When a manufacturer discovered ransomware encrypting its production systems on a Tuesday morning, the company had no documented incident response plan and had never contacted the FBI. By the time they called law enforcement three days later, critical forensic evidence had been overwritten during recovery efforts, and the attackers had already used the same credentials to hit a second facility. The Department of Justice's Cybersecurity Unit published Best Practices for Victim Response and Reporting of Cyber Incidents precisely to prevent that outcome.
What is the DOJ Cybersecurity Unit?
In December 2014, the Criminal Division of the Department of Justice established the Cybersecurity Unit within the Computer Crime and Intellectual Property Section (CCIPS). The unit provides legal guidance on how the criminal electronic surveillance statutes and the Computer Fraud and Abuse Act intersect with day-to-day security practice, a question that trips up many incident response teams who worry that active network monitoring, honeypots, or other defensive measures might create legal exposure. The unit's guidance document, Best Practices for Victim Response and Reporting of Cyber Incidents (first issued in 2015 and revised in 2018), is designed to help organizations prepare for, respond to, and report cyber incidents in a way that supports both recovery and potential prosecution.
Identify your crown jewels before an incident
The DOJ guidance opens with a principle that incident response planners often skip. You cannot protect what you haven't mapped. Before a breach, organizations should document which systems, data sets, and personnel are mission-critical. For a law firm, that might be client matter files and email. For a manufacturer with defense contracts, it's likely CUI (Controlled Unclassified Information) and ERP data. For a healthcare organization, it's ePHI.
This mapping exercise drives everything downstream: which systems get monitored most closely, which get restored first, and which incidents trigger an immediate call to law enforcement. Without it, teams make those decisions under fire. The output should be a tiered asset inventory with an owner, a data classification, and a recovery priority level assigned to each system before anything goes wrong.
Build your incident response plan around the DOJ framework
The DOJ guidance's recommendations map onto the standard incident response lifecycle (the same one NIST SP 800-61 uses): preparation; detection and analysis; containment, eradication and recovery; and post-incident activity. Each phase has specific recommendations that most generic IT policies miss.
Preparation: Establish relationships with law enforcement before an incident, not during one. The DOJ guidance recommends getting to know your local FBI field office (or Secret Service field office) in advance, so you know whom to call and what they will ask for; the FBI's Internet Crime Complaint Center (IC3) is the online intake point for filing a complaint once something has actually happened. Organizations should also pre-designate an incident response coordinator, outside legal counsel, and a forensic investigation firm on retainer. When a breach happens at 2 AM, the wrong time to find a forensics vendor is 2:01 AM.
Detection and analysis: The DOJ guidance emphasizes preserving evidence from the first moment of detection. This is where many organizations make costly mistakes. Taking a compromised server offline before imaging it, wiping and re-imaging endpoints before malware samples are collected, or allowing users to keep working on affected systems can destroy the forensic trail investigators need to identify the threat actor, determine scope, and support prosecution. At minimum, capture memory and take a disk image of affected systems before any remediation work begins, and hash the images as soon as they are taken. Centralized logging matters just as much: a SIEM can capture log data in real time, but if your organization does not retain at least 90 days of centralized logs, you may be unable to determine when a threat actor first entered your environment, because the earliest evidence will already have aged out.
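The scoping question that paragraph raises, "when did the attacker first get in, and can the logs even answer that?", is easier to see on data. The following is an added example, not code from the DOJ guidance or the original article: it takes logon events exported from a SIEM, finds where a suspect account was first seen and the order in which it spread between hosts, and flags when the earliest event sits at the edge of the retention window, in which case "first seen" is only a lower bound. The log lines, field names and hostnames are constructed for the example and do not follow any particular vendor's schema.

```python
"""Earliest-access timeline for a compromised credential.

Added example, not from the DOJ guidance or the original article: given
logon events exported from a SIEM, find when a suspect account was first seen
on each host, the order in which it spread, and whether the earliest event
sits at the edge of the log retention window, in which case the true initial
access time is unknown rather than known. The log lines, field names and
hostnames are constructed for this example, not any vendor's schema.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed JSON-lines export. The failed logon on DC01 is deliberately included.
SAMPLE_EVENTS = """
{"ts": "2024-03-05T08:01:12Z", "host": "DC01", "user": "svc_backup", "src": "10.1.4.22", "result": "success"}
{"ts": "2024-03-09T22:14:03Z", "host": "FILE01", "user": "svc_backup", "src": "10.1.4.22", "result": "success"}
{"ts": "2024-03-11T02:33:40Z", "host": "PLANT-B-HMI", "user": "svc_backup", "src": "10.1.4.22", "result": "success"}
{"ts": "2024-03-12T07:05:00Z", "host": "FILE01", "user": "jsmith", "src": "10.1.7.10", "result": "success"}
{"ts": "2024-03-12T09:41:27Z", "host": "DC01", "user": "svc_backup", "src": "10.1.4.22", "result": "failure"}
"""


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = parse_ts(ev["ts"])
            events.append(ev)
    return events


def first_seen_by_host(events, user):
    """{host: earliest successful logon} for the account. Failures are ignored
    here but deserve a separate look for password-spray patterns."""
    first = {}
    for ev in events:
        if ev["user"] == user and ev["result"] == "success":
            if ev["host"] not in first or ev["ts"] < first[ev["host"]]:
                first[ev["host"]] = ev["ts"]
    return first


def spread(events, user):
    """Hosts in the order the credential reached them (the lateral movement path)."""
    first = first_seen_by_host(events, user)
    return sorted(first, key=first.get)


def initial_access(events, user, now, retention_days=90, slack_days=1):
    """Earliest observed activity for the account. evidence_complete is False when
    that event lies within slack_days of the retention boundary: anything earlier
    would already have aged out, so 'first seen' is a lower bound, not an answer."""
    first = first_seen_by_host(events, user)
    if not first:
        return None
    host = min(first, key=first.get)
    boundary = parse_ts(now) - timedelta(days=retention_days)
    return {
        "host": host,
        "first_seen": first[host].isoformat(),
        "evidence_complete": first[host] - boundary > timedelta(days=slack_days),
    }


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(spread(evs, "svc_backup"))
    print(initial_access(evs, "svc_backup", "2024-03-13T00:00:00Z"))
    # Same data with only 8 days of retention: the DC01 event sits at the boundary.
    print(initial_access(evs, "svc_backup", "2024-03-13T00:00:00Z", retention_days=8))
```

With 90 days of retention the DC01 logon on 5 March can be reported as the first observed entry with some confidence; with 8 days of retention the same event is at the retention edge, and the honest answer to investigators is "no earlier than 5 March", which is exactly the gap the paragraph warns about.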
Containment: Isolate affected systems from the network without destroying evidence. This means disabling network adapters rather than powering down machines where possible, since a power-off discards memory that may hold running malware, encryption keys, and attacker sessions. Segment the affected environment using firewall rules or VLAN changes rather than pulling cables indiscriminately. If credentials are believed compromised, reset the affected accounts' passwords in Active Directory and revoke active sessions and refresh tokens in any cloud identity provider; if domain-level compromise is suspected, also reset the krbtgt account password twice, allowing time for replication between the resets, so that forged Kerberos tickets stop working. Log what was reset or revoked and when, because that sequence of actions matters during forensic analysis.
Eradication and recovery: The DOJ guidance warns against rushing to restore systems before the root cause is fully understood. Organizations frequently re-infect themselves by restoring from backups taken after the initial compromise (which carry the attacker's foothold with them), or by returning systems to production before the attacker's persistence mechanisms (scheduled tasks, malicious registry keys, backdoor accounts) have been removed. A clean rebuild from a known-good baseline, combined with a forced password reset for all accounts and a review of administrative privileges, is the safer path. Recovery sequencing should follow your asset priority list: restore the systems your business cannot function without first, and document what was restored and when.
Report to law enforcement, and why it matters
The DOJ guidance devotes significant attention to reporting, because most organizations either don't report incidents at all or wait too long. The FBI received 880,418 complaints in 2023, but estimates suggest that represents a fraction of actual incidents. Underreporting has real consequences: threat actors operate undisturbed across multiple victims, law enforcement cannot identify patterns that link attacks, and organizations miss the opportunity to receive threat intelligence in return.
Reporting to the FBI or CISA does not obligate an organization to make a public disclosure, and law enforcement generally allows organizations to stabilize before making any public statement. What reporting does do is give investigators the opportunity to attribute the attack, potentially disrupt ongoing criminal infrastructure, and sometimes recover stolen data or decryption keys. In the Hive ransomware operation, the FBI infiltrated the group's network in mid-2022 and quietly distributed decryption keys to victims for months before the infrastructure was seized in January 2023; the Justice Department put the ransom demands those victims avoided at over $130 million, and victims already in contact with the FBI were the easiest to reach.
For incidents involving federal systems or contracts, HIPAA-covered data, or personally identifiable information, separate reporting obligations may apply: CISA incident reporting for critical infrastructure (mandatory under CIRCIA once its implementing rules are in force), the 72-hour report under DFARS 252.204-7012 for defense contractors handling CUI, HHS notification under the HIPAA Breach Notification Rule, and state breach notification laws. Counsel should be engaged early to ensure those obligations are met on schedule.
What Stratify IT does to prepare your organization
Stratify IT helps organizations operationalize the DOJ framework before an incident forces the issue. That starts with asset classification and a documented incident response plan with defined roles, escalation paths, and pre-approved forensic vendors. We deploy SIEM and EDR tools that give your team centralized visibility across endpoints, servers, and network traffic, so detection happens in hours, not weeks. How EDR, DNS filtering, and incident response work together as a defensive stack is covered in detail separately. For organizations subject to CMMC, HIPAA, or SOC 2, we align incident response documentation to the specific reporting and evidence-preservation requirements those frameworks impose.
When an incident does occur, Stratify IT's managed security team is available to support containment, coordinate with your forensics partner, and help you work through the law enforcement notification process. Contact us to build an incident response plan that holds up when it matters.
Frequently Asked Questions
Contacting the FBI does not, in practice, mean handing over control of your systems. The FBI generally works around your recovery needs rather than taking over. Agents can collect forensic evidence without requiring you to keep systems offline indefinitely. That said, you should discuss your operational constraints early in the conversation. Companies that delay contact for days while trying to recover first often destroy the forensic evidence and chain of custody that would have helped investigators identify the group and potentially recover decryption keys.
Volatile memory (RAM) is the first thing lost when a system reboots, and it can contain active malware processes, encryption keys, and attacker session data. Log files are the next casualty, especially if retention windows are short or logging was never enabled on the affected systems. Before reimaging anything, take a memory capture and a full disk image using tools like FTK Imager or Magnet RAM Capture, and record the image hashes and who handled them. Even a single preserved system can provide more investigative value than a dozen cleaned ones.
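Taking the image is only half of preservation; the other half is being able to show later that the file the forensics vendor or prosecutor receives is byte-for-byte what was acquired. The following is an added example, not code from the original article or from any forensic tool: it hashes an image immediately after acquisition, records who collected it and when in a chain-of-custody manifest, and re-hashes on every handoff, refusing the transfer if the hash no longer matches. The case ID, file names, people and image bytes are all constructed for the example.

```python
"""Chain-of-custody manifest for forensic images.

Added example, not from the original article or from any forensic tool:
after a disk image or memory capture is taken (FTK Imager, Magnet RAM Capture
or similar), hash it immediately, record who collected it and when, and
re-verify the hash whenever the evidence changes hands. The case ID, file
names, people and image bytes below are constructed for the example.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1024 * 1024):
    """Stream the file so a multi-hundred-GB image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def new_manifest(case_id):
    return {"case_id": case_id, "items": []}


def add_evidence(manifest, path, collected_by, source_host, kind, notes=""):
    """Record an item at acquisition time. The hash taken here is the reference
    that every later custody transfer is checked against."""
    entry = {
        "id": f"{manifest['case_id']}-{len(manifest['items']) + 1:03d}",
        "file": os.path.basename(path),
        "size": os.path.getsize(path),
        "sha256": sha256_file(path),
        "kind": kind,  # e.g. "disk-image" or "memory-capture"
        "source_host": source_host,
        "notes": notes,
        "custody": [{
            "action": "acquired",
            "by": collected_by,
            "at": datetime.now(timezone.utc).isoformat(),
        }],
    }
    manifest["items"].append(entry)
    return entry


def transfer(manifest, item_id, path, from_person, to_person):
    """Re-hash on every handoff. A mismatch means the file is no longer the
    evidence that was acquired, so the transfer is recorded as a failure."""
    item = next(i for i in manifest["items"] if i["id"] == item_id)
    current = sha256_file(path)
    ok = current == item["sha256"]
    item["custody"].append({
        "action": "transferred" if ok else "INTEGRITY FAILURE",
        "from": from_person,
        "to": to_person,
        "verified_sha256": current,
        "at": datetime.now(timezone.utc).isoformat(),
    })
    return ok


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2)


def demo():
    """Walk the workflow on a constructed file; returns (clean_transfer_ok, tampered_transfer_ok)."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "FILE01-sda.E01")  # constructed stand-in for a disk image
    with open(image, "wb") as f:
        f.write(b"\x00" * 4096 + b"constructed image bytes")
    m = new_manifest("IR-2024-0311")
    item = add_evidence(m, image, "j.doe", "FILE01", "disk-image",
                        notes="adapter disabled, not powered off, before imaging")
    clean = transfer(m, item["id"], image, "j.doe", "forensics-vendor")
    with open(image, "ab") as f:  # simulate an unintended modification after acquisition
        f.write(b"!")
    tampered = transfer(m, item["id"], image, "forensics-vendor", "counsel")
    save_manifest(m, os.path.join(workdir, "manifest.json"))
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The manifest is deliberately append-only: a failed verification is written into the custody list rather than rejected silently, because the fact that an image was altered (and when it was discovered) is itself evidence investigators will want.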
Cyber insurance can create friction. Many cyber insurers require you to use their pre-approved IR vendors and may discourage early law enforcement contact for liability reasons. Review your policy before an incident to understand whether it restricts who you can call and when. Ideally, your legal counsel, insurer, and a pre-vetted IR firm should all be aligned on the notification sequence before you're sitting in front of an active breach at 2 a.m.
When an employee's stolen credentials turn out to be the entry point, this is where many companies create unnecessary secondary problems. Treating the victim employee as a suspect before the investigation concludes damages trust and can compromise the investigation if the person becomes uncooperative. Your incident response plan should specify that HR involvement is guided by legal counsel, and that disciplinary decisions wait until forensics are complete. Exceptions exist where insider threat indicators are strong, but the default should be to treat credential theft as a security failure, not a personnel one.
The FBI and CISA serve different functions. The FBI focuses on criminal investigation and prosecution: it wants to build a case and identify the threat actors. CISA's role is more defensive. It aggregates threat data, issues advisories, and can provide technical assistance to help you and others in your sector avoid the same attack. For significant incidents, contacting both is reasonable, and neither filing competes with the other. CISA also encourages voluntary reporting of incidents that would never meet a criminal threshold, and critical infrastructure operators will have mandatory CISA reporting obligations under CIRCIA once its implementing rules are in force.
A useful crown-jewels inventory is a living asset register tied to your network topology: specific hostnames, data store locations, backup schedules, the systems each one depends on, and the name of the person who can authorize taking each system offline. A spreadsheet listing 'customer PII' and 'financial systems' in broad strokes helps nobody at 3 a.m. Map it to actual servers, cloud buckets, and SaaS platforms. Pair that with a contact list that includes vendor emergency lines and system owners' personal cell numbers, and you have something that actually speeds decisions under pressure.
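The register described here, the tiered inventory from the crown-jewels section, and the recovery sequencing step in the eradication and recovery phase all come down to the same artifact, so one worked example serves all three. It is an added example, not code from the DOJ guidance or the original article: a register that records owner, data classification, recovery tier, who can authorize taking the system down, and what each system depends on, plus a planner that orders restoration so no system is brought up before the systems it needs. It goes slightly beyond the text by propagating priority down dependency chains (a tier-3 license server that a tier-1 ERP needs is restored as if it were tier 1) and by flagging those inversions as register errors to fix before an incident. All hostnames, owners and authorizers are constructed.

```python
"""Tiered asset register and dependency-aware restore order.

Added example, not from the DOJ guidance or the original article. Hostnames,
owners and authorizers are constructed. Lower tier = restored sooner; "deps"
must be verified clean and online before the system is restored.
"""
from collections import defaultdict

ASSETS = {
    "DC01":        {"owner": "identity-team", "classification": "internal", "tier": 1, "deps": [],                         "authorizer": "a.lee"},
    "SQL01":       {"owner": "dba-team",      "classification": "CUI",      "tier": 1, "deps": ["DC01"],                   "authorizer": "m.chen"},
    "LIC01":       {"owner": "it-ops",        "classification": "internal", "tier": 3, "deps": [],                         "authorizer": "helpdesk"},
    "ERP01":       {"owner": "finance",       "classification": "CUI",      "tier": 1, "deps": ["DC01", "SQL01", "LIC01"], "authorizer": "r.patel"},
    "PLANT-B-HMI": {"owner": "operations",    "classification": "internal", "tier": 2, "deps": ["DC01"],                   "authorizer": "plant-b on-call"},
    "FILE01":      {"owner": "it-ops",        "classification": "CUI",      "tier": 2, "deps": ["DC01"],                   "authorizer": "m.chen"},
    "WIKI01":      {"owner": "it-ops",        "classification": "internal", "tier": 3, "deps": ["DC01", "SQL01"],          "authorizer": "helpdesk"},
}


def effective_tiers(assets):
    """A dependency inherits the best (lowest) tier of anything that relies on it."""
    for name, a in assets.items():
        for dep in a["deps"]:
            if dep not in assets:
                raise ValueError(f"{name} depends on unregistered system {dep}")
    eff = {name: a["tier"] for name, a in assets.items()}
    changed = True
    while changed:  # propagate until no dependency has a worse tier than a dependent
        changed = False
        for name, a in assets.items():
            for dep in a["deps"]:
                if eff[name] < eff[dep]:
                    eff[dep] = eff[name]
                    changed = True
    return eff


def tier_inversions(assets):
    """Pairs (system, dependency) where the dependency's declared tier is worse
    than the system that needs it. These are the register errors to fix up front."""
    return sorted((name, dep) for name, a in assets.items()
                  for dep in a["deps"] if dep in assets and assets[dep]["tier"] > a["tier"])


def restore_order(assets):
    """Kahn's topological sort with a priority-ordered ready set; raises on a cycle."""
    eff = effective_tiers(assets)
    indegree = {name: len(a["deps"]) for name, a in assets.items()}
    dependents = defaultdict(list)
    for name, a in assets.items():
        for dep in a["deps"]:
            dependents[dep].append(name)
    ready = {n for n, d in indegree.items() if d == 0}
    order = []
    while ready:
        # Among systems whose dependencies are all restored, best effective tier first,
        # then declared tier, then name for a stable, reviewable plan.
        current = min(ready, key=lambda n: (eff[n], assets[n]["tier"], n))
        ready.remove(current)
        order.append(current)
        for nxt in dependents[current]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.add(nxt)
    if len(order) != len(assets):
        raise ValueError("dependency cycle in asset register")
    return order


def runbook(assets):
    """Restore steps in order, with the person who signs off on each one."""
    eff = effective_tiers(assets)
    return [{"step": i + 1, "system": n, "tier": assets[n]["tier"], "effective_tier": eff[n],
             "classification": assets[n]["classification"], "authorizer": assets[n]["authorizer"]}
            for i, n in enumerate(restore_order(assets))]


if __name__ == "__main__":
    for row in runbook(ASSETS):
        print(row)
    print("tier inversions to fix:", tier_inversions(ASSETS))
```

On the constructed register the plan comes out as DC01, SQL01, LIC01, ERP01, FILE01, PLANT-B-HMI, WIKI01: the directory first because everything needs it, the tier-3 license server pulled forward because the tier-1 ERP cannot run without it, and the wiki last. Run `tier_inversions` as part of the tabletop exercise, not during the incident; each pair it returns is a conversation with a system owner about what their "tier 1" actually depends on.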