
Boardroom Tool

Incident Response and Reporting to the FBI

By FBI Cyber Division

04/16/2026


This tool, featured in the fifth edition of the NACD-ISA Director's Handbook on Cyber-Risk Oversight, covers actions the Federal Bureau of Investigation (FBI) and US Department of Justice (DOJ) can take against cyber actors, and when and how to report a cyber incident.

Introduction

The benefits of reporting a cyber incident to the FBI are more evident today than ever before. FBI Cyber is equipped with a highly skilled and strategically placed workforce, prepared to assist after a cyber incident in the United States and 20 countries. Our mission is rooted in service, driving us to share relevant information and practical tools that can help victims mitigate threats in real time.

With every engagement, we harness our partnerships, expertise, global footprint, and unique investigative and intelligence authorities to support victims:

  • The FBI has specially trained cyber squads in each of our 56 field offices, working hand-in-hand with interagency task force partners.
  • The FBI leads the National Cyber Investigative Joint Task Force (NCIJTF), a task force of more than 30 co-located agencies from the intelligence community and law enforcement.
  • The rapid response Cyber Action Team can deploy across the country within hours to respond to major incidents.
  • With cyber assistant legal attachés in embassies across the globe, the FBI works closely with our international counterparts to seek justice for victims of malicious cyber activity.
  • The Internet Crime Complaint Center (IC3) collects reports of internet crime from the public. Using such complaints, the IC3’s Recovery Asset Team has assisted in freezing hundreds of thousands of dollars for victims of cyber crime.
  • CyWatch is the FBI’s 24/7 operations center and watch floor, providing around-the-clock support to track incidents and communicate with field offices across the country.

How Can the FBI Assist After a Cyber Incident?

When you report a cyber incident, the FBI may be able to take the following actions: 

Identifying and stopping the activity
  • Information Sharing: FBI agents who are familiar with patterns of malicious cyber activity can work with your security and technical teams to help you quickly identify threats and understand the context of the incident.
  • International Partnerships: The FBI has Cyber Assistant Legal Attachés around the world and can leverage the assistance of international law enforcement partners to locate stolen data and identify perpetrators.
  • Recovery Asset Team (RAT): The FBI’s RAT was established in February 2018 by the FBI’s Internet Crime Complaint Center (IC3) to streamline communication with financial institutions and assist with the recovery of funds for victim companies that made transfers to domestic accounts under fraudulent pretenses. The FBI’s RAT had a 66 percent success rate in 2024, freezing over $469 million of fraudulent domestic transfers and $92 million of international transfers.
  • Apprehend or Impose Costs on Cyber Actors: The DOJ and FBI can bring forth indictments and other deterring actions to degrade cyber actors’ capabilities.

Seizing or disrupting the actor’s technical infrastructure

DOJ and FBI have a mounting record of successful court-authorized operations to disrupt cyberattacks, counter ransomware, or neutralize botnets that have hijacked millions of innocent computers worldwide. The DOJ and FBI’s unique authorities allow actions to be taken against cyber actors’ technical infrastructure that private companies cannot legally take on their own.

Sharing valuable insights from other investigations that may help mitigate damage and prevent future incidents
  • Disclosing information about an incident to the FBI enables investigators to make connections among related incidents.
  • This enhances the FBI’s ability to share valuable insights and information regarding the perpetrator’s tactics, tools, and techniques. Such information may allow you to better protect your company’s network and assist the FBI in identifying and warning you (and others) of future malicious activity.

Supporting your organization’s data breach response
  • Under many federal and state laws, law enforcement may be able to temporarily delay otherwise mandatory data breach disclosures when law enforcement determines doing so is appropriate for investigative reasons.
  • Proactive reporting to law enforcement may help your organization deal with government regulators such as the Federal Trade Commission, which has declared that it will look more favorably on a company that has reported a cyber incident to law enforcement and cooperated with the investigation than on companies that have not.
  • If an incident becomes public, cooperation may strengthen your organization’s position with shareholders, insurers, lawmakers, and the media.

When Should You Report a Cyber Incident?

Organizations should report a cyber incident as soon as the incident is verified. Reporting should be as timely as possible to best enable attribution of an attack, since speed is often the critical element of a credible attribution. Additionally, reporting to the FBI avails the organization of protections provided to victims and witnesses. The FBI’s cyber mission puts victims first, and the FBI will continue to treat victim information as sensitive and safeguard it from unwarranted or unnecessary disclosure.

Organizations that experience a cybersecurity incident are encouraged to preserve original evidence relevant to the incident. Generally, the most important pieces of evidence are log files (from critical servers, network appliances, security information and event management (SIEM) solutions, etc.), malware samples, and pre-remediated access to disk drives and memory of compromised computers. Such information is generally not privileged information (attorney-client, work product, etc.), and the voluntary and proper sharing of cyber threat information by a company or its counsel for cybersecurity purposes generally does not expose companies to additional liability. Furthermore, any report should be made in coordination with the organization’s legal team to comply with statutory and regulatory requirements, as applicable.

Electronic evidence dissipates over time, so speed is essential in a cyber-intrusion investigation. Enlisting the FBI’s help during an incident enables quick investigative action and allows the preservation of evidence, which increases the odds of a successful prosecution or other action to disrupt the perpetrators. 

Proactively building relationships with key government agencies, especially your local FBI field office, and with your sector risk management agencies, facilitates a successful response to a cyber incident. The FBI provides companies with a dedicated point of contact if an incident should occur and provides access to FBI cyber mitigation resources.

What Should Be Reported?  

An array of technical data and incident information can prove helpful for investigators, including:

  • indicators of compromise (IOCs), e.g., threat actor IP addresses
  • threat actor tactics, techniques and procedures (TTPs)
  • threat actor communications, e.g., ransom notes, TOR addresses
  • event timeline
  • nature of the incident
  • point of contact for regular communication with investigators
  • logs from the affected machines
  • images of the affected machines
  • actions that have been taken
  • forensic reports

How Will the FBI Protect My Organization’s Interests and Information?

Federal law enforcement agencies investigating cyber incidents seek first and foremost to assist victim entities as well as identify and apprehend those responsible for a cyber incident. The FBI is not a regulatory agency, and efforts are directed toward investigating the intrusion, not judging the adequacy of defenses in place.

The FBI needs technical details about an intrusion (e.g., malware samples) to advance its investigation, not privileged communications or other documents or communications unrelated to the incident. The FBI will work closely with a victim company’s counsel to address concerns about access to information.

The FBI is mindful of the reputational harm that a cyber incident can cause a company or organization. As such, the FBI does not publicly confirm or deny the existence of an investigation and will ensure that information that may harm a company is not needlessly disclosed.

The FBI prioritizes causing as little disruption as possible to normal business operations. On-site investigations are carefully coordinated with your company to minimize the impact, including, for example, by working around your organization’s schedule and minimizing system downtime.

Further Reading

InfraGard

InfraGard’s network of 80+ US chapters unites businesses, academia, and law enforcement to share intelligence and prevent hostile acts against the United States.

Domestic Security Alliance Council (DSAC)

DSAC is a US government-industry partnership that enhances the timely exchange of security and intelligence information between federal agencies and the private sector.

DOJ Computer Crime and Intellectual Property Section (CCIPS)

CCIPS is a network of federal prosecutors trained to pursue computer crime and IP offenses in each of the United States Attorneys’ Offices. See the Best Practices for Victim Response and Reporting of Cyber Incidents resource.

National Security Cyber Specialist (NSCS)

NSCS is a network of DOJ headquarters and field personnel trained to handle national security-related cyber issues. To contact an NSCS representative, email DOJ.Cyber.Outreach@usdoj.gov or NSCS_Watch@usdoj.gov.

The information in this report is being provided “as is” for informational purposes only. The FBI does not endorse any commercial entity, product, company, or service, including any linked within this document.

 

