Open Source CISA Tool Helps Defenders With Hacker Containment, Eviction

The tool includes resources to help organizations during the containment and eviction stages of incident response.

The US cybersecurity agency CISA on Wednesday announced new resources for security teams looking to contain cyberattacks and evict hackers from their networks.

The new Eviction Strategies Tool includes a web-based application called Playbook-NG (Cyber Eviction Strategies Playbook Next Generation), and a database of post-compromise countermeasures, named COUN7ER.

“Together, Playbook-NG and COUN7ER can assemble a systematic eviction plan that leverages distinct countermeasures to contain and evict a unique intrusion,” CISA notes.

The two open source resources, maintained by CISA on the Eviction Strategies Tool’s GitHub page, assist with tailored adversary eviction strategies and are expected to accelerate incident response plan creation.

Playbook-NG is a stateless application that lets defenders match incident discoveries with countermeasures for hacker eviction; it can also be used to generate realistic plans for tabletop exercise (TTX) scenarios.

Defenders feed Playbook-NG’s interface with TTPs or descriptions of adversary activities and the application provides recommended response actions, which can be exported. Playbook-NG does not retain information on the defender and their input, but exported files can be re-uploaded and modified.

“Playbook-NG also allows cyber defenders to start with an incident template that CISA created and curated. These templates describe specific collections of TTPs in a campaign or event that a cyber defender may use as is or quickly customize. Playbook-NG provides an agile set of guidance that follows a ‘write once, share many’ model of defensive strategies,” CISA explains.

COUN7ER is a curated collection of post-compromise countermeasures and mitigations that Playbook-NG pulls entries from. These actions are cross-referenced with multiple frameworks — including MITRE’s ATT&CK, D3FEND, and Common Weakness Enumeration (CWE) — and aligned with best practices.

The database currently contains more than 100 fully developed entries, each providing details on the intended outcome, preparation, risks, related countermeasures, guidance, and references.

“CISA regularly reviews the COUN7ER database and updates it based on incident observations, threat intelligence, and other sources of information on threat actor tactics. Countermeasures undergo a rigorous review process to conform to written style, voice, and accuracy,” CISA says.

This week CISA also released new guidance as part of its Journey to Zero Trust series, covering the introduction and planning for microsegmentation in zero trust.

Microsegmentation in Zero Trust, Part One (PDF) defines core concepts, details the phased approach to microsegmentation, and provides planning considerations and examples of microsegmentation scenarios.

Ionut Arghire is an international correspondent for SecurityWeek.