When a Startup Should Call the FBI - Overview
Key topics on When a Startup Should Call the FBI
- The FBI is the national law enforcement agency and, post-9/11, also the domestic security agency.
- National security cyber matters comprise matters related to foreign states, foreign terrorist organizations, as well as domestic terrorism.
- The COVID 19 pandemic has really accelerated cybercrime.
- With the growth of ransomware as a service and the money mule network, even low-skill actors today are getting into the ransomware game.
- You should have an incident response plan that you can put into action if you fall victim to a ransomware attack.
- Business Email Compromise (BEC) occurs when someone sends you an email or text that elicits you to take some action, typically to wire money.
- With regard to intellectual property, you have to do your due diligence as an organization to protect your information.
- To report an issue, ic3.gov is cyber-focused while tips.fbi.gov is for all tips that the FBI gets.
Ben: 00:00:02.377 Welcome to Access Control, a podcast providing practical security advice for startups. Advice from people who've been there. Each episode we'll interview a leader in their field and learn best practices and practical tips for securing your org. For today's episode, I'll talk to Elvis Chan. Elvis is assistant special agent in charge, assigned to the San Francisco FBI field office. Chan manages a squad responsible for investigating national security cyber matters, and has over 14 years of experience in the bureau. Elvis has extensive industry experience from the semiconductor industry. I got the chance to interview Elvis Chan as part of the FBI's outreach program. I'm grateful for his time today and look forward to covering practical advice for helping stay secure. Hi, Elvis. Thanks for joining us today.
Elvis: 00:00:47.849 Hi, Ben. Thanks for having me.
The type of crimes investigated by the FBI
Ben: 00:00:49.183 The podcast has a lot of international listeners. For people who aren't familiar with the FBI, can you tell me a bit about what the bureau does and what kind of crimes it investigates?
Elvis: 00:00:57.510 I think for an international audience, the most relevant way to say it is that we're the national law enforcement agency. Although there are 14,000 local and state-level law enforcement agencies, we're the one that works across interstate lines. We also have an international presence, as you're aware of. We are also, post-9/11, the domestic security agency. So trying to prevent the next terrorist attack from happening or the next big cyberattack from happening. So that's the dual hat that we wear as law enforcement agency and domestic security agency.
Defining national security cyber matters
Ben: 00:01:32.804 What exactly are national security cyber matters?
Elvis: 00:01:35.924 Anything that is either related to a foreign state like — Russia, China and Iran come to mind — or a foreign terrorist organization like ISIS, Al-Qaeda, Hamas, Hezbollah. Although we would also call domestic terrorism. So anything terrorism-related. So domestic terrorism would also be a national security issue.
Ben: 00:01:56.794 And then what makes it cyber specific?
Elvis: 00:01:59.475 So anything that is related to computer intrusions, right? Like network intrusions, cyber network operations, those are all considered cyber issues that the FBI would handle within the cyber branch. So I run the cyber branch for FBI San Francisco. And we have a cyber division that's at headquarters. They are the programming division. So that's how that would work. We were also discussing that just because it's online doesn't necessarily mean it's a cybercrime. So we were talking about business email compromises where someone just gets an email and they're trying to elicit someone to do something, typically to wire money to a bad guy's account. That is not considered a cybercrime because there's no computer intrusion nexus. There's social engineering, obviously, but typically our white-collar crime squads would handle that.
Issues investigated by the San Francisco FBI field office
Ben: 00:02:50.964 As part of my research, I've learned a lot through the San Francisco Field Office website. You have bulletins of issues you cover. Can you tell me a little bit more about the specific issues that you investigate?
Elvis: 00:03:02.082 Some of the things that have been ripped from the headlines that you're aware of are the SolarWinds investigation, where we're the lead Field Office investigating the breach of SolarWinds. And then another one that you've probably seen recently in the headlines is the DarkSide ransomware variant. So that was involved in the ransomware attack against Colonial Pipeline, and our office was able to seize a significant portion of that ransom back. We are what you would consider a full-service office. We have the second largest cyber investigative program within the FBI, only behind FBI New York. We handle all the cyber threats that you would consider.
Ben: 00:03:40.271 Just because you're based in San Francisco, do you cover all national cyber matters?
Elvis: 00:03:44.609 So the way it works in the FBI — it's really venue-specific or territory-specific. So if I say AoR, that means area of responsibility. There's a lot of acronyms and jargon in the US government. Our AoR, San Francisco's area of responsibility, is the entire San Francisco Bay Area, which comprises 17 counties. And the way it works is if there is a company that is headquartered in our area that gets hit with a cyberattack, then we are responsible for it. So, for example, even though Colonial Pipeline got hit with the DarkSide ransomware attack, the first DarkSide ransomware attacks were against companies in the Silicon Valley. So we opened up an investigation, and then we keep that DarkSide variant. We're the lead office for it. And so even though Colonial Pipeline is headquartered in Atlanta, we coordinate with the Atlanta Field Office to collect the evidence we need for our investigation.
Cybersecurity advice for the c-suite
Ben: 00:04:45.957 The podcast has been mostly focused on developers, engineers and ops people. I think some of these issues also affect the C-suite. Do you have any advice on sort of issues to be on the lookout for?
Elvis: 00:04:57.884 It's all the same stuff at this point. I think what you've seen since COVID started — and we had the lockdowns last March — is that everything has been accelerated. The COVID 19 pandemic has really accelerated cybercrime and then [inaudible] sponsored computer network operations in general. What I would tell all of your listeners to listen to, whether they're in the C-suite or whether they are cybersecurity practitioners, is that I've found that supply chain compromises — I think we had just mentioned SolarWinds before — that's one of the really big deals. Ransomware has become a really big problem. And I would say a large cause of that is, A, people are working from home, and maybe going through the wireless router at home is not as secure as going through a corporate router behind a firewall. The other thing is with ransomware, there's now ransomware as a service, so you still have these large, organized crime groups that are in charge of developing the ransomware and setting up the money laundering services, the money mule network. However, they have this new thing called ransomware as a service. So just think of a fast food franchise, and you can be a knucklehead in your mom's basement. If you can afford the franchise fee, then you can just get access to a control panel like for DarkSide. And then at your fingertips, you'll be able to do scanning for vulnerable systems, and you'll be able to deploy the ransomware and you'll have access to a money mule network that will help you launder the funds and then hopefully cash out the money too. Unfortunately, it's a lot easier now, and that's why we see a lot of other actors who would typically be considered low-skill actors getting into the ransomware game.
Ben: 00:06:48.674 For people who aren't familiar, ransomware is software which would go in and encrypt your system, and you have to pay the money for the encryption key.
Elvis: 00:06:58.099 Exactly. And the official FBI stance is to not pay the ransom. And there's really two reasons for that. No.1 is — it's a [inaudible]. In my experience, about one out of every four times you pay the ransom, you get the key that perfectly decrypts all of your data. For the other three out of four times, they may give you the key, but a lot of your data will still be corrupted after you try to decrypt it. So even after you pay the ransom, you're going to be spending extra money to remediate your systems anyway. So I think it's better to just not spend the money on the ransom and put all of that towards remediation. The second reason not to do it is because you will just be emboldening the criminals. I think we're all familiar that in South America, kidnapping is a cottage industry, and we do not want ransomware to be a cottage industry. Although it is really turning into one in the last year and a half.
Ben: 00:07:51.271 I think a lot of the ransomware is sort of Windows-based. So I guess they might attack small businesses, which may not be super tech-savvy. They might have MSPs, like a doctor's office or a dental office. If you were to sort of wake up and suddenly found all of your systems had a ransomware attack, what should you do?
Elvis: 00:08:09.549 So hopefully — and this will be one of my bits of advice. My first bit of advice is hopefully you have an incident response plan of some sort, and you'll dust it off. Hopefully you had a hard copy, because if it's on your computer network, you're going to be in trouble. And then you should just start following your plan. Typically, that will involve calling all of the relevant stakeholders, right? You're going to be calling your C-suite, you're going to call your general counsel, you'll be working with your information security and the other bits of the information technology staff. And then you're just off to the races. If you're a large organization, you may have an incident response company on retainer. You may have a cyber insurance company that has a portfolio of vendors that you're supposed to use. And then hopefully maybe step 17 or step 23 has "contact law enforcement". That's where you're going to pick up the phone — typically it's on a Friday evening after your hair's been on fire — and you're going to make a phone call to me, and then we're going to talk it out and see if there's anything that we can do to help.
Ben: 00:09:11.098 And is there much you can really do?
Elvis: 00:09:13.385 I hate to say it, but it depends, right? So if it's a variant of ransomware that we know, sometimes, in very small circumstances, we do have the decryption key that we can share with you. But at the very least, what we're going to be able to do is, if you are able to figure out what variant of ransomware is attacking your company's network, we probably have an investigation on it. And we've probably already engaged with dozens of victims before. So we've collected a list of indicators that we could share back with you to help you and your remediation company to do [inaudible]. That's probably the most valuable thing that we do. We're also there to help offer guidance if you decide to pay the ransom. What are the pitfalls that you should be looking out for? What are the things to be mindful of? So we offer a wealth of at least information that we can share. And we make it a point within our field office, if you've been hit by a ransomware attack, we're going to talk to you on the phone, and we'll try to do what we can. But at the end of the day we are the FBI. The "I" stands for investigation. We're not the FBR. So it will be up to you and your incident response company to do the repair portion.
Business Email Compromise (BEC) explained
Ben: 00:10:25.840 I don't think I've had any friends who've been hit by ransomware. But one thing that does come up pretty commonly is the Business Email Compromise, which was listed under your cybercrimes. You kind of mentioned this is sort of more of a white-collar crime. But for people who are unfamiliar with BEC, can you sort of say what it is?
Elvis: 00:10:44.674 Yeah, absolutely. So BEC – business email compromise. So yeah. You're using the term that we like to use within the industry. That is where someone is either sending you an email or a text, and it is just eliciting you to do some action. Typically, they are pretending to be a vendor or a contractor or someone who you are expecting to send money to. And what they will do is they will say, "Here, I am your vendor and I've changed my bank account. Please wire money to this new account." A lot of people fall for it, right? They're working quickly. Everyone is overworked, understaffed at this point, trying to get everything done. And they may not realize that they've just wired money to an account controlled by a bad guy. And they may not notice because in most of the cases for BECs, the bad guys will use a domestic account. They'll have set up a money mule network. So if you ever see signs on the side of the road that say, "Do you want to work from home?" A lot of times you are being a money mule, right? So you have set up an account. Money will just mysteriously land in that account. You can take one hundred bucks off or whatever if they allow you, and then you're supposed to send it on to another place. And so that way, they'll launder money domestically. But inevitably, these money transactions end up going overseas. Now I do have one bright spot. So there are too many of these business email compromises for us to open a case on every one. But we've set up this thing called "the financial fraud kill chain". And so if you go to our website, ic3.gov, you can just fill out this form and send it to us. And I promise you that we have human beings looking for financial fraud kill chain requests 24 hours a day, 7 days a week. Because we know that if we can act on it in the first 24 hours, we have an 82% success rate of clawing your money back. Those were our statistics as of last year.
When the crime should be reported
Ben: 00:12:43.413 Yeah. I think my follow-up question is: At what point should the crime be reported? I'm guessing within 24 hours of wiring them the money.
Elvis: 00:12:49.981 Yeah, absolutely. Within 24 hours. Anything shady that you see happen, even if it doesn't involve any loss to you. If you have email addresses or bank accounts or any of that information to share that belong to a bad guy, we would greatly appreciate you sharing that information. Because it could be connected to an existing investigation. And then we'll be following up with you to see what else happened. But at the very least, you can at least report it to us online. And it'll literally take you five minutes.
Defining and protecting trade secrets
Ben: 00:13:20.254 Moving on. Another sort of issue is intellectual property. It's a big concern for Bay Area companies, both, I think, for insider threats, competitors and possible nation states. How are trade secrets defined, and when does a trade secret become an intellectual property crime?
Elvis: 00:13:39.658 So that is a good question. So full disclosure, I'm not a lawyer. But the way trade secrets work is pretty much: how is it handled? How is this information handled? And so you have to do your due diligence as an organization to protect your information. And it can't just be, "Oh, well, we're leaving it out in the open in this file and whoever can access it." There have to be at least certain levels of security. Because at the end of the day, if we catch the bad guy, they'll say, "Well, this wasn't a trade secret because they just left it on their publicly facing website." Or they did not securely configure their website properly, and anyone can just scan it and find that information. So you need to be able to securely store your data, whether it's electronic or physical. And that's one of the ways that you can tell whether something is a trade secret or not, right? Like that recipe for Coca-Cola, right? You hear it's in a double safe in Fort Knox, somewhere in Georgia. Well, that will let people know that, yes, we are doing our due diligence to treat this as a trade secret. And then the theft happens when, despite all of your security measures, someone is able to thwart them and then abscond with your information and then use it for their own purposes.
FBI involvement in investigating financial issues
Ben: 00:14:58.552 Lastly, the last sort of category I found was financial issues, either securities or wire fraud. This is also a pretty common one for Bay Area companies I've heard about in the startup world. Can you tell me how the FBI is involved in these types of investigations?
Elvis: 00:15:13.202 Both of those types of fraud, like securities fraud — actually, there's a big trial going on right now, the Theranos trial, right? So that's an investment fraud situation. So the FBI, we prosecute those types of crimes all the time. A lot of the time we really rely on referrals from the public. Typically, it is former employees at a company who see some shady dealings and do not want to be a part of it, or it's current employees who know that something is going on. Sometimes regulators are able to catch things, or we will get anonymous tips. But that's how we usually learn about these types of fraud — just through the regular gumshoe law enforcement techniques.
At what point a CSO should consider contacting the FBI
Ben: 00:15:54.055 If you're an employee and you think something sort of fishy is happening at your company, what's the best way to sort of report a possible issue?
Elvis: 00:16:01.269 You can also use ic3.gov. Or you can just go to tips.fbi.gov. Either of those will work. So IC3 is mostly online-focused, cyber-focused. tips.fbi.gov — that's for all of the threats or all of the tips that we get.
Logs and data that are useful to keep
Ben: 00:16:18.254 From past episodes, I've worked with a lot of CISOs. At what point should a CISO consider contacting the FBI? This kind of goes back to your point earlier of — you have a checklist. As you're going through that checklist, what sort of things do you look for once you start the interaction — what sort of logs and data are useful to provide to you?
Elvis: 00:16:38.977 I'll take the first part of that question. Yeah. If you have an incident response plan, you'll have some sort of internal company measure of — and it'll typically be a data loss, right? Like we've lost this many thousands of customer records, or we've been damaged financially this amount of money. So the federal statute, it's only $5,000. But as you can imagine, we can't just take every $5,000 case. We have to prioritize based on financial losses. So typically, we will get a call from a CISO. It depends on the situation, because if it's someone who's never dealt with us before, they may call us only when it's a very high amount. Although if we've already established a relationship, then they know they can just pick up the phone and call me and we can talk it out. I'll be honest, right? Like, "Hey. I don't know if we would be able to open an investigation for this. The financial threshold is not enough. Hey. It doesn't seem like you have any financial loss or data loss at all." And yeah, we'll be able to have that conversation. I guess I'm going to give my second tip, which is that people and organizations should already have established lines of communication with their local FBI field office. Just so that the first time you're calling the FBI isn't that frantic Friday evening. You at least have an email or you'll know who to call ahead of time. So that when you're following your incident response plan, you can just, as you said, check things off.
Ben: 00:18:08.884 For keeping logs, I know there are certain requirements if you're going through FedRAMP or HIPAA. When do you kind of get them —? What sort of logs and data are useful for an investigation?
Elvis: 00:18:20.669 So I would say all of the logs that you would think of for doing your own incident response. So these are going to be the firewall logs, these are going to be your mail server logs, they're going to be your antivirus logs, they're going to be just your typical Office and Windows logs. Those are all super useful for us. What I always like to say is people usually do not realize that they've been breached until 90 days after the breach actually happened. So it behooves your organization to have at least 90 days' worth of logs. I would prefer 6 months to 12 months' worth of logs, just because the average is 90 days from breach to detection. That doesn't mean that there aren't people who have been hacked for a year and not realized it. And we've had companies that have not realized they've been hacked for a year until something really shady happens or the bad guys make a mistake and they trip whatever alarms. But having at least a year's worth of logs really will help us in our investigation.
What to do if an adversary is in the network
Ben: 00:19:21.258 Yeah. And honestly the podcast is called Access Control. If an adversary is in the network, what should you do?
Elvis: 00:19:26.771 So I think it depends on what type of organization you are. But most of the time you're going to want to cut them off, right? That means cutting your internet connection and then trying to figure out what the heck happened. That's the majority of cases. I know that there are companies that are a little more sophisticated and they've set up honeynets, right? So to try to draw in the actors so that they can learn more about their tactics to share with their incident response company as well as with law enforcement. I would say in most cases, I don't recommend doing this, because the bad guys could be distracting you and you think you've got them covered. But while you're looking in front, they're sneaking in some other backdoor that you didn't even know they had open.
Ben: 00:20:08.896 Yeah. I guess if they have lateral movement in your network, it's probably already game over.
Elvis: 00:20:14.217 Exactly. Exactly. So disconnecting from the internet is pretty much the safest bet.
Supply chain risks
Ben: 00:20:19.545 Right. Yeah. And another common theme that's come up of late has been around supply chain risks. We've seen a lot over the last year with various companies running into their supply chain getting compromised. Can you tell me about how the FBI works in this area?
Elvis: 00:20:37.634 Both the cyber program in the FBI and the counterintelligence program of the FBI — we are both really focused on this. From the cyber aspect, it's obviously related to the technology companies that comprise your network or that are part of your network. All the software companies, the hardware appliance companies, that's where we're really focused. And then on the counterintelligence side, they're very hardware focused, as well as: where are these vendors from? Where are they located? Who could they potentially be working for? And I think you and I both know in this industry, much of the stuff that we are using right now is made in China, manufactured in China. But I would say that there's a big difference between something being manufactured in China and something being designed in China, right? So if it's American-made — there are a lot of prominent companies that are American-made but still manufactured in China. I would — from a risk management standpoint — still think that's safer as opposed to Chinese-designed and Chinese-manufactured.
Ben: 00:21:39.917 We have lots of customers and companies who use open source software, and they often include lots of external libraries — I guess that's sort of your bill of materials, which I guess also applies for hardware and software.
Elvis: 00:21:52.694 At the end of the day, you have to make money. It's all about risk management. It's all about, as long as you're aware of what your exposure is and you can weigh what the risks are and you have taken enough mitigation strategies for these risks — that's all you can do at the end of the day. How would you ever make money if you were just like a little turtle and you just hid in a hole? You would not make any money at all, right? So you have to get out of your shell, get out of the hole, and you have to be able to take on some risks. But it has to be a smart risk. And then you have to have contingencies in place so that you can be resilient and snap back after you've been breached, because invariably every single organization — FBI included — will be breached, right? So we were impacted by the SolarWinds investigation. We were able to snap back. That's really the key.
Ben: 00:22:43.355 And I know we had the ex-VP of Security from npm, which is common for node modules. And he said, actually, a lot of it would be around — it would be like script kiddies trying to run crypto miners on infrastructure. And I guess that's very different from a nation state attack. If you think [inaudible] is more mischievous than to [inaudible] script, can you do that sort of change when you should interact with the FBI, or how should you report it?
Elvis: 00:23:13.904 No. Absolutely. I mean, I would ask people to feel comfortable reporting to us regardless of if it's a script kiddie or a nation state. But these are very different levels, and your information security personnel are going to be able to tell. Like for the SolarWinds investigation or for Hafnium. When Microsoft announced that, that's very bespoke, it is very tailored and it screams nation state. Obviously, there should be more concern with that in general, and you would definitely call the FBI if you think there is an advanced persistent threat involved. If there's a script kiddie, typically you have the technological wherewithal to be able to boot them off, right? And I'd still appreciate you reporting that through ic3.gov so that we can handle them. Because a lot of times if these are 16-year-old, 17-year-old — invariably boys, I don't know why — in their mom's basement doing these things, we can just go and knock and have a talk with them and say, "Hey. You're a smart kid, why don't you stay on the straight and narrow? Don't try to steal stuff or become an affiliate for a ransomware career. You should just go to college, get a computer science degree and then work for one of these tech companies." Just like you.
Ben: 00:24:25.613 Yeah. I mean, that's a great point. So I have a young daughter, but when she's older, possibly trying to hack people — and if parents are in a similar situation, do you know of any sort of programs that help the black hat turn into a white hat?
Elvis: 00:24:42.618 I think having good parental involvement is the best. But there are lots of good nonprofit organizations, right? Girls Who Code. There's a lot of good ones right now. And I think both of my daughters have taken coding classes in school and in summer programs. And this is just a regular thing now. And since we both admitted that we have daughters, I do want to say that the disparity in the technology field, especially around coders and programmers, is heavily skewed male. I think the last statistics I saw were 80% male, and that's not right. I think the more diversity that we can have in all industries, the better off it will be.
The best way to send a tip or work formally with the FBI
Ben: 00:25:24.470 I think we've covered this already, but the TSA says — I don't know if it's actually the TSA that says this, but they say this on the London Underground: "If you see something, say something." What's the best way to send in a tip or work more formally? Kind of, as you said, it's good to get introduced to the local field office.
Elvis: 00:25:40.391 If you just want to report a tip because you're tired of that Nigerian prince sending you emails, then ic3.gov is the way to go. If it's something that you don't think is cyber-related, but you think the FBI should know about it, definitely "see something, say something" — go to tips.fbi.gov. Or you can just go on to your favorite search engine and try to figure out where your local FBI office is. We have operators 24-7 who are ready to take calls.
Making the career change from tech to being an agent
Ben: 00:26:11.290 Changing gears a little bit. I've met a few agents when I used to live in San Francisco, now in Oakland. Often the first time you meet an FBI agent, you have a certain archetype in mind, and they're very different. Do you have any advice for people similar to yourself who are thinking about changing careers from industry to joining the bureau?
Elvis: 00:26:31.028 I hadn't told you, but I had actually worked in the semiconductor industry for 12 years before I joined the bureau. So we are always looking to hire a more diverse workforce. And every type of job skill that you can imagine, we need within the FBI. If you're specifically looking at the special agent ranks, then we're definitely hiring for diversity. But right now, we're leaning more heavily on those who have a technological bent, those who have a financial bent or those who have a background like a law degree. So we have some pretty highly qualified people who gave up lucrative jobs so that they could work for the FBI and other government service as well. But we're really hiring all types of people. Anything that you can imagine, we definitely need in the FBI.
Ben: 00:27:21.763 Then how did you find the change from the semiconductor industry to cybercrimes? Because I guess semiconductors — it's a very [inaudible] sort of industry. Six Sigma — it's probably the same, process-driven, but also kind of different.
Elvis: 00:27:33.281 It's completely different. Yeah. We don't use Six Sigma. There's no black belt going on in the FBI except for actual martial arts. I would say the company I worked at — I'm not going to name it, but it was a very large bureaucratic corporation. And so I slid into a very large governmental bureaucracy. So for me, the transition was actually pretty easy. I think the difference is — as an engineer, if I'm doing a really good job, what that means is I'm generating more profit for my company. However, in the FBI, if I'm doing a really good job, I'm either saving people's lives or I'm preventing someone's life savings from being stolen or I'm preventing a human being from being trafficked for prostitution, right? So they're very different objectives, and I would say that it's much more of a fulfilling career, at least for me.
Closing tips for startups big and small
Ben: 00:28:25.707 So coming up onto the end, do you have any last closing tips for startups either big or small?
Elvis: 00:28:31.227 I've already said no.1 — establish communication with your FBI office. No.2 — have a good incident response plan. So I have two more tips. No.3 — if you're not using multifactor authentication to be able to access your email or your corporate networks, you have to do that. That will take care of the vast majority of problems. And then the fourth piece of advice is for ransomware attacks. The no.1 key to handling your ransomware attack is prevention, and that's through backups, right? So back up your most critical data. And for your listeners, I'll make this apply to them in their real life. We like to use the 3-2-1 backup method. So you should have at least three backups of your most critical data on two separate mediums. So typically, that's a solid state external drive and the cloud, right? And then one of your backups should be offline at all times, because we have observed that with all the new variants of ransomware, they find your online backups and they corrupt them. Those are the four tips. You will be in so much better shape and ready for that breach when it inevitably happens.
Ben: 00:29:41.588 Those are some great tips to close out. Thank you so much for your time today.
Elvis: 00:29:45.184 Well, thank you for having me, Ben.