CISA Releases Open-Source Eviction Strategies Tool for Cyber Incident Response
WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA) released an Eviction Strategies Tool, a no-cost resource designed to support cyber defenders in their efforts to respond to cyber incidents. CISA contracted with MITRE to develop this tool that enables cyber defenders to create tailored response plans and adversary eviction strategies within minutes. They will also be able to develop customized playbooks aimed at containing and evicting adversaries from compromised systems and networks.
The tool includes COUN7ER, a database of atomic post-compromise countermeasures mapped to adversary tactics, techniques, and procedures (TTPs), and Cyber Eviction Strategies Playbook NextGen, a web-based application that matches incident findings with countermeasures obtained from COUN7ER. Together, these resources help defenders build systematic eviction plans with distinct countermeasures to thwart and evict unique intrusions.
“How an organization approaches remediation and eviction of an incident is critically important to a successful response effort. Over the years, we have seen organizations struggle with identifying the right steps to take and the correct sequencing of actions to properly evict advanced adversaries from their enterprises,” said Jermaine Roebuck, Associate Director for Threat Hunting, CISA. “This tool will level the playing field by making it easier for IT staff and cyber defenders to coordinate efforts and achieve a successful eviction. I encourage public and private sector organizations to incorporate this capability into their incident response plans.”
Key features of the Eviction Strategies Tool include:
- Enables cyber defenders to build response plans based on either MITRE ATT&CK® or on free text that describes threat actor activities on compromised assets.
- Exports defensive measure options in numerous formats, such as JSON, Microsoft Word and Excel, and markdown.
- Builds on knowledge from other frameworks, including MITRE D3FEND™, as well as MITRE ATT&CK.
- Contains more than 100 fully developed, researched and curated atomic actions that incident responders can take to contain and evict adversary agency within their networks and assets.
To encourage collaboration and development, CISA offers Cyber Eviction Strategies Playbook NextGen and COUN7ER to the public under the MIT Open Source License. Cyber defenders are encouraged to review the new tool and provide feedback using CISA’s anonymous product survey.
For more information on best practices to implement preventative measures and manage cyber risks, visit Cybersecurity Best Practices.
###
About CISA
As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.
Visit CISA.gov for more information and follow us on X, Facebook, LinkedIn, Instagram.