CISA analyzed and mapped the Fiscal Year (FY) 2019 Risk and Vulnerability Assessment (RVA) findings to provide critical infrastructure entities with lists of observed successful attack paths. See the infographic, Risk and Vulnerability Assessments (RVA) to the MITRE ATT&CK Framework, for how adversaries move laterally and escalate, and for the success rate percentage of each tactic and technique. CISA encourages network administrators and IT professionals to review the infographic and apply the recommended defensive strategies to protect against the observed tactics and techniques.
Due to the limited sample size, the presented data should not be considered a rigorous statistical representation of the complex and varied sector entities that exist within the United States. Organizations should consider additional attack vectors and mitigation strategies based on their unique environment.
To schedule a Risk and Vulnerability Assessment, contact CISAServiceDesk@cisa.dhs.gov.