CISA rapidly notifies relevant critical infrastructure stakeholders of elevated risk exposure, conducts incident management operations, provides vulnerability assessments, and directly deploys risk management information, tools, and technical services to mitigate risk, including regulatory enforcement where authorized.
Continuous Diagnostics and Mitigation
The Continuous Diagnostics and Mitigation (CDM) Program is an implementation approach consistent with the information security continuous monitoring methodology. CDM is a suite of capabilities and tools that enables network administrators to know the state of their respective networks at any given time, thus reducing the attack surface of their networks; informs on the relative risks of threats; and makes it possible for system personnel to identify and mitigate flaws at near-network speed.
The CDM Program fortifies government networks and systems with capabilities and tools. These capabilities and tools identify cybersecurity risks on an ongoing basis; prioritize these risks based on potential impacts; and enable cybersecurity personnel to mitigate the most significant problems first.
The CDM tools Special Item Number (SIN) supports the CISA CDM Program. The hardware and software products and associated services under this SIN undergo a DHS product qualification process to be added to the CDM Approved Products List (APL). The full list of CDM subcategories includes tools, associated maintenance, and other related activities, such as training. The SIN is organized by CDM capabilities into five subcategories. As shown below, the five CDM Tools SIN subcategories cover the fifteen CDM Tool Functional Areas (TFAs) and allow for future innovation.
The CDM Tools SIN on GSA IT Schedule 70 is available to SLTT entities through the Cooperative Purchasing Agreement. Please reach out to firstname.lastname@example.org for further information.
Enhanced Cybersecurity Services
The Enhanced Cybersecurity Services (ECS) program facilitates the protection of IT networks by offering intrusion detection and prevention services through approved service providers. All U.S.-based public or private entities, including State, Local, Tribal, and Territorial (SLTT) organizations are eligible to participate.
ECS is a near real-time intrusion detection and prevention capability, not a threat feed. CISA partners with approved service providers that have completed a rigorous system accreditation process to offer ECS. Upon approval, these service providers receive unclassified, sensitive, and classified cyber threat information from CISA and use it to protect their ECS customers.
The two primary ECS services are Domain Name System (DNS) sinkholing and email filtering. These services block possible malware communications and spear phishing campaigns targeting networks.
For ECS, the National Cybersecurity and Communications Integration Center (NCCIC) sources information from across the federal government and intelligence community and shares it with ECS service providers. As the hub for national cybersecurity, the NCCIC has a unique vantage point into the threats targeting .gov, SLTT, and critical infrastructure networks.
Participating in ECS affords organizations a quick and efficient way to receive protections that use classified information to thwart possible malicious communications and spear phishing campaigns, without having to meet the otherwise burdensome requirements of maintaining secure facilities and employing cleared personnel.
ECS is a commercial intrusion detection and prevention service sponsored by CISA and offered by approved private sector partners to any U.S.-based public or private entity. As a potential ECS customer, you can reach out directly to accredited ECS service providers to learn more about pricing and technical requirements. The ECS service provider you choose does not have to be your Internet provider.
For more information about the program and ECS service provider contact information, please visit www.dhs.gov/ecs.
Incident Response, Recovery, and Cyber Threat Hunting
The incident response team falls under the guidance of the NCCIC Hunt and Incident Response Team (HIRT). HIRT provides incident response, management, and coordination activities for cyber incidents occurring in the critical infrastructure sectors as well as government entities at the Federal, State, Local, Tribal, and Territorial levels. HIRT works with its constituents to identify and contain adversary activity and develop mitigation plans for removal and remediation of the root cause. HIRT provides technical expertise and capacity to its constituents in responding to incidents. Incident response efforts focus on finding the root cause of an incident by searching for adversary tactics, techniques, and procedures (TTPs), along with behaviors and associated artifacts, in the victim network.
NIST defines a computer security incident as a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. HIRT further defines an individual incident as a distinct, potentially malicious event, perpetrated by a single threat actor, using a single TTP or a series of related TTPs, against a single victim. Examples include, but are not limited to, malware infections, data theft, data corruption, ransomware encryption, denial of service, control systems intrusions, and threats against assets.
In support of incident response, HIRT has four types of customer engagements:
- remote assistance,
- advisory deployment,
- remote deployment, and
- on-site deployment.
HIRT incident response is action taken to respond to a suspected incident and address the increased risk resulting from the incident. The goal is to manage the situation in a way that ensures safety, reduces risk, limits damage, and reduces recovery time and costs. Most response actions will be technical in nature, but any action taken to reduce the impact of an incident is considered part of the incident response. Following an engagement and upon completion of analysis, HIRT will deliver an Engagement Report (ER) to the customer within 30-60 days. The ER provides the background, scope, findings, security best practices, and conclusions relevant to the hunt.
The Advanced Malware Analysis Center provides 24/7 dynamic analysis of malicious code. Stakeholders submit samples via an online website and receive a technical document outlining analysis results. Experts detail recommendations for malware removal and recovery activities. This service can be performed in conjunction with incident response services if required.
Service benefits include:
- Isolated network – A standalone, closed computer network system ensures containment.
- Classified capability – A Sensitive Compartmented Information Facility (SCIF) is used for coordination with members of the intelligence community, law enforcement, and trusted third parties as it is the only accredited federal malware lab of its kind.
- Analytical capabilities – Experts analyze the current state of computer systems, storage mediums, and physical memory of computer systems.
- Extrication of malicious code – Analysts conduct static analysis and behavior analysis of malicious code types (e.g., worms, Trojans, spyware, botnets, and rootkits) using standard reverse engineering and debugging tools for malicious artifacts that are extracted from infected systems and submitted to NCCIC for analysis.