CISA Insights - Ransomware Outbreak

August 21, 2019
2:00 pm

The Threat and How to Think About It

Ransomware has rapidly emerged as the most visible cybersecurity risk playing out across our nation’s networks, locking up private sector organizations and government agencies alike. And that’s only what we’re seeing – many more infections are going unreported, ransoms are being paid, and the vicious ransomware cycle continues on. We strongly urge you to consider ransomware infections as destructive attacks, not an event where you can simply pay off the bad guys and regain control of your network (do you really trust a cybercriminal?).

CISA’s Role as the Nation’s Risk Advisor

Helping organizations protect themselves from ransomware attacks is a chief priority for the Cybersecurity and Infrastructure Security Agency (CISA). We have assisted many ransomware response and recovery efforts, building an understanding of how ransomware attacks unfold, and what potential steps you can take to better defend systems. But we also recognize that there’s no such thing as perfect cybersecurity and ransomware infections can still happen, so we’ve also developed recommendations to help organizations limit damage, and recover smartly and effectively.

Ransomware Mitigations to Help You Defend Today and Secure Tomorrow

The below recommendations – our first “CISA INSIGHTS” product – lay out three sets of straightforward steps any organization can take to manage their risk. These recommendations are written broadly for all levels within an organization. It’s never as easy as it should be, so if you need help, we urge you to reach out for assistance – CISA is here to help, but so is the FBI, numerous private sector security firms, state authorities, and others.

Actions for Today – Make Sure You’re Not Tomorrow’s Headline:

  1. Back up your data, system images, and configurations, and keep the backups offline
  2. Update and patch systems
  3. Make sure your security solutions are up to date
  4. Review and exercise your incident response plan
  5. Pay attention to ransomware events and apply lessons learned

Actions to Recover If Impacted – Don’t Let a Bad Day Get Worse:

  1. Ask for help! Contact CISA, the FBI, or the Secret Service
  2. Work with an experienced advisor to help recover from a cyber attack
  3. Isolate the infected systems and phase your return to operations
  4. Review the connections of any business relationships (customers, partners, vendors) that touch your network
  5. Apply business impact assessment findings to prioritize recovery

Actions to Secure Your Environment Going Forward – Don’t Let Yourself be an Easy Mark:

  1. Practice good cyber hygiene: back up, update, whitelist apps, limit privilege, and use multifactor authentication
  2. Segment your networks; make it hard for the bad guy to move around and infect multiple systems
  3. Develop containment strategies; if bad guys get in, make it hard for them to get stuff out
  4. Know your system’s baseline for recovery
  5. Review disaster recovery procedures and validate goals with executives

Please visit the CISA Resource Page on Ransomware for more information. Victims of ransomware should report it immediately to CISA, a local FBI Field Office, or a Secret Service Field Office.

DHS Leads the Implementation of Email Authentication Services Across the Federal Government

October 16, 2018
11:00 am

This time last year, the Department of Homeland Security (DHS) made a commitment to the American people: it should not be easy to impersonate the federal government through spoofing-related phishing campaigns. Today, we announced that we have reached the one-year milestone for Binding Operational Directive (BOD) 18-01: a vast majority of the federal community are meeting critical web and email security enhancements. Throughout the year, the DHS team has been accelerating progress, conducting hundreds of agency exchange meetings and establishing a collaborative, public-facing website to support this cross-government effort and further advance federal website and data integrity.

DHS saw adoption of the strongest level of email authentication enforcement through Domain-based Message Authentication, Reporting and Conformance (DMARC) increase eightfold across the federal civilian government, making the Federal government a leader across all sectors in DMARC use and email authentication. BOD 18-01 was also a critical step in addressing one of the federal government’s greatest ongoing challenges, phishing, and we are continuing to take steps to combat this pervasive threat.

While a majority of the federal government anticipates meeting all of the BOD deadlines today, DHS still has work to do to ensure a successful and enduring implementation of these critical security enhancements. Encouraged by progress but always with an eye towards an unflinching adversary, we will not relent in our mission of safeguarding information systems for the Federal IT Enterprise and, most importantly, the American people.

The Patch Factory: Global Infrastructure for Managing Cybersecurity Vulnerabilities

September 18, 2018
11:38 am

The Department of Homeland Security strives every day to help federal agencies, state, local, territorial and tribal governments, and critical infrastructure asset owners and operators raise the baseline of cybersecurity. With the continuous growth of connected systems and rapid technology evolution, cyber vulnerabilities are being discovered in more devices and systems than ever before. DHS is committed to assisting manufacturers with security of their products through a steady stream of vulnerability information.

DHS sponsors a number of programs that are core components of vulnerability identification, response, and management practices around the world. They provide services and information to help users, system administrators, operators and manufacturers maintain safer, more secure software without government intervention. Each is publicly available and free for use by entities building or maturing their vulnerability management functions.

Listing Known Vulnerabilities

Sponsored by DHS Office of Cybersecurity and Communications (CS&C), the Common Vulnerabilities and Exposures (CVE) is the de facto global standard for the identification and definition of security vulnerabilities. The Homeland Security Systems Engineering and Development Institute (HSSEDI), which is operated by The MITRE Corporation, runs the CVE program that enables vendors to identify and communicate to their customers how vulnerabilities affect their products and services.

Each CVE is comprised of an identification number, a description, and at least one reference for the general public to know where the vulnerability has been publicly disclosed. The list of CVEs enables a diverse community of public and private stakeholders to effectively communicate and share vulnerability and exposure information.

Providing CVEs for unique vulnerabilities helps different product vendors track and fix vulnerabilities, and allows end users to correlate security update information for vulnerabilities discovered on their networks.

Multi-Party Coordination, Analysis, & Tools for Discovery

The CERT Coordination Center (CERT/CC), part of the Software Engineering Institute at Carnegie Mellon University, provides multi-party coordinated vulnerability disclosure services and produces vulnerability discovery tools. Multi-party vulnerability coordination and disclosure is the practice of coordinating a newly discovered vulnerability across a wide range of vendors and technologies at the same time.

The CERT/CC receives vulnerability reports from different kinds of researchers around the world and notifies the vendors who are potentially affected. CERT/CC also acts as a neutral third party to help develop mitigations (typically software updates) in an appropriate timeframe and publish actionable advice in the form of Vulnerability Notes.

The CERT/CC also develops and publishes open source tools to discover, analyze and diagnose software and system vulnerabilities. For example, CERT/CC’s Basic Fuzzing Framework and Tapioca tools have been used to find and help mitigate significant vulnerabilities in a wide range of applications, including thousands of smartphone apps.

Verified Data for Effective and Efficient System Maintenance

DHS and the National Institute of Standards and Technology co-sponsor the National Vulnerability Database (NVD), which analyzes CVE entries and provides expanded information about them. This analysis adds data points such as severity scores and impact ratings, and enables enhanced search capabilities for users of the information. The NVD also contains a record of each CVE-tagged defect and the associated fix or mitigation.

One of the important elements of the NVD is that it provides IT professionals with a rubric to measure the risk associated with known vulnerabilities and to prioritize system maintenance accordingly.
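The two paragraphs above describe what a CVE entry must carry (an identifier, a description, at least one public reference) and how the NVD's severity scores turn that list into a maintenance priority. The following Python is an added example written for this page, not code from the CVE, NVD or MITRE programs: it validates hypothetical records against that shape, maps a CVSS v3 base score to its qualitative rating using the ranges from the CVSS v3 specification, and orders the well-formed records for patching. The record identifiers, descriptions, references and scores are placeholders constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical records in the shape the post describes (identifier, description,
# at least one public reference) with an NVD-style CVSS v3 base score attached.
# The IDs use a placeholder year; none of these are real CVE entries.
CVE_ID_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>\d{4,})$")


@dataclass
class CveRecord:
    cve_id: str
    description: str
    references: List[str] = field(default_factory=list)
    cvss_base: Optional[float] = None  # NVD-supplied analysis, absent until analyzed


SAMPLE_RECORDS = [
    CveRecord("CVE-2099-0001", "Placeholder: stack buffer overflow in a file parser.",
              ["https://example.com/advisories/0001"], 9.8),
    CveRecord("CVE-2099-0002", "Placeholder: verbose error page leaks internal paths.",
              ["https://example.com/advisories/0002"], 5.3),
    CveRecord("CVE-2099-3", "Placeholder: malformed identifier (sequence too short).",
              ["https://example.com/advisories/0003"], 7.5),
    CveRecord("CVE-2099-0004", "Placeholder: reported but not yet publicly referenced.",
              [], 7.2),
    CveRecord("CVE-2099-0005", "Placeholder: awaiting NVD analysis, no score yet.",
              ["https://example.com/advisories/0005"], None),
]


def validate_record(rec: CveRecord) -> List[str]:
    """Return the ways a record falls short of the CVE entry shape (empty list if fine)."""
    problems = []
    if not CVE_ID_RE.match(rec.cve_id):
        problems.append("identifier is not of the form CVE-YYYY-NNNN (4+ digit sequence)")
    if not rec.description.strip():
        problems.append("description is empty")
    if not rec.references:
        problems.append("no public reference: disclosure location is unknown")
    return problems


def severity(score: Optional[float]) -> str:
    """Map a CVSS v3 base score to its qualitative rating (CVSS v3 specification ranges)."""
    if score is None:
        return "Unscored"
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def prioritize(records: List[CveRecord]) -> List[str]:
    """Order well-formed records for maintenance: highest score first, unscored last."""
    valid = [r for r in records if not validate_record(r)]
    ordered = sorted(valid, key=lambda r: (r.cvss_base is None, -(r.cvss_base or 0.0)))
    return [r.cve_id for r in ordered]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        problems = validate_record(rec)
        status = "; ".join(problems) if problems else severity(rec.cvss_base)
        print(f"{rec.cve_id:<14} {status}")
    print("patch order:", prioritize(SAMPLE_RECORDS))
```

Records that fail validation are excluded from the patch order rather than silently scored, which mirrors the practical point of the post: an entry without a public reference cannot yet be correlated with vendor update information.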

Coordination and Security Training for Control Systems and Medical Devices

The NCCIC Vulnerability Management and Coordination (VMC) team, through support from Idaho National Laboratory (INL), coordinates Industrial Control Systems (ICS) vulnerability disclosure. INL team members have unique expertise in assessing risks in critical systems and this collaboration provides the opportunity for DHS to act as a trusted third party in extremely sensitive disclosures.

In addition to assessing sensitive vulnerabilities in critical infrastructure, such as energy, food/agriculture or water systems, this collaborative team also reviews those that could result in hazards for critical manufacturing or in medical devices. Building a well-connected and capable community of practitioners, particularly in the private sector, has been instrumental in strengthening DHS’ coordination network for these types of sensitive vulnerabilities.

To help the ICS community improve their cyber defenses, the NCCIC offers training and procedures that teams can use to improve their ICS security and develop their own capabilities. In FY17, NCCIC trained more than 1,400 professionals in ICS security, either in online courses or in instructor-led classes at INL.

Continuous Improvement

DHS and its program partners are always evolving and adapting to keep up with the ever-changing and growing cyber vulnerability mission. Recent milestones and achievements include:

  • The CVE Security Automation Working Group launched a pilot program in May 2017 to improve open, automated data sharing within the CVE Program and between HSSEDI and the CVE Numbering Authorities (CNAs). CNAs are organizations authorized to assign CVE IDs for products within a particular scope. Enabling CNAs to share detailed data more quickly benefits the entire program.
  • The CERT/CC Vulnerability Analysis team established a one-day Vulnerability Response training course for project managers and others who may need to respond to vulnerabilities identified in their products. CERT/CC also published The CERT Guide to Coordinated Vulnerability Disclosure, a compilation of lessons learned based on their handling of vulnerabilities in the past three decades.
  • At the NVD, NIST engineers have recently redesigned their data model, adding flexibility for new types of information and improving search capability. The NVD is now finding ways to automate more data analysis and severity scoring through natural language processing and machine learning.

DHS recognizes community engagement as a critical component of discovering and correcting vulnerabilities before risks become incidents.

To suggest additional topics for a series on cybersecurity and risk management, please contact: cscexternalaffairs@HQ.DHS.GOV

[Infographic: The Patch Factory - Global Infrastructure for Managing Cybersecurity Vulnerabilities. Panels: vulnerability discovery; initial disclosure of vulnerabilities; analysis and coordination on fighting/assessing the vulnerability; analysis and disclosure, continued; remediation phase (patch updates, simple fixes, scanning signatures, intrusion signatures, countermeasures); DHS Seal.]

Download infographic (633KB JPG)

DHS Releases Binding Operational Directive With New Procedures For Securing Federal High Value Assets

May 25, 2018
11:49 am

Department of Homeland Security Secretary Kirstjen Nielsen issued Binding Operational Directive (BOD) 18-02, Securing High Value Assets, earlier this month, to enhance the Department’s coordinated approach to securing the federal government’s High Value Assets (HVAs) from cybersecurity threats.

For the past several years, DHS has worked with federal agencies to identify, prioritize, and assess the cybersecurity posture of some of the federal government’s most critical, high impact information systems. We refer to these systems as high value assets (HVAs) and, in 2016, issued a cybersecurity directive requiring federal agencies to take specific actions to protect their most critical systems.

With the issuance of BOD 18-02, DHS introduces a more focused, integrated approach to addressing weaknesses across federal agency HVAs, facilitates ongoing collaboration across cybersecurity teams to drive timely remediation, and ensures senior executive involvement to manage risk across an agency enterprise.

Our team in the National Protection and Programs Directorate (NPPD) also works with federal civilian agencies to conduct customized security assessments of HVAs and assist with remediation of identified vulnerabilities. In-depth security assessments and security architecture reviews of prioritized agency HVAs help identify vulnerabilities and weaknesses that may allow an adversary to penetrate a system, move through an agency’s network, and access and exfiltrate sensitive data without detection.

Since 2016, DHS has identified close to 200 high priority vulnerabilities through HVA assessments and worked closely with agencies to mitigate all critical findings as quickly as possible. We also coordinated with the National Institute of Standards and Technology (NIST) to develop a guidance document called the HVA Control Overlay, to provide further technical guidance for federal agencies to secure HVAs based on additional specifications for protections applied to high impact systems like HVAs.

Although federal agencies have a primary responsibility for their own cybersecurity, DHS provides operational assessment services, technical assistance, and a common set of security tools like the HVA Control Overlay to federal civilian executive branch agencies to help them manage their cyber risk. BOD 18-02 supports the Department’s efforts to safeguard and secure the Federal IT Enterprise by requiring all federal agencies to prioritize the security of their most critical and high impact systems.

For more information on DHS BOD 18-02, Securing High Value Assets, please visit


Cyber Storm VI: Testing the Nation’s Ability to Respond to a Cyber Incident

April 13, 2018
12:01 pm

Cyber threats to government networks and other critical infrastructure are one of our Nation’s most pressing security challenges. Consequences from attacks threaten the safety and security of the homeland, our economic competitiveness, and our way of life. With the majority of critical infrastructure owned and operated by the private sector, securing cyberspace is only possible through close collaboration, what we described as a “Collective Defense” model of shared responsibility.

Exercises are critical to testing this coordination, and more importantly, to building and maintaining strong relationships among the cyber incident response community. Carried out regularly, these exercises allow us to achieve solutions to some of the biggest challenges facing the homeland as well as raise the overall profile of cyber events and cyberattacks.

Cyber Storm VI was led by the Department of Homeland Security (DHS) and involved more than 1,000 members of private industry, government and international partners who participated in a three-day distributed exercise that focused on the critical manufacturing and transportation sectors. The exercise evaluated and improved the capabilities of the cyber response community, informed preparedness and resilience planning efforts, and evaluated the effectiveness of the National Cyber Incident Response Plan in guiding response. Growth in this community of partners acknowledges the increasing value of information sharing and the benefits of exercising their organizations’ cyber response plans.

During the exercise, participants faced a simulated cyber crisis of national and international consequence that required them to use their training, policies, processes, and procedures for identifying and responding to a multi-sector cyberattack targeting critical infrastructure. The Cyber Storm VI scenario was an environment where no single organization was in a position to stop or mitigate the impacts of the attack by itself. Thus, the scenario promoted cooperation and information sharing across the United States government, states, the private sector, and international partners.

The DHS National Cybersecurity and Communications Integration Center (NCCIC) served as the focal point for federal response and coordination during the event. NCCIC is a 24x7 cyber situational awareness, incident response, and management center that is a national nexus of cyber and communications integration for the Federal Government, intelligence community, and law enforcement. The NCCIC is also designated as the federal interface for private sector information sharing, cross-sector coordination, and incident response.

A comprehensive after-action process will take place to discuss initial, high-level findings. An after-action conference will also be held to validate these findings and inform the development of an after action report. This information, along with the lessons from previous exercises and real-world incidents, is integral for strengthening the Nation’s capacity to respond to a cyber incident. It also assists DHS in creating more challenging scenarios to test the security and resiliency of their partners in the years to come.

For more information about the Cyber Storm exercise series, and to view the final reports from Cyber Storms I-V, visit

Take steps to ‘own’ your online presence

January 26, 2018
12:57 pm

Data Privacy Day, which takes place Jan. 28, 2018, is an international effort designed to inspire dialogue and empower individuals to take action to protect privacy, safeguard data, and enable trust in our interconnected world.

Millions of people are unaware of how their personal information is being used, collected and shared in our digital society. Following a year of massive data breaches at both public companies and government organizations, it’s time we all learn how to secure our personal information and “own” our online presence.

Data Privacy Day also encourages businesses to be more transparent about how they collect and use data we provide to them.

We produce a nearly endless stream of data in our daily lives and conduct much of our lives on the internet and on our connected devices. Yet few people understand how much of their personal information is being collected and shared from our devices and the services we use online. This data can be stored indefinitely, and our personal information can be used in both beneficial and unwelcome ways. Even seemingly innocuous information – such as your favorite restaurants or items you purchase online – can be used to make inferences about your socioeconomic status, preferences and more.

I encourage everyone to think about the information you share online, and how that information is collected, stored and reused.

Follow these tips from the Stop.Think.Connect.™ cybersecurity awareness campaign for staying safe and private online:

  • PERSONAL INFO IS LIKE MONEY: VALUE IT. PROTECT IT. Information about you, such as your purchase history or location, has value – just like money. Be thoughtful about who gets that information and how it’s collected through apps and websites. You should delete unused apps, keep others current and review app permissions.
  • SHARE WITH CARE. Think before posting about yourself and others online. Consider what it reveals, who might see it and how it could be perceived now and in the future. It’s a good idea to review your social network friends and all contact lists to ensure everyone still belongs.
  • OWN YOUR ONLINE PRESENCE. Set the privacy and security settings on websites and apps to your comfort level for information sharing. Each device, application or browser you use will have different features to limit how and with whom you share information. It’s OK to ask others for help.
  • LOCK DOWN YOUR LOGIN. Your usernames and passwords are not enough to protect key accounts like email, banking and social media. Choose one account and turn on the strongest authentication tools available, such as biometrics, security keys or a unique one-time code sent to your mobile device.
  • KEEP A CLEAN MACHINE. Keep all software, operating systems (mobile and PC) and apps up to date to protect against data loss from infections and malware.
  • APPLY THE GOLDEN RULE ONLINE. Post only about others as you would have them post about you.
  • SECURE YOUR DEVICES. Every device should be secured by a password or strong authentication – finger swipe, facial recognition etc. These security measures limit access to authorized users only and protect your information if devices are lost or stolen.
  • THINK BEFORE YOU APP. Information about you, such as the games you like to play, your contacts list, where you shop and your location, has tremendous value. Be thoughtful about who gets that information and understand how it’s collected through apps.

To learn more about staying safe and private online, visit Stop.Think.Connect.

Sharing Critical Information to Protect the Networks and Systems We All Rely Upon

October 31, 2017
9:44 am

By Jeanette Manfra, Assistant Secretary, Office of Cybersecurity and Communications, Department of Homeland Security

It’s fitting that October, which is National Cybersecurity Awareness Month, has also been an extremely busy month for the Department of Homeland Security’s cybersecurity information sharing operations. In the field of cybersecurity, DHS shares timely, accurate information far and wide with our partners and constituents so that they can take proper action to protect themselves.

On October 16, our partners at the Software Engineering Institute’s CERT Division reported to DHS that researchers had disclosed a major weakness in the Wi-Fi Protected Access II (WPA2) protocol that secures nearly all wireless network traffic, and named the exploit technique KRACK, short for “Key Reinstallation Attack.” The vulnerabilities are in the 802.11i protocol, which means that any standards-compliant implementation of WPA2 is likely to be affected.

That morning, shortly after being notified by CERT, DHS’s US-Computer Emergency Readiness Team (US-CERT) issued a public alert to ensure that information about the vulnerabilities reached as wide an audience as possible.

When vulnerabilities like KRACK are discovered and disclosed, it is critical that DHS share this information widely and as quickly as possible so that our partners and constituents can be aware of the risk and take steps to protect themselves. In the case of KRACK, if exploited, an attacker within range of a Wi-Fi network can view network traffic that users assume to be protected by WPA2 encryption. If additional layers of transport security (such as HTTPS) are not in place, an attacker could capture email, chat messages, photos, or other user information like credit card numbers and passwords.

To prevent the attack, users and administrators must update affected products as security updates become available. Individuals should also identify which WiFi enabled devices they are currently using (the CERT Vulnerability Note contains a list of affected vendors) and ensure that the necessary updates are applied. There is no one patch for all affected devices. Some Wi-Fi enabled devices that people might overlook are televisions, home security systems and wearable devices. In those cases, users should check for customer support information from the device manufacturer.

That same day, DHS issued a Binding Operational Directive (BOD) 18-01 to all federal departments and agencies. This directive, titled “Enhance Email and Web Security,” mandates the use of specific cybersecurity best practices at all agencies, including DMARC and HSTS. HSTS, or HTTP Strict Transport Security, is a way to force the use of HTTPS. This way, even if wireless frame-level encryption is bypassed—as it is in KRACK—traffic with the HSTS website is protected against snooping, modification or injection. DMARC, or Domain-based Message Authentication, Reporting and Conformance, is a way to protect against domain spoofing in email messages, in which a cyber actor uses a fake email address disguised to look like an authentic one.
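The paragraph above names the two BOD 18-01 controls, DMARC for email and HSTS for web, and the earlier BOD 18-01 milestone post on this page speaks of the "strongest level" of DMARC enforcement. The Python below is an added example written for this page, not DHS tooling and not the directive's own compliance checker: it parses a DMARC TXT record and a Strict-Transport-Security header value and reports how far each is from forcing the protection on. The thresholds it applies are the example's own assumptions (the post gives no numbers): a DMARC record counts as enforcing only with p=reject applied to 100 percent of mail, and an HSTS header counts as durable only with a max-age of at least one year, the minimum the HSTS preload list requires, plus includeSubDomains. The sample records and addresses are constructed.

```python
from typing import Dict, List, Optional, Tuple

# One year in seconds: the minimum max-age the HSTS preload list accepts.
# The post states no number, so treat this threshold as the example's assumption.
HSTS_MIN_MAX_AGE = 31536000

# Constructed examples: a monitoring-only record beside an enforcing one, and a
# short-lived HSTS header beside a durable one. The mailbox and hosts are placeholders.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.gov"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.gov"
WEAK_HSTS = "max-age=300"
STRONG_HSTS = "max-age=31536000; includeSubDomains; preload"


def parse_directives(value: str) -> Dict[str, Optional[str]]:
    """Split a 'tag=value; flag; tag=value' string into a dict (bare flags map to None).

    DMARC TXT records and the Strict-Transport-Security header share this shape.
    """
    out: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            tag, val = part.split("=", 1)
            out[tag.strip().lower()] = val.strip()
        else:
            out[part.lower()] = None
    return out


def assess_dmarc(record: str) -> Tuple[str, List[str]]:
    """Classify a DMARC record as 'invalid', 'monitoring' or 'enforcing', with findings."""
    tags = parse_directives(record)
    if (tags.get("v") or "").upper() != "DMARC1":
        return "invalid", ["record does not declare v=DMARC1"]
    policy = (tags.get("p") or "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", ["p= tag missing or not one of none/quarantine/reject"]
    findings = []
    if policy != "reject":
        findings.append(f"p={policy}: receivers are not told to reject spoofed mail")
    pct_raw = tags.get("pct") or "100"          # pct defaults to 100 when absent
    pct = int(pct_raw) if pct_raw.isdigit() else -1
    if pct < 0:
        findings.append(f"pct={pct_raw}: not a number")
    elif pct < 100:
        findings.append(f"pct={pct}: policy applies to only part of the mail stream")
    if not tags.get("rua"):
        findings.append("no rua= address: aggregate reports about spoofing will not arrive")
    level = "enforcing" if policy == "reject" and pct == 100 else "monitoring"
    return level, findings


def assess_hsts(header_value: Optional[str]) -> Tuple[bool, List[str]]:
    """Check a Strict-Transport-Security header value; True means HTTPS is forced durably."""
    if not header_value:
        return False, ["no Strict-Transport-Security header: HTTPS is not forced"]
    directives = parse_directives(header_value)
    findings = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or not a number: the header is not valid")
    elif int(max_age) < HSTS_MIN_MAX_AGE:
        findings.append(f"max-age={max_age} is under one year: protection lapses quickly")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains absent: subdomains can still be reached over HTTP")
    return not findings, findings


if __name__ == "__main__":
    for label, rec in (("weak", WEAK_DMARC), ("strong", STRONG_DMARC)):
        print("DMARC", label, assess_dmarc(rec))
    for label, hdr in (("weak", WEAK_HSTS), ("strong", STRONG_HSTS)):
        print("HSTS", label, assess_hsts(hdr))
```

Run against live data, the DMARC input would be the TXT record at `_dmarc.<domain>` and the HSTS input the header from an HTTPS response; both are read-only lookups of your own domains.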

Later in the same week, on October 20, we released a joint Technical Alert based on collaborative analysis between DHS and the FBI on Advanced Persistent Threat activities targeting critical infrastructure, particularly the energy sector. In the alert, we provide a detailed description of the actors’ tactics, techniques and procedures, including in-depth technical analysis of various phases in the Cyber Kill Chain. We also included several sets of Indicators of Compromise (IOCs) in the Structured Threat Indicator Expression (STIX), a common language used in disseminating cyber threat information, to help cybersecurity professionals detect and defend against these activities in their own networks.
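The paragraph above explains why IOCs are shared in STIX: so that defenders can run them against their own telemetry. The Python below is an added example written for this page, not the Technical Alert's indicators and not a DHS tool; it assumes STIX 2 pattern syntax (the post does not say which STIX version the alert used) and handles only the flat equality lists most shared IOC sets consist of, matching each value as a whole token so that a near miss such as 192.0.2.109 does not trigger on 192.0.2.10. The indicator objects, their placeholder ids, the documentation-reserved addresses and names, and the log lines are all constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed STIX 2 style indicator objects. The ids are placeholders and the
# pattern values are documentation-reserved addresses/names, not real indicators.
SAMPLE_INDICATORS = [
    {"id": "indicator--placeholder-0001", "name": "placeholder command-and-control host",
     "pattern": "[ipv4-addr:value = '192.0.2.10' OR ipv4-addr:value = '192.0.2.11']"},
    {"id": "indicator--placeholder-0002", "name": "placeholder credential-phishing domain",
     "pattern": "[domain-name:value = 'login-update.example.net']"},
]

# Constructed proxy and DNS log lines. Line 1 and line 2 should hit;
# line 3 is a deliberate near miss (192.0.2.109 is not 192.0.2.10).
SAMPLE_LOGS = [
    "2017-10-20T09:12:03Z proxy src=10.1.4.22 dst=198.51.100.7 host=cdn.example.org status=200",
    "2017-10-20T09:12:41Z proxy src=10.1.4.22 dst=192.0.2.10 host=unknown status=200",
    "2017-10-20T09:13:05Z dns client=10.1.7.9 query=login-update.example.net type=A",
    "2017-10-20T09:14:10Z proxy src=10.1.5.3 dst=192.0.2.109 host=cdn.example.org status=200",
]

# object-type:property = 'value' comparisons inside a STIX pattern
COMPARISON_RE = re.compile(r"([a-z0-9-]+):([a-z0-9_.]+)\s*=\s*'([^']*)'")


def extract_observables(pattern: str) -> List[Dict[str, str]]:
    """Pull every equality comparison out of a STIX pattern.

    Only 'type:property = value' terms joined by OR/AND are understood, which is
    enough for IP, domain and hash lists; richer pattern operators are ignored.
    """
    return [{"type": t, "property": p, "value": v}
            for t, p, v in COMPARISON_RE.findall(pattern)]


def compile_matchers(indicators: List[Dict[str, str]]) -> List[Tuple[str, str, "re.Pattern"]]:
    """Turn each observable value into a regex that matches it only as a whole token."""
    matchers = []
    for ind in indicators:
        for obs in extract_observables(ind["pattern"]):
            rx = re.compile(r"(?<![\w.])" + re.escape(obs["value"]) + r"(?![\w.])",
                            re.IGNORECASE)
            matchers.append((ind["id"], obs["value"], rx))
    return matchers


def match_logs(indicators: List[Dict[str, str]], logs: List[str]) -> List[Dict[str, object]]:
    """Scan log lines for indicator values; one hit per (line, indicator value) pair."""
    matchers = compile_matchers(indicators)
    hits = []
    for line_no, line in enumerate(logs):
        for ind_id, value, rx in matchers:
            if rx.search(line):
                hits.append({"line": line_no, "indicator": ind_id, "value": value, "log": line})
    return hits


if __name__ == "__main__":
    for hit in match_logs(SAMPLE_INDICATORS, SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['indicator']} matched {hit['value']}")
```

A hit here is a lead for analysis, not a verdict: shared IOC sets age quickly, so the usual next step is to confirm the indicator is still current and to look at the surrounding activity for the source host before acting.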

As these examples show, information sharing is a key part of DHS’s important mission to enhance the awareness of new vulnerabilities and malicious cyber activities. DHS actively collaborates with public and private sector partners every day to share actionable information gleaned from research, network defense, cybercrime investigations, and incident reports. Without this collaboration, we would be less able to inform our partners and constituents on emerging threats and appropriate mitigation strategies. We applaud security researchers who disclose vulnerabilities in a thoughtful and coordinated manner, which has the effect of increasing security of the entire internet ecosystem. We also greatly appreciate the feedback we receive from our partners on products like our Technical Alert, so that we can continuously hone our processes to better help network defenders do their job. As National Cybersecurity Awareness Month comes to a close, DHS is ready to continue sharing valuable operational information and working together to make a safer, stronger Internet for all Americans.

