JCDC Success Stories
In its short history, JCDC has unified cyber defense between industry and government to improve information sharing, plan for large-scale cyber events, and collaborate on enhanced cyber threat guidance. This collaboration has allowed us to enhance the way government and industry work together to coordinate on cyber operations, ensuring that actions are informed and actionable. Examples include improving information sharing and threat mitigation, coordinating on cyber playbooks, expediting updates to the Known Exploited Vulnerabilities Catalog, and jointly developing alerts and advisories that better inform and protect the cyber community about cyber threats and vulnerabilities, threat actor tactics, and detection and mitigation guidance.
See below to learn about other notable examples of JCDC’s operational collaboration leading to real insight and action.
JCDC partners contributed substantial support, technical insights, and key findings to three significant guidance documents CISA published as part of our Volt Typhoon cyber defense planning initiative earlier this year. CISA assesses that Volt Typhoon, a People’s Republic of China (PRC) state-sponsored cyber threat group, seeks to compromise and maintain access to U.S. critical infrastructure using living off the land (LOTL) to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure.
On February 7, 2024, CISA published the joint Cybersecurity Advisory (CSA) PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure and supplemental joint guidance Identifying and Mitigating LOTL Techniques. The CSA provides an overview of Volt Typhoon activity and urges organizations to implement the identified mitigations. The joint guide provides network defenders information on how to hunt for Volt Typhoon LOTL infiltration of their systems. On March 19, 2024, CISA also released a supplemental fact sheet, PRC State-Sponsored Cyber Activity: Actions for Critical Infrastructure Leaders, with tailored, digestible guidance for leaders of critical infrastructure organizations.
CISA developed these products to bolster nationwide efforts to combat Volt Typhoon operations, consistent with one of JCDC’s 2024 priorities: defend against advanced persistent threat operations. These products generated broad interest, as evidenced by web traffic. The February CSA was CISA’s most viewed advisory in the first half of 2024, and the fact sheet received the most views in its product line for the first three months of its release.
Countering Volt Typhoon’s effort to infiltrate the nation’s critical infrastructure is a top priority for CISA, and JCDC partners have strengthened our ongoing cyber defense planning efforts with their expertise and commitment to operational collaboration.
In April 2024, CISA launched the High-Risk Communities webpage to bolster the digital security of communities that advance democracy and human rights. The product of a year-long planning effort among more than 45 industry, interagency, and civil society partners, this new webpage includes a suite of cyber hygiene guides for non-technical users, a collection of cybersecurity tools and services, and information on cyber volunteer programs targeted at high-risk communities. Through this effort, CISA and JCDC are not only raising the cybersecurity baseline by extending cybersecurity resources to under-resourced communities (which play a critical role in advancing democracy), but also forging new partnerships with a diverse array of civil society and industry participants that contribute to the cyber ecosystem. These partnerships are a critical part of JCDC’s mission to unite the global cyber community in the collective defense of cyberspace.
What JCDC Participants are saying
“Collaborating with JCDC, we recognize a unique and profound responsibility that extends beyond our corporate boundaries. This public-private partnership is not just an opportunity to enhance national cybersecurity; it’s a commitment to protect and support high-risk and vulnerable communities, including human rights groups, journalists, and dissidents.” – Authentic8
“When JCDC reached out to us about an initiative focused on protecting vulnerable communities online, we were excited to help make resources more accessible from a trusted voice… We hope that other governments can see these efforts on providing protections to vulnerable communities as a model for effective collaboration.” – Cloudflare
Since March 2023, JCDC participants have engaged in collaborative planning to address risks posed by threat actors to remote monitoring and management (RMM) platforms. RMM software continuously monitors a machine or system’s status and health and enables remote administrative functions. Threat actors exploit RMM platforms to gain footholds in servers and customer networks, including those of small and medium-sized organizations that support our national critical infrastructure.
JCDC participants, including 11 industry participants (ANB Bank, CNWR Inc, ConnectWise, Corporate Information Technologies, CompTIA Information Sharing and Analysis Organization, CyberRx, ISC2 Inc, Huntress, Kaseya, N-able, and the Open Group) and three federal participants (Department of Homeland Security, Department of Treasury, and the Office of the Director of National Intelligence) contributed to the JCDC RMM Cyber Defense Plan (published in August 2023). The plan encourages collective action across the RMM community to enhance information sharing, increase visibility, and fuel creative cybersecurity solutions. Moreover, it focuses on educating RMM end-user organizations on the risk to RMM infrastructure while providing guidance on how to promote security best practices moving forward.
In February 2024, JCDC participants shared evidence of an active exploitation of ConnectWise’s ScreenConnect product with CISA, triggering early coordination with the private sector that led to CISA adding CVE-2024-1709 to the Known Exploited Vulnerabilities Catalog.
JCDC’s RMM planning efforts also resulted in:
- the development of a new data normalization process for RMM vendor partners to enhance digital forensics and incident response in coordination with CISA;
- increased awareness of and registration in CISA’s free cybersecurity services; and
- new Secure by Design pledge signatures from RMM entities.
Although the formal planning effort concluded in April 2024, an enduring operational community will ensure JCDC participants and the RMM community continue to organize and support efforts that raise the cybersecurity baseline for RMM platforms and safeguard against preventable intrusions.
Earlier this year, CISA marked the first anniversary of the Secure by Design initiative, the agency’s effort to shift more of the responsibility for security from end users to technology manufacturers. The initiative’s inaugural joint guide, Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default, and its subsequent update were shaped by input from hundreds of JCDC participants and others, including individuals, companies, and trade associations. These resources emphasize the importance of integrating security measures during the initial development of widely used software. Since the update in October 2023, the Secure by Design initiative has yielded six Alerts, focusing on topics such as directory traversal vulnerabilities, eliminating default passwords, small office/home office routers, and Structured Query Language (SQL) injection vulnerabilities. Additionally, more than 140 of the world’s leading software manufacturers have committed to designing products with greater security built in by signing CISA’s pledge.
CISA, JCDC participants, and pledge signees are raising the cybersecurity baseline by actively promoting a cultural shift within the software industry through the Secure by Design initiative. The goal is for manufacturers to prioritize the development of technology products that are secure out of the box, which can help protect against attempts by malicious cyber actors to gain access to devices, data, and connected infrastructure.
The success of this initiative exemplifies JCDC’s dedication to the joint enrichment and timely development of cybersecurity guides, advisories, and alerts. These resources benefit cybersecurity experts, organizations, and the broader community by providing measurable and actionable recommendations for making software secure by design. Visit Secure by Design to learn more about the initiative’s principles, stay informed on the latest Alerts, or take the Secure by Design Pledge.
In response to the exploitation of multiple vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways by different cyber threat actors, Ivanti, Volexity, and Mandiant collaborated with CISA, resulting in the release of a February 2024 joint Cybersecurity Advisory. CISA led red team testing of at-risk Ivanti devices to deliver unique insights into the validity of the vendor’s guidance and integrity checker tooling. Additionally, CISA released Secure by Design principles for edge device vendors. The coordination between JCDC public and private sector participants placed timely updates in the hands of our nation’s cyber defenders (especially federal, state, local, tribal, territorial, and critical infrastructure entities), assisting with defense operations against advanced persistent threats. Notably, the teamwork between industry and government led to CISA releasing multiple publications on the exploitation of common vulnerabilities and exposures, as well as providing notifications to vulnerable entities. This coordinated response highlights the real-world impact of bi-directional information sharing and underscores how contributions from industry are instrumental in defending our national cyberspace from emerging and evolving threats.
JCDC participants shared valuable feedback on CISA’s joint Secure by Design product, “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default.” This collaborative product incorporated input from hundreds of JCDC participants, including individuals, companies, and trade associations, as well as participants who attended a JCDC focus group at DEFCON 2023. Initially published in April 2023, this product was one of 254 unique CISA products shared with JCDC participants and international partners in 2023.
In October 2023, CISA and 17 other U.S. and international organizations, including the Federal Bureau of Investigation (FBI) and National Security Agency (NSA), published an updated version, “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software.” The updated version included contributions from multiple JCDC participants and emphasized the need to prioritize designing security measures during the initial development process of widely used software. JCDC participants, together with CISA, are actively involved in promoting a cultural shift within the industry to emphasize building robust technology products to reasonably protect against malicious cyber actors’ attempts at gaining access to devices, data, and connected infrastructure. This product is an example of JCDC’s dedication to joint enrichment and development of timely cybersecurity guides, advisories, and alerts to benefit cybersecurity experts, cybersecurity organizations, and the broader community.
Since July 2023, JCDC participants, including Mandiant, Shadowserver, GreyNoise, ZeroFox, and IBM Security X-Force, have provided continuous insight into post-exploitation activity of the NetScaler (formerly Citrix) Application Delivery Controller and NetScaler Gateway vulnerability (CVE-2023-3519).
Recognizing the importance of open multi-directional communication, CISA established real-time information sharing with industry partners possessing advanced insight into exploitation of the vulnerability. JCDC participants shared numerous detection methods; threat actor tactics, techniques, and procedures; and indicators of compromise. CISA then consolidated and shared those details with federal, state, local, tribal, and territorial governments, as well as international partners, to assist their response efforts.
As a result of the initial information-sharing efforts, many JCDC participants shared additional associated technical information that CISA was then able to amplify and enrich. CISA also used this information to update Cybersecurity Advisory Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells with the new information to assist cyber defenders with detecting and responding to this malicious activity.
Between 2021 and 2022, CISA recognized an emerging Chinese APT campaign impacting state, local, tribal, and territorial (SLTT) partners, with the actors employing common tactics, techniques, and procedures. CISA collaborated with affected SLTT government organizations and JCDC members to better understand the nature of the activity and identify multiple zero-day vulnerabilities used as initial intrusion vectors. CISA also acted as a broker to share timely and actionable network defense information among JCDC members and SLTT governments. This broader perspective enabled multiple SLTT governments to locate and respond to associated intrusion activity while supporting JCDC members’ understanding of the same. Finally, CISA collaborated with SLTT organizations and JCDC members, including interagency partners, to develop two network defense advisories based on this activity and share them with JCDC members and SLTT partners.