The U.S. Department of Homeland Security Cybersecurity and Information Security Agency (CISA) has released an infographic mapping analysis of 44 of its Risk and Vulnerability Assessments (RVAs) conducted in Fiscal Year 2019 to the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) Framework. The infographic identifies routinely successful attack paths CISA observed during RVAs conducted across multiple sectors. Cyber attackers can use these attack paths to compromise organizations. CISA encourages network administrators and IT professionals to review the infographic and apply the recommended defensive strategies to protect against the observed tactics and techniques. It also encourages them to review CISA’s Cyber Essentials (also described and posted to the WaterISAC portal here) for more information on where to start implementing organizational cybersecurity practices. Access the infographic at CISA.

During an RVA, CISA collects data through onsite assessments and combines it with national threat and vulnerability information in order to provide an organization with actionable remediation recommendations prioritized by risk. This assessment is designed to identify vulnerabilities that adversaries could potentially exploit to compromise network security controls. After completing the RVA, the organization will receive a final report that includes business executive recommendations, specific findings and potential mitigations, as well as technical attack path details. An RVA is just one many services offered by CISA to its critical infrastructure partners. WaterISAC encourages its members to look into these services to identify potential system vulnerabilities and generally improve the cybersecurity postures of their organizations. Read more about these services at CISA’s Cyber Resource Hub.