?

Scott Ledford So more often than not, we do physically deploy on site globally, or at minimum, that may be a hybrid. We don’t necessarily send the entire team, obviously, and certainly not 65 team members; typically from 3 to 4 personnel physically on site, who walk alongside that company to help them figure out what happened and how they can respond to it and, of course, inform our investigations so we can try to hold the individuals accountable for compromising that network. So, it can be oftentimes three to four people physically there. And there’ll be a remote team who are offsite but still assisting with that investigation, which can include malware reverse engineers, intrusion analysts who are seeing the data in real time as we collect it and ingest it and normalize it and start to do analysis on it. And then they can remotely help us look at that data and help determine together what’s occurred at the victim, without overwhelming the victim or the partner with so many personnel from the US government, from the FBI, from CISA, but still affording them a good amount of resources to help them understand what’s occurred on their network.

Tom Temin Well, I imagine when you have a ransomware attack that hit your company or whatever, it’s some reassurance to have FBI agents actually show up on site. They must be a good morale booster.

Scott Ledford I hope so. We’re there to help the victim. The truth is you could do everything right and still get compromised. So, our job there is to help walk alongside that victim, help them understand what’s occurred on their network and investigate that. And obviously, we want them to be able to get back to their business as quickly as possible. And we want to be able to collect the information that we need to try to hold the individuals accountable for that, whether that’s indictments or sanctions, whatever the case may be. Our point is to conduct the investigation, gather that data, analyze it, generate actionable leads that our field offices can follow up on, and then help the victim return to normal as best as we can.

Tom Temin So you’ll log on to their systems and actually look at what happened, analysis of logs and that kind of thing?

Scott Ledford We do. So we are there under their consent. So, we ask for consent or permission from the company for us to respond. And then we work with that entity to determine what level of consent they’re comfortable with us doing. So that could mean us deploying an endpoint agent to collect data; that could simply mean them providing data for us to analyze and look at. But it can include collecting digital artifacts from their network, logs from their firewall, or any number of things that would help us understand exactly what’s occurred on their network and how they can respond to it better.

Tom Temin Most of what you read, or at least a lot of it, is that the hacking and the break-ins and the ransomware originate from outside the United States and are therefore basically beyond the physical reach of federal entities. But do you ever discover, say, a hacking ring or some nefarious group in the United States, and then you can raid them?

Scott Ledford We do on a regular basis. We do, as you said, find actors who are operating overseas, sometimes in countries that are difficult to reach, which is where some of the sanctions may come in, or some of the international cooperation that we have with our host countries that we operate in across the world. But oftentimes we’ll see them operating here within the United States, or even there’s sometimes a partnership between operators who are living here in the United States, actors who are in this country partnering with overseas actors as well. And that’s on a regular basis, where our field offices are leading the investigations to hold them accountable, conducting search warrants and arrests, implementing surveillance to try to collect data regarding them and identify who they are and where they’re at, so ultimately we can hold them accountable for this.

Tom Temin Yeah, it’s a good thing I don’t work there, because I would just want to take a sledgehammer to every computer in their place. But this stuff can be pretty frustrating. And just give us a sense of the workload in the year. How many cases do you investigate and visit on an annual basis?

Scott Ledford Sure. So, I don’t think I can get into exact numbers of how many incidents we actually respond to. I could say that it is for most, and it tends to be increasing, because this field is very complex. The actors are getting more sophisticated. So, our response and our ability to respond, we must try to at least match, if not exceed, that. So, for our ability to respond and send operators on site to conduct those investigations, we have to make sure that we have enough people, we have enough resources, that they are well-trained, that they are well-prepared, and that they are professional, to walk alongside those victims and help understand what has happened.

Tom Temin And do you have any contractor support to augment the CAT or is it strictly federal?

Scott Ledford So the team itself is strictly FBI employees. I think I said earlier, it’s a mixture of computer scientists, special agents, supervisory special agents, information technology specialists. We have contract support who help us design some of the tools that we use behind the scenes. But as far as personnel who are physically deploying on site, those are going to be primarily FBI employees, actually entirely FBI employees. And then we do have some contract analysts who help provide some forensic support to us behind the scenes.

Tom Temin And finally, what’s your metric for success? If someone has been broken into, would that be, for example, getting their data back without paying ransom?

Scott Ledford Sure. That would always be a goal on the ransomware incidents, to help the victim recover their network. In this case, that’s primarily a responsibility that the victim has. The FBI is not generally in the business of doing the remediation and restoration of a company’s network. That may be a side effect of our response, because everything that we identify and we locate, we are going to share with that company. That’s their data, it’s their network. So obviously we want them to fully understand exactly what has occurred. So, at the end of each day, we’re going to provide them with a full list and accounting of everything that we’ve located on their network and help inform their remediation and restoration process. So yeah, one success would be potentially helping them recover and prevent the payment of that ransom. It is still the FBI’s official position that we recommend not paying, for a variety of reasons.

Scott Ledford But other measures of our success could be just ensuring that the victim has been able to learn more about their network. They understand what has occurred, how they were compromised, what data was taken. Ideally, we’ve identified the initial point of compromise. We’ve determined if the actor is still present on the network, and then we’ve evicted that actor from the network and helped the victim understand exactly how they were compromised, and potentially some recommendations on how they can remediate that moving forward. And then from the FBI’s perspective, it’s gathering the information that we need to conduct a successful federal investigation, and again, hopefully leading to either an indictment here of subjects, whether they’re domestic, international or some sort of partnership, or overseas allies who can hold the individuals in their country accountable.

Copyright © 2024 Federal News Network. All rights reserved.
