Eviction Strategies Tool
Overview
CISA has developed and maintains the publicly accessible Eviction Strategies Tool to support cyber defenders during the containment and eviction phases of incident response (IR). The tool comprises:
- Playbook-NG, a web application for next-generation operations; and
- COUN7ER, a database of atomic post-compromise countermeasures mapped to adversary tactics, techniques, and procedures (TTPs).
Together, Playbook-NG and COUN7ER can assemble a systematic eviction plan that leverages distinct countermeasures to contain and evict a unique intrusion. CISA offers Playbook-NG and COUN7ER to the public under the MIT Open Source License to encourage development. CISA designed Playbook-NG and COUN7ER to substantially accelerate the creation of response plans and to assist defenders with tailored adversary eviction strategies. Users can export results of their inputs, but the Eviction Strategies Tool is not open to users altering it. CISA will maintain Playbook-NG and COUN7ER on the Eviction Strategies Tool’s GitHub page and welcomes user feedback via our anonymous product survey.
Note: The cybersecurity community often uses the terms “eradication” and “eviction” interchangeably to describe the process of removing a cyber threat actor or malicious code from a compromised environment. The National Institute of Standards and Technology (NIST) Cybersecurity Framework uses the term “eradication” to describe how responders remove malware or persistence mechanisms. Other cybersecurity publications use the term “eviction” to emphasize the deliberate removal of a threat actor through a coordinated effort to prevent reentry or retaliation. Although both terms describe removing the threat, “eviction” emphasizes a strategic, actor-aware approach, and “eradication” focuses on removing technical artifacts.
The Playbook-NG Web Application
The next generation of cyber IR playbooks, Playbook-NG is a stateless (i.e., not retaining data or session information between uses), web-based application that cyber defenders can use to match incident findings with countermeasures for adversary containment and eviction.
- A cyber defender enters MITRE ATT&CK® TTP IDs, or free text that describes threat actor activities on compromised assets, into Playbook-NG’s interface.
- Playbook-NG then provides a corresponding list of recommended response actions.
- The cyber defender can then export the results in numerous formats, such as JSON, Microsoft Word and Excel, and markdown. Note: Playbook-NG does not save information about the cyber defender or their inputs; rather, the application clears the work when the defender browses away or clears the playbook. When the defender exports a playbook as a JSON file, they can later upload it back into Playbook-NG to view, modify, and update it. This allows Playbook-NG to refresh any countermeasures that have changed since the defender’s last visit while allowing the defender to update plans with new findings in minutes.
Playbook-NG also allows cyber defenders to start with an incident template that CISA created and curated. These templates describe specific collections of TTPs in a campaign or event that a cyber defender may use as is or quickly customize. Playbook-NG provides an agile set of guidance that follows a “write once, share many” model of defensive strategies. Authors can reference these strategies to help draft other publications. See “Citing a Countermeasure” below.
In addition to providing guidance in a live crisis, Playbook-NG can help generate realistic plans for tabletop exercise (TTX) scenarios. Cyber defenders can easily use Playbook-NG’s text extract functionality to paste in a report with TTP IDs and generate a playbook to use in an exercise discussion.
The COUN7ER Database of Defensive Measures
Playbook-NG pulls entries from COUN7ER, a database of post-compromise countermeasures and mitigations. COUN7ER is a researched and curated collection of atomic actions that incident responders can take to contain and evict cyber threat actors and their operations from networks and assets. Serving as a Rosetta Stone of defensive measures, COUN7ER cross-references its countermeasures with multiple frameworks—including MITRE’s ATT&CK, D3FEND, and Common Weakness Enumeration (CWE)—and aligns them with threat-informed preventive best practice where applicable. The current COUN7ER catalog contains over 100 fully developed entries.
Each COUN7ER entry contains the following information:
- Intended Outcome: The effect this countermeasure has on adversaries; the Intended Outcome answers: “Why do we want to do this and what would it get us as defenders?”
- Preparation: The necessary actions to take before successfully implementing the countermeasure.
- Risks: The caveats and considerations about the countermeasure’s implementation, which inform the organization’s risk calculus and IR planning.
- Guidance: Core procedure and process guidance in implementing the countermeasure.
- Related Countermeasures: Other entries in COUN7ER that have the same or similar outcomes; the defender can use these should they need to pivot to another countermeasure.
- References: Authoritative sources for procedures and common technology related to this mitigation.
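The workflow above (extract TTP IDs from pasted report text, select countermeasures, export a JSON playbook that can be re-imported) is illustrated by the following added example. It is not Playbook-NG or COUN7ER code: the entry layout mirrors the field list on this page in shortened form, the mapping of CM0002 to T1021.002 and the entry CM9999 are assumptions, and the real COUN7ER JSON schema is not reproduced.

```python
import json
import re
# Constructed sample of COUN7ER-style entries (field names follow the page's
# list, shortened here). The JSON layout, the TTP mappings and CM9999 are assumed.
COUNTERMEASURES = {
    "CM0002": {
        "name": "Disable Server Message Block (SMB) Protocol",
        "techniques": ["T1021.002"],
        "intended_outcome": "Deny the actor lateral movement over SMB.",
        "risks": "File shares and some management tooling will break.",
        "guidance": "Block TCP/445 at host firewalls; disable SMBv1.",
    },
    "CM9999": {  # hypothetical entry, not a real COUN7ER ID
        "name": "Reset credentials used for lateral movement",
        "techniques": ["T1021", "T1078"],
        "intended_outcome": "Invalidate credentials the actor relies on.",
        "risks": "Service accounts need coordinated rotation.",
        "guidance": "Rotate passwords and revoke active sessions and tokens.",
    },
}

# ATT&CK technique ID (T1234) with an optional sub-technique suffix (.001).
ATTACK_ID = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")

def extract_ttps(text):
    """ATT&CK IDs found in pasted report text, deduplicated, first-seen order."""
    return list(dict.fromkeys(ATTACK_ID.findall(text)))

def build_playbook(ttps):
    """Select countermeasures per TTP. A sub-technique also matches an entry mapped
    at its parent technique; each CM is listed once with the TTPs that selected
    it; TTPs with no mapping are reported so the coverage gap is visible."""
    selected, unmapped = {}, []
    for ttp in ttps:
        parent = ttp.split(".")[0]
        hits = [cm for cm, e in COUNTERMEASURES.items()
                if ttp in e["techniques"] or parent in e["techniques"]]
        if not hits:
            unmapped.append(ttp)
        for cm in hits:
            entry = selected.setdefault(cm, {"name": COUNTERMEASURES[cm]["name"], "matched_ttps": []})
            entry["matched_ttps"].append(ttp)
    return {"ttps": ttps, "countermeasures": selected, "unmapped": unmapped}

def export_json(playbook):
    return json.dumps(playbook, indent=2)

def import_json(blob):
    return json.loads(blob)
```

The `unmapped` list is the part worth watching in practice: a TTP with no countermeasure is a gap in the eviction plan, not a finding to drop.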
COUN7ER: Regularly Updated From Cyber Threat Intelligence
CISA regularly reviews the COUN7ER database and updates it based on incident observations, threat intelligence, and other sources of information on threat actor tactics. Countermeasures undergo a rigorous review process to conform to written style, voice, and accuracy. CISA conducts internal TTXs to exercise countermeasures and examine potential challenges with implementation as well as effectiveness against adversary actions.
Please share your thoughts with us via our anonymous product survey; we welcome your feedback.
For more information, contact us at playbook-ng@mail.cisa.dhs.gov.
Citing a Countermeasure
The styles below show how to cite a countermeasure (e.g., CM0002) according to their respective style rules.
- Chicago Style: Cybersecurity and Infrastructure Security Agency. CM0002: Disable Server Message Block (SMB) Protocol. COUN7ER Playbook, modified: November 15, 2023. https://www.cisa.gov/resources-tools/resources/eviction-strategies-tool.
- APA (7th Edition): Cybersecurity and Infrastructure Security Agency. (2023). CM0002: Disable Server Message Block (SMB) Protocol. COUN7ER Playbook. Modified: November 15, 2023. Retrieved from https://www.cisa.gov/resources-tools/resources/eviction-strategies-tool.
- Legal Bluebook (21st Edition): Cybersecurity and Infrastructure Security Agency, CM0002: Disable Server Message Block (SMB) Protocol, COUN7ER Playbook (modified: Nov. 15, 2023), https://www.cisa.gov/resources-tools/resources/eviction-strategies-tool.
Disclaimer
COUN7ER Disclaimer
COUN7ER, including any associated information, playbook, strategies, countermeasures, apparatus, process, product, guidance or any other content, is provided “as is” and for general informational purposes only. Neither CISA nor the United States Government, nor any of their employees, make any warranty, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, suitability, or efficacy of any output or content from COUN7ER. Users hereby acknowledge that using COUN7ER may require expert knowledge and advanced technical capabilities beyond what is typical for members of the public; and that the use or reliance upon the countermeasures, content, or any other information obtained from COUN7ER may cause adverse consequences, including potential device or system failure.
Users assume all risks from the use of COUN7ER, and without limiting the foregoing, users are responsible for any actions they take on systems and devices. In no event shall the United States Government, its employees, or its contractors or subcontractors be liable for any damages including, but not limited to, direct, indirect, special or consequential damages, arising out of, resulting from, or in any way connected with COUN7ER or its use; whether or not based upon warranty, contract, tort, or otherwise; whether or not arising out of negligence; and whether or not injury was sustained from, or arose out of the results of, or reliance upon COUN7ER.
References to any specific entity, commercial product, process, data format or service by trade name, trademark, manufacturer, or otherwise, do not constitute or imply an endorsement, recommendation, or favoring by CISA or the United States Government. CISA takes no responsibility for the content of external websites, statements, claims, representations, or other materials created or maintained by third parties. All trademarks are the property of their respective owners. Users acknowledge that information within COUN7ER may not constitute the most up-to-date guidance or technical information and COUN7ER is not intended to, and does not constitute advice for compliance, regulatory, or legal purposes. Users should confer with their respective advisors and subject matter experts to obtain advice based on their individual circumstances.