
The Cybersecurity and Infrastructure Security Agency (CISA) released an Eviction Strategies Tool on July 30 to help cyber defenders better respond to cyber incidents.
The agency contracted with MITRE to develop the no-cost resource, which allows cyber defenders to rapidly build tailored response plans and adversary eviction strategies. The tool also allows users to create customized playbooks designed to contain and remove adversaries from compromised systems and networks.
“How an organization approaches remediation and eviction of an incident is critically important to a successful response effort. Over the years, we have seen organizations struggle with identifying the right steps to take and the correct sequencing of actions to properly evict advanced adversaries from their enterprises,” said Jermaine Roebuck, associate director for threat hunting at CISA.
“This tool will level the playing field by making it easier for IT staff and cyber defenders to coordinate efforts and achieve a successful eviction. I encourage public and private sector organizations to incorporate this capability into their incident response plans,” Roebuck added.
The tool includes COUN7ER, which CISA said is “a database of atomic post-compromise countermeasures” that users can execute based on adversary tactics, techniques, and procedures (TTPs).
It also includes Cyber Eviction Strategies Playbook NextGen, a web-based application that pairs incident findings with countermeasures obtained from COUN7ER.
“Together, these resources help defenders build systematic eviction plans with distinct countermeasures to thwart and evict unique intrusions,” CISA said.
Users can start a new playbook from MITRE ATT&CK® – a globally accessible knowledge base of adversary tactics and techniques – by selecting the techniques observed in the intrusion, or from “free text” that describes the threat actor's activity.
Cyber defenders also have the option to browse common templates that represent ongoing cyber incidents being actively monitored by CISA. Some of these templates include Volt Typhoon, SolarWinds Compromise, and Active Directory Identity Remediation.
Users can also import and continue working on an existing playbook. The agency notes that playbooks built with the Eviction Strategies Tool “can be loaded and updated as needed.” Finished playbooks, with their selected countermeasures, can be exported in several formats, including JSON, Microsoft Word, Excel, and Markdown.
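To make the workflow concrete, the following is an added example (not CISA or MITRE code, and not the Eviction Strategies Tool's own logic or data) of what a playbook builder of this kind does at its core: a catalog of atomic countermeasures keyed by ATT&CK technique ID, a set of incident findings expressed as technique IDs, and an assembled playbook that is ordered for eviction (contain, then eradicate, then recover) and exported as JSON or Markdown. The ATT&CK technique IDs are real; the countermeasure IDs, action text and three-phase ordering are constructed for illustration and are not taken from COUN7ER.

```python
"""Toy eviction-playbook builder (added example, not CISA/MITRE code).

Models the idea described in the article: a catalog of atomic, post-compromise
countermeasures keyed by ATT&CK technique ID, from which a playbook is assembled
for a set of incident findings and exported as JSON or Markdown. The catalog
entries and the phase ordering are constructed for illustration; they are not
COUN7ER data.
"""
import json
from dataclasses import dataclass, asdict

# Sequencing is the part the article says organizations struggle with:
# cut the adversary's access (contain) before removing artifacts (eradicate),
# and reset credentials only after access paths are closed (recover).
PHASE_ORDER = {"contain": 0, "eradicate": 1, "recover": 2}


@dataclass(frozen=True)
class Countermeasure:
    cm_id: str      # hypothetical countermeasure ID
    technique: str  # ATT&CK technique ID the countermeasure addresses (real IDs)
    phase: str      # one of PHASE_ORDER
    action: str     # constructed action text


# Constructed catalog: hypothetical IDs and text, real ATT&CK technique IDs.
CATALOG = [
    Countermeasure("CM-001", "T1078", "contain",
                   "Disable the compromised accounts and terminate their active sessions"),
    Countermeasure("CM-002", "T1078", "recover",
                   "Reset credentials for compromised accounts and rotate related service-account secrets"),
    Countermeasure("CM-003", "T1021.001", "contain",
                   "Block inbound RDP at the host firewall except from the jump host"),
    Countermeasure("CM-004", "T1053.005", "eradicate",
                   "Remove adversary-created scheduled tasks and verify none are re-created on reboot"),
    Countermeasure("CM-005", "T1098", "eradicate",
                   "Remove unauthorized group memberships and delegated permissions added by the adversary"),
    Countermeasure("CM-006", "T1059.001", "eradicate",
                   "Delete persisted PowerShell payloads and enable Script Block Logging on the host"),
]


def build_playbook(findings, catalog=CATALOG):
    """Select countermeasures for the observed techniques, deduplicate them,
    and order them contain -> eradicate -> recover (then by countermeasure ID).
    Techniques with no catalog entry are reported, not silently dropped."""
    wanted = set(findings)
    selected = {cm.cm_id: cm for cm in catalog if cm.technique in wanted}
    ordered = sorted(selected.values(), key=lambda cm: (PHASE_ORDER[cm.phase], cm.cm_id))
    covered = {cm.technique for cm in catalog}
    unmatched = sorted(t for t in wanted if t not in covered)
    return {
        "findings": sorted(wanted),
        "steps": [asdict(cm) for cm in ordered],
        "unmatched": unmatched,
    }


def to_json(playbook):
    """JSON export of the assembled playbook."""
    return json.dumps(playbook, indent=2)


def to_markdown(playbook):
    """Markdown export: a numbered, phase-tagged step list plus any coverage gaps."""
    lines = ["# Eviction playbook", "", "Findings: " + ", ".join(playbook["findings"]), ""]
    for n, step in enumerate(playbook["steps"], 1):
        lines.append(f"{n}. [{step['phase']}] {step['cm_id']} ({step['technique']}): {step['action']}")
    if playbook["unmatched"]:
        lines += ["", "No catalog entry for: " + ", ".join(playbook["unmatched"])]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed findings: valid-account abuse, RDP lateral movement, scheduled-task
    # persistence, and one technique (web-protocol C2) with no catalog entry.
    pb = build_playbook(["T1078", "T1021.001", "T1053.005", "T1071.001"])
    print(to_markdown(pb))
    print(to_json(pb))
```

The point of the ordering key is that the same technique can carry countermeasures in different phases: T1078 (Valid Accounts) yields an immediate containment step (disable and log out) and a later recovery step (reset and rotate), and the builder keeps them apart rather than emitting them side by side. The unmatched list is what a defender would fall back to free-text notes for.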
CISA is encouraging cyber defenders to try out the new tool and provide feedback through an anonymous product survey.