JCDC Working and Collaborating to Build Cyber Defense for Civil Society and High-Risk Communities

Last fall, the Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (UK-NCSC) held the first international convening of the Strategic Dialogue on Cybersecurity of Civil Society Under Threat of Transnational Repression. With the eight convened countries, we discussed options to advance the cybersecurity of civil society and calibrate our agencies’ support to the communities at highest risk. The second meeting is planned for May 2024.
Recently, CISA participated in the third Summit for Democracy in Seoul, South Korea, as part of our continuing commitment to counter cybersecurity threats against civil society. In alignment with this summit and our strategic dialogue work, CISA is providing a suite of resources on our new High-Risk Communities webpage today to help civil society organizations with bolstering their cyber defense and resilience.
These resources are the product of a year-long effort spearheaded by the Joint Cyber Defense Collaborative in partnership with industry and civil society. Informed by the unique expertise and experiences of our civil society and industry partners, these resources directly respond to the unique threat profile and operational realities of high-risk organizations that are targeted by sophisticated threat actors.
As leaders of high-risk organizations know all too well, operating a robust cybersecurity program can be costly. And many sources of funding do not account for the cost of hiring and retaining information security professionals or implementing effective cybersecurity solutions. At the same time, civil society organizations and their affiliates are at heightened risk of becoming targets of Advanced Persistent Threats – and cybersecurity incidents that lead to disruptions in their work can have dire ramifications for the vulnerable communities they serve.
Here are some of the resources that CISA released today as part of its cyber defense plan to support civil society organizations:
1. Launch a CISA.gov Webpage for High-Risk Communities.
CISA’s High-Risk Communities webpage serves as a one-stop-shop for cybersecurity guidance and free or discounted tools and resources that are tailored to meet the needs of high-risk organizations that want to improve their cybersecurity baseline while operating with limited resources.
2. Release Project Upskill: CISA’s Tailored Cybersecurity Guidance for High-Risk Communities.
Research from the CyberPeace Institute shows that less than 15 percent of non-governmental civil society organizations have cybersecurity experts on their staff and 33 percent do not have dedicated IT or security resources available to secure their individual employees, let alone the enterprise. That means employees at high-risk organizations serve as the first line of defense against malicious cyber actors that seek to disrupt operations or conduct reconnaissance.
Project Upskill is designed to arm individuals employed by or supporting high-risk organizations with simple steps to meaningfully improve their cyber hygiene. We crafted it to be accessible to a non-technical audience so that all individuals across civil society are empowered to support their own cyber defense.
The steps outlined in this new resource are not a “silver bullet” against cyber intrusions; however, they can make it more difficult and costly for malign cyber actors to target individuals and the organization.
3. Highlight Free Tools & Services for Mission-Based Organizations.
Collectively, a wide array of free or discounted tools and services are available to high-risk communities. For example, certain organizations can apply to receive free cybersecurity protection under Cloudflare’s Project Galileo. Individuals who enroll in Google’s Advanced Protection Program (free to the public) benefit from additional account safeguards, including enhanced protection against phishing attempts and harmful downloads. Organizations seeking guidance on how to harden their enterprise will benefit from visiting the Global Cyber Alliance’s Cybersecurity Toolkit for Mission-Based Organizations, and high-risk individuals and organizations can turn to Access Now’s Digital Security Helpline for support with incident response if they believe they have been compromised.
All of these resources, and more, are located on CISA’s High-Risk Communities webpage.
4. Help Prospective Volunteers Connect with their Local Cyber Volunteer Clinic.
Across the United States, academic institutions, non-profits, and municipalities are setting up cybersecurity clinics and volunteer corps to provide free, hands-on support for incident response and resilience building.
High-risk organizations often qualify for support from these volunteer clinics. Therefore, CISA is building a webpage that will have information about the cyber volunteer programs across the country. Our intent is to help build capacity by providing a centralized place for prospective volunteers to learn about prerequisites and application processes for joining their local cyber volunteer program, and help qualifying organizations learn how to obtain assistance.
At the third Summit for Democracy, Secretary of State Antony Blinken stated, “As authoritarian and repressive regimes deploy technologies to undermine democracy and human rights, we need to ensure that technology sustains and supports democratic values and norms.” We believe that through the work initiated by this partnership across civil society, technology companies, the US government, and international partner governments, we are contributing to a rights-respecting digital world.

CISA Announces Malware Next-Gen Analysis

The Cybersecurity and Infrastructure Security Agency (CISA) has announced a new release of our malware analysis system, called Malware Next-Gen, which allows any organization to submit malware samples and other suspicious artifacts for analysis. Malware Next-Gen allows CISA to more effectively support our partners by automating analysis of newly identified malware and enhancing cyber defense efforts.
Timely, actionable intelligence on malware, such as how it works and what it is designed to do, is crucial to network defenders conducting potential cyber incident response and/or threat hunts. Malware Next-Gen provides advanced and reliable malware analysis on a scalable platform, capable of meeting the increasing demands of future workloads. The integrated system provides CISA analysts and operations community members with multilevel containment capabilities for the automatic analysis of potentially malicious files or uniform resource locators (URLs).
“Effective and efficient malware analysis helps security professionals detect and prevent malicious software from enabling adversary access to persistence within an organization. Malware Next-Gen is a significant leap forward in CISA's commitment to enhancing national cybersecurity,” said CISA Executive Assistant Director for Cybersecurity Eric Goldstein. “Our new automated system enables CISA’s cybersecurity threat hunting analysts to better analyze, correlate, enrich data, and share cyber threat insights with partners. It facilitates and supports rapid and effective response to evolving cyber threats, ultimately safeguarding critical systems and infrastructure.”
Since November, Malware Next-Gen has been available to .gov and .mil organizations. Nearly 400 registered users have submitted more than 1,600 files, resulting in the identification of approximately 200 suspicious or malicious files and URLs, which were quickly shared with partners. While members of the public may submit a malware sample, only authorized, registered users are able to receive analytical results from submissions.

JCDC Builds Foundation for Pipelines Cyber Defense Planning Effort

Businesses, communities, and families across America depend on the reliable availability of oil and natural gas for countless functions of everyday life. Recognizing the criticality of the oil and natural gas (ONG) subsector to our shared security and prosperity, over 25 ONG organizations, with an emphasis on high-throughput midstream natural gas pipeline owner-operators, and their industrial control systems (ICS) vendors convened through the Joint Cyber Defense Collaborative (JCDC) to undertake the 2023 JCDC Pipelines Cyber Defense Planning Effort.

The 2023 JCDC Pipelines Cyber Defense Planning Effort was a novel approach to bring together pipeline owner-operators and their ICS vendors, in partnership with the Transportation Security Administration and Department of Energy, to address shared challenges – whether ransomware incidents like the 2021 intrusion into Colonial Pipeline or persistent targeting by threat actors like the People’s Republic of China who possess the capability to disrupt natural gas pipelines, as highlighted in the ODNI 2023 Annual Threat Assessment. An effective response to these threats demands public-private collaboration efforts to defend pipeline networks against compromise and ensure that they continue to function in a worst-case scenario.

This effort resulted in a detailed by-industry, for-industry network architecture diagram and adjoining principles, the ONG Pipelines Reference Architecture. Pipeline owner-operators and ICS vendors built this architecture to serve as a voluntary model to guide their investment, planning, and operations as they work to better segment their networks and mitigate intrusion campaigns. The ONG Pipelines Reference Architecture offers practical guidance for stepping up risk management and showcases the interplay between network segmentation, multi-factor authentication (MFA), external dependencies, and critical field devices.

By organizing collaboration between midstream pipeline owner-operators and ICS vendors, this cyber defense planning effort laid a foundation for industry to proactively take transformative steps to harden the digital networks that run our nation’s largest natural gas pipelines against compromise. It is an example of the vision first established by the Cyberspace Solarium Commission and codified by Congress to catalyze cyber defense planning that yields real change in our nation’s cybersecurity.

IACIPP Announces Launch of ‘CIP WEEK’ in Europe

The International Association of Critical Infrastructure Protection Professionals (IACIPP) has announced the launch of ‘Critical Infrastructure Protection Week’ in Europe as part of an initiative focused on enhancing collaboration and cooperation within the industry.
The Critical Entities Resilience Directive (CER Directive), whose implementation is imminent, lays down obligations on EU Member States to take specific measures to ensure that essential services and infrastructures, for the maintenance of vital societal functions or economic activities, are provided in an unobstructed manner in the internal market. Member States shall adopt and publish the measures necessary to comply with this Directive by the deadline of 17th October 2024.
The NIS2 Directive, also known as the Network and Information Security Directive, is also a significant piece of legislation being implemented by 17th October 2024, aimed at improving cyber security and protecting critical infrastructure across the European Union (EU).
It builds upon the previous NIS Directive, addressing its shortcomings and expanding its scope to enhance security requirements, reporting obligations, and crisis management capabilities.
Compliance with the CER Directive and NIS2 Directive is crucial for businesses operating in the EU to safeguard their systems, mitigate threats, and ensure resilience. Penalties are enforceable on agencies and operators for non-compliance.
In light of the forthcoming challenges with the Directives, and the ever increasing threats against European critical infrastructures, IACIPP is launching ‘CIP Week’ in Europe to help raise awareness and promote greater collaboration amongst operators, agencies and the CI security community.
The first ‘Critical Infrastructure Protection Week’ will take place in Madrid, Spain, and will see IACIPP host the ‘Critical Infrastructure Protection & Resilience Europe’ conference and exhibition and the ‘EU-CIP Horizon Project’ conference as the first two events of the initiative. Additional events are expected to be announced as part of CIP Week in due course.
John Donlon QPM, Chairman of The International Association of Critical Infrastructure Protection Professionals, said, “IACIPP is delighted to be announcing this new initiative in Europe, with the important aim of encouraging greater information sharing, collaboration and co-operation within the industry.”
“The CER and NIS2 Directives are two of the most important pieces of legislation to arrive in Europe in recent years, and IACIPP along with other professional bodies have a degree of concern over the lack of preparation of some of the operators and agencies for the October deadline, and believe more needs to be done to ensure these minimum standards are met, and indeed exceeded in subsequent years.”
“We are delighted the ‘Critical Infrastructure Protection & Resilience Europe’ conference and exhibition and ‘EU-CIP Horizon Europe Project’ conference are the first two events to contribute towards CIP Week, which we aim to be an annual event. Madrid is an excellent location for the launch of this program, with the CN-PIC driving Spain’s efforts to meet the Directives’ deadlines and be prepared,” added Mr Donlon.
Critical Infrastructure Protection & Resilience Europe (CIPRE) is the premier conference in Europe to discuss the operational threats and challenges, delivering thought leadership and strategies for operators and agencies to plan security and resilience for their operations and assets.
The EU-CIP Horizon Europe Project is set up to establish a novel pan-European knowledge network for Resilient Infrastructures, which will enable policy makers to shape and produce data-driven, evidence-based policies, while boosting the innovation capacity of Critical Infrastructure (CI) operators, authorities, and innovators (including SMEs).
Emilia Gugliandolo, Project Coordinator of EU-CIP, said, “The EU-CIP Project is delighted to be invited as part of the CIP Week initiative, enabling greater opportunities for the industry to explore the challenges and opportunities for bringing about synergetic, emerging disruptive solutions to security issues via cross-projects collaboration and innovation. We look forward to successful collaborations between the sectors and professionals in achieving the overall goals for the industry.”
IACIPP is an international association of practitioners and professionals involved in the security, resilience and safety of critical infrastructure, both physical and information infrastructure, open to critical infrastructure operators and government agencies, including site managers, security officers, government agency officials, policy makers, and research & academia. The Association also aims to share ideas, information, experiences, technology and best practice to enhance these objectives.
IACIPP is inviting the industry to join in CIP Week in Madrid on 12th-14th November 2024.

NCCoE Publishes Final NIST IR 8432, Cybersecurity of Genomic Data

The NIST National Cybersecurity Center of Excellence (NCCoE) has published the Final NIST IR 8432, Cybersecurity of Genomic Data. This report summarizes the current practices, challenges, and proposed solutions for securing genomic data, as identified by genomic data stakeholders from industry, government, and academia. This effort is informed by direction from Congress, the White House, and NIST's existing expertise in genomics as well as cybersecurity.

NCCoE Guidance: CSF Profile for Genomic Data

Following the findings from NIST IR 8432, the NCCoE released Draft NIST IR 8467, Cybersecurity Framework (CSF) Profile for Genomic Data. This CSF Profile provides voluntary, actionable guidance to help organizations manage, reduce, and communicate cybersecurity risks for systems, networks, and assets that process any type of genomic data.

New Privacy Framework Profile

NCCoE is currently addressing the broader privacy landscape for genomic data by creating the Privacy Framework Profile for Genomic Data. The Privacy Framework Profile, developed using the NIST Privacy Framework, is intended to supplement the CSF Profile, as well as existing security and privacy guidelines and standards. This will be NIST's first Privacy Framework Profile, scheduled for public release in 2024.

Why Genomic Data?

Genomic data, including deoxyribonucleic acid (DNA) sequences, variants, and gene activity, has fueled the rapid growth of the U.S. bioeconomy. However, this valuable information is subject to cybersecurity and privacy concerns that are inadequately addressed with current policies, guidance documents, and technical controls. NCCoE's forthcoming guidance aims to help organizations assess, tailor, and prioritize their risk mitigation strategies and cyber investments for genomic data.

PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) assess that People’s Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.
Actions to take today to mitigate Volt Typhoon activity:
• Apply patches for internet-facing systems. Prioritize patching critical vulnerabilities in appliances known to be frequently exploited by Volt Typhoon.
• Implement phishing-resistant MFA.
• Ensure logging is turned on for application, access, and security logs and store logs in a central system.
CISA, NSA, FBI and partners released this advisory to warn critical infrastructure organizations about this assessment, which is based on observations from the U.S. authoring agencies’ incident response activities at critical infrastructure organizations compromised by the PRC state-sponsored cyber group known as Volt Typhoon (also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus).
The U.S. authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations—primarily in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors—in the continental and non-continental United States and its territories, including Guam. Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions. The U.S. authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts. CCCS assesses that the direct threat to Canada’s critical infrastructure from PRC state-sponsored actors is likely lower than that to U.S. infrastructure, but should U.S. infrastructure be disrupted, Canada would likely be affected as well, due to cross-border integration. ASD’s ACSC and NCSC-NZ assess that Australian and New Zealand critical infrastructure, respectively, could be vulnerable to similar activity from PRC state-sponsored actors.
As the authoring agencies have previously highlighted, the use of living off the land (LOTL) techniques is a hallmark of Volt Typhoon actors’ malicious cyber activity when targeting critical infrastructure. The group also relies on valid accounts and leverages strong operational security, which, combined, allows for long-term undiscovered persistence. In fact, the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years. Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment; tailor their tactics, techniques, and procedures (TTPs) to the victim’s environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise.
The authoring agencies urge critical infrastructure organizations to apply the mitigations in this advisory and to hunt for similar malicious activity using the guidance provided herein, along with the recommendations found in the joint guide Identifying and Mitigating Living Off the Land Techniques.
These mitigations are primarily intended for IT and OT administrators in critical infrastructure organizations. Following the mitigations, whether for prevention or in response to an incident, will help disrupt Volt Typhoon’s access and reduce the threat to critical infrastructure entities.
If activity is identified, the authoring agencies strongly recommend that critical infrastructure organizations apply the incident response recommendations in this advisory and report the incident to the relevant agency.

Global ransomware threat expected to rise with AI, NCSC warns

Artificial intelligence (AI) is expected to increase the global ransomware threat over the next two years, cyber chiefs have warned in a newly published report.
The ‘near-term impact of AI on the cyber threat’ assessment, published by the National Cyber Security Centre (NCSC), a part of GCHQ, concludes that AI is already being used in malicious cyber activity and will almost certainly increase the volume and impact of cyber attacks – including ransomware – in the near term.
Among other conclusions, the report suggests that by lowering the barrier of entry to novice cyber criminals, hackers-for-hire and hacktivists, AI enables relatively unskilled threat actors to carry out more effective access and information-gathering operations. This enhanced access, combined with the improved targeting of victims afforded by AI, will contribute to the global ransomware threat in the next two years.
Ransomware continues to be the most acute cyber threat facing UK organisations and businesses, with cyber criminals adapting their business models to gain efficiencies and maximise profits.
To tackle this enhanced threat, the Government has invested £2.6 billion under its Cyber Security Strategy to improve the UK’s resilience, with the NCSC and private industry already adopting AI’s use in enhancing cyber security resilience through improved threat detection and security-by-design.
The Bletchley Declaration, agreed at the UK-hosted AI Safety Summit at Bletchley Park in November, also announced a first-of-its-kind global effort to manage the risks of frontier AI and ensure its safe and responsible development. In the UK, the AI sector already employs 50,000 people and contributes £3.7 billion to the economy, with the government dedicated to ensuring the national economy and jobs market evolve with technology as set out under the Prime Minister’s five priorities.

NCSC and partners issue warning about state-sponsored cyber attackers hiding on critical infrastructure networks

The UK and allies have issued a fresh warning to critical infrastructure operators about the threat from cyber attackers using sophisticated techniques to camouflage their activity on victims’ networks.
The National Cyber Security Centre – a part of GCHQ – and agencies in the US, Australia, Canada and New Zealand have detailed how threat actors have been exploiting native tools and processes built into computer systems to gain persistent access and avoid detection.
This kind of tradecraft, known as ‘living off the land’, allows attackers to operate discreetly, with malicious activity blending in with legitimate system and network behaviour, making it difficult to differentiate – even for organisations with more mature security postures.
The NCSC assesses it is likely this type of activity poses a threat to UK critical national infrastructure and so all providers are urged to follow the recommended actions to help detect compromises and mitigate vulnerabilities.
The new ‘Identifying and Mitigating Living Off The Land’ guidance warns that China state-sponsored and Russia state-sponsored actors are among the attackers that have been observed living off the land on compromised critical infrastructure networks.

Ministry of Defence of the Netherlands Uncovers COATHANGER, a Stealth Chinese Fortigate RAT

The Ministry of Defence (MOD) of the Kingdom of the Netherlands was impacted in 2023 by an intrusion into one of its networks. The effects of the intrusion were limited because the victim network was segmented from the wider MOD networks.
During an incident response case, the Netherlands’ MIVD found a Remote Access Trojan (RAT) present on the FortiGate device that had been used for initial access.
The victim network had fewer than 50 users. Its purpose was research and development (R&D) of unclassified projects and collaboration with two third-party research institutes. These organizations have been notified of the incident.
MIVD & AIVD assess with high confidence that the intrusion at the MOD, as well as the development of the malware described in this report, was conducted by a state-sponsored actor from the People’s Republic of China.
MIVD & AIVD emphasize that this incident does not stand on its own, but is part of a wider trend of Chinese political espionage against the Netherlands and its allies.
The COATHANGER malware provides access to compromised FortiGate devices after installation. The implant connects back periodically to a Command & Control server over SSL, providing a BusyBox reverse shell.
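The periodic call-back behaviour described above is what a defender can look for in connection logs from an edge device: a stream of outbound TLS connections from one host to one endpoint with near-constant spacing, where human-driven traffic is bursty. The following is an added example, not code from the MIVD/AIVD report; the log format, the addresses, the beacon period and the regularity threshold are all constructed assumptions for the demonstration.

```python
"""Flag periodic outbound TLS connections ("beaconing") in a connection log.

Added example, not code from the report: a periodically calling-home implant
shows up in flow data as connections from one host to one endpoint with
near-constant spacing, whereas user traffic is bursty. The log format,
addresses and thresholds below are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src IP> <dst IP> <dst port>".
# 10.10.1.1 plays the edge appliance; 203.0.113.50 receives a ~5-minute
# beacon, 198.51.100.20 receives bursty traffic, 192.0.2.9 only two hits.
SAMPLE_LOG = """\
2023-09-01T10:00:00 10.10.1.1 203.0.113.50 443
2023-09-01T10:00:07 10.10.1.1 198.51.100.20 443
2023-09-01T10:00:09 10.10.1.1 198.51.100.20 443
2023-09-01T10:00:10 10.10.1.1 198.51.100.20 443
2023-09-01T10:02:00 10.10.1.1 192.0.2.9 443
2023-09-01T10:05:01 10.10.1.1 203.0.113.50 443
2023-09-01T10:07:00 10.10.1.1 192.0.2.9 443
2023-09-01T10:09:59 10.10.1.1 203.0.113.50 443
2023-09-01T10:12:40 10.10.1.1 198.51.100.20 443
2023-09-01T10:12:41 10.10.1.1 198.51.100.20 443
2023-09-01T10:15:02 10.10.1.1 203.0.113.50 443
2023-09-01T10:20:00 10.10.1.1 203.0.113.50 443
2023-09-01T10:24:58 10.10.1.1 203.0.113.50 443
2023-09-01T10:31:05 10.10.1.1 198.51.100.20 443
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, port) tuples; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or malformed line
        ts, src, dst, port = parts
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def find_beacons(records, port=443, min_conns=5, max_cv=0.1):
    """Return {(src, dst, port): stats} for flows whose spacing is suspiciously regular.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections; a value near zero means a near-constant period.
    """
    flows = defaultdict(list)
    for ts, src, dst, dport in records:
        if dport == port:
            flows[(src, dst, dport)].append(ts)

    beacons = {}
    for key, times in flows.items():
        if len(times) < min_conns:
            continue  # too few connections to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[key] = {"count": len(times), "mean_interval": avg, "cv": cv}
    return beacons


if __name__ == "__main__":
    for (src, dst, dport), stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}:{dport} every ~{stats['mean_interval']:.0f}s "
              f"({stats['count']} connections, cv={stats['cv']:.3f})")
```

Real implants add jitter, so on production data the threshold should be tuned against a baseline of known-benign flows, and the flagged pairs treated as leads for investigation rather than verdicts.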

Incident Response Guide for the WWS Sector

CISA, the Federal Bureau of Investigation (FBI), and the Environmental Protection Agency released a joint Incident Response Guide for the Water and Wastewater Systems (WWS) Sector. The guide includes contributions from over 25 WWS Sector organizations spanning private industry, nonprofit, and government entities. This coordination enabled CISA, FBI, and EPA to develop a guide with meaningful value to WWS Sector organizations.

Specifically, the guide provides information about the federal support available at each stage of the cyber incident response (IR) lifecycle and aims to enhance WWS Sector cybersecurity by:

• Establishing clear guidance for reporting cyber incidents;
• Connecting utilities with available cybersecurity resources, services, and no-cost trainings;
• Empowering utilities to build a strong cybersecurity baseline to improve cyber resilience and cyber hygiene; and
• Encouraging utilities to integrate into their local cyber communities.

CISA, FBI, and EPA urge all WWS Sector and critical infrastructure organizations to review this guidance and incorporate it into their organizational cyber incident response planning. Organizations can visit CISA.gov/water for additional sector tools, information, and resources.
