Enhancing Collaboration: Incident Response Teams and Law Enforcement

Written by

Cyber-attacks are on the rise — the number of global ransomware attacks increased by 95% in 2023, compared to 2022. With this growing threat, cooperation between Incident Response Teams (IRTs) and law enforcement has never been more important.

This evolving relationship has seen success in recent years but still comes with many challenges.

Bridging the communication gap between your organization’s IRT and law enforcement is essential in order to establish the best possible remediation process. But where do you start?

Below I’m going to cover the methods your organization’s IRT can use to facilitate effective partnerships with law enforcement, as well as best practices for using those partnerships to combat evolving cyber threats and safeguard your organization’s digital infrastructure.

How IRTs and Law Enforcement Work Together

After a cyber security incident occurs, it’s the responsibility of the IRT to discover, analyze, review, and then, should the nature of the incident require it - bring findings back to law enforcement. While I don’t consider IRTs part of law enforcement, they are very much part of this important legal process.

Law enforcement agencies, like INTERPOL, the FBI, the US Secret Service, and local police, usually want to act as a partner to an organization that’s been the victim of a cybercrime, rather than take over the entire investigation.

Initially, the IRT will provide agencies with data logs, information about the nature of the incident, and any other relevant evidence, and agency officials will then share information they find about indicators of compromise (IOCs) and anything that will help your organization through the remediation process.

“It is wise to involve law enforcement agencies on a regular basis.”

As your leadership team and IRT plan for various cyber-attack scenarios, it is wise to involve law enforcement agencies on a regular basis so that all parties are on the same page ahead of time.

It’s also important to have one designated point of contact from your organization to reach out and work with law enforcement through the entire process to keep everything streamlined.

A Slow Process That’s Worth the Effort

There can be quite a bit of hesitancy on the part of IRTs to work directly with law enforcement after a cyber cyber-attack. But a cyber-attack is a serious offense and it’s important to analyze what happened and then take the right steps.

“Working with law enforcement is the only way you’re going to stop a repeat attack.”

If that incident turns out to be someone hacking, breaking the law, or something malicious, working with law enforcement is the only way you’re going to stop a repeat attack. Yes, it can be a slow process but if you don't take offenders to court and impose some form of sanctions on them, it’s likely they’ll attack again because they believe they can get away with it.

One reason some IRTs may hesitate to work with law enforcement is that many organizations today operate internationally, and cyber-attacks can cross jurisdictional boundaries.

Differences in laws, regulations, and legal processes across jurisdictions can make it difficult for IRTs to collaborate with law enforcement agencies.

For example, the national CERT teams in some countries have the legal power to instruct ISPs to remove websites, while others require a court order. Understanding those nuances are critical because otherwise organizations will not understand the correct route to go and hamper efforts to address critical cyber threats.

How FIRST Facilitates Partnerships Between IRTs and Law Enforcement

At FIRST, we have Special Interest Groups (SIGs) that were created for members to share expertise on a certain area of technology and to address its common challenges. One of these SIGs aims specifically to improve the collaboration and partnership between IRTs and law enforcement. Our Law Enforcement SIG can advise on which agencies to work with, inform incident response plan strategies, and help develop relevant documentation (like MOUs) to ensure everyone is on the same page ahead of a security incident. Members of the SIG work to bring IRTs and law enforcement together so you can better understand each other.

The Most Effective Communication Strategies

To ensure your organization is set up for a successful remediation process following a cyber-attack, it’s important to bring the IRT and law enforcement into one room ahead of time (whether virtual or in-person) to have conversations about what they can and can't do for one another.

Some of the most effective ways to set up on-going communication between IRTs and law enforcement include:

  • Regular information sharing meetings: these provide opportunities to share updates on cyber incident response efforts and discuss emerging threats or trends.
  • Training and workshops: these can cover cyber incident response procedures, legal considerations, digital forensics techniques, and evidence handling protocols.
  • Formalized information-sharing agreements or memoranda of understanding (MOUs): these agreements will define the scope of collaboration, establish legal frameworks for information exchange, and address confidentiality and data protection concerns.

It’s also important to stay adaptable and flexible because cyber threats are constantly evolving.

Reviewing and revising your incident response plan regularly and sharing it with the agencies you work with is crucial for maintaining effective communication.

Better Cooperation for a Safer Internet

As an Incident Response Team member, working with law enforcement can be challenging but it’s never been more important. Intensified cooperation between IRTs and law enforcement is the only way to combat cyber threats and protect digital infrastructure now and in the future.

What’s hot on Infosecurity Magazine?