Informed by U.S. cyber intelligence and real-world events, each CISA Insight provides background information on particular cyber threats and the vulnerabilities they exploit, as well as a ready-made set of mitigation activities that non-federal partners can implement. This page is continuously updated to reflect new CISA Insights as they are made available.
SolarWinds and AD-M365 Compromise Risk Decisions for Leaders
Since December 2020, CISA has been responding to a significant cybersecurity incident in which an advanced persistent threat (APT) actor gained initial access to enterprise networks of U.S. government agencies, critical infrastructure entities, and private sector organizations. The APT actor only targeted a select group of organizations affected by the SolarWinds Orion compromise for follow-on network exploitation. Additionally, the APT actor used techniques other than the supply chain compromise to access targeted networks. After gaining persistent, invasive access to select organizations’ enterprise networks, the APT actor targeted their federated identity solutions and their Active Directory/M365 environments. This CISA Insights will help executive leaders of affected entities understand and be able to articulate the threat, risk, and associated actions their organizations should take. For additional details, see CISA websites, https://us-cert.cisa.gov/Remediating-APT-Compromised-Networks and https://www.cisa.gov/supply-chain-compromise.
What Every Leader Needs to Know About the Ongoing APT Cyber Activity (December 2020)
CISA is tracking a significant cyber incident impacting enterprise networks across federal, state, and local governments, as well as critical infrastructure entities and private sector organizations. An advanced persistent threat (APT) actor compromised the SolarWinds Orion software supply chain and is abusing commonly used authentication mechanisms. If left unchecked, this threat actor has the resources, patience, and expertise to resist eviction from compromised networks and continue to hold affected organizations at risk. CISA urges organizations to prioritize measures to identify and address this threat. For details, review the related CISA Alert, which CISA will update as information becomes available.
Actions to Counter Email-Based Attacks on Election-Related Entities (September 2020)
Malicious cyber actors have been known to use sophisticated phishing operations to target political parties and campaigns, think tanks, civic organizations, and associated individuals. Email systems are the preferred vector for initiating malicious cyber operations. Recent reporting shows 32 percent of breaches involve phishing attacks, and 78 percent of cyber-espionage incidents are enabled by phishing. To protect against these attacks, the Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends organizations involved in any election-related activities prioritize the protection of accounts from email-based attacks by:
- Using provider-offered protections, if utilizing cloud email.
- Securing user accounts on high value services.
- Implementing email authentication and other best practices.
- Securing email gateway capabilities.
Ransomware Outbreak (August 2019)
Helping organizations protect themselves from ransomware attacks is a chief priority for the Cybersecurity and Infrastructure Security Agency (CISA). We have assisted many ransomware response and recovery efforts, building an understanding of how ransomware attacks unfold, and what potential steps you can take to better defend systems. But we also recognize that there’s no such thing as perfect cybersecurity and ransomware infections can still happen, so we’ve also developed recommendations to help organizations limit damage, and recover smartly and effectively.
Mitigate DNS Infrastructure Tampering (January 2019)
In late 2018, cybersecurity organizations across the globe started to detect an increase in malicious activity targeting the Domain Name System (DNS) infrastructure on which we all rely. Using common tactics, outlined below, the attackers were able to redirect and intercept web and email traffic, and could have achieved the same for other networked services. The Cybersecurity and Infrastructure Security Agency (CISA) encourages its State, Local, Tribal and Territorial (SLTT) government partners, as well as private sector owners of critical infrastructure, to use this guide to learn more about this threat and associated mitigation activities. This guidance is derived from Emergency Directive 19-01 – Mitigate DNS Infrastructure Tampering and includes lessons learned and additional considerations for non-federal entities seeking to implement actions in line with federal civilian departments and agencies, as directed by CISA.
Remediate Vulnerabilities for Internet-Accessible Systems (January 2019)
Adversaries operating in cyberspace can make quick work of unpatched Internet-accessible systems. Moreover, the time between an adversary’s discovery of a vulnerability and their exploitation of it (i.e., the ‘time to exploit’) is rapidly decreasing. Industry reports estimate that adversaries are now able to exploit a vulnerability within 15 days (on average) of discovery. After gaining entry into information systems and networks, these adversaries can cause significant harm. Internet-accessible information systems include any system that is globally accessible over the public internet (i.e., has a publicly routed internet protocol (IP) address or a hostname that resolves publicly in DNS to such an address) and encompass those systems directly managed by an organization, as well as those operated by a third-party on an organization’s behalf. As organizations continue to expand their Internet presence through increased use and operation of interconnected and complex Internet accessible systems, it is more critical than ever to rapidly remediate vulnerabilities inherent to these systems. Failure to do so could allow malicious actors to compromise networks through exploitable, externally-facing systems. The Cybersecurity and Infrastructure Security Agency (CISA) encourages its State, Local, Tribal and Territorial (SLTT) government partners, as well as private sector owners of critical infrastructure, to use this guide to learn more about this threat and associated mitigation activities. This guidance is derived from Binding Operational Directive 19-02 – Vulnerability Remediation Requirements for Internet-Accessible Systems and includes lessons learned and additional considerations for non-federal entities seeking to implement actions in line with federal civilian departments and agencies, as directed by CISA.
Enhance Email and Web Security (2019)
Phishing emails and the use of unencrypted Hypertext Transfer Protocol (HTTP) protocol remain persistent channels through which malicious actors can exploit vulnerabilities in an organization’s cybersecurity posture. Attackers may spoof a domain to send a phishing email that looks like a legitimate email. At the same time, users transmitting data via unencrypted HTTP protocol, which does not protect data from interception or alteration, are vulnerable to eavesdropping, tracking, and the modification of the data itself.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages its State, Local, Tribal and Territorial (SLTT) government partners, as well as private entities, to use this guide to learn more about this threat and associated mitigation activities. This guidance is derived from Binding Operational Directive 18-01 – Enhance Email and Web Security and includes lessons learned and additional considerations for non-federal entities seeking to implement actions in line with federal civilian departments and agencies, as directed by CISA.
Enhancing Chemical Security During Heightened Geopolitical Tensions (January 2020)
In light of recent international events with the potential for retaliatory aggression against the U.S. and our critical infrastructure, CISA urges facilities with chemicals of interest (COI)—whether tiered or untiered under the Chemical Facility Anti-Terrorism Standards (CFATS) program—to consider enhanced security measures to decrease the likelihood of a successful attack. As noted in the recent National Terrorism Advisory System (NTAS) Bulletin, certain offensive cyber operations have been attributed to the Iranian government, which allegedly has targeted a variety of industries and organizations, including financial services, energy, government facilities, chemical, healthcare, critical manufacturing, communications, and the defense industrial base.
Increased Geopolitical Tensions and Threats (January 2020)
Increased geopolitical tensions and threats of aggression may result in cyber and physical attacks against the Homeland and also destructive hybrid attacks by proxies against U.S. targets and interests abroad. Knowing how you, your organization, and your personnel may be exposed or targeted during increased tensions can help you better prepare. In many cases, implementing the Cybersecurity and Infrastructure Security Agency (CISA) Cyber Essentials can dramatically improve your defenses. Should an incident occur, engage with partners, like CISA, and work with cyber or physical first responders to gain technical assistance. Review your organization from an outside perspective and ask the tough questions—are you attractive to Iran and its proxies because of your business model, who your customers and competitors are, or what you stand for?
Secure High Value Assets (January 2020)
A High Value Asset (HVA) is information or an information system that is so critical to an organization that the loss or corruption of this information or loss of access to the system would have serious impact to the organization’s ability to perform its mission or conduct business. These assets, systems, and datasets may contain sensitive controls, instructions or data used in critical operations, or they may house unique collections of data. These sensitivities make HVAs of particular interest to criminal, politically-motivated, or state-sponsored actors for either direct exploitation of the data or to cause a loss of confidence by the public.
Preparedness Grant Guidance
FY20 Preparedness Grant Guidance (February 2020)
The Secretary of Homeland Security has released the Fiscal Year (FY) 2020 Preparedness Grant guidance. It directs and encourages investment in the areas of cybersecurity, soft targets and crowded places, intelligence and information sharing, emerging threats, and elections infrastructure security. These articulated priorities reflect the transformation underway in our shared risk environment and threat landscape. As a Nation with increasing reliance on collective preparedness and response, multi-disciplinary collaboration, and shared skills and resources, we must stay ahead of our adversaries. The challenges confronting State, Local, Tribal, and Territorial jurisdictions should and do inform how we prevent, prepare, protect, and respond to all-hazard situations, as well as domain-specific security conditions. The changes in the FY20 grant guidance reflect great opportunity for addressing emergent risks, closing historically underinvested capability and capacity gaps, and providing investment for high-performance innovations.
COVID-19 Disinformation Activity (May 2020)
False and misleading information related to the coronavirus (COVID-19) are a significant challenge. This CISA Insight provides an overview of coronavirus disinformation and steps that can be taken to reduce the risk of sharing inaccurate information with your friends and family.
Risk Management for Novel Coronavirus (COVID-19)
This product is for executives to help them think through physical, supply chain, and cybersecurity issues that may arise from the spread of Novel Coronavirus, or COVID-19. According to the U.S. Centers for Disease Control and Prevention (CDC), COVID-19 has been detected in locations around the world, including multiple areas throughout the U.S. This is a rapidly evolving situation and for more information, visit the CDC’s COVID-19 Situation Summary.
Cybersecurity Perspectives Healthcare and Public Health (HPH) Response to COVID-19 (January 2021)
Disruptive ransomware and other malicious cyber attacks significantly reduce HPH entities’ ability to provide patient care and can contribute to patient mortality. Threat actors aim to disrupt HPH entities who have a low tolerance for down-time and may be experiencing resource and staffing constraints due to the COVID-19 pandemic. CISA recommends that all HPH entities review the following observations and findings - derived from an analysis of HPH entities enrolled in CISA’s free vulnerability scanning service from March to November 2020 - and take appropriate action to reduce potential vulnerability and maintain resilient cybersecurity practices.
COVID-19 Vaccination Hesitancy Within the Critical Infrastructure Workforce (March 2021)
COVID-19 vaccination hesitancy within the critical infrastructure workforce represents a risk to our National Critical Functions and critical infrastructure companies and operations. Employers of workers within the critical infrastructure sectors are essential to reducing vaccine hesitancy within their workforce by becoming messengers of accurate, reliable, and timely information. This CISA Insight provides an overview of COVID-19 vaccination hesitancy and steps that critical infrastructure owners and operators can take to reduce the risk and encourage vaccine acceptance across their critical sectors’ workforce.