CyberSecurity Resources & Updates

CISA Releases Joint Guide for Software Manufacturers: The Case for Memory Safe Roadmaps
12/06/2023

Today, as part of the Secure by Design campaign, CISA published The Case for Memory Safe Roadmaps: Why Both C-Suite Executives and Technical Experts Need to Take Memory Safe Coding Seriously in collaboration with the following partners:

  • United States National Security Agency
  • United States Federal Bureau of Investigation
  • Australian Signals Directorate’s Australian Cyber Security Centre
  • Canadian Centre for Cyber Security
  • United Kingdom National Cyber Security Centre
  • New Zealand National Cyber Security Centre
  • Computer Emergency Response Team New Zealand

Malicious cyber actors routinely exploit memory safety vulnerabilities, which are common coding errors and the most prevalent type of disclosed software vulnerability. Preventing and responding to these vulnerabilities cost both software manufacturers and their customer organizations significant time and resources.

The Case for Memory Safe Roadmaps details how software manufacturers can transition to memory safe programming languages (MSLs) to eliminate memory safety vulnerabilities. The guidance provides manufacturers steps for creating and publishing memory safe roadmaps that will show their customers how they are owning security outcomes, embracing radical transparency, and taking a top-down approach to developing secure products—key Secure by Design tenets.

CISA and our partners urge C-suite and technical experts at software manufacturers to read this guidance and implement memory safe roadmaps to eliminate memory safety vulnerabilities from their products.

For more information and resources, visit CISA.gov/SecureByDesign.


Cyber Training Bulletin  –  December 2023 and January 2024

CSD Cyber Defense Education and Training (CDET) Offerings
12/01/23

Highlights: What You Want to Know

  • The CYBER.ORG Range celebrates its one-year anniversary! Made possible with initial funding from the state of Louisiana and expanded by CISA, the Range has been leveraged by over 2,000 teachers in high school classrooms and over 30,000 student accounts from all 50 states in just one year. CYBER.ORG Range differs from other industry ranges, as it makes learning cybersecurity easier for teachers and students alike who want to increase their confidence in cyber education and explore the field. The Range is also available for students who have had no prior knowledge in cybersecurity. Learn more at https://cyber.org/news/happy-birthday-cyberorg-range-celebrating-one-year-and-reaching-all-50-states
  • Two courses were added to the Federal Virtual Training Environment (FedVTE), for the Cyber Defense Analyst and the Cyber Defense Infrastructure Support Specialist. Each new course is mapped to the NICE Framework, and each features guided labs from subject matter experts demonstrating the skills necessary to succeed in these two roles.

Incident Response

This free training series includes 100-level webinars for a general audience which are cybersecurity topic overviews that provide core guidance and best practices to make your network more resilient to attacks. It also includes 200-level Cyber Range Training courses for government employees and contractors across federal, state, local, tribal, and territorial government, educational partners, and critical infrastructure partners. These Cyber Range Trainings provide guided step-action labs to learn and practice investigation, remediation, and incident response skills.

IR Training Events through January 2024

Date         Course Code   Registration Begins   Course                                                    Hours
12/07/2023   IR209         11/07/2023            Defend Against Ransomware Attacks Cyber Range Training    4
01/11/2024   IR110         11/16/2023            Introduction to Log Management Webinar                    1

To learn more or register visit: https://www.cisa.gov/resources-tools/programs/Incident-Response-Training


11/29/2023
Today, CISA published guidance on How Software Manufacturers Can Shield Web Management Interfaces From Malicious Cyber Activity as a part of a new Secure by Design (SbD) Alert series.

This SbD Alert urges software manufacturers to proactively prevent the exploitation of vulnerabilities in web management interfaces by designing and developing their products using SbD principles:

  • Take Ownership of Customer Security Outcomes.
  • Embrace Radical Transparency and Accountability.

For more information on SbD principles, see Secure by Design and Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software.

11/26/2023 

Today, in a landmark collaboration, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) are proud to announce the release of the Guidelines for Secure AI System Development. Co-sealed by 23 domestic and international cybersecurity organizations, this publication marks a significant step in addressing the intersection of artificial intelligence (AI), cybersecurity, and critical infrastructure.

The Guidelines, complementing the U.S. Voluntary Commitments on Ensuring Safe, Secure, and Trustworthy AI, provide essential recommendations for AI system development and emphasize the importance of adhering to Secure by Design principles. The approach prioritizes ownership of security outcomes for customers, embraces radical transparency and accountability, and establishes organizational structures where secure design is a top priority.

The Guidelines apply to all types of AI systems, not just frontier models. We provide suggestions and mitigations that will help data scientists, developers, managers, decision-makers, and risk owners make informed decisions about the secure design, model development, system development, deployment, and operation of their machine learning AI systems.

This document is aimed primarily at providers of AI systems, whether based on models hosted by an organization or making use of external application programming interfaces. However, we urge all stakeholders—including data scientists, developers, managers, decision-makers, and risk owners—to read this guidance to help them make informed decisions about the design, deployment, and operation of their machine learning AI systems.

CISA invites stakeholders, partners, and the public to explore the Guidelines for Secure AI System Development as well as our recently published Roadmap for AI to learn more about our strategic vision for AI technology and cybersecurity. To learn more, visit CISA.gov/AI.


11/15/2023

Today, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA), #StopRansomware: Rhysida Ransomware, to disseminate known Rhysida ransomware indicators of compromise (IOCs), detection methods, and tactics, techniques, and procedures (TTPs) identified through investigations as recently as September 2023.

Observed as a ransomware-as-a-service (RaaS) model, Rhysida actors have compromised organizations in education, manufacturing, information technology, and government sectors and any ransom paid is split between the group and affiliates. Rhysida actors leverage external-facing remote services, such as virtual private networks (VPNs), Zerologon vulnerability (CVE-2020-1472), and phishing campaigns to gain initial access and persistence within a network.

CISA, FBI, and MS-ISAC encourage organizations to review the joint CSA for recommended mitigations to reduce the likelihood and impact of Rhysida and other ransomware incidents. For more information, see CISA’s #StopRansomware webpage, which includes the updated #StopRansomware Guide.


CISA Releases Roadmap for Artificial Intelligence Adoption
11/14/2023

Today, CISA released its Roadmap for Artificial Intelligence—in alignment with White House Executive Order 14110: Safe, Secure, And Trustworthy Development and Use of Artificial Intelligence—to outline a comprehensive set of actions CISA will take along five lines of effort:

  1. Responsibly use AI to support our mission.
  2. Assure AI systems.
  3. Protect critical infrastructure from malicious use of AI.
  4. Collaborate and communicate on key AI efforts with the interagency, international partners, and the public.
  5. Expand AI expertise in our workforce.

Learn more about CISA’s Roadmap for Artificial Intelligence at cisa.gov/AI.


CISA Releases Update to Royal Ransomware Advisory

11/13/2023

Today, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released an update to joint Cybersecurity Advisory (CSA) #StopRansomware: Royal Ransomware. The updated advisory provides network defenders with additional information on tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Royal ransomware variants. FBI investigations identified these TTPs and IOCs as recently as June 2023.

Royal ransomware attacks have spread across numerous critical infrastructure sectors including, but not limited to, manufacturing, communications, healthcare and public health (HPH), and education.

CISA encourages network defenders to review the updated CSA and to apply the included mitigations. See #StopRansomware for additional guidance on ransomware protection, detection, and response.


11/09/2023 

Today, CISA, the National Security Agency (NSA), and partners released Securing the Software Supply Chain: Recommended Practices for Software Bill of Materials Consumption. Developed through the Enduring Security Framework (ESF), this guidance provides software developers and suppliers with industry best practices and principles, including managing open source software and software bills of materials (SBOM), to maintain and provide awareness about the security of software.

Organizations can use this guide to assess and measure their security practices relative to the software lifecycle; the suggested practices may be applied across the acquisition, deployment, and operational phases of a software supply chain.

CISA encourages cybersecurity defenders to review this guidance and to speak to their software vendors about implementing its recommendations.


11/07/2023 

Today, CISA, in response to active, targeted exploitation, released guidance for addressing Citrix NetScaler ADC and Gateway vulnerability CVE-2023-4966. The vulnerability, also known as Citrix Bleed, could allow a cyber actor to take control of an affected system.

CISA recommends organizations patch unmitigated appliances, hunt for any malicious activity, and report any positive findings to CISA. Review CISA’s guidance for more information.


11/07/2023 

Today, the Federal Emergency Management Agency (FEMA) and the Cybersecurity and Infrastructure Security Agency (CISA) released the joint guide Planning Considerations for Cyber Incidents: Guidance for Emergency Managers to provide state, local, tribal, and territorial (SLTT) emergency managers with foundational knowledge of cyber incidents to increase cyber preparedness efforts in their jurisdictions.

Emergency managers should be able to understand and prepare for the potential impacts of cyber incidents on their communities and emergency operations. FEMA and CISA encourage emergency managers to review this guide for recommendations on how to plan for and respond to cyber incidents.

For continued updates on efforts related to the guide, including webinars, please visit FEMA’s webpage.


11/06/2023

Today, CISA published When to Issue Vulnerability Exploitability eXchange (VEX) Information, developed by a community of industry and government experts with the goal to offer some guidance and structure for the software security world, including the large and growing global SBOM community.

This guide explains the circumstances and events that could lead an entity to issue VEX information and describes the entities that create or consume VEX information. Whether, and when, to issue VEX information is a business decision for most suppliers and possibly a more individual decision for independent open source developers. This document identifies factors that influence the decision.

For more information, read the new reference material When to Issue Vulnerability Exploitability eXchange (VEX) Information.


10/24/2023 

Today, CISA updated its guidance addressing two vulnerabilities, CVE-2023-20198 and CVE-2023-20273, affecting Cisco’s Internetworking Operating System (IOS) XE Software Web User Interface (UI).

The guidance now notes that Cisco has fixed these vulnerabilities for the 17.9 Cisco IOS XE software release train with the 17.9.4a update. According to Cisco’s Security Advisory: Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature, fixes are still to be determined for the following Cisco IOS XE software release trains: 17.6, 17.3, 16.12 (Catalyst 3650 and 3850 only). CISA urges organizations with the 17.9 Cisco IOS XE software release train to immediately update to the 17.9.4a release.

CISA urges organizations to review:

CISA has added CVE-2023-20198 and CVE-2023-20273 to its Known Exploited Vulnerabilities Catalog, which, per Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the specified due date to protect FCEB networks against active threats.

Note: The Cisco Security Advisory initially pointed to another vulnerability as part of this activity. However, as stated in the Cisco Talos blog, Cisco has since determined that the vulnerability “CVE-2021-1435 that had previously been mentioned is no longer assessed to be associated with this activity.”


10/20/2023 

Today, the Cybersecurity and Infrastructure Security Agency (CISA) released a fact sheet on the effort to revise the National Cyber Incident Response Plan (NCIRP). Through the Joint Cyber Defense Collaborative (JCDC), CISA will work to ensure that the updated NCIRP addresses significant changes in policy and cyber operations since the initial NCIRP was released.

First published in 2016, the NCIRP was developed in accordance with Presidential Policy Directive 41 (PPD-41) on U.S. Cyber Incident Coordination and describes how federal government, private sector, and state, local, tribal, territorial (SLTT) government entities will organize to manage, respond to, and mitigate the consequences of significant cyber incidents.

NCIRP 2024 will address changes to the cyber threat landscape and in the nation’s cyber defense ecosystem by incorporating principles grounded in four main areas:

  • Unification
  • Shared Responsibility
  • Learning from the Past
  • Keeping Pace with Evolutions in Cybersecurity

CISA encourages all organizations to read the fact sheet and visit CISA’s NCIRP webpage to learn about this long-term effort and stay updated on the development of the NCIRP 2024.


10/20/2023

Today, CISA, in response to active, widespread exploitation, released guidance addressing two vulnerabilities, CVE-2023-20198 and CVE-2023-20273, affecting Cisco’s Internetworking Operating System (IOS) XE Software Web User Interface (UI). An unauthenticated remote actor could exploit these vulnerabilities to take control of an affected system. Specifically, these vulnerabilities allow the actor to create a privileged account that provides complete control over the device.

CISA urges organizations running Cisco IOS XE Web UI to review CISA’s guidance and immediately implement the mitigations outlined in:

These mitigations include disabling the HTTP Server feature on internet-facing systems and hunting for malicious activity on the network.


CISA Releases New Resources Identifying Known Exploited Vulnerabilities and Misconfigurations Linked to Ransomware
Oct. 12, 2023

Today, as part of the Ransomware Vulnerability Warning Pilot (RVWP), CISA launched two new resources for combating ransomware campaigns:

  • A “Known to be Used in Ransomware Campaigns” column in the KEV Catalog that identifies KEVs associated with ransomware campaigns.
  • A “Misconfigurations and Weaknesses Known to be Used in Ransomware Campaigns” table on StopRansomware.gov that identifies misconfigurations and weaknesses associated with ransomware campaigns. The table features a column that identifies the Cyber Performance Goal (CPG) action for each misconfiguration or weakness.

These two new resources will help organizations become more cybersecure by providing mitigations that protect against specific KEVs, misconfigurations, and weaknesses associated with ransomware.

CISA encourages all organizations to review the blog about this RVWP effort, as well as the new KEV catalog column and updated StopRansomware.gov site and implement applicable mitigations today.


Oct. 4, 2023

Today, CISA and the National Security Agency (NSA) published Identity and Access Management: Developer and Vendor Challenges, authored by the Enduring Security Framework (ESF), a CISA- and NSA-led working panel that includes a public-private cross-sector partnership. ESF aims to address risks that threaten critical infrastructure and national security systems.

This publication, which follows ESF’s Identity and Access Management Recommended Best Practices Guide for Administrators, assesses and addresses challenges developers and technology manufacturers face in identity and access management (IAM). The guidance specifically addresses technology gaps that limit the adoption and secure employment of multifactor authentication (MFA) and single sign-on (SSO) technologies within organizations.

Although the publication primarily addresses challenges facing large organizations, it also provides recommendations applicable to smaller organizations. CISA encourages cybersecurity defenders to review this guidance and to speak to their software vendors about implementing its recommendations.


Sept. 20, 2023

Today, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released joint Cybersecurity Advisory (CSA) #StopRansomware: Snatch Ransomware, which provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with the Snatch ransomware variant. FBI investigations identified these IOCs and TTPs as recently as June 1, 2023.

Snatch threat actors operate a ransomware-as-a-service (RaaS) model and change their tactics according to current cybercriminal trends and successes of other ransomware operations.

FBI and CISA encourage organizations to review the joint CSA for recommended steps and best practices to reduce the likelihood and impact of Snatch ransomware incidents. For general ransomware guidance, visit StopRansomware.gov, which provides resources, including the updated Joint #StopRansomware Guide.


CISA Releases Continuous Diagnostics and Mitigation Program: Identity, Credential, and Access Management (ICAM) Reference Architecture
Sept. 15, 2023

Today, CISA released the Continuous Diagnostics and Mitigation Program: Identity, Credential, and Access Management (ICAM) Reference Architecture to help federal civilian departments and agencies integrate their identity and access management (IDAM) capabilities into their ICAM architectures. Prior to this release, there was no singular, authoritative, and recognized reference for architecting an ICAM capability across an enterprise. This publication provides:

  • a description of the federal ICAM practice area, including how ICAM services and components implement ICAM use cases,
  • a description of related CDM capabilities,
  • an introduction to federation services, and
  • a high-level notional physical implementation.

In addition, it explores zero trust architecture and illustrates how ICAM and CDM help enable it.


CISA Releases its Open Source Software Security Roadmap
Sept. 12, 2023

Today, CISA released an Open Source Software Security Roadmap to lay out—in alignment with the National Cybersecurity Strategy and the CISA Cybersecurity Strategic Plan—how we will partner with federal agencies, open source software (OSS) consumers, and the OSS community, to secure OSS infrastructure. To that end, the roadmap details four key goals:

  1. Establish CISA’s role in supporting the security of OSS,
  2. Understand the prevalence of key open source dependencies,
  3. Reduce risks to the federal government, and
  4. Harden the broader OSS ecosystem.

See CISA’s Open Source Software Security Roadmap to learn more.


NSA, FBI, and CISA Release Cybersecurity Information Sheet on Deepfake Threats
Sept. 12, 2023

Today, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Information Sheet (CSI), Contextualizing Deepfake Threats to Organizations, which provides an overview of synthetic media threats, techniques, and trends. Threats from synthetic media, such as deepfakes, have exponentially increased—presenting a growing challenge for users of modern technology and communications, including the National Security Systems (NSS), the Department of Defense (DoD), the Defense Industrial Base (DIB), and national critical infrastructure owners and operators. Between 2021 and 2022, U.S. Government agencies collaborated to establish a set of employable best practices to take in preparation and response to the growing threat. Public concern around synthetic media includes disinformation operations, designed to influence the public and spread false information about political, social, military, or economic issues to cause confusion, unrest, and uncertainty.

The authoring agencies urge organizations to review the CSI for recommended steps and best practices to prepare for, identify, defend against, and respond to deepfake threats.

To report suspicious activity or possible incidents involving deepfakes, contact one of the following agencies:


Sept. 7, 2023

Today, CISA, Federal Bureau of Investigation (FBI), and U.S. Cyber Command’s Cyber National Mission Force (CNMF) published a joint Cybersecurity Advisory (CSA), Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475. This CSA provides information on an incident at an Aeronautical Sector organization, with malicious activity occurring as early as January 2023.

CISA, FBI, and CNMF confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network. This vulnerability allows for remote code execution on the ManageEngine application. Additional APT actors were also observed exploiting CVE-2022-42475 to establish presence on the organization’s firewall device.

The authoring agencies urge organizations to review this CSA and implement the recommended mitigations, which align with CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs)—developed by CISA and the National Institute of Standards and Technology (NIST)—as well as NSA-recommended best practices for securing infrastructure.

All organizations should report suspicious or criminal activity related to information found in this joint Cybersecurity Advisory by contacting your local FBI field office and CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870.


Sept. 6, 2023

CISA has released actionable guidance for Federal Civilian Executive Branch (FCEB) agencies to help them evaluate and mitigate the risk of volumetric distributed denial-of-service (DDoS) attacks against their websites and related web services. The Capacity Enhancement Guide: Volumetric DDoS Against Web Services Technical Guidance:

  • Helps agencies prioritize DDoS mitigations based on mission and reputational impact.
  • Describes DDoS mitigation services so agencies can make risk-informed tradeoff decisions on how to use available resources most effectively.

CISA encourages FCEB agencies to review the guidance and apply the recommendations. Visit Capacity Enhancement Guides for Federal Agencies for more ways to reduce cybersecurity risk.


August 31, 2023

Today, the United Kingdom’s National Cyber Security Centre (NCSC-UK), the United States’ Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI), New Zealand’s National Cyber Security Centre (NCSC-NZ), Canadian Centre for Cyber Security (CCCS), and the Australian Signals Directorate (ASD) published a joint Malware Analysis Report (MAR) on Infamous Chisel, a new mobile malware targeting Android devices with capabilities to enable unauthorized access to compromised devices, scan files, monitor traffic, and periodically steal sensitive information. Infamous Chisel mobile malware has been used in a malware campaign targeting Android devices in use by the Ukrainian military.

Infamous Chisel is a collection of components targeting Android devices and is attributed to Sandworm, the Russian Main Intelligence Directorate’s (GRU’s) Main Centre for Special Technologies, GTsST. The malware’s capability includes network monitoring, traffic collection, network backdoor access via The Onion Router (Tor) and Secure Shell (SSH), network scanning and Secure Copy Protocol (SCP) file transfer.

The authoring organizations urge users, network defenders, and stakeholders to review the malware analysis report for indicators of compromise (IOCs) and detection rules and signatures to determine system compromise. For more information about malware, see CISA’s Malware, Phishing, and Ransomware page. The joint MAR can also be read in full on the NCSC-UK website. Associated files relating to this report can also be accessed via the NCSC’s Malware Analysis Reports page. For more information on Russian state-sponsored cyber activity, please see CISA’s Russia Cyber Threat Overview and Advisories webpage.


August 30, 2023

Today, the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA), Identification and Disruption of QakBot Infrastructure, to help organizations detect and protect against newly identified QakBot-related activity and malware. QakBot—also known as Qbot, Quackbot, Pinkslipbot, and TA570—is responsible for thousands of malware infections globally.

Originally used as a banking trojan to steal banking credentials for account compromise, QakBot—in most cases—was delivered via phishing campaigns containing malicious attachments or links to download the malware, which would reside in memory once on the victim network. QakBot has since grown to deploy multiple types of malware, trojans, and highly-destructive ransomware variants targeting the United States and other global infrastructures, including the Election Infrastructure Subsector, Financial Services, Emergency Services, and Commercial Facilities Sectors.

CISA and FBI urge organizations to implement the recommendations contained within the joint CSA to reduce the likelihood of QakBot-related activity and promote identification of QakBot-facilitated ransomware and malware infections. To report incidents and anomalous activity, please contact one of the following organizations:

Organizations are also encouraged to visit CISA’s Malware, Phishing, and Ransomware and StopRansomware.gov pages. StopRansomware.gov provides a range of free U.S. government resources and services that can help bolster cyber hygiene, improve cybersecurity posture, and reduce ransomware risk, and it contains an updated Joint #StopRansomware Guide.


August 25, 2023

Today, the Cybersecurity and Infrastructure Security Agency (CISA) released its inaugural Vulnerability Disclosure Policy (VDP) Platform 2022 Annual Report, highlighting the service’s progress supporting vulnerability awareness and remediation across the Federal Civilian Executive Branch (FCEB). This report showcases how agencies have used the VDP Platform—launched in July 2021—to safeguard the FCEB and support risk reduction. The VDP platform gives federal agencies a single, user-friendly interface to intake vulnerability information and to collaborate with the public researcher community for vulnerability awareness and remediation.

CISA urges FCEB agencies to review the VDP Platform 2022 Annual Report and encourages use of the platform to promote good-faith security research if they are not already doing so. By promoting an agency’s VDP to the public security researcher community, the platform benefits users by harnessing researchers’ expertise to search for and detect vulnerabilities that traditional scanning technology might not find.

CISA is actively seeking to enhance future collaborations with the public security researcher community and welcomes participation and partnership.


CISA, NSA, and NIST Publish Factsheet on Quantum Readiness
August 22, 2023

Today, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA) and National Institute of Standards and Technology (NIST) released a joint factsheet, Quantum-Readiness: Migration to Post-Quantum Cryptography (PQC), to inform organizations—especially those that support Critical Infrastructure—of the impacts of quantum capabilities, and to encourage the early planning for migration to post-quantum cryptographic standards by developing a Quantum-Readiness Roadmap.

CISA, NSA, and NIST urge organizations to review the joint factsheet and to begin preparing now by creating quantum-readiness roadmaps, conducting inventories, applying risk assessments and analysis, and engaging vendors. For more information and resources related to CISA’s PQC work, visit Post-Quantum Cryptography Initiative.


CISA Releases JCDC Remote Monitoring and Management (RMM) Cyber Defense Plan
August 16, 2023

Today, CISA released the Remote Monitoring and Management (RMM) Cyber Defense Plan, the first proactive Plan developed by industry and government partners through the Joint Cyber Defense Collaborative (JCDC). This plan addresses systemic risks posed by the exploitation of RMM software. Cyber threat actors can gain footholds via RMM software into the servers of managed service providers (MSPs) or managed security service providers (MSSPs) and, by extension, can cause cascading impacts for the small and medium-sized organizations that are MSP/MSSP customers.

This release builds on the JCDC 2023 Planning Agenda and marks a major milestone in the continued evolution and maturation of the Collaborative as it carries out JCDC’s core functions:

  • Developing and coordinating cyber defense plans
  • Operational collaboration and cybersecurity information fusion
  • Producing and disseminating cyber defense guidance

Through this effort, CISA and partners across government and the private sector will take steps to measurably reduce some of the most significant cyber risks facing the global cyber community.

CISA encourages organizations to review JCDC’s RMM Strategic Cyber Defense Plan and 2023 Planning Agenda webpages. Visit CISA.gov/JCDC to learn about other ways JCDC is uniting the global cyber community in the collective defense of cyberspace.


CISA Releases its Cybersecurity Strategic Plan
August 4, 2023

Today, CISA released a strategic plan to lay out how we will fulfill our cybersecurity mission over the next three years. The CISA Cybersecurity Strategic Plan aligns the following nine objectives to specific enabling measures and measures of effectiveness to drive accountability:

  • Increase visibility into, and ability to disrupt, cybersecurity threats and campaigns
  • Coordinate disclosure of, hunt for, and drive mitigation of critical and exploitable vulnerabilities
  • Plan for, exercise, and execute joint cyber defense operations and coordinate the response to significant cybersecurity incidents
  • Understand how attacks really occur—and how to stop them
  • Drive implementation of measurably effective cybersecurity investments
  • Provide cybersecurity capabilities and services that fill gaps and help measure progress
  • Drive development of trustworthy technology products
  • Understand and reduce cybersecurity risks posed by emergent technologies
  • Contribute to efforts to build a national cyber workforce

Learn more about CISA’s Cybersecurity Strategic Plan at https://www.cisa.gov/cybersecurity-strategic-plan.


NSA, CISA Release Guidance on Security Considerations for 5G Network Slicing 

July 18, 2023

Today, the National Security Agency (NSA) and CISA published 5G Network Slicing: Security Considerations for Design, Deployment, and Maintenance. This guidance—created by the Enduring Security Framework (ESF), a public-private cross-sector working group led by the NSA and CISA—presents recommendations to address some identified threats to 5G standalone network slicing, and provides industry recognized practices for the design, deployment, operation, and maintenance of a hardened 5G standalone network slice(s). This guidance builds upon the 2022 ESF guidance Potential Threats to 5G Network Slicing.

CISA encourages 5G providers, integrators, and network operators to review this guidance and implement the recommended actions. For additional 5G guidance, visit CISA.gov/5G-library.


CISA Develops Factsheet for Free Tools for Cloud Environments

July 18, 2023

CISA has developed and published a factsheet, Free Tools for Cloud Environments, to help businesses transitioning to a cloud environment identify the tools and techniques necessary to protect critical assets and secure data. Free Tools for Cloud Environments provides network defenders and incident responders/analysts with open-source tools, methods, and guidance for identifying, mitigating, and detecting cyber threats, known vulnerabilities, and anomalies while operating in a cloud or hybrid environment.

Cloud service platforms and cloud service providers (CSPs) have developed built-in security capabilities that organizations can use to strengthen their security while operating in cloud environments. Organizations are encouraged to use the built-in security features from CSPs and to take advantage of free CISA- and partner-developed tools/applications to fill security gaps and complement existing security features. Publicly available PowerShell tools can help any network defender investigate and improve an organization’s security posture, including:

Note: These tools are highlighted and explained to assist with on-site investigation and remediation in cloud environments but are not all-encompassing and are provided for informational purposes only. CISA does not endorse any commercial product or service, including any subjects of analysis.

CISA encourages network defenders to take the measures above and consult the Free Tools for Cloud Environments factsheet to reduce the likelihood of a damaging cyber incident, detect malicious activity, respond to confirmed incidents, and strengthen resilience.


2023 CWE Top 25 Most Dangerous Software Weaknesses

June 28, 2023

The Homeland Security Systems Engineering and Development Institute, sponsored by the Department of Homeland Security and operated by MITRE, has released the 2023 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses. The CWE Top 25 is calculated by analyzing public vulnerability data in the National Vulnerability Database (NVD) for root cause mappings to CWE weaknesses over the previous two calendar years. These weaknesses lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, steal data, or prevent applications from working.

The 2023 CWE Top 25 also incorporates updated weakness data for recent CVE records in the dataset that are part of CISA’s Known Exploited Vulnerabilities Catalog (KEV).

CISA encourages developers and product security response teams to review the CWE Top 25 and evaluate recommended mitigations to determine those most suitable to adopt. Over the coming weeks, the CWE program will be publishing a series of further articles on the CWE Top 25 methodology, vulnerability mapping trends, and other useful information that help illustrate how vulnerability management plays an important role in Shifting the Balance of Cybersecurity Risk.


CISA and NSA Release Joint Guidance on Defending Continuous Integration/Continuous Delivery (CI/CD) Environments
June 28, 2023

Today, CISA, together with the National Security Agency (NSA), released a Cybersecurity Information Sheet (CSI) to provide recommendations and best practices for organizations to strengthen the security of their CI/CD pipelines against the threat of malicious cyber actors (MCAs).

Recognizing the various types of security threats that could affect CI/CD operations and taking steps to defend against each one is critical in securing a CI/CD environment. Organizations will find in this guide a list of common risks found in CI/CD pipelines and attack surfaces that could be exploited and threaten network security.

CISA and NSA encourage all organizations to review this CSI and apply the recommended actions.


Cyber Training Bulletin – June and July 2023

CSD Cyber Defense Education and Training (CDET) Offerings

Highlights: What You Want to Know

  • CISA has two new Notices of Funding Opportunities to announce:
    • The Cybersecurity Workforce Development and Training for Underserved Communities cooperative agreement is awarding up to $3 million to non-traditional training organizations capable of providing cybersecurity training resources and apprenticeship opportunities to individuals in underserved communities. Applications are now being accepted through July 6, 2023. Learn more about it here.
    • The Cybersecurity Education and Training Assistance Program (CETAP) is awarding $6.8 million to non-profits that seek to implement cybersecurity education and training in K-12 classrooms in all 50 states and U.S. territories. This funding seeks to bring awareness to students about cybersecurity at an early age so that they have the skills, knowledge and excitement needed to pursue a career in cybersecurity. Applications are being accepted through July 25, 2023. Learn more here.
  • In May and June, U.S. Executive Branch employees and contractors can participate in eleven CDM Dashboard courses, including the new CDM and Federal Mandates-Featuring how to use the CDM Dashboard to enable automated BOD-22-01 Reporting course. This course presents information regarding current federal cybersecurity directives, mandates and policies, and how they can be supported by the CDM Agency Dashboard. Featured prominently will be details on how to use the CDM Dashboard to enable automated BOD-22-01 Reporting.
  • CISA recently added a new set of training modules on ransomware prevention hosted in the Federal Virtual Training Environment (FedVTE). The modules provide an overview of ransomware and six preventative controls to help prevent ransomware attacks.

#StopRansomware Guide Released by NSA and Partners

May 24, 2023

To guide network defenders in protecting against the rapidly evolving ransomware tactics of malicious cyber actors, the National Security Agency (NSA) and several partners are publicly releasing the “#StopRansomware Guide” Cybersecurity Information Sheet (CSI) today.

Originally released in 2020 by the Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing and Analysis Center (MS-ISAC), the guidance was updated to include additional best practices and recommendations based on operational insight from CISA, MS-ISAC, NSA, and the Federal Bureau of Investigation (FBI).

Additional guidance includes recommendations for preventing common initial infection vectors, cloud backups, and Zero Trust Architecture (ZTA). These recommended practices align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CSI also expands the ransomware response checklist to include threat hunting tips for detection and analysis.

This report is part of the #StopRansomware effort initiated by CISA. Relatedly, in February 2023, NSA and several partners teamed up with the South Korean government to highlight malicious cyber actors’ use of ransomware to target critical infrastructure.

Read the full report here.



Cyber Training Bulletin – May and June 2023

CSD Cyber Defense Education and Training (CDET) Offerings

Highlights: What You Want to Know

  • In May and June, U.S. Executive Branch employees and contractors can participate in eleven CDM Dashboard courses, including the new CDM and Federal Mandates-Featuring how to use the CDM Dashboard to enable automated BOD-22-01 Reporting course. This course presents information regarding current federal cybersecurity directives, mandates and policies, and how they can be supported by the CDM Agency Dashboard. Featured prominently will be details on how to use the CDM Dashboard to enable automated BOD-22-01 Reporting.

CISA’s Cybersecurity Workforce Training for Underserved Communities and CyberWarrior

CISA’s non-traditional training program grantee, CyberWarrior, increases opportunity and economic mobility for people of all backgrounds through training, mentorship and technology. Through its CyberWarrior Academy, it delivers hands-on, intensive, lab-driven technical training in cybersecurity methods and procedures.

CyberWarrior Training Events through June 2023

Date         Audience         Course
05/18/2023   General Public   May Master Class – Ransomware (May Master Class | CyberWarrior.com)
06/15/2023   General Public   June Master Class – Social Engineering (June Master Class | CyberWarrior.com)
07/13/2023   General Public   July Master Class – DeepFakes (July Master Class | CyberWarrior.com)
08/17/2023   General Public   August Master Class – Open Source Intelligence (August Master Class | CyberWarrior.com)
09/14/2023   General Public   September Master Class – Incident Response (September Master Class | CyberWarrior.com)

To learn more or sign up, visit: https://www.cyberwarrior.com/cybersecurity-events/


05/01/2023 

The Federal Communications Commission (FCC) maintains a Covered List of communications equipment and services that the U.S. government has determined pose an unacceptable risk to the national security of the United States or to the security and safety of United States persons, pursuant to the Secure and Trusted Communications Networks Act of 2019.

As the 6th annual National Supply Chain Integrity Month concludes, CISA reminds all critical infrastructure owners and operators to take necessary steps in securing the nation’s most critical supply chains. CISA urges organizations to incorporate the Covered List into their supply chain risk management efforts, in addition to adopting recommendations listed in Defending Against Software Supply Chain Attacks—a joint CISA and NIST resource that provides guidance on using NIST’s Cyber Supply Chain Risk Management (C-SCRM) framework to identify, assess, and mitigate risks. All critical infrastructure organizations are also urged to enroll in CISA’s free Vulnerability Scanning service for assistance in identifying vulnerable or otherwise high-risk devices such as those on FCC’s Covered List.


04/28/2023

CISA has issued requests for comment on the Secure Software Self-Attestation Form. CISA, in coordination with the Office of Management and Budget (OMB), released proposed guidance on secure software. This guidance seeks to secure software leveraged by the federal government. CISA expects agencies to use this proposed form to reduce the risk to the federal environment, thereby implementing a standardized process for agencies and software producers that will create transparency on the security of software development efforts.

Visit CISA.gov/secure-software-attestation-form for more information and to review the document. The comment period is open until June 26, 2023. CISA is specifically requesting insight on the feasibility, clarity, and usefulness of the document. To submit a comment, click the comment box at the top of Regulations.gov.


Cyber Training Bulletin – April and May 2023

CSD Cyber Defense Education and Training (CDET) Offerings

Highlights: What You Want to Know

  • On Thursday, April 6, 2023, DHS invites college and university students, faculty and staff, law enforcement and alumni to learn how the U.S. Department of Homeland Security (DHS) empowers and builds resilience within campus communities during the DHS If You See Something, Say Something® public awareness campaign, Be Prepared and Resilient: DHS Tools to Promote Campus Safety webinar. The webinar will take place virtually via Zoom Webinar from 2:00 pm – 3:30 pm EDT. Hear from the DHS “If You See Something, Say Something®” campaign, National Threat Evaluation and Reporting Office, DHS Office for State and Local Law Enforcement, Cybersecurity & Infrastructure Security Agency, and Federal Emergency Management Agency. A question-and-answer session will follow the panel discussion. We welcome you to share this event with other students, faculty and staff, law enforcement and alumni in your organization and community. Note that registration is free yet required to attend this webinar, and additional details regarding agenda sessions will be distributed to registrants later. Click here to register.
  • In April and May, U.S. Executive Branch employees and contractors can participate in eleven CDM Dashboard courses, including the new CDM and Federal Mandates-Featuring how to use the CDM Dashboard to enable automated BOD-22-01 Reporting course. This course presents information regarding current federal cybersecurity directives, mandates and policies, and how they can be supported by the CDM Agency Dashboard. Featured prominently will be details on how to use the CDM Dashboard to enable automated BOD-22-01 Reporting.

JCDC Cultivates Pre-Ransomware Notification Capability
03/23/2023 

In today’s blog post, Associate Director of the Joint Cyber Defense Collaborative (JCDC) Clayton Romans highlighted recent successes of pre-ransomware notification and its impact in reducing harm from ransomware intrusions. With pre-ransomware notifications, organizations can receive early warning and potentially evict threat actors before they can encrypt and hold critical data and systems for ransom. Using this proactive cyber defense capability, CISA has notified more than 60 entities of early-stage ransomware intrusions since January 2023, including critical infrastructure organizations in the Energy, Healthcare and Public Health, Water and Wastewater Systems sectors, as well as the education community.

The pre-encryption ransomware notification was cultivated with the help of the cybersecurity research community and through CISA’s relationships with infrastructure providers and cyber threat intelligence companies.

For more information, visit #StopRansomware. To report early-stage ransomware activity, visit Report Ransomware. CISA also encourages stakeholders and network defenders to review associate director Romans’ post, Getting Ahead of the Ransomware Epidemic: CISA’s Pre-Ransomware Notifications Help Organizations Stop Attacks Before Damage Occurs, to learn more about CISA’s Pre-Ransomware Notification Initiative.


CISA and NSA Release Enduring Security Framework Guidance on Identity and Access Management
03/21/2023 

As part of the Enduring Security Framework (ESF), the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have released the Identity and Access Management Recommended Best Practices Guide for Administrators. These recommended best practices provide system administrators with actionable recommendations to better secure their systems against threats to Identity and Access Management (IAM).

IAM—a framework of business processes, policies, and technologies that facilitate the management of digital identities—ensures that users only gain access to data when they have the appropriate credentials. This paper provides recommended best practices and mitigations to counter threats to IAM related to:

  • identity governance
  • environmental hardening
  • identity federation/single sign-on
  • multifactor authentication
  • IAM auditing and monitoring

This guidance was developed and published by a CISA- and NSA-led working panel with ESF, a public-private cross-sector partnership that aims to address risks that threaten critical infrastructure and national security systems.


CISA Releases SCuBA Hybrid Identity Solutions Architecture Guidance Document for Public Comment
03/15/2023 

CISA has released a draft Secure Cloud Business Applications (SCuBA) Hybrid Identity Solutions Architecture guidance document for public comment. The request for comment period is open until April 17, 2023. Comments may be submitted to CyberSharedServices@cisa.dhs.gov.

In accordance with Executive Order 14028, CISA’s SCuBA project aims to develop consistent, effective, modern, and manageable security that will help secure agency information assets stored within cloud operations. This guidance will help federal civilian departments and agencies securely and efficiently integrate their traditional on-premises enterprise networks with cloud-based solutions.

CISA encourages federal program and project managers involved in identity management interoperability and vulnerability mitigation to review and provide comment. Visit CISA’s SCuBA project page for more information and to review the guidance document.


Cyber Training Bulletin – February and March 2023
CSD Cyber Defense Education and Training (CDET) Offerings

Highlights: What You Want to Know

  • A new category has been added to FedVTE under the Cybersecurity Courses called Non-Technical Cybersecurity. Some new courses that fall into this category include Cloud Monitoring, Critical Infrastructure Protection and Cybersecurity Investigations. To see the full list of available courses in this category, visit https://fedvte.usalearning.gov/courses_nontech_cybersecurity.php
  • CISA is offering the new Analysis of a Cyber Incident course on FedVTE. This three-module course teaches the beginner analyst how to develop the analytical skills and capabilities needed to handle a potential cyber incident — from analysis to reporting findings. This course is available to federal employees. For a full list of available courses on FedVTE for federal employees, please see the course catalog. For courses available to the public, please visit https://fedvte.usalearning.gov/public_fedvte.php
  • In February and March, U.S. Executive Branch employees and contractors can participate in eleven CDM Dashboard courses, including the new CDM and Federal Mandates-Featuring how to use the CDM Dashboard to enable automated BOD-22-01 Reporting course. This course presents information regarding current federal cybersecurity directives, mandates and policies, and how they can be supported by the CDM Agency Dashboard. Featured prominently will be details on how to use the CDM Dashboard to enable automated BOD-22-01 Reporting.

Today, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released joint Cybersecurity Advisory (CSA) #StopRansomware: Royal Ransomware to provide network defenders tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Royal ransomware variants. FBI investigations identified these TTPs and IOCs as recently as January 2023.

Royal ransomware attacks have spread across numerous critical infrastructure sectors including, but not limited to, manufacturing, communications, healthcare and public health (HPH), and education.

CISA encourages network defenders to review the CSA and to apply the included mitigations. See StopRansomware.gov for additional guidance on ransomware protection, detection, and response.


Original Release Date: February 23, 2023

CISA assesses that the United States and European nations may experience disruptive and defacement attacks against websites in an attempt to sow chaos and societal discord on February 24, 2023, the anniversary of Russia’s 2022 invasion of Ukraine. CISA urges organizations and individuals to increase their cyber vigilance in response to this potential threat.

In response to the heightened geopolitical tensions resulting from Russia’s full-scale invasion of Ukraine, CISA maintains public cybersecurity resources, including Shields Up—a one-stop webpage that provides resources to increase organizational vigilance and keep the public informed about current cybersecurity threats. CISA recommends that all organizations review and consider implementing the below guidance:


#StopRansomware – Ransomware Attacks on Critical Infrastructure Fund DPRK Espionage Activities
February 9, 2023

CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and the Republic of Korea’s Defense Security Agency and National Intelligence Service have released a joint Cybersecurity Advisory (CSA), Ransomware Attacks on Critical Infrastructure Fund DPRK Espionage Activities, to provide information on ransomware activity used by North Korean state-sponsored cyber actors to target various critical infrastructure sectors, especially Healthcare and Public Health (HPH) Sector organizations.

The authoring agencies urge network defenders to examine their current cybersecurity posture and apply the recommended mitigations in this joint CSA, which include:

  • Train users to recognize and report phishing attempts.
  • Enable and enforce phishing-resistant multifactor authentication.
  • Install and regularly update antivirus and antimalware software on all hosts.

See Ransomware Attacks on Critical Infrastructure Fund DPRK Espionage Activities for the ransomware actors’ tactics, techniques, and procedures, indicators of compromise, and recommended mitigations. Additionally, review StopRansomware.gov for more guidance on ransomware protection, detection, and response.

For more information on state-sponsored North Korean malicious cyber activity, see CISA’s North Korea Cyber Threat Overview and Advisories webpage.


CISA Releases ESXiArgs Ransomware Recovery Script
February 7, 2023

CISA has released a recovery script for organizations that have fallen victim to ESXiArgs ransomware. The ESXiArgs ransomware encrypts configuration files on vulnerable ESXi servers, potentially rendering virtual machines (VMs) unusable.

CISA recommends organizations impacted by ESXiArgs evaluate the script and guidance provided in the accompanying README file to determine if it is fit for attempting to recover access to files in their environment.

Organizations can access the recovery script here: https://github.com/cisagov/ESXiArgs-Recover


JCDC Announces 2023 Planning Agenda
January 26, 2023

Today, the Joint Cyber Defense Collaborative (JCDC) announced its 2023 Planning Agenda. This release marks a major milestone in the continued evolution and maturation of the collaborative’s planning efforts. JCDC’s Planning Agenda brings together government and private sector partners to develop and execute cyber defense plans that achieve specific risk reduction goals focused on systemic risk, collective cyber response, and high-risk communities.

Through this effort, CISA and partners across government and the private sector will take steps to measurably reduce some of the most significant cyber risks facing the global cyber community. This effort also aims to deepen our collaborative capabilities to enable more rapid action when the need arises.

CISA encourages organizations to review JCDC’s Planning Agenda webpage and CISA Executive Assistant Director Eric Goldstein’s blog post on this effort for a deeper understanding of the collaborative’s joint cyber defense plans. Visit CISA.gov/JCDC to learn about other ways JCDC is uniting the global cyber community in the collective defense of cyberspace.


CISA Updates Best Practices for Mapping to MITRE ATT&CK®
January 17, 2023

Today, CISA updated Best Practices for MITRE ATT&CK® Mapping. The MITRE ATT&CK® framework is a lens through which network defenders can analyze adversary behavior and, as CISA Executive Assistant Director Eric Goldstein noted in his June 2021 blog post on the framework, it directly supports “robust, contextual bi-directional sharing of information to help strengthen the security of our systems, networks, and data.” CISA highly encourages the cybersecurity community to use the framework because it provides a common language for threat actor analysis.

CISA coordinated this update of the best practices with the Homeland Security Systems Engineering and Development Institute™ (HSSEDI), a DHS-owned R&D center operated by MITRE. The update covers changes that the MITRE ATT&CK team made to the framework since CISA initially published the best practices in June 2021. The update also covers common analytical biases, mapping mistakes, and specific ATT&CK mapping guidance for industrial control systems (ICS).


NCSC-UK Releases Guidance on Using MSP for Administering Cloud Services
January 11, 2023

The United Kingdom’s National Cyber Security Centre (NCSC-UK) has released a blog post, Using MSPs to administer your cloud services, that provides organizations with security considerations for using a third party, such as a managed service provider (MSP), to administer cloud services. Contracting with an MSP for cloud service management has become an increasingly appealing option for organizations.

The post discusses the trade-offs involved as well as specific security checks organizations should make to confirm the MSP’s ability to defend against cyber threats.

CISA encourages organizations using MSPs for administering cloud services to implement the guidance NCSC-UK provides in the blog post.



CSD Cyber Defense Education and Training (CDET) Offerings

Highlights: What You Want to Know

  • A new category has been added to FedVTE under the Cybersecurity Courses called Non-Technical Cybersecurity. Some new courses that fall into this category include Cloud Monitoring, Critical Infrastructure Protection, and Cybersecurity Investigations. To see the full list of available courses in this category, visit https://fedvte.usalearning.gov/courses_nontech_cybersecurity.php
  • CISA is offering the new Analysis of a Cyber Incident course on FedVTE. This three-module course teaches the beginner analyst how to develop the analytical skills and capabilities needed to handle a potential cyber incident — from analysis to reporting findings. This course is available to federal employees. For a full list of available courses on FedVTE for federal employees, please see the course catalog. For courses available to the public, please visit https://fedvte.usalearning.gov/public_fedvte.php
  • In January and February, U.S. Executive Branch employees and contractors can participate in numerous CDM Dashboard courses, including the new CDM and Federal Mandates-Featuring how to use the CDM Dashboard to enable automated BOD-22-01 Reporting course. This course presents information regarding current Federal cybersecurity directives, mandates, and policies, and how they can be supported by the CDM Agency Dashboard. Featured prominently will be details on how to use the CDM Dashboard to enable automated BOD-22-01 Reporting.

December 8, 2022: CISA Releases Phishing Infographic

CISA published a Phishing Infographic to help protect both organizations and individuals from successful phishing operations. This infographic provides a visual summary of how threat actors execute successful phishing operations. Details include metrics that compare the likelihood of certain types of “bait” and how commonly each bait type succeeds in tricking the targeted individual. The infographic also provides detailed actions organizations and individuals can take to prevent successful phishing operations—from blocking phishing attempts to teaching individuals how to report successful phishing operations.



Incident Response

CISA offers no-cost, cybersecurity incident response training for government employees and contractors across federal, state, local, tribal, and territorial government, as well as educational and critical infrastructure partners. Course types include Awareness Webinars and Cyber Range Training. These courses provide valuable learning opportunities for everyone from cyber newbies to veteran cybersecurity engineers.

IR Training Events through January 2023

Date         Course Code   Registration Begins   Course                                    Hours
12/01/2022   IR 106        11/01/2022            Preventing DNS Infrastructure Tampering   1
12/08/2022   IR 108        11/08/2022            Understanding Indicators of Compromise    1
12/15/2022   IR 204        11/15/2022            Defending Internet Accessible Systems     4

To learn more or register visit: Incident Response Training | CISA


November 16, 2022: CISA and FBI Release Advisory on Iranian Government-Sponsored APT Actors Compromising Federal Network

Today, CISA and the Federal Bureau of Investigation (FBI) published a joint Cybersecurity Advisory (CSA), Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester. The CSA provides information on an incident at a Federal Civilian Executive Branch (FCEB) organization in which Iranian government-sponsored APT actors exploited a Log4Shell vulnerability in an unpatched VMware Horizon server.

The CSA includes a malware analysis report (MAR), MAR-10387061-1-v1 XMRig Cryptocurrency Mining Software, on the mining software that the APT actors used against the compromised FCEB network. The CSA also provides tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) obtained from the incident response as well as recommended mitigations.

CISA and FBI strongly recommend organizations apply the recommended mitigations and defensive measures, which include:

  • Updating affected VMware Horizon and unified access gateway (UAG) systems to the latest version.
  • Minimizing your organization’s internet-facing attack surface.
  • Exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in the CSA.
  • Testing your organization’s existing security controls against the ATT&CK techniques described in the CSA.

For additional information on malicious Iranian government-sponsored cyber activity, see CISA’s Iran Cyber Threat Overview and Advisories webpage and FBI’s Iran Threats webpage.


November 10, 2022: CISA Releases SSVC Methodology to Prioritize Vulnerabilities

Today CISA published its guide on Stakeholder-Specific Vulnerability Categorization (SSVC), a vulnerability management methodology that assesses vulnerabilities and prioritizes remediation efforts based on exploitation status, impacts to safety, and prevalence of the affected product in a singular system.

As stated in Executive Assistant Director (EAD) Eric Goldstein’s blog post Transforming the Vulnerability Management Landscape, implementing a methodology, such as SSVC, is a critical step to advancing the vulnerability management ecosystem. Additionally, the blog details advances—including CISA’s Known Exploited Vulnerabilities (KEV) catalog, Common Security Advisory Framework (CSAF) machine-readable security advisories, and the Vulnerability Exploitability eXchange (VEX)—that, used in conjunction with SSVC, will reduce the window cyber threat actors have to exploit networks.

CISA encourages organizations to read EAD Goldstein’s blog post and to use the following resources on the SSVC webpage to strengthen their vulnerability management processes:

  • CISA’s SSVC decision tree
  • SSVC Guide on using SSVC and the SSVC decision tree
  • SSVC Calculator for prioritizing vulnerability responses in an organization’s respective environment
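To make the prioritization idea concrete, the following is an added example (not CISA's SSVC Calculator or its published decision tree) that walks a simplified SSVC-style tree over the three factors the text names: exploitation status, impact to safety, and prevalence of the affected product. The outcome labels Track, Track*, Attend and Act are SSVC's; the branch outcomes, the three-level safety scale, the `Finding` record and the sample findings are assumptions constructed for this illustration, and CISA's real tree has additional decision points that are omitted here.

```python
from enum import Enum
from typing import List, NamedTuple, Tuple


class Exploitation(Enum):
    """Exploitation status of the vulnerability."""
    NONE = "none"      # no public exploit or exploitation reported
    POC = "poc"        # proof-of-concept code is public
    ACTIVE = "active"  # in-the-wild exploitation reported (e.g. a KEV catalog entry)


class SafetyImpact(Enum):
    """Impact to safety if exploited (assumed three-level scale for this example)."""
    MINOR = "minor"
    MAJOR = "major"
    HAZARDOUS = "hazardous"


class Prevalence(Enum):
    """How much the organization's mission depends on the affected product."""
    MINIMAL = "minimal"
    SUPPORT = "support"
    ESSENTIAL = "essential"


class Priority(Enum):
    """SSVC outcome labels, least to most urgent."""
    TRACK = "Track"
    TRACK_STAR = "Track*"
    ATTEND = "Attend"
    ACT = "Act"


class Finding(NamedTuple):
    name: str
    cvss: float
    exploitation: Exploitation
    safety: SafetyImpact
    prevalence: Prevalence


def ssvc_priority(exploitation: Exploitation, safety: SafetyImpact,
                  prevalence: Prevalence) -> Priority:
    """Walk a simplified decision tree. Branch outcomes are assumptions made for
    this illustration; CISA's published tree has more decision points."""
    if exploitation is Exploitation.NONE:
        # Nothing exploiting it yet: track it, and watch closely only where a
        # mission-essential product could cause hazardous outcomes.
        if prevalence is Prevalence.ESSENTIAL and safety is SafetyImpact.HAZARDOUS:
            return Priority.TRACK_STAR
        return Priority.TRACK
    if exploitation is Exploitation.POC:
        if prevalence is Prevalence.ESSENTIAL:
            return Priority.ACT if safety is SafetyImpact.HAZARDOUS else Priority.ATTEND
        return Priority.ATTEND if safety is SafetyImpact.HAZARDOUS else Priority.TRACK_STAR
    # Active exploitation: at least Attend; Act when the product is essential or
    # exploitation affects safety beyond a minor degree.
    if prevalence is Prevalence.ESSENTIAL or safety is not SafetyImpact.MINOR:
        return Priority.ACT
    return Priority.ATTEND


# Lower number = more urgent; used only to order the remediation queue.
URGENCY = {Priority.ACT: 0, Priority.ATTEND: 1, Priority.TRACK_STAR: 2, Priority.TRACK: 3}


def prioritize(findings: List[Finding]) -> List[Tuple[str, str]]:
    """Return (finding name, priority label) pairs, most urgent first; within the
    same priority the higher CVSS base score is listed first."""
    scored = [(f, ssvc_priority(f.exploitation, f.safety, f.prevalence)) for f in findings]
    scored.sort(key=lambda fp: (URGENCY[fp[1]], -fp[0].cvss))
    return [(f.name, p.value) for f, p in scored]


# Constructed sample findings: names and CVSS scores are illustrative, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("internal-wiki-xss", 9.8, Exploitation.NONE, SafetyImpact.MINOR, Prevalence.MINIMAL),
    Finding("vpn-gateway-rce", 7.2, Exploitation.ACTIVE, SafetyImpact.MAJOR, Prevalence.ESSENTIAL),
    Finding("hmi-auth-bypass", 6.5, Exploitation.POC, SafetyImpact.HAZARDOUS, Prevalence.ESSENTIAL),
    Finding("build-server-dos", 7.5, Exploitation.ACTIVE, SafetyImpact.MINOR, Prevalence.SUPPORT),
]

if __name__ == "__main__":
    for name, priority in prioritize(SAMPLE_FINDINGS):
        print(f"{priority:<7} {name}")
```

Run on the constructed sample, the CVSS 9.8 finding with no known exploitation lands at the bottom of the queue, while the actively exploited 7.2 on a mission-essential gateway lands at the top, which is the ordering difference between a severity-only score and a stakeholder-specific decision tree.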

Nov. 7, 2022: CSD Cyber Defense Education and Training (CDET) Offerings

Highlights: What You Want to Know

  • CISA will host the 200th Industrial Control Systems Cybersecurity (301L) course on November 7th! This is a four-day, instructor-led, hands-on lab that is taught at a training facility in Idaho Falls, Idaho, USA. This course has a full day capstone activity dedicated to a Red Team versus Blue Team exercise. To register, please visit https://www.cisa.gov/uscert/ics/Calendar
  • A new category has been added to FedVTE under the Cybersecurity Courses called Non-Technical Cybersecurity. Some new courses that fall into this category include Cloud Monitoring, Critical Infrastructure Protection, and Cybersecurity Investigations. To see the full list of available courses in this category, visit https://fedvte.usalearning.gov/courses_nontech_cybersecurity.php
  • CISA now offers a new Analysis of a Cyber Incident course on FedVTE. This three-module course teaches the beginner analyst how to develop the analytical skills and capabilities needed to handle a potential cyber incident — from analysis to reporting findings. This course is available to federal employees. For a full list of available courses on FedVTE for federal employees, please see the course catalog. For courses available to the public, please visit https://fedvte.usalearning.gov/public_fedvte.php
  • In November and December, U.S. Executive Branch employees and contractors can participate in numerous CDM Dashboard courses, including the new CDM and Federal Mandates- Featuring how to use the CDM Dashboard to enable automated BOD-22-01 Reporting course. This course presents information regarding current Federal cybersecurity directives, mandates, and policies, and how they can be supported by the CDM Agency Dashboard. Featured prominently will be details on how to use the CDM Dashboard to enable automated BOD-22-01 Reporting.

CISA Upgrades to Version 2.0 of Traffic Light Protocol in One Week – Join Us!

October 25, 2022

On Nov. 1, 2022, CISA will upgrade from Traffic Light Protocol (TLP) 1.0 to TLP 2.0 in accordance with the recommendation by the Forum of Incident Response Security Teams (FIRST) that organizations move to 2.0 by the end of 2022. TLP Version 2.0 brings the following key updates:

  • TLP:CLEAR replaces TLP:WHITE for publicly releasable information.
  • TLP:AMBER+STRICT supplements TLP:AMBER, clarifying when information may be shared with the recipient’s organization only.

CISA encourages all network defenders and partners to upgrade to TLP Version 2.0 to facilitate greater information sharing and collaboration. For more information see:


Cybersecurity Awareness Month 2022: CISA Mid-Campaign Announcement

Hello Campaign Partners and Friends,

Cybersecurity Awareness Month is in full swing! Our next focus is on cyber careers, and you can get involved by participating in: The National Initiative for Cybersecurity and Education’s (NICE) Cybersecurity Career Awareness Week from October 17-22.

CISA focuses on building a cyber aware public and introducing them to cyber careers from an early age. We do this through a variety of training programs for educators, the federal cyber workforce and critical infrastructure operators, as well as non-traditional training opportunities to help bring skilled professionals into the workforce quicker than traditional pathways. With these resources, CISA strives to reach those who may not have access to training in underserved communities. Some of the key resources for Cybersecurity Career Awareness Week include:


We will continue to share our campaign theme, See Yourself in Cyber, and the four action steps below:

  1. Enable Multi-Factor Authentication
  2. Use Strong Passwords – see this week’s focus below!
  3. Recognize and Report Phishing
  4. Update Your Software

Get involved by:

  • Amplifying messages through emails, blogs, and social media.
  • Using the CISA and NCA Cybersecurity Awareness Month websites’ resources and information to create your own outreach campaign.
  • Connecting with peers, families, friends and your communities as cybersecurity awareness ambassadors, sharing how we can all See Ourselves in Cyber.