Law Enforcement Requested Investigation Pause
A law-enforcement agency (LEA; e.g., FBI, Secret Service, Europol, national police cybercrime unit) has requested that the organization pause or slow-walk active investigation, containment, or notification steps while it pursues its own investigation. This creates tension between legal obligations to customers/regulators and cooperation with the LEA.
Signals
- Formal LEA request (letter, subpoena, voluntary hold request) asking for a pause of specific actions
- Evidence of attacker activity suggests an ongoing operation that LEA may be monitoring
- LEA-provided IoCs or TTPs that imply a broader investigation context
Pivot Actions
1. Engage legal counsel immediately: LEA requests interact with regulatory notification obligations, customer contracts, and insurance clauses in complex ways
2. Designate a single LEA liaison to avoid fragmented communication; document every major finding in an LEA-consumable format (preserving original evidence, not just analyses)
3. Continue safe parallel work: forensic preservation, evidence-admissibility hygiene, and internal briefing can proceed without disrupting LEA operations
4. Prepare for the LEA-request-ends scenario: have containment and notification plans pre-staged so response can resume without delay
5. Do not volunteer public or customer communications that may interfere with LEA operations; equally, do not miss regulator deadlines on LEA's behalf without explicit written acknowledgement
Alternate Evidence Sources
- LEA-provided threat intel under NDA or classified framework
- Legal-privileged communications with counsel that document the LEA-interaction trail
- Parallel preservation work that does not interfere with the LEA request but maintains investigative momentum