1 of 47

May 13, 2025

2 of 47

May 13, 2025

3 of 47

May 13, 2025

In September 2022, CISA released its first-ever, comprehensive strategic plan since the agency was established in 2018. The 2023-2025 Strategic Plan communicates CISA’s mission and vision, promotes unity of effort across the agency and our partners, and defines success for CISA as an agency.
The Plan highlights our commitment to reducing risk and describes a forward-leaning, unified approach to achieving CISA’s vision of ensuring secure and resilient critical infrastructure for the American people.
It is intended to strengthen the foundation of the agency by further building on our core mission, values, and principles.
Our Strategic Plan lays out four ambitious goals that we must achieve to address the diverse and dynamic challenges facing our nation:

First, we will spearhead the national effort to ensure the defense and resilience of cyberspace.

In our role as America’s Cyber Defense Agency, CISA must build the national capacity to defend against, and recover from, cyberattacks. Here, we will continue to work with federal partners to bolster their response to cyber incidents, while also safeguarding the federal civilian executive branch networks. Additionally, we will continue to partner with the private sector and state, local, tribal, and territorial (SLTT) governments to detect and mitigate cyber threats and vulnerabilities before they become incidents.

Second, we will reduce risks to, and strengthen the resilience of, America’s critical infrastructure.

To achieve the second goal, CISA must further strengthen its understanding of current and future security risks to better meet the diverse needs of our stakeholders and the nation’s infrastructure. Here we will continue to serve as a key partner to critical infrastructure owners and operators across the nation to help reduce risks and build their security capacity to withstand new threats.

Third, we will strengthen whole-of-nation operational collaboration and information sharing.

At the heart of CISA’s mission is partnership and collaboration. Goal three focuses on the shared commitments and investments made across critical infrastructure sectors by both public and private infrastructure owner and operators. Through our partnerships, CISA will expand and strengthen these shared commitments, provide products and services that make continued investment in infrastructure security and resilience the smart and easy choice, and enhance information sharing and collaboration at the local, regional, and national levels.

Fourth, and foundational to our success, we will unify as “One CISA” through integrated functions, capabilities, and workforce.

We are building a culture of excellence based on core values and core principles that prize teamwork and collaboration, innovation and inclusion, ownership and empowerment, and transparency and trust. As one team unified behind our shared mission, we will “work smart” to operate in an efficient and cost-effective manner.

“Next Slide”

4 of 47

May 13, 2025

CISA’s 10 regional offices are in the same cities as, or are in close proximity to, the 10 existing Federal Emergency Management Agency regional offices.
The agency’s regional staff are located across the country and support all 56 states and territories by providing a unique service to the critical infrastructure community and position owners/operators to enhance security capabilities through a wide range of initiatives.
CISA’s programs are implemented at both the national and regional levels and leverage international partnerships. Through CISA’s regions, we can offer more hands-on technical assistance and subject matter expertise to state, local, tribal, and territorial stakeholders around the country.
Through CISA’s various programs and our 10 CISA regions, the agency can assess current and future risks to the nation’s cyber and physical infrastructure. These risks run the gamut from vehicle ramming and active shooters, to malware and ransomware, as well as the disruption of a central communications hub – any of which can take down an individual organization or even a local government. CISA can also connect directly with our stakeholders in each of CISA’s 10 regions, to develop a more focused approach to regional issues.
Within each CISA Region, the agency has local and regional Protective Security Advisors (PSAs), Cybersecurity Advisors (CSAs), Emergency Communications Coordinators, and Chemical Security Inspectors.
CISA also has Regional External Affairs Officers (REAOs) who work closely with regional directors to address communication needs in the field, respond to regional media and congressional inquiries, and work closely with the regional sector outreach coordinators (RSOCs) on stakeholder engagement.
CISA regional staff can help organizations conduct free assessments to identify security vulnerabilities that may help with converging security operations, directly supporting owners/operators with tangible risk mitigation solutions.
If you haven’t worked with our regional staff yet, I encourage you to reach out. I’m happy to put you in touch with the members of our team who will support your individual needs, or you can find more about our regions on CISA.gov.

5 of 47

Threats to Critical Infrastructure

America remains at risk from a variety of threats including:

Acts of Terrorism
Domestic Violence
Cyber Attacks
Extreme Weather
Pandemics
Accidents or Technical Failures

5

May 13, 2025

The risk environment affecting critical infrastructure is complex and uncertain; threats, vulnerabilities, and consequences have all evolved over the last 10 years.

For example, critical infrastructure that has long been subject to risks associated with physical threats and natural disasters is now increasingly exposed to cyber risks, which stems from growing integration of information and communications technologies with critical infrastructure operations and an adversary focus on exploiting potential cyber vulnerabilities.

Growing interdependencies across the systems that control our infrastructure, particularly information and communications technologies, have increased vulnerabilities across a range of physical and cyber threats. NIPP 2013 draws on existing structures and partnerships to promote an inclusive partnership framework that…

Integrates all levels of government, private, and non-profit sectors
Recognizes unique expertise and capabilities of each participant
Reflects key role and knowledge of critical infrastructure owners and operators to address today’s all-hazards risk environment

6 of 47

Critical Infrastructure

6

May 13, 2025

7 of 47

Security Advisors

Security Advisors are personnel who serve as critical infrastructure specialists with areas of expertise in physical security and cybersecurity.

Provide state, local, tribal, territorial (SLTT) officials and the private-sector with CISA resources

Security advice
Information sharing
Incident response
Special event planning
Training and exercises
Reach back to DHS / CISA

7

May 13, 2025

8 of 47

Protected Critical Infrastructure Information (PCII)

The Protected Critical Infrastructure Information (PCII) Program protects critical infrastructure information voluntarily shared with the federal government for homeland security purposes.

PCII protected information is not released through:

Freedom of Information Act disclosure requests
State, local, tribal, territorial disclosure laws
Use in civil litigation
Use for regulatory purposes

8

May 13, 2025

9 of 47

Use of PCII

PCII is used by CISA and other Federal and SLTT security analysts to:

Analyze and secure critical infrastructure and protected systems (cyber)
Identify vulnerabilities and develop risk assessments
Enhance recovery preparedness measures

9

May 13, 2025

10 of 47

PCII Protections

To qualify for PCII protections:

Information must be related to the security of the critical infrastructure; and
A submitter must attest the information is:

Voluntarily submitted
Not customarily found in the public domain
Not submitted in lieu of compliance with any regulatory requirement

10

May 13, 2025

11 of 47

Physical Security

11

May 13, 2025

12 of 47

Protective Security Advisors

Coordinate and collaborate with executive-level Federal, State, Local, Tribal, Territorial (FSLTT) and private-sector officials to:

Identify, assess, and protect nationally and regionally significant critical infrastructure
Conduct risk reduction surveys and assessments
Analyze and identify dependencies, gaps, interdependencies, and vulnerabilities during planning and event execution for NSSE and SEAR events
Respond to, and recover from, natural or man-made incidents, both physical and cyber, in accordance with the National Response Framework
Coordinate DHS training based on needs analysis

Provide advice to FSLTT and private-sector on security and resilience policies

�

12

May 13, 2025

13 of 47

Infrastructure Survey Tool

The Infrastructure Survey Tool (IST) is a web-based vulnerability survey tool that applies weighted scores to identify infrastructure vulnerabilities and trends across sectors.

Facilitates the consistent collection of security information, such as:

Physical Security
Security Force
Security Management
Information Sharing
Protective Measures
Dependencies

13

May 13, 2025

14 of 47

Infrastructure Survey Tool Data Categories

Facility Information
Contacts
Facility Overview
Information Sharing*
Protective Measures Assessment*
Criticality*
Security Management Profile*
Security Areas/Assets

Physical Security*

Building Envelope
Vehicle Access Control
Parking
Site’s Security Force
Intrusion Detection System (IDS)/Video Surveillance System (VSS)
Access Control
Security Lighting

Additional DHS Products and Services
Criticality Appendix
Images
Security Force*
Cyber Vulnerability
Dependencies*

14

* Comparative analysis provided

May 13, 2025

15 of 47

Infrastructure Survey Tool Deliverables

Generates the Protective Measures Index and Resilience Measurement Index
Allows CISA and facility owners and operators to:

Identify security gaps
Compare a facility’s security in relation to similar facilities
Track progress toward improving critical infrastructure security

15

May 13, 2025

Each question asked during the Survey leads to a “score”…and using these scores, we end up with a Protective Measures Index (PMI) and Resilience Measures Index (RMI)
Coupled together the scores enable us to compare them against “Like-Facilities” around the nation, leading to a true “Apples to Apples” comparison on security and resilience

Survey and assessment information is shared with owners and operators through interactive dashboards. This feature provides an overview of a facility’s security and resilience postures and identifies potential areas of concern. The dashboards compare over 1,500 protection and resilience variables common to any facility, with those of similar facilities across the United States. The dashboards also allow users to explore the impacts of potential improvements to their security and resilience status.

16 of 47

Infrastructure Survey Tool Dashboards

Survey and assessment information is shared with owners and operators through interactive dashboards
Dashboards allow users to explore the impacts of potential improvements to their security and resilience status

16

May 13, 2025

17 of 47

Security Assessment at First Entry (SAFE) Tool

The Security Assessment at First Entry (SAFE) tool is designed to assess the current security posture and identify options for facility owners and operators to mitigate relevant threats
The SAFE tool is suited for all facilities, including smaller ones such as rural county fairgrounds, houses of worship with only weekend services and few members, and small health clinics

17

May 13, 2025

18 of 47

Snapshot of Common Physical Security Vulnerabilities

18

Lack of designated security manager
No written security, emergency management or business continuity plans

Lack of access control & perimeter security
Suspicious package procedures
Mass notification procedures
Active Shooter procedures
Training and exercising

Lack of alarm and video surveillance systems
Missed opportunities to collaborate with Law Enforcement and Fusion Centers
Lack of employee background and recurring checks

May 13, 2025

19 of 47

Services Snapshot

19

Security Assessment at First Entry
Infrastructure Survey Tool
Infrastructure Visualization Platform
Security planning best practices

Tabletop Exercise Templates
Planning and facilitation services for tabletops to Full-scale exercises

CISA Active Shooter Preparedness
Protecting Infrastructure During Public Demonstrations
De-escalation Series
Power of Hello
Personal Security Considerations
Unauthorized Drones over Stadiums

Countering Improvised Explosive Device Programs
Insider Threat Mitigation
Vehicle Ramming Mitigation

Cyber Vulnerability Scanning
Cyber Resilience Review
Cyber Infrastructure Survey
Cyber Security Evaluation Tool (CSET)

May 13, 2025

20 of 47

Information Sharing Example- Physical Security Considerations for Temporary Facilities

20

Temporary facilities are those established for set timeframes for hosting a venue/event.

Unique security challenges due to their provisional nature.

The dynamic threat environment underscore the importance of incorporating security measures to keep facilities and people safe.

Although there are currently no specific or imminent threats to temporary facilities, CISA recommends operators determine whether a security plan exists for the facility and if current protective measures provide the necessary security.

May 13, 2025

21 of 47

Information Sharing Example- Protecting Infrastructure During Public Demonstrations

21

The right to assemble is recognized as a key American value and is protected in the First Amendment of the U.S. Constitution.

Risk Mitigations:

Communicate with Law Enforcement and Fusion Centers to understand when demonstrations could become violent criminal acts.
Close business for the day or identify scheduled demonstrations and adjust business hours
Maintain emergency plans which include evacuations and shelter-in-place procedures
Consider shutting down power, water and ventilation
Remove valuables from plain view and increase visual security to deter a criminal act

May 13, 2025

22 of 47

Suspicious Activity Reporting

The Nationwide Suspicious Activity Reporting Initiative is a joint collaborative effort by DHS, FBI, and SLTT law enforcement for gathering, documenting, processing, analyzing, and sharing suspicious activity reporting to help prevent terrorism

22

May 13, 2025

23 of 47

Recognize the Signs - Indicators

23

May 13, 2025

(U) Early into 2025, we face a variety of cyber threats to U.S. critical infrastructure from sophisticated state-sponsored cyber actors, criminal hacktivists, and financially-motivated cybercriminals.¹ PRC state-sponsored cyber actors continue to pre-position cyber exploitation and attack capabilities on critical infrastructure networks for disruptive or destructive attacks in the event of a major crisis or conflict with the United States, which may also provide them with broad access to sensitive information.² Recent PRC compromises of the Department of Treasury’s Office of Foreign Assets Control in December, and the multiple breaches of U.S. telecoms by Salt Typhoon, a PRC state-sponsored cyber threat group, in November, demonstrate the PRC’s clear intent and capability to conduct cyber operations targeting sensitive U.S. networks.^3,4,5

(U) In addition, other nation-state actors, namely Russia, Iran, and North Korea, also continue to pose evolving threats to U.S. critical infrastructure networks.⁶ Russia, for its part, continues to seek access to U.S. federal, state, and local government, as well as private sector networks for espionage purposes, while also conducting cyber operations targeting software supply chains, such as the Russia Foreign Intelligence Service’s (SVR) targeting of SolarWinds^USPER in 2021 and unpatched JetBrains TeamCity servers in 2023.^7,8

(U) Iranian state-sponsored cyber actors, and other sympathetic cyber actors, have targeted U.S. critical infrastructure with opportunistic cyber attacks in retaliation for U.S. support to Israel during the current conflict in the Middle East.⁹ While these attacks have been largely low-level and opportunistic, Iran is still capable of conducting potentially impactful cyber operations, as seen with their attempted hack-and-leak operations related to the recent U.S. Presidential election.¹⁰

(U) Finally, North Korean state-sponsored cyber actors and other financially-motivated cybercriminal groups continue to target U.S. critical infrastructure with ransomware attacks, resulting in disrupted operations and significant financial costs on victims.¹¹ To compound on this threat, state-sponsored cyber actors are cooperating with cybercriminal groups and utilizing ransomware in their operations to both fund future cyber operations and other national priorities, while also serving as a means to collect sensitive information.^12,13 For example, as of Late October 2024, APT45, a sub-group of the DPRK’s Lazarus Group, was observed collaborating with the Play ransomware group, either as an affiliate or an initial access broker, in a recent ransomware attack.¹⁴

(U) PRC cyber actors are prepositioning on Homeland networks for cyber exploitation, espionage and cyber attack capabilities in the homeland in the event of regional conflict with Taiwan. As you’ve probably seen in government and media reporting, there are multiple campaigns being conducted by these threat actors. According to DHS assessments, Volt Typhoon is primarily targeting 5 critical lifeline sectors, however, the IC assesses these actors would capitalize on multiple targets to incur cascading effects throughout the Homeland. High value sectors include Communications and Information Technology, as we’ve seen on the news, due to interdependencies throughout all critical infrastructure.

(U) Volt Typhoon’s use of legitimate credentials and administrative tools allow the actors to remain undetected by security and detection software. This technique, known as living off the land, allows these actors to blend in with normal network traffic by using native tools and processes on systems. LOTL can be used across multiple environments, including on-premises, cloud, hybrid, windows, Linux and mac OS environments. According to CISA Joint Guidance, released with TSA, EPA, DOE, and FVEY partners, Windows environments are most commonly observed, due to the operating systems widespread use in corporate and enterprise settings. Cyber threat actors have also been observed utilizing third-party remote access software, including remote monitoring and mobile device management systems commonly used in government and OT. These tools have high privileges necessary for every day use, making administrative access more easily obtained by threat actors. ��(U) Threat actors utilize multiple tactics to gain initial access into compromised systems. We primarily observe cyber actors exploiting Common vulnerabilities and exposures (CVEs) and Known exploited vulnerabilities (KEVs). Actors who have the know how to execute these published vulnerabilities before network defenders can institute patches or replace hardware can gain initial access without much effort, and can then pivot, steal credentials or elevate privileges to deepen access to victim networks. KEVs and CVEs can be mitigated through lifecycle replacements of end-of-life hardware, patching outdated software and are typically published by the vendor. Some prevention actions network defenders can take include credential refresh, expired account purging, or multi factor authentication.

(U) Zero-day exploits, created by sophisticated cyber actors or advanced persistent threat actors, can provide high payoff for targeted systems, however, there is hesitancy to deploy these exploits due to attribution or the exposure of the actor’s cyber tradecraft. What we primarily observe is cyber actors exploiting poor cybersecurity practices, commonly utilizing CVEs and KEVs or unsecure internet facing devices or programs.

One thing to particularly highlight is unsecure edge devices or vulnerable internet connected device, such as a SOHO router or unsecure connected OT system. These device compromises can allow for a malicious cyber actor to gain access to the outer portions of a targeted network and then pivot to internal, operational portions.

*ENDNOTES*

[1] (U); Department of Homeland Security; 02 October 2024; “Department of Homeland Security 2025 Homeland Threat Assessment”; https://www.dhs.gov/publication/homeland-threat-assessment

[2] (U); Department of Homeland Security; 02 October 2024; “Department of Homeland Security 2025 Homeland Threat Assessment”; https://www.dhs.gov/publication/homeland-threat-assessment

[3] (U); Bleeping Computer; 02 January 2025; “Chinese hackers targeted sanctions office in Treasury attack”; https://www.bleepingcomputer.com/news/security/chinese-hackers-targeted-sanctions-office-in-treasury-attack/

[4] (U); Dark Reading; 19 November 2024; “Salt Typhoon Hits T-Mobile as Part of Telecom Attack Spree”; https://www.darkreading.com/cloud-security/salt-typhoon-tmobile-telecom-attack-spree

[5] (U); Dark Reading; 06 January 2025; “China's Salt Typhoon Adds Charter, Windstream to Telecom Victim List”; https://www.darkreading.com/cyberattacks-data-breaches/china-salt-typhoon-charter-windstream-telecom-victims

[6] (U); Department of Homeland Security; 02 October 2024; “Department of Homeland Security 2025 Homeland Threat Assessment”; https://www.dhs.gov/publication/homeland-threat-assessment

[7] (U); Department of Homeland Security; 02 October 2024; “Department of Homeland Security 2025 Homeland Threat Assessment”; https://www.dhs.gov/publication/homeland-threat-assessment

[8] (U); Joint Cybersecurity Advisory; AA23-347A; 13 December 2023; “Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally”

[9] (U); Department of Homeland Security; 02 October 2024; “Department of Homeland Security 2025 Homeland Threat Assessment”; https://www.dhs.gov/publication/homeland-threat-assessment

[10] (U); Microsoft; 08 August 2024; “Iran Targeting 2024 US Election”; https://blogs.microsoft.com/on-the-issues/2024/08/08/iran-targeting-2024-us-election/

[11] (U); Department of Homeland Security; 02 October 2024; “Department of Homeland Security 2025 Homeland Threat Assessment”; https://www.dhs.gov/publication/homeland-threat-assessment

[12] (U); Joint Cybersecurity Advisory; AA24-207A; 25 July 2024; “North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs”

[13] (U); Microsoft; 15 October 2024; “Escalating Cyber Threats Demand Stronger Global Defense and Cooperation”; https://blogs.microsoft.com/on-the-issues/2024/10/15/escalating-cyber-threats-demand-stronger-global-defense-and-cooperation/

[14] (U); Palo Alto Networks, Unit 42; 30 October 2024; “Jumpy Pisces Engages in Play Ransomware”; https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomware/

24 of 47

“If You See Something, Say Something”

To become a partner, send an email to:

seesay@hq.dhs.gov

For more information visit:

www.dhs.gov/see-something-say-something

24

“If You See Something, Say Something®” is a national anti-terrorism campaign that raises public awareness of the indicators of terrorism and terrorism-related crime, as well the importance of reporting suspicious activity to state and local law enforcement.

May 13, 2025

25 of 47

Cybersecurity

25

26 of 47

Cybersecurity Advisors

26

Offer cybersecurity assistance to critical infrastructure owners and operators and SLTT officials.

Introduce organizations to various CISA cybersecurity products and services, along with other public and private resources, and act as liaisons to CISA cyber programs.

Provide:

Cyber preparedness assessments and protective resources
Working group support
Leadership, partnership in public-private development
Coordination and support in times of cyber threat, disruption, or attack.

27 of 47

Threat Actor Tactics, Techniques and Procedures

27

UNCLASSIFIED//LAW ENFORCEMENT SENSITIVE

Initial Access Tactics, Techniques and Procedures

Known Exploited Vulnerabilities (KEVs) and Common Vulnerabilities and Exposures (CVEs)
Exploitation of end-of-life hardware and software
Unsecure edge devices
Use of default passwords or weak passwords
Phishing
Credential compromise
Access brokering and zero-day exploits

Threat actors utilize multiple tactics to gain initial access into compromised systems. We primarily observe cyber actors exploiting Common vulnerabilities and exposures (CVEs) and Known exploited vulnerabilities (KEVs). Actors who have the know how to execute these published vulnerabilities before network defenders can institute patches or replace hardware can gain initial access without much effort, and can then pivot, steal credentials or elevate privileges to deepen access to victim networks. KEVs and CVEs can be mitigated through lifecycle replacements of end-of-life hardware, patching outdated software and are typically published by the vendor. Some prevention actions network defenders can take include credential refresh, expired account purging, or multi factor authentication.

Zero-day exploits, created by sophisticated cyber actors or advanced persistent threat actors, can provide high payoff for targeted systems, however, there is hesitancy to deploy these exploits due to attribution or the exposure of the actor’s cyber tradecraft. What we primarily observe is cyber actors exploiting poor cybersecurity practices, commonly utilizing CVEs and KEVs or unsecure internet facing devices or programs.

One thing to particularly highlight is unsecure edge devices or vulnerable internet connected device, such as a SOHO router or unsecure connected OT system. These device compromises can allow for a malicious cyber actor to gain access to the outer portions of a targeted network and then pivot to internal, operational portions.

The graphic in the slide demonstrates a path to compromise by Volt Typhoon via a vulnerable SOHO device. The actor would gain initial access through either poor security procedures, a CVE or KEV, or a zero day exploit to gain access to the device. From there, actors would extract credentials from devices on the network and utilize the now compromised legitimate credentials to blend in with normal traffic to extract information, move deeper into the network and identify additional targets.

28 of 47

Common Threat Vectors

28

(U) Compromised Credentials

(U) Threat actors can obtain valid credentials through data breaches, social-engineering and phishing attacks, or simple brute force tactics
(U) Since 2013, malicious cyber actors have leveraged stolen credentials in approximately 31 percent of all breaches

(U) Third-party Service Providers

(U) Typically require trusted network connectivity and privileged access to customer networks
(U) Service provider compromises can expand to impact multiple customer environments
(U) Legitimate remote monitoring and management software can help threat actors avoid defenses

(U) Public-facing Devices and Applications

(U) Common vector used by both state-sponsored cyber actors and cybercriminal groups
(U) Threat actors scan for internet-facing devices, such as firewalls, virtual private networks, and routers

(U) Another common threat vector involves using compromised, legitimate credentials for initial access into a network.²³ According to one cybersecurity report, since 2013, stolen credentials have featured in approximately 31 percent of all breaches.²⁴Threat actors can obtain valid credentials in a variety of ways, including leveraging credentials harvested from prior data breaches for credential stuffing attacks, social-engineering or phishing attacks, or simple brute force tactics.²⁵ This threat vector is particularly noteworthy for organizations with weak password policies, or those utilizing hardware or software products with default configurations or default administrator usernames and passwords.²⁶

(U) Third-party organizations that provide management services for information and communications technology (ICT) systems, such as managed or cloud service providers, usually require trusted network connectivity and privileged access to their customers’ networks.²⁷ This privileged access to a wide range of customer networks makes vulnerable third-party service providers an attractive target for both state-sponsored cyber actors and cybercriminal groups, potentially enabling a single compromise to expand to multiple victim organizations.²⁸ Additionally, compromising service providers that utilize legitimate remote monitoring and management software for end-user support can provide threat actors opportunities to bypass administrative privilege requirements, software management control policies, and other cyber defenses.²⁹

(U) Finally, threat actors can utilize zero-day or known vulnerabilities in public-facing devices and applications.³⁰ Threat actors often scan for internet-facing devices, such as firewalls, virtual private networks, routers, and other edge network infrastructure, looking for vulnerabilities that can be exploited for initial access into a network.^31,32For example, PRC-linked threat actors, such as Volt Typhoon, are known to target and exploit network edge devices and then pivot to using Living Off The Land techniques, such as masking threat activity to appear as legitimate network traffic and making detection more difficult by leveraging domain-trust relationships.³³

*ENDNOTES*

[23] (U); Joint Cybersecurity Advisory; AA22-137A; 17 May 2022; “Weak Security Controls and Practices Routinely Exploited for Initial Access”

[24] (U); Verizon; 01 May 2024; “2024 Data Breach Investigations Report”; https://www.verizon.com/business/resources/reports/dbir/

[25] (U); Verizon; 01 May 2024; “2024 Data Breach Investigations Report”; https://www.verizon.com/business/resources/reports/dbir/

[26] (U); Joint Cybersecurity Advisory; AA22-137A; 17 May 2022; “Weak Security Controls and Practices Routinely Exploited for Initial Access”

[27] (U); Joint Cybersecurity Advisory; AA22-131A; 11 May 2022; “Protecting Against Cyber Threats to Managed Service Providers and their Customers”

[28] (U); Joint Cybersecurity Advisory; AA22-131A; 11 May 2022; “Protecting Against Cyber Threats to Managed Service Providers and their Customers”

[29] (U); Joint Cybersecurity Advisory; AA23-025A; 25 January 2023; “Protecting Against Malicious Use of Remote Monitoring and Management Software”

[30] (U); Joint Cybersecurity Advisory; AA22-137A; 17 May 2022; “Weak Security Controls and Practices Routinely Exploited for Initial Access”

[31] (U); Joint Cybersecurity Advisory; AA24-038A; 07 February 2024; “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure”

[32] (U); Joint Cybersecurity Advisory; AA23-250A; 07 September 2023; “Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475”

[33] (U); CISA; December 2024; “Vulnerability Snapshot: Financial Services Sector”

29 of 47

Common Threat Vectors (cont.)

29

(U) Social-engineering

(U) Includes phishing and all its variations (e.g. vishing, smishing, etc.)
(U) Generative artificial intelligence (GenAI) can improve attack success rates

(U) Unpatched Vulnerabilities in Software/Hardware

(U) One of the most common poor security practices
(U) In 2023, more than half of the most frequently exploited vulnerabilities were publicly disclosed vulnerabilities initially exploited as zero-days

(U) Insider Threats

(U) Includes both malicious and non-malicious insider threats
(U) Can result in theft, espionage, and sabotage of an organizations IT infrastructure, systems, and data

(U) First is social-engineering, including phishing and all its variations, which persisted as one of the most prevalent vectors for cybersecurity incidents in 2024.¹⁵ Social-engineering attacks prey on the human element of organizations and can encompass both broad and targeted campaigns, potentially resulting in victims divulging sensitive information or providing a means for initial access into a network.¹⁶ Additionally, the growing capabilities of generative artificial intelligence tools provide threat actors with opportunities to improve the success rates of attempted social-engineering attacks through the creation of synthetic text, images, audio, and videos.¹⁷

(U) Unpatched software or systems, a common security oversight, can be exploited by threat actors using publicly known common vulnerabilities and exposures (CVEs) to gain access to sensitive information or conduct an attack.¹⁸ In December 2024, CISA conducted a review of Financial Services Sector entities participating in the CISA Vulnerability Scanning (VS) service.¹⁹ Of the 828 entities scanned, 39 percent of entities utilized one or more End of Support (EOS) operating systems, and an additional 20 percent of entities had 987 instances of unsupported software.²⁰

(U) Insider threats, or more specifically – individuals within an organization with authorized access, can wittingly or unwittingly provide threat actors with sensitive information, initial access into a network, or even conduct malicious activity themselves.²¹ According to a 2024 survey of IT and cybersecurity professionals, roughly 83 percent of organizations surveyed reported at least one instance of an insider incident in the last year, a 23 percent increase from 2023, largely due to the increasing complexity of IT environments, the adoption of new technologies, and inadequate security measures.²²

*ENDNOTES*

[15] (U); Verizon; 01 May 2024; “2024 Data Breach Investigations Report”; https://www.verizon.com/business/resources/reports/dbir/

[16] (U); CISA; 01 February 2021; “Avoiding Social Engineering and Phishing Attacks”; https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks

[17] (U); Federal Bureau of Investigation; I-120324-PSA; 03 December 2024; “Criminals Use Generative Artificial Intelligence to Facilitate Financial Fraud”; https://www.ic3.gov/PSA/2024/PSA241203

[18] (U); Joint Cybersecurity Advisory; AA22-137A; 17 May 2022; “Weak Security Controls and Practices Routinely Exploited for Initial Access”

[19] (U); CISA; December 2024; “Vulnerability Snapshot: Financial Services Sector”

[20] (U); CISA; December 2024; “Vulnerability Snapshot: Financial Services Sector”

[21] (U); CISA; Date UNK; “Defining Insider Threats”; https://www.cisa.gov/topics/physical-security/insider-threat-mitigation/defining-insider-threats

[22] (U); Cybersecurity Insiders; Date UNK; “Insider Threat Report – New Data Shows Spike in Insider Attacks in 2024”; https://www.cybersecurity-insiders.com/2024-insider-threat-report/

[23] (U); Joint Cybersecurity Advisory; AA22-137A; 17 May 2022; “Weak Security Controls and Practices Routinely Exploited for Initial Access”

30 of 47

Common Indicators of Compromise

30

(U) Unusual outbound network traffic

(U) Anomalous traffic patterns or volumes could indicate attempted data exfiltration or communications with a command-and-control server

(U) Geographic abnormalities

(U) Connections from multiple geographically distant locations within a short timeframe from a single user is a potential indicator of compromise

(U) Abnormal account behaviors

(U) Abnormal behavior includes unusual login times, unauthorized access to files or databases, and failed login attempts

(U) These next two slides compile and describe a few common indicators of a potential compromise in a network.

(U) Unusual outbound network traffic is a common indicator of a potential compromise.³⁴ Detecting anomalies in traffic patterns and volumes could indicate an attempt by an intruder to exfiltrate data from a network or an infected system communicating to a command-and-control server.³⁵

(U) Next, connections to a network from abnormal geographic locations could also be an indicator of a potential compromise.³⁶ While not a perfect indicator, a high or increased volume of connections from abnormal geographic locations, particularly connections from multiple geographically distant locations within a short timeframe from a single user, should warrant further investigation.^37,38

(U) Additionally, anomalies in account behavior, such as abnormal login times, unauthorized access to files or databases, and failed login attempts can serve as an indicator of a compromised user account.³⁹ Threat actors often attempt to escalate their privileges, which may first begin with a compromised low-privilege account, in order to access sensitive information, modify files, or move laterally through a network.⁴⁰ Therefore, attempts to escalate an accounts privileges or attempts to access other users’ accounts is a solid indicator of compromise.⁴¹

*ENDNOTES*

[34] (U); SentinelOne; 11 March 2023; “What are Indicators of Compromise (IoCs)?”; https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-are-indicators-of-compromise-iocs-a-comprehensive-guide/

[35] (U); SentinelOne; 11 March 2023; “What are Indicators of Compromise (IoCs)?”; https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-are-indicators-of-compromise-iocs-a-comprehensive-guide/

[36] (U); DEVO; Date UNK; “Threat Hunting Guide”; https://www.devo.com/threat-hunting-guide/indicators-of-compromise/

[37] (U); SentinelOne; 11 March 2023; “What are Indicators of Compromise (IoCs)?”; https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-are-indicators-of-compromise-iocs-a-comprehensive-guide/

[38] (U); Joint Cybersecurity Advisory; AA24-038A; 07 February 2024; “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure”

[39] (U); SentinelOne; 11 March 2023; “What are Indicators of Compromise (IoCs)?”; https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-are-indicators-of-compromise-iocs-a-comprehensive-guide/

[40] (U); DEVO; Date UNK; “Threat Hunting Guide”; https://www.devo.com/threat-hunting-guide/indicators-of-compromise/

[41] (U); DEVO; Date UNK; “Threat Hunting Guide”; https://www.devo.com/threat-hunting-guide/indicators-of-compromise/

31 of 47

Common Indicators of Compromise

31

(U) Increased database read requests or modifications

(U) Routine review of application, security, and event logs can help identify changes to databases and detect attempted data exfiltration

(U) Suspicious files or processes

(U) Malware may disguise itself as legitimate software or initiate startup processes that may appear suspicious

(U) Unusual system behavior

(U) Unusual behavior includes system crashes, unexpected restarts, slow performance, and unexpected patches

(U) High-volume web traffic levels

(U) Abnormal volumes of web traffic or unauthorized connections with known-bad threat indicators

(U) Notable increases in database read requests or entire database dumps can also serve as a potential indicator.⁴² Routine review of application, security, and event logs can help identify changes to databases, which may suggest attempts to exfiltrate data by a threat actor.⁴³

(U) Malware present on a network may make operating system registry changes, which can launch startup processes or store operational data that persists through system reboots.⁴⁴ As malware can disguise itself as legitimate software, identification of suspicious files or processes can serve as a potential indicator and should warrant further investigation.⁴⁵

(U) Additionally, unusual system behavior, which includes system crashes, unexpected restarts, slow performance, and unexpected patches, can also serve as potential indicators of a compromised system.^46,47

(U) Finally, unusual or a high volume of web traffic levels to a particular website or IP address could be a potential indicator of a compromise, particularly if unauthorized connections are made with known-bad threat indicators, such as malicious IP addresses.^48,49

*ENDNOTES*

[42] (U); UpGuard; 18 November 2024; “What are Indicators of Compromise (IOCs)?”; https://www.upguard.com/blog/indicators-of-compromise

[43] (U); Joint Cybersecurity Advisory; AA24-038A; 07 February 2024; “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure”

[44] (U); DEVO; Date UNK; “Threat Hunting Guide”; https://www.devo.com/threat-hunting-guide/indicators-of-compromise/

[45] (U); SentinelOne; 11 March 2023; “What are Indicators of Compromise (IoCs)?”; https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-are-indicators-of-compromise-iocs-a-comprehensive-guide/

[46] (U); SentinelOne; 11 March 2023; “What are Indicators of Compromise (IoCs)?”; https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-are-indicators-of-compromise-iocs-a-comprehensive-guide/

[47] (U); UpGuard; 18 November 2024; “What are Indicators of Compromise (IOCs)?”; https://www.upguard.com/blog/indicators-of-compromise

[48] (U); SentinelOne; 11 March 2023; “What are Indicators of Compromise (IoCs)?”; https://www.sentinelone.com/cybersecurity-101/threat-intelligence/what-are-indicators-of-compromise-iocs-a-comprehensive-guide/

[49] (U); Joint Cybersecurity Advisory; AA20-245A ; 01 September 2020; “Technical Approaches to Uncovering and Remediating Malicious Activity”

32 of 47

Criticality of Periodic Assessments

Periodic assessments are essential for physical and cyber resilience
Can’t protect if you don’t know what needs protection
Can’t fix what needs if you don’t know what’s wrong

TLP:WHITE

32

33 of 47

Cybersecurity Services (Voluntary & No Cost)

Cyber Resilience Review (CRR)
External Dependencies Management (EDM)
Cyber Infrastructure Survey (CIS)
Ransomware Readiness Assessment (RRA)
Cyber Tabletop Exercises (CTTX)
Cybersecurity Performance Goals (CPG)
Vulnerability Scanning / Hygiene (CyHy)
Known Exploited Vulnerabilities (KEV)
Cyber Security Evaluation Tool (CSET)

33

Tactical

Strategic

STRATEGIC

(C-Suite Level)

TECHNICAL

(Network Admin Level)

May 13, 2025

34 of 47

Vulnerability Scanning / Hygiene

34

Purpose: Assess Internet-accessible systems for known vulnerabilities and configuration errors.

Delivery: Identify public-facing Internet security risks, through service enumeration and vulnerability scanning online by CISA.

Benefits:

Continual review of system to identify potential problems
Weekly reports detailing current and previously mitigated vulnerabilities
Recommended mitigation for identified vulnerabilities

Network Vulnerability & Configuration Scanning:

Identify network vulnerabilities and weakness

May 13, 2025

35 of 47

Vulnerability Scanning Report Card

35

High Level Findings

 Latest Scans

 Addresses Owned

 Addresses Scanned

 Hosts

 Services

 Vulnerable Hosts

 Vulnerabilities

Vulnerabilities

 Severity by Prominence

 Vulnerability Response Time

 Potentially Risky Open Services

May 13, 2025

36 of 47

Cybersecurity Performance Goals

36

EXAMPLE

The CPGs are a prioritized subset of IT and operational technology (OT) cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques.
Informed by existing cybersecurity frameworks and guidance, as well as the real-world threats and adversary tactics, techniques, and procedures (TTPs) observed by CISA and its government and industry partners.
Aids in identifying areas for potential future investment.

May 13, 2025

37 of 47

Ransomware Readiness Assessment

37

Ransomware disrupts or halts an organization's operations and poses a dilemma for management: pay the ransom and hope that the attackers keep their word about restoring access and not disclosing data, or do not pay the ransom and restore operations themselves.
The methods used to access an organization's information and systems are aimed at forcing a ransom to be paid. Ransomware attacks target the organization's data.
RRA helps you understand your cybersecurity posture and assess how well your organization is equipped to defend and recover from a ransomware incident.

EXAMPLE

May 13, 2025

38 of 47

The Cyber Security Evaluation Tool (CSET)

The Cyber Security Evaluation Tool (CSET) provides a systematic, disciplined, and repeatable approach for evaluating an organization’s security posture.
CSET is a desktop software tool that guides asset owners and operators through a step-by-step process to evaluate industrial control system (ICS) and information technology (IT) network security practices.
Users can evaluate their own cybersecurity stance using many recognized government and industry standards and recommendations.

38

May 13, 2025

39 of 47

Ransomware Vulnerability Warning Pilot (RVWP)

A new effort to warn critical infrastructure entities that their systems have exposed vulnerabilities that may be exploited by ransomware threat actors.

Leverages existing authorities and technology to proactively identify information systems that contain security vulnerabilities commonly associated with ransomware attacks.

CISA’s Cyber Hygiene Vulnerability Scanning
Known threat vectors
Administrative Subpoena Authority
Homeland Security Act of 2002.

39

May 13, 2025

40 of 47

Pre-Ransomware Notification Program

Ransomware actors often take some time after gaining initial access to a target before encrypting or stealing information, a window of time that often lasts from hours to days (dwell time).

CISA’s Joint Cyber Defense Collaborative – receives tips from the cybersecurity research community, infrastructure providers, and cyber threat intelligence companies about potential early-stage ransomware activity.

Local CISA field forces receive notification from our JCDC and contact the affected entity.

May 13, 2025

41 of 47

Known Exploited Vulnerabilities Catalog (KEV)

May 13, 2025

42 of 47

Cybersecurity Training Resources

42

CISA is committed to providing the nation with access to cybersecurity training and workforce development efforts to develop a more resilient and capable cyber nation.

The National Initiative for Cybersecurity Careers and Studies (NICCS) website contains a searchable training catalog with over 6,000 cyber- related courses offered by nationwide cybersecurity educators

Interactive National Cybersecurity Workforce Framework
CISA Learning
Scholarships for Service and Centers for Academic Excellence
Cyber Competitions
Tools and resources for cyber managers

Incident Response Training though IMR Series
Industrial Control Systems

May 13, 2025

43 of 47

Our Nation’s Cyber Workforce Foundation

The National Cybersecurity Workforce Framework is a collection of definitions that describe types of cybersecurity work and skills requires to perform it. �

When used nationally, the definitions help establish universally applicable cybersecurity skills, training/development, and curricula
7 Categories, 30+ Specialty Areas
Baselines knowledge, skills, and abilities & tasks

Operate & Maintain

Securely Provision

Analyze

Collect & Operate

Oversight &

Development

Protect &

Defend

Investigate

May 13, 2025

44 of 47

Key Takeaways

Become familiar with the CISA webpage and subscribe to CISA advisories
Engage with your local CISA region and stay connected with your advisors.
Develop, train and exercise physical, cyber, emergency action and business continuity plans.
Sign-up for CISA’s vulnerability scanning services and other resilience services
Encourage lowering cyber incident reporting thresholds and report suspicious activity

23

May 13, 2025

45 of 47

Sign up for CISA Communications

Includes information about upcoming trainings, events, and notifications about CISA publications.

Subscribe Here (public.govdelivery.com/accounts/USDHSCISA/subscriber/new)

Enter your email address on the landing page.
Be sure to check the box for the “Region 4 Stakeholder Update” at the bottom of the subscriber preference page under the General tab.

45

May 13, 2025

46 of 47

46

Andrew Balter

Protective Security Advisor

E: andrew.balter@mail.cisa.dhs.gov

C: 202.821.9034

Ryan K. Lewis

Cybersecurity Advisor

E: ryan.lewis@mail.cisa.dhs.gov

C: 202.975.9453

CISARegion4@cisa.dhs.gov

May 13, 2025

47 of 47

47

May 13, 2025