Rapid response fly team can deploy across the globe within hours to respond to major cyber threats.
USA : Across the globe, malicious cyber activity threatens public safety and national and economic security. Criminals target organizations such as schools, hospitals, power and utility companies, and other critical infrastructure entities that serve communities.
As the lead federal agency for investigating cyberattacks and intrusions, the FBI developed a specialty group—the Cyber Action Team, or CAT—that can deploy across the globe within hours to respond to major cyber threats and attacks against these critical services.
Composed of about 65 members, CAT is an investigative rapid response fly team that leverages special agents, computer scientists, intelligence analysts, and information technology specialists from across FBI field offices and Headquarters.
“We respond onsite to victims who may include national government entities, private companies, or even sometimes foreign partner networks that have been compromised by an adversary,” said Scott Ledford, head of the Cyber Action Team and the Advanced Digital Forensics Team. “Our job is to help conduct the investigation—we collect digital evidence and locate, identify, and reverse engineer malware. We also help the victim understand when they were compromised and how, writing a timeline and a narrative of that intrusion with the ultimate goal of identifying who is responsible, attributing that attack.”
CAT was established in 2005 in response to an increase in the number and complexity of computer intrusion investigations in FBI field offices. At the time, not all field offices had personnel with the cyber expertise necessary to properly respond to and investigate sophisticated computer intrusions.
“There was this transition that was taking place between what investigations the FBI was responsible for and the types of crimes that we were starting to see,” explained Ledford. “Cyber was such a growing threat at the time, and so it became necessary that some field offices would reach out and say, ‘Hey, do you know of any cyber experts who can help me work through an investigation?”
As the team formalized its processes and expanded, in 2016, the Presidential Policy Directive 41, “United States Cyber Incident Coordination” was signed, setting forth principles for the federal government’s response to cyber incidents involving government or private sector entities. The FBI was appointed the lead federal agency for cyber threat response activities.
“From an investigative standpoint, the FBI is unique. We’re one of the few agencies in the U.S. government that has both law enforcement and counterintelligence authorities,” said Ledford. “And those authorities, and the American people’s trust in us, help us to deliver a unique blend of national security and criminal investigative skills, expertise, and resources to implement that blended response and help facilitate an investigation, regardless of whether it leads us overseas or to a courtroom here in the U.S.”
The bulk of CAT’s cases usually involve the FBI identifying an organization with a particular intrusion that’s either so complex or large-scale that the local field office requests additional assistance.
In one case, CAT deployed to a health care company that a separate intrusion investigation had identified as compromised. CAT’s response helped lead to the identification of several compromised systems and accounts on their network. While working alongside the company, CAT disrupted the threat—and prevented further exploitation across their network.
CAT also receives requests from FBI legal attachés, the State Department, the National Security Council, and the White House to assist other countries when they face cyberattacks.
“It could be a country that doesn’t have the resources or the expertise that the U.S. government has, and they’ve reached out and asked for help,” said Ledford. “There can be a NATO or a non-NATO ally country that says, ‘We’ve been hit hard by this adversary, and we don’t have the localized personnel, we don’t have the resources, we don’t have the expertise to respond to this. Can you help us with it?”
In another case, CAT deployed overseas to provide incident response support to a NATO ally that had been targeted by a destructive cyberattack. CAT responded and worked together with U.S. partners to determine the initial intrusion vector, identify other networks that were impacted, collect and analyze digital evidence, and ultimately attribute the intrusion to a foreign government. The NATO ally severed diplomatic ties with the foreign government, closed the foreign government’s in-country embassy, and evicted them from the country.
“We have some talented people, and they work hard every single day,” said Ledford. “It’s an honor to sit alongside them.”
