Who’s your fed buddy?

SAN FRANCISCO —  Let’s pretend it’s 1 a.m., Saturday, on a holiday weekend: That bleary-eyed time during which cyber intruders love to pounce. There’s been an attack, your organization’s data has been seized, and you’re trying to determine whether or not there are any decryption keys available. Who do you call? 

You should already know. If you don’t already have a relationship with law enforcement, the time to reach out isn’t “everybody’s asleep” o-clock. It’s now, says U.S. Secret Service (USSS) Deputy Special Agent in Charge/Cyber Matt O’Neill. 

“Reach out. We want to help. We want to deal with this,” he said during Contrast Security’s  Modern Bank Heists panel: one of the sessions that kicked off the RSA 2023 security conference here on Monday, April 24. 

The panel, moderated by Contrast Security Chief Product Officer Steve Wilson, also included Mastercard Chief Security Officer Ron Green. Besides being the chief of security for one of the world’s largest payment processing corporations, Green is also on the Advisory Board of the USSS: a classic private/public sector example of the conference’s 2023 slogan, “Stronger Together.”

As detailed in Contrast’s 2023 Cyber Bank Heists report, threats to the financial industry have surged 64% year over year. And with almost all of the threats that the panelists talked about — business email compromise (BEC), wire transfer fraud, digital front-running, ransomware/DOXing, account takeover and virtual currency fraud — the key to survival is to build relationships with law enforcement before the problem happens, O’Neill said. 

“These are the relationships that you need to have if you don't have them already,” he said. “Identify the agent in your office in your area, whether it's Secret Service or FBI — and not just ‘Hey, this is the general number.’ You need to know the person. You need to go out. You need to have coffee with them. Have dinner with them.” 

If at all possible, get their personal number, he advised. That’s who you call when you’re jerked out of sleep at 1 a.m. 

Call first, or figure out WTH happened?

Sharing is caring. But beyond  the USSS’s “Call us right away, we’re here for you” is the real, hairy world of incident response, where the mood is more “WTH is going on?!?!” than “Gee, I better call my Secret Service pal.” 

Businesses aren’t in the habit of reaching out in the midst of an attack, O’Neill acknowledged: a reluctance that was confirmed in other RSA sessions throughout the week. For one, during Wednesday’s Real World Stories of Incident Response and Threat Intelligence, panel participants counseled caution when it comes to sharing data too soon, before a targeted organization has had time to even validate what they think they know. Maybe. 

“Not knowing the information and data sets that are valid in that first 24 hours and how dynamic those [are] can become absolutely critical,” noted Wendi Whitmore, Senior Vice President, Palo Alto Networks Unit 42. “Not only are we, as Unit 42, responding on behalf of clients, but then we're also leading our internal … rapid response across the company. … We have an obligation to make sure that as soon as we understand what the latest threat intelligence is, and what an attack vector is, that all of our products are detecting this and are able to protect our clients.” 

For Unit 42, (and for what one assumes/hopes/prays is every security company out there), the first and foremost obligation is to make sure that products are protecting clients around the world, she said. Easier said than done, given the challenge of figuring out who needs attention, as in, how many clients are actually going to be impacted by the incident?

“Is this a thing or is it actually maybe not a thing?” Whitmore said. “It might take us 12 to 24 or even 48 hours or longer to figure that out. And then, what type of action plans [did we already put in place]?”

It probably goes without saying that even if you’re not a security company, you’ve still got a fast-moving situation, often full of uncertainty, on your hands. 

Delay$ are co$tly

But here’s the thing: Delays are expensive, particularly if the incident in question is one of the financial attacks that’s plaguing banks and FinTechs: e.g., wire fraud. 

Let’s turn the clock back to 1 a.m. again. Are you trying to figure out whether to make a ransomware payment? Well, you don’t have the luxury of waiting until Monday. You don’t have time to engage in what the Secret Service calls “the Super Bowl of finger pointing” — that mad scramble when companies try to figure out who or what, internally, was responsible for the problem. 

“The problem is that if you wait until after you've made the determination as to who's responsible, a lot of times the money is long gone,” O’Neill stressed during the Modern Bank Heists panel. The law isn’t there to “double-victimize” the victims, he said. The USSS isn’t a regulator, and they’re not interested in charging you. You can think of the Secret Service as the Clawback Department: It investigates cybercrimes and tries to recover stolen funds. They're not there to nail you because you’re not, say, Payment Card Industry- (PCI-) compliant.

“Our job is to help you,” O’Neill said. “We want to arrest [perpetrators], and we want to take their ill-gotten gains.”

The statistics tell the story: If you notify law enforcement within 24 hours, something like 55% to 60% of stolen funds will be recovered. After 72 hours, it drops to about 1%. A small team in the USSS’s global operations center has recovered close to $300 million in VC funds since 2019, in almost every instance because they were alerted within the first 12 to 24 hours. 

During the delay before the incident is reported, the criminals are moving the funds around in a series of hops in a financial flow that’s grown ever more complex: Instead of one large dollar amount fraudulent transaction moved in one hop overseas, the crooks have taken to tactics such as breaking the loot down into multiple lower dollar amounts, or eschewing traditional banks in favor of virtual asset service providers. 

Don’t hesitate, just call

I asked the panelists on the Real World Cyber Incidents and Threat Intel panel about calling law enforcement immediately in order to limit the financial pain a cyber incident response can cause if you delay in reporting it. Their response: Oh, a financially motivated incident, you say? That’s something else entirely. Yes, call right away, even if you’re not sure what you’re looking at.

It’s “critical in such cases where the U.S. government can work in coordination with other governments abroad to claw that money back,” said Katie Nickels, Certified Instructor, SANS Institute and Director of Intelligence, Red Canary

Not sure if it’s a real incident? That’s where having a relationship comes in, she said. 

“Think about establishing those relationships early,” Nickels advised. “So you have a [federal] agent where you say, ‘Hey, we saw this thing today. There's a weird wallet address. This might be unusual. We're not totally sure yet, but I want to give you an early heads up.’ 

“It’s all about establishing that trust for the incident. And then being able to say with a level of confidence, ‘we're not totally sure, but here's an early tip,’ so they can take action.”

Do you know who your local fed rep is? Are you on a first-name basis? Do they take their coffee black or with cream? Sugar? Almond milk? Kids' names?

If not, here’s your homework: Go learn. Invite him or her out for lunch. Get that personal phone number, and apologize in advance for any late night gut feelings that may result in witching-hour calls. 

While you're at it, familiarize yourself what your fed agent's dealing with: Check out the Cyber Heists Report to learn more about the latest threats that are plaguing the financial and FinTech industries and the agents who are trying to keep them safe.