PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
NCSC and partners issue warning about state-sponsored cyber attackers hiding on critical infrastructure networks
Enabling Threat-Informed Cybersecurity: Evolving CISA’s Approach to Cyber Threat Information Sharing
One of CISA’s most important and enduring roles is providing timely and actionable cybersecurity information to our partners across the country. Nearly a decade ago, CISA stood up our Automated Indicator Sharing, or AIS, program to widely exchange machine-readable cyber threat information. We know that the only constant in cybersecurity is change, and we’re evolving our information sharing approaches to maximize value to our partners and keep pace with a changing threat environment.
How Did We Get Here?
Every day, CISA evaluates the cyber threat environment, considers the impact of known vulnerabilities, and assesses the defensive posture of entities across our Nation to determine how we can most effectively safeguard critical infrastructure and government networks. Our insight is derived from a variety of sources to include classified and open-source reporting; operational collaboration with government and industry partners; findings from CISA assessments and incident response; and from information shared by members of our broad cybersecurity community through mechanisms such as AIS.
CISA then translates these insights into timely and relevant information. We share information broadly on a global scale, through alerts, advisories, and our Known Exploited Vulnerabilities catalog. We enrich our shared services and cyber capabilities with cyber threat information (CTI). And we leverage these insights to design and prioritize new cyber capabilities for programs such as Continuous Diagnostics and Mitigation (CDM). Across the board, CISA incorporates our unique insights of the global cyber threat environment into everything we offer to provide value to our partners.
While these threat-informed products and capabilities are important to many of our stakeholders, we know that organizations also benefit from receiving cyber threat information to shape investment decisions and prioritize mitigation actions. It is not enough to monitor broad cyber threats generally; organizations must apply threat information to their own risk and technology environments. AIS was established to satisfy legislative requirements and to provide stakeholder communities with a cost-effective means by which to exchange cyber threat indicators and defensive measures with CISA and, in doing so, with thousands of cybersecurity practitioners across the country and with partners across the globe. When it was first established, AIS was a novel model that helped many organizations around the world. But now, it’s time for a change.
Where Are We Going?
As the cyber threat environment evolves, so must our capabilities to analyze and share cyber threat information. When AIS was first designed, the U.S. Government was focused on filling an identified gap in cyber threat intelligence for many organizations and ensuring strong privacy controls. In the early days of AIS, the priority was speed. A decade later, the cybersecurity industry has matured substantially; current products and services are addressing information requirements for most organizations and, in an era of information overload, practitioners still require speed but value context, precision, and tailored insights over volume and velocity alone.
In 2024, CISA will begin a strategic effort to modernize our approach to enterprise cyber threat information sharing. This effort will drive three key areas of progress:
- Simplification: We will refocus and consolidate our customer-facing cyber threat intelligence offerings under a new initiative called Threat Intelligence Enterprise Services (TIES). The TIES Exchange Platform will unify our information sharing capabilities under a single banner for federal agencies and certain user communities, enabling streamlined provision of cyber threat information from our partners and commercial sources. This will offer a common view which will facilitate communications and enable threat-specific engagement. As we design and implement this central solution, CISA is working in parallel to modernize our AIS capability which, in the future, will further complement CISA-curated threat feeds made available by this shared service platform.
- Partner-Centered Design: Throughout this process, we will be driven by the requirements of our partners, including federal agencies, critical infrastructure organizations, and state, local, tribal, territorial governments, to ensure that we are adding value rather than duplicating capabilities. We will continuously seek feedback and ensure that the platform itself is built around human-centered design principles to enable ease-of-use even for under-resourced organizations.
- Learning from Experience: We will rigorously learn from known challenges with the legacy AIS system: we know that it must be easy to both share and receive, that shared information must have sufficient context to enable prioritized action; and that every participant must recognize meaningful value that is additive to existing cybersecurity capabilities. At the same time, we will build upon the successes of the AIS program, including a rigorous focus on privacy and confidentiality by design.
What to Expect Next?
CISA's goal is to facilitate collective, automated cyber defense through increased sharing and context, shaped by an acute understanding of the threat environment. While CISA implements this transition over the next two years, the AIS program will remain available, and we encourage users to continue leveraging this capability and actively share indicators back with CISA.
The shared visibility into cyber threats is our best defense. When an organization identifies threat activity and keeps it to itself, our adversaries win. When we rapidly share actionable information across a community of partners, we take back the advantage. And, when we turn actionable information into strategic investments to drive the most important mitigations, we achieve enduring change. In this new year, we encourage every organization to make a commitment- perhaps a New Year’s resolution- to cybersecurity information sharing, including incident information, indicators of compromise, or even feedback and insights that could benefit peers across the Nation. We look forward to sharing more details about TIES and our cyber threat exchange modernization initiatives throughout the year.
Report provides recommended actions and mitigation strategies for HPH sector, critical infrastructure and software manufacturers
The Cybersecurity and Infrastructure Security Agency (CISA) published a Cybersecurity Advisory (CSA), Enhancing Cyber Resilience: Insights from the CISA Healthcare and Public Health Sector Risk and Vulnerability Assessment, detailing the agency’s key findings and activities during a Risk and Vulnerability Assessment (RVA) conducted at a healthcare and public health (HPH) organization in early 2023. The advisory also provides network defenders and software manufacturers recommendations for improving their organizations’ and customers’ cyber posture, which reduces the impact of follow-on activity after initial access.
The CISA assessments team identified several findings as potentially exploitable vulnerabilities that could compromise the confidentiality, integrity, and availability of the tested environment. Tailored for HPH organizations of all sizes as well as for all critical infrastructure organizations, the advisory provides several recommended mitigations mapped to 16 specific cybersecurity weaknesses identified during the RVA. Also, the advisory provides three mitigation strategies that all organizations should implement: (1) Asset management and security, (2) Identity management and device security, and (3) Vulnerability, patch, and configuration management. Each strategy has specific focus areas with details and steps on how HPH entities can implement them to strengthen their cybersecurity posture.
“Exposure of common vulnerabilities and insecure configurations can result in detrimental cyber activity for U.S. healthcare organizations, such as ransomware, data breaches, or denial-of-service. The intent of this advisory is to help organizations maintain the availability, confidentiality, and integrity of their critical healthcare and public health systems, functions, and data,” said CISA Deputy Director Nitin Natarajan. “Adversaries and criminals will continue to target organizations seen as target rich, cyber poor. To reduce the burden of cybersecurity on customers, manufacturers of HPH technology products should implement the recommended actions in the advisory that are aligned to our Principles and Approaches for Secure by Design Software white paper. Also, we strongly encourage healthcare entities and all organizations to review this advisory, implement the mitigations and enroll in our vulnerability scanning service which can further help reduce cyber risk.”
This advisory builds on the CISA and Health and Human Services Healthcare Cybersecurity Toolkit and CISA’s Mitigation Guide for HPH Sector that were recently released. The recommended mitigations for network defenders are mapped to the Cross-Sector Cybersecurity Performance Goals (CPGs).
The recommended actions for software manufacturers are aligned to the recently updated, Principles and Approaches for Secure by Design Software, a joint guide co-sealed by 18 U.S. and international agencies. It urges software manufacturers to take urgent steps necessary to design, develop, and deliver products that are secure by design.
Europol, law enforcement authorities from 17 countries and the European Union Agency for Cybersecurity (ENISA) have joined forces with the private sector partners, including Group-IB and Sansec, to fight digital skimming attacks.
With the support of national Computer Security Incident Response Teams (CSIRT), the two-month action has enabled Europol and its partners to notify 443 online merchants that their customers’ credit card or payment card data had been compromised. This action, led by Greece, falls under the EMPACT priority, which targets the criminals behind online fraud schemes.
Digital skimming is the act of stealing credit card information or payment card data from customers of an online store. Criminals use sophisticated information technology to intercept data during the online checkout process, without customers or online merchants noticing anything unusual.
Data theft often goes unnoticed
Digital skimming attacks can go undetected for a long time. Payment or credit card information stolen as a result of these criminal acts is often offered for sale on illicit marketplaces on the darknet. Customers are usually not aware that their payment details have been compromised until the criminals have already used them to carry out an unauthorised transaction. Generally, it is difficult for customers to find the point of compromise.
Europol is participating in the digital skimming action with the aim of informing affected e-commerce platforms and other online merchants that they have been unintentional points of compromise for such stolen payment data. Europol, national law enforcement authorities, national Computer Security Incident Response Teams and trusted private industry partners identify affected online merchants and provide technical support to these platforms to resolve the issues and protect future customers.
NCCoE Announces Technology Collaborators for Responding to and Recovering from a Cyber Attack: Cybersecurity for the Manufacturing Sector Project
The NCCoE has invited technology providers and industry experts from Amazon Web Services, Cisco, Dragos, Garland Technology, Inductive Automation, Qcor, Rockwell, Siemens, TDI Technologies, and Tenable to collaborate on the Responding to and Recovering from a Cyber Attack: Cybersecurity for the Manufacturing Sector project.
These collaborators will work with the NCCoE project team to demonstrate a practical solution to assist organizations in detecting, responding, and recovering from a cyber incident within an operational technology environment.
The result will be a freely available NIST Cybersecurity Practice Guide that includes a reference design and a detailed description of the practical steps needed to implement the solution based on the NIST Cybersecurity Framework and industry standards and best practices.
Each of these organizations responded to a notice in the Federal Register to submit capabilities that aligned with desired solution characteristics for the project. The accepted collaborators were extended a Cooperative Research and Development Agreement, enabling them to participate in a consortium in which they will contribute expertise and hardware or software to help refine a reference design and build example standards-based solutions.
The Cybersecurity and Infrastructure Security Agency (CISA) has published a Request for Information from all interested parties on secure by design software practices, including the Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software whitepaper, as part of its ongoing, collective secure by design campaign across the globe.
To better inform CISA’s Secure by Design campaign, CISA and its partners seek information on a wide range of topics, including the following:
- Incorporating security early into the software development life cycle (SDLC): What changes are needed to allow software manufacturers to build and maintain software that is secure by design, including smaller software manufacturers? How do companies measure the dollar cost of defects in their SDLC?
- Security is often relegated to be an elective in education: What are some examples of higher education incorporating foundational security knowledge into their computer science curricula; When new graduates look for jobs, do companies evaluate security skills, knowledge, and experience during the hiring stage, or are employees reskilled after being hired?
- Recurring vulnerabilities: What are barriers to eliminating recurring classes of vulnerability; how can we lead more companies to identify and invest in eliminating recurring vulnerabilities; how could the common vulnerabilities and exposures (CVE) and common weakness enumeration (CWE) programs help?
- Operational technology (OT): What incentives would likely lead customers to increase their demand for security features; Which OT products or companies have implemented some of the core tenants of secure by design engineering?
- Economics of secure by design: What are the costs to implement secure by design and default principles and tactics, and how do these compare to costs responding to incidents and breaches?
“While we have already received a wide range of feedback on our secure by design campaign, we need to incorporate the broadest possible range of perspectives,” said CISA Director Jen Easterly. Our goal to drive toward a future where technology is safe and secure by design requires action by every technology manufacturer and clear demand by every customer, which in turn requires us to rigorously seek and incorporate input. The President’s National Cybersecurity Strategy calls for a fundamental shift in responsibility for security from the customer to software manufacturers, and input from this RFI will help us define our path ahead, including updates to our joint seal Secure by Design whitepaper.
Co-sealed by 18 U.S. and international agencies, our recent Secure by Design guidance strongly encourages every software manufacturer to build products in a way that reduces the burden of cybersecurity on customers. More recently, CISA launched a new series of Secure by Design Alerts outlining the real-world harms that result from technology products that are not secure by design.
With its partners, CISA encourages technology manufacturers and all interested stakeholders to review the Request for Information and provide written comment on or before 20 February 2024. Instructions for submitting comment are available in the Request for Information. The feedback on current analysis or approaches will help inform future iterations of the whitepaper and our collaborative work with the global community.